Skating on Stilts

This episode of the Cyberlaw Podcast delves into the use of location technology in two big events – the surprisingly widespread lockdown protests in China and the January 6 riot at the U.S. Capitol. Both were seen as big threats to the government, and both produced aggressive police responses that relied heavily on government access to phone location data. Jamil Jaffer and Mark MacCarthy walk us through both stories and respond to my provocative question: What’s the difference? Jamil’s answer (and mine, for what it’s worth) is that the U.S. government gained access to location information from Google only after a multi-stage process meant to protect innocent users’ information, and that there is now a court case that will determine whether the government actually did protect users whose privacy should not have been invaded.

Whether we should be relying on Google’s made-up and self-protective rules for access to location data is a separate question. It becomes more pointed as Silicon Valley has started making up a set of self-protective rules penalizing companies that assist law enforcement in gaining access to phones that Silicon Valley has made inaccessible. The movement to punish such law enforcement access providers has moved from trashing companies like NSO, whose technology has been widely misused, to punishing companies on a lot less evidence of wrongdoing. This week, TrustCor lost its certificate authority status mostly for looking suspiciously close to the National Security Agency and Google outed Variston of Spain for ties to a vulnerability exploitation system. Nick Weaver is happy to hose me down.

The UK is working on an online safety bill, likely to be finalized in January, Mark reports, but this week the government agreed to drop its direct regulation of “lawful but awful” speech on social media. The step was a symbolic victory for free speech advocates, but the details of the bill before and after the change suggest it was more modest than the brouhaha suggests.

The Department of Homeland Security’s Cyber Security and Infrastructure Security Agency (CISA) has finished taking comments on its proposed cyber incident reporting regulation. Jamil summarizes industry’s complaints, which focus on the risk of having to file multiple reports with multiple agencies. Industry has a point, I suggest, and CISA should take the other agencies in hand to reach agreement on a report format that doesn’t resemble the State of the Union address.

It turns out that the collapse of FTX is going to curtail a lot of artificial intelligence (AI) safety research. Nick explains why, and offers reasons to be skeptical of the “effective altruism” movement that has made AI safety one of its priorities.

Today, Jamil notes, the U.S. and EU are getting together for a divisive discussion of U.S. subsidies for electric vehicles (EV) made in North America but not Germany. That’s very likely a World Trade Organization (WTO) violation, I offer, but one that pales in comparison to thirty years of European WTO-violating threats to constrain data exports to the U.S. When you think of it as retaliation for the use of EU privacy law to attack U.S. intelligence programs, the EV subsidy is easy to defend.

I ask Nick if we learned anything new this week from Twitter coverage. His answer – that Elon Musk doesn’t understand how hard content moderation is – doesn’t exactly come as news. Nor, really, does most of what we learned from Matt Taibbi’s review of Twitter’s internal discussion of the Hunter Biden laptop story and whether to suppress it. Twitter doesn’t come out of that review looking better. It just looks bad in ways we already suspected were true. One person who does come out of the mess looking good is Rep. Ro Khanna (D., Calif.), who vigorously advocated that Twitter reverse its ban, on both prudential and principled grounds. Good for him.

Speaking of San Francisco Dems who surprised us this week, Nick notes that the city council in San Francisco approved the use of remote-controlled bomb “robots” to kill suspects. He does not think the robots are fit for that purpose.  

Finally, in quick hits:

• Meta was fined $275 million for allowing data scraping of personal data.
• Nick and Jamil tell us that Snowden has at last shown his true colors.
• Jamil offers unwonted praise for Apple, which persuaded TSMC to make more advanced chips in Arizona than it originally planned.
• And I try to explain why the decision of the DHS cyber safety board to look into the Lapsus$ hacks seems to drawing fire.

Download the 433rd Episode (mp3)  

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets

We spend much of this episode of the Cyberlaw Podcast talking about toxified tech – new technology that is being demonized by the press and others. Exhibit One, of course, is "spyware," i.e., hacking tools that allow governments to access phones or computers otherwise closed to them. The Washington Post and the New York Times have led a campaign to turn NSO's Pegasus tool for hacking phones into a radioactive product. Jim Dempsey, though, reminds us that not too long ago, in defending end-to-end encryption, tech policy advocates insisted that the government did not need to mandate access to encrypted phones because they could just hack them instead. David Kris joins in, pointing out that, used with a warrant, there's nothing uniquely dangerous about hacking tools of this kind. I offer an explanation for why the public policy community and its Silicon Valley funders have changed their tune on the issue: Having won the end-to-end encryption debate, they feel free to move on to the next anti-law-enforcement campaign.

That campaign includes private lawsuits against NSO by companies like WhatsApp, whose case was briefly delayed by NSO's claim of sovereign immunity on behalf of the (unnamed) countries it builds its products for. That claim made it to the Supreme Court, David reports, where the U.S. government recently filed a devastating brief that will almost certainly send NSO back to court without any sovereign immunity protection.

Meanwhile, in France, Amesys and its executives are being prosecuted for facilitating the torture of Libyan citizens at the hands of the Muammar Qaddafi regime. Amesys evidently sold an earlier and less completely toxified technology – packet inspection tools – to Libya which is alleged to have tracked down dissidents with it. The criminal case is pending.

And in the U.S., a plethora of tech toxification campaigns are under way, all aimed at Chinese products. This week, Jim notes, the Federal Communications Commission came to the end of a long road that began with jawboning in the 2000s and culminated in a flat ban on installing Chinese telecom gear in U.S. networks. On deck for toxification are DJI's drones, which several Senators see as a comparable national security threat that should be handled with a similar ban. Maury Shenk tells us that the British government is taking the first steps on a similar path, this time starting with a ban on some government uses of Chinese surveillance camera systems.

Those measures do not always work, Maury tells us, pointing to a story that hints at trouble ahead for U.S. efforts to decouple Chinese from American artificial intelligence research and development.

Maury and I take a moment to debunk efforts to persuade readers that Artificial Intelligence (AI) is toxic because Silicon Valley will use it to take our jobs. AI code writing is not likely to graduate from facilitating coding any time soon, we agree. Whether AI can do more in replacing Human Resources (HR) staff may be limited by a different toxification campaign – the largely phony claim that AI is full of bias. Amazon's effort to use AI in HR, I predict, will be sabotaged by this claim, as its effort to avoid charges of bias will almost certainly lead the company's HR department to build race and gender quotas into its AI engine.

And in a few quick hits:

• I express doubt that Australia's "unleash the hounds" approach to ransomware actually has anything to do with one notorious ransomware actor's extortion site going down
• Maury praises an MIT Technology Review piece that argues persuasively that China's social credit system is not quite as dystopian as it's been portrayed. I point out that, with Airbnb practicing guilt by association and PayPal taking your money for saying things PayPal doesn't like, Silicon Valley can brag that it's going to reach Full Tech Dystopia well before China.
• I cover what is the fourth review in three different administrations of the  dual-hatted leadership of NSA and Cyber Command. No change is likely.
• And we close with a downbeat assessment of Elon Musk's chances of withstanding the combined hostility of European and U.S. regulators, the press, and the left-wing tech-toxifiers in civil society. He is a talented guy, I argue, and with a three-year runway, he could succeed, but he probably does not have three years.

Download the 432nd Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets

The Cyberlaw Podcast leads with the growing legal cost of Elon Musk's anti-authoritarian takeover of Twitter. Turns out that authority figures have a mean streak, and a lot of weapons, many grounded in law, as Twitter is starting to learn. Brian Fleming explores one of them -- the apparently unkillable notion that the Committee on Foreign Investment in the U.S. (CFIUS) should review Musk's Twitter deal because of a relatively small share that went to investors with Chinese and Persian Gulf ties. CFIUS may in fact be seeking information on what Twitter data those investors will have access to, but I am skeptical that CFIUS will be moved to act on what it learns. More dangerous for Twitter and Musk, says Charles-Albert Helleputte, is the possibility that the company will lose its one-stop-shop privacy regulator for failure to meet the elaborate compliance machinery set up by European privacy bureaucrats. At a quick calculation, that could expose Twitter to fines up to 120% of annual turnover. That would smart. Finally, I reprise my take on all the people leaving Twitter for Mastodon as a protest against Musk allowing the Babylon Bee and President Trump back on the platform. If the protestors really think Mastodon's system is better, there's no reason Twitter can't adopt it, or at least the version that Francis Fukuyama and Roberta Katz have proposed.

If you are looking for the far edge of the Establishment's Overton Window on China policy, you cannot do better than the U.S.-China Economic and Security Review Commission, a consistently China-skeptical but mainstream body. Brian reprises the Commission's latest report. Its headline is about Chinese hacking, but the report does not offer much hope of a solution to that problem, other than more decoupling.

Chalk up one more victory for Trump-Biden continuity, and one more loss for the State Department. Michael Ellis reminds us that the Trump administration took much of Cyber Command's cyber offense decisionmaking out of the National Security Council and put it back in the Pentagon. This made it much harder for the State Department to stall cyber offense operations. When it turned out that this made Cyber Command more effective and no more irresponsible, the Biden Administration followed its predecessor's lead, preparing a memo that will largely ratify Trump's order, with a few tweaks.

I unpack Google's expensive (nearly $400 million) settlement with 40 States over location history. Google's promise to its users that it would stop storing location history if the feature was turned off was poorly and misleadingly drafted, but I doubt there is anyone who actually wanted to keep Google from using location for most of the apps where it remained operative, so the settlement is a good deal for the states, and a reminder of how unpopular Silicon Valley has become in red and blue states alike.

Michael tells the doubly embarrassing story of an Iranian hack of the U.S. Merit Systems Protection Board. It is embarrassing enough for the board to be hacked using a log4j exploit that should have been patched long ago. But it is worse that an Iranian government hacker got access to a U.S. government network – and decided that its access is best used for mining cryptocurrency.

Brian tells us that the U.S. goal of reshoring chip production is making progress, with Apple planning to use TSMC chips from a new fab in Arizona.

In a few updates and quick hits:

• I remind listeners that a lot of tech companies are laying employees off, but that overall Silicon Valley employment is still way up over the past couple of years.
• I update the mess at cryptocurrency exchange FTX, a mess which just keeps getting worse.
• Charles updates us on the next U.S.-E.U. adequacy negotiations, and the prospects for Schrems 3 (and 4, and 5) litigation.
• And I sound a note of both admiration and caution about Australia's plan to "unleash the hounds" – in the form of its own Cyber Command equivalent – on ransomware gangs. As U.S. experience reveals, it makes for a great speech, but actual impact can be hard to achieve.

Download the 431st Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets

We open this episode of the Cyberlaw Podcast by considering the (still evolving) results of the 2022 federal election. Adam Klein and I trade thoughts on what Congress will do.  Adam sees two years in which the Senate does a lot of nominations, the House does a lot of investigations, and neither does much legislation.  Which could leave renewal of a critically important intelligence authority, Section 702 of FISA, out in the cold.  As supporters of renewal, Adam and I conclude that the best hope for the provision is to package it with trust-building measures to guard against partisan misuse of national security authorities.

I also note that foreign government cyberattacks on our election machinery, something much anticipated in election after election, once again failed to make an appearance. At this point, I argue, election interference falls somewhere between Y2K and Bigfoot on the "things we need to worry about" scale.

In other news, cryptocurrency conglomerate FTX has collapsed in a welter of bankruptcy, stolen funds, and criminal investigations. Nick Weaver lays out the gory details.

A new panelist to the podcast, Chinny Sharma explains for a disbelieving US audience the UK government's plan to scan all the country's internet-connected devices for vulnerabilities. Adam and I agree that it could never happen here.  Nick wonders why the UK government doesn't use a private service for the task.

Nick also covers This Week in the Twitter Dogpile. He recognizes that this whole story is turning into a tragedy for all concerned, but he's determined to linger on the moments of comic relief. Dunning-Krueger makes an appearance.

Chinny and I speculate on what may emerge from the Biden administration's  plan to reconsider the relationship between CISA and the Sector Risk Management Agencies that otherwise regulate important sectors.  I predict that it will spur turf wars and end in new coordination authority for CISA. In addition, the Obama administration's egregious exemption of Silicon Valley from regulation as critical infrastructure should also be on the chopping block. Finally, if the next two Supreme Court decisions go the way I hope, the FTC will finally have to coordinate its privacy enforcement efforts with CISA's cybersecurity standards and priorities.

Adam reviews the European Parliament's report on Europe's spyware problems.  He's impressed (as am I) by the report's willingness to acknowledge that this is not a privacy problem made in America. Governments in at least four European countries by our count have recently used spyware to surveil members of the opposition party, a problem that has been unthinkable for seventy years in the United States. Though maybe not any more, which, we agree, is another reason for Congress to quickly put into place more guardrails against such abuse.

Nick notes the US government's seizure of what was $3 billion in bitcoin. Shrinkflation has brought that value down to around $800 million. But it's worth noting that an immutable blockchain brought James Zhong to justice ten years after he took the money.

Disinformation – or the appalling acronym MDM (for mis-, dis-, and mal-information) – has been in the news lately. A recent paper counted the staggering cost of efforts to suppress "disinformation" during covid times. And Adam published a recent piece in City Journal explaining just how dangerous the concept has become. We end up agreeing that national security agencies need to focus on foreign government dezinformatsiya – falsehoods and propaganda from abroad – and not get in the business of policing domestic speech, even speech that sounds a lot like foreign leaders we don't like.

Chinny takes us into a new and fascinating dispute between the copyleft movement, GitHub, and a new kind of AI that writes code. The short version is that GitHub has been training an AI engine on all the open source code on its site so that an algorithm can "autosuggest" lines of new code as you're writing the boring parts of your program.  Sounds great, except that the resulting algorithm tends to reproduce the code it was trained on --- without imposing the license conditions, such as copyleft, that were part of the original code. Not surprisingly, copyleft advocates are suing on the ground that important information was improperly stripped from their code, particularly the provision that turns all code that incorporates their open source into open source itself.  I remind listeners that this incorporation feature is why Microsoft famously likened open source to cancer. Nick tells me that it's really more like herpes, demonstrating that he has apparently had a lot more fun writing code than I ever had.

In updates and quick hits:

• I note that the  nuclear spies who hid their stolen data in a peanut butter sandwich have been sentenced.
• Adam celebrates TSMC's decision to build a 3 nm chip fab in Arizona. We cross swords, though, about whether the fab capital of the US will be Phoenix or Austin.
• I celebrate the Russian government's acknowledgment of the Cyberlaw Podcast's reach by virtue of its designation of long-time regular Dmitri Alperovitch for Russian sanctions. Occasional guest Chris Krebs also made the list.
• Adam and I flag DOJ's release of basic rules for what I'm calling the Euroappeasement Court: the quasijudicial body that will patiently attend to European complaints that the US isn't living up to human rights standards that no country in Europe even pretends to live up to.

Download the 430th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets

The war that began with the Russian invasion of Ukraine grinds on. Cybersecurity experts have spent much of 2022 trying to draw lessons about cyberwar strategies from the conflict. Dmitri Alperovitch takes us through the latest learning, cautioning that all of it could look different in a few months, as both sides adapt to the others' actions.

David Kris joins Dmitri to evaluate a Microsoft report hinting at how China may be abusing its edict that software vulnerabilities must be reported first to the Chinese government. The temptation to turn such reports into 0-day exploits is strong, and Microsoft notes with suspicion a recent rise in Chinese 0-day exploits. Dmitri worried about just such a development while serving on the Cyber Safety Review Board, but he is not yet convinced that we have the evidence to make a case against the Chinese mandatory disclosure law.

Sultan Meghji keeps us in Redmond, digging through a deep Protocol story on how Microsoft has helped build Artificial Intelligence (AI) capacity in China. The amount of money invested, and the deep bench of AI researchers from China, raise real questions about how the United States can decouple from China – and whether China will eventually decide to do the decoupling.

I express skepticism about the White House's latest initiative on ransomware, a 30+ nation summit that produced a modest set of concrete agreements. But Sultan and Dmitri have been on the receiving end of deputy national security adviser Anne Neuberger's forceful personality, and they think we will see results. We'd better. Banks report that ransomware payments doubled last year, to $1.2 billion.

David introduces the high-stakes struggle over when cyberattacks can be excluded from insurance coverage as acts of war. A recent settlement between Mondelez and Zurich has left the law in limbo.

Sultan tells me why AI is so bad at explaining the results it reaches. He sees light at the end of the tunnel. I see more stealthy imposition of woke values. But we find common ground in trashing the Facial Recognition Act, a lefty Democrats' bill that throws together every bad idea for regulating facial recognition ever put forward and adds a few more. A red wave election will be worth it just to make sure this bill stays dead.

Finally, Sultan reviews the National Security Agency's report on supply chain security. And I introduce the elephant in the room, or at least the mastodon: Elon Musk's takeover at Twitter and the reaction to it.  I downplay the probability of CFIUS reviewing the deal. And I mock the Elon-haters who fear that Musk's scrimping on content moderation will turn Twitter into a hellhole that includes *gasp!* Republican speech. Turns out that they are fleeing Twitter for Mastodon, which pretty much invented scrimping on content moderation.

Download the 429th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets

You heard it on the Cyberlaw Podcast first, as we did a mashup of the week's top stories: Nate Jones commenting on Elon Musk's expected troubles running Twitter at a profit and Jordan Schneider noting the U.S. government's creeping, halting moves to constrain TikTok's sway in the U.S. market. Since Twitter has never made a lot of money, even before it was carrying loads of new debt, and since pushing TikTok out of the U.S. market is going to be an option on the table for years, why doesn't Elon Musk position Twitter to take its place? (Breaking news: Apparently the podcast has a direct line to Elon Musk's mind; he is reported to be entertaining the idea of reviving Vine to compete with TikTok.)

It's another big week for China news, as Nate and Jordan cover the administration's difficulties in finding a way to thwart China's rise in quantum computing and artificial intelligence (AI). Jordan has a good post about the tech decoupling bombshell. But the most intriguing discussion concerns China's remarkably limited options for striking back at the Biden Administration for its harsh sanctions.

Meanwhile, under the heading, When It Rains, It Pours, Elon Musk's Tesla faces a criminal investigation over its self-driving claims. Nate and I are skeptical that the probe will lead to charges, as Tesla's message about Full Self-Driving has been a mix of manic hype and depressive lawyerly caution.

Jamil Jaffer introduces us to the Guacamaya "hacktivist" group whose data dumps have embarrassed governments all over Latin America – most recently with reports of Mexican military arms sales to narco-terrorists. On the hard question – hacktivists or government agents? – Jamil and I lean ever so slightly toward hacktivists.

Nate covers the remarkable indictment of two Chinese spies for recruiting a U.S. law enforcement officer in an effort to get inside information about the prosecution of a Chinese company believed to be Huawei. We pull plenty of great color from the indictment, and Nate notes the awkward spot that the defense team now finds itself in, since the point of the espionage seems to have been, er, trial preparation.

To balance the scales a bit, Nate also covers suggestions that Google's former CEO Eric Schmidt, who headed an AI advisory committee, had a conflict of interest because he also invested in AI startups. There's no suggestion of illegality, though, and it is not clear how the government will get cutting edge advice on AI if it does not get it from investors and industry experts like Schmidt.

Jamil and I have mildly divergent takes on Transportation Security Administration's new railroad cybersecurity directive. He worries that it will produce more box-checking than security. My concern is that it mostly reinforces current practice rather than raising the bar.

And in quick updates:

• The Federal Trade Commission has made good on its promise to impose consent decree obligations on CEOs as well as companies. The first victim is the CEO of Drizly.
• France has fined Clearview AI the maximum possible fine for not defending a General Data Protection Regulation (GDPR) case – unsurprisingly, because Clearview AI does no business in France.
• I offer this public service announcement: Given the risk that your Prime Ministers' phones could be compromised, it's important to change them every 45 days.

Download the 428th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets

This episode features Nick Weaver, Dave Aitel and I exploring a Pro Publica story (and forthcoming book) on the FBI's difficulties in seeking to become the nation's principal resource on cybercrime and cybersecurity. We end up concluding that, for all its strengths, the bureau's structural weaknesses in addressing cybersecurity are going to thwart its ambitions for years to come.

Speaking of being thwarted for years, the effort to decouple U.S. and Chinese tech sectors continues apace. Nick and Dave weigh in on the latest (rumored) initiative -- cutting off China's access to U.S. quantum computing and AI technology -- and what that could mean for U.S. semiconductor companies, among others.

We could not stay away from the Elon Musk-Twitter story, which briefly had a national security dimension, due to news that the Biden Administration was considering a Committee on Foreign Investment in the United States (CFIUS) review of the deal. That's not a crazy idea, but in the end,  we are skeptical that it will amount to much.

Dave and I exchange views on whether it is logical for the Administration to pursue cybersecurity labels for cheap Internet of things (IoT) devices. He thinks it makes less sense than I do, but we agree that the end result will be to crowd the cheapest competitors from the market.

Nick and I discuss the news that Kanye West is buying Parler. Neither of us thinks much of the deal as an investment.

And in updates and quick takes:

• I see a real risk for Google in the Texas Attorney General's lawsuit over the company's use of facial recognition.
• Nick unpacks the dispute between Facebook and The Wire, India's answer to Pro Publica, over The Wire's claim of bias in favor of incumbent Indian politicians. If you had the impression that Facebook has the better of that argument, you're right.
• And in another platform v. press, story, TikTok's parent ByteDance has been accused by Forbes of planning to use TikTok to monitor the location of specific Americans. TikTok has denied the story. I predict that neither the story nor the denial is enough to bring closure. We'll be hearing more.

Download the 427th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets

David Kris opens this episode of the Cyberlaw Podcast by laying out some of the massive disruption that the Biden Administration has kicked off in China's semiconductor industry – and among its Western suppliers. The reverberations of the administration's new measures will be felt for years, and the Chinese government's response, not to mention the ultimate consequences, remains uncertain.

Richard Stiennon, our industry analyst, gives us an overview of the cybersecurity market, where tech and cyber companies have taken a beating but cybersecurity startups continue to gain funding.

Mark MacCarthy reviews the industry from the viewpoint of the trustbusters. Google is facing what looks like a serious adtech platform challenge from many directions – the EU, the Justice Department, and several states. Facebook, meanwhile, is lucky to be a target of the Federal Trade Commission, which rather embarrassingly had to withdraw claims that Facebook's acquisition of Within would remove an actual (as opposed to a hypothetical) competitor from the market. No one seems to have challenged Google's acquisition of Mandiant, meanwhile. Richard suspects that is because Google is not likely to do anything much with the company.

David walks us through the new White House national security strategy – and puts it in historical context.

Mark and I cross swords over PayPal's determination to take my money for saying things Paypal doesn't like. Visa and Mastercard are less upfront about their willingness to boycott businesses they consider beyond the pale, but all money transfer companies have rules of this kind, he says. We end up agreeing that transparency, the measure usually recommended for platform speech suppression, makes sense for Paypal and its ilk, especially since they're already subject to extensive government regulation.

Richard and I dive into the market for identity security. It's hot, thanks to zero trust computing. Thoma Bravo is leading a rollup of identity companies. I predict security troubles ahead for the merged portfolio.

In updates and quick hits:

• The Texas social media law is on hold again, but don't get excited. It is a voluntary deal designed to speed Supreme Court consideration of a review petition.
• Now Ukraine knows how Twitter feels: Elon Musk has changed his mind again. He will not be demanding that Department of Defense pay for the Starlink service Elon rolled out at the start of the war with Russia.
• After catching Google red-handed in what looks like ideological use of a spam filter, the GOP now appears to be overplaying its hand.
• And I predict much more coverage, not to mention prosecutorial attention, will result from accusations that a powerful partner at the establishment law firm, Dechert, engaged in hack-and-dox attacks on adversaries of his clients.

Download the 426th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets

It's been a jam-packed week of cyberlaw news, but the big debate of the episode is triggered by the White House blueprint for an AI 'bill of rights'. I've just released a long post about the campaign to end "AI bias" in general, and the blueprint in particular. In my view, the bill of rights will end up imposing racial and gender (not to mention intersex!) quotas on a vast swath of American life. Nick Weaver argues that AI is in fact a source of secondhand racism and sexism, something that will not be fixed until we do a better job of forcing the algorithm to explain how it arrives at the outcomes it produces. We do not agree on much, but we do agree that lack of explainability is a big problem for the new technology.

President Biden has issued an executive order meant to resolve the U.S.-EU spat over transatlantic data flows -- at least for a few years, until the anti-American EU Court of Justice finds it wanting again. Nick and I explore some of the mechanics created by the executive order. I argue that masking the identities of foreign intelligence targets will be bad for the comprehensibility of U.S. intelligence reports and for the privacy of U.S. persons. On the other hand, the quasijudicial system the order creates is cleverly designed to discourage litigant grandstanding.

Matthew Heiman covers the biggest CISO news of the week, the month, and the year – the criminal conviction of Uber's CSO, Joe Sullivan, for failure to disclose a data breach to the Federal Trade Commission. Matthew is less surprised by the verdict than others, but we agree that it will change the way CISOs do their job and relate to their fellow corporate officers.

Brian Fleming joins us to cover an earthquake in U.S.-China tech trade – the sweeping new export restrictions on U.S. chips and technology. This will be a big deal for all U.S. tech companies, we agree, and probably a disaster for them in the long run if U.S. allies don't join the party.

I go back to dig a little deeper on a story we covered with just a couple of hours' notice last week – the Supreme Court's grant of review in two cases touching on Big Tech's liability for hosting the content of terror groups. It turns out that only one of the cases is likely to turn on section 230. That's Google's almost laughable claim that holding YouTube liable for recommending terrorist videos is holding it liable as a publisher. The other case will almost certainly turn on when distribution of terrorist content can be punished as "material assistance" to terror groups.

Brian walks us through the endless negotiations between TikTok and the U.S. over a security deal. We are both puzzled over the partisanization of the TikTok security issue, although I suggest one reason why that might be happening.

Matthew catches us up on a little-covered Russian hack and leak operation aimed at former MI6 boss Richard Dearlove and British Prime Minister Boris Johnson. Matthew gives Dearlove's security awareness a low grade.

Finally, two updates:

• Nick catches us up on the Elon Musk-Twitter fight. Nick's gloating now, but he is sure he'll be booted off the platform when Musk takes over.
• And I pass on some very unhappy feedback from a friend at the Election Integrity Partnership (EIP), who feels we were too credulous in commenting on a JustTheNews story that left a strong impression of unseemly cooperation in suppressing election integrity misinformation. The EIP's response makes several good points in its own defense, but I remain concerned that the project as a whole raises real concerns about how tightly Silicon Valley, NGOs, and the government embraced each other to suppress speech "delegitimizing" election results.

Download the 425th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets

You probably haven't given much thought recently to the wisdom of racial and gender quotas that allocate jobs and other benefits to racial and gender groups based on their proportion of the population. That debate is pretty much over. Google tells us that discussion of racial quotas peaked in 1980 and has been declining ever since. While still popular with some on the left, they have been largely rejected by the country as a whole. Most recently, in 2019 and 2020, deep blue California voted to keep in place a ban on race and gender preferences. So did equally left-leaning Washington state.

So you might be surprised to hear that quotas are likely to show up everywhere in the next ten years, thanks to a growing enthusiasm for regulating technology – and a large contingent of Republican legislators. That, at least, is the conclusion I've drawn from watching the movement to find and eradicate what's variously described as algorithmic discrimination or AI bias.

Claims that machine learning algorithms disadvantage women and minorities are commonplace today. So much so that even centrist policymakers agree on the need to remedy that bias. It turns out, though, that the debate over algorithmic bias has been framed so that the only possible remedy is widespread imposition of quotas on algorithms and the job and benefit decisions they make.

To see this phenomenon in action, look no further than two very recent efforts to address AI bias. The first is contained in a privacy bill, the American Data Privacy and Protection Act (ADPPA). The ADPPA was embraced almost unanimously by Republicans as well as Democrats on the House energy and commerce committee; it has stalled a bit, but still stands the best chance of enactment of any privacy bill in a decade (its supporters hope to push it through in a lame-duck session). The second is part of the AI Bill of Rights released last week by the Biden White House.

Dubious claims of algorithmic bias are everywhere

I got interested in this issue when I began studying claims that algorithmic face recognition was rife with race and gender bias. That narrative has been pushed so relentlessly by academics and journalists that most people assume it must be true. In fact, I found, claims of algorithmic bias are largely outdated, false, or incomplete. They've nonetheless been sold relentlessly to the public. Tainted by charges of racism and sexism, the technology has been slow to deploy, at a cost to Americans of massive inconvenience, weaker security, and billions in wasted tax money – not to mention driving our biggest tech companies from the field and largely ceding it to Chinese and Russian competitors.

The attack on algorithmic bias in general may have even worse consequences. That's because, unlike other antidiscrimination measures, efforts to root out algorithmic bias lead almost inevitably to quotas, as I'll try to show in this article.

Race and gender quotas are at best controversial in this country. Most Americans recognize that there are large demographic disparities in our society, and they are willing to believe that discrimination has played a role in causing the differences. But addressing disparities with group remedies like quotas runs counter to a deep-seated belief that people are, and should be, judged as individuals. Put another way, given a choice between fairness to individuals and fairness on a group basis, Americans choose individual fairness. They condemn racism precisely for its refusal to treat people as individuals, and they resist remedies grounded in race or gender for the same reason.

The campaign against algorithmic bias seeks to overturn this consensus – and to do so largely by stealth. The ADPPA that so many Republicans embraced is a particularly instructive example. It begins modestly enough, echoing the common view that artificial intelligence algorithms need to be regulated. It requires an impact assessment to identify potential harms and a detailed description of how those harms have been mitigated. Chief among the harms to be mitigated is race and gender bias.

So far, so typical. Requiring remediation of algorithmic bias is a nearly universal feature of proposals to regulate algorithms.  The White House blueprint for an artificial intelligence bill of rights, for example, declares, "You should not face discrimination by algorithms and systems should be used and designed in an equitable way."

All roads lead to quotas

The problems begin when the supporters of these measures explain what they mean by discrimination. In the end, it always boils down to "differential" treatment of women and minorities. The White House defines discrimination as "unjustified different treatment or impacts disfavoring people based on their "race, color, ethnicity, [and] sex" among other characteristics. While the White House phrasing suggests that differential impacts on protected groups might sometimes be justified, no such justification is in fact allowed in its framework.  Any disparities that could cause meaningful harm to a protected group, the document insists, "should be mitigated."

The ADPPA is even more blunt. It requires that, among the harms to be mitigated is any "disparate impact" an algorithm may have on a protected class – meaning any outcome where benefits don't flow to a protected class in proportion to its numbers in society. Put another way, first you calculate the number of jobs or benefits you think is fair to each group, and any algorithm that doesn't produce that number has a "disparate impact."

Neither the White House nor the ADPPA distinguish between correcting disparities caused directly by intentional and recent discrimination and disparities resulting from a mix of history and individual choices. Neither asks whether eliminating a particular disparity will work an injustice on individuals who did nothing to cause the disparity. The harm is simply the disparity, more or less by definition.

Defined that way, the harm can only be cured in one way. The disparity must be eliminated. For reasons I'll discuss in more detail shortly, it turns out that the disparity can only be eliminated by imposing quotas on the algorithm's outputs.

The sweep of this new quota mandate is breathtaking. The White House bill of rights would force the elimination of disparities "whenever automated systems can meaningfully impact the public's rights, opportunities, or access to critical needs" – i.e., everywhere it matters. The ADPPA in turn expressly mandates the elimination of disparate impacts in "housing, education, employment, healthcare, insurance, or credit opportunities."

And quotas will be imposed on behalf of a host of interest groups. The bill demands an end to disparities based on "race, color, religion, national origin, sex, or disability." The White House list is far longer; it would lead to quotas based on "race, color, ethnicity, sex (including pregnancy, childbirth, and related medical conditions, gender identity, intersex status, and sexual orientation), religion, age, national origin, disability, veteran status, genetic information, or any other classification protected by law."

Blame the machine and send it to reeducation camp

By now, you might be wondering why so many Republicans embraced this bill. The best explanation was probably offered years ago by Sen. Alan Simpson (R-WY): "We have two political parties in this country, the Stupid Party and the Evil Party. I belong to the Stupid Party." That would explain why GOP committee members didn't read this section of the bill, or didn't understand what they read.

To be fair, it helps to have a grasp of the peculiarities of machine learning algorithms. First, they are often uncannily accurate. In essence, machine learning exposes a neural network computer to massive amounts of data and then tells it what conclusion should be drawn from the data. If we want it to recognize tumors from a chest x-ray, we show it millions of x-rays, some with lots of tumors, some with barely detectable tumors, and some with no cancer at all. We tell the machine which x-rays belong to people who were diagnosed with lung cancer within six months. Gradually the machine begins to find not just the tumors that specialists find but subtle patterns, invisible to humans, that it has learned to associate with a future diagnosis of cancer.  This oversimplified example illustrates how machines can learn to predict outcomes (such as which drugs are most likely to cure a disease, which websites best satisfy a given search term, and which borrowers are most likely to default) far better and more efficiently than humans.

Second, the machines that do this are famously unable to explain how they achieve such remarkable accuracy. This is frustrating and counterintuitive for those of us who work with the technology. But it remains the view of most experts I've consulted that the reasons for the algorithm's success cannot really be explained or understood; the machine can't tell us what subtle clues allow it to predict tumors from an apparently clear x-ray. We can only judge it by its outcomes.

Still, those outcomes are often much better than any human can match, which is great, until they tell us things we don't want to hear, especially about racial and gender disparities in our society. I've tried to figure out why the claims of algorithmic bias have such power, and I suspect it's because machine learning seems to show a kind of eerie sentience.

It's almost human. If we met a human whose decisions consistently treated minorities or women worse than others, we'd expect him to explain himself. If he couldn't, we'd condemn him as a racist or a sexist and demand that he change his ways.

To view the algorithm that way, of course, is just anthropomorphism, or maybe misanthropomorphism. But this tendency shapes the public debate; academic and journalistic studies have no trouble condemning algorithms as racist or sexist simply because their output shows disparate outcomes for different groups. By that reductionist measure, of course, every algorithm that reflects the many demographic disparities in the real world is biased and must be remedied. 

And just like that, curing AI bias means ignoring all the social and historical complexities and all the individual choices that have produced real-life disparities. When those disparities show up in the output of an algorithm, they must be swept away.

Not surprisingly, machine learning experts have found ways to do exactly that. Unfortunately, for the reasons already given, they can't unpack the algorithm and separate the illegitimate from the legitimate factors that go into its decisionmaking.

All they can do is send the machine to reeducation camp. They teach their algorithms to avoid disparate outcomes, either by training the algorithm on fictional data that portrays a "fair" world in which men and women all earn the same income and all neighborhoods have the same crime rate, or simply by penalizing the machine when it produces results that are accurate but lack the "right" demographics. Reared on race and gender quotas, the machine learns to reproduce them.

All this reeducating has a cost. The quotafied output is less accurate, perhaps much less accurate, than that of the original "biased" algorithm, though it will likely be the most accurate results that can be produced consistent with the racial and gender constraints.  To take one example, an Ivy League school that wanted to select a class for academic success could feed ten years' worth of college applications into the machine along with the grade point averages the applicants eventually achieved after they were admitted. The resulting algorithm would be very accurate at picking the students most likely to succeed academically. Real life also suggests that it would pick a disproportionately large number of Asian students and a disproportionately small number of other minorities.

The White House and the authors of the ADPPA would then demand that the designer reeducate the machine until it recommended fewer Asian students and more minority students.  That change would have costs. The new student body would not be as academically successful as the earlier group, but thanks to the magic of machine learning, it would still accurately identify the highest achieving students within each demographic group. It would be the most scientific of quota systems.

That compromise in accuracy might well be a price the school is happy to pay. But the same cannot be said for the individuals who find themselves passed over solely because of their race. Reeducating the algorithm cannot satisfy the demands of individual fairness and group fairness at the same time.

How machine learning enables stealth quotas

But it can hide the unfairness. When algorithms are developed, all the machine learning, including the imposition of quotas, happens "upstream" from the institution that will eventually rely on it. The algorithm is educated and reeducated well before it is sold or deployed. So the scale and impact of the quotas it's been taught to impose will often be hidden from the user, who sees only the welcome "bias-free" outcomes and can't tell whether (or how much) the algorithm is sacrificing accuracy or individual fairness to achieve demographic parity.

In fact, for many corporate and government users, that's a feature, not a bug. Most large institutions support group over individual fairness; they are less interested in having the very best work force -- or freshman class, or vaccine allocation system -- than they are in avoiding discrimination charges. For these institutions, the fact that machine learning algorithms cannot explain themselves is a godsend. They get outcomes that avoid controversy, and they don't have to answer hard questions about how much individual fairness has been sacrificed. Even better, the individuals who are disadvantaged won't know either; all they will only know is that "the computer" found them wanting.

If it were otherwise, of course, those who got the short end of the stick might sue, arguing that it's illegal to deprive them of benefits based on their race or gender. To head off that prospect, the ADPPA bluntly denies them any right to complain. The bill expressly states that, while algorithmic discrimination is unlawful in most cases, it's perfectly legal if it's done "to prevent or mitigate unlawful discrimination" or for the purpose of "diversifying an applicant, participant, or customer pool." There is of course no preference that can't be justified using those two tools. They effectively immunize algorithmic quotas, and the big institutions that deploy them, from charges of discrimination.

If anything like that provision becomes law, "group fairness" quotas will spread across much of American society. Remember that the bill expressly mandates the elimination of disparate impacts in "housing, education, employment, healthcare, insurance, or credit opportunities." So if the Supreme Court this term rules that colleges may not use admissions standards that discriminate against Asians, in a world where the ADPPA is law, all the schools will have to do is switch to an appropriately reeducated admissions algorithm. Once laundered through an algorithm, racial preferences that otherwise break the law would be virtually immune from attack.

Even without a law, demanding that machine learning algorithms meet demographic quotas will have a massive impact. Machine learning algorithms are getting cheaper and better all the time. They are being used to speed many bureaucratic processes that allocate benefits, from handing out food stamps and setting vaccine priorities to deciding who gets a home mortgage, a donated kidney, or admission to college. As shown by the White House AI Bill of Rights, it is now conventional wisdom that algorithmic bias is everywhere and that designers and users have an obligation to stamp it out. Any algorithm that doesn't produce demographically balanced results is going to be challenged as biased, so for companies that offer algorithms the course of least resistance is to build the quotas in. Buyers of those algorithms will ask about bias and express relief when told that the algorithm has no disparate impact on protected groups. No one will give much thought (or even, if the ADPPA passes, a day in court) to individuals who lose a mortgage, a kidney, or a place at Harvard in the name of group justice.

That's just not right. If we're going to impose quotas so widely, we ought to make that choice consciously. Their stealthy spread is bad news for democracy, and probably for fairness.

But it's good news for the cultural and academic left, and for businesses who will do anything to get out of the legal crossfire over race and gender justice. Now that I think about it, maybe that explains why the House GOP fell so thoroughly into line on the ADPPA. Because nothing is more tempting to a Republican legislator than a profoundly stupid bill that has the support of the entire Fortune 500.

We open today's episode with early news of the Supreme Court's decision to review whether section 230 protects platforms from liability for materially assisting terror groups whose speech they distribute (or even recommend). I predict that this is the beginning of the end of the house of cards that aggressive lawyering and good press have built for the platforms on the back of section 230. Why?  Because Big Tech stayed out of the Supreme Court too long. Now, when section 230 finally gets to the Court, everyone hates Silicon Valley and its entitled content moderators. Jane Bambauer, Gus Hurwitz, and Mark MacCarthy weigh in admirably, despite the unfairness of having to comment on a cert grant that is less than two hours old.

Just to remind us why everyone hates Big Tech's content practices, we do a quick review of the week's news in content suppression.

• A couple of conservative provocateurs prepared  a video consisting of Democrats embracing "election denial." The purpose was to highlight the hypocrisy of those who criticize the GOP for a trope that belonged mainly to Dems until two years ago. And it worked all too well: YouTube did a manual review of the video before it was even released and demonetized it because, well, who knows? An outcry led to reinstatement, but too late for YouTube's reputation. Jane has the story.
• YouTube also steps in the same mess by first suppressing then restoring a video by Giorgia Meloni, the big winner of Italy's recent election. She's on the right, but you already knew that from how YouTube dealt with her.
• Mark covers an even more troubling story, in which government officials flag online posts about election security that they don't like for NGOs that the government will soon be funding, the NGOs take those complaints to the platforms, and the platforms take a lot of the posts down. Really, what could possibly go wrong?
• Jane asks why Facebook is "moderating" private messages sent by the wife of an FBI whistleblower.  I suspect that this is not so much content moderation as part of the government and big tech's hyperaggressive joint pursuit of anything related to January 6. But it definitely deserves investigation.
• Across the Atlantic,  Jane notes, the Brits are hating Facebook for the content it let 14-year-old Molly Russell read before her suicide. Exactly what was wrong with the content is a little obscure, but we agree that material served to minors is ripe for more regulation, especially outside the US.

For a change of pace, Mark has some largely unalloyed good news.  The ITU will not be run by a Russian; instead it has elected an American, Doreen Bodan-Martin to lead it.

Mark tells us that all the Sturm und Drang over tougher antitrust laws for Silicon Valley has wound down to a few modestly tougher provisions that have now passed the House. That is all that will be passed this year, and perhaps in this Administration.

Gus gives us a few highlights from FTCland:

• The FTC is likely to strengthen enforcement tools for its consent decrees, mainly by identifying individuals it can fine for violations. Gus doubts this will work out well in practice.
• The FTC is also end-running a recent Supreme Court decision that denied it the authority to impose certain financial penalties. Now the Commission will bring cases jointly with state agencies who have that authority.

Jane unpacks a California law prohibiting cooperation with subpoenas from other states without an assurance that the subpoenas aren't enforcing laws against abortions that would be legal in California. California is playing the role in twenty-first century federalism that South Carolina played in the nineteenth and twentieth centuries; I predict that some enterprising red state attorney general is likely to challenge the validity of California's law – and win.

Gus notes that private antitrust cases remain hard to win, especially without evidence, as Amazon and major book publishers gain the dismissal of antitrust lawsuits over book pricing.

Finally, in quick hits and updates:

• Gus previews an upcoming executive order intended to cool off the fight over data transfers across the Atlantic
• I cover two US espionage arrests, one of them best summarized by the Babylon Bee
• I also note a large privacy flap Down Under, where the exposure of lots of personal data from a telco database seems likely to cost the carrier, and its parent dearly.

Download the 424th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets

This episode features a much deeper, and more diverse, examination of the Fifth Circuit decision upholding Texas's social media law than we did last week. We devote the last half of this episode to a structured dialogue  between Adam Candeub and Alan Rozenshtein about the decision. Both have written about it, Alan critically and Adam supportively. I lead off, arguing that, contrary to legal Twitter's dismissive reaction, the opinion is a brilliant and effective piece of Supreme Court advocacy. Alan thinks that's exactly the problem; he objects to the opinion's grating self-certainty and refusal to acknowledge the less convenient parts of past case law. Adam is closer to my view. We all seem to agree that the opinion succeeds as an audition for Judge Oldham to become Justice Oldham in the DeSantis Administration.

We walk through the opinion and what its critics don't like, touching on the competing free expression interests of social media users and of the platforms themselves, whether there's any basis for an injunction today, given the relative weakness of the overbreadth argument, and whether "exercising editorial discretion" is a fundamental right under the first amendment or just an artifact of older technologies. Most intriguingly, we find unexpected consensus that Judge Oldham's (and Justice Thomas's) common carrier argument may turn out to be the most powerful argument in the case when it reaches the Court.

In the news roundup, we focus on the sprint to pass additional legislation before the end of the Congress. Michael Ellis explains the debate between the Cyberspace Solarium Commission alumni and business lobbyists over enacting a statutory set of obligations for systemically critical infrastructure companies.

Adam outlines a strange-bedfellows bill that has united Sens. Amy Klobuchar (D-Minn.) and Ted Cruz (R-Texas) in an effort to give small media companies and broadcasters an antitrust immunity to bargain with the big social media platforms over the use of their content. Adam is a skeptic, Alan less so.

The Pentagon, reliably braver when facing bullets than a bad Washington Post story, is performing to type in the flap over fake social media accounts. Michael tells us that the accounts pushed pro-U.S. stories but had met with little success before Meta and Twitter caught on and kicked them off their platforms. Now the Department of Defense is conducting a broad review of military information operations. I predict fewer such efforts and don't mourn their loss.

Adam and I touch on a decision of Meta's Oversight Board criticizing Facebook's automated image takedowns. I offer a new touchstone for understanding content regulation at the Big Platforms: They just don't care, so they've turned the whole effort over to second-rate AI and second-rate employees. There's a lot of explanatory power there.

Michael walks us through the Department of the Treasury's new flexibility on sending communications software and services to Iran.

And, in quick hits, I note that:

• The Justice Department's China Initiative continues to suffer pushback,
• We should all expect bad things from the emergence of  violence as a service, and
• Russian botmasters have suddenly discovered that extradition to the U.S. may be better than going home and facing mobilization.

Download the 423rd Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets. Especially the pets.

The big news of the week was a Fifth Circuit decision upholding Texas's law regulating social media speech suppression. The decision was poorly received by the usual supporters of social media censorship but I found it both remarkably well written and surprisingly persuasive. That does not mean it will survive the almost inevitable Supreme Court review but Judge Oldham wrote an opinion that could be a model for a Supreme Court decision upholding the Texas law.

The big hacking story of the week was a brutal takedown of Uber, probably by the dreaded Advanced Persistent Teenager. Dave Aitel explains what happened and why no other large corporation should feel smug or certain that the same cannot happen to them. Nick Weaver piles on.

Maury Shenk explains a recent European court decision upholding sanctions on Google for its restriction of Android phone implementations.

Dave points to some of the less well publicized aspects of the Twitter whistleblower's testimony before Congress. We agree on the bottom line – that Twitter is utterly incapable of protecting either U.S. national security or even the security of its users' messages. If there were any doubt about that, it would be laid to rest by Twitter's dependence on Chinese government advertising revenue.

Maury and Nick tutor me on The Merge, which moves Ethereum from "proof of work' to "proof of stake," massively reducing the climate footprint of the cryptocurrency. They are both surprisingly upbeat about it.

Maury also lays out a new European proposal for regulating the internet of things – and, I point out, for massively increasing the cost of all those things.

China is getting into the attribution game. It has issued a report blaming the National Security Agency for intruding on Chinese educational institution networks. Dave is not impressed.

The Department of Homeland security, in breaking news from 2003, has been storing the contents of phones it seizes on the border. Dave predicts that DHS will have to further pull back on its current practices. I'm less sure.

Now that China is regulating vulnerability disclosures, are Chinese companies reluctant to disclose vulnerabilities outside China? The Atlantic Council has a report on the subject, but Dave thinks the results are ambiguous at best.

In quick hits:

• The Senate has confirmed Nate Fick as the first U.S. cyber ambassador
• I reiterate wit evidence my cynical view that Apple's app rules are not so much concerned about protecting your privacy as about taking share from Google and Facebook in the advertising market
• Nick lays out the latest Treasury Department guidance on sanctions and tornado cash
• Maury explains how the Indian government persuaded 50 million Indians to geotag their homes
• And I tell listeners how the FBI and Silicon Valley could be working together to identify conservatives for potential criminal investigation.

Download the 422nd Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Gus Hurwitz brings us up to speed on major tech bills in Congress. They are all dead. But some of them don't know it yet.

The big privacy bill, American Data Privacy and Protection Act, was killed by the left, but I argue that it's the right that should be celebrating, since the bill would have imposed race and gender preferences all across the economy, and the GOP members who supported the measure in the House were likely sold a bill of goods by industry lobbyists.

The big antitrust bill, American Innovation and Choice Online Act, is also a zombie, Gus argues, lurching undead toward the Senate floor but unlikely to muster the GOP votes needed to pass, mainly because content moderation has become a simple partisan issue: the GOP wants less (or fairer) moderation, Dems want more of what Silicon Valley has been dishing out for the past few years. If the bill doesn't produce viewpoint competition in the tech sector, it offers nothing for the GOP, and industry lobbyists are happily driving wedges into that divide.

The same divide also caused a stutter in the bill allowing newspapers to bargain collectively with the big platforms. It may make it to the floor, but it's already losing body parts.

Meanwhile, the White House is having a weirdly inconclusive "listening session" that might better have been called a "talking but not really proposing anything session."

When Iran launched a wiper attack on Albania because of its harboring of Mujahedin-e-Kalq, Albania broke relations with Iran and the U.S. promised consequences. In fact, all the U.S. seems to have done is impose meaningless sanctions on the already-sanctioned Iranian spy ministry. What was Iran's response? A second cyberattack on Albania. Nate Jones runs down the story. Jamil Jaffer and I question whether governmental sanctions on foreign intelligence agencies, which never promised much, are now delivering an appearance of haplessness and not of strength.

Jamil and I dwell on the criminal trial of Joe Sullivan for how he handled some hackers who got access to personal data stored by Uber. He was the chief security officer, and he decided to pay the hackers a bug bounty in exchange for their promising to destroy the data. That allowed Uber to avoid treating (and reporting) the incident as a breach. Creative lawyering or too creative by half? I could go either way, but calling it obstruction of justice and wire fraud seems like a reach. Nonetheless, that's what the Justice is charging in a case that opened last week. It is heavily politicized, and all the politics – corporate and governmental – line up against Sullivan. Whether the jury will do the same is another question. Meanwhile, everyone from other CISOs to former New York Times reporter Nicole Perlroth are questioning the prosecution's merits and warning of its likely consequences. However the case comes out, I predict that the biggest loser will be the FBI, which will never again get the kind of welcome from CISOs that it has in more innocent days.

Jamil critiques Apple's decision to support China's chip industry with new orders – and its claim that the chips it puts in its phones for the China market will stay in China.

The sanctions on Tornado Cash come back to the podcast for the second week in a row, Nate tells us, this time as litigation. Coinbase is funding an APA and constitutional challenge to Treasury's anctioning of a pile of code rather than a person or entity. My money is on the Treasury winning in the end.

In quicker hits,

• Nate and I talk about the many cryptocurrency policy papers coming out of the administration these days. Treasury plans to warn the White House that cryptocurrency needs regulation. And the White House science office thinks proof-of-work crypto mining is warming the planet unnecessarily.
• Gus and I wonder out loud whether Lina Khan's Federal Trade Commission has a fatal case of "eyes bigger than stomach."
• Nate covers the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) request for public feedback on its mandatory incident reporting rule.
• Gus and I note new criticism of the EU's AI Act.
• Gus also lays out the opening round in what could turn out to be an important Justice Department case trying to end Google's large payments to be the default search engine on popular platforms like the iPhone.

Download the 421st Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

This is our return-from-hiatus episode. Jordan Schneider kicks things off by covering the passage of a major U.S. semiconductor-building subsidy bill, while new contributor Brian Fleming talks with Nick Weaver about new foreign investment restrictions on chip (and maybe other) technology companies, as well as new export controls on (artificial Intelligence (AI) chips going to China. Jordan also covers a big corruption scandal arising from China’s big chip-building subsidy program, leading me to wonder when we’ll have our version.

Brian and Nick cover the month’s biggest cryptocurrency policy story, the imposition of OFAC sanctions on Tornado Cash. They agree that, while the outer limits of sanctions aren’t entirely clear, they are likely to show that sometimes the U.S. Code actually does trump digital code. Nick points listeners to his bracing essay, OFAC Around and Find Out.

Paul Rosenzweig reprises his role as the voice of reason in the debate over location tracking and Dobbs. (Literally. Paul and I did an hour-long panel on the topic last week. It’s available here.) I reprise my role as Chief Privacy Skeptic, calling the Dobbs/location fuss an overrated tempest in a teapot.

Brian takes on one aspect of the Mudge whistleblower complaint criticizing Twitter's security: Twitter’s poor record at keeping foreign spies from infiltrating its workforce and getting wide access to its customer records. Perhaps coincidentally, he notes, a former Twitter employee was just convicted of “spying lite”, proving the company is just as good at national security protection as it is at content moderation.

Meanwhile, returning to onshore aspects of U.S.-China economic relations, Jordan tells us about the survival of high-level government concerns about TikTok. I note that, in the years since these concerns first surfaced in the Trump era, TikTok’s lobbying efforts have only grown more sophisticated. Speaking of which, Klon Kitchen has done a good job of highlighting DJI’s increasingly sophisticated lobbying in Washington D.C.

The Cloudflare decision to deplatform Kiwi Farms kicks off a donnybrook, with Paul and Nick on one side and me on the other. It’s a classic Cyberlaw Podcast debate.

In quick hits and updates:

• Nick and I cover the sad story of the Dad who photographed his baby’s private parts at a doctor’s request and, thanks to Google’s lack of human appellate review, lost his email, his phone number, and all of the accounts that used the phone for 2FA.
• Paul brings us up to speed on the U.S.-EU data fight: and teases today's Federalist Society webinar on the topic.
• Nick explains the big changes likely to come to the porn world because of a lawsuit against Visa. And why Twitter narrowly averted its own child sex scandal.
• I update listeners on the flap over Google’s bias against GOP fundraising emails. It has led to an unlikely result: less spam filtering for all such emails.
• And, after waiting much too long, Brian Krebs has retracted his post about a Ubiquity “breach” that led the company to sue him.

Download the 420th Episode (mp3) 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Just when you thought you had a month free of the Cyberlaw Podcast, it turns out that we are persisting, at least a little. This month we offer a bonus episode, in which Dave Aitel and I interview Michael Fischerkeller, one of three authors of "Cyber Persistence Theory: Redefining National Security in Cyberspace."

The book is a detailed analysis of how cyberattacks and espionage work in the real world – and a sharp critique of military strategists who have substituted their models and theories for the reality of cyber conflict. We go deep on the authors' view that conflict in the cyber realm is all about persistent contact and faits accomplis rather than compulsion and escalation risk. Dave pulls these threads with enthusiasm.

I recommend the book and interview in part because of how closely the current thinking at United States Cyber Command is mirrored in both.

Download the 419th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

As Congress barrels toward an election that could see at least one house change hands, efforts to squeeze a few big bills into law are mounting.  The one with the best chance (better than I expected) would drop $52 billion in cash and a boatload of tax breaks on the semiconductor

Dusty Old Trust Building, Providence, RI

industry. Michael Ellis points out that this is industrial policy without apology, and a throwback to the 1980s, when the government organized Sematech to shore up US chipmaking. Thanks to a bipartisan consensus on the need to fight a Chinese challenge, and elimination of controversial provisions that tried to hitch a ride on the bill, there now looks to be a clear path to enactment for this bill.

And if there were doubt about how serious the Chinese challenge in chips will be, we highlight an undercovered story revealing that China’s chipmaking champion, SMIC, has been making 7-nanometer chips for months without making a public announcement.  That’s a diameter that Intel and GlobalFoundries, the main US producers, have yet to reach in commercial production.

The national security implications are plain. If commercial products from China are cheap enough to sweep the market, even security-minded agencies will be forced to buy them, as it turns out the FBI and DHS have both been doing with Chinese drones. Nick recommends that policymakers read his Lawfare piece showing just how cheaply the US (and Ukraine) could be making drones.

Responding to the growing political concern about national security and Chinese products, TikTok’s owner ByteDance, has  increased its U.S. lobbying budget to more than $8 million a year, Christina Ayiotis tells us; that's an amount, I point out, that just about matches what Google spends on lobbying.

In the same vein, Nick Weaver and Michael question why the government hasn’t come up with the extra $3 billion to fund “rip and replace” for Chinese telecom gear. That effort will certainly get a boost from reports that Chinese telecom gear was offered on especially favorable terms to carriers who service America’s nuclear missile locations. I note that the Obama administration actually paid these same rural carriers to install Chinese equipment in the teens, as part of the 2009 stimulus law. I can’t help wondering why US taxpayers should pay those carriers both to install and to remove the same gear.

In news not tied to China, Nick tells us about the House’s serious progress on a compromise federal data privacy bill. It’s probably still doomed, given resistance from Dems (and maybe the GOP) in the Senate. I argue that that’s a good thing, given the bill's egregious effort to impose “disparate impact” quotas for race, color, religion, national origin, sex, and disability on the outcomes of every algorithm that processes even a little personal data. This is a transformative social engineering project, imposed by a single section (207) of  the bill without any serious debate.

Tina grades Russian information warfare based on its latest exploit:  hacking a Ukrainian radio broadcaster to spread fake news about Zelensky’s health,  As a hack, it gets a passing grade, but as a believable bit of information warfare, it’s a bust.

Tina, Michael and I evaluate YouTube’s new policy on removing “misinformation” related to abortion, and the risk that this policy, like so many Silicon Valley speech suppression schemes, will start out sounding plausible and end up enforcing political correctness. 

Nick and I celebrate DOJ’s increasing though still episodic success in seizing cryptocurrency from hackers and ransomware gangs. It may just be Darwin at work, but it’s nice to see.

Nick offers the recommended long read of the week --  Brian Krebs’s takedown of the VPN malware supplier, 911.

And in updates and quick hits:

1. That Twitter worker arrested for spying on behalf of Saudi Arabia is going to trial.
2. GCHQ’s cryptoskeptics have returned to ask how we can square end-to-end encryption with child safety. I think the answer is “Not well.”
3. GDPR's consequences are still emerging: Turns out, it means that schoolkids in Denmark won’t be able to use Chromebooks or Google Workspace.
4. And Nick takes a moment to dunk on the Three Arrows founders, whose cryptocurrency company went under in the bust and who are now giving interviews from an undisclosed location.

Listen to Episode 418 here.

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed.  Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

* This week's title is an obscure Rhode Island tribute to the Industrial Trust Building, known to a generation of children as the ‘Dusty Old Trust” building until a new generation christened it the “Superman Building.” 

Kicking off a packed episode, the Cyberlaw Podcast calls on Megan Stifel to cover the first Cyber Safety Review Board (CSRB) Report. The CSRB does exactly what those of us who supported the idea hoped it would do – provide an authoritative view of how the Log4J incident unfolded along with some practical advice for cybersecurity executives and government officials.

Jamil Jaffer tees up the second blockbuster report of the week, a Council on Foreign Relations study called "Confronting Reality in Cyberspace Foreign Policy for a Fragmented Internet." I think the study's best contribution is its demolition of the industry-led claim that we must have a single global internet. That has not been a realistic prospect for a decade, and pursuing that vision has kept the U.S. from fully defending its own interests in cyberspace, so CFR's realism is welcome. Less welcome is its utterly wrong claim that the U.S. can resolve its transatlantic dispute with Europe by adopting a European-style privacy law. Europe has no real remaining beef with us on privacy regulation of industry (we surrendered); now the fight is over Europe's demand that we rewrite our intelligence and counterterrorism laws, a demand that new privacy legislation won't satisfy. Jamil Jaffer and I debate both propositions.

Megan discloses the top cybersecurity provisions added to the House defense authorization bill – notably the five year term for the head of Cybersecurity and Infrastructure Security Agency (CISA) and a cybersecurity regulatory regime for systemically critical industry. The Senate hasn't weighed in yet, but both provisions now look more likely than not to become law.

Regulatory cybersecurity measures are the flavor of the month in Washington. The latest evidence: The Biden White House is developing a cybersecurity strategy that is expected to encourage more regulation. Jamil reports on the development but is clearly hoping that my prediction of more regulation does not come true.

Speaking of cybersecurity regulation, Megan kicks off a discussion of Department of Homeland Security's CISA weighing in to encourage new regulation from the Federal Communication Commission (FCC) to incentivize a shoring up of the Border Gateway Protocol's security. Jamil thinks the FCC would do better looking for incentives than punishments.

Tatyana Bolton and I try to unpack a recent smart contract hack and the confused debate about whether "Code is Law" in web3. Answer: it is not, and never was, but that does not turn the hacking of a smart contract into a violation of the Computer Fraud and Abuse Act.

Megan covers North Korea's tactic for earning dollars while trying to infiltrate U.S. crypto firms – getting remote work employment at the firms as coders. I wonder why LinkedIn is not doing more to stop scammers like this, given the company's rich trove of data about job applicants using the site.

Not to be outdone, other ransomware gangs are now adding to the threat of doxing their victims by making it easier to search their stolen data. Jamil and I debate the best way to counter the tactic.

Tatyana reports on Sen. Mark Warner's (D-Va) effort to strongarm the intelligence community into supporting Sen. Amy Klobuchar's (D-MN) antitrust law aimed at the biggest tech platforms – despite its inadequate protections for national security.

Jamil discounts as old news the Uber leak. I agree; we didn't learn much from the orgy of coverage that we didn't already know about Uber's highhanded approach in the teens to taxi monopolies and government.

Jamil and I endorse the efforts of a Utah startup devoted to following China's IP theft using China's surprisingly open information. Why Utah, you ask? We've got the answer.

In quick hits and updates:

• Josh Schulte has finally been convicted for one of the most damaging intelligence leaks in history.
• Google gets grudging respect from me for its political jiu-jitsu. Faced with smoking gun evidence of its political bias after the company spam-blocked GOP but not Dem fundraising messages, Google turned the tables. It managed to kick off public  outrage by saying it wanted to fix its bias problem by forcing political spam on all its users. Now the GOP will have the burden of explaining that it's not trying to send us more spam; it just wants Gmail to stop favoring Democrats in running Gmail spam filters.
• And, finally, we all get to enjoy the story of the bored Chinese housewife who created an interlocking universe of fake Russian history on China's Wikipedia. She's promised to stop, but I suspect she's really just been hired to work for the world's most active producer of fake history – China's Ministry of State Security.

Download the 417th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

In this episode, Dave Aitel introduces us to a deliciously shocking story about lawyers as victims -- and maybe co-conspirators -- in the hacking of law firms to win legal disputes.  The trick, it turns out, is figuring out how to benefit from hacked documents without actually dirtying one's hands with the hacking. And here too, a Shakespearean Henry (II this time) has the answer: hire a private investigator and ask "Will no one rid me of this meddlesome litigant?" Before you know it, there's a doxing site full of useful evidence on the internet.

But first Dave digs into an intriguing but flawed story of how and why the White House ended up bigfooting a possible acquisition of NSO by L3Harris. Dave spots what looks like a simple fact error, and we are both convinced that the New York Times got only half the story. I suspect the White House was surprised by the leak, popped off about how bad an idea the deal was, and then was surprised to discover that its intelligence community had signaled support.

That leads us to the reason why NSO has continuing value – its ability to break Apple's phone security. Apple is now trying a new way to reinforce security: its new, more secure and less convenient lockdown mode. Dave gives it high marks, and he challenges Google to match Apple's move.

Next, we dive into the US effort to keep Dutch firm ASML from selling chip-making machines to China. Dmitri Alperovich makes a special appearance to urge more effective use of export controls; he cautions, however, that the US must impose the same burdens on its own firms as on its allies'.

Jane Bambauer introduces the latest government proposal to take a bite out of crime by taking a bite out of end-to-end (e2e) encryption. The U.K. has introduced an amendment to its pending online safety bill that would require regulated user-to-user services to identify and swiftly take down terrorism and child sex abuse material. Identifying such material isn't easy in an e2e environment, Jane notes, so this bill could force adoption of the now-abandoned Apple proposal to do local scanning on your phone. I'm usually a cheap date for crypto-skeptical laws, but I can't help noticing that this proposal will stir up 90% as much opposition as requiring companies to intercept communications when they get a court order while  addressing only 10% of the crimes that occur on e2e networks.

Jane and I take turns pouring cold water on journalists, NGOs, and even Congress for their feverish effort to turn the Supreme Court's abortion ruling into a privacy issue. Dumbest of all, in my view, is the claim that location services will be used to gather evidence and prosecute women who visit out of state abortion clinics. As I point out, such prosecutions couldn't even muster five votes on this Court.

Dave spots another doubtful story about Russian government misuse of a red team hacking tool. He thinks it's actually a case of a red team hacking tool being used by … a red team.

Jane notes that Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) has announced a surprisingly anodyne (and arguably unnecessary) post-quantum cryptography initiative.  I'm a little less hard on DHS, but only a little.

Finally, in updates and quick hits:

• I point out that the U.S. - EU transatlantic data deal is looking a lot like vaporware. That's a worry now that Ireland is on the verge of ordering Facebook to stop moving data across the Atlantic.
• Jane and I take a whack at predicting Elon Musk's Twitter bid. I argue that Musk may escape with less than $1 billion in penalties but for years he will be to mergers what Google is to new digital products.
• And, finally, some modest good news on Silicon Valley's campaign to suppress politically incorrect speech.  Last year, Twitter suspended former NYT reporter Alex Berenson for saying several true but inconvenient things about the covid vaccine (it doesn't stop infection or transmission, and it has side effects, all of which raise real doubts about the wisdom of mandating vaccinations for everyone). Berenson sued, and Twitter has now settled, unsuspending his account. The lawsuit had narrowed down the point where Twitter probably felt it could settle without creating a precedent, but any chink in Big Social's self-righteous armor is worth celebrating.

Download the 416th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

For decades, U.S. cyber exploits were notoriously lawyer-ridden, to the point where it became a key element in attributing US cybertools. But it looks like those days are gone. Today, Israel has matched and surpassed U.S. cyberwarriors on this essential measure. Nate Jones reports on an attack claimed by a vague "hacktivist" group but widely attributed to Israel. The hackers shut down several Iranian mills in a flood of sparks and molten steel. But the most interesting thing about the attack was the video pre-roll, which went out of its way to note that the mills were under international sanction and that the attackers had sent workers warnings to avoid casualties. Some of that was prudence; when you're escalating in cyberspace, it's a good idea to emphasize the limits you're observing. But a lot of it was lawyers advertising the attack's compliance with the law of armed conflict. Coming after an earlier campaign that cut off gasoline supplies but also warned emergency medical and fire services to gas up in advance, it sure looks as though some of the best cyber attacks now come with a phalanx of lawyers.

China, meanwhile, is putting resources into exporting its Fifty Cent Army to the United States. Sultan Meghji and Maury Shenk cover a Chinese social media campaign to turn American rare earths processing into an environmental controversy. In this case, I argue, China is taking a leaf from the Russian playbook; the Russians worked hard to make fracking controversial in the US because it was holding down the price of Russian oil. I urge someone to figure out just how many of those fake American accounts are also on TikTok, and how TikTok's algorithm is treating them.

Speaking of Chinese propaganda, Maury tells us that a well-known Chinese cybersecurity firm is accusing the U.S. of planting Trojans in hundreds of important Chinese information systems, a charge that might be interesting if the report actually provided some details.

Feeling the spur of competition from Israel's cyber lawyers, NSA's counsel has opened a new front. They've persuaded the US Justice Department to fight a merger on the grounds that it will reduce competition in bidding on a single NSA program. Nate and I get stuck on the market definition problems in the case, but Sultan thinks it's an investment opportunity.

This Week in Stupid Artificial Intelligence (AI) Research: We never lack for stories in this category, but this week the two contenders are well matched.  Sultan tells us about a story that proves you can always find sex and race discrimination in AI if your study is designed badly enough. And Maury finds a group of researchers who went one better, designing a moderately effective crime prediction algorithm and then arguing that the police were racist if they put more police into high-crime neighborhoods and racist if they didn't send more police to neighborhoods with rising crime. Since the  point of most AI bias research is apparently to get your story into the press by finding that AI is racist, being able to find racism no matter how the study  turns out is a winning strategy.

Speaking of unimpressive journalism, Sultan flags a Wall Street Journal story that lazily dumps on AI research for not doing everything we want, while pretty much ignoring things it has done well.

Sultan also leads us through the wreckage of one cryptocurrency domino after another, but he thinks it's likely to put a firmer, and more regulated, foundation under the businesses that survive. Nate reprises the EU contribution to the issue – more regulation, natch – but in a surprise twist for the Cyberlaw Podcast, the Brussels proposal gets pretty high marks.

Updating a few stories from past weeks,

• Google is really getting hurt by the study showing its default spam filter favored Democratic fundraising messages over Republican messages by about 7 to 1. The GOP has always believed (correctly) that its views are being handicapped by Silicon Valley, but this time the evidence is hard to refute. Indeed, Google isn't really refuting it, just promising to do better in future, while Republicans are claiming that Gmail's bias cost them $2 billion in donations and proposing tough new transparency laws.
• The Justice Department is upping the stakes for Uber's former chief information security officer (CISO), charging Joe Sullivan with wire fraud for treating what looks like a data breach ransom as a bug bounty. The Department of Justice says this defrauded Uber drivers and customers. Sullivan is the first, but probably not the last, CISO who'll face this charge, as government stops touting "public-private partnership" as the reason for companies to report breaches and instead embraces fear of prosecution.
• And the Transportation Security Administration (TSA), after taking criticism for the harshness of its secret cybersecurity standards for pipelines, has now offered secret amendments to the standards. Is that a good thing? Who knows?

Download the 415th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

It's that time again on the Congressional calendar. All the big, bipartisan tech initiatives that looked so good a few months ago are beginning to compete for time on the floor like fat men desperate to get through a small door. And tech lobbyists are doing their best to handicap the bills they hate while advancing those they like.

We open the Cyberlaw Podcast by reviewing a few of the top contenders. Justin (Gus) Hurwitz tells us that the big bipartisan compromise on privacy is probably dead for this Congress, killed by Senator Maria Cantwell (D-WA) and the new politics of abortion. The big subsidy for domestic chip fabs is still alive, Jamil Jaffer reports, but beset by House and Senate differences, plus a proposal to regulate outward investment in China and Russia by U.S. firms. And Senator Amy Klobuchar's (D-MN) platform anti-self-preferencing bill is being picked to pieces by lobbyists trying to cleave away GOP votes over content moderation and national security. All in all, it's hard times for fat men.

Next, David Kris unpacks the First Circuit decision on telephone pole cameras and the fourth amendment. Technology and Fourth Amendment law is increasingly agoraphobic, I argue, as the Carpenter decision has left aging boomer judges on a vast featureless constitutional plain, lacking principles to guide them and forced to fall back on their sense of what was creepy in their day.

Speaking of creepy, the Australian Strategic Policy Institute (ASPI) has a detailed report oncontent moderation and privacy protections  at TikTok and WeChat. Jamil gives the highlights.   

Not that Silicon Valley has anything to brag about when it comes to creepy. I sum up This Week in Big Tech Censorship with two newly emerging rules for conservatives using social media platforms: First, obeying Big Tech's rules is no defense; it just takes a little longer before your business revenue is cut off. Second, having science on your side is no defense. As a Brown University doctor discovered, citing a study that undermines  coronavirus orthodoxy will get you suspended. Who knew we were supposed to follow the science with enough needle and thread to sew its mouth shut?

If Sen. Klobuchar's bill fails, all eyes will turn to Lina Khan's Federal Trade Commission, Gus tells us, and its defense of the "right to repair" may give a clue to how it will regulate. 

David flags a Google study of zero-days sold to governments in 2021. He finds it a little depressing, but I note that at least some of the zero-days probably require court orders to implement.

Jamil also reviews a corporate report on security, Microsoft's analysis of how Microsoft saved the world from Russian cyber espionage – or would have if you ignoramuses had just bought more cloud services. OK, it's not quite that bad, but the marketing motivations behind the report show a little too often in what is otherwise a useful review of Russian tactics.

In quick hits:

• Gus tells us about a billboard that can pick your pocket: In NYC, naturally.
• Jamil thinks we may have finally found Putin's billions, through the magic of shared email addresses.
• I offer a preview of the next U.S.-E.U. privacy spat, over sharing biometrics at the border.
• And David and I talk marijuana and security clearances. If you listen to the podcast for career advice, it's a long wait, but David delivers.

Download the 414th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

This episode of the Cyberlaw Podcast begins by digging into a bill more likely to transform tech regulation than most of the proposals you've actually heard of – a bipartisan effort to regulate US tech investment abroad. The new bill holds a mirror up to the Committee on Foreign Investment in the United States (CFIUS), Matthew Heiman reports. Where CFIUS regulates inward investment from adversary nations, the new proposal will regulate outward investment – from the U.S. to adversary nations. The goal is to slow the transfer of technical expertise (and capital) from the U.S. to China. It is opposed by the Chinese government and the same U.S. business alliance that campaigned against Senator Cornyn's CFIUS reforms in 2018. If it passes, I predict, it will be as part of must-pass legislation and will come as a big surprise to most technology observers.

The cryptocurrency world might as well make Leslie Gore its official chanteuse, because everyone is crying at the end of the crypto party. Well, except for Nick Weaver, who does a Grand Tour of all the overleveraged cryptocurrency firms on or over the verge of collapse as bitcoin values drop to $20 thousand and below.               

Scott Shapiro and I trade views on the spate of stories claiming that Microsoft is downgrading security in its products. It would unfortunately make sense for Microsoft to strip-mine value from its standalone proprietary software by stinting on security, we think, but we can't explain why the firm would neglect cloud security, as it is increasingly accused of doing.              

That brings us to NickTalk about TikTok, and a behind-the-scenes look at what has happened to the TikTok-CFIUS case in the years since former President Donald Trump left the stage. Turns out that CFIUS has been doggedly pursuing the pieces of the deal that were still on the table in 2020: localization of U.S. user data and no Chinese access to the data. The first is moving forward, Nick tells us; the second is turning out to be a morass.

Speaking of localization, India's determination to localize credit card data has been rewarded. Matthew reports that cutting off new credit card customers for noncompliant card systems did the trick: Mastercard localized its data, and India has now lifted the ban.

Scott reports on Japan's latest contribution to the techlash: a law that makes 'online insults' a crime.

Scott also notes a modest bright spot in NSO Group's litigation with Facebook: The Supreme Court granted the company's plea that the U.S. government be asked to weigh in on whether NSO could claim sovereign immunity for the hacking tools it sells to government. Nick puts his grave-dancing shoes back on to report the bad news for NSO: the Biden administration is trashing a rumored acquisition by U.S. - based L3Harris Technologies.

Scott makes short work of the idea that a Google AI chatbot has achieved sentience. Of course, as a trained philosopher, Scott seems a little reluctant to concede that I've achieved sentience. We do agree that it's a hell of a good chatbot.

And in quick hits, I note the appointment of April Doss as General Counsel for the National Security Agency Counsel after a long series of acting General Counsels.

Download the 413th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

This bonus episode of the Cyberlaw Podcast is an interview with Amy Gajda, author of "Seek and Hide: The Tangled History of the Right to Privacy." Her book is an accessible history of the often obscure and sometimes "curlicued" interaction between the individual right to privacy and the public's (or at least the press's) right to know.

Gajda, a former journalist, turns what could have been a dry exegesis on two centuries of legal precedent into a lively series of stories about the conflicts behind the case law. All the familiar legal titans of press and privacy -- Louis Brandeis, Samuel Warren, Oliver Wendell Holmes – are there, but Gajda's research shows that they weren't always on the side they're most famous for defending. You may come for deep thoughts about the law of privacy and press, but you'll stick around for generous helpings of sex and hypocrisy (which, it turns out, is pretty much the core of privacy and, often, journalism). 

This interview is just a taste of what Gajda's book offers, but lawyers who are used to a summary of argument at the start of everything they read should listen to this episode first so they know up front where all the book's stories are taking them.

Download Bonus Episode 412 (mp3) 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

This episode of the Cyberlaw Podcast is dominated by things that U.S. officials said in San Francisco last week at the RSA conference.  We summarize what they said and offer our views of why they said it.Bobby Chesney, returning to the podcast after a long absence, helps us assess Russian warnings that the U.S. should expect a "military clash" if it conducts cyberattacks against Russian critical infrastructure. Bobby, joined by Michael Ellis sees this as a run-of-the-mill Russian PR response to U.S. Cyber Command and NSA Director Paul M. Nakasone's remarks about doing offensive operations in support of Ukraine.

Bobby also notes an FBI analysis of the NetWalker ransomware gang, an analysis made possible by seizure of the gang's back office computer system in Bulgaria.  The unfortunate headline summary of the FBI's work was a claim that "just one fourth of all NetWalker ransomware victims reported incidents to law enforcement." Since many of the victims were outside the United States and would have had little reason to report to the Bureau, this statistic undercounts private-public cooperation. But it may, I suggest, reflect the Bureau's increasing sensitivity and insecurity about its long-term role in cybersecurity.  

Michael sees complaints about a dearth of incident reporting by the private sector as one of the themes emerging from the government's RSA appearances. A Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) executive also complained about a lack of ransomware incident reporting, a strange complaint considering that CISA can solve much of the problem by publishing an incident reporting rule that Congress authorized last year. 

In a more promising vein, two intelligence officials underlined a commitment on the part of intel agencies to sharing security data more effectively with the private sector. Michael sees that as the one positive note in an otherwise downbeat cybersecurity report from Avril Haines, Director of National Intelligence. And David Kris points to a similar theme offered by National Security Agency official Rob Joyce, who believes that sharing of (lightly laundered) intelligence  is increasing, thanks in part to the sophistication and cooperation of the cybersecurity industry. 

Michael and I are taking with a grain of salt the New York Times' claim that Russia's use of U.S. technology in its weapons has become a vulnerability due to U.S. export controls.  We think it may take months to know whether those controls are really hurting Russia's weapons production.  

Bobby explains why the Department of Justice (DOJ) was much happier to offer a "policy" -- instead of a legislative amendment -- to protectgood-faith security research from prosecution under the Computer Fraud and Abuse Act. That's understandable, but the DOJ policy doesn't protect researchers from civil lawsuits, so DOJ may yet find itself forced to look for a statutory fix. (If it were up to me, I'd be tempted to dump the civil remedy altogether.)

Michael, Bobby, and I dig into the ways in which smartphones have transformed both the war and, perhaps, the law of war in Ukraine. The change is driven by a Ukrainian government phone app that lets every Ukrainian civilian direct artillery fire onto Russians they encounter in the street. That's probably enough for the Russians to shoot all the civilians they encounter, but for armies that care about the law of armed conflict, the answer is surprisingly complicated and unsatisfying.

Finally, David, Bobby and I dig into a Forbes story, clearly meant to be a shocking expose, about the United States government's use of the All Writs Act to monitor an indicted Russian hacker's travel reservations for years until he finally headed to a country from which he could be extradited. We remain unshocked.

Download the 411th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

If you've been worrying about how a leaky U.S. government can possibly compete with China's combination of economic might and autocratic government, this episode of the Cyberlaw Podcast has a few scraps of good news. The funniest, supplied by Dave Aitel, is the tale of the Chinese gamer who was so upset at the online performance of China's tanks that he demanded an upgrade. When it didn't happen, he bolstered his argument by leaking apparently classified details of Chinese tank performance. The story inspires me to suggest that U.S. intelligence should be subtly degrading the online game performance of other Chinese weapons systems that we need more information about.

There may be similar comfort in the story of Gitee, a well-regarded Chinese competitor to Github that ran into a widespread freeze on open source projects. Jane Bambauer and I speculate that the source of the freeze was a government objection to the code or the comments in several projects. And in the long run, guessing at what it takes to avoid future government freezes will handicap China's software industry and make Western companies more competitive.

In other news, Dave unpacks the widely reported and largely overhyped story of Cyber Command conducting "hunt forward" operations in support of Ukraine.

Mark MacCarthy digs into Justice Samuel A. Alito Jr.'s opinion explaining why he would not have reinstated the district court injunction against Texas's social media regulation. Jane and I weigh in. The short version is that the Alito opinion offers a plausible justification for upholding the law. It is not be the law now, but it could be the law if Justice Alito can find two more votes. And getting those votes may not be all that hard -- at least for an opinion upholding more transparency requirements for social media companies.

Mark and Jane also dig deep into the substance and politics of national privacy legislation. Short version: House Democrats have made substantial concessions in the hopes of getting a privacy bill enacted before they must face what's expected to be a hostile electorate. But Senate Democrats may not be willing to swallow those concessions, and Republican members may think they will do better if they wait until after November. Impressed by the concessions, Jane and Mark hold out hope for a deal this year. I don't.

Meanwhile, Jane notes, California is driving forward with regulations under its privacy law. perhaps helping to persuade Republicans that preemption has lots of value for business.

Finally, revisiting two stories from earlier weeks, Dave notes

• The devastating consequences and obscure motivations of Conti's ransomware attacks on the Costa Rican government, and
• The deep tension between the U.S. government and Microsoft over export controls on intrusion tools.

Download the 410th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.