Skating on Stilts

Yesterday, the Attorney General held a workshop on Section 230 of the Communications Decency Act. The question was whether the law can be improved. Section 230 does need work, though there's plenty of room for debate about exactly how to fix it. These are my mostly tentative and entirely personal thoughts on the question the Attorney General has asked.

Section 230 gives digital platforms two immunities – one for publishing users' speech and one for censoring users' speech. the second is the bigger problem.

1. Immunity for what users say and do online

When section 230 was adopted, the impossibility of AOL, say, monitoring its users in a wholly effective way was obvious. It couldn't afford to hire tens of thousands of humans to police what was said in its chatrooms, and the easy digital connection it offered was so magical that no one wanted it to be saddled with such costs. Section 230 was an easy sell.

A lot has changed since 1996.  Facebook and other have in fact already hired tens of thousands of humans to police what is said on their platforms. Combined with artificial intelligence, content fingerprinting, and more, these monitors work with considerable success to stamp out certain kinds of speech. And although none of these efforts are foolproof, preventing the worst online abuses has become part of what we expect from social media. The sweeping immunity Congress granted in Section 230 is as dated as the Macarena, another hit from 1996 whose appeal seems inexplicable today. Today, jurisdictions as similar to ours as the United Kingdom and the European Union have abandoned such broad grants of immunity, making it clear that they will severely punish any platform that fails to censor its users promptly.

That doesn't mean the US should follow the same path.  We don't need a special, harsher form of liability for big tech companies. But why are we still giving them a blanket immunity from ordinary tort liability for the acts of third parties? In particular, why should they be immune from liability for utterly predictable criminal use of warrant-proof encryption? I've written on this recently and won't repeat what I said there, except to make one fundamental point.

Immunity from tort liability is a subsidy, one we often give to nascent industries that capture the nation's imagination. But once they've grown big, and the harm they can cause has grown as well, that immunity has to be justified anew. In the case of warrant-proof encryption, the justifications are thin.  Section 230 allows tech companies to capture all the profits to be made from encrypting their services while exempting them from the costs they are imposing on underfunded police forces and victims of crime.

That is not how our tort law usually works. Usually, courts impose liability on the party that is in the best position to minimize the harm a new product can cause. Here, that's the company that designs and markets an encryption system with predictable impact on victims of crime. Many believe that the security value of unbreakable encryption outweighs the cost to crime victims and law enforcement. Maybe so.  But why leave the weighing of those costs to the blunt force and posturing of political debate? Why not decentralize and privatize that debate by putting the costs of encryption on the same company that is reaping its benefits? If the benefits outweigh the costs, the company can use its profits to insure itself and the victims of crime against the costs. Or it can seek creative technical solutions that maximize security without protecting criminals – solutions that will never emerge from a political debate. Either way it's a private decision with few externalities, and the company that does the best job will end up with the most net revenue. That's the way tort law usually works, and it's hard to see why we shouldn't take the same tack for encryption.

2. Immunity for censoring users Detecting bias.

The harder and more urgent Section 230 problem is what to do about Silicon Valley's newfound enthusiasm for censoring users whose views it disapproves of. I confess to being a conservative, whatever that means these days, and I have little doubt that social media content mediation rules are biased against conservative speech. This is hard to prove, of course, in part because social media has a host of ways to disadvantage speakers who are unpopular in the Valley. Their posts can be quarantined, so that only the speaker and a few persistent followers ever see them but none knows of that distribution has been suppressed. Or they can be demonetized, so that Valley-unpopular speakers, even those with large followings, cannot use ad funding to expand their reach. Or facially neutral rules, such as prohibitions on doxing or encouraging harassment, are applied with maximum force only to the unpopular. Combined with the utterly opaque talk-to-the-bot mechanisms for appeal that the Valley has embraced, these tools allow even one or two low-level but highly motivated content moderators to sabotage their target's speech.

Artificial intelligence won't solve this problem.  It is likely to make it worse. AI is famous for imitating the biases of the decisionmakers it learns from – and for then being conveniently incapable of explaining how it arrived at its own decisions. No conservative should have much faith in a machine that learns its content moderation lessons from current practice in Silicon Valley.

Foreign government interference. European governments, unbound by the first amendment, have not been shy about telling Silicon Valley to suppress speech it dislikes, which include true facts about people who claim a right to be forgotten, or charges that a politician belongs to a fascist party, or what it calls hate speech. Indeed, much of the Valley has already surrendered, agreeing to use their terms of service to enforce Europe's sweeping view of hate speech--under which the President's tweets and the Attorney General's speeches could probably be banned today.

Europe is not alone in its determination to limit what Americans can say and read.  Baidu has argued successfully that it has a first amendment right to return nothing but sunny tourist pictures when Americans searched for "Tiananmen Square June 1989." Jian Zhang v. Baidu.Com Inc., 10 F. Supp. 3d 433 (S.D.N.Y. 2014). Today, any government but ours is free to order a US company to suppress the speech of Americans the government doesn't like.

In the long run it is dangerous for American democracy to give highly influential social media firms a blanket immunity when they bow to foreign government pressure and suppress the speech of Americans. We need to armor ourselves against such tactics, not facilitate them.

Regulation deserves another look. This isn't the first time we've faced a disruptive new technology that changed the way Americans talked to each other. The rise of broadcasting a hundred years ago was at least at transformational, and as threatening to the political order, as social media today. It played a big role in the success of Hitler and Mussolini, not to mention FDR and Father Coughlin.

American politicians worried that radio and television owners could sway popular opinion in unpredictable or irresponsible ways. They responded with a remarkable barrage of new regulation – all designed to ensure that wealthy owners of the disruptive technology did not use it to unduly distort the national dialogue. Broadcasters were required to get government licenses, not once but over and over again. Foreign interests were denied the right to own stations or networks. A "fairness" doctrine required that broadcasters present issues in an honest, equitable, and balanced way. Opposing candidates for office had to be given equal air time, and political ads could to be aired at the lowest commercial rate. Certain words (at least seven) could not be said on the radio.

This entire edifice of regulation has acquired a disreputable air in elite circles, and some of it has been repealed. Frankly, though, it don't look so bad compared to having a billionaire tech bro (or his underpaid contract workers) decide that carpenters communicating with friends in Sioux Falls are forbidden to "deadname" Chelsea Manning or to complain about Congress's failure to subpoena Eric Ciaramella.

The sweeping broadcast regulatory regime that reached its peak in the 1950s was designed to prevent a few rich people from using technology to seize control of the national conversation, and it worked. The regulatory elements all pretty much passed constitutional muster, and the worst that can be said about them today is that they made public discourse mushy and bland because broadcasters were cautious about contradicting views held by a substantial part of the American public.

Viewed from 2020, that doesn't sound half bad. We might be better off, and less divided, if social media platforms were more cautious today about suppressing views held by a substantial part of the American public.

Whether all these rules would survive contemporary first amendment review is hard to know. But government action to protect the speech of the many from the censorship of the privileged deserves, and gets, more leeway from the courts than the free speech absolutists would have you believe. See, e.g., Bartnicki v. Vopper, 532 U.S. 514 (2001).

That said, regulation has many risks, not least the risk of abuse. Each political party in our divided country ought to ask what the other party would do if given even more power over what can be said on line. It's a reason to look elsewhere for solutions.

Network effects and competitive dominance. Maybe we wouldn't need a lot of regulation to protect minority views if there were more competition in social media – if those who don't like a particular platform's censorship rules could go elsewhere to express their views.

In practice, they can't.  YouTube dominates video platforms, Facebook dominates social platforms, Amazon dominates online book sales, etc. Thanks to network effects, if you want to spread your views by book, by video, or by social media post, you have to use their platforms and live with their censorship regimes.

It's hard to say without investigation whether these platforms have violated antitrust laws in acquiring their dominance or in exercising it. But the effect of that dominance on what Americans can say to each other, and thus on political outcomes, must be part of any antitrust review of their impact. Antitrust enforcement often turns on whether a competitive practice causes consumer harm, and suppression of consumer speech has not usually been seen as such a harm. It should be. Suppression of speech it dislikes may well be one way Silicon Valley takes monopoly profits in something other than cash. If so, there could hardly be a higher priority for antitrust enforcement because such a use of monopoly strikes at the heart of American free speech values.

One word of caution:  Breaking up dominant platforms in the hope of spurring a competition of ideas won't work if the result is to turn the market over to Chinese companies that already have a similar scale – and even less interest in fostering robust debate online. If we're going to spur competition in social media, we need to make sure we aren't trading Silicon Valley censorship for the Chinese brand.

Transparency. Transparency is everyone's favorite first step for addressing the reality and the perception of bias in content moderation. Surely if the rules were clearer, if the bans and demonetizations could be challenged, if inconsistencies could be forced into the light and corrected, we'd all be less angry and suspicious and the companies would behave more fairly. I tend to agree with that sentiment, but we shouldn't kid ourselves. If the rules are made public, if the procedures are made more open – hell, if the platforms just decide to have people answer complaints instead of leaving that to Python scripts -- the cost will be enormous.

And not just in money. All of the rules, all of the procedures, can be gamed, and more effectively the more transparent they are.  Speakers with bad intent will go to the very edge of the rules; they will try to swamp the procedures. And ideologues among the content moderators will still have room to seize on technicalities to nuke unpopular speakers.  Transparency may well be a good idea, but its flaws are going to be painful to behold if that's the direction our effort to discipline Section 230 takes.

3. What is to be done?

So I don't have much certainty to offer.  But if I were dealing with the Section 230 speech suppression immunity today, I'd start with something like the following:

First, treat speech suppression as an antitrust problem, asking what can be done to create more competition, especially ideological and speech competition, among social media platforms. Maybe breakups would work, although network effects are remarkably resilient. Maybe there are ways antitrust law can be used to regulate monopolistic suppression of speech. In that regard, the most promising measures probably are requiring further transparency and procedural fairness from the speech suppression machinery, perhaps backed up by governmental subpoenas to investigate speech suppression accusations.

Second, surely everyone can agree that foreign governments and billionaires shouldn't play a role in deciding what Americans can say to each other. We need to bar foreign ownership of social media platforms that are capable of playing a large role in our political dialogue. We should also use the Foreign Agent Registration Act or something like it to require that speech driven by foreign governments be prominently identified as such. And we should sanction the nations that try to do that.

And finally, here's a no-brainer. If nothing else, it's clear that Section 230 is one of the most controversial laws on the books. It is unlikely to go another five years without being substantially amended. So why in God's name are we writing the substance of Section 230 into free trade deals – notably the USMCA? Adding Section 230 to a free trade treaty makes the law a kind of a low-rent constitutional amendment, since if we want to change it in future, organized tech lobbies and our trading partners will claim that we're violating international law. Why would we do this to ourselves? It's surely time for this administration to take Section 230 out of its standard free-trade negotiating package.

Note: I have many friends, colleagues, and clients who will disagree with much of what I say here.  Don't blame them. These are my views, not those of my clients, my law firm, or anyone else.

In breaking news from 1995, the Washington Post takes advantage of a leaked CIA history paper to retell the remarkable tale (first published in the mid-90s) of Crypto AG, a purveyor of encryption products to dozens of governments – and allegedly a wholly controlled subsidiary of US and German intelligence. Nick Weaver, Paul Rosenzweig, and I are astonished at the derring-do and unapologetic enthusiasm for intelligence collection that the story displays. I mean, really: The Pope?

This week’s interview is with Jonathan Reiber, a writer and strategist in Oakland, California, and former Chief Strategy Officer for Cyber Policy and Speechwriter at the Department of Defense, currently senior advisor at Technology for Global Security and visiting scholar at the UC Berkeley Center for Long-Term Cybersecurity. His recent report offers a candid view of strained relations between Silicon Valley and the Pentagon. The interview explores the reasons for that strain, the importance of bridging the gap, and how that can best be done.

Nick reports that four PLA members have been indicted over the Equifax breach. He speculates that the US government is sending a message by disclosing a photo of one soldier that appears to have been taken by his own webcam. Paul and I note that the purpose of the hack was very likely the assembly of records on Americans not dissimilar to the records we know the Chinese keep on Uighurs – which are extraordinarily detailed and surprisingly artisanal. 

The arrest of a Bitcoin mixer allows Nick to explain how Bitcoin mixing works and why it's (sometimes) illegal.

Paul lays out the potentially serious impact of Amazon’s lawsuit to stop a $10 billion Microsoft-DOD cloud contract. We note that Amazon wants to take testimony from President Trump about political interference in the award. Thanks to his Twitter habit, we conclude, that’s not out of the question.

I preview my remarks at a February 19 Justice Department workshops on Section 230. I will reprise my article in Lawfare and the encryption debate with Nick Weaver that inspired it. And I hope to dig as well into the question whether Section 230 provides too much protection for Silicon Valley’s censors. Speaking of which, Jeff Bezos’s company has joined the censors but won’t tell us which books it’s suppressing.

Nick and I give a favorable review to CISA’s new #Protect2020 election strategy. We search for deeper meaning in IANA’s failure to complete its DNSSEC root key signing ceremony because of… a physical safe. And we all take a moment to mock and abuse the latest vote-by-phone snake-oil app seller, Voatz. If nothing else, we conclude, it will greatly reduce friction in the market for selling votes in future elections. 

Download the 300th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, or friends.

The battle between Congress and Silicon Valley has a new focus: the EARN IT Act of 2019. (The title is an embarrassing retronym that I refuse to dignify by repeating; you can safely ignore it.) A “discussion draft” of the bill is attributed to Republican Sen. Lindsey Graham and Democratic Sen. Richard Blumenthal. To hear the Electronic Frontier Foundation (EFF), the Center for Internet and Society, and Gizmodo tell it, the draft EARN IT Act is an all-out assault on end-to-end encryption.

The critics aren’t entirely wrong about the implications of EARN IT for encryption—but they’ve skipped a few steps. To understand the controversy, it’s useful to start with the structure of the bill. That will show how EARN IT could affect the deployment of end-to-end encryption—and why the draft bill makes sense as social policy.

The central change made by the bill is this: It would allow civil suits against companies that recklessly distribute child pornography. It would do this by taking away a piece of their immunity from liability when transmitting their users’ communications under Section 230 of the Communications Decency Act (CDA).

Originally added to the CDA as part of a legislative bargain, Section 230 was one of the best deals tech lobbyists ever struck. The CDA was a widely popular effort to restrict internet distribution of pornography to minors. Tech companies couldn’t stop the legislation but feared being held liable for what their users did online, so they agreed not to fight the CDA in exchange for Section 230. The next year, the law’s measures to protect children online were ruled unconstitutional, leaving the industry protections in Section 230 as more or less the only operative provision in the entire CDA.

Both Section 230 and the content monitoring it protects have become increasingly controversial in recent years. Conservatives believe they have been unfairly targeted for arbitrary deplatforming and demonetization; liberals complain that there are still too many right-wing proselytizers and rabble-rousers on the internet. Fewer and fewer people are happy that Section 230 gives tech companies broad discretion to do what they please about user content.

But the most recent attacks on Section 230 have been more focused. Congress first took aim at sites, like Backpage, that were accused of knowingly accepting ads that fostered prostitution and sex trafficking. In 2018, Congress enacted the Fight Online Sex Trafficking Act (FOSTA), which provided that internet companies could be held liable for assisting in sex trafficking if they “knew or should have known” what their customers were doing. 18 U.S.C. § 1595; 47 U.S.C. § 230(c)(5).

Silicon Valley’s advocates hated FOSTA, but their resistance didn’t matter. Times had changed. It was hard to argue that the big platforms couldn’t afford to monitor their users’ content. Much of the industry caved rather than look soft on sex trafficking. The bill passed with overwhelming bipartisan support.

This brings us to the EARN IT Act, which would treat child pornography more or less the way FOSTA treated sex trafficking content—by lifting the immunity of companies that don’t take reasonable measures to prevent its distribution. It’s a surprise that EARN IT came second to FOSTA. Sex work has defenders on the left and the libertarian right, after all, but no one defends child pornography. What’s more, ads touching on sex and companionship have a good deal more First Amendment appeal than child sexual abuse images, which are after all direct evidence of crime. But now that FOSTA has shown the way, it’s no surprise that a similar attack on child pornography has gained traction.

In seeking to counter this proposal, Silicon Valley and internet freedom advocates have moved away from the First Amendment paeans and “don’t break the internet” memes they used in their unsuccessful fight against FOSTA. Rather, they’re arguing that EARN IT will hurt end-to-end encryption.

How so? The short answer is that EARN IT imposes civil liability on companies that distribute child pornography “recklessly.” Victims—presumably the individuals whose images are being circulated—could sue online platforms that recklessly ignored the exchange of child pornography on their services. By itself, that rule is hard to quarrel with. Recklessness requires more than simple negligence. A party is reckless if he deliberately ignores a harm that he can and should prevent.

For anyone who has defended a tort case, being reassured that the jury has to find your client acted recklessly is cold comfort. You don’t know what facts you’ll be accused of ignoring. You don’t know what emails may have been sent to even low-level employees in your company. You don’t know what measures you’ll be accused of ignoring. And you don’t know when a trawl through the company’s email servers will show that someone somewhere treated the problem with insensitivity.

To address that fear, EARN IT offers a safe harbor to companies that follow best practices in addressing child pornography. Notably, this is more protective of social media defendants than FOSTA and not strictly necessary for those willing to trust the good sense of American juries. Nonetheless, the bill creates a commission to spell out the safe harbor best practices. To further protect industry, 10 of the 15 members of the commission must agree on the best practices, and six of the 15 must have worked at a computer service or in computer science, giving the commission members with a technical background a blocking minority. To protect the government’s interests, the attorney general is given authority to review and modify, with reasons, the best practices endorsed by the group. Companies that certify compliance with the best practices cannot be sued or prosecuted under federal child pornography laws. Companies that disagree with the best practices that emerge from this process can still claim the safe harbor if they implement “reasonable measures … to prevent the use of the interactive computer service for the exploitation of minors.”

To see what this has to do with encryption, just imagine that you are the CEO of a large internet service thinking of rolling out end-to-end encryption to your users. This feature provides additional security for users, and it makes your product more competitive in the market. But you know it can also be used to hide child pornography distribution networks. After the change, your company will no longer be able to thwart the use of your service to trade in child pornography, because it will no longer have visibility into the material users share with one another. So if you implement end-to-end encryption, there’s a risk that, in future litigation, a jury will find that you deliberately ignored the risk to exploited children—that you acted recklessly about the harm, to use the language of the law.

In other words, EARN IT will require companies that offer end-to-end encryption to weigh the consequences of that decision for the victims of child sexual abuse. And it may require them to pay for the suffering their new feature enables.

I don’t doubt that this will make the decision to offer end-to-end encryption harder. But how is that different from imposing liability on automakers whose gas tanks explode in rear-end collisions? If the gas tank makes its cars cheaper or more popular, the company will get the benefit; but now it will also have to pay damages to the victims of the explosions. That makes the decision to offer risky gas tanks harder, but no one weeps for the automaker. Imposing liability puts the costs and benefits of the product in the same place, making it more likely that companies will act responsibly when they introduce new features.

There is nothing radical about EARN IT’s proposal, except perhaps for the protections that the law still offers to internet companies. Most tort defendants don’t get judged on a recklessness standard. Juries can award damages if the defendant was negligent, a much lower bar. Indeed, in many contexts, the standard is strict liability: If your company is best able to minimize the harm caused by your product, or to bear its cost, the courts will make you the insurer of last resort for all the harm your product causes, whether you are negligent or not. Compared to these commonplace rules, Section 230 remains a remarkably good deal, with or without EARN IT.

But critics of EARN IT have focused on the role the bill provides for the attorney general Because Attorney General William Barr could modify the best practices recommended by the commission, critics say, Barr might unilaterally declare that end-to-end encryption is never a best practice when dealing with the scourge of child pornography. That would effectively prohibit end-to-end encryption, or so the argument goes.

There’s one problem with this: EARN IT doesn’t impose liability on companies that fail to follow the commission’s best practices. They are free to ignore the recommendations of the commission and the attorney general, which are after all just a safe harbor, and they will still have two ways to avoid liability. First, they can still claim a safe harbor as long as they adopt “reasonable measures” to prevent child sex exploitation. Second, they can persuade a jury that their product design didn’t recklessly allow the spread of child pornography.

The risk of liability isn’t likely to kill encryption or end internet security. More likely, it will encourage companies to choose designs that minimize the harm that encryption can cause to exploited kids. Instead of making loud public arguments about the impossibility of squaring strong encryption with public safety, their executives will have to quietly ask their engineers to minimize the harm to children while still providing good security to customers—because harm to children will in the long run be a cost the company bears. That, of course, is exactly how a modern compensatory tort system is supposed to work. Such systems have produced safer designs for cars and lawn mowers and airplanes without bankrupting their makers.

Maybe it’s time to apply the same rules to internet products and services.

The views expressed here do not reflect those of my firm or clients.

The next trade war will be over transatlantic data flows, and it will make the fight with China look like a picnic. That’s the subject of this episode’s interview. The European Court of Justice is poised to go nuclear – to cut off US companies’ access to European customer data unless the US lets European courts and data protection agencies refashion American intelligence capabilities according to standards no European government has ever been required to meet. It is Europe in full neocolonial mode, but the movement has so far sailed below the radar, disguised as an abstruse European legal fight. Maury Shenk and I interview Peter Swire on the Schrems cases that look nearly certain to provoke a transatlantic trade and intelligence crisis. Actually, Maury interviews Peter, and I throw bombs into the conversation. But if ever there were a cyberlaw topic that deserves more bomb-throwing, this is it.

In the News Roundup, David Kris tells us that the trial of alleged Vault7 leaker Joshua Schulte is under way. And the star of the first day is our very own podcast regular, Paul Rosenzweig.

If you’re wondering whether more cybersecurity regulation is what the country needs, you should be paying attention to the Pentagon, which has embraced cybersecurity regulation for its contractors. Matthew Heiman reports that DOD isn’t finding the path easy. DOD has released its final cybersecurity plan for contractors, but the audit process needed to enforce it remains a mystery.

That’s SNAKE spelled backwards: David tells us about a new strain of ransomware known as EKANS; ominously, it is targeting industrial control systems. I manage to find a very modest silver lining.

Nate Jones sums up the cybersecurity lessons from the voting debacle in Iowa.

Nate also reports on the FCC’s latest half-step toward suing one or more telcos for selling phone-location data.

Matthew covers the Maze ransomware that has ravaged law firms in recent weeks. He argues that it’s only a matter of time before such attacks become dog-bites-man stories.

Matthew also notes that Google and Facebook have apparently dropped plans to terminate their transpacific cable in Hong Kong. US national security concerns seem to have driven the decision. Looks like the Great Decoupling could be spurring a very real physical decoupling.

Nate makes the best of being asked to talk about the 2020 version of a Worthwhile Canadian Initiative: The third volume of the Senate Intel Committee’s Russian electoral interference report. It’s sober and responsible and bipartisan – and largely unread, sadly.

And to bring you up to speed on past stories:

• A Brazilian judge has declined to accept charges against Glenn Greenwald, “for now.”
• The poster child for our current facial recognition moral panic can’t catch a break: As I predicted, Clearview AI has been hit with orders to cease-and-desist from Google and Facebook.
• Tag-teaming with Bill Barr, child-welfare activists are attacking Facebook over its encryption plans and what that means for exploited kids.
• One of the first CCPA lawsuits has been filed, against Salesforce.
• And This Week in Silicon Valley's Suppression of the Right:
• Letterboxd banned a black libertarian film critic’s reviews.
• James O’Keefe’s Twitter account was suspended after he named a Bernie Sanders staffer who spoke fondly of gulags and electoral violence.
• And Twitter banned the widely popular Zero Hedge account after it named a Chinese researcher who it thought might have a role in coronavirus.

Download the 299th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the participants' firms, clients, friends, former friends, or family members.

 Nick Weaver and I debate Sens. Graham and Blumenthal's EARN IT Act, a proposal to require that social media firms follow best practices on preventing child abuse. If they don't, they won't get full Section 230 immunity from liability for recklessly allowing the abuse. Nick thinks the idea is ill-conceived and doomed to fail. I think there's a core of sense to the proposal, which simply asks that Silicon Valley firms who are reckless about child abuse on their networks pay for the costs they're imposing on society. Since the bill gives the attorney general authority to modify the best practices submitted by a commission of industry, academic, and civic representatives, though, critics are sure that an evil bogeyman by the name of Bill Barr will effectively prohibit end-to-end encryption.

But before we get to that that debate, Gus Hurwitz and I unpack the law and tactics behind Facebook's decision to pay $550 million to settle a facial recognition class action. And Klon Kitchen and Nick ponder the shocking corruption and coverup alleged in the case of a Harvard chemistry chairman being prosecuted for hiding the large sums he was getting from the Chinese government to boost its research into nanomaterials.

Klon also gives us a feel for just how hard it can be to enforce Iranian sanctions, and the creativity that went into one Iranian app developer's evasion scheme.

Gus and Nick offer real hope that robocalling will start to get harder, and soon: DOJ has requested restraining orders to stop telcos from facilitating fraudulent robocalls; the FTC has put 19 VoIP providers on notice for facilitating robocalls; and SHAKEN/STIR is slowly making it harder to spoof a phone number.

Gus asks a question that had never occurred to me, and certainly not to millions of homeowners who may have committed inadvertent felonies by installing Ring doorbell cameras. It turns out that Ring recordings may be illegal intercepts in states with all-party consent laws. At least that's what one enterprising New Hampshire defense lawyer is arguing.

First it cocks a snook at Brussels, and now this: The UK government is really on a roll. It's proposing an IoT security law that Nick endorses with enthusiasm. Maryland, not so much: Klon critiques a proposed state law that would make ransomware illegal – and maybe ransomware research, too.

In dog-bites-man news, the United Nations has suffered a breach – probably by a semi-competent government. Which doesn't narrow things down much, since as Nick observes, everyone but the Germans has probably pwned the UN. And the Germans are just being polite.

A lot of old stories have come back for one more turn on stage: The Russian hacker that the Russian government was afraid would sing if extradited to the US has pleaded guilty and is probably singing already. Avast has killed Jumpshot, its much-criticized data collection operation. The Bezosphone Saga continues, as Sen. Chris Murphy calls on the DNI and FBI to investigate the hacking allegations, and Bezos's girlfriend's brother is suing for defamation. Charges against the Iowa courthouse pentesters have finally been dropped. LabMD's Mike Daugherty should probably hang up his cleats. He won a great victory over the FTC, but his racketeering suit against Tiversa and lawyers is officially time-barred. Finally, it turns out that the FBI has been investigating NSO Group since 2017, though without bringing charges, so far.

Download the 298th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of our institutions, clients, friends, former friends, spouses, children, or pets.

This episode features an interview on the Bezos phone hacking flap with David Kaye and Alex Stamos. David is the UN Special Rapporteur and clinical professor of law at UC Irvine who first drew attention to an FTI Consulting report concluding that the Saudis did hack Bezos' phone. Alex is director of the Stanford Internet Observatory and was the CSO at Facebook; he thinks the technical case against the Saudis needs work, and he calls for a supplemental forensic review of the phone. 

In the news, Nate Jones unpacks the US-China "phase one" trade deal and what it means for the tech divide.

Nick Weaver and I agree that the King County (Seattle) Conservation District's notion of saving postage by having everyone vote by phone is nuts. Nick in particular reacts as you'd expect him to. Although, frankly, if anyone deserves to have Putin choose their local government, it's Seattle. He could hardly do a worse job than Seattle voters have.

Nate talks about the profound hit the credibility of the FISA process has taken as a result of the Justice Department admitting that two of four Carter Page warrants were invalid. Among other things, it opens FISA to a kitchen sink full of crazy  proposals for handcuffing national security wiretaps. Like this one from Sen. Ron Wyden and Sen. Steve Daines (who should know better).

Brazil has charged Glenn Greenwald with "cybercrimes" on evidence that would be thin at best in the US, Nate argues. Nick agrees and is only sad that the Bolsonaro government has put him in the position of defending the unspeakably unpleasant Greenwald.

Google is redesigning its search results again, blurring even further the line between ads and organic results. Living up to its new motto ("Don't be caught being evil"), Google announces that it's just testing its design, and everyone should chill. Nick and I are skeptical that A/B testing will tell Google anything other than which redesign fools consumers most effectively and thus makes more protection money for Google.

And speaking of protection money, this episode was not brought to you by Avast, the company that probably would have paid the most not to be mentioned on the podcast this week. Because they've been caught getting largely uninformed consent to the monitoring of their customers' Web activities – right down to their porn preferences.

Download the 297th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the participants' institutions, clients, friends, spouses, children, or pets.

This week’s episode includes an interview with Bruce Schneier about his recent op-ed on privacy. Bruce and I are both dubious about the current media trope that facial recognition technology was spawned by the Antichrist. He notes that what we are really worried about is a lot bigger than facial recognition, and he offers ways in which the law could address that deeper worry. I’m less optimistic about our ability to write or enforce laws designed to restrict use of personal information , which after all gets cheaper to collect, to correlate, and to store every year. It’s a good, civilized exchange.

The News Roundup is a little truncated due to a technical failure. (It was a glitch in Zencastr for those of you keeping score, and I definitely am). As a result, we lost Nick Weaver’s audio for about half the program, including a hammer and tongs debate with me over Apple’s fight with the FBI. (But never fear, opportunities for that debate come by about as often as the Red Line comes to Dupont Circle.) 

That said, it’s still a feisty episode. It begins with Michael Vatis teeing off on the California Consumer Privacy Act, the worst-drafted law he’s worked with in over 30 years of practice – and not much better on policy grounds.

We then return to Illinois’s recent law regulating AI hiring interviews systems like HireVue, and sparks fly again as Mark MacCarthy and I mix it up over allegations of AI “bias.” (I’m a skeptic, to put it mildly.) 

Matthew Heiman covers the surprisingly thin claim that the GRU has phished its way into Burisma Holdings. And Nick comments on (yet another!) Italian surveillance tech firm getting into trouble by misusing its capabilities. 

Not-so-Big Tech has begun asking Congress for antitrust help against Big Tech. Mark is skeptical; I’m a little less so.

Matthew and I compliment frequent contributor David Kris on his speed in delivering an amicus report on the FBI’s Horowitz reforms -- between one Cyberlaw Podcast episode and the next – and before his Congressional critics can even finish a letter questioning his appointment. One lingering, and possibly salutary, effect of the kerfuffle is that some good questions are now being directed at the FISA Court itself, asking why it didn’t do a better job of policing the Carter Page excesses. 

Mark reports on an unusual effort by Europe’s chief privacy officer to exempt academic researchers from strict compliance with data protections laws. Privacy law, as I've said for years, is all about privileging the powerful, and academics qualify, so of course they deserve a data protection exemption.

In quick hits, Matthew notes that Erdogan has bowed to the Turkish Supreme Court and reinstated access to Wikipedia. He also reports on the U.S. Department of the Interior permanently grounding its drone fleet over spying concerns. Nick chuckles over China’s APT 40 getting doxxed, and we both give credit to NSA’s Anne Neuberger for disclosing and enabling the patch by Microsoft of a major vulnerability in the Crypt32 library. Finally, I predict that Clearview will be sued for violating terms of service to obtain the facial recognition data it uses to provide identification services to law enforcement. Because privacy law is all about protecting the privileged, and crime victims don't qualify.

Download the 296th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of our institutions, clients, spouses, families, or pets

There’s a fine line between legislation addressing deepfakes and legislation that is itself a deep fake. Nate Jones reports on the only federal legislation addressing the deepfake problem so far. I claim that it is well short of a serious regulatory effort – and pretty close to a fake itself.

In contrast, India seems serious about imposing liability on companies whose unbreakable end-to-end crypto causes harm, at least to judge from the howls of the usual defenders of such products. David Kris explains how the law will work. I ask why Silicon Valley gets to impose the externalities of encryption-facilitated crime on society when we’d never let Big Tech leave us with the tab for water or air pollution just because their products are so cool. In related news, the FBI may be turning the Pensacola military terrorism attack into a slow-motion replay of its San Bernardino fight with Apple, this time with more top cover (and probably better lawyering).

Poor Nate seems to draw all the fake legislation in this episode. He explains a 2020 appropriations rider requiring the State Department to report on how it issues export licenses for cyber espionage capabilities; this is a follow-up to investigative reporting on the way such capabilities ended up being used against human rights activists in the UAE. As we agree, it’s an interesting and likely unsolvable policy problem, so the legislation opts for the most meaningless of remedies, requiring the Directorate of Defense Trade Control to report “on cybertools and capabilities licensing, including licensing screening and approval procedures as well as compliance and enforcement mechanisms” within 90 days.

Nate also gets to cover some decidedly un-fake requirements in the 2019 NDAA limiting how defense contractors can use Chinese technology. The other shoe is about to drop, and if the first one was a baby shoe, the second is a Clydesdale’s horseshoe.

It’s hard to call it fake, but the latest export control rule restricting sales of AI could hardly be narrower. Maury Shenk and I speculate that this is because a long-term turf war has broken out again in export control policy circles. Maury’s money is on the business side of that fight, and the narrowness of the AI rule gives weight to his views.

And here’s some Christmas cheer for DOJ and national security officials: A federal district court put a lump of coal in Fast Eddie Snowden's stocking, denying him royalties from a book that violated his nondisclosure agreement. Nate thinks it’s safe for me to buy a copy, but I’m waiting for appellate confirmation.

Less festive news comes from the European Court of Justice’s advocate general opinion in Schrems II, a case that could greatly complicate EU-US data transfers by purporting to put Europeans in charge of how the US defends itself from terrorism. Maury explains; I complain.

David unpacks with clarity a complex Second Circuit decision on the constitutionality of FISA 702 collection. On the whole, Judge Lynch did a creditable job with a messy and unprecedented set of claims, though I question the wisdom of erecting a baroque mansion of judge-made limits on a slippery and narrow foundation like the Fourth Amendment’s requirement that searches be “reasonable.”

And in short hits:

• Maury tells us that Italy has imposed a French-style revenue tax on Internet companies.
• The Russians claim to have successfully found a way to disconnect from the Internet. Now if we could only get them to stay that way.
• Illinois has a new, mostly fake law imposing modest regulations on the use of AI in video job interviews.
• The TRACED Act rises above fakeness in attacking robocalls but just barely.
• And the FAA released an NPRM calling for a pretty serious requirement for remote ID of drones.

Finally, to put everyone back in the Christmas spirit, LabMD won nearly a million dollars in fees from the Federal Trade Commission for the FTC’s bullheaded pursuit of the company despite the many flaws in its case. The master’s opinion makes clear just how badly the FTC erred in hounding LabMD.

Download the 295th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect those of their spouses, children, clients, firms, or institutions. 

In this special edition of the Cyberlaw Podcast, we’ve convened a panel of experts on intelligence and surveillance law to examine the many failings of the Crossfire Hurricane investigation of the Trump campaign and Russian influence. We unpack the Department of Justice Inspector General’s report on the FBI’s use of FISA, undercover operatives, and the Bureau's many errors in the high-stakes matter. We also ask what can be done to cure what ails the FBI -- including the IG's recommendations, FBI Director Wray’s response, and a public order issued by the Foreign Intelligence Surveillance Court. 

If you're looking for a single episode to make sense of the investigation and its faults, you can't do better than to listen to our team of FISA aficionados. Joining me on the panel:

• Bob Litt, former general counsel of the Office of the Director of National Intelligence.
• David Kris, who wrote the book on FISA and previously headed the DOJ’s National Security Division, which is responsible for FISA warrants.
• Bobby Chesney of the University of Texas School of Law, as well as a founder of Lawfare and co-host of the National Security Law Podcast.

And with that, the Cyberlaw Podcast is going on hiatus for the holidays. We’ll be back in January with more insights into the latest events in technology, security, privacy, and government.

Download the 294th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, family and (mostly former) friends.

This week Maury Shenk guest hosts the podcast and takes us on a world tour of computer insecurity.

Even with a "phase one" trade deal with China apparently agreed, there's of course plenty still at stake between China and the US in the tech space. Nate Jones reports on the Chinese government order for government offices to purge foreign software and equipment within three years and the plans of Arm China to develop chips  using “state-approved” cryptography. Nick Weaver and Maury agree that, while there are some technical challenges on this road, there's a clear Chinese agenda to lose dependency on US suppliers. 

In the Department of Hacking, the aptly-named Plundervolt allows hackers to steal data using the power supply of Intel chips. The immediate hole has been closed, but Nick thinks the hack suggests bigger problems for Intel down the road. We also discuss Apple's flirtation with the using DMCA to get Twitter to de-tweet an encryption key compromising a less-than-critical aspect of iPhone 11 security, and Maury reporte on an 11th Circuit decision on insurance coverage for losses from spear-phishing.

Maury points out that it's not just the EU that is going after Big Tech. Amazon's new-ish Ring subsidiary seems to have scored a couple of own-goals with privacy and security practices for its smart doorbells – Nick explains in detail. And Maury relates the Wall Street Journal report that the FTC is considering seeking an injunction of Facebook app integration, and the big 7.5% tax that Turkey will levy on digital services beginning in March.

Finishing up in the Gulf, we look at a “very big” cyberattack on Iranian banks that the Iranian government claims is state-sponsored. Nate doubts intimations that the US is involved, and we agree that political and commercial motives are difficult to disentangle in this type of attack. Across the Strait of Hormuz, we explore the involvement of former counterterrorism czar Richard Clarke in helping the United Arab Emirates build its DREAD (who thought that was a good name?) counterterrorism unit and the policy implications and slippery slope of allowing US expertise to be used for such efforts.

Download the 293rd Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of participants' firms, clients, institutions, families, or pets.

The apparent terror attack at Naval Air Station Pensacola spurs a debate among our panelists about whether the FISA Section 215 metadata program deserves to be killed, as Congress has increasingly signaled it intends to do. If the Pensacola attack involved multiple parties acting across US borders, which looked possible as we taped, then it would be just about the first such attacks since 9/11 – and exactly the kind of attack the metadata program was designed to identify in advance. Now may not be the best time to dump it, after all.

Nick Weaver tells us that China has resurrected the Great Cannon to attack a popular Hong Kong forum for protesters. The Cannon depends on users from outside China connecting without TLS to Chinese sites. I ask why Google hasn’t started issuing warnings to Web users before letting them cross the Great Firewall without enabling HTTPS. That could spike the Great Cannon, but Google employees are too busy complaining about the United States government, I suggest. Meanwhile, Microsoft is working hard to make GitHub, an early Great Cannon victim, an essential part of China’s IT infrastructure. Remarkably, we verify in real time that, despite the lure of the Chinese market, Microsoft has apparently not told GitHub to dump the content that offended the Chinese government.

In more China news, the trial lawyers are circling TikTok as though it were a wounded wildebeest on the veldt. A California class action alleges that TikTok harvested and sent data to China, and an Illinois class action charges the company with violating COPPA by marketing to children without sufficient privacy safeguards.

Paul Rosenzweig and I dig deep into the 20-year history behind DHS's now-abandoned proposal to conduct airport facial scans on US citizens leaving the country. We reach broad agreement that this is one of the rare privacy versus national security debates in which there’s precious little privacy or national security at stake.

Matthew Heiman lays out the remarkable international food fight over taxes on digital business. USTR is threatening big tariffs on French wine to counter France’s digital tax. Spain is apparently eager to join France in the fight. And the effort to work everything out at the OECD, where the EU has a 20-1 voting advantage over the US, has predictably not worked out well from the US point of view.

Cue the white cat: The United States has actually imposed sanctions on an entity called “Evil Corp.” SPECTRE was apparently unavailable. Nick explains. This is part of criminal charges against two highly effective Russian bank hackers – and arguably a confession of weakness on the US government’s part.

Meanwhile, Amazon’s efforts to avoid tort liability for third-party sales on its site look to be suffering a long strategic defeat in the courts. The latest example is a Sixth Circuit ruling allowing plaintiffs to pursue product tort claims against the Internet giant.

I offer a quick update and some rare kind words for Nancy Pelosi, who is calling for modification of the North American free trade deal to drop the provision turning Section 230 of the Communications Decency Act into international law. This provision has garnered genuinely bipartisan opposition, so perhaps she’ll prevail.

Paul gets stuck explaining two dog-bites-man stories. The FBI says any Russian app could be a counterintelligence threat. Well, what else would they say? And the European Commission, when asked what US regulation of encryption would mean for Europe, says more or less that the EU may have to escalate from eyebrow-lifting to throat-clearing.

Nick closes the program with advice about the new Android exploit that works (in the right circumstances) to compromise apps running on a fully patched and up-to-date Android phone.

Download the 292nd Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Algorithms are at the heart of the Big Data/machine learning/AI changes that are propelling computerized decision-making. In their book, The Ethical Algorithm, Michael Kearns and Aaron Roth, two Computer Science professors at Penn, flag some of the social and ethical choices these changes are forcing upon us. My interview with them touches on many of the hot-button issues surrounding algorithmic decision-making.

I have long suspected that much of the fuss over bias in machine learning is a way of smuggling racial and gender quotas and other academic social values into the algorithmic outputs. Michael and Aaron may not agree with that formulation, but the conversation provides a framework for testing it – and leaves me more skeptical about claims that “AI bias" is the problem it's been portrayed.  

Less controversial, but equally fun, is our dive into the ways in which Big Data and algorithms defeat old-school anonymization – and the ways in which that problem can be solved. The cheating husbands of Philadelphia help me understand the value and technique of differential privacy.

And if you wondered why, say, much of the social science and nutrition research of the last 50 years doesn’t hold up to scrutiny, blame Big Data and algorithms that reliably generate a significant correlation once in every 20 tries.

Michael and Aaron also take us  into the unexpected social costs of algorithmic optimization. It turns out that a recommendation engine that produces exactly what we want, even when we didn’t know we wanted it, is great for the user, at least in the moment, but maybe not so great for society. In this regard, it's a little like creating markets in areas once governed by social norms. The switch to market pricing instead of societal mores often optimizes individual choice but at considerable social cost. It turns out that algorithms can do the same – optimize individual gratification in the moment while roiling our social and political order in unpredictable ways. We would react badly to a proposal that dating choices be turned into more efficient microeconomic transactions (otherwise known as prostitution) but we don’t feel the same way about reducing them to algorithms.

Maybe we should.

Download the 291st Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

This Week in the Great Decoupling: The Commerce Department has rolled out proposed telecom and supply chain security rules that are aimed at but never once mention China. Acually, what the Department rolled out was more a sketch of its preliminary thinking about proposed rules. Brian Egan and I tackle the substance and history of the proposal and conclude that policymakers are still fighting each other about the meaning of a policy they've already announced.

And to show that decoupling can go both ways, a US-based chip-tech group is moving to Switzerland to reassure its Chinese participants. Nick Weaver and I conclude that there’s a little less here than Reuters seems to think.

Mark MacCarthy tells us that reports of UChicago weather turning sunny and warm for hipster antitrust are probably overdone. Even so, Silicon Valley should be at least a little nervous that Chicago School enforcers are taking a hard look at personal data and free services as sources of anti-competitive conduct.

Mark highlights my favorite story of the week, in which the Right to be Forgotten discredits itself in, where else, Germany. Turns out that you can kill two people and wound a third on a yacht in the Atlantic, get convicted, serve 20 years, and then demand that everybody just forget it happened. The doctrine hasn’t just jumped the shark. It’s doubled back and put a couple of bullets in the poor shark for good measure.

Nick explains why NSA is so worried about TLS inspection. And delivers a rant on the bad cybersecurity software that makes NSA's worries so plausible.

It’s been a bad week for TikTok, which was caught blocking an American Muslim teen who posted about Uighurs in China and offered an explanation that was believable only because US social media companies have offered explanations for their content moderation that were even less credible. I suggest that all the criticism will just lead to social media dreaming up more and sneakier ways to downgrade disfavored content without getting caught. Brian tells us how the flap might affect TikTok’s pending CFIUS negotiation.

Nick ladles out abuse for the bozo who thought it was a good idea to offer Kim Jong Un’s cyber bank robbers advice on using cryptocurrency to avoid sanctions. Brian points out that the prosecution will have to tiptoe past the First Amendment.

Senate Democrats have introduced the Consumer Online Privacy Rights Act, an online privacy bill with an unfortunate acronym (think fossilized dinosaur poop). Mark and I conclude that the bill is a sign that Washington isn’t going to do privacy before 2021.

Who can resist GPS crop circle spoofing by sand pirates? Not Nick. Or me. Arrrr.

I update our story on DHS’s CISA, which has now issued in draft its binding operational directive on vulnerability disclosure policies for federal agencies. It’s taking comments on GitHub; Nick approves.

And in quick hits: The death of the Hippie Internet, part 734: Apple changes its map to show Crimea as Russian, but only for Russians. And part 735: Facebook accepts "fake news" correction notice from the Singapore government. Our own Paul Rosenzweig will be an expert witness in the government’s prosecution of the Vault 7 leaker;. And Apple’s bad IT cost it $467,000 for sanctions violations; I ask whether we should be blaming Scooby-Doo for the error.

Join Steptoe for a complimentary webinar on Tuesday, December 10. We’ll be talking about the impacts on retailers of the newly implemented California Consumer Privacy Act and the EU’s General Data Protection Regulation. This is a fast-moving area of the law; we can keep you up to date. You can find out more and register here.

Download the 290th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the speakers' families, friends, former friends, clients, or institutions. Or spouses.  I've been instructed to specifically mention spouses.

Brad Smith is President of Microsoft and author (with Carol Ann Browne) of Tools and Weapons: The Promise and Peril of the Digital Age. The book is a collection of vignettes of the tech policy battles in the last decade or so. Smith had a ringside seat for most of them, and he recounts what he learned in a compelling and good-natured way in the book – and in this episode’s interview. Starting with the Snowden disclosures and the emotional reaction they caused in Silicon Valley, through the CLOUD Act, Brad Smith and Microsoft displayed a relatively even keel while trying to reflect the interests of the company's many stakeholders. In that effort, Smith became an advocate for more international cooperation in regulating digital technology. (A point on which Brad and I disagree.) As the interview wends on, Brad discloses how the Cyberlaw Podcast’s own Nate Jones and his Microsoft partner, Amy Hogan-Burney, became “Namy,” achieving a fame and moniker inside Microsoft that only Brangelina has achieved in the wider world. Finally, Brad Smith sums up Microsoft’s own journey in the last quarter century as came to recognize that humility is a better long-term strategy than hubris.

Turning to the news, it looks like the surveillance renewal debate will be pushed to March 15 instead of December 15. That’s thanks to impeachment, David Kris assesses. We summarize what’s up for renewal before turning to the hottest of FISA topics: The DOJ inspector general report on bias in the FBI’s investigation of the 2016 Trump-Russia connection. All we’re getting at this point is self-serving leaks, but it sounds as though the report is finding real misbehavior only in the lower rungs of the Bureau. The IG finds no political bias at the top, but criminal charges against one “vive le resistance” lawyer look possible.

David sums up China’s Vulnerability Equities Process: “You can disclose the vulns when MSS is done using them.”

Nick Weaver, meanwhile, tells us that China’s dependence on US-origin AI frameworks is more a matter of bragging rights rather than real disadvantage – unless you think that being unable to deny access to GitHub is a real disadvantage. And if you’re Xi Jinping, you might.

Nate Jones, already immortalized as the quiet half of Namy, reveals that Iran’s APT33 is targeting industrial control systems –and that Iran has shut down its Internet for several days in the face of civil unrest. I suggest that we keep track of the regime-essential links that stay up – so we can take them down later, when Iran really needs them, as retaliation for any intrusion into our industrial control systems.

Nate and I ask why a majority of the UN General Assembly bought into a Russian proposal for a “cybercrime” resolution. Hint: Many of the governments that support it couldn’t survive the combination of a democratic election and a free press.

Speaking of Russians, Nick flags a Brian Krebs explainer on why the Russians really, really didn’t want their accused cybercriminal extradited from Israel to the US.

David and I gape in wonder at the chutzpah of the Indiana police force that accused a suspected drug dealer of theft for removing a police GPS tracker from his car – and then used that theft to justify a search of his home.

In a lightning round, Nick covers the new Russian law that prohibits sale of devices without preinstalled “alternative” software. And Nick and I debate the value and legality of Uber’s plan to introduce audio recordings during rides.

Join Steptoe for a complimentary webinar on Tuesday, December 10. We’ll be talking about the impacts on retailers of the newly implemented California Consumer Privacy Act and the EU’s General Data Protection Regulation. This is a fast-moving area of the law; we can keep you up to date. You can find out more and register here.

Download the 289th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

We kick off the episode with This Week in Mistrusting Google: Klon Kitchen points to a Wall Street Journal story about all the ways Google tweaks its search engine to yield results that look machine-made but aren’t. He and I agree that most of these tweaks have understandable justifications – but you have to trust Google not to misuse them. And increasingly no one does. The same goes for Google’s foray into amassing and organizing health data on millions of Americans. It’s a nothingburger with mayo, unless you mistrust Google. Since mistrusting Google is a growth industry, the report is getting a lot of attention, including from HHS investigators. Matthew Heiman explains, and when he’s done, my money is on Google surviving that investigation comfortably. The capital of mistrusting Google, of course, is Brussels, and not surprisingly, Maury Shenk tells us that the EU has forced Google to modify its advertising protocols to exclude data on sites visited by its customers.

A Massachusetts federal district court says suspicionless device searches at borders are not okay. Matthew and I dig into the details. Bottom line: Requiring reasonable suspicion for electronics searches isn’t a tough standard, but if CBP needs a reasonable suspicion that the phone contains contraband, we aren't going to see a lot of searches. But that’s only good news for US citizens. Searches of foreign travelers’ phones can also be justified as a search for evidence that they should not be admitted to the country, and reasonable suspicion that such evidence will be found on a phone is not hard to come by.

The US Supreme Court will be deciding whether APIs can be copyrighted (or whether copying them is fair use). I put my Supreme Court maven cred on the line, predicting that the Court is going to reverse the federal circuit and reject Oracle’s claim that it can extract hefty rent payments from Google for use of Oracle APIs.

An injunction against disseminating violent and inciting speech is causing angst in Hong Kong. Maury explains why. And Klon unpacks the story of the Chinese hackers who’ve been spying on the US National Association of Manufacturers. 

Maury and I throw shade at the federal court’s claim that it’s arbitrary and capricious for the Trump Administration to drop an unenforceable ban on the export through publication of 3D gun plans. 

In a lightning round, no one should be surprised that Microsoft is making CCPA the law of the land. Nor that Amazon sells a lot of stuff directly from China. Or, frankly, that the hullabaloo over “sophisticated” DDoS attacks on British political parties is just campaign grist.

Advertisement (you knew it would happen eventually): Steptoe is hosting a complimentary webinar on Tuesday, December 10. We’ll be talking about the impacts on retailers of the newly implemented California Consumer Privacy Act and the EU’s General Data Protection Regulation. This is a fast-moving area of the law. You can find out more and register here.

Download the 288th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

The Foreign Agent Registration Act is having a moment – in fact its best year since 1939, as the Justice Department charges three people with spying on Twitter users for Saudi Arabia. Since they were clearly acting like spies but not stealing government secrets or company intellectual property, FARA seems to be the only law that they could be charged with violating. Nate Jones and I debate whether the Justice Department can make the charges stick.

Nick Weaver goes off on NSO Group for its failure to supervise the way its customers intrude on cell phone contents. I’m less sure that NSO deserves its bad rap, and I wonder whether WhatsApp should have compromised what looks like 1100 legitimate law enforcement investigations because it questions 100 other investigatons using NSO malware.

Speaking of Facebook’s judgment, Paul Rosenzweig and I turn out to be surprisingly sympathetic to the company’s stand on political ads and whether “Mama Facebook” should decide their truthfulness. Meanwhile, Twitter, darling of the press, has gotten away with a no-political-ads stance that is at least as problematical.

Nate, Paul, and I go pretty far down the rabbit hole arguing whether search warrants should give police access to DNA databases.

The National Security Commission on Artificial intelligence has published its interim report, and Nick, Nate, and I can’t really quarrel with its contents, except to complain that it doesn’t break a lot of new ground.

And maybe all this AI is still a little overrated. Remember that AI fake news text generator that OpenAI claimed was “too dangerous to release”? Well it’s been released, and it turns out to be bone stupid. We test it live, and the tool has a long way to go before it can scratch its way up to “underwhelming.”

Nick tells us why nobody who ever worked with the US government should even change planes in Russia these days.

In the lightning round, Paul and I ask when blowing off Congress became a thing anybody could do. Nick dumps on both sides in the Great DOH debate. I note that Ted Cruz has called out USTR for sticking Section 230 into trade deals.

We close with This Week in Pew! Pew! Pew! It really is the 21st century now that we’re using lasers to attack talking computers. Nick explains how to order fifty copies of Skating on Stilts using your neighbor’s Amazon account and a laser.

Download the 287th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the participants' firms, clients, or relatives.

This episode is a wide-ranging interview with Andy Greenberg, author of Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers. The book contains plenty of original reporting, served up with journalistic flair. It digs deep into some of the most startling and destructive cyberattacks of recent years, from two dangerous attacks on Ukraine’s power grid, to the multibillion-dollar NotPetya, and then to a sophisticated but largely failed effort to bring down the Seoul Olympics and pin the blame on North Korea. Apart from sophisticated coding and irresponsibly indiscriminate targeting, all these episodes have one thing in common. They are all the work of Russia's GRU. 

Andy persuasively sets out the attribution and then asks what kind of corporate culture supports such adventurism – and whether there is a strategic vision behind the GRU’s attacks. The interview convinced me at least that the GRU is pursuing a strategy of muscular nihilism -- "our system doesn't work, but yours too is based on fragile illusions." It's a kind of global cyber intifada, with all the dangers and all the self-defeating tactics of the original intifadas. Don't disagree until you've listened!

Download the 286th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

We open this episode with David Kris's thoughts on the two-years-late CFIUS investigation of TikTok, of its Chinese owner, ByteDance, and of ByteDance's US acquisition of the lip-syncing company Musical.ly. Our best guess is that this unprecedented reach-back investigation will end in a more or less precedented mitigation agreement.

WhatsApp is suing NSO Group over the use of spyware on WhatsApp's network. I predict that this is going to be a highwire act for WhatsApp, given the precedents on when breaching terms of service violates the Computer Fraud and Abuse Act. I also muse on the possibility that NSO will find ways to make this a much less comfortable lawsuit for WhatsApp to pursue.

The ACLU takes this week's prize for making a PR and fundraising mountain out of a molehill of a lawsuit. Matthew Heiman and I try to decide which took less effort – cutting and pasting the ACLU's generic FOIA complaint or cutting and pasting the ACLU's generic "Oh my God, it's a surveillance dystopia" press release.

I comment on a heart-warming story about a geek in Normal, Illinois, who runs the most successful ransomware-rescue site in the world – and is going broke doing it. Advice to DHS's CISA: Isn't it time to sponsor prizes for people who post ransomware decryptors with real impact?

Mark MacCarthy discusses the guidance provided by the Defense Innovation Board on building ethical AI. I complain that political correctness seems to have outweighed considerations like, you know, winning wars.

Matthew tells us that Israel is creating its own CFIUS-like panel, and we note the longstanding tension between the US and Israel over Chinese access to Israeli technology.

David spots more decoupling: The Interior Department has grounded its entire drone fleet, citing the risk from Chinese manufacturers.

Mark and I find common ground in thinking that Facebook got the political ad censorship question more right than wrong. Twitter, not so much. We offer Strange New Respect for Herbert Hoover and the legislators who struggled with the last industry to seize control of what Americans could know -- broadcasting.

Matthew fills us in on a story suggesting that North Korea breached an Indian nuclear plant's network. He and I also briefly note that Georgia was the victim of a massive case of cyber vandalism.

In updates of past stories, I cover Coalfire's persuasive critique of the sheriff who arrested the company's pentesters in an Iowa courthouse. In another even longer-running story, the latest and perhaps the last word on the LabMD-Tiversa-FTC imbroglio can be found in an excellent New Yorker story that leaves LabMD looking good, the FTC looking bad, and Tiversa looking like a candidate for criminal prosecution. Finally, David updates the story of the 2016 Uber hack that cost the company's chief security officer his job. Now it's also going to cost the hackers their freedom, as they plead guilty to CFAA violations.

Download the 285th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

You knew we’d go there. In this episode I talk about Congresswoman Katie Hill’s “throuple” pics and whether the rush to portray her as a victim of revenge porn raises questions about revenge porn laws themselves. Paul Rosenzweig, emboldened by twin tweets – from President Trump calling Never-Trumpers like him “human scum” and from Mark Hamill welcoming him to the Rebel Scum Alliance – takes issue with me.

In a more serious vein, Brian Egan, Paul, and I dig deep into the roots of the battle over how to keep “emerging technology” out of Chinese hands.

Paul explains a Georgia Supreme Court ruling that cops need a warrant to access automobile data after an accident.

Brian and I talk about why DHS might issue a binding operational directive requiring federal agencies to adopt vulnerability disclosure programs.

Maury Shenk tells us to look for tougher cybersecurity rules in China starting December 1.

Paul unpacks the thinking behind a finding of bias in a widely used health care algorithm.

Maury reminds us that “going dark is not going dark,” at least not in India, where the Supreme Court is consolidating several legal fights over WhatsApp’s end-to-end encryption. In Afghanistan, meanwhile, the New York Times says that WhatsApp has become a key tool for communication by the government.

I note a well-written study contradicting the widespread media narrative that YouTube’s recommendation engine is what’s radicalizing Americans. According to the authors, the problem isn’t YouTube’s recommendations but an audience that is looking for the kinds of alternative content that conservatives (not to mention the Alt-Right and the Alt-Lite) are offering.

In shorter takes, Paul and I cover Microsoft beating AWS to win an enormous Pentagon cloud contract, and Brian takes on the problem of lies in political ads on Facebook. And I ask whether we would be wise to follow Russia’s example and disconnect from the Internet from time to time.

Finally, Maury and I explore the challenge that TikTok poses not just to the US but also to the Chinese government. Short take: TikTok users can get away with a lot more pro-Hong-Kong-protest speech than the NBA can, at least in the US.

Download the 284th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Our interview is with Alex Joel, former Chief of the Office of Civil Liberties, Privacy, and Transparency at the Office of the Director of National Intelligence. Alex is now at the American University law school’s Tech, Law, and Security Program. We share stories about the difficulties of government startups and how the ODNI carved out a role for itself in the Intelligence Community (hint: It involved good lawyering). We dive pretty deep on recent FISA court opinions and the changes they have forced in FBI procedures. In the course of that discussion, I posit that every “reform” of intelligence dreamed up by Congress in the last decade has turned out to be a self-licking compliance trap, and I take back some of my praise for the DNI’s lawyering.

In the News Roundup, we’re inundated by serious new reports of cyberattacks. Dave Aitel admits that the hacking group he envies most is Turla, which was recently discovered to have totally pwned the entire attack infrastructure of an Iranian government team. Dave notes that Avast has succumbed to a second far-reaching intrusion into its network, reminiscent of the last attack, which led to the company sending out a compromised CCleaner application. We may never know whether Avast got the intruder out, Dave suggests, but his hat is off to the company’s PR team. In still more pwnage news, Dave praises two new detailed reports from security companies: FireEye’s report on APT41’s combination of espionage and cybercrime and Crowdstrike’s report on amazingly successful Chinese efforts to steal aircraft intellectual property. And one more: Cyber Command has leaked the bare minimum of information to show that Iran’s strike against Saudi oil facilities did not go unpunished. Dave and I both take our hats off to Iran’s PR team, which responded to the vague leak by claiming that Cyber Command “must have dreamt it.”

In other news, Gus Hurwitz breaks down a recent Ninth Circuit decision construing the Section 230 immunity that Congress has given to companies that filter content on the Internet. Remarkably, two judges thought that the immunity for preventing access to “objectionable” content would allow a company to filter out its competitor’s products. It's easy to see how competition might be objectionable to the company, but harder to see why Congress would have shared that view. Luckily, the two judges who got it wrong were a district court judge and the Ninth Circuit dissenter. But the close call shows how broadly the “objectionable” immunity sweeps. Which raises the question why US trade agreements should broaden the immunity and turn it into international law that can’t be amended easily, or at all. That was a point of rare bipartisan agreement at a recent House hearing. But there’s no sign yet that Congress is going to reject the trade deals that do this. Gus and I also touch on the latest flaps over social media content monitoring.

Dan Podair explains what’s good and what’s missing from the California AG’s rules implementing California’s new, sweeping privacy act.

Poor Equifax: Just when they were hoping the worst had passed, the plaintiff’s bar doxxed even more embarrassing security failings. Dave offers this cold comfort: All the mistakes that embarrased Equifax could be found in pretty much any network in the country. More cold than comfort, Dave!

And, finally, we close with This Week in Puerile Jokes: All inspired, of course, by the UK Government’s decision to drop its plan to require ID to watch sex videos online.

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

 Our interview is with Sultan Meghji, CEO of Neocova. We cover the large Chinese investment in quantum technology and what it means for the United States. It’s possible that Chinese physicists are just better than American physicists at extracting funding from their government by hyping their science. Indeed, it looks as though some quantum tech, such as the use of entangled particles to identify eavesdropping, may turn out to have dubious military value. But not all. Sultan thinks the threat of special purpose quantum computing to break encryption poses a real, near-term threat to US financial institutions’ security.

In the News Roundup, we cover the new California Consumer Privacy Act regulations, which devote a surprising amount of their 24 pages to fixing problems caused by the Act’s feel-good promise that consumers can access and delete the information companies have on them.

Speaking of feel-good laws that are full of liability land mines, the Supreme Court has let stand a Ninth Circuit ruling that allows blind people to sue under the Americans with Disabilities Act if websites don’t accommodate their needs. Nick Weaver and I explore a few of the harder questions raised by this seemingly simple mandate (you can accommodate the blind by providing a "read aloud" option, but what about people who are blind and deaf?) and the risks of making law by retroactively imposing liability.

Weirdly for a populist administration that says it mistrusts the big social platforms for their restricting of conservative speech, the Trump trade negotiators are actually expanding Section 230 immunities for Silicon Valley that both left and right have begun to question. The expansion is buried in hard-to-amend and even-harder-to-repeal trade agreements. By way of explanation, I lay out the Realpolitik of trade deals. As if to prove my point, the US and Japan have signed a Digital Trade Agreement that has much the same provision.

Nick and I muse on the rise of Commerce Department sanctions on individual companies. In a way, such sanctions are a less harsh alternative to OFAC sanctions, which include property seizures, but they are also like antibiotics -- they either destroy the target or help it develop better resistance for the future.

Does TLS stand for “Tough Luck, Sucker?” That’s the message of a new and clever form of malware that has been, softly attributed to the Russian FSB.

Apple, having banned, and then unbanned, an app that locates police activity in Hong Kong, has now re-banned it. Tim Cook offers an explanation for the latest move that triggers Nick’s bovine excrement detection system. In a Final Four of Hypocritical Surrender to the PRC, LeBron James and the NBA give ESPN a run for its money. South Park fails to qualify.

Matthew Heiman and I discuss India’s effort to create a national facial recognition system. Naturally BuzzFeed thinks it’s Evil. Not enough people of color in the training set, apparently, or perhaps it’s too many. Or Modi is too much like Trump. Or some damn thing. Look, it’s Evil, okay? So shut up and leave BuzzFeed alone.

Nick and I consider DHS’s request for the power to subpoena ISPs to identify owners of compromised systems. I critique Herb Lin’s suggestion that the ISPs can solve the problem without giving data to DHS.

As Matthew notes, it was just last month that the French government gave the world a stiff-necked little lecture on respecting sovereignty in cyberspace. So why are French police helping reprogram computers in Latin America? Because it’s different when the French are doing it than when it’s done to them, I surmise.

A recent “good guy with a keyboard” story offers me one more chance to tout my views on hacking back.  I ask why someone who’s rescued hundreds of victims from ransomware should have to worry for one minute about being prosecuted for compromising (again) the already compromised C2 machines that apparently held the keys.

Matthew and I try to simplify a complex ruling from two FISA courts. Among the takeaways: The FBI has been running a lot of searches against 702 databases (3.1 million a year!), which greatly complicates its compliance program, and the FISA courts are overusing the 4th amendment, which in FISA minimization cases is like trying to do brain surgery with a chainsaw.

Argh! That embarrassing Bloomberg Supermicro story is back. Sort of. Wired has shown that something like it could really be done. Which, Nick points out, we already knew.

I give a shoutout to Jennifer Daskal and Peter Swire for their useful overview of the UK-US CLOUD Act, but I wonder if the agreement's mutual “no targeting of the other country’s nationals” assurances are a scalable solution.

Finally, Matthew reviews the second volume of the SSCI report on its investigation into Russian election interference. The TL;DR? The Russians did what you think they did. The closest thing to a surprise? After starting out just trying to hurt Hillary, by the end the Russians seem to have been trying to help Trump too.

Download the 282nd Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Today’s episode opens with coverage of a truly disturbing bit of neocolonialist lawmaking from the Court of Justice of the European Union. The CJEU ruled that an Austrian court correctly ordered Facebook to take down statements about an Austrian politician, not just in Austria, not just in Europe, but everywhere in the world. Called an “oaf” and a “fascist,” the politician more or less proved the truth of the accusations by suing to keep that and similar statements off Facebook worldwide. I suggest that the US adopt blocking legislation to protect the First Amendment from foreign government interference and argue that President Trump should support such a law. After all, if he were ever to insult a European politician on Twitter, this ruling could lead to litigation that takes his Twitter account off the air. Heading off that threat is truly a legislative and international agenda for the Age of Trump! 

Nick Weaver returns to the podcast and gives the FDA a better report card than I expected on its approach to cybersecurity. But we agree that the state of medical device and implant security remains parlous. 

I try my hand at explaining the DC Circuit’s Net Neutrality ruling in Mozilla v. FCC. There are still some rounds to be played, but Net Neutrality, if not dead, may at least be pining for the fjords (or a Democratic administration).

We introduce a new feature: This Week in Elizabeth Warren. She has a plan to revive the Congressional Office of Technology Assessment. Nick likes the idea. I’m less enthusiastic, perhaps because I actually did some work for OTA before it disappeared.

Nick also helps unpack the flap over Google’s proposal to do DNS-over-HTTPS, and why ISPs aren’t happy about it. Bottom line: If you haven’t been paying much attention to the issue, you made the right choice. Nick explains why. Just think of how much time you saved by listening to the podcast!

Nick also explains how Uzbekistan managed to give state cyberattacks an aura, not of menace or invincibility, but of clownish incompetence.

David Kris tells us why privacy advocates and NGOs object to the French government’s use of nationwide facial recognition for its ID program. If that's the best they can do, I suggest, this may be the dumbest face recognition privacy “scandal” in history.

The cops have shut down a Dark Web data center operating from… a NATO bunker? Nick reveals that the main reason to operate from a NATO bunker is, well, marketing. 

Apparently channeling Stewart Baker, Attorney General Bill Barr is all-in on discouraging mass-market warrant-proof encryption. Nick thinks he’s picked the wrong fight and should go after phone storage encryption instead. And maybe Nick’s right, since the civil-liberties shine on Apple is looking a little scuffed these days. 

David tells us that NSA has launched a new defense directorate with Anne Neuberger at its helm. I promise to interview her on the podcast early next year.

David talks about the California man charged with delivering classified information to China’s Ministry of State Security. I want to know how many spies China has in the US if they can create what amounts to Uber for dead drops.

Dog bites man: Pervy Yahoo engineer pleads guilty to hacking emails for pornographic images. I’m surprised this doesn’t happen every month. 

And in a sign that Congress can still reach bipartisan agreement on bills that do more or less nothing, both the House and the Senate have adopted bills authorizing (but not funding) DHS “cyber hunt” teams to help local governments suffering from cyber ransom and other attacks.

Bringing back an old favorite theme, I cover the hacking of an electronic billboard to play porn – and celebrate the crowdsourcing of the facial recognition needed to identify the actresses. (At least I think it was face recognition.) Tracked down and asked for comment, one actress urged her involuntary viewers to “keep both hands on the wheel.”

Download the 281st Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

In this episode I cross swords with John Samples of the Cato Institute; we debate whether Silicon Valley’ is trying to disadvantage conservative speech and what to do about it. I accuse him of Panglossian libertarianism; he challenges me to identify any way in which bringing government into the dispute will make things better. I say government is already in it, citing TikTok’s PRC-friendly “community standards” and Silicon Valley’s obeisance to European norms on hate speech and terror incitement.

Disagreeing on how deep the Valley’s bias runs, we agree to put our money where our mouths are: For $50, I take the under and he takes the over on whether Donald J. Trump will last a year after leaving office without being suspended or banned from Twitter.

There’s a lot of news in the roundup, too.

David Kris explains the background of the first CLOUD Act agreement that may be signed this year with the UK.

Nate Jones and I ask, “What is the president’s beef with CrowdStrike, anyway?” We find a certain amount of common ground on the answer.

This Week in Counterattacks in the War on Terror: David and I recount the origins and ironies of Congress’s willingness to end the NSA 215 phone surveillance program. We also take time to critique the New York Times’s wide-eyed hook-line-and-sinker ingestion of an EFF attack on the FBI’s use of National Security Letters.

Edward Snowden’s got a new book out, and the Justice Department wants to make sure he never collects his royalties. Nate explains. I’m just relieved that I will be able to read it without having to shoplift it. And as this seems to be the episode for challenges, I offer Snowden a chance to be interviewed on the podcast:  Anytime, anywhere, Ed!

Matthew Heiman explains the latest NotPetya travail for FedEx: A shareholder suit alleging that the company failed to disclose how much damage the malware caused to its ongoing business.

Evan Abrams gives a hint about the contents of Treasury’s 300-page opus incorporating Congress’s overhaul of CFIUS into the CFR.

I credit David for inspiring my piece questioning how long end-to-end commercial encryption is going to last, and we note that even the New York Times seems to be raising questions about whether Silicon Valley’s latest enthusiasm is actually good for the world.

Matthew tells us that China may have a new tool to use in the trade war – or at least to keep companies toeing the party line: The government is assigning social credit scores to businesses.

Finally, Matthew outlines France’s OG take on international law and cyber conflict. France has opened up some distance between its views and those of the United States, and everyone will soon get a chance to talk at even greater length on the topic, as the UN gears up two different bodies to engage in yet another round of cyber-norm-building.

Download the 280th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Joel Trachtman thinks it’s a near certainty that the WTO agreements will complicate US efforts to head off an Internet of Things cybersecurity meltdown, and there’s a real possibility that a US cybersecurity regime could be held to violate our international trade obligations. Claire Schachter and I dig into the details of the looming disaster and how to avoid it.

In the news, Paul Rosenzweig analyzes the Ninth Circuit holding that scraping publicly available information doesn’t violate the CFAA.

The California legislature has adjourned, leaving behind a smoking ruin where Silicon Valley’s business models used to be. Mark MacCarthy elaborates: One new law would force companies like Uber and Lyft (and a boatload of others) to treat gig economy workers as employees, not contractors. Another set of votes in the legislature has left the demanding California Consumer Privacy Act more or less unscathed as its 2020 effective date looms. Really, it’s beginning to look as though even California hates Silicon Valley.

Klon Kitchen and I discuss the latest round of Treasury sanctions on North Korean hacking groups. The sanctions won’t affect anyone in North Korea, but they might affect a few of their enablers on the Internet. What I wonder, though, is this: Since sanctions violations are punishable even when they aren’t intentional, will US companies whose money is stolen by the Lazarus Group be penalized for having engaged in a prohibited transaction with a sanctioned party? Maybe the Lazarus Group should steal a Treasury license too, just to be sure.

Klon also lays out in chilling detail what the Russians were really trying to do to Ukraine’s grid – and the growing risk that someone is going to launch a destructive cyberattack that leads to a cycle of serious real-world violence. The drone attack on Saudi oil facilities shows how big that risk can be.

Paul examines reports that Israel planted spy devices near the White House. He thinks it says more about the White House than about Israel.

Paul also reports on one of the unlikelier escapades of students from his alma mater: Trading 15 minutes at the keyboard for months in jail and a lifetime of trouble on their permanent records. 

I walk back the deepfake voice scam story we discussed recently, but Klon points out that it reflects a future that is coming for us soon, if not today.

Proving the old adage about a fool for a lawyer, the Mar-a-Lago trespasser has been found guilty after an ineffective pro se defense. We may never know what she was up to.

Klon digs into a long and thoughtful op-ed by NSA’s Glenn Gerstell about the effects of the “digital revolution” on national security. And I note the recent Carnegie report trying to move the encryption debate forward. I also plug my upcoming speech in Israel on the same topic.

Download the 278th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Camille Stewart talks in this episode about a little-known national security risk: China’s propensity to acquire US technology through the bankruptcy courts -- and the many ways in which the bankruptcy system isn’t set up to combat improper tech transfers. Published by the Journal of National Security Law & Policy, Camille’s paper is available here. Camille has enjoyed great success in her young career, working with the Transformative Cyber Innovation Lab at the Foundation for Defense of Democracies, as a Cybersecurity Policy Fellow at New America, and as a 2019 Cyber Security Woman of the Year, among other achievements. Plus, of course, the great honor of working for DHS Policy.  We talk at the end of the session about life and advancement as an African American woman in cybersecurity.

In the News Roundup, Maury Shenk tells us that UK courts have so far resisted a sustained media narrative that all facial recognition tech is inherently evil. Americans seem to agree with the UK court, Matthew Heiman notes, since a majority trust law enforcement to use it responsibly. Which is more than you can say for Silicon Valley, which only 36% of Americans trust with the technology.

Mieke Eoyang and I talk about DHS’s plan to use fake identities to view publicly available social media postings and the conflict between that plan and social media sites’ terms of service. I am unsympathetic, given the need for operational security in conducting such reviews, but we agree that DHS may be biting off more than it can chew, especially in languages other than English. And really, DHS, how clueless do you look when the list of social media you'll be scrutinizing includes sites like the three-years-dead Vine but not TikTok, which Mieke notes ironically, is “what all the kids are using these days.”

Maury brings us up to speed on EU plans for the tech sector, which will be familiar to Brits contemplating the EU’s plans for them. And speaking of EU hypocrisy and incoherence (we were, weren’t we?), Erin Egan of Facebook has written a paper on data portability that deserves more attention, since it shows the impossibility of squaring the EU’s snit over Cambridge Analytica with its insistence on the inherently vague principle of “data portability.” The paper also calls out our FTC for slamming Facebook over Cambridge Analytica while Commissioner Noah Phillips is warning that restricting data transfers can be an anticompetitive weapon. I promise to invite the commissioner on the podcast again to explore that issue.

Well, that was quick: Fraudsters used AI to mimic a CEO’s voice – German accent, “melody,” and all – in an unusual cybercrime case. But it won't be unusual long. Anyone can do this now, Maury explains. 

In short hits, Mieke and I mock Denmark’s appointment of an “ambassador” to Silicon Valley. Way to cut the Valley down to size, Denmark! Maury notes that FinFisher is under investigation for violating EU export control law by selling spyware. Mieke does her best to rebut my suggestion that Silicon Valley’s bias is showing in the latest actuarial stat: Turns out that 10% of the accounts that President Trump has retweeted have already been deplatformed. Matthew and I note that China has been caught hacking several Asian telcos to spy on Uighurs. To give the devil his due, though, if the US had 5,000 citizens fighting for ISIS and al-Qaeda, as China claims to have, we’d probably be hacking all the same telcos to keep an eye on them.

State attorneys general will launch sweeping and apparently bipartisan antitrust probes into Facebook and Google this week. Good to see Silicon Valley bringing Rs and Ds together at last; who says its business model is fomenting social division? Finally, Mieke leaves us uneasy about the online security of our pensions, as hackers steal $4.2 million from one fund via compromised email.

Download the 277th Episode (mp3).

Want to hear more from Camille on bankruptcy and national security? She’ll be speaking Friday, September 13, at a lunch event hosted by the Foundation for Defense of Democracies. She’ll be joined by fellow panelists Giovanna Cinelli, and two other Cyberlaw Podcast alums, Jamil Jaffer and Harvey Rishikof, along with moderator Dr. Samantha Ravich. The event will be livestreamed at www.fdd.org/events. If you would like to learn more about the event, contact Abigail Barnes at FDD. If you are a member of the press, please direct your inquiries to press@fdd.org.

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.