Skating on Stilts

This episode features a much deeper, and more diverse, examination of the Fifth Circuit decision upholding Texas's social media law than we did last week. We devote the last half of this episode to a structured dialogue  between Adam Candeub and Alan Rozenshtein about the decision. Both have written about it, Alan critically and Adam supportively. I lead off, arguing that, contrary to legal Twitter's dismissive reaction, the opinion is a brilliant and effective piece of Supreme Court advocacy. Alan thinks that's exactly the problem; he objects to the opinion's grating self-certainty and refusal to acknowledge the less convenient parts of past case law. Adam is closer to my view. We all seem to agree that the opinion succeeds as an audition for Judge Oldham to become Justice Oldham in the DeSantis Administration.

We walk through the opinion and what its critics don't like, touching on the competing free expression interests of social media users and of the platforms themselves, whether there's any basis for an injunction today, given the relative weakness of the overbreadth argument, and whether "exercising editorial discretion" is a fundamental right under the first amendment or just an artifact of older technologies. Most intriguingly, we find unexpected consensus that Judge Oldham's (and Justice Thomas's) common carrier argument may turn out to be the most powerful argument in the case when it reaches the Court.

In the news roundup, we focus on the sprint to pass additional legislation before the end of the Congress. Michael Ellis explains the debate between the Cyberspace Solarium Commission alumni and business lobbyists over enacting a statutory set of obligations for systemically critical infrastructure companies.

Adam outlines a strange-bedfellows bill that has united Sens. Amy Klobuchar (D-Minn.) and Ted Cruz (R-Texas) in an effort to give small media companies and broadcasters an antitrust immunity to bargain with the big social media platforms over the use of their content. Adam is a skeptic, Alan less so.

The Pentagon, reliably braver when facing bullets than a bad Washington Post story, is performing to type in the flap over fake social media accounts. Michael tells us that the accounts pushed pro-U.S. stories but had met with little success before Meta and Twitter caught on and kicked them off their platforms. Now the Department of Defense is conducting a broad review of military information operations. I predict fewer such efforts and don't mourn their loss.

Adam and I touch on a decision of Meta's Oversight Board criticizing Facebook's automated image takedowns. I offer a new touchstone for understanding content regulation at the Big Platforms: They just don't care, so they've turned the whole effort over to second-rate AI and second-rate employees. There's a lot of explanatory power there.

Michael walks us through the Department of the Treasury's new flexibility on sending communications software and services to Iran.

And, in quick hits, I note that:

• The Justice Department's China Initiative continues to suffer pushback,
• We should all expect bad things from the emergence of  violence as a service, and
• Russian botmasters have suddenly discovered that extradition to the U.S. may be better than going home and facing mobilization.

Download the 423rd Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets. Especially the pets.

The big news of the week was a Fifth Circuit decision upholding Texas's law regulating social media speech suppression. The decision was poorly received by the usual supporters of social media censorship but I found it both remarkably well written and surprisingly persuasive. That does not mean it will survive the almost inevitable Supreme Court review but Judge Oldham wrote an opinion that could be a model for a Supreme Court decision upholding the Texas law.

The big hacking story of the week was a brutal takedown of Uber, probably by the dreaded Advanced Persistent Teenager. Dave Aitel explains what happened and why no other large corporation should feel smug or certain that the same cannot happen to them. Nick Weaver piles on.

Maury Shenk explains a recent European court decision upholding sanctions on Google for its restriction of Android phone implementations.

Dave points to some of the less well publicized aspects of the Twitter whistleblower's testimony before Congress. We agree on the bottom line – that Twitter is utterly incapable of protecting either U.S. national security or even the security of its users' messages. If there were any doubt about that, it would be laid to rest by Twitter's dependence on Chinese government advertising revenue.

Maury and Nick tutor me on The Merge, which moves Ethereum from "proof of work' to "proof of stake," massively reducing the climate footprint of the cryptocurrency. They are both surprisingly upbeat about it.

Maury also lays out a new European proposal for regulating the internet of things – and, I point out, for massively increasing the cost of all those things.

China is getting into the attribution game. It has issued a report blaming the National Security Agency for intruding on Chinese educational institution networks. Dave is not impressed.

The Department of Homeland security, in breaking news from 2003, has been storing the contents of phones it seizes on the border. Dave predicts that DHS will have to further pull back on its current practices. I'm less sure.

Now that China is regulating vulnerability disclosures, are Chinese companies reluctant to disclose vulnerabilities outside China? The Atlantic Council has a report on the subject, but Dave thinks the results are ambiguous at best.

In quick hits:

• The Senate has confirmed Nate Fick as the first U.S. cyber ambassador
• I reiterate wit evidence my cynical view that Apple's app rules are not so much concerned about protecting your privacy as about taking share from Google and Facebook in the advertising market
• Nick lays out the latest Treasury Department guidance on sanctions and tornado cash
• Maury explains how the Indian government persuaded 50 million Indians to geotag their homes
• And I tell listeners how the FBI and Silicon Valley could be working together to identify conservatives for potential criminal investigation.

Download the 422nd Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Gus Hurwitz brings us up to speed on major tech bills in Congress. They are all dead. But some of them don't know it yet.

The big privacy bill, American Data Privacy and Protection Act, was killed by the left, but I argue that it's the right that should be celebrating, since the bill would have imposed race and gender preferences all across the economy, and the GOP members who supported the measure in the House were likely sold a bill of goods by industry lobbyists.

The big antitrust bill, American Innovation and Choice Online Act, is also a zombie, Gus argues, lurching undead toward the Senate floor but unlikely to muster the GOP votes needed to pass, mainly because content moderation has become a simple partisan issue: the GOP wants less (or fairer) moderation, Dems want more of what Silicon Valley has been dishing out for the past few years. If the bill doesn't produce viewpoint competition in the tech sector, it offers nothing for the GOP, and industry lobbyists are happily driving wedges into that divide.

The same divide also caused a stutter in the bill allowing newspapers to bargain collectively with the big platforms. It may make it to the floor, but it's already losing body parts.

Meanwhile, the White House is having a weirdly inconclusive "listening session" that might better have been called a "talking but not really proposing anything session."

When Iran launched a wiper attack on Albania because of its harboring of Mujahedin-e-Kalq, Albania broke relations with Iran and the U.S. promised consequences. In fact, all the U.S. seems to have done is impose meaningless sanctions on the already-sanctioned Iranian spy ministry. What was Iran's response? A second cyberattack on Albania. Nate Jones runs down the story. Jamil Jaffer and I question whether governmental sanctions on foreign intelligence agencies, which never promised much, are now delivering an appearance of haplessness and not of strength.

Jamil and I dwell on the criminal trial of Joe Sullivan for how he handled some hackers who got access to personal data stored by Uber. He was the chief security officer, and he decided to pay the hackers a bug bounty in exchange for their promising to destroy the data. That allowed Uber to avoid treating (and reporting) the incident as a breach. Creative lawyering or too creative by half? I could go either way, but calling it obstruction of justice and wire fraud seems like a reach. Nonetheless, that's what the Justice is charging in a case that opened last week. It is heavily politicized, and all the politics – corporate and governmental – line up against Sullivan. Whether the jury will do the same is another question. Meanwhile, everyone from other CISOs to former New York Times reporter Nicole Perlroth are questioning the prosecution's merits and warning of its likely consequences. However the case comes out, I predict that the biggest loser will be the FBI, which will never again get the kind of welcome from CISOs that it has in more innocent days.

Jamil critiques Apple's decision to support China's chip industry with new orders – and its claim that the chips it puts in its phones for the China market will stay in China.

The sanctions on Tornado Cash come back to the podcast for the second week in a row, Nate tells us, this time as litigation. Coinbase is funding an APA and constitutional challenge to Treasury's anctioning of a pile of code rather than a person or entity. My money is on the Treasury winning in the end.

In quicker hits,

• Nate and I talk about the many cryptocurrency policy papers coming out of the administration these days. Treasury plans to warn the White House that cryptocurrency needs regulation. And the White House science office thinks proof-of-work crypto mining is warming the planet unnecessarily.
• Gus and I wonder out loud whether Lina Khan's Federal Trade Commission has a fatal case of "eyes bigger than stomach."
• Nate covers the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) request for public feedback on its mandatory incident reporting rule.
• Gus and I note new criticism of the EU's AI Act.
• Gus also lays out the opening round in what could turn out to be an important Justice Department case trying to end Google's large payments to be the default search engine on popular platforms like the iPhone.

Download the 421st Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

This is our return-from-hiatus episode. Jordan Schneider kicks things off by covering the passage of a major U.S. semiconductor-building subsidy bill, while new contributor Brian Fleming talks with Nick Weaver about new foreign investment restrictions on chip (and maybe other) technology companies, as well as new export controls on (artificial Intelligence (AI) chips going to China. Jordan also covers a big corruption scandal arising from China’s big chip-building subsidy program, leading me to wonder when we’ll have our version.

Brian and Nick cover the month’s biggest cryptocurrency policy story, the imposition of OFAC sanctions on Tornado Cash. They agree that, while the outer limits of sanctions aren’t entirely clear, they are likely to show that sometimes the U.S. Code actually does trump digital code. Nick points listeners to his bracing essay, OFAC Around and Find Out.

Paul Rosenzweig reprises his role as the voice of reason in the debate over location tracking and Dobbs. (Literally. Paul and I did an hour-long panel on the topic last week. It’s available here.) I reprise my role as Chief Privacy Skeptic, calling the Dobbs/location fuss an overrated tempest in a teapot.

Brian takes on one aspect of the Mudge whistleblower complaint criticizing Twitter's security: Twitter’s poor record at keeping foreign spies from infiltrating its workforce and getting wide access to its customer records. Perhaps coincidentally, he notes, a former Twitter employee was just convicted of “spying lite”, proving the company is just as good at national security protection as it is at content moderation.

Meanwhile, returning to onshore aspects of U.S.-China economic relations, Jordan tells us about the survival of high-level government concerns about TikTok. I note that, in the years since these concerns first surfaced in the Trump era, TikTok’s lobbying efforts have only grown more sophisticated. Speaking of which, Klon Kitchen has done a good job of highlighting DJI’s increasingly sophisticated lobbying in Washington D.C.

The Cloudflare decision to deplatform Kiwi Farms kicks off a donnybrook, with Paul and Nick on one side and me on the other. It’s a classic Cyberlaw Podcast debate.

In quick hits and updates:

• Nick and I cover the sad story of the Dad who photographed his baby’s private parts at a doctor’s request and, thanks to Google’s lack of human appellate review, lost his email, his phone number, and all of the accounts that used the phone for 2FA.
• Paul brings us up to speed on the U.S.-EU data fight: and teases today's Federalist Society webinar on the topic.
• Nick explains the big changes likely to come to the porn world because of a lawsuit against Visa. And why Twitter narrowly averted its own child sex scandal.
• I update listeners on the flap over Google’s bias against GOP fundraising emails. It has led to an unlikely result: less spam filtering for all such emails.
• And, after waiting much too long, Brian Krebs has retracted his post about a Ubiquity “breach” that led the company to sue him.

Download the 420th Episode (mp3) 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Just when you thought you had a month free of the Cyberlaw Podcast, it turns out that we are persisting, at least a little. This month we offer a bonus episode, in which Dave Aitel and I interview Michael Fischerkeller, one of three authors of "Cyber Persistence Theory: Redefining National Security in Cyberspace."

The book is a detailed analysis of how cyberattacks and espionage work in the real world – and a sharp critique of military strategists who have substituted their models and theories for the reality of cyber conflict. We go deep on the authors' view that conflict in the cyber realm is all about persistent contact and faits accomplis rather than compulsion and escalation risk. Dave pulls these threads with enthusiasm.

I recommend the book and interview in part because of how closely the current thinking at United States Cyber Command is mirrored in both.

Download the 419th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

As Congress barrels toward an election that could see at least one house change hands, efforts to squeeze a few big bills into law are mounting.  The one with the best chance (better than I expected) would drop $52 billion in cash and a boatload of tax breaks on the semiconductor

Dusty Old Trust Building, Providence, RI

industry. Michael Ellis points out that this is industrial policy without apology, and a throwback to the 1980s, when the government organized Sematech to shore up US chipmaking. Thanks to a bipartisan consensus on the need to fight a Chinese challenge, and elimination of controversial provisions that tried to hitch a ride on the bill, there now looks to be a clear path to enactment for this bill.

And if there were doubt about how serious the Chinese challenge in chips will be, we highlight an undercovered story revealing that China’s chipmaking champion, SMIC, has been making 7-nanometer chips for months without making a public announcement.  That’s a diameter that Intel and GlobalFoundries, the main US producers, have yet to reach in commercial production.

The national security implications are plain. If commercial products from China are cheap enough to sweep the market, even security-minded agencies will be forced to buy them, as it turns out the FBI and DHS have both been doing with Chinese drones. Nick recommends that policymakers read his Lawfare piece showing just how cheaply the US (and Ukraine) could be making drones.

Responding to the growing political concern about national security and Chinese products, TikTok’s owner ByteDance, has  increased its U.S. lobbying budget to more than $8 million a year, Christina Ayiotis tells us; that's an amount, I point out, that just about matches what Google spends on lobbying.

In the same vein, Nick Weaver and Michael question why the government hasn’t come up with the extra $3 billion to fund “rip and replace” for Chinese telecom gear. That effort will certainly get a boost from reports that Chinese telecom gear was offered on especially favorable terms to carriers who service America’s nuclear missile locations. I note that the Obama administration actually paid these same rural carriers to install Chinese equipment in the teens, as part of the 2009 stimulus law. I can’t help wondering why US taxpayers should pay those carriers both to install and to remove the same gear.

In news not tied to China, Nick tells us about the House’s serious progress on a compromise federal data privacy bill. It’s probably still doomed, given resistance from Dems (and maybe the GOP) in the Senate. I argue that that’s a good thing, given the bill's egregious effort to impose “disparate impact” quotas for race, color, religion, national origin, sex, and disability on the outcomes of every algorithm that processes even a little personal data. This is a transformative social engineering project, imposed by a single section (207) of  the bill without any serious debate.

Tina grades Russian information warfare based on its latest exploit:  hacking a Ukrainian radio broadcaster to spread fake news about Zelensky’s health,  As a hack, it gets a passing grade, but as a believable bit of information warfare, it’s a bust.

Tina, Michael and I evaluate YouTube’s new policy on removing “misinformation” related to abortion, and the risk that this policy, like so many Silicon Valley speech suppression schemes, will start out sounding plausible and end up enforcing political correctness. 

Nick and I celebrate DOJ’s increasing though still episodic success in seizing cryptocurrency from hackers and ransomware gangs. It may just be Darwin at work, but it’s nice to see.

Nick offers the recommended long read of the week --  Brian Krebs’s takedown of the VPN malware supplier, 911.

And in updates and quick hits:

1. That Twitter worker arrested for spying on behalf of Saudi Arabia is going to trial.
2. GCHQ’s cryptoskeptics have returned to ask how we can square end-to-end encryption with child safety. I think the answer is “Not well.”
3. GDPR's consequences are still emerging: Turns out, it means that schoolkids in Denmark won’t be able to use Chromebooks or Google Workspace.
4. And Nick takes a moment to dunk on the Three Arrows founders, whose cryptocurrency company went under in the bust and who are now giving interviews from an undisclosed location.

Listen to Episode 418 here.

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed.  Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

* This week's title is an obscure Rhode Island tribute to the Industrial Trust Building, known to a generation of children as the ‘Dusty Old Trust” building until a new generation christened it the “Superman Building.” 

Kicking off a packed episode, the Cyberlaw Podcast calls on Megan Stifel to cover the first Cyber Safety Review Board (CSRB) Report. The CSRB does exactly what those of us who supported the idea hoped it would do – provide an authoritative view of how the Log4J incident unfolded along with some practical advice for cybersecurity executives and government officials.

Jamil Jaffer tees up the second blockbuster report of the week, a Council on Foreign Relations study called "Confronting Reality in Cyberspace Foreign Policy for a Fragmented Internet." I think the study's best contribution is its demolition of the industry-led claim that we must have a single global internet. That has not been a realistic prospect for a decade, and pursuing that vision has kept the U.S. from fully defending its own interests in cyberspace, so CFR's realism is welcome. Less welcome is its utterly wrong claim that the U.S. can resolve its transatlantic dispute with Europe by adopting a European-style privacy law. Europe has no real remaining beef with us on privacy regulation of industry (we surrendered); now the fight is over Europe's demand that we rewrite our intelligence and counterterrorism laws, a demand that new privacy legislation won't satisfy. Jamil Jaffer and I debate both propositions.

Megan discloses the top cybersecurity provisions added to the House defense authorization bill – notably the five year term for the head of Cybersecurity and Infrastructure Security Agency (CISA) and a cybersecurity regulatory regime for systemically critical industry. The Senate hasn't weighed in yet, but both provisions now look more likely than not to become law.

Regulatory cybersecurity measures are the flavor of the month in Washington. The latest evidence: The Biden White House is developing a cybersecurity strategy that is expected to encourage more regulation. Jamil reports on the development but is clearly hoping that my prediction of more regulation does not come true.

Speaking of cybersecurity regulation, Megan kicks off a discussion of Department of Homeland Security's CISA weighing in to encourage new regulation from the Federal Communication Commission (FCC) to incentivize a shoring up of the Border Gateway Protocol's security. Jamil thinks the FCC would do better looking for incentives than punishments.

Tatyana Bolton and I try to unpack a recent smart contract hack and the confused debate about whether "Code is Law" in web3. Answer: it is not, and never was, but that does not turn the hacking of a smart contract into a violation of the Computer Fraud and Abuse Act.

Megan covers North Korea's tactic for earning dollars while trying to infiltrate U.S. crypto firms – getting remote work employment at the firms as coders. I wonder why LinkedIn is not doing more to stop scammers like this, given the company's rich trove of data about job applicants using the site.

Not to be outdone, other ransomware gangs are now adding to the threat of doxing their victims by making it easier to search their stolen data. Jamil and I debate the best way to counter the tactic.

Tatyana reports on Sen. Mark Warner's (D-Va) effort to strongarm the intelligence community into supporting Sen. Amy Klobuchar's (D-MN) antitrust law aimed at the biggest tech platforms – despite its inadequate protections for national security.

Jamil discounts as old news the Uber leak. I agree; we didn't learn much from the orgy of coverage that we didn't already know about Uber's highhanded approach in the teens to taxi monopolies and government.

Jamil and I endorse the efforts of a Utah startup devoted to following China's IP theft using China's surprisingly open information. Why Utah, you ask? We've got the answer.

In quick hits and updates:

• Josh Schulte has finally been convicted for one of the most damaging intelligence leaks in history.
• Google gets grudging respect from me for its political jiu-jitsu. Faced with smoking gun evidence of its political bias after the company spam-blocked GOP but not Dem fundraising messages, Google turned the tables. It managed to kick off public  outrage by saying it wanted to fix its bias problem by forcing political spam on all its users. Now the GOP will have the burden of explaining that it's not trying to send us more spam; it just wants Gmail to stop favoring Democrats in running Gmail spam filters.
• And, finally, we all get to enjoy the story of the bored Chinese housewife who created an interlocking universe of fake Russian history on China's Wikipedia. She's promised to stop, but I suspect she's really just been hired to work for the world's most active producer of fake history – China's Ministry of State Security.

Download the 417th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

In this episode, Dave Aitel introduces us to a deliciously shocking story about lawyers as victims -- and maybe co-conspirators -- in the hacking of law firms to win legal disputes.  The trick, it turns out, is figuring out how to benefit from hacked documents without actually dirtying one's hands with the hacking. And here too, a Shakespearean Henry (II this time) has the answer: hire a private investigator and ask "Will no one rid me of this meddlesome litigant?" Before you know it, there's a doxing site full of useful evidence on the internet.

But first Dave digs into an intriguing but flawed story of how and why the White House ended up bigfooting a possible acquisition of NSO by L3Harris. Dave spots what looks like a simple fact error, and we are both convinced that the New York Times got only half the story. I suspect the White House was surprised by the leak, popped off about how bad an idea the deal was, and then was surprised to discover that its intelligence community had signaled support.

That leads us to the reason why NSO has continuing value – its ability to break Apple's phone security. Apple is now trying a new way to reinforce security: its new, more secure and less convenient lockdown mode. Dave gives it high marks, and he challenges Google to match Apple's move.

Next, we dive into the US effort to keep Dutch firm ASML from selling chip-making machines to China. Dmitri Alperovich makes a special appearance to urge more effective use of export controls; he cautions, however, that the US must impose the same burdens on its own firms as on its allies'.

Jane Bambauer introduces the latest government proposal to take a bite out of crime by taking a bite out of end-to-end (e2e) encryption. The U.K. has introduced an amendment to its pending online safety bill that would require regulated user-to-user services to identify and swiftly take down terrorism and child sex abuse material. Identifying such material isn't easy in an e2e environment, Jane notes, so this bill could force adoption of the now-abandoned Apple proposal to do local scanning on your phone. I'm usually a cheap date for crypto-skeptical laws, but I can't help noticing that this proposal will stir up 90% as much opposition as requiring companies to intercept communications when they get a court order while  addressing only 10% of the crimes that occur on e2e networks.

Jane and I take turns pouring cold water on journalists, NGOs, and even Congress for their feverish effort to turn the Supreme Court's abortion ruling into a privacy issue. Dumbest of all, in my view, is the claim that location services will be used to gather evidence and prosecute women who visit out of state abortion clinics. As I point out, such prosecutions couldn't even muster five votes on this Court.

Dave spots another doubtful story about Russian government misuse of a red team hacking tool. He thinks it's actually a case of a red team hacking tool being used by … a red team.

Jane notes that Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) has announced a surprisingly anodyne (and arguably unnecessary) post-quantum cryptography initiative.  I'm a little less hard on DHS, but only a little.

Finally, in updates and quick hits:

• I point out that the U.S. - EU transatlantic data deal is looking a lot like vaporware. That's a worry now that Ireland is on the verge of ordering Facebook to stop moving data across the Atlantic.
• Jane and I take a whack at predicting Elon Musk's Twitter bid. I argue that Musk may escape with less than $1 billion in penalties but for years he will be to mergers what Google is to new digital products.
• And, finally, some modest good news on Silicon Valley's campaign to suppress politically incorrect speech.  Last year, Twitter suspended former NYT reporter Alex Berenson for saying several true but inconvenient things about the covid vaccine (it doesn't stop infection or transmission, and it has side effects, all of which raise real doubts about the wisdom of mandating vaccinations for everyone). Berenson sued, and Twitter has now settled, unsuspending his account. The lawsuit had narrowed down the point where Twitter probably felt it could settle without creating a precedent, but any chink in Big Social's self-righteous armor is worth celebrating.

Download the 416th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

For decades, U.S. cyber exploits were notoriously lawyer-ridden, to the point where it became a key element in attributing US cybertools. But it looks like those days are gone. Today, Israel has matched and surpassed U.S. cyberwarriors on this essential measure. Nate Jones reports on an attack claimed by a vague "hacktivist" group but widely attributed to Israel. The hackers shut down several Iranian mills in a flood of sparks and molten steel. But the most interesting thing about the attack was the video pre-roll, which went out of its way to note that the mills were under international sanction and that the attackers had sent workers warnings to avoid casualties. Some of that was prudence; when you're escalating in cyberspace, it's a good idea to emphasize the limits you're observing. But a lot of it was lawyers advertising the attack's compliance with the law of armed conflict. Coming after an earlier campaign that cut off gasoline supplies but also warned emergency medical and fire services to gas up in advance, it sure looks as though some of the best cyber attacks now come with a phalanx of lawyers.

China, meanwhile, is putting resources into exporting its Fifty Cent Army to the United States. Sultan Meghji and Maury Shenk cover a Chinese social media campaign to turn American rare earths processing into an environmental controversy. In this case, I argue, China is taking a leaf from the Russian playbook; the Russians worked hard to make fracking controversial in the US because it was holding down the price of Russian oil. I urge someone to figure out just how many of those fake American accounts are also on TikTok, and how TikTok's algorithm is treating them.

Speaking of Chinese propaganda, Maury tells us that a well-known Chinese cybersecurity firm is accusing the U.S. of planting Trojans in hundreds of important Chinese information systems, a charge that might be interesting if the report actually provided some details.

Feeling the spur of competition from Israel's cyber lawyers, NSA's counsel has opened a new front. They've persuaded the US Justice Department to fight a merger on the grounds that it will reduce competition in bidding on a single NSA program. Nate and I get stuck on the market definition problems in the case, but Sultan thinks it's an investment opportunity.

This Week in Stupid Artificial Intelligence (AI) Research: We never lack for stories in this category, but this week the two contenders are well matched.  Sultan tells us about a story that proves you can always find sex and race discrimination in AI if your study is designed badly enough. And Maury finds a group of researchers who went one better, designing a moderately effective crime prediction algorithm and then arguing that the police were racist if they put more police into high-crime neighborhoods and racist if they didn't send more police to neighborhoods with rising crime. Since the  point of most AI bias research is apparently to get your story into the press by finding that AI is racist, being able to find racism no matter how the study  turns out is a winning strategy.

Speaking of unimpressive journalism, Sultan flags a Wall Street Journal story that lazily dumps on AI research for not doing everything we want, while pretty much ignoring things it has done well.

Sultan also leads us through the wreckage of one cryptocurrency domino after another, but he thinks it's likely to put a firmer, and more regulated, foundation under the businesses that survive. Nate reprises the EU contribution to the issue – more regulation, natch – but in a surprise twist for the Cyberlaw Podcast, the Brussels proposal gets pretty high marks.

Updating a few stories from past weeks,

• Google is really getting hurt by the study showing its default spam filter favored Democratic fundraising messages over Republican messages by about 7 to 1. The GOP has always believed (correctly) that its views are being handicapped by Silicon Valley, but this time the evidence is hard to refute. Indeed, Google isn't really refuting it, just promising to do better in future, while Republicans are claiming that Gmail's bias cost them $2 billion in donations and proposing tough new transparency laws.
• The Justice Department is upping the stakes for Uber's former chief information security officer (CISO), charging Joe Sullivan with wire fraud for treating what looks like a data breach ransom as a bug bounty. The Department of Justice says this defrauded Uber drivers and customers. Sullivan is the first, but probably not the last, CISO who'll face this charge, as government stops touting "public-private partnership" as the reason for companies to report breaches and instead embraces fear of prosecution.
• And the Transportation Security Administration (TSA), after taking criticism for the harshness of its secret cybersecurity standards for pipelines, has now offered secret amendments to the standards. Is that a good thing? Who knows?

Download the 415th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

It's that time again on the Congressional calendar. All the big, bipartisan tech initiatives that looked so good a few months ago are beginning to compete for time on the floor like fat men desperate to get through a small door. And tech lobbyists are doing their best to handicap the bills they hate while advancing those they like.

We open the Cyberlaw Podcast by reviewing a few of the top contenders. Justin (Gus) Hurwitz tells us that the big bipartisan compromise on privacy is probably dead for this Congress, killed by Senator Maria Cantwell (D-WA) and the new politics of abortion. The big subsidy for domestic chip fabs is still alive, Jamil Jaffer reports, but beset by House and Senate differences, plus a proposal to regulate outward investment in China and Russia by U.S. firms. And Senator Amy Klobuchar's (D-MN) platform anti-self-preferencing bill is being picked to pieces by lobbyists trying to cleave away GOP votes over content moderation and national security. All in all, it's hard times for fat men.

Next, David Kris unpacks the First Circuit decision on telephone pole cameras and the fourth amendment. Technology and Fourth Amendment law is increasingly agoraphobic, I argue, as the Carpenter decision has left aging boomer judges on a vast featureless constitutional plain, lacking principles to guide them and forced to fall back on their sense of what was creepy in their day.

Speaking of creepy, the Australian Strategic Policy Institute (ASPI) has a detailed report oncontent moderation and privacy protections  at TikTok and WeChat. Jamil gives the highlights.   

Not that Silicon Valley has anything to brag about when it comes to creepy. I sum up This Week in Big Tech Censorship with two newly emerging rules for conservatives using social media platforms: First, obeying Big Tech's rules is no defense; it just takes a little longer before your business revenue is cut off. Second, having science on your side is no defense. As a Brown University doctor discovered, citing a study that undermines  coronavirus orthodoxy will get you suspended. Who knew we were supposed to follow the science with enough needle and thread to sew its mouth shut?

If Sen. Klobuchar's bill fails, all eyes will turn to Lina Khan's Federal Trade Commission, Gus tells us, and its defense of the "right to repair" may give a clue to how it will regulate. 

David flags a Google study of zero-days sold to governments in 2021. He finds it a little depressing, but I note that at least some of the zero-days probably require court orders to implement.

Jamil also reviews a corporate report on security, Microsoft's analysis of how Microsoft saved the world from Russian cyber espionage – or would have if you ignoramuses had just bought more cloud services. OK, it's not quite that bad, but the marketing motivations behind the report show a little too often in what is otherwise a useful review of Russian tactics.

In quick hits:

• Gus tells us about a billboard that can pick your pocket: In NYC, naturally.
• Jamil thinks we may have finally found Putin's billions, through the magic of shared email addresses.
• I offer a preview of the next U.S.-E.U. privacy spat, over sharing biometrics at the border.
• And David and I talk marijuana and security clearances. If you listen to the podcast for career advice, it's a long wait, but David delivers.

Download the 414th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

This episode of the Cyberlaw Podcast begins by digging into a bill more likely to transform tech regulation than most of the proposals you've actually heard of – a bipartisan effort to regulate US tech investment abroad. The new bill holds a mirror up to the Committee on Foreign Investment in the United States (CFIUS), Matthew Heiman reports. Where CFIUS regulates inward investment from adversary nations, the new proposal will regulate outward investment – from the U.S. to adversary nations. The goal is to slow the transfer of technical expertise (and capital) from the U.S. to China. It is opposed by the Chinese government and the same U.S. business alliance that campaigned against Senator Cornyn's CFIUS reforms in 2018. If it passes, I predict, it will be as part of must-pass legislation and will come as a big surprise to most technology observers.

The cryptocurrency world might as well make Leslie Gore its official chanteuse, because everyone is crying at the end of the crypto party. Well, except for Nick Weaver, who does a Grand Tour of all the overleveraged cryptocurrency firms on or over the verge of collapse as bitcoin values drop to $20 thousand and below.               

Scott Shapiro and I trade views on the spate of stories claiming that Microsoft is downgrading security in its products. It would unfortunately make sense for Microsoft to strip-mine value from its standalone proprietary software by stinting on security, we think, but we can't explain why the firm would neglect cloud security, as it is increasingly accused of doing.              

That brings us to NickTalk about TikTok, and a behind-the-scenes look at what has happened to the TikTok-CFIUS case in the years since former President Donald Trump left the stage. Turns out that CFIUS has been doggedly pursuing the pieces of the deal that were still on the table in 2020: localization of U.S. user data and no Chinese access to the data. The first is moving forward, Nick tells us; the second is turning out to be a morass.

Speaking of localization, India's determination to localize credit card data has been rewarded. Matthew reports that cutting off new credit card customers for noncompliant card systems did the trick: Mastercard localized its data, and India has now lifted the ban.

Scott reports on Japan's latest contribution to the techlash: a law that makes 'online insults' a crime.

Scott also notes a modest bright spot in NSO Group's litigation with Facebook: The Supreme Court granted the company's plea that the U.S. government be asked to weigh in on whether NSO could claim sovereign immunity for the hacking tools it sells to government. Nick puts his grave-dancing shoes back on to report the bad news for NSO: the Biden administration is trashing a rumored acquisition by U.S. - based L3Harris Technologies.

Scott makes short work of the idea that a Google AI chatbot has achieved sentience. Of course, as a trained philosopher, Scott seems a little reluctant to concede that I've achieved sentience. We do agree that it's a hell of a good chatbot.

And in quick hits, I note the appointment of April Doss as General Counsel for the National Security Agency Counsel after a long series of acting General Counsels.

Download the 413th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

This bonus episode of the Cyberlaw Podcast is an interview with Amy Gajda, author of "Seek and Hide: The Tangled History of the Right to Privacy." Her book is an accessible history of the often obscure and sometimes "curlicued" interaction between the individual right to privacy and the public's (or at least the press's) right to know.

Gajda, a former journalist, turns what could have been a dry exegesis on two centuries of legal precedent into a lively series of stories about the conflicts behind the case law. All the familiar legal titans of press and privacy -- Louis Brandeis, Samuel Warren, Oliver Wendell Holmes – are there, but Gajda's research shows that they weren't always on the side they're most famous for defending. You may come for deep thoughts about the law of privacy and press, but you'll stick around for generous helpings of sex and hypocrisy (which, it turns out, is pretty much the core of privacy and, often, journalism). 

This interview is just a taste of what Gajda's book offers, but lawyers who are used to a summary of argument at the start of everything they read should listen to this episode first so they know up front where all the book's stories are taking them.

Download Bonus Episode 412 (mp3) 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

This episode of the Cyberlaw Podcast is dominated by things that U.S. officials said in San Francisco last week at the RSA conference.  We summarize what they said and offer our views of why they said it.Bobby Chesney, returning to the podcast after a long absence, helps us assess Russian warnings that the U.S. should expect a "military clash" if it conducts cyberattacks against Russian critical infrastructure. Bobby, joined by Michael Ellis sees this as a run-of-the-mill Russian PR response to U.S. Cyber Command and NSA Director Paul M. Nakasone's remarks about doing offensive operations in support of Ukraine.

Bobby also notes an FBI analysis of the NetWalker ransomware gang, an analysis made possible by seizure of the gang's back office computer system in Bulgaria.  The unfortunate headline summary of the FBI's work was a claim that "just one fourth of all NetWalker ransomware victims reported incidents to law enforcement." Since many of the victims were outside the United States and would have had little reason to report to the Bureau, this statistic undercounts private-public cooperation. But it may, I suggest, reflect the Bureau's increasing sensitivity and insecurity about its long-term role in cybersecurity.  

Michael sees complaints about a dearth of incident reporting by the private sector as one of the themes emerging from the government's RSA appearances. A Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) executive also complained about a lack of ransomware incident reporting, a strange complaint considering that CISA can solve much of the problem by publishing an incident reporting rule that Congress authorized last year. 

In a more promising vein, two intelligence officials underlined a commitment on the part of intel agencies to sharing security data more effectively with the private sector. Michael sees that as the one positive note in an otherwise downbeat cybersecurity report from Avril Haines, Director of National Intelligence. And David Kris points to a similar theme offered by National Security Agency official Rob Joyce, who believes that sharing of (lightly laundered) intelligence  is increasing, thanks in part to the sophistication and cooperation of the cybersecurity industry. 

Michael and I are taking with a grain of salt the New York Times' claim that Russia's use of U.S. technology in its weapons has become a vulnerability due to U.S. export controls.  We think it may take months to know whether those controls are really hurting Russia's weapons production.  

Bobby explains why the Department of Justice (DOJ) was much happier to offer a "policy" -- instead of a legislative amendment -- to protectgood-faith security research from prosecution under the Computer Fraud and Abuse Act. That's understandable, but the DOJ policy doesn't protect researchers from civil lawsuits, so DOJ may yet find itself forced to look for a statutory fix. (If it were up to me, I'd be tempted to dump the civil remedy altogether.)

Michael, Bobby, and I dig into the ways in which smartphones have transformed both the war and, perhaps, the law of war in Ukraine. The change is driven by a Ukrainian government phone app that lets every Ukrainian civilian direct artillery fire onto Russians they encounter in the street. That's probably enough for the Russians to shoot all the civilians they encounter, but for armies that care about the law of armed conflict, the answer is surprisingly complicated and unsatisfying.

Finally, David, Bobby and I dig into a Forbes story, clearly meant to be a shocking expose, about the United States government's use of the All Writs Act to monitor an indicted Russian hacker's travel reservations for years until he finally headed to a country from which he could be extradited. We remain unshocked.

Download the 411th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

If you've been worrying about how a leaky U.S. government can possibly compete with China's combination of economic might and autocratic government, this episode of the Cyberlaw Podcast has a few scraps of good news. The funniest, supplied by Dave Aitel, is the tale of the Chinese gamer who was so upset at the online performance of China's tanks that he demanded an upgrade. When it didn't happen, he bolstered his argument by leaking apparently classified details of Chinese tank performance. The story inspires me to suggest that U.S. intelligence should be subtly degrading the online game performance of other Chinese weapons systems that we need more information about.

There may be similar comfort in the story of Gitee, a well-regarded Chinese competitor to Github that ran into a widespread freeze on open source projects. Jane Bambauer and I speculate that the source of the freeze was a government objection to the code or the comments in several projects. And in the long run, guessing at what it takes to avoid future government freezes will handicap China's software industry and make Western companies more competitive.

In other news, Dave unpacks the widely reported and largely overhyped story of Cyber Command conducting "hunt forward" operations in support of Ukraine.

Mark MacCarthy digs into Justice Samuel A. Alito Jr.'s opinion explaining why he would not have reinstated the district court injunction against Texas's social media regulation. Jane and I weigh in. The short version is that the Alito opinion offers a plausible justification for upholding the law. It is not be the law now, but it could be the law if Justice Alito can find two more votes. And getting those votes may not be all that hard -- at least for an opinion upholding more transparency requirements for social media companies.

Mark and Jane also dig deep into the substance and politics of national privacy legislation. Short version: House Democrats have made substantial concessions in the hopes of getting a privacy bill enacted before they must face what's expected to be a hostile electorate. But Senate Democrats may not be willing to swallow those concessions, and Republican members may think they will do better if they wait until after November. Impressed by the concessions, Jane and Mark hold out hope for a deal this year. I don't.

Meanwhile, Jane notes, California is driving forward with regulations under its privacy law. perhaps helping to persuade Republicans that preemption has lots of value for business.

Finally, revisiting two stories from earlier weeks, Dave notes

• The devastating consequences and obscure motivations of Conti's ransomware attacks on the Costa Rican government, and
• The deep tension between the U.S. government and Microsoft over export controls on intrusion tools.

Download the 410th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Paul Rosenzweig and I butt heads over the recent 11th Circuit decision mostly striking down Florida's law regulating social media platforms' content "moderation" rules. We disagree flamboyantly on pretty much everything else – including whether the Court will restore the district court injunction blocking Texas's similar law. He thinks it will, I think it won't. And, by 5-4, the Court gives Paul the win. Just after the podcast ended, we learned that the Court had made its decision and blocked the Texas law.

When it comes to content moderation, it turns out, Silicon Valley is a lot tougher on the Libs of TikTok than on the Chinese Communist Party (CCP). Instagram just suspended the Libs of Tiktok account, I report, while a recent Brookings study shows that the Chinese government's narratives are polluting Google and Bing search results on a regular basis. Google News and YouTube do the worst job of keeping the Chinese party line out of searches. Both Google News and YouTube return CCP-supportive links on the first page about a quarter of the time.

I ask Sultan Meghji to shed some light on the remarkable TerraUSD cryptocurrency crash. Which leads us, not surprisingly, from massive investor losses to whether financial regulators have jurisdiction over cryptocurrency. The short answer: Whether they have jurisdiction or not, all the incentives favor an assertion of jurisdiction, so buckle up. And Nick Weaver is with us in spirit when we flag his rip-roaring attack on every bit of cryptocurrency – a don't-miss-it interview for readers who can't get enough of Nick.

It's a big episode for Artificial Intelligence (AI) news too. Matthew Heiman contrasts the different approaches to AI regulation in three big jurisdictions. China's is pretty focused, Europe's is ambitious and all-pervading, and the United States isn't ready to do anything.

Paul thinks DuckDuckGo should be DuckDuckGone after the search engine allowed Microsoft trackers to follow users of its browser.

Sultan and I explore the many ways to bias AI algorithms. It turns out that skimping on datasets makes the algorithm especially sensitive to the order in which the data is presented. Debiasing with synthetic data has its own risks, Sultan avers. But if you're looking for good news, here's some: Self-driving car companies who are late to the party are likely to catch up fast, because they can build on a lot of data that's already been collected, as well as new training techniques.

Matthew breaks down the $150 million fine paid by Twitter for allowing ad targeting of the phone numbers its users supplied for two-factor authentication (2FA) security purposes.

Finally, in quick hits:

• Matthew recommends that we all get popcorn for Spain's planned investigation of its intelligence services following a phone hacking scandal.
• Sultan and I call time of death for the Klobuchar bill regulating Silicon Valley self-preferencing. It was the most likely of all the Silicon Valley competition bills to pass, but election year tensions and massive lobbying campaigns by industry have almost certainly made its path to enactment too steep.
• And Sultan notes that the Commerce Department has published with relatively little change its rule restricting exports of hacking tools.

Download the 409th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

This week's Cyberlaw Podcast covers efforts to get the Supreme Court to overturn the Texas law that treats social media platforms like common carriers and prohibits them from discriminating based on viewpoint when they take posts down. I predict that the Court won't override the appellate decision staying an unpersuasive district court opinion. Mark MacCarthy and I both think that the transparency requirements in the Texas law are defensible, but Mark questions whether viewpoint neutrality is sufficiently precise for a law that trenches on the platforms' free speech rights. I cite a story that probably tells us more about content moderation in real life than ten Supreme Court amicus briefs – the tale of an OnlyFans performer who got her Instagram account restored by using alternative dispute resolution on Instagram staff: "We met up and like I f***ed a couple of them and I was able to get my account back like two or three times," she said. Really, that explains so much.

Meanwhile, Jane Bambauer unpacks the Justice Department's new policy for charging cases under the Computer Fraud and Abuse Act. It's a generally sensible extension of some positions the Department has taken in the Supreme Court, including refusing to prosecute good faith security research or to allow companies to create felonies by writing use restrictions into their terms of service. Unless they also write those restrictions into cease and desist letters, I point out. Weirdly, the Justice Department will treat violations of such letters as potential felonies.

Mark gives a rundown of the new, Democrat-dominated Federal Trade Commission's first policy announcement – a surprisingly uncontroversial warning that the commission will pursue educational tech companies for violations of the Children's' Online Privacy Protection Act.

Maury Shenk explains the recent United Kingdom Attorney General speech on international law and cyber conflict.

Mark celebrates the demise of Department of Homeland Security's widely unlamented Disinformation Governance Board.

Should we be shocked when law enforcement officials create fake accounts to investigate crime on social media?  The Intercept is, of course. Perhaps equally predictably, I'm not. Jane offers some reasons to be cautious – and remarks on the irony that the same people who don't want the police on social media probably resonate to the New York Attorney General's claim that she'll investigate social media companies, apparently for not responding like cops to the Buffalo shooting.

Is it "game over" for humans worried about Artificial Intelligence (AI) competition? Maury explains how Google Deep Mind's new generalist AI works and why we may have a few years left.

Jane and I manage to disagree about whether federal safety regulators should be investigating Tesla's fatal autopilot accidents. Jane has logic and statistics on her side, so I resort to emotion and name-calling.

Finally, Maury and I puzzle over why Western readers should be shocked (as we're clearly meant to be) by China's requiring that social media posts include the poster's location or by India's insistence on a "know your customer" rule for cloud service providers and VPN operators.

Download the 408th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Is the European Union (EU) about to save the FBI from Going Dark by essentially outlawing end-to-end encryption? Jamil Jaffer and Nate Jones tell us that a new directive aimed at preventing child sex abuse might just do the trick. That view is backed by people who've been fighting the bureau on encryption for years.

The Biden administration is prepping to impose some of the toughest sanctions ever on Chinese camera maker Hikvision, Jordan Schneider reports. No one wants to defend Hikvision's role in enabling China's Uyghur policy, but I'm skeptical that we should spend all that ammo on a company that is far from the greatest national security threat we face. Jamil is more comfortable with the measure, and Jordan reminds me that China's economy is shaky enough that it may not pick a fight to save Hikvision. Speaking of which, Jordan schools me on the likelihood that Xi Jin Ping's hold on power will be loosened even by a combination of the Chinese tech downturn, harsh pandemic lockdowns, and the grim lesson provided by Putin's ability to move without check from tactical error to strategic blunder and then to historic disaster.

Speaking of products with more serious national security impact than Hikvision, Nate and I try to figure out why the effort to get Kaspersky software out of U.S. infrastructure is still stalled. I argue that the Commerce Department should take the blame.

In a rare triumph of common sense and science, the wave of dumb laws attacking face recognition may be receding as lawmakers finally notice what's been obvious for five years: The claim that face recognition is "racist" is false. Virginia, fresh off GOP electoral gains, has revamped its law on face recognition so it now more or less makes sense. In related news, I puzzle over why Clearview AI accepted a settlement of the ACLU's lawsuit under Illinois's biometric law.

Nate and I debate how much authority Cyber Command should have to launch actions and intrude on third country networks without going through the interagency process. A Biden White House review of that question seems to have split the difference between the laissez-faire spirit of the Trump administration and the analysis-paralysis of the Obama years.

Quelle surprise! Jamil concludes that the EU's regulation of cybersecurity is an overambitious and questionable expansion of the U.S. approach.

The EU may not be alone. Jordan notes the Defense Department's effort to keep small businesses who take its money from decamping to China once they start to succeed. Jordan and I fear that the cure may be worse than the disease.

I get to say I told you so about the unpersuasive and cursory opinion issued by United States District Judge Robert Pitman, when he enjoined Texas' social media law. The Fifth Circuit has overturned his injunction, so the bill will take effect, at least for a while. In my view some of the provisions are constitutional and others are a stretch; but Judge Pitman's refusal to do a serious severability analysis means that all of them will get a try-out over the next few weeks.

Jamil and I debate geofenced search warrants and the reasons why companies like Google, Microsoft and Yahoo want them restricted.

In quick hits,

• Jamil and I trade views on whether the Biden White House has effectively managed the lagging implementation of its landmark cybersecurity executive order.
• I note the important new protocol for implementing the Budapest Convention. On the principle that you can judge a policy by its enemies, this protocol is looking pretty good.
• Jamil highlights a study – by Europeans, no less – that suggests that General Data Protection Regulation (GDPR) is killing innovation in the Android app market.
• Jamil also flags a new study of the Chinese Offensive Cyber Landscape.
• And I suggest that the event with the biggest tech policy impact last week may have been none of these things; the real policy driver may turn out to be the meltdown in tech stocks generally and in cryptocurrency values in particular.

Download the 407th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Nick Weaver kicks off this wide-ranging episode by celebrating Treasury's imposition of sanctions on a cryptocurrency mixer that facilitated the laundering of stolen cryptocurrency. David Kris calls on Justice to step up its game in the face of this competition, while Nick urges Treasury to also sanction Tornado Cash -- and explains why this would incentivize better behavior more generally. Scott Shapiro weighs in to describe North Carolina's effort to prohibit government entities from paying ransomware gangs; he doubts it will work. 

David and Scott also further our malware education by summarizing two chilling reports about successful long-term intrusion campaigns – one courtesy of Chinese state hackers and the other likely launched by Russian government agents. I can't help wondering whether the Russian agencies haven't prioritized flashy hacks over effective ones – to Russia's cost in the war with Ukraine.

Nick provides a tutorial on why quantum cryptanalysis is worrying the Biden Administration and what it thinks we ought to do about it. I note how good U.S. physicists have gotten at selling expensive dreams to their government – and express considerable relief that Chinese physicists are apparently at least as good at extracting funding from their government.

I find a story mainstream media is already burying because it doesn't fit the "AI bias" narrative. It turns out that, in a study of face recognition systems by the Department of Homeland Security, most errors (75%) were introduced at the photo capture stage, not by the matching algorithms. What's more, the bias we keep hearing about has disappeared for the best products. Error rates were reported for the most accurate systems by gender and skin color. Errors in matching women, light-skinned subjects, and dark-skinned subjects were all as low as it's possible to be -- zero. For men, the error rate was nearly zero -- 0.8%. These tests were of authentication/identification face recognition, which is easier to do than 1:n "searches" for matching faces, but the results mean that we can expect the whole bias issue to disappear as soon as the public wises up to the ideologically driven journalism now on offer.

Nick and I spar over location data sales by software providers. I pour cold water on the notion that evil prosecutors will use location data to track women to abortion clinics in other states. Nick thinks I'm wrong and we put some money on the outcome, though it may take five years for one of us to collect.

Scott unpacks the flap over Department of Homeland Security (DHS) Disinformation Governance Board, headed by Cyberlaw Podcast alumna Nina Jankowicz, who revealed on Tiktok that I should have asked her to sing the interview. Scott and I agree that DHS is retreating quickly from the board's name and mission as negative reviews pile up for the body's name, leader, and mission.

This Week in Schadenfreude is covered by Nick, who dwells on the irony of the Spanish prime minister's phone being targeted with Pegasus spyware not long after the Spanish government was widely blamed for using Pegasus against Catalan separatists.

In quick hits,

• Scott explains why British Internet Service Providers (ISPs) are complaining about a government order that they not give British citizens access to sanctioned websites.
• Scott and I take turns mocking the fashion for phony international law agreements. These now include Silicon Valley's astroturfed Paris Call and the Biden Administration's Declaration for the Future of the Internet, better known as the "Convention for International Unicorns and Fairy Dust."
• David celebrates the one-year term extension for Gen. Nakasone, and we share views on the unwisdom of dividing the leadership of Cyber Command and NSA.
• Squeaking under the wire, I manage to bring Elon Musk into the podcast as the exit music mounts, noting that the Committee on Foreign Investment in the United States (CFIUS) is likely to complicate but not stall his acquisition of Twitter.

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Retraction: An earlier episode of the Cyberlaw Podcast may have left the impression that I think Google hates mothers. I regret the error. It appears that, in reality, Google only hates Republican mothers who are running for office. But to all appearances, Google really, really hates them. A remarkable, and apparently damning study disclosed that during the most recent federal election campaign, Google’s Gmail sent roughly two-thirds of GOP campaign emails to users’ spam inboxes while downgrading less than ten percent of the Dems’ messages. Jane Bambauer lays out the details, which seem to refute most of the excuses Google might offer for the discriminatory treatment. Notably, neither Outlook nor Yahoo! mail showed a similar pattern. Tatyana thinks we should blame Google’s algorithm, not its personnel, but we’re all eager to hear Google’s explanation, whether it’s offered in the press, before the Federal Election Commission (FEC), in court, or in front of Congressional investigators after the next election.

Jordan Schneider helps us return to China’s cyber policies after a long hiatus. Things have not gotten better for the Chinese government, Jordan reports. Stringent lockdowns in Shanghai are tanking the economy and producing a surprising amount of online dissent, but with Hong Kong’s coronavirus death toll in mind, letting omicron spread unchecked is a scary prospect, especially for a leader who has staked his reputation on dealing with the virus better than the rest of the world. Among the results is hesitation in pursuing what had been an aggressive techlash regulatory campaign.

Tatyana Bolton pulls us back to the Russian-Ukrainian war. She notes that Russia Is not used to being hacked at anything like the current scale, even if most of the online attacks turn out to be pinpricks. She also flags Microsoft’s report on Russia’s extensive use of cyberattacks in Ukraine. All that said, cyber operations remain a minor factor in the war.

Michael Ellis and I dig into the ODNI’s intelligence transparency report, which inspired several differed takes over the weekend. The biggest story was that the FBI had conducted “up to” 3.4 million searches for U.S. person data in the pool of data collected under section 702 of the Foreign Intelligence Surveillance Act (FISA). Sharing a brief kumbaya moment with Sen. Ron Wyden, Michael finds the number either “alarming or meaningless,” probably the latter. Meanwhile, FISA Classic wiretaps dropped again in the face of the coronavirus. And the FBI conducted four searches without going to the FISA court when it should have, probably by mistake.

We can’t stay away from the pileup that is Elon Musk’s Twitter bid. Jordan offers views on how much leverage China will have over Twitter by virtue of Tesla’s dependence on the Chinese market. Tatyana and I debate whether Musk should have criticized Twitter’s content moderators for their call on the Biden laptop story. Jane Bambauer questions whether Musk will do half the things that he seems to be hinting. I agree, if only because European law will force Twitter to treat European sensibilities as the arbiter of what can be said in the public square. 

Jane outlines recent European developments showing, in my view, that European policymakers aren't exactly running low on crazy. A new EU court decision opens the door to data protection class actions, undermining the jurisdictional limits that have made life easier for big U.S. companies. I predict that such lawsuits will also mean trouble for big Chinese platforms.

And that’s not half of it. Europe’s Digital Services Act, now nearly locked down, is a mother lode of crazy. Jane spells out a few of the wilder provisions – only some of which have made it into legal commentary.

Orin Kerr, normally a restrained and professorial commentator on cyber law, is up in arms over a recent 9th Circuit decision holding that a preservation order is not a seizure requiring a warrant. Michael, Jane, and I explore Orin’s agita, but we have trouble sharing it. 

In quick hits:

• Jane makes short work of a report expressing shock that Amazon uses data from Alexa smart speakers pretty much exactly the way you’d expect it to.
• Michael and I unpack the latest move in the prosecution of Uber’s former Chief Security Officer, Joe Sullivan.
• Jane lays out what’s different in Colorado‘s new privacy law. Spoiler:  Just enough to make a federal privacy law with preemption look good to business.
• Michael and I wish the Biden administration well in its effort to get much-needed new authorities to address the risks of drone attacks here at home.

Download the 405th Episode (mp3)  

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

This week in Silicon Valley bias: Google is planning to tell enterprise users of its word processor that words like "motherboard" and "landlord" are insufficiently inclusive for use in polite company. We won't actually be forbidden to use those words. Yet. Though that future has apparently already arrived in Mountain View, where at least one source says that "mainboard" is the only acceptable term for the electronics that used to honor the women who raised us. In another blow for freedom, as it's now defined in the Valley, Twitter will suppress all climate talk that contradicts the views a panel of government-appointed scientist-politicos. Apparently suppressing talk that contradicted CDC scientist-politicians worked so well that Twitter is rushing to double down, presumably under the slogan, "You'll pry these red pencils from our cold, dead fingers, Elon!"

In other cyber news, Megan Stifel sums up the last week of cyberwar news: It was a lot like the week before. We're still waiting – nervously -- for Russian hackers to lift their eyes from the near target in Ukraine and focus on far targets in the West. The Five Eyes security agencies are doing their best to make sure US critical infrastructure is ready. Well, except for US cloud providers, who were exempted from the definition of really critical infrastructure in the Obama administration and successfully fought off any change in their status for the better part of a decade. Sultan Meghji and I support Congressional efforts to recognize the criticality of securing cloud providers, but it is a heavy lift, especially among Republicans.

Is DJI sabotaging Ukraine's drone fleet, presumably at China's behest? The evidence is hardly airtight, but Ukraine is understandably not taking any chances, as it moves to more expensive drones sourced from the U.S. and elsewhere. Jamil Jaffer delivers a heartfelt plea to American hobbyists to do the same.

A group of former security officials are warning that pending antitrust bills could cause national security problems by handing advantages to Chinese tech companies. POLITICO responds with a hit piece claiming (with evidence ranging from plausible to laughable) that they are influenced by their ties to Silicon Valley. I'm pretty cynical about Silicon Valley's effort to hide behind the national security interests they've mostly dismissed for the last decade, but I end up agreeing with Jamil that the antitrust bills should be amended to allow national security to moderate the trustbusters' zeal. 

Sultan and I review some of the week's stories about Artificial Intelligence (AI). We complain that a promising War on the Rocks piece about China's Plans for AI and Cognitive Warfare failed to deliver the goods. We were intrigued by a new way of imperceptibly hacking AI by corrupting its datasets. And we were interested in the story but put off by the dime-store Marxism in an MIT Technology Review story that explains how AI dataset labeling is providing a bare living for dispossessed Venezuelans.

Has Steve Ballmer been sneaking onto Microsoft's Redmond campus and whispering dreams of world domination and ruthless tactics into Satya Nadella's ear? Sultan and I think that may be the most plausible explanation for Microsoft's greedy and boneheaded demand that the federal government pay extra for a crucial security feature. 

Finally, in short hits:

• Jamil isn't shocked to find Israeli spyware on phones in the U.K. prime minister's office. Like me, he was disappointed by the relative paucity of new insights in Ronan Farrow's New Yorker piece about "How Democracies Spy on Their Citizens." 
• Sultan, meanwhile, recommends the New Yorker's story on North Korea's Hacking Army.
• I reprise the sad story of the eBay security executives who are being prosecuted for a cyberstalking campaign. 
• Jamil and I note that most of Cybersecurity Twitter owes Okta an apology now that it turns out that the Lapsus$ breach lasted only 25 minutes and affected only two customers. Sure, it could have been much worse, but the mob was mostly wrong on this one.
• I thank the new Ballmerized Microsoft for making so much good law by losing its lawsuit against HiQ for scraping Linkedin data. The Ninth Circuit ruled, in essence, that the Computer Fraud and Abuse Act isn't violated by"unauthorized" scraping of websites that are protected only by harsh words and not technical measures.
• And Jamil explains why Silk Road's Ross Ulbricht, serving life in prison, is still in a position to negotiate with the Justice Department over hundreds of millions in bitcoin. 

Download the 404th Episode (mp3) 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Whatever else the pundits are saying about the use of cyberattacks in the Ukraine war, Dave Aitel notes, they all believe it confirms their past predictions about cyberwar. And in fact, not much has been surprising about the cyber weapons the parties have deployed, Scott Shapiro agrees. The Ukrainians have been doxxing Russia’s soldiers in Bucha and its spies around the world. The Russians have been attacking Ukraine’s grid. What’s surprising is that the grid attacks have not seriously degraded civilian life, plus how hard the Russians have had to work to have any effect at all. Cyberwar isn’t a bust, exactly, but it is looking a little overhyped. In fact, Scott suggests, it’s more like a confession of weakness than of strength: “My military attack isn’t up to the job, so I’ll throw in some fancy cyberweapons to impress The Boss.”

Would it have more impact in the U.S.? We can’t know until the Russians (or someone else) gives it a try. We should certainly have a plan for responding, and Dmitri Alperovitch and Sam Charap have offered theirs: Shut down Russia’s internet for a few hours just to show we can. It’s better than no plan, but we’re not ready to say it’s the right plan, given its limited impact and high cost in terms of exploits exposed.

Much more surprising, and therefore more interesting, is the way Ukrainian mobile phone networks have become an essential part of Ukrainian defense. As discussed in a good blog post, Ukraine has made it easy for civilians to keep using their phones without paying, no matter where they travel in the country and no matter which network they find there. At the same time, Russian soldiers are finding that the network is a dangerous honeypot. Dave and I think there are lessons there for emergency administration of phone networks in other countries.

Gus Hurwitz draws the short straw and sums up the second installment of the Elon Musk v. Twitter story. We agree that Twitter’s poison pill probably kills Musk’s chances of a successful takeover. So what else is there to talk about? In keeping with the confirmation bias story, I take a short victory lap for having predicted that Musk would try to become the Rupert Murdoch of the social oligarchs. And Gus helps us enjoy the festschrift of hypocrisy from the Usual Sources declaring that the preservation of democracy depends on internet censorship, administered by their friends.

Scott takes us deep on pipeline security, citing a colleague’s article for Lawfare on the topic. He thinks responsibility for pipeline security should be moved from Transportation Security Administration (TSA) to the Federal Energy Regulatory Commission (FERC), because, well, TSA. The Biden administration is similarly inclined, but I’m not enthusiastic; TSA may not have shown much regulatory gumption until recently, but neither has FERC, and TSA can borrow all the cyber expertise it needs from its sister agency, CISA. An option that’s also open to FERC, Scott points out.

You can’t talk pipeline cyber security without talking industrial control security, so Scott and Gus unpack a recently discovered ICS malware package that is a kind of Metasploit for attacking operational tech systems. It’s got a boatload of features, but Gus is skeptical that it’s the best tool for causing major havoc in electric grids or pipelines. Also, remarkably, it seems to have been disclosed before the nation state that developed it could actually use it against an adversary. Now that’s defending forward!

As a palate cleanser, we ask Gus to take us through the latest in EU cloud protectionism. It sounds like a measure that will hurt U.S. intelligence but do nothing for Europe’s effort to build its own cloud industry. I recount the background story, from subpoena litigation to the CLOUD Act to this latest counter-CLOUD attack. The whole thing feels to me like Microsoft playing both sides against the middle.

Finally, Dave takes us on a tour of the many proposals being launched around the world to regulate the use of Artificial Intelligence (AI) systems. I note that Congressional Dems have their knives out for the face recognition vendor, id.me. And I return briefly to the problem of biased content moderation. I look at research showing that Republican Twitter accounts were four times more likely to be suspended than Democrats after the 2020 election, which seems at first glance like a smoking gun for moderator bias. But I find myself at least tentatively persuaded by further research showing that the Republican accounts were four times as likely to tweet links to sites that a balanced cross section of voters considers unreliable. Where is confirmation bias when you need it?

Download the 403rd Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

The theme of this episode of the Cyberlaw Podcast is, “Be careful what you wish for.“  The wish for techlash regulation is still growing around the world.  Mark MacCarthy  takes us through a week’s worth of regulatory enthusiasm.  Canada is planning to force Google and Facebook to pay Canadian news media for links. It sounds simple, but arriving at the right price – and the right recipients -- will require a hefty dose of discretionary government intervention. Meanwhile, South Korea’s effort to regulate Google’s Android app store policies, which also sounds like a simple undertaking, is quickly devolving into an elaborate effort at price regulation. The movement continues, Mark notes, even in China, which once seemed to be moderating its hostility to tech platforms; yet the Chinese government just announced algorithm compliance audits for TenCent and ByteDance.

Nobody is weeping for Big Tech, but anybody who thinks this kind of thing will really hurt the tech giants has never studied the history of AT&T – or of Rupert Murdoch for that matter. Incumbent tech companies have the resources to protect themselves from undue regulatory burdens – and to make sure competitors will be crushed by them. The one missing chapter in a story of gradual mutual accommodation between Big Tech and Big Government, I argue, is a Rupert Murdoch figure – someone who will use his platform unabashedly to curry favor not from the left but from the right. It’s an unfilled niche, and a profitable one: even a moderately conservative Big Tech company is likely to find all the close regulatory calls being made in its favor as soon as the GOP takes power. If you think that’s unlikely, you missed the last week of tech news. Elon Musk, whose entire business empire is built on government spending, is already toying with occupying a Silicon Valley version of the Rupert Murdoch niche. His acquisition of nearly 10% of Twitter is an opening gambit that is likely to make him a conservative(ish) antidote to Silicon Valley’s political monoculture. Recent complaints that the internet is becoming politically splintered are wildly off the mark today, but they may yet come true.

Nick Weaver brings us back to earth with a review of the FBI’s successful (for now) takedown of the Cyclops Blink botnet – a Russian cyber weapon that was disabled before it could be fired. Nick reminds us that the operation was only made possible by a change in search and seizure procedures that the Electronic Frontier Foundation (EFF) and friends condemned as outrageous just a decade ago. In addition, he reports, Western law enforcement last week broke the Hydra dark market. In more good news, Nick takes us through the ways in which bitcoin’s traceability has enabled authorities to bust child sex rings around the globe.

Nick also brings us This Week in Bad News for Surveillance Software: FinFisher is bankrupt. The EU is investigating Israeli surveillance software on its ministers’ phones; and Google has banned apps that use particularly intrusive data collection tools, the latter having been outed by Nick’s colleagues at the International Computer Science Institute.

Finally, Europe is building a vast network to do face recognition across the continent. I celebrate the likely defeat of ideologues who’ve been trying to toxify face recognition for years. And I note that one of my last campaigns at the Department of Homeland Security (DHS) was a series of international agreements that lock European law enforcement into sharing of such data with the United States. Defending those agreements, of course, should be a high priority for the State Department’s on-again off-again (and now on again) cyber bureau.

Download the 402nd Episode (mp3

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Spurred by a Cyberspace Solarium op-ed, Nate Jones gives an overview of cybersecurity worries in the maritime sector, where there is certainly plenty to worry about. I critique the U.S. government’s December 2020 National Maritime Cybersecurity Strategy, a 36-page tome that, once the intro and summary and appendices and blank pages are subtracted, boils down to eight pages of substance. Luckily, the Atlantic Council has filled the void with its own report on the topic.

Of course, the maritime sector isn’t the only one we should be concerned about. Sultan Meghji points to the deeply troubling state of industrial control security, as illustrated by a “10 out of 10” vulnerability recently identified in a Rockwell Automation ICS system.

Still, sometimes software rot serves a good purpose. Maury Shenk tells us about decay in Russia’s SORM – a site-blocking system that may be buckling under the weight of the Ukraine invasion. Talking about SORM allows me to trash a nothingburger story perpetrated by three New York Times reporters who ought to know better. Adam Satariano, Paul Mozur and Aaron Krolik should be ashamed of themselves for writing a long story suggesting that Nokia did something wrong by selling Russia telecom gear that enables wiretaps. Since the same wiretap features are required by Western governments as a matter of law, Nokia could hardly do anything else. SORM and its abuses were all carried out by Russian companies. I suspect that, after wading through a boatload of leaked documents, these three (three!) reporters just couldn’t admit there was no there there.

Nate and I note the emergence of a new set of secondary sanctions targets as Treasury begins listing companies that it sees as part of a sanctions evasion network. We also puzzle over the surprising pushback on proposals to impose  sanctions on Kaspersky, If the WSJ is correct, and the reason is fear of cyberattacks if the Russian firm is sanctioned, isn’t that reason enough to sanction them out of Western networks?

Sultan and Maury remind us that regulating cryptocurrency is wildly popular with some, including Sen. Elizabeth Warren and the EU Parliament. Sultan remains skeptical that sweeping regulation is in the cards. He is much more bullish on Apple’s ability to upend the entire fintech field by plunging into financial services with enthusiasm. I point out that it’s almost impossible for a financial services company to maintain a standoffish relationship with government, so Apple may have to change the tune it’s been playing in the U.S. for the last decade.

Nate and I plumb some of the complexities of a story Brian Krebs broke about hackers exploiting the system by which online services provide subscriber information to law enforcement in an emergency.

Speaking of Krebs, we dig into Ubiquiti’s defamation suit against him. The gist of the complaint is that Krebs relied on a “whistleblower” who turned out to be the perp, and that Krebs didn’t quickly correct his scoop when that became apparent. My sympathies are with Krebs on this one, at least until Ubiquiti fills in a serious gap in its complaint – the lack of any allegation that the company told Krebs that he’d been misled and asked for a retraction. Without that, it’s hard to say that Krebs was negligent (let alone malicious) in reporting allegations by an apparently well-informed insider.

As the episode draws to a close, Maury brings us up to speed on the (still half-formed) U.K. online harms bill and explains why the U.K. government was willing to let the subsidiary of a Chinese company buy the U.K.’s biggest chip foundry. Sultan finds several insights in an excellent CNN story about the Great Conti Leak.

And, finally, I express my qualms about the indictment (for disclosing classified information) of Mark Unkenholz, a highly competent NSA lifer whom I knew while in government. To my mind the prosecutors are going to have to establish that Unkenholz did something very different from the kind of disclosures that were a standard part of his job. You can't do the kind of commercial outreach he did without encountering tech companies that have no security clearances but plenty of capabilities valued by the intelligence community. You either give the companies' uncleared execs enough classified information to understand what you need or you get no help. In that milieu, it simply isn't enough for prosecutors to say, "He gave classified information to someone without a clearance; he should be in jail."

Download the 401 Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

With the U.S. and Europe united in opposing Russia’s attack on Ukraine, a few tough transatlantic disputes are being swept away – or at least under the rug.  Most prominently, the data protection crisis touched off by the Court of Justice of the EU in Schrems 2 has been resolved in principle by a new framework agreement between the U.S. and the EU.  Michael Ellis and Paul Rosenzweig trade insights on the deal and its prospects before the CJEU. The most controversial aspect of the agreement is the lack of any change in U.S. legislation. That solution is the result of simple vote-counting if you’re from Washington, but the CJEU clearly expected that it was dictating legislation for the U.S. Congress to adopt, so Europe’s acquiescence in a no-legislation solution may simply kick the can down the road until the next CJEU ruling. The lack of legislation will be felt in particular, Michael and Paul aver, when it comes to providing remedies to European citizens who feel their rights have been trampled.  Instead of going to court, they’ll be going to an administrative body with executive branch guarantees of independence and impartiality. Well, it's worth a try. We congratulate several old friends of the podcast who patched this solution together.

The Russian invasion of Ukraine, meanwhile, continues to throw off new tech stories. Nick Weaver updates us on the single most likely example of Russia using its cyber weapons effectively for military purposes – the bricking of Ukraine’s (and a bunch of other European) Viasat terminals. Alex Stamos and I consider whether the social media companies recently evicted from Russia, especially Instagram, should be induced or required to provide information about their former subscribers’ interests to allow microtargeting of news that might break through Putin’s information management barriers; along the way we examine why it is that tech’s response to Chinese aggression has been so less vigorous. Speaking of microtargeting, Paul gives kudos to the FBI for its microtargeted “talk to us” Russian language ads, only visible within 100 yards of the Russian embassy in Washington. Finally, Nick Weaver and  Mike mull the significance of Israel’s determination not to sell sophisticated cell phone surveillance malware to Ukraine.

Returning to Europe-U.S. tension, Alex and I unpack the European Digital Markets Act, which regulates a handful of U.S. companies as “digital gatekeepers.“ I think it’s a plausible response to network-effect monopolization, but ruined by anti-Americanism and the persistent illusion that the EU can regulate its way to a viable tech industry. Alex has a similar take, noting that the adoption of end-to-end encryption was a big privacy victory, thanks to WhatsApp, an achievement that the Digital Markets Act may undo in its attempt to force standardized interoperable messaging on gatekeepers.

Nick walks us through the surprising achievements of the gang of juvenile delinquents known as Lapsus$. Their breach of Okta offers an occasion for speculation about how lawyers skew cyber incident response in directions that turn out to be very bad for the breach victim. Alex vividly captures the lawyerly dynamics that hamper effective response.  While we’re talking ransomware, Michael cites to a detailed report on corporate responses to REvil breaches, authored by the minority staff of the Senate Homeland security committee. Neither the FBI nor CISA comes out of it looking good.  But the bureau earns more criticism, which may explain why no one paid much attention when the FBI demanded changes to the cyber incident reporting bill.

Finally, Nick and Michael debate whether dream pop musician (and Elon Musk sweetheart) Grimes could be prosecuted for computer crimes after confessing to having DDOSed an online publication for an embarrassing photo of her. Just to be on the safe side, we conclude, maybe she shouldn’t go back to Canada. And Paul and I praise a brilliant WIRED op-ed proposing that Putin’s Soviet empire nostalgia deserves a wakeup call; according to the authors (Rosenzweig and Baker, as it happens), least ICANN should kill off the Soviet Union’s out-of-date .su country code.

And many thanks to the loyal listeners who turned up on line today to watch us record this episode live and with video. It was fun, and we'll do it again some time soon.

 Download the 400th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

A special reminder for fans of the Cyberlaw Podcast that we will be doing episode 400 live in audio and video and with audience participation on March 28, 2022 at noon Eastern daylight time. So, mark your calendar and when the time comes, use this link to join the audience:

https://riverside.fm/studio/the-cyberlaw-podcast-400

See you there!

There's nothing like a serious shooting war to bring out the paranoia and mistrust, and the Russian invasion of Ukraine is generating mistrust on all sides.

Everyone expected a much more damaging cyberattack from the Russians, and no one knows why it hasn't happened yet. Dave Aitel walks us through some possibilities. Cyberattacks take planning, and Russia's planners may have believed they wouldn't need to use large-scale cyberattacks—apart from what appears to be a pretty impressive bricking of the Viasat terminals used extensively by Ukrainian forces. Now that the Russians could use some additional cyber weapons in Ukraine, the pace of the war may be making it hard to build and deploy them. None of that is much comfort to the Western countries that have imposed sanctions, since their infrastructure makes a nice fat sitting-duck target, and may draw fire soon if American intelligence warnings prove true.

Meanwhile, Matthew Heiman reports, the effort to shore up cyber defenses is leading to a cavalcade of paranoia. Has the UK defense ministry banned the use of WhatsApp due to fears that it's been compromised by Russia? Maybe. But WhatsApp has long had known security limitations that might justify downgrading its use on the battlefield. Speaking of ambiguity and mistrust, Telegram use is booming in Russia, Dave Aitel says, either because the Russians know how to control it or because they can't.  Take your pick.

Speaking of mistrust, the German security agency has suddenly discovered that it can't trust Kaspersky products.  Good luck finding them, Dave offers, since many have been white-labeled into other companies' software. He has limited sympathy for the agency, which resolutely ignored U.S. warnings about Kaspersky for years.

Even when governments aren't subverting software, the war is producing products that can't be trusted. One open-source maintainer of a popular open-source tool turned it into a data wiper for anyone whose computer looks Belarussian or Russian. What could possibly go wrong with that plan?

Meanwhile, people who've advocated tougher cybersecurity regulation are doing a victory lap in the press about how it will bolster our defenses.  It'll help, I argue, but only some, and at a cost of new failures. The best example is TSA's effort to regulate pipeline cybersecurity, which has long struggled to find its feet while being critiqued by an industry that has been hostile to the whole effort from the start.

The most interesting impact of the war is in China. Jordan Schneider explores how China and Chinese companies are responding to sanctions on Russia. Jordan argues that Chinese companies will follow their economic interests and adhere to sanctions – at least where it's clear they're being watched – despite online hostility to sanctions among Chinese digerati.

Matthew and I think more attention needs to be paid to Chinese government efforts to police and intimidate overseas Chinese, including Chinese Americans, in the United States. The Justice Department for one is paying attention; it has arrested several alleged Chinese government agents engaged in such efforts.

Jordan unpacks China's new guidance on AI algorithms. I offer grudging respect to the breadth and value of the  topics covered by China's AI regulatory endeavors.

Dave and I are disappointed by a surprise package in the FY 22 omnibus appropriations act. Buried on page 2334 is an entire smorgasbord of regulation for intelligence agency employees who go looking for jobs after leaving the intelligence community.  This version is better than the original draft, but mainly for the intelligence agencies; intelligence professionals seem to have been left out in the cold when revisions were proposed.

Matthew does an update on the peanut butter sandwich spies who tried to sell nuclear sub secrets to a foreign power that the Justice Department did not name at the time of their arrest. Now that country has been revealed. It's Brazil, apparently chosen because the spies couldn't bring themselves to help an actual enemy of their country.

And finally, I float my own proposal for the nerdiest possible sanctions on Putin. He's a big fan of the old Soviet empire, so it would be fitting to finally wipe out the last traces of the Soviet Union on the internet, where the .su country code has lingered for thirty years too long in the Internet domain system.  Check WIRED magazine for my upcoming op-ed on the topic.

Download the 399th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.