Skating on Stilts

We kick off the episode with This Week in Mistrusting Google: Klon Kitchen points to a Wall Street Journal story about all the ways Google tweaks its search engine to yield results that look machine-made but aren’t. He and I agree that most of these tweaks have understandable justifications – but you have to trust Google not to misuse them. And increasingly no one does. The same goes for Google’s foray into amassing and organizing health data on millions of Americans. It’s a nothingburger with mayo, unless you mistrust Google. Since mistrusting Google is a growth industry, the report is getting a lot of attention, including from HHS investigators. Matthew Heiman explains, and when he’s done, my money is on Google surviving that investigation comfortably. The capital of mistrusting Google, of course, is Brussels, and not surprisingly, Maury Shenk tells us that the EU has forced Google to modify its advertising protocols to exclude data on sites visited by its customers.

A Massachusetts federal district court says suspicionless device searches at borders are not okay. Matthew and I dig into the details. Bottom line: Requiring reasonable suspicion for electronics searches isn’t a tough standard, but if CBP needs a reasonable suspicion that the phone contains contraband, we aren't going to see a lot of searches. But that’s only good news for US citizens. Searches of foreign travelers’ phones can also be justified as a search for evidence that they should not be admitted to the country, and reasonable suspicion that such evidence will be found on a phone is not hard to come by.

The US Supreme Court will be deciding whether APIs can be copyrighted (or whether copying them is fair use). I put my Supreme Court maven cred on the line, predicting that the Court is going to reverse the federal circuit and reject Oracle’s claim that it can extract hefty rent payments from Google for use of Oracle APIs.

An injunction against disseminating violent and inciting speech is causing angst in Hong Kong. Maury explains why. And Klon unpacks the story of the Chinese hackers who’ve been spying on the US National Association of Manufacturers. 

Maury and I throw shade at the federal court’s claim that it’s arbitrary and capricious for the Trump Administration to drop an unenforceable ban on the export through publication of 3D gun plans. 

In a lightning round, no one should be surprised that Microsoft is making CCPA the law of the land. Nor that Amazon sells a lot of stuff directly from China. Or, frankly, that the hullabaloo over “sophisticated” DDoS attacks on British political parties is just campaign grist.

Advertisement (you knew it would happen eventually): Steptoe is hosting a complimentary webinar on Tuesday, December 10. We’ll be talking about the impacts on retailers of the newly implemented California Consumer Privacy Act and the EU’s General Data Protection Regulation. This is a fast-moving area of the law. You can find out more and register here.

Download the 288th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

The Foreign Agent Registration Act is having a moment – in fact its best year since 1939, as the Justice Department charges three people with spying on Twitter users for Saudi Arabia. Since they were clearly acting like spies but not stealing government secrets or company intellectual property, FARA seems to be the only law that they could be charged with violating. Nate Jones and I debate whether the Justice Department can make the charges stick.

Nick Weaver goes off on NSO Group for its failure to supervise the way its customers intrude on cell phone contents. I’m less sure that NSO deserves its bad rap, and I wonder whether WhatsApp should have compromised what looks like 1100 legitimate law enforcement investigations because it questions 100 other investigatons using NSO malware.

Speaking of Facebook’s judgment, Paul Rosenzweig and I turn out to be surprisingly sympathetic to the company’s stand on political ads and whether “Mama Facebook” should decide their truthfulness. Meanwhile, Twitter, darling of the press, has gotten away with a no-political-ads stance that is at least as problematical.

Nate, Paul, and I go pretty far down the rabbit hole arguing whether search warrants should give police access to DNA databases.

The National Security Commission on Artificial intelligence has published its interim report, and Nick, Nate, and I can’t really quarrel with its contents, except to complain that it doesn’t break a lot of new ground.

And maybe all this AI is still a little overrated. Remember that AI fake news text generator that OpenAI claimed was “too dangerous to release”? Well it’s been released, and it turns out to be bone stupid. We test it live, and the tool has a long way to go before it can scratch its way up to “underwhelming.”

Nick tells us why nobody who ever worked with the US government should even change planes in Russia these days.

In the lightning round, Paul and I ask when blowing off Congress became a thing anybody could do. Nick dumps on both sides in the Great DOH debate. I note that Ted Cruz has called out USTR for sticking Section 230 into trade deals.

We close with This Week in Pew! Pew! Pew! It really is the 21st century now that we’re using lasers to attack talking computers. Nick explains how to order fifty copies of Skating on Stilts using your neighbor’s Amazon account and a laser.

Download the 287th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the participants' firms, clients, or relatives.

This episode is a wide-ranging interview with Andy Greenberg, author of Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin’s Most Dangerous Hackers. The book contains plenty of original reporting, served up with journalistic flair. It digs deep into some of the most startling and destructive cyberattacks of recent years, from two dangerous attacks on Ukraine’s power grid, to the multibillion-dollar NotPetya, and then to a sophisticated but largely failed effort to bring down the Seoul Olympics and pin the blame on North Korea. Apart from sophisticated coding and irresponsibly indiscriminate targeting, all these episodes have one thing in common. They are all the work of Russia's GRU. 

Andy persuasively sets out the attribution and then asks what kind of corporate culture supports such adventurism – and whether there is a strategic vision behind the GRU’s attacks. The interview convinced me at least that the GRU is pursuing a strategy of muscular nihilism -- "our system doesn't work, but yours too is based on fragile illusions." It's a kind of global cyber intifada, with all the dangers and all the self-defeating tactics of the original intifadas. Don't disagree until you've listened!

Download the 286th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

We open this episode with David Kris's thoughts on the two-years-late CFIUS investigation of TikTok, of its Chinese owner, ByteDance, and of ByteDance's US acquisition of the lip-syncing company Musical.ly. Our best guess is that this unprecedented reach-back investigation will end in a more or less precedented mitigation agreement.

WhatsApp is suing NSO Group over the use of spyware on WhatsApp's network. I predict that this is going to be a highwire act for WhatsApp, given the precedents on when breaching terms of service violates the Computer Fraud and Abuse Act. I also muse on the possibility that NSO will find ways to make this a much less comfortable lawsuit for WhatsApp to pursue.

The ACLU takes this week's prize for making a PR and fundraising mountain out of a molehill of a lawsuit. Matthew Heiman and I try to decide which took less effort – cutting and pasting the ACLU's generic FOIA complaint or cutting and pasting the ACLU's generic "Oh my God, it's a surveillance dystopia" press release.

I comment on a heart-warming story about a geek in Normal, Illinois, who runs the most successful ransomware-rescue site in the world – and is going broke doing it. Advice to DHS's CISA: Isn't it time to sponsor prizes for people who post ransomware decryptors with real impact?

Mark MacCarthy discusses the guidance provided by the Defense Innovation Board on building ethical AI. I complain that political correctness seems to have outweighed considerations like, you know, winning wars.

Matthew tells us that Israel is creating its own CFIUS-like panel, and we note the longstanding tension between the US and Israel over Chinese access to Israeli technology.

David spots more decoupling: The Interior Department has grounded its entire drone fleet, citing the risk from Chinese manufacturers.

Mark and I find common ground in thinking that Facebook got the political ad censorship question more right than wrong. Twitter, not so much. We offer Strange New Respect for Herbert Hoover and the legislators who struggled with the last industry to seize control of what Americans could know -- broadcasting.

Matthew fills us in on a story suggesting that North Korea breached an Indian nuclear plant's network. He and I also briefly note that Georgia was the victim of a massive case of cyber vandalism.

In updates of past stories, I cover Coalfire's persuasive critique of the sheriff who arrested the company's pentesters in an Iowa courthouse. In another even longer-running story, the latest and perhaps the last word on the LabMD-Tiversa-FTC imbroglio can be found in an excellent New Yorker story that leaves LabMD looking good, the FTC looking bad, and Tiversa looking like a candidate for criminal prosecution. Finally, David updates the story of the 2016 Uber hack that cost the company's chief security officer his job. Now it's also going to cost the hackers their freedom, as they plead guilty to CFAA violations.

Download the 285th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

You knew we’d go there. In this episode I talk about Congresswoman Katie Hill’s “throuple” pics and whether the rush to portray her as a victim of revenge porn raises questions about revenge porn laws themselves. Paul Rosenzweig, emboldened by twin tweets – from President Trump calling Never-Trumpers like him “human scum” and from Mark Hamill welcoming him to the Rebel Scum Alliance – takes issue with me.

In a more serious vein, Brian Egan, Paul, and I dig deep into the roots of the battle over how to keep “emerging technology” out of Chinese hands.

Paul explains a Georgia Supreme Court ruling that cops need a warrant to access automobile data after an accident.

Brian and I talk about why DHS might issue a binding operational directive requiring federal agencies to adopt vulnerability disclosure programs.

Maury Shenk tells us to look for tougher cybersecurity rules in China starting December 1.

Paul unpacks the thinking behind a finding of bias in a widely used health care algorithm.

Maury reminds us that “going dark is not going dark,” at least not in India, where the Supreme Court is consolidating several legal fights over WhatsApp’s end-to-end encryption. In Afghanistan, meanwhile, the New York Times says that WhatsApp has become a key tool for communication by the government.

I note a well-written study contradicting the widespread media narrative that YouTube’s recommendation engine is what’s radicalizing Americans. According to the authors, the problem isn’t YouTube’s recommendations but an audience that is looking for the kinds of alternative content that conservatives (not to mention the Alt-Right and the Alt-Lite) are offering.

In shorter takes, Paul and I cover Microsoft beating AWS to win an enormous Pentagon cloud contract, and Brian takes on the problem of lies in political ads on Facebook. And I ask whether we would be wise to follow Russia’s example and disconnect from the Internet from time to time.

Finally, Maury and I explore the challenge that TikTok poses not just to the US but also to the Chinese government. Short take: TikTok users can get away with a lot more pro-Hong-Kong-protest speech than the NBA can, at least in the US.

Download the 284th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Our interview is with Alex Joel, former Chief of the Office of Civil Liberties, Privacy, and Transparency at the Office of the Director of National Intelligence. Alex is now at the American University law school’s Tech, Law, and Security Program. We share stories about the difficulties of government startups and how the ODNI carved out a role for itself in the Intelligence Community (hint: It involved good lawyering). We dive pretty deep on recent FISA court opinions and the changes they have forced in FBI procedures. In the course of that discussion, I posit that every “reform” of intelligence dreamed up by Congress in the last decade has turned out to be a self-licking compliance trap, and I take back some of my praise for the DNI’s lawyering.

In the News Roundup, we’re inundated by serious new reports of cyberattacks. Dave Aitel admits that the hacking group he envies most is Turla, which was recently discovered to have totally pwned the entire attack infrastructure of an Iranian government team. Dave notes that Avast has succumbed to a second far-reaching intrusion into its network, reminiscent of the last attack, which led to the company sending out a compromised CCleaner application. We may never know whether Avast got the intruder out, Dave suggests, but his hat is off to the company’s PR team. In still more pwnage news, Dave praises two new detailed reports from security companies: FireEye’s report on APT41’s combination of espionage and cybercrime and Crowdstrike’s report on amazingly successful Chinese efforts to steal aircraft intellectual property. And one more: Cyber Command has leaked the bare minimum of information to show that Iran’s strike against Saudi oil facilities did not go unpunished. Dave and I both take our hats off to Iran’s PR team, which responded to the vague leak by claiming that Cyber Command “must have dreamt it.”

In other news, Gus Hurwitz breaks down a recent Ninth Circuit decision construing the Section 230 immunity that Congress has given to companies that filter content on the Internet. Remarkably, two judges thought that the immunity for preventing access to “objectionable” content would allow a company to filter out its competitor’s products. It's easy to see how competition might be objectionable to the company, but harder to see why Congress would have shared that view. Luckily, the two judges who got it wrong were a district court judge and the Ninth Circuit dissenter. But the close call shows how broadly the “objectionable” immunity sweeps. Which raises the question why US trade agreements should broaden the immunity and turn it into international law that can’t be amended easily, or at all. That was a point of rare bipartisan agreement at a recent House hearing. But there’s no sign yet that Congress is going to reject the trade deals that do this. Gus and I also touch on the latest flaps over social media content monitoring.

Dan Podair explains what’s good and what’s missing from the California AG’s rules implementing California’s new, sweeping privacy act.

Poor Equifax: Just when they were hoping the worst had passed, the plaintiff’s bar doxxed even more embarrassing security failings. Dave offers this cold comfort: All the mistakes that embarrased Equifax could be found in pretty much any network in the country. More cold than comfort, Dave!

And, finally, we close with This Week in Puerile Jokes: All inspired, of course, by the UK Government’s decision to drop its plan to require ID to watch sex videos online.

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

 Our interview is with Sultan Meghji, CEO of Neocova. We cover the large Chinese investment in quantum technology and what it means for the United States. It’s possible that Chinese physicists are just better than American physicists at extracting funding from their government by hyping their science. Indeed, it looks as though some quantum tech, such as the use of entangled particles to identify eavesdropping, may turn out to have dubious military value. But not all. Sultan thinks the threat of special purpose quantum computing to break encryption poses a real, near-term threat to US financial institutions’ security.

In the News Roundup, we cover the new California Consumer Privacy Act regulations, which devote a surprising amount of their 24 pages to fixing problems caused by the Act’s feel-good promise that consumers can access and delete the information companies have on them.

Speaking of feel-good laws that are full of liability land mines, the Supreme Court has let stand a Ninth Circuit ruling that allows blind people to sue under the Americans with Disabilities Act if websites don’t accommodate their needs. Nick Weaver and I explore a few of the harder questions raised by this seemingly simple mandate (you can accommodate the blind by providing a "read aloud" option, but what about people who are blind and deaf?) and the risks of making law by retroactively imposing liability.

Weirdly for a populist administration that says it mistrusts the big social platforms for their restricting of conservative speech, the Trump trade negotiators are actually expanding Section 230 immunities for Silicon Valley that both left and right have begun to question. The expansion is buried in hard-to-amend and even-harder-to-repeal trade agreements. By way of explanation, I lay out the Realpolitik of trade deals. As if to prove my point, the US and Japan have signed a Digital Trade Agreement that has much the same provision.

Nick and I muse on the rise of Commerce Department sanctions on individual companies. In a way, such sanctions are a less harsh alternative to OFAC sanctions, which include property seizures, but they are also like antibiotics -- they either destroy the target or help it develop better resistance for the future.

Does TLS stand for “Tough Luck, Sucker?” That’s the message of a new and clever form of malware that has been, softly attributed to the Russian FSB.

Apple, having banned, and then unbanned, an app that locates police activity in Hong Kong, has now re-banned it. Tim Cook offers an explanation for the latest move that triggers Nick’s bovine excrement detection system. In a Final Four of Hypocritical Surrender to the PRC, LeBron James and the NBA give ESPN a run for its money. South Park fails to qualify.

Matthew Heiman and I discuss India’s effort to create a national facial recognition system. Naturally BuzzFeed thinks it’s Evil. Not enough people of color in the training set, apparently, or perhaps it’s too many. Or Modi is too much like Trump. Or some damn thing. Look, it’s Evil, okay? So shut up and leave BuzzFeed alone.

Nick and I consider DHS’s request for the power to subpoena ISPs to identify owners of compromised systems. I critique Herb Lin’s suggestion that the ISPs can solve the problem without giving data to DHS.

As Matthew notes, it was just last month that the French government gave the world a stiff-necked little lecture on respecting sovereignty in cyberspace. So why are French police helping reprogram computers in Latin America? Because it’s different when the French are doing it than when it’s done to them, I surmise.

A recent “good guy with a keyboard” story offers me one more chance to tout my views on hacking back.  I ask why someone who’s rescued hundreds of victims from ransomware should have to worry for one minute about being prosecuted for compromising (again) the already compromised C2 machines that apparently held the keys.

Matthew and I try to simplify a complex ruling from two FISA courts. Among the takeaways: The FBI has been running a lot of searches against 702 databases (3.1 million a year!), which greatly complicates its compliance program, and the FISA courts are overusing the 4th amendment, which in FISA minimization cases is like trying to do brain surgery with a chainsaw.

Argh! That embarrassing Bloomberg Supermicro story is back. Sort of. Wired has shown that something like it could really be done. Which, Nick points out, we already knew.

I give a shoutout to Jennifer Daskal and Peter Swire for their useful overview of the UK-US CLOUD Act, but I wonder if the agreement's mutual “no targeting of the other country’s nationals” assurances are a scalable solution.

Finally, Matthew reviews the second volume of the SSCI report on its investigation into Russian election interference. The TL;DR? The Russians did what you think they did. The closest thing to a surprise? After starting out just trying to hurt Hillary, by the end the Russians seem to have been trying to help Trump too.

Download the 282nd Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Today’s episode opens with coverage of a truly disturbing bit of neocolonialist lawmaking from the Court of Justice of the European Union. The CJEU ruled that an Austrian court correctly ordered Facebook to take down statements about an Austrian politician, not just in Austria, not just in Europe, but everywhere in the world. Called an “oaf” and a “fascist,” the politician more or less proved the truth of the accusations by suing to keep that and similar statements off Facebook worldwide. I suggest that the US adopt blocking legislation to protect the First Amendment from foreign government interference and argue that President Trump should support such a law. After all, if he were ever to insult a European politician on Twitter, this ruling could lead to litigation that takes his Twitter account off the air. Heading off that threat is truly a legislative and international agenda for the Age of Trump! 

Nick Weaver returns to the podcast and gives the FDA a better report card than I expected on its approach to cybersecurity. But we agree that the state of medical device and implant security remains parlous. 

I try my hand at explaining the DC Circuit’s Net Neutrality ruling in Mozilla v. FCC. There are still some rounds to be played, but Net Neutrality, if not dead, may at least be pining for the fjords (or a Democratic administration).

We introduce a new feature: This Week in Elizabeth Warren. She has a plan to revive the Congressional Office of Technology Assessment. Nick likes the idea. I’m less enthusiastic, perhaps because I actually did some work for OTA before it disappeared.

Nick also helps unpack the flap over Google’s proposal to do DNS-over-HTTPS, and why ISPs aren’t happy about it. Bottom line: If you haven’t been paying much attention to the issue, you made the right choice. Nick explains why. Just think of how much time you saved by listening to the podcast!

Nick also explains how Uzbekistan managed to give state cyberattacks an aura, not of menace or invincibility, but of clownish incompetence.

David Kris tells us why privacy advocates and NGOs object to the French government’s use of nationwide facial recognition for its ID program. If that's the best they can do, I suggest, this may be the dumbest face recognition privacy “scandal” in history.

The cops have shut down a Dark Web data center operating from… a NATO bunker? Nick reveals that the main reason to operate from a NATO bunker is, well, marketing. 

Apparently channeling Stewart Baker, Attorney General Bill Barr is all-in on discouraging mass-market warrant-proof encryption. Nick thinks he’s picked the wrong fight and should go after phone storage encryption instead. And maybe Nick’s right, since the civil-liberties shine on Apple is looking a little scuffed these days. 

David tells us that NSA has launched a new defense directorate with Anne Neuberger at its helm. I promise to interview her on the podcast early next year.

David talks about the California man charged with delivering classified information to China’s Ministry of State Security. I want to know how many spies China has in the US if they can create what amounts to Uber for dead drops.

Dog bites man: Pervy Yahoo engineer pleads guilty to hacking emails for pornographic images. I’m surprised this doesn’t happen every month. 

And in a sign that Congress can still reach bipartisan agreement on bills that do more or less nothing, both the House and the Senate have adopted bills authorizing (but not funding) DHS “cyber hunt” teams to help local governments suffering from cyber ransom and other attacks.

Bringing back an old favorite theme, I cover the hacking of an electronic billboard to play porn – and celebrate the crowdsourcing of the facial recognition needed to identify the actresses. (At least I think it was face recognition.) Tracked down and asked for comment, one actress urged her involuntary viewers to “keep both hands on the wheel.”

Download the 281st Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

In this episode I cross swords with John Samples of the Cato Institute; we debate whether Silicon Valley’ is trying to disadvantage conservative speech and what to do about it. I accuse him of Panglossian libertarianism; he challenges me to identify any way in which bringing government into the dispute will make things better. I say government is already in it, citing TikTok’s PRC-friendly “community standards” and Silicon Valley’s obeisance to European norms on hate speech and terror incitement.

Disagreeing on how deep the Valley’s bias runs, we agree to put our money where our mouths are: For $50, I take the under and he takes the over on whether Donald J. Trump will last a year after leaving office without being suspended or banned from Twitter.

There’s a lot of news in the roundup, too.

David Kris explains the background of the first CLOUD Act agreement that may be signed this year with the UK.

Nate Jones and I ask, “What is the president’s beef with CrowdStrike, anyway?” We find a certain amount of common ground on the answer.

This Week in Counterattacks in the War on Terror: David and I recount the origins and ironies of Congress’s willingness to end the NSA 215 phone surveillance program. We also take time to critique the New York Times’s wide-eyed hook-line-and-sinker ingestion of an EFF attack on the FBI’s use of National Security Letters.

Edward Snowden’s got a new book out, and the Justice Department wants to make sure he never collects his royalties. Nate explains. I’m just relieved that I will be able to read it without having to shoplift it. And as this seems to be the episode for challenges, I offer Snowden a chance to be interviewed on the podcast:  Anytime, anywhere, Ed!

Matthew Heiman explains the latest NotPetya travail for FedEx: A shareholder suit alleging that the company failed to disclose how much damage the malware caused to its ongoing business.

Evan Abrams gives a hint about the contents of Treasury’s 300-page opus incorporating Congress’s overhaul of CFIUS into the CFR.

I credit David for inspiring my piece questioning how long end-to-end commercial encryption is going to last, and we note that even the New York Times seems to be raising questions about whether Silicon Valley’s latest enthusiasm is actually good for the world.

Matthew tells us that China may have a new tool to use in the trade war – or at least to keep companies toeing the party line: The government is assigning social credit scores to businesses.

Finally, Matthew outlines France’s OG take on international law and cyber conflict. France has opened up some distance between its views and those of the United States, and everyone will soon get a chance to talk at even greater length on the topic, as the UN gears up two different bodies to engage in yet another round of cyber-norm-building.

Download the 280th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Joel Trachtman thinks it’s a near certainty that the WTO agreements will complicate US efforts to head off an Internet of Things cybersecurity meltdown, and there’s a real possibility that a US cybersecurity regime could be held to violate our international trade obligations. Claire Schachter and I dig into the details of the looming disaster and how to avoid it.

In the news, Paul Rosenzweig analyzes the Ninth Circuit holding that scraping publicly available information doesn’t violate the CFAA.

The California legislature has adjourned, leaving behind a smoking ruin where Silicon Valley’s business models used to be. Mark MacCarthy elaborates: One new law would force companies like Uber and Lyft (and a boatload of others) to treat gig economy workers as employees, not contractors. Another set of votes in the legislature has left the demanding California Consumer Privacy Act more or less unscathed as its 2020 effective date looms. Really, it’s beginning to look as though even California hates Silicon Valley.

Klon Kitchen and I discuss the latest round of Treasury sanctions on North Korean hacking groups. The sanctions won’t affect anyone in North Korea, but they might affect a few of their enablers on the Internet. What I wonder, though, is this: Since sanctions violations are punishable even when they aren’t intentional, will US companies whose money is stolen by the Lazarus Group be penalized for having engaged in a prohibited transaction with a sanctioned party? Maybe the Lazarus Group should steal a Treasury license too, just to be sure.

Klon also lays out in chilling detail what the Russians were really trying to do to Ukraine’s grid – and the growing risk that someone is going to launch a destructive cyberattack that leads to a cycle of serious real-world violence. The drone attack on Saudi oil facilities shows how big that risk can be.

Paul examines reports that Israel planted spy devices near the White House. He thinks it says more about the White House than about Israel.

Paul also reports on one of the unlikelier escapades of students from his alma mater: Trading 15 minutes at the keyboard for months in jail and a lifetime of trouble on their permanent records. 

I walk back the deepfake voice scam story we discussed recently, but Klon points out that it reflects a future that is coming for us soon, if not today.

Proving the old adage about a fool for a lawyer, the Mar-a-Lago trespasser has been found guilty after an ineffective pro se defense. We may never know what she was up to.

Klon digs into a long and thoughtful op-ed by NSA’s Glenn Gerstell about the effects of the “digital revolution” on national security. And I note the recent Carnegie report trying to move the encryption debate forward. I also plug my upcoming speech in Israel on the same topic.

Download the 278th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Camille Stewart talks in this episode about a little-known national security risk: China’s propensity to acquire US technology through the bankruptcy courts -- and the many ways in which the bankruptcy system isn’t set up to combat improper tech transfers. Published by the Journal of National Security Law & Policy, Camille’s paper is available here. Camille has enjoyed great success in her young career, working with the Transformative Cyber Innovation Lab at the Foundation for Defense of Democracies, as a Cybersecurity Policy Fellow at New America, and as a 2019 Cyber Security Woman of the Year, among other achievements. Plus, of course, the great honor of working for DHS Policy.  We talk at the end of the session about life and advancement as an African American woman in cybersecurity.

In the News Roundup, Maury Shenk tells us that UK courts have so far resisted a sustained media narrative that all facial recognition tech is inherently evil. Americans seem to agree with the UK court, Matthew Heiman notes, since a majority trust law enforcement to use it responsibly. Which is more than you can say for Silicon Valley, which only 36% of Americans trust with the technology.

Mieke Eoyang and I talk about DHS’s plan to use fake identities to view publicly available social media postings and the conflict between that plan and social media sites’ terms of service. I am unsympathetic, given the need for operational security in conducting such reviews, but we agree that DHS may be biting off more than it can chew, especially in languages other than English. And really, DHS, how clueless do you look when the list of social media you'll be scrutinizing includes sites like the three-years-dead Vine but not TikTok, which Mieke notes ironically, is “what all the kids are using these days.”

Maury brings us up to speed on EU plans for the tech sector, which will be familiar to Brits contemplating the EU’s plans for them. And speaking of EU hypocrisy and incoherence (we were, weren’t we?), Erin Egan of Facebook has written a paper on data portability that deserves more attention, since it shows the impossibility of squaring the EU’s snit over Cambridge Analytica with its insistence on the inherently vague principle of “data portability.” The paper also calls out our FTC for slamming Facebook over Cambridge Analytica while Commissioner Noah Phillips is warning that restricting data transfers can be an anticompetitive weapon. I promise to invite the commissioner on the podcast again to explore that issue.

Well, that was quick: Fraudsters used AI to mimic a CEO’s voice – German accent, “melody,” and all – in an unusual cybercrime case. But it won't be unusual long. Anyone can do this now, Maury explains. 

In short hits, Mieke and I mock Denmark’s appointment of an “ambassador” to Silicon Valley. Way to cut the Valley down to size, Denmark! Maury notes that FinFisher is under investigation for violating EU export control law by selling spyware. Mieke does her best to rebut my suggestion that Silicon Valley’s bias is showing in the latest actuarial stat: Turns out that 10% of the accounts that President Trump has retweeted have already been deplatformed. Matthew and I note that China has been caught hacking several Asian telcos to spy on Uighurs. To give the devil his due, though, if the US had 5,000 citizens fighting for ISIS and al-Qaeda, as China claims to have, we’d probably be hacking all the same telcos to keep an eye on them.

State attorneys general will launch sweeping and apparently bipartisan antitrust probes into Facebook and Google this week. Good to see Silicon Valley bringing Rs and Ds together at last; who says its business model is fomenting social division? Finally, Mieke leaves us uneasy about the online security of our pensions, as hackers steal $4.2 million from one fund via compromised email.

Download the 277th Episode (mp3).

Want to hear more from Camille on bankruptcy and national security? She’ll be speaking Friday, September 13, at a lunch event hosted by the Foundation for Defense of Democracies. She’ll be joined by fellow panelists Giovanna Cinelli, and two other Cyberlaw Podcast alums, Jamil Jaffer and Harvey Rishikof, along with moderator Dr. Samantha Ravich. The event will be livestreamed at www.fdd.org/events. If you would like to learn more about the event, contact Abigail Barnes at FDD. If you are a member of the press, please direct your inquiries to press@fdd.org.

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

In this bonus episode of the Cyberlaw Podcast, Alex Stamos of Stanford’s Freeman Spogli Institute talks about the Institute’s recent paper on the risk of Chinese social media interference with Taiwan’s upcoming presidential election. It’s a wide-ranging discussion of everything from a century of Chinese history to the reasons why WeChat lost a social media competition in Taiwan to a Japanese company. Along the way, Alex notes that efforts to identify foreign government election interference have been seriously degraded by (what else?) privacy law, mixed with fear of commercial consequences when China is the attacker. If companies make data about foreign government and “inauthentic” users public, the risk of liability under GDPR as well as Chinese retaliation is real, and the benefits go more to the nation as a whole rather than to the companies taking the risk.

During the interview, Alex references a paper co-authored by his colleague, Jennifer Pan, regarding the “50c party.” You can find that paper here. He also mentions his recent op-ed in Lawfare, which you can find here.

Download the 276th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

And we’re back with a podcast episode that picks the August events that will mean the most for technology law and policy this year. Dave Aitel opens, telling us that Cyber Command gave the world a hint of what “defending forward” looks like with an operation that may have knocked the Iranian Revolutionary Guard’s tanker attacks for a long-lasting loop. 

Next, David Kris lifts the curtain on China’s approach to information warfare, driven by the Hong Kong protests and its regional hegemonic ambitions. Speaking of China, it looks as though a determination to bring the Uighur population to heel ledChina to create a website devoted to compromising iPhones, in the process disclosing a few zero-days and compromising anybody who viewed the site. Dave Aitel teases out some of the less obvious lessons. He criticizes Apple for not giving security-minded users the tools they need to protect themselves. But he resists my suggestion that the FBI, which first flagged the site for Google’s Project Zero, went to Google because Apple wasn’t responsive to the Bureau’s concerns. (Alternative explanation: If you embarrass the FBI in court, don’t be surprised if they embarrass you a few years later.)

One lesson of these fights is that the US-China trade war is a lot more than a trade war. It’s a grinding, continental decoupling drift that the trade war is driving but which the Trump Administration probably couldn’t stop now if the president wanted to. We puzzle over exactly what the president does want. Then I shift to mocking CNN for its Trump derangement and inaccuracy (yes, it’s an easy target, but give me a break, I’ve been away for a month): Press claims that the president couldn’t “hereby order” US companies to speed their decoupling from China are just wrong as a matter of law. In fact, the relevant law, still in effect with modest changes, used to be called the Trading with the Enemy Act. And it’s been used to “hereby order” the decoupling of the US economy from countries like Nazi Germany, among others. Whether such an order in the case of China would be “lawful but stupid” is another question.

August saw more flareups over Silicon Valley censorship of conservative speech. Facebook has hired former Sen. Kyl to investigate claims of anticonservative bias in its content moderation, and the White House is reportedly drafting an executive order to tackle Silicon Valley bias. I ask whether either the FTC or FCC can really be expected to take up the regulatory cudgels on this issue and suggest that Bill Barr’s Justice Department might have more gumption -- and enough tools to enforce strictures against political bias in platform censorship. 

We close with the most mocked piece of tech-world litigation in recent weeks – Crown Sterling’s lawsuit against BlackHat for not enforcing its code of conduct while the company was delivering a widely disparaged sponsored talk about its new crypto system. Dave Aitel, who runs a cybersecurity conference of his own, lays out the difficulties of writing and enforcing a conference code of conduct. I play Devil’s Advocate on behalf of Crown Sterling, and by the end, Dave finds himself surprised to feel just a bit of Sympathy for the Devil.

Download the 275th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Our guests this week are Paul Scharre from the Center for a New American Security and Greg Allen from the Defense Department’s newly formed Joint Artificial Intelligence Center. Paul and Greg have a lot to say about AI policy, especially with an eye toward national security and strategic competition with China. Greg sheds some light on DOD’s activity, and Paul helps us understand how the military and policymakers are grappling with this emerging technology. But at the end of the day, I want to know: Are we at risk of losing the AI race with China? Paul and Greg tell me not all hope’s lost – and how we can retain technological leadership.

In what initially seemed like a dog-bites-man story, Attorney General Barr revived the “warrant-proof” encryption debate. He brings some thoughtful arguments to the table, including references to practical proposals by GCHQ, Ray Ozzie, and Matt Tait. Nick Weaver is skeptical toward GCHQ’s proposal. But I think the future of the debate will be driven by Facebook’s apparent plan to drastically undermine end-to-end encryption by introducing content moderation to its encrypted messaging services. I argue that Silicon Valley is so intent on censoring its users that it is willing to sacrifice confidentiality and security (at least for anyone to the right of George W. Bush). News Roundup newcomer Dave Aitel thinks I’m wrong, at least in my attribution of Facebook’s motivations.

Mieke Eoyang, another News Roundup newcomer, brings us up to date on all the happenings in election security. Bob Mueller’s testimony brought Russian election meddling to the fore. His mistake, I argue, was testifying first to the hopelessly ideological House Judiciary Committee. Speaking of Congress, Mieke notes that the Senate Intel Committee released a redacted report finding that every state was targeted by Russian hackers in the 2016 election – and argues that we’re still not prepared to handle their ongoing efforts.

Congress is attempting to create a federal election security mandate through several different election security bills, but they likely will continue to languish in the Senate, despite what Mieke sees as a bipartisan consensus. Meanwhile, Director of National Intelligence Dan Coats, now on his way out, has established a new office to oversee and coordinate election security intelligence. Nick adds an extra reason to double down on election security: How else can we convince the loser that he is indeed the loser?

In other news, NSA is going back to the future by establishing a new Cybersecurity Directorate. Dave sheds light on the NSA’s history of reorganizations and what this new effort means for the Agency. Dave and I think there’s hope that this move will help NSA better reach the private sector – and even give DHS a run for its money.

I also offer Dave the opportunity to respond to critics who argued that his firm, Immunity Inc., was wrong to include a version of the BlueKeep exploit in its commercial pentesting software. The long and the short of it: If a vulnerability has been patched, then that patch gives an adversary everything they need to know to exploit that vulnerability. It only makes sense, then, to make sure your clients are able to protect themselves by testing exploits against that vulnerability.

Mieke brings us up to speed on the cybercrime blotter. Marcus Hutchins, one of Dave’s critics, pled guilty to distributing the Kronos malware but was sentenced to time served thanks in part to his work to stop the spread of the WannaCry ransomware. Mieke says that Hutchins’s case is a good example that not all black hat hackers are irredeemable. I note that it was good for him that he made his transition before he was arrested. Dave and Nick support the verdict while lamenting how badly hackers are treated by US law.

We round out the News Roundup with quick hits: Facebook had a very bad week, not least because of the multibillion dollar fine imposed by the FTC; the Department of Justice is going to launch a sweeping antitrust investigation into Big Tech; there was a wild hacking conspiracy in Brazil involving cell phones, bribes, and carwashes; Equifax reached a settlement with the FTC regarding its epic data breach. Speaking of which, we make a special offer to loyal listeners who can now claim a $125 check (or free credit monitoring, if you really prefer). Just go here, and be sure to tell them the Cyberlaw Podcast sent you. Oh, and an anti-robocall bill finally made it through both houses of Congress.

Download the 274th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Today, I interview Frank Blake, who as CEO brought Home Depot through a massive data breach. Frank’s a former co-clerk of mine, a former Deputy Secretary of Energy, and the current host of Crazy Good Turns, a podcast about people who have found remarkable, even crazy, ways to help others. In addition to his insights on what it takes to lead an organization, Frank offers his views on how technology can transform nonprofit charitable initiatives. Along the way, he displays his characteristic sense of humor, especially about himself.

 In the News Roundup, I ask Matthew Heiman if Google could have had a worse week in Washington. First Peter Thiel raised the question of whether it’s treasonous for the company to work on AI with Chinese scientists but not the US Defense Department, then Richard Clarke, hardly a conservative, says he agrees with the criticism. And, inevitably, President Trump weighs in with a Thiel-supporting tweet. Meanwhile, on the Hill, Google’s VP says the company has “terminated” Project Dragonfly, an effort to build a search engine that the Chinese government would approve. But that doesn’t prevent conservatives from lambasting the company for bias against conservatives and an unfair subsidy in the form of Section 230 of the Communications Decency Act. The only good news for Google is that despite all the thunder, no lightning has yet struck. Or so we thought for about five minutes, at which time Gus Hurwitz noted that Google is likely to face multimillion-dollar fines in an FTC investigation of child Internet privacy violations, not to mention a rule-making designed to increase the probability of future fines.

 Speaking of which, European lightning struck Amazon this week in the form of new competition law scrutiny. Gus offers skepticism about the EU’s theory, and I offer counter-skepticism.

 Julian Assange has completed his transformation from free-speech crusader to feces-speech crusader. Nick Weaver is astonished at the way Julian Assange managed to turn the Ecuadorian embassy into a fist-fighting, feces-smearing, election-meddling command post.

 Nick also predicts that Kazakhstan will lose its war with Silicon Valley browser makers over a man-in-the-middle certificate the Kazakh government is forcing on its citizens in order to monitor their Internet browsing.

 And in short hits, Gus questions whether $650 million is a harsh settlement of Equifax’s data breach liability; Nick closes the books on NSA hoarder Hal Martin’s 9-year prison sentence; and Nick explains the latest doxing of an intelligence agency – this time a contractor for the Russian FSB. 

Download the 273rd Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

What is the federal government doing to "illuminate" its supply chain and then excise compromised hardware and software? That’s what we ask Harvey Rishikof, coauthor of “Deliver Uncompromised,” and Joyce Corell, who heads the Supply Chain and Cyber Directorate at the National Counterintelligence and Security Center. There’s no doubt the problem is being admired to a fare-thee-well, and some evidence it’s also being addressed. Listen and decide!

In the News Roundup, Nate Jones and I disagree about the Second Circuit ruling that President Trump can’t block his critics on Twitter. We don’t disagree about that ruling, but I’m a lot more skeptical than Nate that it will be applied to that other famous Washington tweeter, Alexandria Ocasio-Cortez.

GDPR still sucks, but now it bites, too. Matthew Heiman explains just how bad the bite was for Marriott and British Airways.

Gus Hurwitz reprises how much – or little – we know about the FTC and Facebook. We won’t know much, he says, until we answer the question, “Where’s the complaint?”

Talk about hard supply chain issues. Congress banned Chinese surveillance cameras from the federal supply chain by law.  But passing a law turns out to be a lot different from actually, you know, getting rid of them.

For a change of pace, Gus and I rag on the US Patent and Trademark Office for its petition asking the Supreme Court to overturn a Fourth Circuit ruling that adding “.com” to a generic term makes it trademarkable. You tell ‘em, USPTO! It’s not like adding “.com” to a word has the same creativity and distinctiveness as adding “i” in front of “phone” or “pod.”

Nate and I spar over whether Section 301 can be used to retaliate against France for its 3% digital tax.

Matthew tells us that the Trump Administration isn’t sharing details on classified cyberattack rules with Congress, and after a modicum of mockery, we actually find ourselves agreeing with Congress’s demand to be briefed on the rules.

Finally, in quick hits, I flag the hypocrisy of social justice campaigners who love the idea of privacy until it gets in the way of doxxing people they disagree with -- plus the surprising ways that GDPR has enabled personal data breaches on an industrial scale.

Download the 272nd Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

This week I interview Glenn Reynolds, of Instapundit and the UT Knoxville law school, about his new book, The Social Media Upheaval. In a crisp 64 pages, Glenn analogizes social media to a primeval city, where new proximity produces periodic outbreaks of diseases that more isolated people never experienced; traces social media’s toxicity to the desperate pursuit of engagement; and proposes remedies both for individual users and for society as a whole.  All that plus thoughtful advice on dietary supplements and deadlifts!

In the news roundup, Matthew Heiman dissects a recent Third Circuit ruling that Amazon can be held strictly liable for products it markets for third parties. Unlike Matthew, I am largely persuaded by the court’s ruling on products liability – but Matthew and I both have doubts about its use of section 230 of the Communications Decency Act to protect Amazon from “failure to warn” liability.

Maury Shenk and Nick Weaver review the progress of the War on Facial Recognition. Opponents have rolled out the ultimate weapon of the modern left:  OMG, ICE is using it! But facial recognition is still winning the war, mostly because its opponents are peddling undifferentiated fear of a technology that’s already being used for many very different purposes, from anonymously tracking shoppers moving through a store (where the store doesn’t need to know the shoppers’ identities) to boarding planes (where the airline damn well better know the passengers’ identities, and the tech only has a couple of hundred faces to match).

Matthew and Nick consider China’s seizing and installing spyware on travelers’ devices. Turns out, China’s practice isn’t all that different from most government efforts to extract data from phones, except that the Chinese leave their code on Android devices, enabling security researchers to reverse engineer China’s deepest fears. And what does China fear most? Japanese heavy metal, apparently. Almost makes you feel a bit of empathy for Beijing…

Maury also highlights Big Tech’s concerns about the UK’s particularly aggressive proposal for an online “duty of care.”

Nick and I follow the problem of fake cancer cures being advertised on Facebook and YouTube down the usual ratholes – who should be responsible in the first place, and why does Silicon Valley think that algorithms will ever be able to discipline such content?

This Week in the US China trade war: No one seems to know exactly what President Trump’s concessions at the G-20 meeting amount to, but more and more US tech companies have decided that moving 30% of their tech sourcing out of China is a good idea no matter how the trade war ends. This war isn’t good for US companies, but it’s really not good for China’s. Which, come to think of it, is what President Trump has said from the start.

Finally, if you’re looking for tough government action against contractors with bad cybersecurity, CBP is your agency.  It has cut ties with Perceptics, the firm that was breached by Boris the Bullet-Dodger, and seems to be readying a debarment proceeding that will cut the firm off from future government contracts. Matthew and I speculate that there may be something more behind this harsh remedy – perhaps a lack of prompt contractor candor about the breach. Whatever the context, though, this proceeding is likely to set a precedent that haunts government contractors long into the future. 

Download the 271st Episode (mp3). 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

The theme this week is China’s growing confidence in using cyberweapons in new and sophisticated ways, and the US struggle to find an answer to China’s growing ambition in this sphere. Our interview guest, Chris Bing of Reuters, talks about his story on Chinese penetration of managed service providers like HP Enterprise – a penetration that allowed APT10 access to hundreds of other companies that rely on managed service providers for most of their IT. Most chilling for the customers are strong suggestions that the providers often didn’t provide notice of the intrusions to their customers – or, worse, that the providers’ contracts may have prevented their customers from launching quick and thorough investigations when their own security systems detected anomalous behavior originating with the providers. After this episode, a lot of CISOs will be rereading their managed service contracts.  Chris also tells the story of an apparent “Five Eyes” intrusion into Yandex, the big Russian search engine.

Returning to China, in our News Roundup Nate Jones covers the latest in the US-China trade war before diving into a Wall Street Journal article (by Kate O’Keeffe) that I call the Rosetta Stone for the last two years of cyber policymaking. Looking for the unifying theme in the lobbying fight over FIRRMA, the president’s executive orders on cyber, and sanctions on companies like Sugon? Look no further than AMD, particularly its accommodation of China’s ambitions in chip manufacture and the Pentagon’s desperate effort to thwart its plans. Nate and I also consider a possible new US requirement that domestic 5G equipment be made outside China.

What is China planning to do with all that cyber power? Jordan Cannon lays out one possibility, focusing on a little-followed story in which China seems to have taken an election-tilting page straight out of Vladimir Putin’s textbook. And Nate covers a newly patient Chinese hacking cadre willing to compromise a dozen telcos for years just to collect metadata on as few as twenty telco customers.

Speaking of metadata, David Kris explains why Congress is more exercised over NSA’s access to American phone metadata than China’s. Congress took the view that NSA should not collect the metadata of innocent Americans, even if it only searched the data when it had a legal basis for doing so. Instead, Congress constructed a new Section 215 program that depended on each telco to do searches of data that remained in its hands. Unsurprisingly, the telcos have done that badly, sending the wrong data to NSA on more than one occasion. Naturally, Congress now blames NSA for “overcollecting.” Don’t hold your breath waiting for an apology from the Congressional cranks who got us into this mess.

Are you a conservative comforting yourself with the idea that Silicon Valley censorship is just a creature of platform monopoly that can be cured by more competition? Guess again. Two more conservative-hostile moves by Silicon Valley show that competition isn’t likely to end virtue signaling in the Valley. After Google banned Project Veritas’s video exposé of YouTube for, uh, privacy – that’s it, privacy – violations, its distant No. 2 competitor Vimeo responded to the competitive opportunity by also banning the video for, uh, defamation or something. And when Twitter competitor Parler offered a home to conservatives, Apple reportedly threatened (at least briefly) not to distribute the app unless it kicked some unspecified bad actors off the service.

Meanwhile, two Silicon Valley platforms that really do depend on at least a few conservative voices were singing that famous C&W song, “I hate you. I need you. And I hate that I need you.” (Okay, I made that up, but there really should be a Taylor Swift song with those lyrics.) Anyway, the needy haters of Silicon Valley have been searching for ways to show their contempt for people they’re afraid to shut down completely, and now they've found it. Reddit “quarantined” their wildly popular subreddit, r/the_donald, over posts the moderators said they’d never seen and had never been reported to them. And Twitter announced that it planned to salve its SJW conscience while still profiting from Trump’s tweets by attaching disapproving labels to them. Nate tries to hose me down, but it’s too late.

Finally, in breaking news from 1993, David reports that the Trump Administration is considering an encryption crackdown but can’t choose between a toothless statement of principles and a feckless proposal of legislation that will not pass. I offer the suggestion that the statement of principles could be enough to undercut Silicon Valley’s campaign to stop encryption controls in countries like Australia, the UK, and Germany. That’s where controls will eventually come from, David and I agree. If so, I’m looking forward to hearing all those folks who told us that GDPR was just the voice of civilization calling across the Atlantic say the same about European encryption mandates.

Download the 270th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Our interview guests this week are Dick Clarke and Rob Knake, who have just finished their second joint book on cybersecurity, The Fifth Domain. We talk about what has changed and what they got right and wrong in their original book. Clarke and Knake offer surprising flashes of optimism from about the state of cybersecurity today, and the book itself is an up-to-date survey of the policy environment. Best of all, they have the courage to propose actual policy solutions to problems that others just admire. I disagree with about half of their proposals, so much light and some heat are shed in the interview, which I end by bringing back the McLaughlin Group tradition of rapid-fire questions and an opinionated "You're wrong" whenever the moderator disagrees. C'mon, you know the arguments are really why you listen, so enjoy this one!

In the News Roundup, Gus Hurwitz covers the Supreme Court's ruling on when a forum is subject to First Amendment limits. Short takeaway: There is not a single Justice who thinks Silicon Valley's platforms are public fora subject to the First Amendment. Sen. Hawley (R-MO) comes in for some mockery as a result, which prompts me to invite him to defend himself on a future episode (not so much because the First Amendment applies to this podcast but because it would be fun).

Matthew Heiman spells out the strategy behind Facebook's proposed cryptocurrency. He thinks it's all about the data; I think it's all about WeChat. Whatever the motive, every regulatory body in Europe and the US has descended on the company to extract concessions – or perhaps to kill the currency outright, as our own Nick Weaver has proposed.

Maury Shenk reports on the US government's threat to limit Indian H-1B visas if India persists in its extreme data localization policies. I suggest that the fight may be as much about terrorism finance as protectionism.

This Week behind the Silicon Curtain: Apple is considering moving 15-30% of its production capacity out of China. Matthew and I agree that that's easier said than done, but the move is inevitable.

Gus lays out the difficulties that YouTube has had meeting the child protection requirements of COPPA and the FTC's growing interest in changing YouTube's approach to videos aimed at kids.

Is China's social credit rating system a Potemkin village? Bloomberg seems to think so, but Maury has his doubts. So, if you thought you could stop fearing the system and start laughing at it, better think again.

Finally, This Week in Karma: The medical billing firm whose cybersecurity failings resulted in multiple medical data breaches has filed for bankruptcy, evidently the result of liabilities arising from the breach.

Download the 269th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

We interview David Sanger, whose recent New York Times article on US intrusions into the Russian grid was condemned as “a virtual act of treason” in a presidential tweet. Turns out that national security officials, contacted before the story ran, didn’t ask the Times to hold the story. Understandably. If you’re signaling to Putin that his grid will be at risk as long as he puts ours at risk, a front-page story in the New York Times is a pretty good way to get the word out.

We’re starting to see a lot more casualties in the New Code War between the US and China. Broadcom has issued a $2 billion warning that has shaken the global chip sector. And Hollywood is whistling past the graveyard if it thinks that China is going to stop squeezing US film profits in China. And the adjustment to a divided global tech market keeps finding new pain points. Turns out that even the F-35 depends on a Chinese supply chain.

Speaking of security holes, Nick Weaver breaks down the cause and significance of the Rowhammer exploit and its latest sibling, RAMBleed. And to complete the paranoia segment of the show, Nick explains just how easy it is to use LinkedIn to build a network of people with clearances who can be compromised by a nonexistent woman.

Should Silicon Valley face an antitrust breakup that might produce more viewpoint competition? Mark MacCarthy breaks down a speech given by the Justice Department’s antitrust chief, pointing out that conservatives crusading to make viewpoint competition part of antitrust analysis got a little more comfort than usual from the speech.

Or should Silicon Valley lose its immunity under Section 230 of the Communications Decency Act because of its high-handed treatment of conservatives? David Benger tells us that the DC Circuit does see a limit to the Section 230 immunity – but a pretty distant one. Mark points out that Congress might itself cut back on the doctrine – but only, I note, if it’s willing to violate the US-Canada-Mexico trade deal.

Finally, Nick and I have different takes on what I call the overhyped breach of the week, in which a Customs and Border Protection subcontractor lost photos of thousands of travelers. Turns out it wasn’t much of a breach for the agency, but it was a potentially devastating breach for its subcontractor.

Download the 268th Episode (mp3).

We kick off Episode 267 with Gus Hurwitz reading the runes to see whether the 50-year Chicago winter for antitrust plaintiffs is finally thawing in Silicon Valley. Gus thinks the predictions of global antitrust warming are overhyped. But he recognizes we’re seeing an awful lot of robins on the lawn: The rise of Margrethe Vestager in the EU, the enthusiasm of state AGs for suing Big Tech, and the piling on of Dem presidential candidates and the House of Representatives. Judge Koh’s Qualcomm decision is another straw in the wind, triggering criticism from Gus (“an undue extension of Aspen Skiing”) and me (“the FTC needs a national security minder when it ventures into privacy and competition law”). Matthew Heiman thinks I’m on the wrong page when I suggest that Silicon Valley’s suppression of conservative speech is the kind of detriment to consumer welfare that the antitrust laws should take into account, even in a Borkian world.

I mock Austrian Greens for suing to censor those who called it a “fascist party” – stopping their mouths not just in Austria but around the world. Yeah, guys, that’ll show ‘em who the fascists are. Less funny is the European Court of Justice’s advocate general, who more or less buys the Greens’ argument. And thereby reminds us why we miss Tom Wolfe, who famously said, “The dark night of fascism is always descending in the United States and yet lands only in Europe.”

Nate Jones answers the question, “Were the Russians much better at social media than we thought?” All the adjustments to that story, he notes, have increased our assessment of the sophistication in Russia’s social media attacks. And in This Week in Host Self-Promotion, I take advantage of Nate's remarks to urge my own solution to the utterly unsolved problem of hack-and-dox attacks by foreign governments on US candidates they don’t like: Ban the distribution of data troves stolen from candidates and officials. Nate agrees that First Amendment doctrine here is a lot friendlier to my proposal than most people think, but he cautions that the details get messy fast.

Matthew comments on Baltimore’s tragedy of errors in handling its ransomware attack. The New York Times’ effort to pin the blame on NSA's EternalBlue, which always looked tendentious and agenda-driven, now has another problem: It’s almost certainly dead wrong. EternalBlue doesn’t seem to have been used in the ransomware attack. Baltimore’s best case now is that its cybersecurity sucked so bad that other, completely unrelated hackers were using EternalBlue to wander through the city’s system at the same time as the ransom bandits.

Speaking of cybersecurity, Matthew reminds us of two increasingly common and dangerous hacker tactics: (1) putting the “P” in APT by hanging around the system so long that you’ve downloaded all the manuals, taken all the online training, and know exactly when and how to scam the system; and (2) finding someone with lousy network security who’s connected to a harder target and breaking in through the third party.

Finally, Gary Goldsholle helps us make sense of the litigation between the SEC and Kik, which first launched a cryptotoken that it insisted wasn’t a security offering and then crowdfunded a lawsuit to that effect against the SEC. So, finally: good news for lawyers if nothing else, and perhaps for future Initial Popcorn Offerings.

Download the 267th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

What can we do to counter Russian "hack and dox" interference with US election campaigns and candidates?  A lot more than we think, as long as we're willing to open the first amendment Overton window.  I posted my modest proposal on the topic over at Lawfare.  Here's the gist:

Of course, stopping the dissemination of such information raises real First Amendment questions, but the Supreme Court's pronouncements on this topic have been surprisingly qualified and leave plenty of room for legislation that would drain much of the fun out of Russian cyber-kompromat. In the leading case, Bartnicki v. Vopper, the court refused to enforce a statutory prohibition on disseminating the contents of illegally wiretapped conversations. The conversation in question was a cell phone call in which a member of a teachers' union said to the union's negotiator that if the school district didn't improve its offer to end a strike, "we're gonna have to go to their, their homes … to blow off their front porches, we'll have to do some work on some of those guys." The Supreme Court's opinion considered two principal justifications for a ban on dissemination of tapped conversations—deterring wiretapping and preserving privacy. The court dismissed the first because it thought deterrence could be achieved by prosecuting those who conducted the illegal tap. It was troubled by the second, recognizing that failing to punish the disclosure of private conversations was itself likely to restrain private speech. Nonetheless, in an expressly narrow decision, the court concluded that the conversation being disclosed was a matter of public concern, so that prohibiting dissemination would trench too far on freedom of speech. Two justices who were necessary to the majority wrote separately, narrowing the decision further by declaring that only a communication threatening physical harm or the like was of sufficient public concern to justify overriding the dissemination ban.

To my mind, this decision leaves plenty of room for imposing restraints on the distribution of private emails stolen by a foreign government. The government's interest in protecting private speech remains strong in the case of foreign government hacking, and it is bolstered by a deep national security concern that was quite lacking in Bartnicki. What's more, the Bartnicki court's notion that such thefts can be deterred by criminal prosecution is demonstrably wrong where government hackers are concerned. We've indicted Russian, Chinese and Iranian government hackers; it hasn't deterred any of them for long. Even taken at face value, the decision protects only dissemination that addresses a matter of public concern. That by itself would seem to allow Congress to restrict massive dumps of private communications that do not touch on significant public issues, let alone make threats of violence.

If you’ve lost the Germans on privacy, you’ve lost Europe, and maybe the world. That’s the lesson that emerges from my conversation with David Kris and Paul Rosenzweig about the latest declaration that the German interior minister wants to force messaging apps to decrypt chats. This comes at the same time that industry and civil society groups are claiming that GCHQ’s “ghost proposal” for breaking end-to-end encryption should be rejected. The paper, signed by all the social media giants, says that GCHQ’s proposal will erode the trust that users place in Silicon Valley. I suggest that maybe that particular argument is well past its sell-by date.

Speaking of trust, Paul outlines the latest tit-for-tat in the Silicon Curtain coming down between the US and China, as that country announces plans to publish an “unreliable entities” list of US companies. I note that the same spirit seems to be animating the announcement that China and Russia are transitioning their militaries from Microsoft Windows to other operating systems. Talk about a bonanza for the NSA: Just the coding errors alone will sustain its hackers for a generation – even in the unlikely event that the Chinese and Russians resist the temptation to seed the system with backdoors aimed at their erstwhile partners.

Maury Shenk highlights the latest German effort to regulate “broadcasting” of content on the Internet, which the German authority says will mandate transparency and diversity. I think it’s transparently about shoring up the German establishment, a view hardly contradicted by the ham-handed way CDU leader Annegret Kramp-Karrenbauer responded to the CDU’s drubbing in the EU elections. The losses were widely attributed to YouTube influencers who urged young voters to reject the main parties. The solution, AKK suggested, was more regulation of YouTube influencers. Ja, natürlich.

David brings us up to date on Iran’s latest effort to engage in social media manipulation and Facebook’s response.

Alicia Loh parses a DC Circuit ruling that all the White House has to do to comply with laws on keeping records of official communications is send out a memo. That obligation was satisfied, the court ruled, by a memo telling White House staff who use “vanishing” messaging apps to take screenshots of any official communications and preserve the messages. Alicia is practically the only member of our panel who even knows how to take a screenshot on a phone, which suggests that White House staff compliance might be, well, underwhelming.

Maury gives us a quick update on US states imitating GDPR. Short version: Watch California and then New York.

And in a lightning round, I am struck by the sight of an FTC commissioner begging the Ninth Circuit not to uphold the FTC’s position in the Qualcomm case on appeal. Maury and I note the growing demand in Silicon Valley companies for mass contract labor spurred by the need to train AI. And Paul and I speculate on the probability of antitrust cases against Google and Amazon. It’s been a long cold Chicago winter for antitrust plaintiffs, but a change in the climate may be coming.

Download the 266th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Paul Rosenzweig leads off with This Week in China Tech Fear – an enduring and fecund feature in Washington these days. We cover the Trump Administration's plan to blacklist up to five Chinese surveillance companies, including Hikvision, for contributing to Uighur human rights violations in the West of China, DHS's rather bland warning that commercial Chinese drones pose a data risk for US users, and the difficulty US chipmakers are facing in getting "deemed export" licenses for Chinese nationals.

We delve deeper into a remarkably shallow and agenda-driven New York Times article by Nicole Perlroth and Scott Shane that blames NSA for Baltimore's ransomware problem without ever asking why the city failed for two years to patch its systems. David Kris uses the story to take us into the Vulnerabilities Equities Process – and its flaws.

There may be a lot – or nothing – to the Navy email "spyware" story, but David points out just how many of today's cyber issues it touches. With the added fillip of a "Go Air Force, Beat Navy" theme not usually sounded in cybersecurity stories.

Paul expands on what I have called Cheapfakes (as opposed to Deep Fakes) – the Pelosi video manipulated to make her sound impaired. And he manages to find something approaching good news in the advance of faked video – it may mean the end of (video) blackmail.

But not the end of "revenge porn" and revenge porn laws. I ask Gus Hurwitz whether those laws are actually protected by the Constitution, and the answer turns out to be highly qualified. But, surprisingly, media lawyers aren't objecting that revenge porn laws criminalizing the dissemination of true facts are on a slippery slope to criminalizing news media. Only a bit more persuasively, though, that is the argument they're making about the expanded charges of espionage against Wikileaks founder Julian Assange. David offers his view of the pros and cons of the indictment.

And Gus closes us out with some almost unalloyed good news. Despite my suspicion of any bipartisan bill in the current climate, he insists that the Senate-passed anti-robocalling bill is a straight victory for the Forces of Good. But, he warns, the House could still screw things up by adding a private right of action along the lines of the Telephone Consumer Protection Act, which has provided the plaintiffs bar with an endless supply of class actions without actually benefiting consumers.

Download the 265th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

We begin this episode with a quick tour of the 5-4 Apple antitrust decision that pitted two Trump appointees against each other. Matthew Heiman and I consider the differences in judging styles that produced the split -- and the role that 25 years of living with Silicon Valley “platform billionaires” may have played in the decision.

Eric Emerson joins us for the first time to talk about the legal fallout from the latest tariff increases on Chinese products. Short version: companies have some short-term tactics to explore (country of origin, drawback, valuation), but large importers/resellers will have to grapple with larger and costlier strategies of supply chain diversification and localization.

Meanwhile, China has not been taking the trade war lying down. In addition to its own tariff increases, it now seems to be enforcing its demanding cybersecurity law more aggressively against foreign firms. I suggest that we may also be seeing retaliation in Chinese courts as well.

In related news, Nick Weaver and I debate the potentially sweeping new Executive Order on Securing the Information and Communications Technology and Services Supply Chain.

Maury Shenk explains the UK Supreme Court ruling that expands the court’s authority over the UK’s intelligence agencies -- despite clear Parliamentary language to the contrary. Bottom line: Bad news for UK intelligence. Hidden good news for the US: Turns out that there is something worse than activist judges interpreting a written constitution – activist judges who can more or less make up the constitution they interpret.

It was a cybersecurity disaster week for some of the biggest names in tech. Nick helps me understand which bugs were worst, Cisco’s, Intel’s, or Microsoft’s. Then we review the equally bad week that the NSO Group and its WhatsApp exploit had.

Cleaning up in a lightning round:  We cover the order requiring the Chinese owner of Grindr to sell by mid-2020. We also cover Canada’s approach to social media, which spurs me to offer unwonted praise for France’s Macron and his moderation. The EU has a plan for sanctions on cyberattackers; Matthew and I doubt it will get much use. Is too much fuss being made over leak investigators using Web bugs to see if defense counsel at Guantanamo have been leaking; Nick and I disagree, at least a bit.

And the podcast closes with yet another installment in our long-running feature, “This Week in Internet Sex Toy Law.” Suffice it to say that the latest case can’t be understood without consulting both Orin Kerr and Jerry Seinfeld.

Download the 264th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to

CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect their firms, clients, spouses, or families.