Skating on Stilts

When it comes to spurring remediation of the log4j bug, the FTC's other foot, I argue, is lodged firmly in its mouth.  It has published what can only be described as a regulatory blog post, reminding everyone of the $700 million in fines imposed on Equifax and threatening "to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j." Tatyana Bolton defends the agency from a charge of heavy-handedness, arguing that this is the best way to get companies to patch quickly and that only "reasonable steps" are required. I think we'll hear "we only asked for reasonable steps" a lot from the FTC, now that it turns out that fixing the Log4j mess is going to require a lot more than regulatory muscle flexing. I also argue that the FTC's tough-guy pose is just that; when talking about the open source maintainers who actually have to generate many of the patches, the FTC doesn't threaten them with its "full legal authority." Instead, it acknowledges that open source coders "don't always have adequate resources and personnel," something the FTC "will consider as we work to address the root issues that endanger user security." Hmm, maybe Equifax should have pleaded inadequate resources and saved itself $700 million.

Speaking of fallible regulators, Glenn Gerstell gives us a tour of China's tech regulatory landscape, and the remarkable decline it has caused in the fortunes of consumer tech firms there, something the NYT covered in detail last week. Is that good news for Silicon Valley or for US competitiveness? Sadly, probably not, I conclude.

Mark MacCarthy explains why a proposal to combine cryptocurrency with Signal is causing angst among Signal's supporters, who fear an expansion of the end-to-end encrypted service's "regulatory attack surface."

Glenn covers the latest story about security risks and telecom gear from China. 

Mark and I dig into the growing enthusiasm for regulating big Silicon Valley companies as gatekeepers.  The Germans are about to apply that approach to Google. And the South Koreans are doing the same to Apple and its app store payment policies. 

Tatyana notes the press coverage about possible tensions between two talented and strong cybersecurity officials in the White House: Anne Neuberger and Chris Inglis. I put Glenn on the spot about claims that Anne has "a particular tendency to clash with lawyers." That would only make me love her more, but to my regret, Glenn (who, as NSA's top lawyer, worked with her for years) absolves her of the charge.

Mark and I handicap the probability that the plaintiff will succeed in a highly charged lawsuit against Facebook/Meta for bringing together the boogaloo conspirators who killed a federal protective officer. It's a long shot, but if "negligent design" turns out to create liability for software and algorithms, Signal will have an even greater attack surface than its fans are now worried about.

Glenn explains the charges brought in China against Walmart for breaches of cybersecurity laws (hint: it's mostly not breaches of cybersecurity laws). Speaking of surprises that aren't surprises, Glenn also covers the announcement by Lloyd's of London that cyber insurance won't cover cyber-attacks attributable to nation-states. 

Finally, I devote a few minutes to a rant about the Justice Department's decision to expand charges against Joe Sullivan, Uber's former CISO, for his role in paying "bug bounties" to hackers who looked more like crooks than bounty hunters when they compromised a bunch of Uber records. More than a year after charging Sullivan with obstruction of justice for using the "bug bounty" justification to keep the whole thing quiet, Justice piled on new charges of wire fraud for more or less the same thing. Glenn and I both question the decision to do this without any new facts to base the new charges on. And I point out the logical consequence of telling breach responders that they could face wire fraud charges if they decide not to disclose the breach (or maybe delay notice too long). The new Justice tack will (or should be) fatal to the FBI's desire to be called in to assist and observe while companies are dealing with breaches.  If  there's even a small risk that a decision to delay or withhold notice could lead to a criminal investigation, why would any GC want to have an FBI agent sitting in the room while the decision is being made?

Download the 389th Episode (mp3)  

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Among the good things about coming back from Christmas break are all the deep analyses that news outlets save up to publish over the holidays – especially those they can report from countries where celebrating Christmas isn’t that big a deal. At least that’s how I account for the recent flood of deep media dives on China technology issues. Megan Stifel takes us through a few. The first is a Washington Post article on China taking the tools it uses for measuring online dissent and focusing them on the rest of the world. The second is a New York Times article that tells us how the Chinese government takes the next step -- using its tools for suppressing internal dissent on the rest of the world when it says things China doesn’t like. Utterly unsurprising, to me at least, is how social media companies like Twitter have turned out to be hapless enablers of China’s speech police. Later in the podcast, Megan covers another story in the same vein – the growing global unease about China’s success in building Logink, a global logistics and shipping database.

Scott Shapiro and Nick Weaver walk us through the conviction of a Harvard professor for lying about his China ties. It may be too cynical to say that the Justice Department wanted Professor Charles Lieber especially badly because he’s not Asian, but there’s no doubt he’ll be Exhibit A when it defends the China Initiative against claims of ethnic profiling.

Megan takes us through another great story of hack-enabled insider trading, helicopters to Zermatt, and dueling extraditions; as the piece de resistance, NYT hints we may learn more about Russian interference with the 2016 presidential election. 

Scott explains how Apple AirTags are being used to track people. Nick gives us a feel for just how hard it is to separate good from bad in designing Air Tags. I suggest that this is a problem we could leave to the plaintiffs’ lawyers.

Nick lays out the economics of hacking as a service and introduces us to yet another company in that business – Cytrox. No one seems to last long in the business without changing their name. Nick and I explore the reasons for that, and the possibility that soon the teams that work for these companies will also move on every year or two.

Nick explains why bitcoin isn’t always a cybercriminal’s best friend. It turns out that cryptography isn’t proof against rubber hose cryptanalysis, or maybe even plea bargaining.

Drawing from my research for an article about why bias in face recognition has been overblown, I note that Canada, France, and the entire Western world is imposing sanctions on Clearview AI for privacy violations, but Clearview AI is the only U.S. company doing as good or better at face recognition than Chinese and Russian suppliers.  I argue that’s because a dubious racial bias narrative has forced IBM, Amazon, Microsoft, and Meta to retreat from the market, leaving us at the mercy of Russian and Chinese tech.

Megan explains why financial regulators and not the FBI turn out to be the biggest and most effective government enemies of end-to-end encryption; they've fined JPMorgan Chase a cool $200 million for using WhatsApp and other unbreakable encrypted messaging systems. Say, wasn't there a chip thirty years ago that would have solved that problem -- Chipper? Clipper?

Finally, in quick hits,

• I point out that soft power isn’t always America’s friend, as shown by Intel’s apology to the Chinese public for obeying U.S. law, Apple’s determination to double down on deepening its dependence on a Chinese supply chain, and a SenseTime IPO that was enormously successful for everyone except U.S. sanctions and U.S. investors.
• Scott shows the remarkable erosion of Silicon Valley’s power in conflicts with Putin’s Russia. Google and Meta are facing huge fines for not taking down content Russia doesn’t like. And they're losing lawsuits to Russians whose content they have taken down. In fact, they're losing so big that I expect Breitbart to bring its next Big Tech censorship lawsuit in Moscow.

Download the 388th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

All the cyberlawsuits that didn't get filed, or decided, over Thanksgiving finally hit the fan last week, and we're still cleaning up. But before that, I have to ask Dave Aitel for a sanity check on Log4Shell. Does it really deserve a 10 out of 10 for impact? And what does it mean for all the open source components buried in all our enterprise software? Dave's only piece of good news is that some big projects were far enough behind in updates that they haven't yet built the flaw into their products.

Turning to the first of several lawsuits covered in this episode, Jamil Jaffer and I praise Google for a particularly comprehensive and creative approach to suing cybercriminals. RICO plus a boatload of computer privacy violations are at the heart of Google's complaint against two criminals who created the Glupteba botnet. The defendants deserve credit of their own for creativity in using the blockchain to reconstitute their C2 infrastructure. If more criminals did that, Microsoft's trademark approach – using trademark violations to seize botnet infrastructure – would be less effective. Speaking of which, this week Microsoft used trademark litigation to take down a Chinese government network. Is it wrong to complain that Microsoft has been using this approach for so long that botnets are only inconvenienced, not destroyed, by the tactic?

Maury Shenk digs into the remarkable report that Apple CEO Tim Cook promised $275 billion of investment to China. Five years ago. In secret. And we're only finding out about it now, after he apparently delivered. When Congress finally gets around to the cyber incident reporting bill that it just bumped from the defense authorization act, maybe it will want to classify multibillion dollar deals with Communist China as the kind of cyber incident that ought to be reported to the U.S. government, if only so it knows how to evaluate the motives of the companies that are lobbying it.

The Tenth Circuit finished its Thanksgiving by releasing a massive opinion upholding the constitutionality of Section 702 of FISA. Jamil Jaffer, who played a role in adoption of Section 702, walks us through the decision, which was 2-1, but not on the main question. Instead, the debate was over Article III and the "advisory" nature of FISA court opinions that review intelligence agency procedures under 702. I confess to some sympathy for the dissent but wonder how it would help the defendant to strike down that structure.

Dave explains why Tor might not be as secure as we think. A mysterious and likely state-sponsored actor. is running hundreds of malicious Tor relays. And to add insult to injury, the actor is openly participating in Tor community debates, lobbying against proposals to reduce malicious Tor relays.

But wait, there's more cyberlitigation, and again Jamil talks us through it. A Saudi women's rights activist has brought a CFAA lawsuit against DarkMatter and its expat American employees for an iPhone hack that she says got her arrested. I'm a little skeptical that the lawsuit will survive a Foreign Sovereign Immunities Act motion.

Maury and I question the wisdom of a recent Italian fine penalizing Amazon over a billion euros, mainly for preferencing sellers who sign up for Prime logistics

Dave tells the sad story of Ilya Sachkov, a Russian cybersecurity whiz kid and CEO who may have believed too much that everyone sees cybersecurity as a white hat enterprise. Word is that he may have been too eager to help unravel the identities of the 2016 DNC attackers and is now paying for it with a Russian treason charge.

Maury notes that the U.S. decision to blacklist SenseTime, the Chinese AI company, was carefully timed to guarantee disruption of SenseTime's IPO. Whether the U.S. action will be more than a delaying tactic remains to be seen, but Maury thinks not.

Maury notes that Wikileaks founder Julian Assange has lost an important battle as he fights extradition to the U.S. And Jamil notes that the cyber incident reporting bill didn't make it into the defense authorization act, as mentioned earlier. He is one of the few cybersecurity buffs who isn't especially disappointed.

Maury and I disagree about a much-ballyhooed group of companies claiming to combat A.I. bias in hiring. I'll believe it when they actually expose their recommendations to public scrutiny.

For those who think left-wing bias in content moderation is not a thing, try this: Spend ten minutes with this right-wing French candidate's very effective campaign ad. Then ask yourself why exactly YouTube thought it wasn't fit for children. My guess: it was really the ad's effectiveness that YouTube disapproved of.

Dave and I puzzle over the Biden administration's unsatisfying `Initiative for Democratic Renewal' – a big international get-together that got only cursory attention in the US, perhaps because its theme is still a little hard to find.

And, finally, just to give me an excuse to publicize my latest Cybertoonz comic, Jamil asks what it means for Western militaries to "impose a cost" on ransomware gangs.

And with that, the Cyberlaw Podcast bids farewell to 2021. We will return in January.

Download the 387th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Canadian spy agency targeted foreign hackers to 'impose a cost' for cybercrime - National | Globalnews.ca

Federal district judge Robert Pitman has enjoined enforcement of Texas's law regulating social media censorship.  In this episode, the ruling sparks a fight between me and Nate Jones that ranges from how much weight should be given to  the speech rights of social media to the Kyle Rittenhouse verdict imposed by Facebook when it decided he was guilty and wouldn't let anyone disagree. On the merits, as before, we agreed that the Obama appointee was on pretty solid ground (for now) in applying the Tornillo line of cases saying that government should not directly regulate the editorial judgments of publishers. But the judge's ruling on the transparency and due process requirements of the law suggests to me that he wasn't prepared to give the law a fair shake. So look for a competitive appeal on the topic and quite possibly a more than competitive certiorari petition as well. By the time we stop beating this horse, he's long past any possible right of self-defense.

Megan Stifel has an easier task: Explaining cybersecurity recommendations for rail and other surface transportation companies. The advice is mostly the kind of simple concepts that could have been offered in the 90s, so we both puzzle over the fierce resistance from industry. Maybe it's the 24-hour requirement to notify TSA of cyber incidents, though I suggest reasons why industry shouldn't be as worried by this requirement as by a similar deadline for data breach notifications.

Nate and I explore proposals from the Biden administration to muster a group of like-minded countries in a campaign to curb sales of surveillance gear to authoritarian regimes. No doubt the initiative was reinforced by news that U.S. State Department phones were recently hacked with spyware from Israel. But I think the whole project fails for a simple reason: authoritarian governments can buy all the surveillance gear they need from China, which is happy to sell it. In the absence of credible enforcement, an international effort to condemn such sales is empty virtue signaling.

I mock an eminently mockable story from the Markup claiming that the PredPol crime prediction software is racist because it urges the police to patrol more poor black neighborhoods than rich white ones without asking whether that's where crime might be concentrated. Then, when the authors finally notice the overlap between neighborhoods with lots of arrests and neighborhoods recommended for heavy patrolling, they suddenly claim that the prediction software must be useless because the same results could be reached without the software.

Speaking of stupid, Megan explains how a "smart contract" turned out to be anything but, allowing hackers to steal $31 million in digital coin. I wonder exactly how much the hacker's feat differs from really good lawyering.

Nate and I look at how well Russia is doing in bringing Twitter to heel with a mobile slowdown. Twitter hasn't broken yet, but it's clear that the authoritarians of the world are slowly winning their battle with Silicon Valley.

Megan tells us about a cybersecurity professional at Ubiquiti who decided to stop riding with the hounds and to ride instead with the fox.  Bad choice; we know how fox hunts usually end for the fox, and this story is no exception.

In updates, I remind listeners of the elaborate gas-lighting effort by Jeff Bezos when he tried to blame the Saudis and the National Enquirer for his brother-in-law's leak of text messages that were deeply embarrassing for the CEO. All the hacking and extortion investigations that Bezos managed to trump up are over now, and the verdict is in: The Saudis didn't do it.

Finally, Megan and I note a Wall Street Journal article on how tough it is to be a spy in a world of smartphones, biometrics, and universal surveillance cameras. Our reaction: Yup.

Download the 386th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

My fourth effort at cartoon cyber commentary grows out of an endless project I'm doing on AI bias -- and the biases of the people who keep doing stories and studies about it. Many thanks to the free Clipart Library for some of the art and to ComicLife software for the parts that look good. (And if you think I should have found a way to get rid of the checkerboard background, you're right.)

Among the many problems surfaced by the current social media enthusiasm for deplatforming is this question: What do you do with all the data generated by people you deplatformed? Facebook's answer, as you'd expect, is that Facebook can do what it wants with the data, which mostly means deleting it. Even if it's evidence of a crime?  Yes, says the platform, unless law enforcement asks us to save it. The legal fight over a deplatformed group that defended historical statues (and may have shot someone in the process) will tell us something about the law of deplatformed data -- as will the fight over The Gambia's effort to recover evidence of deplatformed human rights abuses. In the end, though, we need a law on this question. Because, given their track record in content moderation, leaving the question to the discretion of social media will translate into the platforms' only preserving evidence that hurts people they hate.

Tired: Data breach reporting. Wired: Cyber incident reporting. The unanimous view of our panelists, Paul Rosenzweig  and Dmitri Alperovitch, is that cyber policy has shifted from mandatory reporting of personal data breaches to mandatory reporting of serious cyber intrusions no matter what data is compromised.  The latest example is the financial regulators' adoption of a rule requiring banks and similar institutions to report major cyber incidents within 36 hours of determination that one has occurred. But who will make that determination and with what certainty? Dmitri's money is on the lawyers. I don't disagree, but I think there's a great ER-style drama in the process: "OK, I'm going to call it.  No point in trying to keep this alive any longer. Time of determination is 2:07 pm."

Our interview segment is back after a long absence. David "moose" Wolpoff and Dan MacDonnell of Randori explain the consternation over their startup's use of a serious vulnerability to conduct realistic penetration tests of buttoned-up networks instead of reporting the vuln right away to the software provider. They argue that the value of zero-days for pentesting is great and the risk of harm from holding them is low, if they're handled responsibly. In fact, the debate sounds a lot like the arguments around the table at a government Vulnerability Equities Process ("VEP") meeting.  And that makes me wonder whether the people pushing for a stricter VEP have any idea at all what they're talking about.

Dmitri lays out the surprising complexity and sophistication of the Iranian attempt to influence the 2020 election. I'm less convinced. The Iranian effort failed, after all, and it resulted in the hackers' indictment. Hard to be impressed by failure.

I dig into a recent brief by Hikvision claiming that the FCC lacks authority to bar sales of its products in the US. I'm only half convinced by the legal claim, but I am sure of this: The Hikvision argument has created an opportunity for some enterprising politician to sponsor quick, uncontroversial legislation clearly giving the FCC the authority that Hikvision says it doesn't have.

Dmitri explains the latest advance of the hardware hack known as Rowhammer. It may not be deployed routinely even now, he says, but the exploit makes clear that we will never entirely secure our cyber infrastructure.

Paul and I agree that it's perfectly legal for government to buy advertising data that shows citizens' locations. And we more or less agree that some restraint on sales of location data – at least to the Russian and Chinese governments and maybe to anybody – are in order.

I offer muted and squeamish criticism of a Big Report claiming that child sexual abuse is exploding online. There's no doubt that it's a problem that deserves more legal and platform effort, but the authors did their cause no favors by combining kids exchanging nude selfies with truly loathsome material.

Dmitri and I perform a public service announcement about a scam that takes advantage of security habits that the banks have encouraged us to adopt. Zelle fraud is going to make us all regret those habits. Let's hope it also induces banks to use hardware tokens instead of text messages to verify our transactions.

Germany and Mandiant are at odds over attribution of the government that sponsored the Ghostwriter hacking gang. Germany, backed by the EU, says it's Russia. Mandiant says it's Belarus. Dmitri says "Never bet against Mandiant on attribution." I can't disagree.

Finally, Dmitri joins me in an appreciation of Alan Paller, who died last week. He was a major influence in cybersecurity,  and a role model for successful entrepreneurs who want to give back using their institution-creating skills.

Download the 384th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

My fourth effort at cartoon cyber commentary grows out of an endless project I'm doing on AI bias -- and the biases of the people who keep doing stories and studies about it. Many thanks to the free Clipart Library for some of the art and to ComicLife software for the parts that look good. (And if you think I should have found a way to get rid of the checkerboard background, you're right.)

Two major Senate committees have reached agreement on a cyber incident reporting mandate. And it looks like the big winners are the business lobbyists who got concessions from both committees. At least that’s my take. Dmitri Alperovitch  adds that the bill may still be in trouble because of Justice Department opposition. And Tatyana Bolton not unfairly credits the Cyber Solarium Commission for getting incident reporting this close to passage.  

Meanwhile, another piece of legislation, the Secure Equipment Act of 2021, has already been passed by Congress and signed by the President. It will lock a boatload of Chinese equipment out of U.S. markets. Dmitri explains why the FCC needed this additional authority.

Mark MacCarthy explicates the EU court ruling upholding a $2.8 billion award against Google for “self-preferencing” in shopping searches.

If you’re surprised by the Kyle Rittenhouse trial, and the strength of his self-defense claims, I argue, you can blame Facebook and Twitter, who astonishingly suppressed posts arguing that Rittenhouse had acted lawfully in self-defense. In a reverse John Adams moment, Twitter even suspended Rittenhouse’s defense counsel for defending him. And Facebook declared him guilty of a mass shooting and blocked even searches for his name.  I wouldn't call that content moderation; it's more like content mob-eration. And if you want more censorship of that sort, but this time in your podcast feed, well, no worries: the NYT is on it; the gray old lady is demanding to know why woke censorship hasn’t yet come to podcasts.

This has turned out to be a pretty good week for catching bad guys, Dmitri reports. REvil affiliates have been, arrested, indicted, and had some of their ill-gotten gains seized.

Mark unpacks yet another bipartisan tech regulation-cum-competition bill. This one aims to reduce platforms’ ability to foist "opaque algorithms" on their users. Tatyana notes that a lot of the bills trying to improve portability and competition are likely to raise cybersecurity concerns.

Dmitri and I aren’t impressed by the hoax email sent out in the FBI’s name from a poorly designed FBI website. As hacks go, it’s barely one step up from defacing the FBI’s website. I argue that the bureau ought to give the hacker a low four-figure bug bounty and call it a day, but Dmitri thinks the hacker will be on the FBI’s most wanted list for a while. I tend to agree; there is, after all, no greater crime than Knowingly Embarrassing the Bureau.

In quick hits:

• Mark gives us an overview of the states’ recently updated antitrust complaint against Alphabet's Google.
• Tatyana and Dmitri talk about the implications of the Commerce Department sending information requests to the world’s top chipmakers.
• Tatyana explains (as much as anyone can) Elon Musk’s decision to sell a bunch of Tesla stock because that’s what Elon Twitter wanted. We note that Elon promised the SEC he'd show his tweets to a lawyer in advance if they might move the market and wonder whether he actually found a lawyer who thought that tweet was a good idea.
• I do a quick victory lap for having suspected that Frances Haugen’s incoherent retreat from criticizing Facebook’s end-to-end encryption was forced on her by the Silicon Valley version of the Deep State. Thanks to Politico, we now know her European tour was run by a batch of lefty digerati who may hate Facebook, but not as much as they hate the FBI.
• And I mourn the fact that this week the U.S. government finally surrendered to Microsoft and joined the Paris Call for Trust and Security in Cyberspace.

Download the 383rd Episode (mp3)  

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

We're joined for this episode by Scott Shapiro, long-time listener and first-time panelist, not to mention our first philosopher. He breaks down the Biden administration sanctions against four offensive cyber firms, most notably the Israeli company, NSO. Imposing Commerce Department "entity list" sanctions on companies from friendly countries for human rights abuses is a departure from historical practice, and exactly how it will work out remains uncertain. The sanctions are not a death penalty for companies like NSO, we conclude, since U.S. companies can still buy their services even if they can't sell NSO anything more sophisticated than toilet paper. 

The Pentagon is a bastion of top-down cybersecurity regulation. In theory, that's what the Cybersecurity Maturity Model Certification program was all about – comprehensive and mandatory cybersecurity regulation for defense contractors. But as Nate Jones describes it, the Department of Defense's effort to actually put the regulations in place are a cautionary tale. Now the Pentagon has revamped and delayed its standards again. The new proposal may well be more workable and less bureaucratic than the last, but it also pushes the day of reckoning for contractors years into the future.

Jamil Jaffer thinks the good guys may have won another battle with ransomware gangs, but it's probably too soon to tell. On the heels of REvil claiming to be out of business, DarkMatter is making similar noises. But we won't really know until the gangs have gone quiet for more than a couple of months.

Decoupling is still proceeding apace. Yahoo surprises us all by announcing that it's pulling out of China. (Part of the surprise was that I'd forgotten they were still in.) Jamil and Nate note that GitHub is the last big Western web company left in China. And even for GitHub, the ice appears to be cracking under its feet. 

Scott takes us deep into jurisprudential philosophy as he covers the ACLU's threepeat loss in a case that argued for a first amendment right to read classified FISA court opinions. It may be a first for our podcast to reference Marbury v. Madison, and it's certainly a first to question whether it was correctly decided. Jamil also gives us a quick assessment of what Justice Gorsuch's willingness to take the case tells us about his future role in national security cases.

Nate and I give the backs of our hand to legislative proposals to expand from "Five Eyes" to Nine. I make the argument that we're really down to Three.

Clearview AI took a beating Down Under for breaching Australians' privacy law. Nate is short on sympathy. He thinks a more responsible set of actors might have prevented the toxification of face recognition.  I argue that the toxification came first, and the dearth of big respectable face recognition firms came later. As witness Facebook being driven from the market by a $650m award under the Illinois Biometric Privacy Act.

In quick hits:

• For old time's sake, Nate and I clash over lefty efforts to define a lack of enthusiasm for climate-based regulation as "digital hate;"
• Jamil and I offer qualified endorsements of the State Department's new cyber bureau;
• I namecheck podcast regular Paul Rosenzweig and others for a thoughtful report on Chinese platforms in the United States; and
• I see some good news for cybersecurity in the Cybersecurity and Infrastructure Security Agency's latest Binding Operational Directive mandating that federal agencies quickly patch vulnerabilities that we know are being exploited right now. The directive is addressed to federal agencies but aimed quite deliberately at private owners of critical infrastructure. Don't say you weren't warned!

Download the 382nd Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

For this edition of Cybertoonz, I thought I'd do the art myself. Which is how I discovered that, embarrassingly, I can't even draw stick figures as well as xkcd's Randall Munroe. Luckily, Munroe has authorized reproduction of his cartoons with credit, so I cheerfully admit that I've reproduced and then tweaked this brilliant xkcd cartoon.

In fact, that's the point.

In this episode, Dave Aitel and I dig into the new criminal law the House intelligence committee has proposed for workers at intelligence agencies. The proposal is driven by the bad decisions of three intel agency alumni who worked for the UAE under the sobriquet of Project Raven, doing phone hacking and other intrusions that the U.S. government would not have approved. Dave criticizes the broad language of the House provision, its assumption that hacking for the government teaches things you can’t learn in the private sector, and the use of criminal penalties where reporting obligations would suffice. Those interested in more details can download a podcast on the topic released by the Association of Former Intelligence Officers.

Maury Shenk and I explore the FCC’s decision to kick China Telecom off the U.S. telecommunications network. My view: this decision was overdetermined, a perfect storm of bad politics, poor decisions by China Telecom, and the fact that no American company has ever been licensed to do in China what China Telecom was allowed to spend 20 years doing in the United States.

We also dig into the proposal of a global regulatory alliance, the Financial Action Task Force (“FATF”), to impose some fairly strict requirements on cryptocurrency transactions.  A lot of companies are criticizing the proposal, but unlike five years ago, their advocacy has to contend with the rise of an entire ransomware industry that depends on cryptocurrency.

The EU, meanwhile, is struggling to implement sanctions for cyber-attacks. As usual, Europe is its own worst enemy, tied down by excessive politicization, weak intelligence collection made weaker by a lack of sharing, and aggressive judicial oversight.

Maury and I track down a tip about France trying to turn cloud security standards into a weapon for excluding U.S.-owned cloud providers. It wants the big cloud companies deemed insecure because they aren’t immune to U.S. legal process. But neither are the “big” European champions, since they too are almost certainly subject to U.S. jurisdiction. So not only will  the proposed standard leave EU buyers of cloud services stuck with providers whose market share is 2% on a good day, they still won’t be safe from the long arm of U.S. discovery. European data protection policy at its finest!

We briefly consider Facebook whistleblower Frances Haugen’s flirtation with criticizing Facebook for adopting end-to-end encryption (“e2e”). Once she discovered that criticizing e2e encryption is Not Acceptable Behavior, however, she retreated into a cloud of incomprehensibility.  I have captured the moment in my latest effort to turn cyber policy into cartoons.

Download the 381st Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Who knew?  It turns out even a media heroine can't beat up the media's favorite whipping boy if that means criticizing end-to-end encryption.

We begin this episode with Michael Ellis taking a close look at the U.S. government's takedown of the REvil ransomware gang. It's a good story for the good guys, as REvil seems to have been brought down by the same tool it used against so many of its victims – malware that lingered in the backup data needed to restore the network. I note that this seems to be a continuation of efforts that were interrupted in the early summer – amid criticism that the FBI had prioritized its planned takedown over giving victims the decryption key. Now that the takedown has happened, it looks like the FBI is getting the last laugh.

The U.S. is trying . Michael thinks that the effort to hold Putin responsible for stopping Russian ransomware gangs is set back by recent statements in which the Pentagon raised doubts about whether Putin actually has the ability to stop the attacks.

One technology where Russia's does have more capability than expected is, naturally, its ability to censor and suppress criticism, both on domestic and Western platforms. David Kris discusses the kinds of hostages Russia has learned to take, and its success in bringing Western social media to heel.

The U.S. Commerce Department has released a complex new rule for the export of network intrusion tools. Meredith Rathbone, from Steptoe's trade regulation practice, boils the rule down to a few soundbites. The short version? Commerce has done a pretty good job of protecting legitimate distributors of intrusion software, but even the good guys are going to have to save a lot more receipts.

Michael and Paul Rosenzweig reprise the latest news about content moderation, particularly Twitter's own study showing that its algorithms benefit more conservative than left-wing content. That raises the question whether right-leaning commentary and news is more popular because more people want it. If so, the employees at Facebook are determined to keep it from them; recent leaks show aggressive internal efforts to squash Breitbart's reach on the platform.

David and I unpack Ian Bremmer's Foreign Affairs article on "How Big Tech Will Reshape the Global Order." David sees more in the piece than I do.

Paul and Michael kick off a discussion of US negotiations with the EU over transatlantic data flows. But in no time, all four of us join in. We offer some solutions, and plenty of criticism for the EU. (Okay, maybe "the continent that invented hypocrisy" was a little harsh.)

David notes that NSA is pursuing more collaboration with the private sector. How well that will work out is still TBD, we agree.

In quick hits and updates:

• I note with irony that Frances Haugen has discovered the limits of criticizing Facebook.  Whatever you do, you can't criticize WhatsApp's growing use of end2end encryption, even if it does allow the service to ignore foreign cyberespionage.
• Trump and TRUTH are together at last, and Paul has the details. Bottom line: it feels like a typical Donald Trump production: great hype, plenty of controversy, and weak execution.
• Hackback, isn't dead, it turns out, yet. I discuss the political and business advocates for a kinder, gentler version of private hackback, modeled on private investigators.

Download the 380th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Fresh from his launch of the Alperovitch Institute for Cybersecurity Studies, Dmitri Alperovitch kicks off this episode with a hopeful take on the 31-nation US-sponsored videoconference devoted to combatting ransomware. He and Nate Jones both think a coordinated international effort could pay off. I challenge Dmitri to identify one new initiative that this group could enforce, and he rises to the occasion.

Dmitri also previews one of the proposals for regulating Silicon Valley that might yet make it through Congress – a ban on "self-preferencing" by platforms that sell both their own and other people's products. It's all eerily similar to China's even more aggressive use of antitrust remedies against companies like meal delivery giant Meituan.

Tatyana Bolton, meanwhile, identifies a second front in the attack on Big Tech – regulation of algorithms. This leads us into a discussion of freedom of speech versus "freedom of reach" and a WSJ story on the weaknesses of Facebook's AI system for downrating (but only occasionally deleting) "hate speech." I argue that social media will ultimately rely even more heavily on AI-administered restrictions on user reach, if only as a way to make sure the victims of Silicon Valley censorship never realize how much their voices are being squelched.

Microsoft has given up its ambitions for LinkedIn's China operations, Dmitri notes, dropping the social media elements of the service and moving it closer to straight job listings. I argue that the retreat was overdetermined by the Chinese government's extraction of both financial and political concessions from Microsoft.

But if China is slowly poisoning its high-tech sector, why does a former Pentagon official think the U.S. has lost the AI race to China? Nate and I are cautiously skeptical of that view, not least because of the official's, uh, provenance.

In more news about Chinese regulation, it turns out that the Chinese ban on crypto-mining didn't quite reach the crypto miners using state resources.

Tatyana and I dig into WhatsApp's somewhat limited adoption of encrypted backups, and the policy's likely impact on law enforcement and criminals. Later, I also nod to the critique of "client-side scanning" (i.e., Apple's child porn solution) offered by All the Usual Cryptographers.

In comic relief, the governor of Missouri embarrasses himself by threatening criminal prosecution after a state website's security flaws are exposed by a reporter who seems to have done all the right things from a responsible disclosure point of view.

In other quick hits,

• I report on Facebook's appeal of the magistrate opinion unexpectedly gutting the Stored Communications Act for everyone who's ever been deplatformed by social media.  It's a workmanlike effort, but not as persuasive as fans of the SCA might have hoped. This could turn out to be real trouble for the SCA.
• Dmitri breaks down the federal government's plan to issue SD cards to all its employees for network access. It's a good idea, he thinks, but saying it will end phishing of employees is more fond hope than reasonable expectation.

Download the 379th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

I'm always looking for ways to talk about cyberpolicy without being a bore about it. Twenty-page think tank papers have their place, and I once wrote a book with over a thousand footnotes, but I started podcasting to make cyberpolicy a little more accessible.

Now I'm trying something that I hope will be even more fun – occasional cartoons. I was a big comic book fan in my youth, and in college I drew and published a few underground comix, so sooner or later it was inevitable that I'd return to the form as a way to talk about law and policy.  I couldn't draw in college and I still can't, but the Federalist Society's Regulatory Transparency Project (which takes no positions on particular legal and public policy matters) has kindly agreed to an experiment in turning my ideas into comic form. The experiment will last as long as the Project's patience and my enthusiasm do. In the meantime, I hope you enjoy them.

Here's the first, a commentary on Europe's data protection policy and just how neatly the European and Chinese penchants for discretionary punishments coincide.

The theme of this episode is the surge of creativity in the Biden administration as it searches for ways to regulate cybersecurity and cryptocurrency without new legislative authority. Paul Rosenzweig lays out the Department of Homeland Security's entries in the creativity sweepstakes: New (and frankly pretty modest) cybersecurity directives to the rail and air industry plus a much more detailed (and potentially problematic) set of requirements for pipeline companies. Matthew Heiman describes a Justice Department plan for enforcing cybersecurity rules for federal contractors that should chill the hearts of management: an initiative that raises the prospect of whistleblower suits under the False Claims Act for failure to disclose breaches to the government. I suggest that this means the notoriously short tenure of the Chief Information Security Officer (CISO) at large companies will now come with a built-in retirement compensation package.

Creativity in regulating cryptocurrency was signaled both by the White House, which is working on a broader and more coordinated regulatory approach and by the Justice Department, which is planning a major criminal investigative approach to the industry. Nick Weaver gives us the details.

Paul covers a remarkably creative assertion by the Committee on Foreign Investment in the United States (CFIUS) of jurisdiction over a Chinese firm's purchase of Magnachip, a semiconductor company with virtually no ties to the United States. Despite having no obvious skin in the game, CFIUS insisted on a CFIUS filing under President Trump and then vetoed the deal under President Biden. I suggest that the claim of extraterritorial jurisdiction, which in other circumstances might have annoyed South Korea, is in this case a good way for South Korea to avoid taking heat from China.

Paul explains why the Facebook outage was a much bigger deal than Americans realized. If you were living in Costa Rica, the loss of Facebook and WhatsApp, he says, could have greatly complicated every aspect of daily life, including calling the fire department or other emergency services.

Paul digs into the return of "hactivism" – not to mention the return of skepticism about hactivism. I marshal the evidence that the Pandora Papers were the result of hacks, not leaks – and roast the newspapers feasting on the data for their utter hypocrisy. Hey, Marty Baron, top editor at the Washington Post! We haven't forgotten that in reaction to the Democratic National Committee (DNC) leaks of 2016, you said

"Before reporting on the release of hacked or leaked information, there should be a conversation with senior editors about the newsworthiness of the information, its authenticity and whether we can determine its provenance... If a decision is made to publish a story about hacked or leaked information, our coverage should emphasize what we know—or don't know—about the source of the information and how that may fit into a foreign or domestic influence operation. Our stories should prominently explain what we know about the full context of the information we are presenting, including its origins and the motivations of the source, including whether it appears to be an effort to distract from another development."

We're still looking for that "full context" in the Pandora Papers or the Epik leaks.

Nick fills us in on Facebook's extreme reaction to the creation of a tool that allows users to escape the News Feed. I discover that I completely missed the central Facebook experience because I semi-inadvertently disabled the news feed.

Paul offers some surprising news about the limits of Artificial Intelligence (AI). Turns out, it's not that good even at some of the things it should be superb at, like radiology scanning.

Nick and I explore Google's acceptance of warrants seeking access to the identities of people using particular search terms. He thinks that this has gone on under the radar for some time because both government and Google think the public reaction will be bad for business.

Finally, in two quick hits:

• I brag that I now have proof that I'm one of the 14,000 Gmail users feared most by the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU): Google caught the Russian spy agency trying to phish me with a doctored Word document.
• And Matthew reveals what the Russian SolarWinds hackers were looking for. Which leads to this bit of good news: U.S. sanctions are really getting under Putin's skin. 

And More!

Download the 378th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Industrial policy is all the rage in Washington, spurred by China's aggressive and sometimes successful use of industrial policy tools. I've lived through a few past enthusiasms for industrial policy, and I'm hoping this time we've learned lessons from the past.  That at least is the premise of my op-ed today in The Hill. Here's the lead:

At the start, we should recognize that letting governments pick economic winners and losers is wasteful, inefficient and corrupting. For the West, and open capital-market economies such as the U.S. and the UK, it’s hard to think of a worse policy — other than the alternative, which is to let China pick winners and losers for the world. 

So, we need a way to counter China without making a politicized mess of everyone’s economy. As they embark on that effort, here are six rules I’d commend to Western governments.

This is the meatiest episode in a long time, as Dmitri Alperovitch, Dave Aitel, and Mark MacCarthy go deep on the substance of a dozen stories or more. 

First up, Dmitri and I speculate on possible outcomes from the newly announced administration plan to convene 30 countries to crack down on ransomware. We also report on what may be the first confirmed death resulting from the equipment failures caused by ransomware – a newborn strangled by its umbilical cord because the hospital's usual electronic warnings weren't operating. 

Dmitri also explains a new cryptocurrency regulatory topic unrelated to its use in ransomware schemes – the move to ensure the financial stability of stablecoins. 

Dave weighs in on two surprising provisions of the House intel authorization bill. The first would respond to the Project Raven incident by imposing new controls on ex-spies working for foreign governments. No one is against the idea, but no one thinks that the problem is limited to alumni of a few intelligence agencies. And the bill’s sweep is far broader than cases like Project Raven. I fear that as written it may criminalize ex-spies giving security advice to Airbus, or perhaps even the Atlantic Council.

The second provision imposes requires reports on U.S. government purchases of computer vulnerabilities from foreign vendors. This leads to a discussion of which nation has the best offensive talent. Dave thinks the old champ has been decisively dethroned. 

In other legislative news, Dmitri covers the three committee drafts on cyber incident reporting, with special emphasis on the recently leaked bill from Senate Intel. It’s a very tough bill, perhaps designed to stake out negotiating room with the Homeland committees. I ask, “What’s the difference between Europe’s staggering fines for General Data Protection Regulation (GDPR) violations and this bill's fines for violating cyber reporting obligations?” The answer: "about two weeks," at which point the maximum fine due to the U.S. will exceed the top European fine.

Mark gives an overview and some prognostication about Google’s effort to overturn the EU’s $5 billion antitrust fine for its handling of Android. 

Dmitri and I find ourselves forced to face up to the growing soft power of Russia and China, now increasingly forcing Silicon Valley companies to project Russian and Chinese power into the West. Russia, having forced Apple and Google to send it hostages in the form of local employees, is trying to use its leverage to control what those companies do in countries like Germany. And Linkedin, the last Western social media company still standing in China, is trying to keep that status by asking Americans to self-censor their accounts.

At Dave’s request, we visit a story we missed last week and explore all the complex equities at work when the FBI decides whether to use ransomware keys for remediation or disruption.

Mark gives an overview of the new Federal Trade Commission, where regulatory ambition is high but practical authority weak, at least until the Senate confirms a third Democratic commissioner. Waiting in the wings for that event is a even more antitrust action, possible new online privacy rules and Commissioner Slaughter’s enthusiasm for imposing racial equity quotas under the guise of algorithmic fairness.

Dmitri offers his best guess about the recent Russian arrest of a cybersecurity executive for treason (that’s the second in five years if you’re counting) and the US decision to send a Russian scammer back to Russia after bitterly fighting to extradite him from Israel.

 In quick hits:

• Dmitri makes a public service announcement about the ways that Two-Factor Authentication (2FA) can be subverted. 

• I celebrate some good news for the U.S.: China is planning to encourage provincial controls on the design and use of social media algorithms. That’s bound to give US companies a new competitive advantage in a field where TikTok has surpassed them.

• Dave and I dissect the guilty plea of former Ethereum developer Virgil Griffith, accused of violating U.S. sanctions by giving a bland speech on cryptocurrency in North Korea.

• I give the highlights of two new and eminently contestable cyberlaw rulings:

• In U.S. v Wilson, the Ninth Circuit decided that law enforcement needs a warrant to open files that it knows from hashes are 99.9% certain to be child porn. The decision would be unfortunate if it weren’t meaningless; the hash itself provides probable cause, so warrants will be quickly and routinely issued. Thanks for the make-work, EFF!

• And a magistrate judge clearly gunning for promotion has written a Stored Communications Act opinion that empowers Silicon Valley’s Trust and Safety operatives to de-platform people and then turn their posts over to law enforcement without the subpoena they usually demand. I would worry more about those consequences if I thought the opinion would survive.  

• And, finally, Dmitri is pleased to find one field where AI is succeeding without controversy, as machine learning declares a famous Peter Paul Rubens painting, Samson and Delilah, to be a fake. But how long, I wonder, before this AI is forced by the FTC to correct its notorious anti-Flemish bias?

And More!

Download the 377th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

In this episode, we welcome Nick Weaver back for a special appearance thanks to the time-shifting powers of podcast software. He does a sack dance over cryptocurrency, flagging both China's ban on cryptocurrency transactions and the U.S. Treasury's sanctioning of the SUEX crypto exchange.

Maury Shenk then explains the plans that the Biden administration and the EU have for Big Tech and the rest of us. Hint: it involves more content moderation in support of, er, democracy.  

Adam Candeub gives us a tour of the Wall Street Journal's deeply reported series on Facebook's difficulties managing the social consequences of, well, the internet, a responsibility that the press is determined to impose on the company. Among the quasi-scandals turned up by the Journal is the "secret elite" of users protected from Facebook's clunky and clueless content moderation algorithms. But really, in today's world, true power is all about escaping the algorithms otherwise imposed on us by various authorities. Every one of us aspires to join that elite. And perhaps we all can, if Ohio's Attorney General and its latest Senate candidate get their way, with a lawsuit to turn Google into a common carrier. (If that happens, we'll credit Adam, who wrote an amicus brief in support.)

And what's an elite without its hands on the levers of industry? China's embrace of national champions on the world stage has forced a rethinking in the West of industrial policy. Hence, the auto industry's commercial problem (they want cheap, plentiful, and antiquated chips for their cars) is suddenly a matter for White House meetings, and hints that the government might have its own supply allocation plans and powers.

In fact, regulating the private sector is so in vogue, as long as it's a tech-ish part of the private sector, that California barely made news when it imposed a new and almost undefinable regulatory obligation on warehouse companies like Amazon.  The law, requiring notice and imposing vague limits on production quotas, is at bottom, I argue, an attempt to put workers back on top of the algorithm – by demanding that it explain itself.

Maury next takes us to the heart of algorithmic power and our unease with it, explaining that Google now admits that it has no idea how to make AI less toxic.

In quick hits:

• The Washington whispers about Zoom's ties to China have grown louder, as the US government announces a national security review of Zoom's proposed acquisition of Five9 for $15 billion.
• Contrary to my understanding, at least one former intel operative who went to work for the United Arab Emirates in Project Raven landed very much on his feet – as CTO at ExpressVPN, though company employees are now expressing unhappiness about his history.
• And podcast regular Dmitri Alperovitch has an op-ed in the New York Times that (no surprise!) urges much tougher tactics in the fight against ransomware gangs.

Download the 376th Episode (mp3)  

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Jordan Schneider rejoins us after too long an absence to summarize the tech policy coming out of Beijing today:  In essence, just about any Chinese government agency with a beef against a tech company has carte blanche to at least try it out. From Didi and others being told to stop accepting new users to cutting off Western IPOs, to forced contributions to common welfare, China's beefs with Big Tech sound a lot like those in the West (well, except for conservative complaints about AI-enabled censorship). What's different is that China has freed its agencies to actually throw a thousand buckets of sand in the gears of technology businesses. Jordan and I explore the downside of empowering agencies in this way. First, it makes the Chinese government responsible for an enormous and hard to govern part of the economy, as the government's problems with the overvalued property sector show. And it creates opportunities for companies that are better at politics than customer service to cripple their competitors.

In the U.S. something similar is afoot. Michael Weiner unpacks the new, amended complaint in FTC v. Facebook and concludes that the FTC has done a plausible job of meeting the objections that led the district court to throw out the first complaint. Then he lists several buckets of sand the Biden administration is dumping into technology merger law in the hope of slowing a massive acquisition boom: no longer granting early termination, insisting on future merger approvals in standard consent agreements, issuing "close at your own peril" letters when agencies haven't finished their review, and replacing the Vertical Merger Guidelines issued in June 2020 with, uh, nothing.

Pete Jeydel takes us on a tour of Project Raven and the deferred prosecution agreements imposed on three former U.S. government hackers who sold their services to the UAE and ended up way outside the bounds of U.S. law. The cases raise several novel legal issues, but one of the mysteries is why the prosecutors ultimately settled the cases without jail time. My guess? Graymail.

In quick hits and updates we note that:

• TikTok faces an Irish General Data Protection Regulation ("GDPR") probe over children's data and – more significantly – its transfers of data to China. What's most remarkable to me is how long TikTok staved off this scrutiny. Who says Donald Trump was bad for Chinese tech companies?
• President Biden has nominated a 5th Federal Trade Commission Commissioner. Alvaro Bedoya is a Georgetown Law professor who writes about privacy and face recognition. There's a lot of dumb stuff out there about AI bias and face recognition, but I'm pleased to say that it doesn't look as though Prof. Bedoya wrote any of it.
• The special prosecutor for Russia-Russia-Russia-gate has indicted a Perkins Coie lawyer for lying to the FBI general counsel while turning over a bunch of bogus evidence of Donald Trump's ties to Russia. Turns out, I know all of the principals in this drama; talk about uncomfortable.
• Captain Obvious, speaking for the FBI, acknowledged that there is "no indication" Russia has cracked down on ransomware gangs after President Biden yelled at Vladimir Putin about them.
• The 4th Circuit has tossed out Wikimedia's money-wasting lawsuit challenging National Security Agency's collection of overseas intelligence in the U.S.
• And Bolsonaro's ban on social media censorship of politicians has been doubly overturned, by both the Brazilian Senate and its Supreme Court, leaving Bolsonaro's decree in the same limbo as Florida's (and, probably soon, Texas's) effort to do something similar.

Download the 375th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

The district court has ruled in the lawsuit between Epic and Apple over access to the Apple app store. Apple is claiming victory and Epic is appealing. But Apple's victory is not complete, and may have a worm at its core. Jamil Jaffer explains.

Surprised that ransomware gangs REvil and Groove are back – and thumbing their noses at President Biden? Dmitri Alperovitch isn't. He explains why U.S. ransomware policy has failed so far.

WhatsApp has finally figured out how to let users encrypt their chat backups in the cloud, to the surprise of many users who didn't realize their backups weren't encrypted. Meanwhile, the UK is looking for ways to hammer social media over end-to-end encryption.

Speaking of the encryption debate, Dmitri notes that Proton Mail joined the scrum this week, in a way it no doubt regrets. After all its bragging that mail users' privacy is "protected by Swiss law," Proton Mail disclosed that Swiss law can be surprisingly law enforcement friendly. Responding to a French request through Europol, Swiss authorities ordered the service to collect metadata on a particular account and overrode what had been seen as a Swiss legal requirement that users be notified promptly of such actions.

Is China suffering from GRU envy? I ask and David Kris answers: It sure looks that way, as China has begun trying to rally Chinese in America to support Chinese government positions on things like the origin of COVID. So far, China's record of success is as dismal as Russia's GRU, which has been unable to directly incite social conflict in the US, but I argue that China's effort poses a bigger problem for the body politic and for Chinese American interest groups.

Who'd have guessed? Turns out that the EU's flakey General Data Protection Regulation ("GDPR") prohibition on allowing automated decision making to affect people directly isn't just a twee nostalgia exercise; it's yet another reason that Europe is being left behind in the technology race. Jamil reports on a high-powered UK task force recommendation that the Brits dump the provision in order to allow for the growth of a British AI industry.

Brazilian President Jair Bolsonaro has banned social networks from removing political posts. David and I debate the meaning of the move for global internet governance.

And in a few quick hits:

• I praise the Biden administration (faintly) for finally kicking off serious negotiations with the EU about transatlantic data transfer.
• Dmitri dissects the undiplomatic speech of China's ambassador to the U.S.
• David downloads the inside poop on smart toilets. Among other things, they'll be identifying us with, uh, let's just call it the opposite of facial recognition. Which raises the question: Once they can identify us, how long before "woke" Silicon Valley toilet engineers start canceling those of us who commit the microaggression of leaving the toilet seat up?
• And Dmitri offers his solution for the dual European Community ("EC") encryption story.

And More!

Download the 374th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Back at last from hiatus, the podcast finds a host of hot issues to cover. Matthew Heiman walks us through the many ways that China and the US found to get in each other's way on technology. China's new data security and privacy laws take effect this fall, and in keeping with a longstanding theme of the podcast – that privacy law is mostly about protecting the privilege of the powerful -- we muse on how legal innovations in the West have empowered China's rulers. The SEC is tightening the screws on Chinese companies that want to list on American exchanges. Meanwhile, SenseTime is going forward with a $2 billion IPO in Hong Kong despite being subject to the stiffest possible Commerce Department sanctions. Talk about decoupling!

In Washington, remarkably, a bipartisan breach notification law is moving through both House and Senate. Michael Ellis explains the unorthodox (but hardly unprecedented) path the law is likely to take – a "preconference" followed by incorporation into the defense authorization bill scheduled to pass this fall.

I ask Brian Egan about tech fallout from the fall of the U.S.-backed regime in Afghanistan. All things considered, it's modest. Despite hand-wringing over data left behind, that data may not be really accessible to the Taliban. Google isn't likely to turn over government emails to the new regime, if only because US sanctions make that legally risky. The Taliban's use of WhatsApp is likely to suffer from the same sanctions barrier.  I predict a Taliban complaint that sanctions are forcing it to run a twelfth century regime with twentieth century technology.

Meanwhile, Texas Republicans are on a roll, as Dems forced to return to the State House sit on their hands. Texas has adopted a creative and aggressive antiabortion law, and tech companies have responded by canceling services for pro-life groups and promising to defend gig workers who are caught up in litigation. Texas has kept pace, adopting a bill that limits Silicon Valley censorship of political speech; it raises many of the same issues as the Florida statute, but without Florida's embarrassing prostration before the Disney theme park empire. I ask whether Texas could have used the same tactics for its interpretation of section 230 that it used in the abortion bill – authorizing private suits but not government enforcement. Such tactics work when there is a real possibility that the Supreme Court will overturn some circuit rulings, and section 230 is ripe for exactly that.

Matthew Heiman and I debate whether the Justice Department's dropping of several Chinese visa fraud cases heralds a retrenchment in Justice's China Initiative.

Michael and I dig into the Apple decision to alienate the privacy lobby in an effort to do something about child sex abuse material on iPhones – and Apple's recent decision to alienate the rest of the country by casting doubt on whether it would in fact make an effort to do something about child sex abuse material on its phones.

Finally, in quick hits, Brian doubts the significance of claims that the Israeli government is cracking down on NSO Group over spyware abuse. Michael picks apart the Cyberspace Solarium Commission's report card on Congress's progress implementing the Commission's recommendations. And Brian highlights the UK's new and much tougher version of CFIUS, the National Security and Investment Act 2021. I turn that into career advice for our listeners.

Download the 373rd Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

The CIA's long-time acting general counsel, John Rizzo, died suddenly earlier this month. Lawfare published my tribute to the man, reproduced below.

John Rizzo and I shared a path that goes back more than 50 years. We had parallel careers in the intelligence community and then in private practice at Steptoe & Johnson, but we first met as undergrads at Brown. John used to joke that this accounted for our good working relationship. The 1960s gave us each a bottomless fund of kompromat.

In fact, the real secret was John’s deep reserve of institutional wisdom disguised as tart irony. In this regard, John’s book, “Company Man,” is as true to the man as any memoir ever written. It captures his refusal to take himself too seriously while taking with utmost seriousness his responsibility to apply the law to intelligence operations. For decades he was the last word on what CIA operatives could and could not do within the law. He knew that these judgments were as much about political prognostication as about applying abstract principles of law, and that critics of the American intelligence agencies would always second-guess his conclusions.

So he clearly foresaw the political winds that would prevent his formal promotion to CIA general counsel, though he had probably been the agency’s de facto top lawyer longer than anyone who actually held the title. He knew that using harsh interrogation techniques would sooner or later make the agency vulnerable to claims of lawlessness and torture. He may not have been convinced that the techniques in question would be crucial to preventing another attack or defeating Al-Qaeda, but he was clear that the final call should not be made by lawyers. He threw everything into the effort to give the nation’s leaders room to make the decision, including, it turned out, his own reputation.

I never heard John complain about the outcome of that chapter in his career. He was disappointed but not surprised by the attacks on the agency or on him. I think he was satisfied that he’d done his best to protect his institution from the kind of scandal that had engulfed it so often in the past. And events have largely proved him right.

He brought to that final chapter the same gentle humor that stirred realism into all his legal advice over the years. He even predicted—accurately—that his critics would use his obituary to get in a few last kicks.

John’s irony was a bit like President Truman’s 1948 “Give ’em hell, Harry” campaign. Truman insisted, “I never did give them hell. I just told the truth, and they thought it was hell.” So it was with John Rizzo. He just told the truth, and everyone treated it as humor.

I’m going to miss that. Just days before his death, John and I were exchanging messages about tricky intelligence law issues. His vision of how politics and law would shape the answer was as clear and humor-tinged as ever. But some hard truths cannot be softened by irony. The death of John’s wife, Sharon, in April of this year was one. If the official cause of his death was a heart attack, the more accurate cause was a broken heart. In the end, even knowing that he’d done his duty as he saw it was not enough to keep him going.

That’s true of us all, of course. The British political leader Enoch Powell once said that all political careers end in defeat. Certainly all public lives end in death. What matters is not the ending but the doing. Judged in that light, John’s is a life to be proud of.

The Biden administration’s effort to counter ransomware may not be especially creative, but it is comprehensive. The administration is pushing all the standard buttons on the interagency dashboard, including creation of a high-level task force and a $10 million reward program (but not including hackback authority for victims, despite headlines suggesting otherwise). And all the noise seems to be having some effect, as the REvil ransomware gang's web sites have mysteriously shut down. Nick Weaver reminds us (in song, no less) that the government’s efforts to stop scourges like Trickbot have a distinct whiff of Whac-a-Mole, and the same may be true of REvil.

Our interview is with Josh Steinman, who served as the National Security Council’s Cybersecurity Senior Director for the entire Trump administration. He offers his perspective on the issues and the personalities that drove cybersecurity policy in those chaotic years. As a bonus, Josh and I dig into his public effort to find a suitable startup, an effort we have to cut short as I start getting too close to one of the more promising possibilities.

Maury Shenk covers the Biden administration’s belated but well-coordinated international response to China’s irresponsible Microsoft Exchange hack, including the surprising revelation that China may be back to hacking like it’s 1999 – relying on criminal hackers to serve the government’s ends.

In other China news, Maury Shenk and Pete Jeydel catalog the many ways in which the current Chinese regime is demonstrating its determination to bring China’s tech sector to heel. It’s punishing Didi in particular for launching a U.S. IPO despite go-slow signals from Beijing. It’s imposing cybersecurity reviews on other companies that IPO outside China.  And it seems to be pressing for competition concessions that the big tech companies would have successfully resisted a few years ago.

It was a big week for state-sponsored attacks on secure communications. Nick and I dig in the FBI and Australian federal police coup in selling ANOM phones to criminal gangs. Previewing a forthcoming article for Lawfare, I argue that the Australian police may have to answer tough questions about whether their legal authority for the phone’s architecture really avoided introducing a systemic weakness into the phone’s security.

Law enforcement agencies around the world could face even tougher questions if they’ve been relying on NSO or Candiru, Israeli firms that compromise mobile phones for governments. Both firms have been on the receiving end of harsh forensics analyses from Amnesty International and Citizen Lab. Nick thinks the highly specific and centralized target logs are particularly a problem for NSO’s claims that it doesn’t actually know the details of how its malware is deployed.

Pete Jeydel tells us that the administration is learning to walk and chew gum on cybersecurity at the same time. While coordinating pushes on Chinese and Russian hacks, it also managed to get big chunks of the government to turn in their federal cybersecurity homework on time. Pete talks us through one of those assignments, the NTIA’s paper setting minimum elements for a Software Bill of Materials.

It wouldn’t be the Cyberlaw Podcast without a brief rant on content moderation. The Surgeon General claimed this week that “Misinformation takes away our freedom to make informed decisions about our health.” He didn’t say that administration censorship would give us our freedom back, but that seems to be the administration’s confident view, as the President, no less, accused Facebook of “killing people” by not jumping more quickly to toe the CDC’s official line. (He later walked the accusation back.)

And if you thought the censorship would stop with social media, think again.  The White House is now complaining that telecom carriers also should be screening and suppressing text messages that are hostile to vaccinations.

Finally, just to show that the world has truly turned upside down, Maury reminds me that a German – German! – court has fined American social media for violating freedom of expression by too enthusiastically censoring a lockdown protest video.

Pete tells us what’s in the new Colorado privacy bill. Short version: it joins Virginia in some of hosing down California’s excesses.

And in short takes:

• Maury explains Vietnam's version of China’s fifty-cent army.

• Nick explains why Psiphon is a better tool for evading Cuban censorship that the sleaze-infested Tor system.

• Maury updates me on the European Parliament LIBE committee’s latest proposal for accepting the U.S. intelligence community’s transatlantic surrender on data flows.

• And Pete tells us that the SEC may finally be putting the screws to companies that have been lax about reporting breaches to their investors.

And More!

Download the 371st Episode (mp3)  

Reminder: this is the last regular episode before our August hiatus, although we will do at least one episode on cryptocurrency in coming weeks.

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.