Skating on Stilts

David Kris, Paul Rosenzweig, and I dive deep on the big tech issue of the COVID-19 contagion: Whether (but mostly how) to use mobile phone location services to fight the virus. We cover the Israeli approach, as well as a host of solutions adopted in Singapore, Taiwan, South Korea, and elsewhere. I’m a big fan of Singapore, which produced in a week an app that Nick Weaver thought would take a year.

In our interview, evelyn douek, currently at the Berkman Klein Center and an SJD candidate at Harvard, takes us deep into content moderation. Displaying a talent for complexifying an issue we all want to simplify, she explains why we can’t live with social platform censorship and why we can’t live without it. She walks us through the growth of content moderation, from spam, through child porn, and on to terrorism and “coordinated inauthentic behavior” – the identification of which, evelyn assures me, does not require an existentialist dance instructor. Instead, it’s the latest and least easily defined category of speech to be suppressed by Big Tech. It’s a mare’s nest, but I, for one, intend to aggravate our new Tech Overlords for as long as possible.

Returning to the News Roundup, Nate Jones and evelyn mull the head-spinning change the virus has made in the public reputation of Big Tech, but Nate wonders if Silicon Valley's PR glow will last.

Meanwhile, China is celebrating its self-proclaimed victory over COVID-19 by borrowing Russian tactics to spread coronavirus disinformation. I argue that any country adopting Russia’s patented “Who knows what’s true?” tactics probably has something to hide. Because the Russians usually do.

We take advantage of evelyn’s Aussie ties to get a translation (and an apology) for Australia’s latest venture into the business of blocking graphic violent content.

David and Paul review the White House’s National Strategy for 5G Security. They talk for two minutes, but they say more than the strategy does.

The House of Representative has irresponsibly bolted for home without even a temporary reauthorization of expiring FISA authorities. Paul and David explain why that isn’t quite the disaster it sounds like. Quite.

The NYT finds more AI bogus bias, and I invent a new term for the practice of pretending AI is a man and then attributing racism to him. We’ll see if misanthropomorphism catches on once I learn to say it without stumbling.

David says the Justice Department has brought the first fraud case stemming from the coronavirus crisis, and I suggest that case itself has a whiff of false advertising about it.

Amazon is complaining that the Pentagon is trying to fix some of the contract award problems in the big DOD cloud procurement. Paul is more sympathetic than I am.

And Paul questions the wisdom of failing to delay CCPA enforcement while the coronavirus rages across California.

Download the 308th Episode (mp3).

Take our listener poll at steptoe.com/podcastpoll. You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

.

One of the keys to slowing a pandemic is to trace infections: Find one person who’s infected. Identify, test, and quarantine all his contacts. Then trace, test, and quarantine his contacts’ contacts. Repeat until you run out of potential victims. This is pretty much the strategy followed during the current coronavirus outbreak by countries such as Singapore, South Korea and Taiwan. All three were faster off the mark than the U.S. or Europe, largely because their experience with SARS and MERS was so traumatic that they built the legal framework and the muscle memory to act quickly in the next outbreak.

The U.S. didn’t take this approach, and it was particularly hampered by botched testing at the Centers for Disease Control and Prevention and the Food and Drug Administration, from which we still haven’t completely recovered. Tests are becoming available much faster now, but widespread testing and tracing may not be feasible in places that have been hit hard, such as New York and New Jersey. In those states, more than 30 percent of the people tested have already been infected. But there are other states, such as New Mexico or Minnesota, where testing has been growing fast and infection rates are low enough that tracking infections looks like a feasible strategy. With the caveat that these numbers are undoubtedly distorted by who gets tested and how results get reported, there are still striking differences in the results among states, according to statistics compiled by the Covid Tracking Project and adjusted per capita by Buzzfeed:

For places like Minnesota, New Mexico and even Washington, President Trump may have been right when he suggested that some parts of the country could use a strategy other than lockdowns to fight the virus. If so, the best alternative will be aggressive testing and contact tracing.

The countries that did contact tracing the most effectively relied in part on technology—phone location tracking, in particular. They’ve used the location services already built into mobile phones to find others who’ve been close to those who test positive. Privacy and civil liberties advocates hate the idea in principle, but they know no one values the privacy of their location history more highly than they value the lives of their loved ones. Rather than argue directly against phone tracking, privacy advocates such as Susan Landau have instead fallen back on a couple of practical objections.

First, they argue, we don’t have enough tests to imitate Asia. Really? I know the press is full of stories about U.S. testing shortages, and there are indeed supply bottlenecks in everything from protective gear to reagents. But a Trump-loathing press has every incentive to dwell on testing shortages as an emblem of administration errors at the start of the outbreak. In fact, testing capability in the U.S. is rising dramatically. Nationwide, testing has risen from a risible level—less than a thousand in early March—to 894,000 as of March 28. And new testing capabilities are coming online fast. The test-shortage argument may have been correct relatively recently, but if it still has merit, it won’t for long.

Indeed, we may soon have enough tests for some governors to mandate South Korean-style tracking and tracing. In fact, South Korea dodged disaster with a testing rate that isn’t any higher than New York’s or Washington’s today (around 730 per 100,000). Even more remarkable, Japan and Vietnam flattened their infection curves with per-capita testing rates that are even lower—well under 40 per 100,000.

To get a tracking program in place, we’ll need to use phone data; the alternatives are too slow and rely too much on fallible memories. Which brings us to the privacy advocates’ second argument: that phone location technology won’t do the job.

They have a point. Routine cell-sector data might identify a phone’s location within a few blocks—not exactly a fine tool for measuring the risk for infection. While triangulation and other tricks can improve that resolution substantially, it usually can’t say what floor of a large building the customer was on, and in many cases, such fine-grained resolution isn’t routinely collected. GPS signals are great if the user is outside, but not inside.

What public health officials need is a tool that will tell them who the phone’s owner has been close to—really close, like six feet or less. Luckily, the Singapore government has developed an app that does exactly that—and it’s open sourcing the software for the world. The app, called TraceTogether, uses Bluetooth to find nearby phones the way it finds our car audio or wireless earbuds.

The basic idea is simple: If two people who’ve downloaded the app come within six feet of each other and stay there for half an hour, their phones exchange unique identifiers and each phone logs the contact in encrypted memory. It remains encrypted unless one of them turns up positive for the virus. If that happens, public health officials ask for the phone’s contact log, translate the unique identifiers into phone numbers, and quickly call everyone who came within electronic range of the infected person. There are plenty of privacy safeguards built in: The logs never leave the user’s phone without his or her consent, and other users can’t learn anything about the people around them from the identifier.

In short, the app addresses most of the practical and privacy objections that American privacy advocates have put forward. It could be a game changer for states like Minnesota and New Mexico that already have strong testing programs and haven’t yet been swamped by the virus. They should be acting now, talking to Singapore officials and mobilizing local tech talent to adapt the tool and construct the back-end processes needed to get a state version off the ground.

For the app to work, it needs to be installed on a lot of phones. Some people will install it without much prompting. Who wouldn’t want to be called if they’ve unknowingly crossed paths with a coronavirus carrier? And many of us would be glad to have a log of our contacts if we test positive, instead of trying to reconstruct contacts from memory.

But asking people to download an app means delays and gaps in coverage, especially when some privacy advocates are dragging their feet, claiming as we’ve seen that the technology won’t work or arguing that it should wait until a regulatory regime has been enacted. To jump-start the program, governors should ask Apple and Google to auto-download the app to every phone in their states, along with a message explaining why users should activate it.

Actually, the governors probably don’t need to ask. Some 40 states have adopted one version or another of a model public health emergency law promulgated after 9/11. The law gives governors explicit authority to issue orders seizing “materials and facilities as may be reasonable and necessary to respond to the public health emergency.” Those facilities expressly include “communication devices,” and there’s no good reason to exclude the Android and Apple app stores from the authority.

In fact, if push comes to shove, the governors likely have authority to require that residents of their states activate the app. The law grants individual states the  emergency authority to conduct “any diagnostic or investigative analyses necessary to prevent the spread of disease.” And, since Apple and Android know which apps we’ve activated, they could be ordered to identify those who haven’t registered for contact tracing. The federal law prohibiting disclosure of subscriber information to governments without a subpoena contains an express exception for “an emergency involving danger of death or serious physical injury to any person.”

In short, a forward-leaning approach to high-tech contact tracing is feasible. It could save many lives and get the economy back on track much faster. It’s time for governors in less affected states to do this.

If more incentive is needed, there’s one more thing. There’s a good chance that the governor who makes this work will end up running for president on the strength of that performance in four years. And perhaps even sooner.

President Trump is growing so worried about the economic impact of covid-19 that he’s talking about drastic action, including ending the lockdown in states that haven’t seen lots of infections. He’s right to be worried and right to be looking for dramatic solutions. He may even be well-served in this case by his skepticism about giving government public health experts the last word on fateful economic decisions, for reasons I’ll discuss. But ending the lockdown in states with low infection numbers is the wrong answer when we haven’t tested widely; many of these states almost certainly have an underground contagion that will explode as soon as the lockdown is lifted.

There are, however, responsible alternatives that might address the underlying concern.Instead of easing the lockdown state by state, we could do it person by person.  Specifically, we could end the lockdown for people who have already recovered from COVID-19. These people offer something we badly need right now:  A workforce that probably can’t get infected and probably can’t infect others. I say probably because there is plenty we don’t know. But there is reason to believe that people who recover from the coronavirus pose much less risk of infecting others and face less risk of being reinfected themselves. There’s still much uncertainty on both counts, but that’s the way to bet.

Which means that recovered coronavirus patients could be a vital resource for public health and for the economy. They can work directly with people still fighting for their lives in hospitals. They can tend to the elderly without fear of spreading the disease. Indeed, it’s possible that their blood plasma can be used to treat the sick. And, as their numbers increase over coming weeks, they can take on other jobs that call for close interactions with the uninfected – grocery and pharmacy sales, Uber drivers, and the like. They’ll suddenly be in high demand, and just in time, since many of them have been thrown out of work by the mass lockdowns. Instead of living off stimulus payments, they’ll be earning good money, performing critical jobs, and free to go out and spend it without fear.

By itself, ending the lockdown for those who’ve recovered from the virus won’t end the economic crisis. They are a tiny population in the US right now, but one that’s growing about as fast as infections did last month, which is to say it should be more or less doubling every few days. (In Italy, a couple of weeks ahead of us, there are 8300 recovered patients.) Ending their lockdown would allow both a real and a symbolic step toward economic normalcy, not to mention the public health benefits it would offer at a time when we need as many safe caregivers as we can muster.

What would it take to free up this resource?  Three things.

First, we cannot simply presume recovered patients are safe. We need the best available public health data about recovered COVID-19 patients, to get answers about when they stop being contagious and their resistance to reinfection. It is important to note, that even with more data, we are unlikely to get complete certainty on either point, and even the recovered will need to take precautions while out and about. But the decision to end their lockdown—in the face of some degree of uncertainty—should take into account economic, as well as health, risks.

This is where the President’s famous suspicion of expertise might do him some good. The government’s public health officials are indeed experts, but only in one part of the crisis we now face. They are ruled by the same incentives that govern all bureaucracies, as the recent CDC and FDA testing failures should remind us. And the bureaucratic incentive for public health officials is to maximize public health. 

As professionals, they’ll be judged by their success in suppressing the virus – not by their role in restoring the economy. To ensure that the desperate state of the economy gets proper weight, it’s entirely appropriate for the President to force a decision now, using public health officials’ best guess about infection and reinfection risks – even if the uncertainty makes them uncomfortable. The stakes are higher here than usual, but this is the kind of call we have Presidents for.

Second, we need good ways to identify the recovered. Tests for the virus identify people who have the infection; we also need to identify recoveries by testing for the antibodies that show the virus has come and gone. Those tests are on the way, but they’re caught up in FDA approval processes. The administration should be pushing the FDA to act faster. Because until we have those tests, we’re going to have to rely on doctors to write letters identifying patients who have recovered from the virus.

Third, this system requires a mechanism to enforce rules that end lockdown for some people and not others. Because we will need to rely on physician letters at the start, we should set uniform standards for representations from doctors. And the government should make clear that false claims of recovery can be criminally prosecuted as fraud. (If this proves insufficient, states and the private sector could issue 3-D barcodes to help stores, hospitals, and lockdown enforcers verify claims of recovery using a mobile phone. Similar systems are currently used across Asia.)

Most importantly, if we want this to work, we need to do all of these things now, and as impatiently as possible.

Which, of course, is where President Trump comes in. We’ve never needed his famous impatience more -- as long as he can keep it well-targeted.

That’s the question I debate with David Kris and Nick Weaver in this episode, as we explore the ways in which governments are using location data to fight the covid-19 virus. Phone location data is being used both to enforce quarantines and to track contacts with infected people.  It’s useful for both, but Nick thinks the second application may not really be ready for a year – too late for this outbreak.

Our interview is with Jason Healey, who has a long history with Cyber Command and a deep recent oeuvre of academic commentary on cyberconflict. Jay explains Cyber Command’s doctrine of “persistent engagement” and “defending forward” in words that I finally understand.  It makes sense in terms of Cyber Command’s aspirations as well as the limitations it labored under in the Obama administration, but I wonder if in the end it will be different from “deterrence through having the best offense.” Nothing wrong with that, in my view – as long as you have the best offense by a long shot, something that is by no means proven.

We return to the news to discover the whole idea of sunsets for national security laws looking dumber than it did when it first saw the light of day (which is saying something). Several important FISA authorities have expired, Matthew Heiman reports.  That's thanks to Sens. Rand Paul and Mike Lee, I might add (though Nick blames President Trump, who certainly put his boot in too). Both House and Senate passed measures to keep FISA authorities alive, but the measures were completely different and out of sync.  Maybe the House will fix the problem this week, but only by extending the deadline for a couple of months.  Because of course by then we’ll be rested and ready, in the middle of a contagion and a Presidential campaign, for a  debate over Sen. Paul’s proposal to make it harder to wiretap and prosecute Americans who spy for foreign governments.

Maybe before they did all that naming and shaming of Russian government hackers, federal prosecutors should have worked on their aiming: The US Justice Department has now dropped Robert Mueller’s charges against a sponsor of Russian electoral interference, Matthew tells us. We explore two fever-dream narratives – that the whole prosecution was part of a witch hunt and that the Attorney General is just sabotaging Bob Mueller’s righteous crusade. You don’t have to believe either to conclude that the Mueller team should have thought a little more about how it would try the case and a little less about how convenient it was to be able to tell the IRA story in an indictment. CyberScoop – Wall Street Journal

There’s another major leak about government skullduggery in cyberspace, David tells us, and Wikileaks is, uh, nowhere to be seen.  That’s because the skulldugging government in question is Vladimir Putin’s, and Wikileaks is looking more and more like Putin’s lapdog.  So it falls to a group called Digital Revolution to publish internal FSB documents showing Russia’s determination to acquire a huge DDOS network, maybe enough to take whole nations offline.

Alan Cohn makes a guest appearance to discuss the role that DHS’s CISA is playing in the covid-19 crisis.  And it has nothing to do with cybersecurity.  Instead, CISA is ensuring the security of critical infrastructure around the country by identifying facilities that need to keep operating, notwithstanding state lockdown orders.  We talk about the federalism crisis that could come from the proliferation of critical infrastructure designations but neither of us expects it soon.

Here’s a surprise: Russia is deploying coronavirus disinformation, claiming that it is a US bioweapon. Uncharacteristically, I find myself praising the European Union for flagging the campaign.

Nick talks about the ambiguity of the cyberattack on Norsk Hydro, and I raise the risk that companies may stop releasing attribution information pointing to nation states because doing so may undercut their insurance claims.

Finally, we wrap up the story of ex-Uber autonomous driving executive Anthony Levandowski, who pled guilty to trade-secret theft and is likely headed to prison for a year or three.

Download the 307th Episode (mp3).

Take our listener poll at steptoe.com/podcastpoll. You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

If your podcast feed has suddenly become a steady diet of more or less the same COVID-19 stories, here’s a chance to listen to cyber experts talk about something they know – cyberlaw. Our interview is with Elsa Kania, adjunct senior fellow at the Center for a New American Security and one of the country's most prolific students of China, technology, and national security. We talk about the relative strengths and weaknesses of the artificial intelligence ecosystems in the two countries.

In the news, Maury Shenk and Mark MacCarthy describe the growing field of censorship-as-a-service and the competition between US and Chinese vendors.

Elsa and I unpack the report of the Cyberspace Solarium Commission. Bottom line: The report is ambitious but constrained by political reality. And the most striking political reality is that there hasn’t been a better time in 25 years to propose cybersecurity regulation and liability for the tech sector. Seizing the Zeitgeist, the report offers at least a dozen such proposals.

Nick Weaver explains the joys of trojanizing the trojanizers, and we debate whether that is fourth-party or fifth-party intelligence collection.

In a shameful dereliction, Congress has let important FISA authorities lapse, but perhaps only for a day or two (depending on the president’s temperature when the reauthorization bill reaches his desk). The reauthorization bill isn’t good for our security, but it tries to avoid crippling intelligence collection, mostly hanging new ornaments on the existing FISA Christmas tree.

Mark covers a Swedish ruling that deserves to be forgotten a lot more than the crimes and embarrassments protected by the “right to be forgotten.” This decision fines Google for failing to show sufficient zeal in covering up Sweden’s censorship orders.

Nick explains how Microsoft finds itself taking down an international botnet instead of leaving the job to the world’s governments.

Maury reports that the federal trial of a Russian hacker is exposing seamy ties between the FSB and criminal Russian hackers. Now we know why Russia fought so hard to head off extradition of the Russian hacker to the US.

Elsa helps me through recent claims that US chip makers face long-term damage from the US-China trade fight. That much is obvious to all; less obvious is what the US can do to avoid it.

Nick and I talk about Facebook’s suit against NSO Group. I claim that NSO won this round in court but lost in the media, which has finally found a company it hates more than Facebook. Nick thinks Facebook is quite happy to swap a default judgment for a chance at discovery.

In other quick hits, DOD is wisely seeking a quick do-over in the cloud computing litigation involving AWS and Microsoft. House and Senate committees have now okayed a bill to give CISA much-needed and suprisingly uncontroversial subpoena authority to identify at-risk Internet users. Rebooting my "Privacy Kills" series, I break the injunction against COVID-19 news to point out that dumb privacy laws likely delayed for weeks discovery of how widespread COVID-19 was in Seattle. And Joshua Schulte’s trial ends in a hung jury; I ask where the juicy post-trial jury interviews are.

Download the 306th Episode (mp3).

Take our listener poll at steptoe.com/podcastpoll!

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

The NSA’s effort to use call detail records to spot cross-border terror plots has a long history. It began life in deepest secrecy, became public (and controversial) after Edward Snowden’s leaks, and was then "reformed" in the USA Freedom Act. Now it’s up for renewal, and the Privacy and Civil Liberties Oversight Board, or PCLOB, has weighed in with a deep report on how the program has functioned – and why NSA has suspended it.

In this episode I interview Travis LeBlanc, a PCLOB Member, about the report and the program. Travis is a highly effective advocate, bringing me around on several issues, including whether the program should be continued and even whether the authority to revive it would be useful. It’s a superb guide to a program whose renewal is currently being debated (against a March 15 deadline!) in Congress.

And, uh, asking for a friend: Do the early stages of covid-19 infection make you more susceptible to persuasion? 

Download the 305th Episode (mp3).

Take our listener poll at steptoe.com/podcastpoll!

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, families or friends.

Our interview in this episode is with Glenn Gerstell, freed at last from some of the constraints that come with government service. We cover the Snowden leaks, how private and public legal work differs (hint: it’s the turf battles), Cyber Command, Russian election interference, reauthorization of FISA, and the daunting challenges the US (and its Intelligence Community) will face as China’s economy begins to reinforce its global security ambitions.

In the news, Nate Jones and Nick Weaver talk through the new legal and technical ground broken by the United States in identifying two Chinese nationals and the $100 million in cryptocurrency they laundered for North Korean hackers.

Paul Rosenzweig lays out the challenge posed for the Supreme Court’s Carpenter decision by LocateX, which provides detailed location data commercially. This is exactly the quagmire I expected the Court to find itself in when it abandoned the third-party doctrine on a one-off basis. Nick points out that the data is only pseudonymized and tries with mixed success to teach me to say “de-pseudonymized.”

Nate and I conclude that facial recognition has achieved a kind of Kardashian status, though instead of being famous for being famous, facial recognition is toxic for being toxic. Kashmir Hill at the New York Times adds a new drop of poison in a story that could just as well have repeated “I hate Clearview AI” 50 times for all it told us about the company. And Vice, which never saw a Twitter mob it wouldn’t join, lets Anna Merlan tell us to hate Clearview because it found pictures of her that she apparently posted in public. Meanwhile, we all know the technology is evil, but we can't quite remember why. If the problem is that it doesn’t work, the stories about how Buenos Aires found a wanted man on the street using another company’s recognition tech is kind of harshing the narrative. (We're supposed to see that it's evil because the cops had mixed up two people with the same name. Not sure that’s facial recognition’s fault, guys.)

Nate and I review the Justice Department’s guidance on how threat researchers can do undercover work safely on the Dark Web. It’s a mixed bag for sure, but the biggest beneficiary of the guidance may turn out to be Dark Web criminal network administrators.

A proposed FAA drone rule is angering aviation hobbyists. Nick feels their pain but thinks it’s time for them to get over it.

Microsoft, Google, Facebook, and others have adopted international principles for enforcing laws against child abuse. But if they were hoping to stave off the EARN IT bill, they were mistaken. The bill has been introduced, with striking bipartisan sponsorship and a few changes since we last covered it. Nick and I cross swords on whether the bill would turn the companies into agents of the government for Fourth Amendment purposes.

And in short takes, I note that the Trump Administration is borrowing from Europe in one respect: CFIUS is building a wall against the export of Americans' personal data to China by overturning mergers that would give Chinese companies access to data on Americans’ hotel stays and their love lives. Paul tells us that Oz is apparently in the lead for a deal with the United States on the CLOUD Act. China’s Qihoo360 tries to beat US cyber forensics firms at the name-and-shame game but came up short. And the FISA Court offers some surprisingly tame changes in the wake of the Horowitz report detailing the botched Carter Page warrant application.

Download the 304th Episode (mp3).

Take our listener poll at steptoe.com/podcastpoll!

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

This is a bonus episode of the Cyberlaw Podcast – a freestanding interview of Noah Phillips, a Commissioner of the Federal Trade Commission. The topic of the interview is whether privacy and antitrust analysis should be merged, especially in the context of Silicon Valley and its social media platforms.

Commissioner Phillips, who has devoted considerable attention to the privacy side of the FTC’s jurisdiction, recently delivered a speech on the topic and telegraphed his doubts in the title: “Should We Block This Merger? Some Thoughts on Converging Antitrust and Privacy.” Subject to the usual Cyberlaw Podcast injunction that he speaks only for himself and not his institution or relatives, Commissioner Phillips lays out the very real connections between personal data and industry dominance as well as the complexities that come from trying to use antitrust to solve privacy problems. Among the complexities: the key to more competition among social media giants could well be more sharing between companies of the personal data that fuels their network effects, and corporate sharing of personal data is what privacy advocates have spent a decade crusading against.

It’s a wide-ranging interview, touching on, among other things, whether antitrust can be used to solve Silicon Valley’s censorship problem (he’s skeptical) and what he thinks of suggestions in Europe that perhaps the Schrems problem can be solved by declaring that post-CCPA California meets EU data privacy standards. Commissioner Phillips is bemused; I conclude that this is just Europe seeking revenge for President Trump’s Brexit support by promoting “Calexit.”

Download the 303rd Episode (mp3).

Take our listener poll at steptoe.com/podcastpoll! 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, or relatives.

This episode features a lively (and – fair warning – long) interview with Daphne Keller, Director of the Program on Platform Regulation at Stanford University’s Cyber Policy Center. We explore themes from her recent paper on regulation of online speech. It turns out that more or less everyone has an ability to restrict users’ speech online, and pretty much no one has both authority and an interest in fostering free-speech values. The ironies abound: Conservatives may be discriminated against, but so are Black Lives Matter activists. In fact, it looks to me as though any group that doesn’t think it’s the victim of biased content moderation would be well advised to scream as loudly as possible about censorship anyway for fear of losing the victimization sweepstakes.

Feeling a little like a carny at the sideshow, I serve up one solution for biased moderation after another, and Daphne methodically shoots them down. Transparency? None of the companies is willing to allow real transparency, and the government may have a first amendment problem forcing companies to disclose how they make their moderation decisions. Competition law as a way to encourage multiple curators? It might require a "magic" API, and besides, most users like a moderated Internet experience. Regulation? Only if we want to take First Amendment law back to the heyday of broadcast regulation (which is frankly starting to sound pretty good to me).

As a particularly egregious example of foreign governments and platforms ganging up to censor Americans, we touch on the CJEU's insufferable decision encouraging the export of European defamation law to the US – with an extra margin of algorithmic censorship to keep the platform from any risk of liability. Turns out, that speech suppression regime is not just an end run around the first amendment; it's protected by the first amendment. I offer to risk my Facebook account to see if that's already happening.

In the news, FISA follies take center stage, as the March 15 deadline for reauthorizing important counterterrorism authorities draws near. No one has a good solution. Matthew Heiman explains that another kick-the-can scenario remains a live option. And Nick Weaver summarizes the problems that the PCLOB found with the FISA call detail record program. My take: The program failed because it was imposed on NSA by libertarian ideologues who had no idea how it would work in practice and who now want to blame NSA for their own shortsightedness.

Another week, another couple of artificial intelligence ethics codes: The two most recent ones come from DOD and … the Pope? Mark MacCarthy sees a lot to like. I offer my quick and dirty CTRL-F test for whether the codes are serious or flaky, and both fail.

In China news, Matthew covers China’s ever-spreading censorship regime – which now reaches Twitter users whose accounts are blocked by the Great Firewall. We also ask whether and how much the US “name and shame” campaign has actually reduced Chinese cyberespionage. And whether China is stealing tech from universities for the same reason Willie Sutton robbed banks – that’s where the IP is.

Nick recounts with undisguised glee the latest tribulations suffered by Clearview AI's facial recognition system: Its app has been banned from Android and Apple, and both its customers and its data collection methods have been doxed.

Mark notes the success of threats to boycott Pakistan on the part of Facebook, Google, and Twitter. I wonder if that will simply incentivize Pakistan to drive its social media ecosystem toward the Chinese giants.

Nick gives drug dealers a lesson in how not to store the codes for €53.6 million in Bitcoin; or is it a lesson in what to say to the police if you want that €53.6 million waiting for you when you get out of the clink?

Finally, in a few quick hits, we cover new developments in past stories: It turns out, to the surprise of no one, that removing a police tracking device from your car isn’t theft. West Virginia has apparently recovered from a fit of insanity and now does not plan to allow voting by insecure app. And the FCC is doing a slow striptease in its investigation of mobile carriers for selling customer location data; now we know who’ll be charged (pretty much everyone) and how much it will cost them ($200 million), but we still don’t know the theory or whether the inquiry is going to kill off legitimate uses of location data.

Download the 302nd Episode (mp3).

Take our listener poll at steptoe.com/podcastpoll! 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, families or pets.

Once again, I put my Facebook account at risk to find out:

 We interview Ben Buchanan about his new book, The Hacker and the State: Cyber Attacks and the New Normal of Geopolitics. This is Ben's second book and second interview on the podcast about international conflict and cyber weapons. It's safe to say that America's strategic posture hasn't improved since the first one.

We face more adversaries with more tools and a considerably greater appetite for cyber adventurism. Ben recaps some of the stories that were under-covered in the US press when they occurred. The second large attack on Ukraine's grid, for example, was little noticed during the US election of 2016, but it looks much more ominous after a recent analysis of the tools used, and perhaps most importantly, those that were available to the GRU but not used. Meanwhile, the US is not making much progress in cyberspace on the basic requirement of a great power, which is making sure our enemies fear us.

In the news, Nick Weaver, Gus Hurwitz, and I take a quick pass at the Internet content regulation problem and Section 230 of the Communications Decency Act. I've written that Section 230 needs to be reconsidered, and I predict that the Justice Department, which held a workshop on Section 230 last week, will propose reforms. Gus and I offer two different takes on Facebook's recent white paper about content moderation. Gus is more a fan of Twitter's approach. And Nick reminds us that there are some communities on the Internet whose content causes real harm, including to innocent children.

The debate in the US is taking a distinctly European turn, I suggest, which makes Europe's determination to regulate its way to digital innovation a little less implausible than usual. Maury Shenk outlines the very tentative (and almost certainly out of date before it's launched) European plan for building a European data lake to foster a European AI and digital economy.

Speaking of AI regulation, Elon Musk hasn't given up on his concerns about the technology's risks. But the real action in media circles is attacking fairly simple machine learning tools as used by law enforcement and the justice system. I argue that the attack is wrongheaded and will either result in abandoning tools that could have disciplined true outliers or in imposing dangerous racial quotas on things like incarceration. Nick thinks there's enough institutionalization of bias in AI as it now exists that giving up such tools may be the better course.

In quick hits, Nick explains how Google's effort to stamp out ad click fraud can generate a secondary form of criminal extortion. Maury explains the latest flap over Australia's encryption law; the tl;dr is that nothing is likely to change soon. Gus makes a down payment on an emerging issue: Whether ISPs can defeat Internet privacy laws that affect them by pleading their First Amendment rights. Nick calls BS on the simplest forms of "anonymization" for credit card data. I highlight a ransomware attack on a US natural gas operator that actually affected operations and is thus a forerunner of future attacks. Nick reminds us that Julian Assange is still in court to stop a US extradition bid. And Europe's data protection advisor is questioning Google's acquisition of Fitbit.

Download the 301st Episode (mp3).

Take our listener poll at steptoe.com/podcastpoll!

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of participants' institutions, clients, family, or friends.

Yesterday, the Attorney General held a workshop on Section 230 of the Communications Decency Act. The question was whether the law can be improved. Section 230 does need work, though there's plenty of room for debate about exactly how to fix it. These are my mostly tentative and entirely personal thoughts on the question the Attorney General has asked.

Section 230 gives digital platforms two immunities – one for publishing users' speech and one for censoring users' speech. the second is the bigger problem.

1. Immunity for what users say and do online

When section 230 was adopted, the impossibility of AOL, say, monitoring its users in a wholly effective way was obvious. It couldn't afford to hire tens of thousands of humans to police what was said in its chatrooms, and the easy digital connection it offered was so magical that no one wanted it to be saddled with such costs. Section 230 was an easy sell.

A lot has changed since 1996.  Facebook and other have in fact already hired tens of thousands of humans to police what is said on their platforms. Combined with artificial intelligence, content fingerprinting, and more, these monitors work with considerable success to stamp out certain kinds of speech. And although none of these efforts are foolproof, preventing the worst online abuses has become part of what we expect from social media. The sweeping immunity Congress granted in Section 230 is as dated as the Macarena, another hit from 1996 whose appeal seems inexplicable today. Today, jurisdictions as similar to ours as the United Kingdom and the European Union have abandoned such broad grants of immunity, making it clear that they will severely punish any platform that fails to censor its users promptly.

That doesn't mean the US should follow the same path.  We don't need a special, harsher form of liability for big tech companies. But why are we still giving them a blanket immunity from ordinary tort liability for the acts of third parties? In particular, why should they be immune from liability for utterly predictable criminal use of warrant-proof encryption? I've written on this recently and won't repeat what I said there, except to make one fundamental point.

Immunity from tort liability is a subsidy, one we often give to nascent industries that capture the nation's imagination. But once they've grown big, and the harm they can cause has grown as well, that immunity has to be justified anew. In the case of warrant-proof encryption, the justifications are thin.  Section 230 allows tech companies to capture all the profits to be made from encrypting their services while exempting them from the costs they are imposing on underfunded police forces and victims of crime.

That is not how our tort law usually works. Usually, courts impose liability on the party that is in the best position to minimize the harm a new product can cause. Here, that's the company that designs and markets an encryption system with predictable impact on victims of crime. Many believe that the security value of unbreakable encryption outweighs the cost to crime victims and law enforcement. Maybe so.  But why leave the weighing of those costs to the blunt force and posturing of political debate? Why not decentralize and privatize that debate by putting the costs of encryption on the same company that is reaping its benefits? If the benefits outweigh the costs, the company can use its profits to insure itself and the victims of crime against the costs. Or it can seek creative technical solutions that maximize security without protecting criminals – solutions that will never emerge from a political debate. Either way it's a private decision with few externalities, and the company that does the best job will end up with the most net revenue. That's the way tort law usually works, and it's hard to see why we shouldn't take the same tack for encryption.

2. Immunity for censoring users Detecting bias.

The harder and more urgent Section 230 problem is what to do about Silicon Valley's newfound enthusiasm for censoring users whose views it disapproves of. I confess to being a conservative, whatever that means these days, and I have little doubt that social media content mediation rules are biased against conservative speech. This is hard to prove, of course, in part because social media has a host of ways to disadvantage speakers who are unpopular in the Valley. Their posts can be quarantined, so that only the speaker and a few persistent followers ever see them but none knows of that distribution has been suppressed. Or they can be demonetized, so that Valley-unpopular speakers, even those with large followings, cannot use ad funding to expand their reach. Or facially neutral rules, such as prohibitions on doxing or encouraging harassment, are applied with maximum force only to the unpopular. Combined with the utterly opaque talk-to-the-bot mechanisms for appeal that the Valley has embraced, these tools allow even one or two low-level but highly motivated content moderators to sabotage their target's speech.

Artificial intelligence won't solve this problem.  It is likely to make it worse. AI is famous for imitating the biases of the decisionmakers it learns from – and for then being conveniently incapable of explaining how it arrived at its own decisions. No conservative should have much faith in a machine that learns its content moderation lessons from current practice in Silicon Valley.

Foreign government interference. European governments, unbound by the first amendment, have not been shy about telling Silicon Valley to suppress speech it dislikes, which include true facts about people who claim a right to be forgotten, or charges that a politician belongs to a fascist party, or what it calls hate speech. Indeed, much of the Valley has already surrendered, agreeing to use their terms of service to enforce Europe's sweeping view of hate speech--under which the President's tweets and the Attorney General's speeches could probably be banned today.

Europe is not alone in its determination to limit what Americans can say and read.  Baidu has argued successfully that it has a first amendment right to return nothing but sunny tourist pictures when Americans searched for "Tiananmen Square June 1989." Jian Zhang v. Baidu.Com Inc., 10 F. Supp. 3d 433 (S.D.N.Y. 2014). Today, any government but ours is free to order a US company to suppress the speech of Americans the government doesn't like.

In the long run it is dangerous for American democracy to give highly influential social media firms a blanket immunity when they bow to foreign government pressure and suppress the speech of Americans. We need to armor ourselves against such tactics, not facilitate them.

Regulation deserves another look. This isn't the first time we've faced a disruptive new technology that changed the way Americans talked to each other. The rise of broadcasting a hundred years ago was at least at transformational, and as threatening to the political order, as social media today. It played a big role in the success of Hitler and Mussolini, not to mention FDR and Father Coughlin.

American politicians worried that radio and television owners could sway popular opinion in unpredictable or irresponsible ways. They responded with a remarkable barrage of new regulation – all designed to ensure that wealthy owners of the disruptive technology did not use it to unduly distort the national dialogue. Broadcasters were required to get government licenses, not once but over and over again. Foreign interests were denied the right to own stations or networks. A "fairness" doctrine required that broadcasters present issues in an honest, equitable, and balanced way. Opposing candidates for office had to be given equal air time, and political ads could to be aired at the lowest commercial rate. Certain words (at least seven) could not be said on the radio.

This entire edifice of regulation has acquired a disreputable air in elite circles, and some of it has been repealed. Frankly, though, it don't look so bad compared to having a billionaire tech bro (or his underpaid contract workers) decide that carpenters communicating with friends in Sioux Falls are forbidden to "deadname" Chelsea Manning or to complain about Congress's failure to subpoena Eric Ciaramella.

The sweeping broadcast regulatory regime that reached its peak in the 1950s was designed to prevent a few rich people from using technology to seize control of the national conversation, and it worked. The regulatory elements all pretty much passed constitutional muster, and the worst that can be said about them today is that they made public discourse mushy and bland because broadcasters were cautious about contradicting views held by a substantial part of the American public.

Viewed from 2020, that doesn't sound half bad. We might be better off, and less divided, if social media platforms were more cautious today about suppressing views held by a substantial part of the American public.

Whether all these rules would survive contemporary first amendment review is hard to know. But government action to protect the speech of the many from the censorship of the privileged deserves, and gets, more leeway from the courts than the free speech absolutists would have you believe. See, e.g., Bartnicki v. Vopper, 532 U.S. 514 (2001).

That said, regulation has many risks, not least the risk of abuse. Each political party in our divided country ought to ask what the other party would do if given even more power over what can be said on line. It's a reason to look elsewhere for solutions.

Network effects and competitive dominance. Maybe we wouldn't need a lot of regulation to protect minority views if there were more competition in social media – if those who don't like a particular platform's censorship rules could go elsewhere to express their views.

In practice, they can't.  YouTube dominates video platforms, Facebook dominates social platforms, Amazon dominates online book sales, etc. Thanks to network effects, if you want to spread your views by book, by video, or by social media post, you have to use their platforms and live with their censorship regimes.

It's hard to say without investigation whether these platforms have violated antitrust laws in acquiring their dominance or in exercising it. But the effect of that dominance on what Americans can say to each other, and thus on political outcomes, must be part of any antitrust review of their impact. Antitrust enforcement often turns on whether a competitive practice causes consumer harm, and suppression of consumer speech has not usually been seen as such a harm. It should be. Suppression of speech it dislikes may well be one way Silicon Valley takes monopoly profits in something other than cash. If so, there could hardly be a higher priority for antitrust enforcement because such a use of monopoly strikes at the heart of American free speech values.

One word of caution:  Breaking up dominant platforms in the hope of spurring a competition of ideas won't work if the result is to turn the market over to Chinese companies that already have a similar scale – and even less interest in fostering robust debate online. If we're going to spur competition in social media, we need to make sure we aren't trading Silicon Valley censorship for the Chinese brand.

Transparency. Transparency is everyone's favorite first step for addressing the reality and the perception of bias in content moderation. Surely if the rules were clearer, if the bans and demonetizations could be challenged, if inconsistencies could be forced into the light and corrected, we'd all be less angry and suspicious and the companies would behave more fairly. I tend to agree with that sentiment, but we shouldn't kid ourselves. If the rules are made public, if the procedures are made more open – hell, if the platforms just decide to have people answer complaints instead of leaving that to Python scripts -- the cost will be enormous.

And not just in money. All of the rules, all of the procedures, can be gamed, and more effectively the more transparent they are.  Speakers with bad intent will go to the very edge of the rules; they will try to swamp the procedures. And ideologues among the content moderators will still have room to seize on technicalities to nuke unpopular speakers.  Transparency may well be a good idea, but its flaws are going to be painful to behold if that's the direction our effort to discipline Section 230 takes.

3. What is to be done?

So I don't have much certainty to offer.  But if I were dealing with the Section 230 speech suppression immunity today, I'd start with something like the following:

First, treat speech suppression as an antitrust problem, asking what can be done to create more competition, especially ideological and speech competition, among social media platforms. Maybe breakups would work, although network effects are remarkably resilient. Maybe there are ways antitrust law can be used to regulate monopolistic suppression of speech. In that regard, the most promising measures probably are requiring further transparency and procedural fairness from the speech suppression machinery, perhaps backed up by governmental subpoenas to investigate speech suppression accusations.

Second, surely everyone can agree that foreign governments and billionaires shouldn't play a role in deciding what Americans can say to each other. We need to bar foreign ownership of social media platforms that are capable of playing a large role in our political dialogue. We should also use the Foreign Agent Registration Act or something like it to require that speech driven by foreign governments be prominently identified as such. And we should sanction the nations that try to do that.

And finally, here's a no-brainer. If nothing else, it's clear that Section 230 is one of the most controversial laws on the books. It is unlikely to go another five years without being substantially amended. So why in God's name are we writing the substance of Section 230 into free trade deals – notably the USMCA? Adding Section 230 to a free trade treaty makes the law a kind of a low-rent constitutional amendment, since if we want to change it in future, organized tech lobbies and our trading partners will claim that we're violating international law. Why would we do this to ourselves? It's surely time for this administration to take Section 230 out of its standard free-trade negotiating package.

Note: I have many friends, colleagues, and clients who will disagree with much of what I say here.  Don't blame them. These are my views, not those of my clients, my law firm, or anyone else.

In breaking news from 1995, the Washington Post takes advantage of a leaked CIA history paper to retell the remarkable tale (first published in the mid-90s) of Crypto AG, a purveyor of encryption products to dozens of governments – and allegedly a wholly controlled subsidiary of US and German intelligence. Nick Weaver, Paul Rosenzweig, and I are astonished at the derring-do and unapologetic enthusiasm for intelligence collection that the story displays. I mean, really: The Pope?

This week’s interview is with Jonathan Reiber, a writer and strategist in Oakland, California, and former Chief Strategy Officer for Cyber Policy and Speechwriter at the Department of Defense, currently senior advisor at Technology for Global Security and visiting scholar at the UC Berkeley Center for Long-Term Cybersecurity. His recent report offers a candid view of strained relations between Silicon Valley and the Pentagon. The interview explores the reasons for that strain, the importance of bridging the gap, and how that can best be done.

Nick reports that four PLA members have been indicted over the Equifax breach. He speculates that the US government is sending a message by disclosing a photo of one soldier that appears to have been taken by his own webcam. Paul and I note that the purpose of the hack was very likely the assembly of records on Americans not dissimilar to the records we know the Chinese keep on Uighurs – which are extraordinarily detailed and surprisingly artisanal. 

The arrest of a Bitcoin mixer allows Nick to explain how Bitcoin mixing works and why it's (sometimes) illegal.

Paul lays out the potentially serious impact of Amazon’s lawsuit to stop a $10 billion Microsoft-DOD cloud contract. We note that Amazon wants to take testimony from President Trump about political interference in the award. Thanks to his Twitter habit, we conclude, that’s not out of the question.

I preview my remarks at a February 19 Justice Department workshops on Section 230. I will reprise my article in Lawfare and the encryption debate with Nick Weaver that inspired it. And I hope to dig as well into the question whether Section 230 provides too much protection for Silicon Valley’s censors. Speaking of which, Jeff Bezos’s company has joined the censors but won’t tell us which books it’s suppressing.

Nick and I give a favorable review to CISA’s new #Protect2020 election strategy. We search for deeper meaning in IANA’s failure to complete its DNSSEC root key signing ceremony because of… a physical safe. And we all take a moment to mock and abuse the latest vote-by-phone snake-oil app seller, Voatz. If nothing else, we conclude, it will greatly reduce friction in the market for selling votes in future elections. 

Download the 300th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, or friends.

The battle between Congress and Silicon Valley has a new focus: the EARN IT Act of 2019. (The title is an embarrassing retronym that I refuse to dignify by repeating; you can safely ignore it.) A “discussion draft” of the bill is attributed to Republican Sen. Lindsey Graham and Democratic Sen. Richard Blumenthal. To hear the Electronic Frontier Foundation (EFF), the Center for Internet and Society, and Gizmodo tell it, the draft EARN IT Act is an all-out assault on end-to-end encryption.

The critics aren’t entirely wrong about the implications of EARN IT for encryption—but they’ve skipped a few steps. To understand the controversy, it’s useful to start with the structure of the bill. That will show how EARN IT could affect the deployment of end-to-end encryption—and why the draft bill makes sense as social policy.

The central change made by the bill is this: It would allow civil suits against companies that recklessly distribute child pornography. It would do this by taking away a piece of their immunity from liability when transmitting their users’ communications under Section 230 of the Communications Decency Act (CDA).

Originally added to the CDA as part of a legislative bargain, Section 230 was one of the best deals tech lobbyists ever struck. The CDA was a widely popular effort to restrict internet distribution of pornography to minors. Tech companies couldn’t stop the legislation but feared being held liable for what their users did online, so they agreed not to fight the CDA in exchange for Section 230. The next year, the law’s measures to protect children online were ruled unconstitutional, leaving the industry protections in Section 230 as more or less the only operative provision in the entire CDA.

Both Section 230 and the content monitoring it protects have become increasingly controversial in recent years. Conservatives believe they have been unfairly targeted for arbitrary deplatforming and demonetization; liberals complain that there are still too many right-wing proselytizers and rabble-rousers on the internet. Fewer and fewer people are happy that Section 230 gives tech companies broad discretion to do what they please about user content.

But the most recent attacks on Section 230 have been more focused. Congress first took aim at sites, like Backpage, that were accused of knowingly accepting ads that fostered prostitution and sex trafficking. In 2018, Congress enacted the Fight Online Sex Trafficking Act (FOSTA), which provided that internet companies could be held liable for assisting in sex trafficking if they “knew or should have known” what their customers were doing. 18 U.S.C. § 1595; 47 U.S.C. § 230(c)(5).

Silicon Valley’s advocates hated FOSTA, but their resistance didn’t matter. Times had changed. It was hard to argue that the big platforms couldn’t afford to monitor their users’ content. Much of the industry caved rather than look soft on sex trafficking. The bill passed with overwhelming bipartisan support.

This brings us to the EARN IT Act, which would treat child pornography more or less the way FOSTA treated sex trafficking content—by lifting the immunity of companies that don’t take reasonable measures to prevent its distribution. It’s a surprise that EARN IT came second to FOSTA. Sex work has defenders on the left and the libertarian right, after all, but no one defends child pornography. What’s more, ads touching on sex and companionship have a good deal more First Amendment appeal than child sexual abuse images, which are after all direct evidence of crime. But now that FOSTA has shown the way, it’s no surprise that a similar attack on child pornography has gained traction.

In seeking to counter this proposal, Silicon Valley and internet freedom advocates have moved away from the First Amendment paeans and “don’t break the internet” memes they used in their unsuccessful fight against FOSTA. Rather, they’re arguing that EARN IT will hurt end-to-end encryption.

How so? The short answer is that EARN IT imposes civil liability on companies that distribute child pornography “recklessly.” Victims—presumably the individuals whose images are being circulated—could sue online platforms that recklessly ignored the exchange of child pornography on their services. By itself, that rule is hard to quarrel with. Recklessness requires more than simple negligence. A party is reckless if he deliberately ignores a harm that he can and should prevent.

For anyone who has defended a tort case, being reassured that the jury has to find your client acted recklessly is cold comfort. You don’t know what facts you’ll be accused of ignoring. You don’t know what emails may have been sent to even low-level employees in your company. You don’t know what measures you’ll be accused of ignoring. And you don’t know when a trawl through the company’s email servers will show that someone somewhere treated the problem with insensitivity.

To address that fear, EARN IT offers a safe harbor to companies that follow best practices in addressing child pornography. Notably, this is more protective of social media defendants than FOSTA and not strictly necessary for those willing to trust the good sense of American juries. Nonetheless, the bill creates a commission to spell out the safe harbor best practices. To further protect industry, 10 of the 15 members of the commission must agree on the best practices, and six of the 15 must have worked at a computer service or in computer science, giving the commission members with a technical background a blocking minority. To protect the government’s interests, the attorney general is given authority to review and modify, with reasons, the best practices endorsed by the group. Companies that certify compliance with the best practices cannot be sued or prosecuted under federal child pornography laws. Companies that disagree with the best practices that emerge from this process can still claim the safe harbor if they implement “reasonable measures … to prevent the use of the interactive computer service for the exploitation of minors.”

To see what this has to do with encryption, just imagine that you are the CEO of a large internet service thinking of rolling out end-to-end encryption to your users. This feature provides additional security for users, and it makes your product more competitive in the market. But you know it can also be used to hide child pornography distribution networks. After the change, your company will no longer be able to thwart the use of your service to trade in child pornography, because it will no longer have visibility into the material users share with one another. So if you implement end-to-end encryption, there’s a risk that, in future litigation, a jury will find that you deliberately ignored the risk to exploited children—that you acted recklessly about the harm, to use the language of the law.

In other words, EARN IT will require companies that offer end-to-end encryption to weigh the consequences of that decision for the victims of child sexual abuse. And it may require them to pay for the suffering their new feature enables.

I don’t doubt that this will make the decision to offer end-to-end encryption harder. But how is that different from imposing liability on automakers whose gas tanks explode in rear-end collisions? If the gas tank makes its cars cheaper or more popular, the company will get the benefit; but now it will also have to pay damages to the victims of the explosions. That makes the decision to offer risky gas tanks harder, but no one weeps for the automaker. Imposing liability puts the costs and benefits of the product in the same place, making it more likely that companies will act responsibly when they introduce new features.

There is nothing radical about EARN IT’s proposal, except perhaps for the protections that the law still offers to internet companies. Most tort defendants don’t get judged on a recklessness standard. Juries can award damages if the defendant was negligent, a much lower bar. Indeed, in many contexts, the standard is strict liability: If your company is best able to minimize the harm caused by your product, or to bear its cost, the courts will make you the insurer of last resort for all the harm your product causes, whether you are negligent or not. Compared to these commonplace rules, Section 230 remains a remarkably good deal, with or without EARN IT.

But critics of EARN IT have focused on the role the bill provides for the attorney general Because Attorney General William Barr could modify the best practices recommended by the commission, critics say, Barr might unilaterally declare that end-to-end encryption is never a best practice when dealing with the scourge of child pornography. That would effectively prohibit end-to-end encryption, or so the argument goes.

There’s one problem with this: EARN IT doesn’t impose liability on companies that fail to follow the commission’s best practices. They are free to ignore the recommendations of the commission and the attorney general, which are after all just a safe harbor, and they will still have two ways to avoid liability. First, they can still claim a safe harbor as long as they adopt “reasonable measures” to prevent child sex exploitation. Second, they can persuade a jury that their product design didn’t recklessly allow the spread of child pornography.

The risk of liability isn’t likely to kill encryption or end internet security. More likely, it will encourage companies to choose designs that minimize the harm that encryption can cause to exploited kids. Instead of making loud public arguments about the impossibility of squaring strong encryption with public safety, their executives will have to quietly ask their engineers to minimize the harm to children while still providing good security to customers—because harm to children will in the long run be a cost the company bears. That, of course, is exactly how a modern compensatory tort system is supposed to work. Such systems have produced safer designs for cars and lawn mowers and airplanes without bankrupting their makers.

Maybe it’s time to apply the same rules to internet products and services.

The views expressed here do not reflect those of my firm or clients.

The next trade war will be over transatlantic data flows, and it will make the fight with China look like a picnic. That’s the subject of this episode’s interview. The European Court of Justice is poised to go nuclear – to cut off US companies’ access to European customer data unless the US lets European courts and data protection agencies refashion American intelligence capabilities according to standards no European government has ever been required to meet. It is Europe in full neocolonial mode, but the movement has so far sailed below the radar, disguised as an abstruse European legal fight. Maury Shenk and I interview Peter Swire on the Schrems cases that look nearly certain to provoke a transatlantic trade and intelligence crisis. Actually, Maury interviews Peter, and I throw bombs into the conversation. But if ever there were a cyberlaw topic that deserves more bomb-throwing, this is it.

In the News Roundup, David Kris tells us that the trial of alleged Vault7 leaker Joshua Schulte is under way. And the star of the first day is our very own podcast regular, Paul Rosenzweig.

If you’re wondering whether more cybersecurity regulation is what the country needs, you should be paying attention to the Pentagon, which has embraced cybersecurity regulation for its contractors. Matthew Heiman reports that DOD isn’t finding the path easy. DOD has released its final cybersecurity plan for contractors, but the audit process needed to enforce it remains a mystery.

That’s SNAKE spelled backwards: David tells us about a new strain of ransomware known as EKANS; ominously, it is targeting industrial control systems. I manage to find a very modest silver lining.

Nate Jones sums up the cybersecurity lessons from the voting debacle in Iowa.

Nate also reports on the FCC’s latest half-step toward suing one or more telcos for selling phone-location data.

Matthew covers the Maze ransomware that has ravaged law firms in recent weeks. He argues that it’s only a matter of time before such attacks become dog-bites-man stories.

Matthew also notes that Google and Facebook have apparently dropped plans to terminate their transpacific cable in Hong Kong. US national security concerns seem to have driven the decision. Looks like the Great Decoupling could be spurring a very real physical decoupling.

Nate makes the best of being asked to talk about the 2020 version of a Worthwhile Canadian Initiative: The third volume of the Senate Intel Committee’s Russian electoral interference report. It’s sober and responsible and bipartisan – and largely unread, sadly.

And to bring you up to speed on past stories:

• A Brazilian judge has declined to accept charges against Glenn Greenwald, “for now.”
• The poster child for our current facial recognition moral panic can’t catch a break: As I predicted, Clearview AI has been hit with orders to cease-and-desist from Google and Facebook.
• Tag-teaming with Bill Barr, child-welfare activists are attacking Facebook over its encryption plans and what that means for exploited kids.
• One of the first CCPA lawsuits has been filed, against Salesforce.
• And This Week in Silicon Valley's Suppression of the Right:
• Letterboxd banned a black libertarian film critic’s reviews.
• James O’Keefe’s Twitter account was suspended after he named a Bernie Sanders staffer who spoke fondly of gulags and electoral violence.
• And Twitter banned the widely popular Zero Hedge account after it named a Chinese researcher who it thought might have a role in coronavirus.

Download the 299th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the participants' firms, clients, friends, former friends, or family members.

 Nick Weaver and I debate Sens. Graham and Blumenthal's EARN IT Act, a proposal to require that social media firms follow best practices on preventing child abuse. If they don't, they won't get full Section 230 immunity from liability for recklessly allowing the abuse. Nick thinks the idea is ill-conceived and doomed to fail. I think there's a core of sense to the proposal, which simply asks that Silicon Valley firms who are reckless about child abuse on their networks pay for the costs they're imposing on society. Since the bill gives the attorney general authority to modify the best practices submitted by a commission of industry, academic, and civic representatives, though, critics are sure that an evil bogeyman by the name of Bill Barr will effectively prohibit end-to-end encryption.

But before we get to that that debate, Gus Hurwitz and I unpack the law and tactics behind Facebook's decision to pay $550 million to settle a facial recognition class action. And Klon Kitchen and Nick ponder the shocking corruption and coverup alleged in the case of a Harvard chemistry chairman being prosecuted for hiding the large sums he was getting from the Chinese government to boost its research into nanomaterials.

Klon also gives us a feel for just how hard it can be to enforce Iranian sanctions, and the creativity that went into one Iranian app developer's evasion scheme.

Gus and Nick offer real hope that robocalling will start to get harder, and soon: DOJ has requested restraining orders to stop telcos from facilitating fraudulent robocalls; the FTC has put 19 VoIP providers on notice for facilitating robocalls; and SHAKEN/STIR is slowly making it harder to spoof a phone number.

Gus asks a question that had never occurred to me, and certainly not to millions of homeowners who may have committed inadvertent felonies by installing Ring doorbell cameras. It turns out that Ring recordings may be illegal intercepts in states with all-party consent laws. At least that's what one enterprising New Hampshire defense lawyer is arguing.

First it cocks a snook at Brussels, and now this: The UK government is really on a roll. It's proposing an IoT security law that Nick endorses with enthusiasm. Maryland, not so much: Klon critiques a proposed state law that would make ransomware illegal – and maybe ransomware research, too.

In dog-bites-man news, the United Nations has suffered a breach – probably by a semi-competent government. Which doesn't narrow things down much, since as Nick observes, everyone but the Germans has probably pwned the UN. And the Germans are just being polite.

A lot of old stories have come back for one more turn on stage: The Russian hacker that the Russian government was afraid would sing if extradited to the US has pleaded guilty and is probably singing already. Avast has killed Jumpshot, its much-criticized data collection operation. The Bezosphone Saga continues, as Sen. Chris Murphy calls on the DNI and FBI to investigate the hacking allegations, and Bezos's girlfriend's brother is suing for defamation. Charges against the Iowa courthouse pentesters have finally been dropped. LabMD's Mike Daugherty should probably hang up his cleats. He won a great victory over the FTC, but his racketeering suit against Tiversa and lawyers is officially time-barred. Finally, it turns out that the FBI has been investigating NSO Group since 2017, though without bringing charges, so far.

Download the 298th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of our institutions, clients, friends, former friends, spouses, children, or pets.

This episode features an interview on the Bezos phone hacking flap with David Kaye and Alex Stamos. David is the UN Special Rapporteur and clinical professor of law at UC Irvine who first drew attention to an FTI Consulting report concluding that the Saudis did hack Bezos' phone. Alex is director of the Stanford Internet Observatory and was the CSO at Facebook; he thinks the technical case against the Saudis needs work, and he calls for a supplemental forensic review of the phone. 

In the news, Nate Jones unpacks the US-China "phase one" trade deal and what it means for the tech divide.

Nick Weaver and I agree that the King County (Seattle) Conservation District's notion of saving postage by having everyone vote by phone is nuts. Nick in particular reacts as you'd expect him to. Although, frankly, if anyone deserves to have Putin choose their local government, it's Seattle. He could hardly do a worse job than Seattle voters have.

Nate talks about the profound hit the credibility of the FISA process has taken as a result of the Justice Department admitting that two of four Carter Page warrants were invalid. Among other things, it opens FISA to a kitchen sink full of crazy  proposals for handcuffing national security wiretaps. Like this one from Sen. Ron Wyden and Sen. Steve Daines (who should know better).

Brazil has charged Glenn Greenwald with "cybercrimes" on evidence that would be thin at best in the US, Nate argues. Nick agrees and is only sad that the Bolsonaro government has put him in the position of defending the unspeakably unpleasant Greenwald.

Google is redesigning its search results again, blurring even further the line between ads and organic results. Living up to its new motto ("Don't be caught being evil"), Google announces that it's just testing its design, and everyone should chill. Nick and I are skeptical that A/B testing will tell Google anything other than which redesign fools consumers most effectively and thus makes more protection money for Google.

And speaking of protection money, this episode was not brought to you by Avast, the company that probably would have paid the most not to be mentioned on the podcast this week. Because they've been caught getting largely uninformed consent to the monitoring of their customers' Web activities – right down to their porn preferences.

Download the 297th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the participants' institutions, clients, friends, spouses, children, or pets.

This week’s episode includes an interview with Bruce Schneier about his recent op-ed on privacy. Bruce and I are both dubious about the current media trope that facial recognition technology was spawned by the Antichrist. He notes that what we are really worried about is a lot bigger than facial recognition, and he offers ways in which the law could address that deeper worry. I’m less optimistic about our ability to write or enforce laws designed to restrict use of personal information , which after all gets cheaper to collect, to correlate, and to store every year. It’s a good, civilized exchange.

The News Roundup is a little truncated due to a technical failure. (It was a glitch in Zencastr for those of you keeping score, and I definitely am). As a result, we lost Nick Weaver’s audio for about half the program, including a hammer and tongs debate with me over Apple’s fight with the FBI. (But never fear, opportunities for that debate come by about as often as the Red Line comes to Dupont Circle.) 

That said, it’s still a feisty episode. It begins with Michael Vatis teeing off on the California Consumer Privacy Act, the worst-drafted law he’s worked with in over 30 years of practice – and not much better on policy grounds.

We then return to Illinois’s recent law regulating AI hiring interviews systems like HireVue, and sparks fly again as Mark MacCarthy and I mix it up over allegations of AI “bias.” (I’m a skeptic, to put it mildly.) 

Matthew Heiman covers the surprisingly thin claim that the GRU has phished its way into Burisma Holdings. And Nick comments on (yet another!) Italian surveillance tech firm getting into trouble by misusing its capabilities. 

Not-so-Big Tech has begun asking Congress for antitrust help against Big Tech. Mark is skeptical; I’m a little less so.

Matthew and I compliment frequent contributor David Kris on his speed in delivering an amicus report on the FBI’s Horowitz reforms -- between one Cyberlaw Podcast episode and the next – and before his Congressional critics can even finish a letter questioning his appointment. One lingering, and possibly salutary, effect of the kerfuffle is that some good questions are now being directed at the FISA Court itself, asking why it didn’t do a better job of policing the Carter Page excesses. 

Mark reports on an unusual effort by Europe’s chief privacy officer to exempt academic researchers from strict compliance with data protections laws. Privacy law, as I've said for years, is all about privileging the powerful, and academics qualify, so of course they deserve a data protection exemption.

In quick hits, Matthew notes that Erdogan has bowed to the Turkish Supreme Court and reinstated access to Wikipedia. He also reports on the U.S. Department of the Interior permanently grounding its drone fleet over spying concerns. Nick chuckles over China’s APT 40 getting doxxed, and we both give credit to NSA’s Anne Neuberger for disclosing and enabling the patch by Microsoft of a major vulnerability in the Crypt32 library. Finally, I predict that Clearview will be sued for violating terms of service to obtain the facial recognition data it uses to provide identification services to law enforcement. Because privacy law is all about protecting the privileged, and crime victims don't qualify.

Download the 296th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of our institutions, clients, spouses, families, or pets

There’s a fine line between legislation addressing deepfakes and legislation that is itself a deep fake. Nate Jones reports on the only federal legislation addressing the deepfake problem so far. I claim that it is well short of a serious regulatory effort – and pretty close to a fake itself.

In contrast, India seems serious about imposing liability on companies whose unbreakable end-to-end crypto causes harm, at least to judge from the howls of the usual defenders of such products. David Kris explains how the law will work. I ask why Silicon Valley gets to impose the externalities of encryption-facilitated crime on society when we’d never let Big Tech leave us with the tab for water or air pollution just because their products are so cool. In related news, the FBI may be turning the Pensacola military terrorism attack into a slow-motion replay of its San Bernardino fight with Apple, this time with more top cover (and probably better lawyering).

Poor Nate seems to draw all the fake legislation in this episode. He explains a 2020 appropriations rider requiring the State Department to report on how it issues export licenses for cyber espionage capabilities; this is a follow-up to investigative reporting on the way such capabilities ended up being used against human rights activists in the UAE. As we agree, it’s an interesting and likely unsolvable policy problem, so the legislation opts for the most meaningless of remedies, requiring the Directorate of Defense Trade Control to report “on cybertools and capabilities licensing, including licensing screening and approval procedures as well as compliance and enforcement mechanisms” within 90 days.

Nate also gets to cover some decidedly un-fake requirements in the 2019 NDAA limiting how defense contractors can use Chinese technology. The other shoe is about to drop, and if the first one was a baby shoe, the second is a Clydesdale’s horseshoe.

It’s hard to call it fake, but the latest export control rule restricting sales of AI could hardly be narrower. Maury Shenk and I speculate that this is because a long-term turf war has broken out again in export control policy circles. Maury’s money is on the business side of that fight, and the narrowness of the AI rule gives weight to his views.

And here’s some Christmas cheer for DOJ and national security officials: A federal district court put a lump of coal in Fast Eddie Snowden's stocking, denying him royalties from a book that violated his nondisclosure agreement. Nate thinks it’s safe for me to buy a copy, but I’m waiting for appellate confirmation.

Less festive news comes from the European Court of Justice’s advocate general opinion in Schrems II, a case that could greatly complicate EU-US data transfers by purporting to put Europeans in charge of how the US defends itself from terrorism. Maury explains; I complain.

David unpacks with clarity a complex Second Circuit decision on the constitutionality of FISA 702 collection. On the whole, Judge Lynch did a creditable job with a messy and unprecedented set of claims, though I question the wisdom of erecting a baroque mansion of judge-made limits on a slippery and narrow foundation like the Fourth Amendment’s requirement that searches be “reasonable.”

And in short hits:

• Maury tells us that Italy has imposed a French-style revenue tax on Internet companies.
• The Russians claim to have successfully found a way to disconnect from the Internet. Now if we could only get them to stay that way.
• Illinois has a new, mostly fake law imposing modest regulations on the use of AI in video job interviews.
• The TRACED Act rises above fakeness in attacking robocalls but just barely.
• And the FAA released an NPRM calling for a pretty serious requirement for remote ID of drones.

Finally, to put everyone back in the Christmas spirit, LabMD won nearly a million dollars in fees from the Federal Trade Commission for the FTC’s bullheaded pursuit of the company despite the many flaws in its case. The master’s opinion makes clear just how badly the FTC erred in hounding LabMD.

Download the 295th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect those of their spouses, children, clients, firms, or institutions. 

In this special edition of the Cyberlaw Podcast, we’ve convened a panel of experts on intelligence and surveillance law to examine the many failings of the Crossfire Hurricane investigation of the Trump campaign and Russian influence. We unpack the Department of Justice Inspector General’s report on the FBI’s use of FISA, undercover operatives, and the Bureau's many errors in the high-stakes matter. We also ask what can be done to cure what ails the FBI -- including the IG's recommendations, FBI Director Wray’s response, and a public order issued by the Foreign Intelligence Surveillance Court. 

If you're looking for a single episode to make sense of the investigation and its faults, you can't do better than to listen to our team of FISA aficionados. Joining me on the panel:

• Bob Litt, former general counsel of the Office of the Director of National Intelligence.
• David Kris, who wrote the book on FISA and previously headed the DOJ’s National Security Division, which is responsible for FISA warrants.
• Bobby Chesney of the University of Texas School of Law, as well as a founder of Lawfare and co-host of the National Security Law Podcast.

And with that, the Cyberlaw Podcast is going on hiatus for the holidays. We’ll be back in January with more insights into the latest events in technology, security, privacy, and government.

Download the 294th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, family and (mostly former) friends.

This week Maury Shenk guest hosts the podcast and takes us on a world tour of computer insecurity.

Even with a "phase one" trade deal with China apparently agreed, there's of course plenty still at stake between China and the US in the tech space. Nate Jones reports on the Chinese government order for government offices to purge foreign software and equipment within three years and the plans of Arm China to develop chips  using “state-approved” cryptography. Nick Weaver and Maury agree that, while there are some technical challenges on this road, there's a clear Chinese agenda to lose dependency on US suppliers. 

In the Department of Hacking, the aptly-named Plundervolt allows hackers to steal data using the power supply of Intel chips. The immediate hole has been closed, but Nick thinks the hack suggests bigger problems for Intel down the road. We also discuss Apple's flirtation with the using DMCA to get Twitter to de-tweet an encryption key compromising a less-than-critical aspect of iPhone 11 security, and Maury reporte on an 11th Circuit decision on insurance coverage for losses from spear-phishing.

Maury points out that it's not just the EU that is going after Big Tech. Amazon's new-ish Ring subsidiary seems to have scored a couple of own-goals with privacy and security practices for its smart doorbells – Nick explains in detail. And Maury relates the Wall Street Journal report that the FTC is considering seeking an injunction of Facebook app integration, and the big 7.5% tax that Turkey will levy on digital services beginning in March.

Finishing up in the Gulf, we look at a “very big” cyberattack on Iranian banks that the Iranian government claims is state-sponsored. Nate doubts intimations that the US is involved, and we agree that political and commercial motives are difficult to disentangle in this type of attack. Across the Strait of Hormuz, we explore the involvement of former counterterrorism czar Richard Clarke in helping the United Arab Emirates build its DREAD (who thought that was a good name?) counterterrorism unit and the policy implications and slippery slope of allowing US expertise to be used for such efforts.

Download the 293rd Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of participants' firms, clients, institutions, families, or pets.

The apparent terror attack at Naval Air Station Pensacola spurs a debate among our panelists about whether the FISA Section 215 metadata program deserves to be killed, as Congress has increasingly signaled it intends to do. If the Pensacola attack involved multiple parties acting across US borders, which looked possible as we taped, then it would be just about the first such attacks since 9/11 – and exactly the kind of attack the metadata program was designed to identify in advance. Now may not be the best time to dump it, after all.

Nick Weaver tells us that China has resurrected the Great Cannon to attack a popular Hong Kong forum for protesters. The Cannon depends on users from outside China connecting without TLS to Chinese sites. I ask why Google hasn’t started issuing warnings to Web users before letting them cross the Great Firewall without enabling HTTPS. That could spike the Great Cannon, but Google employees are too busy complaining about the United States government, I suggest. Meanwhile, Microsoft is working hard to make GitHub, an early Great Cannon victim, an essential part of China’s IT infrastructure. Remarkably, we verify in real time that, despite the lure of the Chinese market, Microsoft has apparently not told GitHub to dump the content that offended the Chinese government.

In more China news, the trial lawyers are circling TikTok as though it were a wounded wildebeest on the veldt. A California class action alleges that TikTok harvested and sent data to China, and an Illinois class action charges the company with violating COPPA by marketing to children without sufficient privacy safeguards.

Paul Rosenzweig and I dig deep into the 20-year history behind DHS's now-abandoned proposal to conduct airport facial scans on US citizens leaving the country. We reach broad agreement that this is one of the rare privacy versus national security debates in which there’s precious little privacy or national security at stake.

Matthew Heiman lays out the remarkable international food fight over taxes on digital business. USTR is threatening big tariffs on French wine to counter France’s digital tax. Spain is apparently eager to join France in the fight. And the effort to work everything out at the OECD, where the EU has a 20-1 voting advantage over the US, has predictably not worked out well from the US point of view.

Cue the white cat: The United States has actually imposed sanctions on an entity called “Evil Corp.” SPECTRE was apparently unavailable. Nick explains. This is part of criminal charges against two highly effective Russian bank hackers – and arguably a confession of weakness on the US government’s part.

Meanwhile, Amazon’s efforts to avoid tort liability for third-party sales on its site look to be suffering a long strategic defeat in the courts. The latest example is a Sixth Circuit ruling allowing plaintiffs to pursue product tort claims against the Internet giant.

I offer a quick update and some rare kind words for Nancy Pelosi, who is calling for modification of the North American free trade deal to drop the provision turning Section 230 of the Communications Decency Act into international law. This provision has garnered genuinely bipartisan opposition, so perhaps she’ll prevail.

Paul gets stuck explaining two dog-bites-man stories. The FBI says any Russian app could be a counterintelligence threat. Well, what else would they say? And the European Commission, when asked what US regulation of encryption would mean for Europe, says more or less that the EU may have to escalate from eyebrow-lifting to throat-clearing.

Nick closes the program with advice about the new Android exploit that works (in the right circumstances) to compromise apps running on a fully patched and up-to-date Android phone.

Download the 292nd Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Algorithms are at the heart of the Big Data/machine learning/AI changes that are propelling computerized decision-making. In their book, The Ethical Algorithm, Michael Kearns and Aaron Roth, two Computer Science professors at Penn, flag some of the social and ethical choices these changes are forcing upon us. My interview with them touches on many of the hot-button issues surrounding algorithmic decision-making.

I have long suspected that much of the fuss over bias in machine learning is a way of smuggling racial and gender quotas and other academic social values into the algorithmic outputs. Michael and Aaron may not agree with that formulation, but the conversation provides a framework for testing it – and leaves me more skeptical about claims that “AI bias" is the problem it's been portrayed.  

Less controversial, but equally fun, is our dive into the ways in which Big Data and algorithms defeat old-school anonymization – and the ways in which that problem can be solved. The cheating husbands of Philadelphia help me understand the value and technique of differential privacy.

And if you wondered why, say, much of the social science and nutrition research of the last 50 years doesn’t hold up to scrutiny, blame Big Data and algorithms that reliably generate a significant correlation once in every 20 tries.

Michael and Aaron also take us  into the unexpected social costs of algorithmic optimization. It turns out that a recommendation engine that produces exactly what we want, even when we didn’t know we wanted it, is great for the user, at least in the moment, but maybe not so great for society. In this regard, it's a little like creating markets in areas once governed by social norms. The switch to market pricing instead of societal mores often optimizes individual choice but at considerable social cost. It turns out that algorithms can do the same – optimize individual gratification in the moment while roiling our social and political order in unpredictable ways. We would react badly to a proposal that dating choices be turned into more efficient microeconomic transactions (otherwise known as prostitution) but we don’t feel the same way about reducing them to algorithms.

Maybe we should.

Download the 291st Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

This Week in the Great Decoupling: The Commerce Department has rolled out proposed telecom and supply chain security rules that are aimed at but never once mention China. Acually, what the Department rolled out was more a sketch of its preliminary thinking about proposed rules. Brian Egan and I tackle the substance and history of the proposal and conclude that policymakers are still fighting each other about the meaning of a policy they've already announced.

And to show that decoupling can go both ways, a US-based chip-tech group is moving to Switzerland to reassure its Chinese participants. Nick Weaver and I conclude that there’s a little less here than Reuters seems to think.

Mark MacCarthy tells us that reports of UChicago weather turning sunny and warm for hipster antitrust are probably overdone. Even so, Silicon Valley should be at least a little nervous that Chicago School enforcers are taking a hard look at personal data and free services as sources of anti-competitive conduct.

Mark highlights my favorite story of the week, in which the Right to be Forgotten discredits itself in, where else, Germany. Turns out that you can kill two people and wound a third on a yacht in the Atlantic, get convicted, serve 20 years, and then demand that everybody just forget it happened. The doctrine hasn’t just jumped the shark. It’s doubled back and put a couple of bullets in the poor shark for good measure.

Nick explains why NSA is so worried about TLS inspection. And delivers a rant on the bad cybersecurity software that makes NSA's worries so plausible.

It’s been a bad week for TikTok, which was caught blocking an American Muslim teen who posted about Uighurs in China and offered an explanation that was believable only because US social media companies have offered explanations for their content moderation that were even less credible. I suggest that all the criticism will just lead to social media dreaming up more and sneakier ways to downgrade disfavored content without getting caught. Brian tells us how the flap might affect TikTok’s pending CFIUS negotiation.

Nick ladles out abuse for the bozo who thought it was a good idea to offer Kim Jong Un’s cyber bank robbers advice on using cryptocurrency to avoid sanctions. Brian points out that the prosecution will have to tiptoe past the First Amendment.

Senate Democrats have introduced the Consumer Online Privacy Rights Act, an online privacy bill with an unfortunate acronym (think fossilized dinosaur poop). Mark and I conclude that the bill is a sign that Washington isn’t going to do privacy before 2021.

Who can resist GPS crop circle spoofing by sand pirates? Not Nick. Or me. Arrrr.

I update our story on DHS’s CISA, which has now issued in draft its binding operational directive on vulnerability disclosure policies for federal agencies. It’s taking comments on GitHub; Nick approves.

And in quick hits: The death of the Hippie Internet, part 734: Apple changes its map to show Crimea as Russian, but only for Russians. And part 735: Facebook accepts "fake news" correction notice from the Singapore government. Our own Paul Rosenzweig will be an expert witness in the government’s prosecution of the Vault 7 leaker;. And Apple’s bad IT cost it $467,000 for sanctions violations; I ask whether we should be blaming Scooby-Doo for the error.

Join Steptoe for a complimentary webinar on Tuesday, December 10. We’ll be talking about the impacts on retailers of the newly implemented California Consumer Privacy Act and the EU’s General Data Protection Regulation. This is a fast-moving area of the law; we can keep you up to date. You can find out more and register here.

Download the 290th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the speakers' families, friends, former friends, clients, or institutions. Or spouses.  I've been instructed to specifically mention spouses.