Skating on Stilts

Here's my favorite story from this episode: David Kris told us about a report from the Privacy and Civil Liberties Oversight Board that spelled out the enormous value that European governments have gotten in their fight against terrorism from the same American surveillance programs that European institutions have been trying for twenty years to shut down.  The PCLOB report is a delightful takedown of European virtue-signaling, and I hope the Biden Administration gives the PCLOB a new name and mission in honor of the report.

The news roundup actually begins with a review of the US-China tech relationship and how it might change under a Biden administration. The Justice Department has given itself a glowing report card for its contribution to decoupling – by opening a new China-related counterintelligence case every 10 hours. I ask how long this can go on before China starts arresting American businessmen – something that will surely kick off another round of decoupling.

Speaking of decoupling, the latest legislation aimed at prison labor in China may be getting uncomfortably close to Apple, which is quietly lobbying to water down a bill that is expected to pass soon by overwhelming majorities. Megan Stifel and I conclude that the provision that probably scares Apple most is an obligation to make representations about whether the company’s products include parts made with prison labor. That is increasingly difficult to figure out as China has limited audits for such purposes, putting Apple in a tight spot. Sympathy for Tim Cook, however, is in short supply from our panel.

Speaking of legacy burnishing, the Trump White House has issued its own set of guidelines for federal agencies using artificial intelligence. Nick Weaver thinks they're actually not bad – light touch on most topics – which may be the nicest thing he’s said about a product of this White House in four years. Sticking with AI, Nick comments on the prospect for putting humans in the loop of AI decision making.  He thinks that’s a recipe for lousy AI, and that campaigns to get a “Human in the Loop” for lethal systems have already lost the technology fight. At best, he suggests, we can hope to have our poky old brains “on the loop” in future AI conflicts.

Some good news:  An IOT security bill that Megan and I both like (Megan more than I) has passed both houses of Congress and been sent to the President for signature. It only sets standards for the IOT that the federal government buys, but that’s a good first step.

As a former NSAer, I explain “GCHQ envy” to David, and he provides the latest reason why it should be rampant at the Fort this year, as the agency introduces a new offensive cyber unit to take on organized crime and hostile states.

David also takes on the question whether there’s a legal problem with the U.S. military buying location data from apps companies.  Short answer: Nope.

Megan explains a now-patched Facebook Messenger bug that would have allowed hackers to listen in on users. Nick tells us why the FBI needed to hire robots to retrieve sensitive files. Megan gives us some staggering statistics about the prevalence of ransomware. Hint: if you thought COVID-19 was a pandemic, you ain’t seen nothin’ yet. And I give a quick summary of the TikTok and WeChat ban litigation, where the government is unlimbering a host of new technical arguments.

I take a moment to give a shoutout to Sean Joyce, whose principles led him to walk away from what is probably going to be serious money when Airbnb goes public. The company’s leadership hired him as chief trust officer. Taking trust seriously, he argued for limits on when and how much data about individual users the company gave to the Chinese government.  But the debate reportedly ended when one of the founders declared, “We’re not here to promote American values.” That's not a good look for Airbnb, but the incident says a lot about Joyce, who left the company within weeks because he didn't share its principles.

And, finally, it turns out that the FCC is in its last weeks of Trump legacy burnishing; facing a deadline in January 2020, it had to choose between starting to write regulations about the scope of section 230 and dealing with foreign products in the 5G infrastructure.  It chose 5G.

And more.

Download the 339^th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

This week sees yet another Trump administration initiative to hasten America's decoupling from China. As with MIRV warheads, the theory seems to be that if you launch enough of them, the next administration can't shoot them all down.  Brian Egan lays out this week's initiative, which lifts from obscurity a DoD list of Chinese military companies and excludes the companies from U.S. capital markets. 

Our interview is with Frank Cilluffo and Mark Montgomery. Mark is Senior Fellow at the Foundation for Defense of Democracies and Senior Advisor to the congressionally mandated Cyberspace Solarium Commission. Previously, he served as Policy Director for the Senate Armed Services Committee under Senator John S. McCain—and before that served for 32 years in the U.S. Navy as a nuclear trained surface warfare officer, retiring as a Rear Admiral in 2017. Frank is director of Auburn University's Director of Auburn University's McCrary Institute for Cyber and Critical Infrastructure Security. He served on the Cyberspace Solarium Commission and chaired the Homeland Security Advisory Council's subcommittee on economic security.

We talk about the unexpected rise of the industrial supply chain as a national security issue. Both Frank and Mark were moving forces in two separate reports highlighting the issue, as was I. (See also my op-ed on the same topic.) So, if we seem suspiciously in agreement on supply chain issues, it's because we are suspiciously in agreement on supply chain issues. Still, as an introduction to one of the surprise hot issues of the year, it's not to be missed.

After our interview in episode 336 of a Justice Department official on how to read Schrems II narrowly, you knew it was only a matter of time before we heard from Europe. Charles Helleputte reviews the European Data Protection Board's effort to give more authoritative and less comfortable advice to U.S. companies that want to keep relying on the standard contractual clauses. The Justice Department take on the topic manages to squeak through without a direct hit from the privacy bureaucrats.  Still, the EDPB (and the EDPS even more so) makes clear that anyone following the DOJ's lead is in for an uphill fight. (For those who want more of Charles's thinking on the topic, see this short piece.)

Zoom has been allowed to settle an FTC proceeding for deceptive conduct (claiming that its crypto was end to end when it wasn't, and more). Mark MacCarthy gives us details.  I throw shade on the FTC's failure to ask any serious national security questions about a company that deserves some. 

Brian brings us up to speed on TikTok.  Only one of the Trump administration penalties remains unenjoined. My $50 bet with Nick Weaver -- that CFIUS will overcome the judicial skepticism that IEEPA could not -- is hanging by a thread. Casey Stengel makes a brief appearance to explain why TikTok might win. 

Brian also reminds us that export control policymaking is even slower and less functional on the other side of the Atlantic, as Europe tries, mostly ineffectively, to adopt stricter limits on exports of surveillance tech. 

Mark and I admire the new Aussie critical-infrastructure cybersecurity initiative, for its clarity if not for its likely political appeal. 

Charles explains and I decry the enthusiasm of European courts for telling Americans what they can say and read on line, as an Austrian court tells Facebook to take down worldwide the description of an Austrian politician as belonging to a "fascist party." Apparently, we aren't allowed to say that political censorship is what members of a fascist party tend to advocate; but don't worry about our liability; we can't pronounce the plaintiff's name.  

So, in retrospect, how did the United States do in policing all the new cyberish threats to the 2020 election? 

• Brian gives the government credit for preventing foreign interference. I question the whole narrative of foreign interference, which didn't have much effect in 2016 or 2020 (other than the hack and dump operation against the DNC) but did align conveniently with Democratic messaging in both years (Hillary only lost because of the Russians! Ignore Trump's corruption allegations because they're just more Russian interference!).
• Mark and I wonder what Silicon Valley thinks it's accomplishing with its extended bans on political advertising after the election.  After all, it's almost always election season somewhere (see, e.g., Georgia).
• DHS's CISA did produce a detailed rumor control site that helped correct misunderstandings -- but may have corrected one too many of the President's tweets.  In consequence, Under Secretary Chris Krebs, familiar to Cyberlaw Podcast listeners, may be on the chopping block. That would be a shame for DHS and CISA; for Chris it's probably a badge of honor. Frank Cilluffo and Mark Montgomery weigh in with praise for Chris as well.

And more.

Download the 338th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

An excerpt from my latest Washington Post article:

The report of the Homeland Security Advisory Council will be posted here under Recommendations. The Cyberspace Solarium paper is here.

This episode's interview with Dr. Peter Pry of the EMP Commission raises an awkward question: Is it possible that North Korea already has enough nuclear weapons to cause the deaths of hundreds of millions of Americans -- by permanently frying our electrical infrastructure with a single high-altitude blast?  And if he doesn't, could the sun accomplish pretty much the same thing?  The common factor in both scenarios is EMP – electro-magnetic pulse. We explore the problem in detail, from the capabilities of adversaries to the controversy that has pitted Dr. Pry and the EMP Commission against the power industry and the Energy Department, which are decidedly more confident that the US would withstand a major EMP event. And, for those disinclined to trust those sources, Dr. Pry offers a few tips on how to make it more likely that your systems will survive an EMP.

In the news, the election turned out not to be hacked, not to be violence-plagued, and not to be the subject of serious disinformation. That didn't stop Twitter and YouTube from overreacting when a leftie hate-object, Steve Bannon, used hyperbole ("heads on pikes") to express his unhappiness with Dr. Fauci. Really, Twitter's Trust and Safety operation is so blinkered it can't be fixed and should be nuked from orbit.  Oh, wait, there goes my Twitter account and my YouTube career!

In legal tech news, Michael Weiner explains what's at stake in the Justice Department's antitrust lawsuit challenging Visa's $5.3 billion acquisition of Plaid. I wonder if that means the Department is out of antitrust-litigating ammo.  And it might be, except that you can buy a lot of ammo with $1 billion worth of Silk Road bitcoins, now being claimed by the US. Sultan Meghji says the real question is why it took the U.S. so long to lay claim to the coins.

 Just when private companies have come up with plans to comply with California's privacy law, the voters there change everything.  Well, maybe not everything.  It looks, Dan Podair suggests, as though compliance with the new CPRA will mostly involve complying with the old CCPA plus a whole bunch more. Meanwhile, I'm fascinated by the idea that California initiatives can say, "Oh, and by the way, this law can only be amended to make it more demanding." 

 We bring Michael back to the conversation to brief us on the FTC's plan to launch an antitrust case against Facebook using its own administrative law judges to hear the evidence. Michael admits that some might call that a kangaroo court; I suggest that LabMD's Mike Dougherty be called as an expert witness.

 Sultan and I note the ongoing failure of media and rights groups to successfully toxify facial recognition technology; now it's been used to identify a "mostly peaceful" protestor who allegedly took a break from peacefulness to punch a cop.  And it's hard to argue with using face recognition when it confirms a picture ID the suspect left behind in Lafayette Square. 

 Next, Sultan and I take on Toxification II, the campaign to make people believe that racist artificial Intelligence is a thing. Poorly trained AI is definitely a thing, Sultan argues, but that doesn't make for the same kind of story.

 Charles Helleputte analyzes the latest rumor that the EU is planning to prohibit end-to-end crypto. He notes that the EU is also pursuing more infrastructure security and wonders whether the two initiatives can be sustained together.

It turns out that other people on Zoom can, in theory and under the right conditions, guess what you're typing.  It's one more reason to be careful about webcams and security. I make the sort of cheap Jeffrey Toobin joke you've come to expect from me.

 And more.

Download the 337th Episode (mp3)

Music by Weissman Sound Design. You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Our interview this week is a deep dive into the mess created by the EU Court of Justice in Schrems II – and some pretty good ideas for how companies might avoid the mess, courtesy of a U.S. Government white paper. I interview Brad Wiegmann, Senior Counselor for the National Security Division at the US Department of Justice about the white paper. We cover a host of arguments and new facts that may help companies navigate the wreckage of Privacy Shield and preserve the standard corporate clauses they’ve relied on for transAtlantic data transfers. And, yes, the phrase “hypocritical European imperialism” does cross my lips.

In the news, we can’t let election eve pass without a look at all the election security threats and countermeasures now being deployed.  I argue that the election security threat is the second coming of Y2K – a threat that is almost certainly an overhyped bogeyman, but one we can’t afford to ignore.  Jamil Jaffer and Pete Jeydel push back. Silicon Valley’s effort to ensure that no one questions the legitimacy of a Biden victory also comes in for some criticism on my end – and is defended by Nate Jones. My nomination for Flakiest Silicon Valley Election Security Techno-nostrum is the banning of post-election political ads. That just guarantees that speech about the election will default to the biggest “organic” voices on the internet and to the speech police at each platform. Or was that the intent?

Confused about all the TikTok and WeChat litigation? It's pretty simple, really: the US hasn’t won a single case, and it’s gone down hard in three separate opinions, the latest by US District Judge Beetlestone of Philadelphia. This could be Trump Derangement at work, but the fact is that the Chinese platforms have a plausible argument that Congress prohibited the use of IEEPA to "indirectly regulate" distribution of speech. Banning a social platform might seem to fit within that prohibition, but the result is crazy: it implies that TikTok could replay all the Russian election interference memes from 2016, and the government would be helpless to stop it. On appeal, we may see the courts taking a broader view of the equities. Or they may be tempted to say, “Well, Congress screwed this up, let Congress unscrew it.” 

Nate and I try to sum up what we learned from the social media speech suppression hearing on the Hill. Nate sees no common ground emerging despite wide unhappiness with Silicon Valley’s role in regulating speech. I am more optimistic that a Congress looking to make progress could agree on first steps toward transparency practices on the platforms. The companies themselves seem to have decided that this is table stakes as they strive to avoid worse. 

Nate gives us a quick view of the platform speech debate in Europe.  My summary: Silicon Valley is already incentivized by EU law to oversuppress; now they’re asking for immunity when they oversuppress, which means, of course, even more suppression. 

In quick hits, Pete talks about the ransomware threat to US health care. Nate explains the tensions between law enforcement and intelligence in Canada. And Pete tells us why fertility clinics are the latest national security concern for CFIUS. 

And more!

Download the 336th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

In this episode, I interview Rob Knake, Senior Fellow at the Council on Foreign Relations, about his recent report, "Weaponizing Digital Trade -- Creating a Digital Trade Zone to Promote Online Freedom and Cybersecurity." The theme of the report is what the US can salvage from the wreckage of the 1990s Magaziner Consensus about the democratizing and beneficent influence of an unregulated Silicon Valley. I suggest that, when you're retreating from global ambition to a battered band of democratic nations, talking about "weaponization"  is delusional; what the paper really proposes is a kind of "Digital Dunkirk." Rob and I proceed to disagree about the details but not the broad outlines of his proposal.

In the news roundup, we finally have a Google antitrust complaint to pore over, and I bring Steptoe's Michael Weiner on to explain what the complaint means. Bottom line: it's a minimalist stub of a case, unlikely to frighten Google or produce structural changes in the market -- unless a new administration (or a newly incentivized Trump Justice Department) keeps adding to the charges as the investigation wears on.

Speaking of Justice Department filings that serve up less than meets the eye, DOJ has indicted GRU hackers for practically every bad thing that has happened on the internet in the last five years, other than the DNC hack. (In fact, I lost an unsaved Word document in 2017 that I'm hoping will be added to the charges soon.) The problem, of course, is that filing the charges is the easy part; bringing these state hackers to justice is so hard as to be more or less inconceivable.  So one wonders (along with Jack Goldsmith) whether a policy that requires a stream of indictments for all the cyberattacks on the US and its allies is a wise use of resources. Maury Shenk thinks it might be, at least as a way of demonstrating US attribution capabilities, which are indeed impressively showcased in the indictment.

While we're on the subject of questionably effective US retaliation for cyberattacks, Maury notes that the Treasury Department has imposed sanctions on the unpronounceable Russian institute, TsNIIKhM, that seems to have developed the industrial control malware that caused massive outages in Saudi Arabia and that may still be planted in US energy systems as well. Again, no one doubts that heavy penalties should be imposed; the question is whether these penalties will actually ever reach TsNIIKhM.

In another law enforcement action against cyberattacks, Nick Weaver celebrates the German government's dawn raid on spyware exporter, FinFisher. And Maury expresses modest hope for Facebook's Oversight Board now that it has started reviewing content moderation cases. Color me skeptical.

Now that we've seen the actual complaint, Nick has his doubts about Microsoft's legal attack on Trickbot. It may be working, he says, but why is Microsoft doing something that the FBI could have done? I pile on, raising questions about the most recent legal theory Microsoft has rolled out in support of its proposed remedies.

Finally, in quick hits:  I hum a few bars from "John Henry" in response to a Bloomberg story suggesting that CEOs are successfully beating the AI engines parsing their analyst calls and trading on the results. Maury then debunks the parts of the story that made it fun, but not before I've asked whether Spinal Tap was decades ahead of its time in repackaging failure for AI consumption. Maury notes what I predict will be ho-hum Judiciary Committee testimony of Twitter and Facebook CEOs about their suppression of the New York Post "laptop from hell" Hunter Biden story.  I'm much more interested in the Commerce Committee's subpoenaing of contacts between the campaigns and those companies.  Because you just know the campaigns have a whole strategy for working the speech referees of Silicon Valley, and it would be an education to see how they do it.  Nick and I congratulate Edward Snowden on the confirmation that he'll be in Russia forever. And I mock the Portland City Council as well as all the journalists who tried to make face recognition toxic – until it turned out that face recognition might help antifa dox the police.  Suddenly we can't expect to stop the march of technology.

Download the 335th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

This episode features an interview with Ronald Deibert, Professor of Political Science, and Director of the Citizen Lab at the Munk School of Global Affairs & Public Policy, University of Toronto. We talk about his new book, Reset: Reclaiming the Internet for Civil Society. We also talk about the unique Canadian talent for debating with bare-fisted politesse. Ron gets to use that talent often in our discussion of what’s wrong with the technology ecosystem and whether it can be improved by imposing “restraint” on government and the private sector.

In the news roundup, I urge Twitter to bring back the Fail Whale to commemorate its whale of a fail in trying to suppress a New York Post story that is bad news for Joe Biden. It’s a disaster on all fronts, with Twitter unable to offer a satisfactory explanation for its suppression of the news report, or to hold to any particular enforcement policy for more than a day, and it ended with an embarrassing insistence that the Post can’t have its account back until it deletes tweets that Twitter would probably allow the Post to post today.  

And not surprisingly, the episode is encouraging everyone to think that they can do this better than Twitter.  The FCC is going to start work on an effort to add an administrative gloss to section 230. Mark MacCarthy thinks the Commission lacks authority to interpret the provision; I disagree. We do agree that Justice Thomas’s thoughts on section 230 are surprisingly detailed – and make Supreme Court review of the provision a lot more likely. 

Megan Stifel tells us that the ransomware business is getting even more specialized.  Together we wonder if that specialization opens the door to new, even more creative, ways to take down organized cybercrime. 

David Kris notes the pearl-clutching over search warrants that identify a pattern of conduct rather than an individual.  He almost agrees with me that this is just what probable cause looks like in the twenty-first century. 

This week puts on display Europe’s trademarked "Tough Privacy Talk and Slow Privacy Walk" policy approach: David teams with Charles Helleputte to make sense of two data protection rulings in Europe that bring a lot more thunder than lightning to the debate: First, an attack on the privacy standards, such as they are, for online advertiser  real time bidding. Second, the proclamations of France’s top court and its DPA about sending health data to US cloud providers. 

Megan notes two stories that deepen trends we knew were coming: hackers chaining VPN and ZeroLogon bugs to attack US government networks, maybe including election agencies,   and Iranian state hacker group resorting  to ransomware attacks. 

We cover a few updates of past weeks’ stories: The fallout continues from OFAC’s ransomware advisory. (Rumors that the agency will be renamed WTF OFAC are unconfirmed.) And Tik/Chat seems to be settling in for a longer court battle before the government’s arguments start to take hold. (As a bonus, our Cyberlaw grammarian makes a surprise appearance to announce the rule of English usage that prevents TikTok from ever being TokTik). 

In quick hits, we boldly predict that the government will launch an antitrust suit against Google, some day. We speculate on why Tesla’s autopilot AI might be fooled by projected images. And we note New York’s claim that Twitter is systemically important to the nation’s financial system -- which is just about the most 2020 thing I’ve heard in a while.

And more! 

 Download the 334th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! And thanks for our new theme music to Ken Weissman of Weissman Sound Design.

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

In our latest episode I interview David Ignatius about the technology in his latest spy novel, The Paladin. Actually, while we do cover such tech issues as deepfakes, hacking back, Wikileaks, and internet journalism, the interview ranges more widely, from the steel industry of the 1970s, the roots of Donald Trump’s political worldview, and the surprisingly important role played in the Trump-Obama-Russia investigation by one of David Ignatius’s own opinion pieces.

Download the 333^rd Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! Our thanks to Ken Weissman of Weissman Sound Design for the new theme music.  

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

It’s a law-heavy tech news week, so this episode is all news. If you come for the interviews, though, do not fear.  We’ll be releasing episode 333 tomorrow, and it’s all interview, as I talk with David Ignatius about the tech issues in his latest spy novel, The Paladin.

To kick things off in episode 332, Matthew Heiman returns to the podcast; he analyzes a new decision of the Court of Justice of the EU. The CJEU claims in its headline holding to put limits on governments' mass collection of mobile and internet data, but both Matthew and I think the court's footnotes take away much of the doctrine the headlines proclaims – and maybe in a way that will help the US as it tries to work around the CJEU’s foolhardy decision in Schrems II.

Sultan Meghji tells us that Trickbot has attracted the attention of both Cyber Command and Microsoft’s lawyers.  Unfortunately, even that combination isn’t proving fatal, and I wonder whether Microsoft’s creative lawyering has gone a step too far.

The Democrat-controlled House Judiciary Committee has released a blockbuster tech antitrust report. It’s hardly news that Democrats and Republicans on this most partisan of committees disagree about the issue, but Matthew and I are struck by how modest the disagreements are.  In contrast, despite our conservative leanings, Matthew and I manage to disagree pretty profoundly on how antitrust principles should apply to Big Tech.

Sultan, meanwhile, draws the short straw and has to explain the mother of all metaphor bombs that exploded in the Supreme Court during oral argument in Google v. Oracle. It was a discouraging argument for those of us who admire the Justices, whose skills at finding apt metaphors completely failed them. I offer my past experience as a Supreme Court advocate to critique the argument and lay odds on the outcome. (Short version: Google has a nearly 50-50 chance of winning, and the Court has about the same chance of producing a respectable opinion.

Brian Egan joins us to talk about the Justice Department’s sober report on how law enforcement can combat terrorist and criminal use of cryptocurrency.

I claim to have caught Twitter and Facebook in a clear example of improper suppression of conservative (or at least Trumpist) speech, as they suppress as misleading a Trump tweet that turns out to be, well, true.

Brian and I dig into the latest litigation over banning TikChat from US markets. Short version: the Justice Department has filed a strong brief seeking to overturn WeChat’s first amendment protection from the ban. If you’re looking for raw disagreement, listen for Brian coming out of his chair when I start comparing Silicon Valley and Chinese Communist Party net censorship regimes.

Matthew explains why Sweden and Switzerland are fighting over a crypto company widely reported to have been compromised by US and German intelligence fifty years ago.

And for our sensitive male listeners, this may be the point where you turn the podcast off, as I explain the dire consequences of combining bad IOT security and male chastity devices.  Though, come to think of it, an angle grinder would make a pretty effective chastity device by itself.

And more!

Download the 332^nd Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug. Thanks to Ken Weissman of Weissman Sound Design for our theme music.

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

In this episode, Jamil Jaffer, Bruce Schneier, and I mull over the Treasury announcement that really raises the stakes even higher for ransomware victim.  The message from Treasury seems to be that if the ransomware gang is the subject of OFAC sanctions, as many are, the victim needs to call Treasury and ask for a license to pay – a request that starts with a “presumption of denial.”  

Someone has been launching a series of coordinated attacks designed to disrupt Trickbot. Bruce explains.

CFIUS is baring its teeth on more than one front. First comes news that a newly resourced CFIUS staff has begun retroactively scrutinizing past Chinese tech investments. This is the first widespread reconsideration of investments that escaped notice when they were first made, and it could turn ugly. Next comes evidence that the TikTok talks with CFIUS could be getting ugly themselves, as Nate Jones tells us that Treasury Secretary Mnuchin has laid down the elements the US must have if TikTok is to escape a shutdown. None of us think this ends well for TikTok, as China and the US try to prove how tough they are by asking for mutually exclusive structures.

The US government is giving US companies some free advice about how to keep sending their data to the US despite the European Court of Justice decision in Schrems II: First-time participant Charles Helleputte offers a European counterpoint to my perspective, but we both agree that there’s a lot of value in the US white paper. If nothing else, it offers a defensible basis for most companies to conclude that they can use the standard contractual clauses to send data to the US notwithstanding the court’s egregiously anti-American opinion. The court may not agree with the white paper, but the reasoning could buy everyone another three years and might be the basis of yet another US-EU agreement.

The UK seems to be preparing to take Bruce’s advice on regulating IOT security, but he thinks that banning easy default passwords is just table stakes.

Bruce and I once again review the bidding on voting by phone, and once again we agree: No. Just No.

Nate questions the press stories (and FBI director testimony) claiming that the FBI is pivoting to a new strategy for punishing hackers by sending Cyber Command after them. He thinks it’s less a pivot and more good interagency citizenship, which I suspect is still a change of pace for the Bureau.

Bruce and I explore the possibility of attributing exploits to individuals based on their coding style. You might say that their quirks leave fingerprints for the authorities, except that at least one hapless hacker has one-upped them by leaving his actual fingerprints behind in an effort to get himself approved in a biometric authentication system.

And in updates, we note that Microsoft has a new and unsurprising annual report on cyberattacks it has seen; the Senate will be subpoenaing the CEOs of Big Social to talk section 230 in an upcoming  hearing; and the House intel committee has a bunch of suggestions for improving the performance of the intelligence community against evolving Chinese threats.

And more!

Oh, and we have new theme music, courtesy of Ken Weissman of Weissman Sound Design.  Hope you like it!

Download the 331^st Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Our news roundup is dominated by the seemingly endless ways that the US and China can find to quarrel over tech policy.  The Commerce Department’s plan to use an executive order to cut TikTok and WeChat out of the US market has now been enjoined. But the $50 Nick Weaver bet me that TikTok could tie its forced sale up until January is still at risk, because the administration has a double-barreled threat to use against that company – not just the executive order but also CFIUS – and the injunction so far only applies to the first. 

I predict that President Xi is likely to veto any deal that appeals to President Trump, just to show the power of his regime to interfere with US plans. That could spell the end of TikTok, at least in the US. Meanwhile, Dave Aitel points out, a similar but even more costly fate could await much of the electronic gaming industry, where WeChat parent TenCent is a dominant player. 

And just to show that the US is willing to do to US tech companies what it’s doing to Chinese tech companies, leaks point to the imminent filing of at least one and perhaps two antitrust lawsuits against Google. Maury Shenk leads us through the law and policy options.

The panelists dismiss as PR hype the claim that it was the threat of “material support” liability that caused Zoom to drop support for a PFLP hijacker’s speech to American university students. Instead, it looks like garden variety content moderation aimed this time at a favorite of the far left.

Dave explains the good and the bad of the CISA order requiring agencies to quickly patch the critical Netlogon bug. 

Maury and I debate whether Vladimir Putin is being serious or mocking when he proposes an election hacking ceasefire and a “reset” in the cyber relationship. We conclude that there’s some serious mocking in the proposal.

Dave and I also marvel at how Elon Musk, for all his iconoclasm, sure has managed to cozy up to both President Xi and President Trump, make a lot of money in both countries, and take surprisingly little flak for doing so.  The story that spurs this meditation is the news that Tesla is so dependent on Chinese chips for its autonomous driving engine that it’s suing the US to end the tariffs on its supply chain. 

 In quick hits and updates, we note a potentially big story: The Trump administration has slapped new restrictions on exports to Semiconductor Manufacturing International Corporation, China’s most advanced maker of computer chips. 

The press that lovingly detailed the allegations in the Steele dossier about President Trump’s ties to Moscow hasn’t been quite so enthusiastic about covering the dossier’s astounding fall from grace. The coup de grace came last week when it was revealed that the main source for the juiciest bits was flagged by the FBI ten years ago as a likely Russian foreign agent; he escaped a FISA order only because he left the country for a while in 2010. 

 The FISA court has issued an opinion on what constitutes a “facility” that can be tapped with a FISA order. It rejected the advice of Cyberlaw Podcast regular David Kris in an opinion that includes all the court’s legal reasoning but remains impenetrable because the facts are all classified. Maury and I come up with a plausible explanation of what was at stake.

The Trump administration has proposed section 230 reform legislation similar to the white paper we covered a couple of months ago. The proposal so completely occupies the reasonable middle of the content moderation debate that a Biden administration may not be able to come up with its own reforms without sounding fatally similar to President Trump. 

And in yet more China news, Maury and Dave explore the meaning of Nvidia’s bid for ARM, and Maury expresses no surprise at all that WeWork is selling off a big chunk of its Chinese operations 

Oh, and we have new theme music, courtesy of Ken Weissman of Weissman Sound Design.  Hope you like it!

Download the 330th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

John Yoo, Mark MacCarthy, and I kick off episode 329 by jumping with both feet into the cyberspace equivalent of a dumpster fire. There is probably a pretty good national security case for banning TikTok. In fact, China made the case a lot better than the Trump administration when it declared, "You know that algorithm that tells all your kids what to watch all day? That's actually a secret national security asset of the People's Republic of China." But the administration's process for addressing the national security issue was unable to keep up with President Trump's eagerness to announce some kind of deal. The haphazard and easily stereotyped process probably also contributed to the casual decision of a magistrate in San Francisco to brush aside US national security interests in the WeChat case, postponing the order on dubious first amendment grounds that John Yoo rightly takes to task.

Megan Stifel tells us that the bill for decoupling from China is going to be high – up to $50 billion just for chips if you listen to the Semiconductor Industry Association.

Speaking of big industry embracing big government, Pete Jeydel explains IBM's slightly jarring suggestion that the government should slap export controls on a kind of face recognition technology that Big Blue doesn't sell any more. Actually, when you put it like that, it kind of explains itself.

Megan tells us that the House has passed a bill on the security of IOT devices. The bill, which has also moved pretty far in the Senate, is modest, setting standards only for what the federal government will buy, but Megan has hopes that it will prove to be the start of a broader movement to address IOT security.

I reprise the latest demonstrations that Silicon Valley hates conservatives, and how far it will go to suppress their speech.  My favorite is Facebook deciding that a political ad that criticizes transwomen competing in women's sports must be taken down because it "lacks context". Unlike every other political ad since the beginning of time, apparently. Although Twitter's double standard for a "manipulated media" label is pretty rich too: Turns out that in the Twitterverse, splicing Trump's remarks to make him say what the Biden camp is sure he meant is perfectly fair , but splicing a Biden interview so he says what the Trump camp is sure he meant is Evil Incarnate.

Finally, Megan rounds out the week with a host of hacker news. The North Koreans are in bed with Russian cybercrime gangs.  (I can't help wondering which one wakes up with fleas.) The Iranians are stealing 2FA codes and some of them have now been indicted by the US Justice Department, though not apparently for the 2FA exploit.  A long-running Chinese cybergang has also been indicted.  That won't actually stop them, but it will be hard on their Malaysian accomplices, who are already in jail.

Our interview this week is with Michael Brown, a remarkably influential defense technologist. He's been CEO of Symantec, co-wrote the report that led to the passage of FIRRMA and the transformation of CFIUS, and he now runs the Defense Innovation Unit in Silicon Valley. He explains what DIU does and some of the technological successes it has already made possible.

Oh, and we have new theme music, courtesy of Ken Weissman of Weissman Sound Design.  Hope you like it!

Download the 329^th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

The Belfer Center has produced a distinctly idiosyncratic report ranking the world's cyber powers – though they should have called it Jane's Fighting Nerds. Bruce Schneier (@schneierblog) and I puzzle over its rankings, but at least the authors provided the underlying assessments that led them, among other oddities, to rank the Netherlands No. 5, and Israel nowhere in the top ten. The US is number one, but that's partly due to the Center's insistence that the US ranking should be boosted because we're a norms superpower. In my book, that should have cost us a 20% discount off our offensive capabilities ranking.  Don't agree? Download the report and pick your own fight!

Our interview today is with Cory Doctorow, diving deep on his pamphlet/book, "How to Destroy Surveillance Capitalism." It's a robust and entertaining three-cornered fight – me, Cory, and the absent Shoshana Zuboff, whose 700-page tome launched the surveillance capitalism meme. You'll enjoy hearing me ask Cory, a Red Diaper Baby born to Trotskyists, to explain why his solution to tech's overreach is so similar to Attorney General Bill Barr's.

Elsewhere in the news roundup, Nate Jones (@n8jones81) and I unpack the Pandora's Box of pain loosed by the European Court of Justice in Schrems II. Facebook is fighting a multilevel rearguard action – in the courts, in two capitals, and in its terms of service -- to try to salvage its current business model.

I cover the latest Tok in the TikTok saga.  Oracle has won … something or other. Sultan Meghji (@sultanmeghji) and I puzzle over how the TikTok algorithm can stay in China while the dataset it's training on remains in the United States. 

The Justice Department's antitrust lawsuit against Google is getting nearer and nearer, judging from the thrashing in the underbrush. But we still don't have a good idea what part of Google's business will be targeted. Sultan explains the state of play. 

In a news flash as surprising as a report that the weather in San Diego will be sunny and fair, Microsoft has confirmed that the Chinese, Iranians, and Russians have launched cyber-attacks on Biden and Trump campaigns. For reasons unknown, the press can't get enough of this thin gruel.

Bruce and Sultan chart the reasons and tactics behind the rise of ransomware and the importance of being a reliable criminal if you want to make money in extortion. 

Nate unpacks China's global data security initiative so you don't have to waste your time. The tl;dr is that other countries shouldn't do any of the things China is doing or aspiring to do. 

Speaking of things you don't have to read because we took the hit, Bruce tells us what's in the new White House cyber-security policy for space systems. Really, it's all "shoulds" and puts nobody in charge of enforcement. It would be kind to call it the beta version of a space cybersecurity policy.

Sultan argues that there may after all be a limit to the EU's ability to get every part of the internet economy to enforce EU speech codes, and the domain name registries hope they're on the other side of that line. 

You probably saw the "op-ed" that an AI "wrote," explaining why humans need not fear it.   Bruce, Sultan, and I have plenty of fun mocking Open AI's penchant for Open Hype.  But Bruce reminds us that sooner or later the hype will be real, and more than half of Twitter will be machines talking to other machines.  Judging from my Twitter feed, that will be an improvement. 

Finally,  This Week in Sore Losing: In honor of AWS's brief complaining that it should have beat Microsoft to the lucrative JEDI contract, I update an old lawyer's motto: If you've got the law on your side, pound the law. If you've got the facts, pound the facts. And if you've got neither, pound the Orange Man.

And more!

Download the 328th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

327: “I’ll Take Hacking Tesla for One Million Dollars, Alex”

In the 327th episode of the Cyberlaw Podcast, Stewart is joined by Nick Weaver (@ncweaver), David Kris (@DavidKris), and Dave Aitel (@daveaitel). We are back from hiatus, with a one-hour news roundup to cover the big stories of the last month. 

Pride of place goes to the WeChat/Tiktok mess, which just gets messier as the deadline fdraws near. TikTok is getting all the attention but WeChat is by far the thornier policy and technical problem. I predict delays as Commerce wrestles with them. Nick Weaver predicts that TikTok’s lawsuit will push resolution of its situation into January.  I’ve got fifty bucks that says it won’t. Lawfare wins either way.

Dave Aitel digs into the attempted Tesla hack. Second best question in the segment: Who’s the insider that enabled an attack on his employer and is still working there three years later?  Best question: How many CSO’s can say with confidence that none of their employees would take $1 million to plug a USB stick into the company network? 

This Month in Overhyped Judicial Decisions about FISA: David Kris lays out the seven-years-late Ninth Circuit decision that has been billed as striking at the FISA warrantless surveillance law. Talk about overtaken by events. The opinion grumbles about the fourth amendment but doesn’t actually rule on that ground (and its analysis is so partial that it isn’t even persuasive dicta). It boldly finds that the collection violated a statute that has been repealed anyway. And then it says that doesn’t matter because suppression of the evidence isn’t a remedy and the violation didn’t taint the trial.  The only really good news for the libertarian left is that Justice can’t appeal to the Supreme Court because, well, it won.

David also takes on the other overhyped FISA decision, a lengthy FISA court review of agencies’ minimization practices with respect to Americans’ data collected under section 702. The court approved practically everything but was predictably and not improperly upset at the FBI’s inability to design social and IT systems that prevent dumb violations of the rules. 

Speaking of FISA, important national security provisions remain unsettled, in large part because of Trump’s misguided opposition. Who, David asks, could possibly persuade GOP members that there’s a FISA reform that responds to their sense of grievance over the Russian collusion investigation?  I volunteer, with lengthy testimony to the PCLOB and a shorter piece in Lawfare.

Dave Aitel asks why we’re surprised that Iranian hackers are monetizing access to networks that don’t offer national security value to their government. Or that hackers are following their targets into specialized software markets. If you know your target is a law firm, he suggests, you’d be better off looking for flaws in Relativity than in Windows…. Uh, excuse me, but I just felt someone walk over my grave.

Nick and Dave are both critical of the Justice Department’s indictment of Joe Sullivan for obstruction of justice and misprision of felony. That is beginning to look like a case Sullivan can win, and one he just might take it to trial. 

Nick thinks the Justice Department is playing a long game in pretending it can seize 280 cryptocurrency accounts used by hackers. It can’t get the funds, but it sure can make it hard for the hackers to get them. 

U.S. Agencies Must Adopt Vulnerability-Disclosure Policies by March 2021. 

And more!

Download the 327th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

The Chairman of the U.S. Privacy and Civil Liberties Oversight Board has, perhaps unwisely, invited me to provide written input on ways to reform the country’s intelligence collection authorities. I have commented publicly on the topic many times since my tenure as general counsel of the National Security Agency in the early 1990s. Because recent commentators have failed to address the most pressing need for intelligence reform, I am grateful for the opportunity to do so again. I am posting my testimony here, in advance of the PCLOB's publication so that readers of my shorter piece on the same topic will have the benefit of the more detailed analysis and sourcing in the full testimony.

Download Stewart Baker PCLOB testimony

Our interview this week focuses on section 230 of the Communications Decency Act and features Lauren Willard, counsel to the Attorney General and a moving force behind the well-received Justice Department report on section 230 reform. Among the surprises: Just how strong the case is for FCC rule-making jurisdiction over section 230.

In the news, David Kris and Paul Rosenzweig talk through the fallout from Schrems II, the Court of Justice decision that may yet cut off all data flows across the Atlantic.

Paul and I speculate on the new election interference threat being raised by House Democrats. We also pause to praise the Masterpiece Theatre of intelligence reports on Russian cyber-attacks.

Nick Weaver draws our attention to a remarkable lawsuit against Apple. Actually, it’s not the lawsuit, it’s the conduct by Apple that is remarkable, and not in a good way. Apple gift cards are being used to cash out scams that defraud consumers in the US, and Apple’s position is that, gee, it sucks to be a scam victim but that’s not Apple’s problem, even though Apple is in a position to stop these scams and actually keeps 30% of the proceeds. I point out that Western Union – on better facts than Apple's– ended up paying hundreds of millions of dollars in an FTC enforcement action - - and still facing harsh criminal sanctions.

Paul and David talk us through the 2021 National Defense Authorization Act, which is shaping up to make a lot of cyber-security law, particularly law recommended by the Cyber Solarium Commission. On one of its recommendations – legislatively creating a White House cyber coordinator – we all end up lukewarm at best.

David analyzes the latest criminal indictment of Chinese hackers, and I try to popularize the concept of crony cyberespionage.

Paul does a post-mortem on the Twitter hack. And speaking only for myself, I can’t wait for Twitter to start charging for subscriptions to the service, for reasons you can probably guess.

David digs into the story that gives this episode its title – an academic study claiming that face recognition systems can be subverted by poisoning the training data with undetectable bits of cloaking data that wreck the AI model behind the system. How long, I wonder, before Facebook and Instagram start a “poisoned for your protection” service on their platforms?

In quick takes, I ask Nick to comment on the claim that US researchers will soon be building an “unhackable” quantum Internet. Remarkably his response is both pithy and printable.

And more!                                                                                                                 

Download the 326th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

The decision of the European Court of Justice (CJEU) in Schrems II is gobsmacking in its mix of judicial imperialism and Eurocentric hypocrisy. The decision invalidates the Privacy Shield agreement between the U.S. and the EU on the ground that U.S. protections for individual rights are not "adequate," by which the court means not "essentially equivalent" to the rights provided to individuals under European law. It manages to do this while acknowledging that the court and the EU have no authority to elaborate or enforce these rights against any of the EU's member states. That, the court says, is "irrelevant." It is making the rules for benighted foreign lands like Canada and the United States, not for Europeans. Freed from the prospect that any of the governments that appoint them will have to live with these rules, the judges of the CJEU declare that large chunks of U.S. intelligence law—including some of America's most productive and essential authorities, such as Section 702 of the Foreign Intelligence Surveillance Act (FISA)—are beyond the pale.

In theory, this means that the United States is a privacy-inadequate nation, and any company sending personal data here may be fined under the General Data Protection Regulation (GDPR) up to four percent of gross global income. (Yes, the court left open the question whether a special set of corporate contract clauses remained a legal basis for transferring data to the U.S., but very few lawyers think those clauses will actually provide any protection when challenged, since no private contract can undo the obligations of Section 702.)

It is astonishing that a European court would assume it has authority to kill or cripple critical American intelligence programs by raising the threat of massive sanctions on American companies. In so doing, the court overrode a formal executive agreement reached by the EU with the U.S.; it also rejected the view of the European Commission that U.S. law was adequate to protect individual rights.

Still, the court clearly does think it can force its views on not just the United States but the rest of the world as well. It has already told the Canadians that they don't measure up. Australia and India have been kept in limbo for a decade due to doubts about whether their democracies dance sufficiently to the justices' tune.

Perhaps, had the court been less stiff-necked, it might have forced a change in the laws of these countries. But now the entire project is bound for disaster. China, which is already a great power when it comes to personal data, has signaled to Europe that it will not tolerate interference with its internal affairs. Yet rather than confront a country that clearly lacks protections for individual rights, European bureaucrats have spent 20 years chivvying the United States over data transfers, signing and breaking half a dozen agreements, always asking for more and usually getting additional concessions—including appointment of a special U.S. "ombudsperson" to hear European complaints; enforcement of European law by U.S. agencies like the Federal Trade Commission and Commerce Department; and a special Judicial Redress Act, passed for Europe in 2015, that grants Europeans the right to file FOIA petitions. None of that was good enough for the CJEU. This history shows that, even if the U.S. again tried to modify its law to meet the court's rigid demands in Schrems II, more litigation and more demands—not peace—would be the result.

The time for American concessions is over. Throughout the emergence of this issue, the U.S. has insisted—and the EU has agreed—that data flows across the Atlantic should not be interrupted. Indeed, the World Trade Organization (WTO) agreement signed by Europe makes clear that data flows may not be regulated in the name of privacy if the regulation is a means of "arbitrary or unjustifiable discrimination between countries where like conditions prevail." Nothing could be more discriminatory or arbitrary than 20 years of pursuing the United States for the privacy equivalent of parking tickets while ignoring similar infractions by the member states and an endless series of privacy felonies by the People's Republic of China. It's time for the U.S. to get serious about ending this campaign of harassment.

What can the United States do? Plenty. Here are a few options that belong on the table in the interagency process.

1. Rescind the concessions the U.S. made to get the now-broken deal. This is a no-brainer. Europe has broken the deal it made, and it cannot keep the parts of the deal it likes. The U.S. attorney general should withdraw the special status of European nationals under the Freedom of Information Act and the Judicial Redress Act. The Office of the Director of National Intelligence should abolish the office of the ombudsperson created to give Europeans comfort that their complaints about intelligence collection would be heard. President Trump should rescind PPD-28, the Obama-era set of politically correct limitations on intelligence community activities, which has been kept alive as part of the Privacy Shield negotiations.

2. Prepare to retaliate in a way that shows the U.S. is serious. Americans have never paid much attention to periodic eruptions of the data transfer issue. We are always a little inclined to think that maybe Europeans have something to teach us about privacy and human rights, so righteous American anger about intrusion on our sovereignty has been slow to ignite. But now is the time to show Europe that the U.S. is serious about keeping in place effective counterterrorism measures—and keeping the right to write U.S. laws without getting permission from European governments.

Because this decision violates U.S. rights under the WTO, the executive branch has authority under Section 301 of the Trade Act of 1974 to impose tariffs and other import restrictions on the countries of the European Union. And it should. If the U.S. wants to get Europe's attention, it needs to get Germany's attention, which probably means heavy tariffs on German cars and perhaps car parts. Airplanes and airplane parts are also a touchpoint. As usual, the list of retaliation candidates will need to include something of great value to each member state—Irish whiskey, say, or French wines.

The retaliation process will take a few months. The goal is not to impose the tariffs but to put an end to the crisis—and to Europe's peculiar arrogance about imposing its personal data law on the rest of the world.

3. Make common cause with the U.K., Canada, Australia and perhaps India. The U.S. doesn't have to stand alone. The EU has been threatening the U.K. with an "inadequacy" determination as punishment for Brexit. Its court has already struck at Canadian law. And Australia and India surely know they are next. The U.S. should include these nations in any negotiation, but only if they join America in preparing sanctions against Europe.

4. Find a stopgap solution in one of the member states. The CJEU's admission that it doesn't have anything to say about how member states protect personal data isn't just a confession of hypocrisy. It could be an opportunity to do an end run on the whole mess created by the court. If any one of the member states—Poland, say, or Ireland or Hungary—were willing to sign a national security agreement with the United States, it would be acting within the national security authority conferred on it by Article 4(2) of the Treaty of the European Union.

Suppose, in the pursuit of its national security interests, Poland agreed to allow personal data to flow to the United States without restriction, in exchange for which the United States agreed to share with Poland any counterterrorism data it was able to obtain by virtue of its worldwide intelligence collection. That would only apply to data transferred from Poland, of course, but companies could set up subsidiaries in Warsaw, transfer their data holdings there from elsewhere in Europe—after all, the EU is a single market—and then let them move to the United States.

Or suppose that Poland's government and data protection authority agreed that data exports to the United States could be challenged on the ground that protections for Europeans from U.S. intelligence were inadequate—but only by a plaintiff who could demonstrate concrete economic injury. Since the European objection to U.S. law has been almost entirely theoretical, this has the double advantage of providing redress for actual human rights violations while exposing the fact that, by and large, no one in Europe can point to any.

Whether these one-country solutions would withstand the inevitable legal wrangling, I don't know, but the court left no time for companies to adjust. Getting a Polish exit visa for data from that country would give them breathing room even if the shelter doesn't ultimately survive its journey through the courts.

5. Negotiate an agreement that ends the threat to American companies. If the U.S. can get European governments to take seriously American objections to the notion that Europe can write U.S. law, there is a simple solution to this problem. The CJEU's opinion, though written as though grounded in the rights of man, is in fact based on a European regulation and a European treaty. As a matter of international law, both of those can be overridden by a newer treaty. Indeed, the U.S. entered into a binding executive agreement—the international equivalent of a treaty—when it bargained for the adequacy determination that the court overturned.

How could the court overturn a binding agreement, then? The Americans who negotiated the deal under the Obama administration gave a lot of binding promises about how they would handle European data, but they didn't get a binding promise in return that U.S. law would be deemed adequate and that data flows of compliant companies would not be restricted. Maybe they got snookered. Maybe they couldn't muster the will to draw a line in the sand. Whatever the reason, the agreement is utterly one-sided—all American concessions, plus a little European mood music.

So the U.S. should ask for the concessions it should have gotten last time: a binding assurance that U.S. protections for individual rights are not in need of European editing and that data flows will never be threatened again over this issue.

As democracies with long histories of protecting civil liberties—histories that stand up well next to those of most EU members—the United Kingdom, Australia and Canada should get the same assurances. The CJEU's only source of power to undo the deal is the GDPR and the Treaty of the European Union (which is also the source of the Charter of Fundamental Rights of the European Union). All of those instruments must yield to a binding international agreement with the United States and other democratic nations.

The big news of the week was the breathtakingly arrogant decision of the European Court of Justice, announcing that it would set the  rules for how governments could use personal data in fighting crime and terrorism.

Even more gobsmacking, the court decided to impose those rules on every government on the planet – except the members of the European Union, which are beyond its reach. Oh, and along the way the court blew up the Privacy Shield, exposing every transatlantic business to massive liability, and put the EU on a collision course with China over China's most sensitive domestic security operations. This won’t end well.  It's the CJEU's version of our Court's Dred Scott ruling. Paul Hughes helps me make sense of the decision.

In the interview, I interview Darrell West, co-author of Turning Point - Policymaking in the Era of Artificial Intelligence..We mostly agree on where AI is already making a difference, where it's still hype, and how it will transform war. Where we disagree is over the policy prescriptions for avoiding the worst outcomes. I disagree with the relentless focus of the book (and every other book in recent years) on the questionable claim of AI bias, and Darrell and I have a spirited disagreement over my claim that his prescription will hide numerical racial and gender quotas in every aspect of life that AI touches.  

Iranian cyberspies make pretty good training videos, Sultan Meghji tells us, but they’re not taking any bows after leaving the videos exposed online.

If you thought Twitter’s content resembled middle school, wait until you see their security measures in action. Nate Jones has the details, but my takeaway is that middle school science projects are usually handled  a lot more responsibly than Twitter’s “god mode” dashboard. 

BIPA, the Illinois biometric privacy act, has inspired lawsuits against users of a database assembled to reduce AI bias. Mark MacCarthy explains that the law prohibits use of biometrics (like  pictures of your face) without consent. I observe that this makes BIPA the COVID-19 of privacy law.  Anyone who touches this database will be infected with liability, at least if the plaintiff’s surprisingly plausible theory holds up.

Sultan reminds us that the PRC has now been caught twice requiring companies in China to use tax software with built-in malware. You know what they say: “Once is happenstance. Twice is coincidence. Three times is enemy action.”  I don’t think we’ll need to wait long to see number three.

Nate gives us a former government lawyer’s take on the CIA’s new authority to conduct cyber covert action. (Yahoo, Lawfare) Ordinarily he’d be skeptical of keeping those decisions away from the White House, but in this case, he’ll make an exception. My take: If unshackling the CIA has produced the APT34 and FSB hacks and data dumps, what’s not to like?

In short takes, I mock the Justice Department spokesperson who claimed that Ghislaine Maxwell was engaged in “a misguided effort to evade detection” when she wrapped her cellphone in tin foil. And Mark and I cross swords over Reddit’s capture by the Intolerant Left. You make the call: When Reddit declares that exposing fake hate crimes as hoaxes is a form of hate speech, is that anecdotal evidence of left-wing bias or stone-cold proof of epistemic closure?

Download the 325th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Our interview today is with Bruce Schneier, who has coauthored a paper about how to push security back up the Internet-of-things supply chain: The Reverse Cascade: Enforcing Security on the Global IoT Supply Chain.  His solution is hard on IOT affordability and hard on big retailers and other middlemen, who will face new liabilities, but we conclude that it’s achievable and maybe necessary. In fact, the real question is who’ll get there first, a combination of DHS’s CISA and the FTC or the California Secretary of State.

In the News Roundup Megan Stifel (@MeganStifel), Nate Jones (@n8jones81), and David Kris (@DavidKris) and I discuss TikTok's unenviable position -- holding the ball at the wrong end of the court as the clock winds down to 00:00.  Every week seems to bring a new administration initiative that could hurt or kill TikTok's US business.  The government’s options include a simple ban on TikTok sales to US buyers based on a finding that the company is a threat to national security or the security of Americans. That’s the applicable legal standard under Executive Order 13873; it's brand-new (the regs aren’t even final yet)  but it relies on tools that have long been used under the International Economic Emergency Powers Act (IEEPA). A straightforward application of IEEPA remedies would cut TikTok off from the US market, I argue.

Meanwhile, another little-advertised but equally sweeping rule for government contractors is on its way to implementation. It will deny federal contracts, not just contractors who want to deliver certain Chinese products but it will also cut off contractors who jsut use those products themselves.

Not to be outdone by the contracting officers, the Federal Trade Commission and Justice Department are attacking TikTok from a different direction – investigating claims that the company failed to live up to last year’s consent decree on the privacy of children using the app.

And, on top of everything, private sector CISOs are drawing a bead on the app, too, as Wells Fargo and (briefly) Amazon told their employees to take the app off their work phones.

It’s no surprise in the face of these developments that TikTok is working overtime to decouple itself in the public’s mind from China, including going so far as to join the rest of Silicon Valley in signaling discomfort with Hong Kong’s new security rules (and ruler). Megan and I question whether this strategy will succeed.

If Chief Justice Roberts were running for office, he couldn’t have produced a better platform than the Court’s latest tech decision – upholding most of a law that makes  robocalls illegal while striking down the one part that authorizes robocalls for collection of government debt.  David Kris explains.

Nate unpacks a new Florida DNA privacy law prohibiting life, disability and long-term care insurance companies from using genetic tests for coverage purposes. I express skepticism.

Nate also explains the mysteriously quiet launch of the UK-US Bilateral Data Access Agreement. Four years in the making, and neither side wanted to announce that it had taken effect – what are they worried about, I wonder?

FBI Director Wray gives a compelling speech on the counterintelligence and economic espionage threat from China. He says the bureau opens a new such case every ten hours.  And right on schedule comes the prosecution of a professor charged with taking $4M in US grant money to conduct research -- for China.

David and I puzzle over the surprisingly lenient sentence handed to a former Yahoo engineer for hacking the personal accounts of more than 6,000 Yahoo Mail users looking for sexually explicit images and videos.

For This Week in Silicon Valley Speech Suppression, I out Reddit as a particularly fanatical convert to SJW orthodoxy in censoring the right, as the service apparently tells its moderators that it’s hate speech to post stories or video showing a person of color as the aggressor in a confrontation. 

And Nate closes us out by drawing again from a bottomless well of problems faced by technological contact tracing.  

Download the 324^th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

In the News Roundup, Dave Aitel (@daveaitel), Mark MacCarthy (@Mark_MacCarthy), and Nick Weaver (@ncweaver) and I discuss how French and Dutch investigators pulled off the coup of the year this April, when they totally pwned a shady “secure phone” system used by large numbers of European criminals. Nick Weaver explains that hacking the phones of Entrochat users gave the police access to big troves of remarkably candid criminal text conversations. And, I argue, it shows a flaw in the argument of encryption defenders who say that restricting Silicon Valley encryption will send criminals to less savory companies. That's true, but sleazeball companies are inherently more prone to compromise, as happened here.

This week the EARN IT Act went from Washington-controversial to Washington consensus in the usual way.  It was amended into mush. Indeed, there’s an argument that, by guaranteeing that nothing bad will happen to social platforms who adopt end-to-end encryption, the successful Leahy amendment actually makes e2e crypto more attractive than it already is under current law. That’s my view, but Mark MacCarthy still thinks the twitching corpse of EARN IT might cause harm by allowing states to adopt stricter liability for child sex abuse material. He also thinks that it won’t pass.  I have ten bucks that says it will, and by the end of the year.    

Dave Aitel, new to the news roundup, discusses the bad week TikTok had in its second biggest market.  India has banned the app. And judging from some of the teardowns of the code, its days may be numbered elsewhere as well.   Dave points to reports that Angry Birds was used to collect user information as well when it was at the height of its popularity. We wax philosophic about why advertising and not national security agencies are breaking new ground in building our Brave New World.

Mark once worked for a credit card association, so he’s the perfect person to comment on the next story, in which the founder of gab discovers that being labeled a “hate speech” platform won’t just get you boycotted by Silicon Valley but by the credit card associations as well. Once we’re in this vein, we mine it, covering Silicon Valley’s concerted campaign to make sure Donald Trump can’t possibly repeat 2016 in 2020. He’s been deplatformed at Twitch this week for something he said in 2016.  And Reddit dumped his enormous subreddit for failure to observe its censorship rules – which I point out are designed to censor only people in "the majority." I argue it’s time to defund the speech police. 

Nick takes us to a remarkable Washington story. He thinks it’s about a questionable Trump administration effort to redirect $10 million in “freedom tools” funding from cryptolibertarians to Falun Gong coders. I point out that US government funds going to the cryptolibertarians were paying the salary of the notorious Jake Applebaum and buying tools like TAILS that have protected appalling sextortionist criminals. Really, taking the money away from those projects would be a good idea if all we did with it was to burn the bills on cold days to warm the homeless on the Mall.

Returning to This Week in Hacked Phones, Nick explains the latest "man in the middle" attack that works as soon as the phone user visits a website. Any website.  Dave sets out the strikingly sophisticated and massive international surveillance system China is now aiming at Uighers all around the world.  And Nick warns of two bugs that, if you haven’t spent the weekend fixing, may already be compromising your network.

In quick hits, I mock MIT for thinking that “pedophile” is a racial or ethnic slur but confess that its researchers must know more bad words than I do.  What, I ask, is a c****e, anyway? If MIT was cheating on the number of asterisks, we have an idea, but that really is cheating.  If you know, please don’t tweet the answer; send it to our email.

Download the 323^rd Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

For the first time in twenty years, the Justice Department is finally free to campaign for the encryption access bill it has always wanted.  Sens. Lindsey Graham (R-S.C.), Tom Cotton (R-Ark.), and Marsha Blackburn (R-Tenn.) introduced the Lawful Access To Encrypted Data Act. (Ars Technica, Press Release) As Nick Weaver points out in the news roundup, this bill is not a compromise. It’s exactly what DOJ wants – a mandate that every significant service provider or electronic device maker build in the ability, when served with a warrant, to decrypt any data it has encrypted. 

In our interview, Under Secretary Chris Krebs, head of the Cybersecurity and Infrastructure Security Agency, drops in for a chat on election security, cyberespionage aimed at coronavirus researchers, why CISA needs new administrative subpoena authority, the value of secure DNS, and how cybersecurity has changed in the three years since he took his job.

Germany’s highest court has ruled that the German competition authority can force Facebook to obtain user consent for internal data sharing, to prevent abuse of a dominant position in the social networking market. Maury Shenk and I are dubious about the use of competition law for privacy enforcement. Those doubts could also send the ruling to a still higher forum – the European Court of Justice. 

You might think that NotPetya is three years in the rear-view mirror, but the idea of spreading malware via tax software, pioneered by the GRU with NotPetya, seems to have inspired a copycat in China. Maury reports that a Chinese bank is requiring foreign firms to install a tax app that, it turns out, has a covert backdoor. (Ars Technica, Report, NBC)

The Assange prosecution is looking less like a first amendment case and more like a garden variety hacking conspiracy thanks to the government’s amended indictment. (DOJ, Washington Post) And, as usual, the more information we have about Assange, the worse he looks.

Jim Carafano, new to the podcast, argues that face recognition is coming no matter how hard the press and NGOs work to demonize it. And working hard they are. The ACLU has filed a complaint against the Detroit police, faulting them for arresting the wrong man based on a faulty match provided by facial recognition software. (Ars Technica, Complaint)

The Facebook advertiser moral panic is gaining adherents, including Unilever and Verizon, but Nick and I wonder if the reason is politics or a collapse in ad budgets. Whatever the cause, it’s apparently led Mark Zuckerberg to promise more enforcement of Facebook’s policies.

 In short hits, the U.S. Department of Homeland Security sent a letter to chief executives of five large tech companies asking them to ensure social media platforms are not used to incite violence. Twitter has permanently suspended the account of leak publisher DDoSecrets. (Ars Technica, Cyber Scoop). Rep. Devin Nunes (R-Calif.) was told what he must have known when he filed his case: he cannot sue Twitter for defamation over tweets posted by a parody account posing as his cow. (Ars Technica, Ruling) Nick explains why it’s good news all around as Comcast partners with Mozilla to deploy encrypted DNS lookups on the Firefox browser. And Burkov gets a nine-year sentence for his hacking. 

Download the 322nd Episode (mp3). 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

This is the week when the movement to reform Section 230 of the Communications Decency Act got serious. The Justice Department released a substantive report suggesting multiple reforms. I was positive about many of them (my views here). Meanwhile, Sen. Josh Hawley (R-MO) has proposed a somewhat similar set of changes in his bill, introduced this week. Nate Jones and I dig into the provisions, and both of us expect interest from Democrats as well as Republicans. 

 The National Security Agency has launched a pilot program to provide secure DNS resolver services for US defense contractors. If that’s such a good idea, I ask, why doesn’t everybody do it, and Nick Weaver tells us they can. Phil Reitinger’s Global Cyberalliance offers Quad9 for this purpose. 

 Gus Hurwitz brings us up to date on a host of European cyberlaw developments, from terror takedowns (Reuters, Tech Crunch) to competition law to the rise of a disturbingly unaccountable and self-confident judiciary. Microsoft’s Brad Smith, meanwhile, wins the prize for best marriage of business self-interest and Zeitgeist in the twenty-first century.

Hackers used LinkedIn’s private messaging feature to send documents containing malicious code which defense contractor employees were tricked into opening. Nick points out just what a boon LinkedIn is for cyberespionage (including his own), and I caution listeners not to display their tats on LinkedIn.

 Speaking of fools who kind of have it coming, Nick tells the story of the now former eBay executives who have been charged with sustained and imaginatively-over-the-top harassment of the owners of a newsletter that had not been deferential to eBay. (Wired, DOJ)

 It’s hard to like the defendants in that case, I argue, but the law they’ve been charged under is remarkably sweeping. Apparently it’s a felony to intentionally use the internet to cause substantial emotional distress. Who knew? Most of us who use Twitter thought that was its main purpose. I also discover that special protections under the law are extended not only to prevent internet threats and harassment of service animals but also horses of any kind. Other livestock are apparently left unprotected. PETA, call your office.

Child abusers cheered when Zoom buckled to criticism of its limits on end-to-end encryption, but Nick insists that the new policy offers safeguards for policing misuse of the platform. (Ars Technica, Zoom)

 I take a minute to roast Republicans in Congress who have announced that no FISA reauthorization will be adopted until John Durham’s investigation of FISA abuses is done, which makes sense until you realize that the FISA provisions up for reauthorization have nothing to do with the abuses Durham is investigating. So we’re giving international terrorists a break from scrutiny simply because the President can’t keep the difference straight.

 Nate notes that a story previewed in April has now been confirmed: Team Telecom is recommending the blocking of a Hong Kong-US undersea cable over national security concerns.

 Gus reminds us that a bitter trade fight between the US and Europe over taxes on Silicon Valley services is coming. (Politico, Ars Technica)

 Nick and I mourn the complete meltdown of mobile phone contact tracing. I argue that from here on out, some portion of coronavirus deaths should be classified as mechanogenic (caused by engineering malpractice). Nick proposes instead a naming convention built around the Therac-25. 

And we close with a quick look at the latest data dump from Distributed Denial of Secrets. Nick thinks it’s strikingly contemporaneous but also surprisingly unscandalizing.

Download the 321st Episode (mp3). 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Section 230 of the Communications Decency Act seems to inspire bipartisan antipathy.

Joe Biden said it “should be revoked, immediately,” and President Trump characteristically topped that by tweeting “REVOKE 230!”

They’re both right, at least directionally. Section 230, which dates to 1996,  shields platforms from civil liability stemming from third-party content on their sites. It has been central to the success of crowdsourced platforms like YouTube, Twitter and Facebook, protecting them from potentially staggering liability for the online misbehavior of their users. But by exempting the platforms from the usual rules of liability, Section 230 is also a kind of subsidy, and one that protects some of the biggest companies in the world from expensive litigation.

Such a subsidy made more sense in 1996, when there were only 36 million internet users in the world. Now that 4.6 billion people regularly go online, it’s fair to ask why the U.S. should give internet platforms a sweeping exemption from the laws that govern everyone else. In recent years, more and more politicians on either side of the aisle have been pointedly asking this question, though perhaps for different reasons: Some Democrats still blame social media for making Trump’s election possible, while Republicans fault the industry for how publicly it has regretted its role in the 2016 campaign.

But revoking Section 230 is not a good idea. Mad as people may be at the platforms, those companies will need at least some liability protection if they’re going to keep giving us the crowdsourced content we all consume today. Platforms particularly need protection from defamation liability, which falls on both the author and the publisher. No social media company can police its content for libelous posts. The platforms simply are not equipped to evaluate which statements are true and which are false and defamatory.

That doesn’t end the debate, though. The industry may need an exemption from defamation liability, but why should it be immune if it ignores user misconduct that is entirely predictable and largely preventable? That question led Congress, on an overwhelmingly bipartisan basis, to amend Section 230 by  adopting FOSTA, the Allow States and Victims to Fight Online Sex Trafficking Act of 2017. FOSTA withdrew immunity from online platforms that knowingly let their users facilitate sex trafficking. And it turned out that most platforms didn’t need protection for facilitating sex trafficking. A few online sites that depended on prostitution ad revenue went out of business, but Big Social Media continued to thrive.

So the next questions for Section 230 skeptics on both sides of the aisle should be, “Where else has Congress given social media an immunity it didn’t need? And how can policymakers chip away at this overgenerous subsidy without putting at risk the survival of social media?”

The most thoughtful answers I’ve seen come from a Justice Department report released this month. Without grandstanding, it offers several proposals that ought to have bipartisan appeal.

The report begins by acknowledging that social media companies still need protection from liability for things they can’t be expected to police, like defamation. But the report sees a vast difference between being unable to stop criminal behavior and actively promoting it, as the sex trafficking sites did before FOSTA. It draws a simple lesson in FOSTA’s success—the online platforms worth propping up don’t need immunity for facilitating or soliciting illegal conduct.

The Justice Department also suggests that platforms should be required to go further in regulating user conduct— they should face liability if they fail to take reasonable steps to prevent the distribution of child sex abuse materials and terrorist and cyberstalking content. The only thing surprising about this proposal is that Section 230 doesn’t already demand it; the law confers its immunity without asking the platforms to do anything at all in return. It’s past time to spell out exactly what is expected of platforms in exchange for the subsidy they receive. Reasonable efforts to stop things like child sex abuse is certainly not too much to ask.

Among its other suggestions for trimming Section 230 immunity, the report rejects the extreme applications of the law that have gained currency since 1996. Most notably, online platforms have argued that Section 230 creates an immunity from antitrust claims. This is outrageous. If today’s monolithic platforms use their control of the national discourse to suppress criticism of their power or praise for their competitors, they don’t deserve immunity; they deserve an injunction and treble damages. Similarly, there’s no justification for extending platforms’ defamation immunity to the point where they can ignore court libel rulings without consequences (as, for example, Yelp has done).

So far, so bipartisan. If a reformed Section 230 forces social media to be more cautious about facilitating criminal conduct online, neither party will weep. There’s less unanimity about reforming a second immunity granted by Section 230. (Yes, there are two!) The second immunity protects the platforms not when they allow speech but when they suppress it. Conservatives think (rightly, in my view) that Silicon Valley tilts against them in these decisions, whether the result is a takedown or a warning label or a “shadow ban.”

The second immunity protects online platforms from liability when they take down content that is sexual, violent, harassing or “otherwise objectionable,” as long as they act in “good faith.” In an age when everyone objects to everything, this language invites weaponization. It is only prudent for Congress to narrow the definition of “otherwise objectionable” speech so that the provision gives special protection to the platforms mainly when they’re taking down speech that violates the law.

Republicans who think they’ve been victimized by social media censorship will of course find something to support here, but so too can anyone else uncomfortable with letting a handful of Silicon Valley monoliths decide what can and can’t be said online. For starters, unlike the first immunity, which protects against the clear risk of ruinous defamation liability, it’s not even fully clear what lurking liability the second immunity is needed to head off. Successful lawsuits for refusing to publish someone else’s work are not exactly thick on the ground.

The Justice Department’s other recommendation here is to attach some more tangible standards to the statute’s requirement that content be policed in “good faith.” To meet this requirement, the department urges, content moderation policies should be stated “plainly and with particularity” and takedown decisions should be notified in a timely way and explain “with particularity the factual basis for the restriction.” This will certainly be popular on the right, which thinks it’s unfairly targeted for suppression. But plenty of speakers on the left feel the same way. The only obvious cure for the widespread mistrust of platforms is for them to embrace greater transparency and candor. They have resisted, sometimes with good reason, sometimes without; but “trust us” is no longer a persuasive argument. This proposal would encourage them to move away from their largely opaque content moderation practices.

In short, and surely surprising to some, this Justice Department has made a real contribution toward bipartisan reform of Section 230. The temptation among Democrats will be to score partisan points by dismissing the report.

That would be a mistake.

Because, having embraced a candidate tied to the unrealistic position that “section 230 should be revoked, immediately,” Democrats are going to need more workable solutions that keep the essential core of Section 230 while cutting  back the platforms’ now-unjustifiable government subsidy.

And, when they go looking for those ideas, they’re going to find that a big chunk of them are already in this report.

Our interview this week is with Chris Bing, a cybersecurity reporter with Reuters, and John Scott-Railton, Senior Researcher at Citizen Lab and PhD student at UCLA. John coauthored Citizen Lab’s report last week on BellTroX and Indian hackers for hire, and Chris reported for Reuters on the same organization’s activities – and criminal exposure – in the United States.

The most remarkable aspect of the story is how thoroughly normalized the hacking of legal and lobbying opponents seems to have become, at least in parts of the US legal and investigative ecosystem. I suggest that instead of a long extradition battle, the US should give the head of BellTroX a ticket to the US and a guaranteed income for the next few years as a witness against his customers.

In the news roundup, Nick Weaver tells the remarkable story of how Facebook funded an exploit aimed at taking down a particularly vile online abuser of young girls -- one who was rendered nearly invulnerable by his use of TAILS, the secure, thumb drive-based communication system (Vice, Gizmodo). This is a great story because it really doesn’t conform to any of the stilted narratives into which most internet security stories are usually jammed.

Nick also notes Big Tech’s pledge to do more to stop child abuse online. I suggest that only Dr. Evil would be impressed by the amounts of money being invested in the campaign.

Well, another week, another Zoom bomb.  Now the company is taking heat because it terminated several Tiananmen Square commemorative Zoom sessions after China complained (NYT, Zoom). David Kris and I don’t think Zoom had much choice about cutting off the Chinese customers.  Terminating the US account holder who organized a session, however, was a bad move – and one that’s since been corrected by the company.

Nate Jones and I square off again for Round 545 on content moderation, spurred this time by reports that Sen. Josh Hawley is drafting legislation inspired by the Trump Administration’s Section 230 Executive Order. Meanwhile several Republican senators are pushing the FCC to act on the order. Nate and I find rare bipartisan common ground on the proposal that Congress require social media companies to take down foreign government online propagands – and maybe work with the US government to stop it at the source.

David reports on a (deservedly) obscure EU cloud independence project. It seems to have been embraced by Microsoft, which I accuse of going full AT&T – embracing government regulation as a competitive differentiator. As if to prove my point, Microsoft announces that it’s getting out of the business of doing facial recognition for the police – until it can persuade Congress to regulate its competitors.  

Why are spies targeting vaccine research? Nate has the answer; he draws on the excellent Risky Biz newsletter analysis of what drives COVID-19 cyberespionage.

Nick flags the potential significance of ARM wrestling, as the UK chip designer ARM fights its JV partner for control of its Chinese joint venture. In a story that made the cut because of Twitter and Linkedin feedback, Nick assigns a “moderate” threat label to the latest Universal Plug n Pwn exploit. (It’s only moderate because there are so many pwned IOT devices already in a position to DDOS targets of opportunity.)

In quick hits, I note that Israel has halted its controversial use of intelligence capabilities to monitor the spread of the coronavirus, but the government reserves the right to revive monitoring if a second wave shows up (JPost, Yahoo). Poor Brewster Kahle is looking like an internet hippie who fell asleep at Woodstock and woke up at Altamont. The Internet Archive is ending its program of offering free, unrestricted copies of e-books, but the publishers who sued over that program may decide to keep suing until they’ve broken his entire “digital library” model, and maybe the Internet Archive as well (NYT, Ars Technica). That would be a shame. Finally, even if you have a thousand talents, honesty may not be one of them. Charles Lieber, the Harvard University professor arrested for lying about his lucrative China thousand-talents contracts, has now been indicted on false statement charges.

Download the 320th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.