Skating on Stilts

Episode 40 of the Steptoe Cyberlaw Podcast is done.  Our guest this week is Bob Litt, the General Counsel of the Office of the Director of National Intelligence.  Bob has had a distinguished career in government, from his clerkship with Justice Stewart, his time as a prosecutor in the Southern District of New York and at Main Justice, and more than five years in the ODNI job.  This week in NSA:  The latest fad in news coverage of the agency is a hunt for possible conflicts of interest in its leadership.  And it’s having an effect.  Two high-ranking NSA seniors, the CTO and the head of signals intelligence have recently left positions that drew scrutiny for getting too close to private industry.  I ask him whether we should be pleased or worried about the trend toward individual converts to Islam carrying out random attacks with whatever weapon comes to hand.  Prudently, he refuses to be drawn into my comparison of Islamists to the Manson Family.  We debate whether the USA Freedom Act has a chance of passage in the lame duck Congress – and whether it should, focusing among other things on how the act’s FISA civil liberties advocates would function and what ethical rules would govern their day jobs.  And we explore another ODNI project – implementing the President’s directive on protecting the privacy of foreign nationals while gathering intelligence.  Are the nation’s spies really required to wait until a foreign target’s speech goes beyond what the first amendment protects before they collect and analyze the remarks?  Will the requirement for advance justification for collection projects institutionalize risk aversion at NSA?  And can government officials look forward to intelligence reports that read like this: “[SYRIAN NATIONAL 1] asked [IRAQI NATIONAL 1] to kill [US PERSON 1]”?

Our news roundup begins with the sudden press interest in possible conflicts of interest in NSA’s leadership.  The Supreme Court takes another privacy case – one with no obvious federal connection.  Lots of city ordinances require hotels to keep guest registries – and to let the police inspect those registries on demand.  But the 9th circuit recently held en banc that these laws touch the privacy interests of the hotel owner, not just the guests, and that the laws are unconstitutional if they offer no opportunity for prior judicial review of the police demand.  Just what we need:  another opportunity for the Roberts Court to pad a narrow ruling with a lot of ill-considered dicta about Smith v. Maryland.

 Harking back to last week’s interview with Tom Finan about insurance coverage for cyber incidents, we discover that where there’s insurance coverage there are also insurance coverage disputes.  The head of Steptoe’s insurance coverage practice explains the P.F. Chang dispute with Travelers Insurance and hints that it’s in the first wave of what could be thirty years of litigation.  Not that there’s anything wrong with that.

FBI Director Comey isn’t alone in complaining about Silicon Valley’s reluctance to help law enforcement.  Leslie Caldwell, the new head of the Justice Department’s criminal division, has joined the chorus. 

According to the Stored Communications Act, companies like Google may not provide the contents of emails in response to subpoenas.  So what do civil litigants do when they need access to Gmail accounts in, say, divorce cases?  The usual solution is for the court with jurisdiction over the civil suit to order the litigants to “consent” to the disclosure of their email messages.  But is court-ordered consent really consent?  According to a California appeals court, it is.  Michael explains.

Whoa!  The FCC really is taking cybersecurity seriously.  It’s proposing $10 million in fines for two carriers who stored hundreds of thousands of “Obamaphone” beneficiaries’ personal data on a server accessible by anyone on the internet.

Confusion over when you need a warrant to get third party information continues to roil the courts.  The Florida Supreme Court raises the bar for cell-site location data.  And the NJ AG plots a counter-attack on a billing record warrant requirement in the Garden State.  Michael suggests a new feature to keep all the litigation straight:  This Week in Smith v. Maryland.

Lawyers with banks for clients have a new reason to upgrade their cybersecurity.  As the banks struggle with increasingly sophisticated intrusions, they’re sharing the pain, demanding that their contractors and suppliers adopt stronger cybersecurity.  Law firms are expressly included, since they’ve been targeted frequently for what inevitably will be called “bank shot” intrusions. 

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Cast.

As I mentioned, I have been doing a weekly podcast on security, privacy, government and law with a couple of my partners, Michael Vatis and Jason Weinstein.   This week, in episode 39, our guest is Tom Finan, Senior Cybersecurity Strategist and Counsel at DHS’s National Protection and Programs Directorate (NPPD), where he is currently working on policy issues related to cybersecurity insurance and cybersecurity legislation.  Marc Frey asks him why DHS, specifically NPPD, is interested in cybersecurity insurance, what trends they are seeing in this space for carriers and other stakeholders, and what is next for their role in this space.  He is forthcoming in his responses and even asks listeners to email him  with their feedback.      

This week in NSA:   The House and Senate Judiciary chairs call for action on USA Freedom Act.  And nobody cares.  We conclude that the likelihood of action before the election is zero, and the likelihood of action in a lame duck is close to zero.  But next week we’ll be interviewing Bob Litt, one of the prime negotiators for the intelligence community on this issue, and he may have a different view.

The Great Cable Unbundling seems finally upon us, as several content providers announce that they’re willing to sell content direct to consumers over the Internet.  Does that mean more support for net neutrality?  Not necessarily.  Stephanie Roy explains.

Are parents responsible for what their adolescent kids do and say on Facebook?  That makes sense, if you’ve never had adolescent kids.  Maybe that explains why Michael Vatis sees merit in the Georgia appellate court decision finding potential liability.  It reversed the trial court, which had granted summary judgment in favor of the parents of a kid who set up a fake and defamatory Facebook page in the name of a classmate he hated.  The facts are a little odd.  The kid who set up the page never took it down, even after he’d been caught and punished by school and parents.  The appeals court thought that the parents had a “supervisory” obligation to make their child delete the fake account, and that they could be held liable for negligently failing to do so.  It’s quite possible, though, that everyone in this case is a Privacy Victim; the issue could have been hashed out with a phone call from the parents of the victim to the parents of the perpetrator, but according to the press, “the child’s parents didn’t immediately confront the boy’s parents because their school refused to identify the culprit.”  Because privacy.

FBI Director Comey comes out swinging for CALEA reform, saying in a speech at Brookings that the law needs to be updated to require cooperation from makers of new communications systems when the FBI has a court order granting access to those systems. 

When it comes to regulating on other topics, though, the Justice Department is a little less restrained; it has opened the door to a round of new disability claims against websites, offering a roadmap to what it thinks the law requires.

The right to be forgotten is attracting more flak in Europe, as the BBC announces a competing “right to remember” website devoted to publicizing stories that Google has delinked.  It’s Auntie BBC v. Nanny Europe.  Cue popcorn.  Unhappily, a “progressive” group most famous for relentlessly sliming Google on privacy issues has urged the search engine to bring the right to be forgotten  to the United States.  Sigh.

In breach news, TD Bank pays $850,000 to the state AGs over a “breach” that may never have happened.  TD lost a backup tape in transit, and the data wasn’t encrypted.  Was anyone’s data actually compromised by the loss of the tape?  The AGs don’t say.  They just want their money.  And they get it. 

The Russians are getting sloppy, or maybe they’re taking a leaf from China’s book – figuring it doesn’t matter if they get caught. And caught they have been, by iSight Partners, which reports that Russian hackers used a Microsoft zero-day to target Western governments and Ukraine.  Meanwhile, the FBI is warning about another and even more sophisticated set of Chinese government hackers.  And hackers are now adding a new form of targeted attack to their arsenal a tactic that combines spearphishing with watering hole attacks.  They’re targeting ads at users that take them to a compromised website that serves malware.

And, in good news for privacy skeptics, the Video Privacy Protection Act gets a narrow reading.

We remind everyone that the Steptoe Cyberlaw Podcast welcomes feedback, either by email ([email protected]) or voicemail ( +1 202 862 5785) and that the views expressed by the participants are their own, not the firm's. 

Download the thirty-ninth episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Cast.

I've spent much of this year doing a weekly podcast on security, privacy, government and law with a couple of my partners, Michael Vatis and Jason Weinstein.  (The RSS feed is here.)  I thought readers of this blog might like a taste of the podcast, which has attracted a substantial audience in Washington.  This week, in episode 38, our guest is Shaun Waterman, editor of POLITICO Pro Cybersecurity.   Shaun is an award-winning journalist who has worked for the BBC and United Press International; and an expert on counterterrorism and cybersecurity.

We begin as usual with the week’s NSA news.  NSA has released its second privacy transparency report.  We’ve invited Becky Richards, NSA’s privacy and civil liberties watchdog, on the program to talk about it, so I’m using this post to lobby her to become a guest soon:   Come on in, Becky, it’s a new day at the NSA!

Laura Poitras’s new film about Snowden gets a quick review.   We question the hyped claim that there’s a “second leaker” at NSA; most of the leaked information described in the film was already pretty widely known. 

Two more post-Snowden pieces of litigation are also in the news.  We dig into the Justice Department’s botched handling of the notice that must be given to parties on the receiving end of FISA taps and section 702 of FISA.  As often turns out to be the case, the Justice Department develops a limp, and all the other agencies have to put stones in their shoes:  It looks as though OFAC is going to be dragged into this comedy of errors. 

The second piece of litigation began as a humdrum piece of FOIA litigation (though with a bit of Glomar for spice).  It has now has produced a much more interesting result:  Judge Pauley, ordinarily a good friend to the government, declares that he has lost confidence in the Justice Department’s representations about the risks of releasing  FISA opinions; he insists on reviewing the FIS court’s opinions himself in camera to decide what can be released.

In other national security litigation, we all know that a canary can emit a twitter, but can Twitter emit a canary?  The social media giant is going to court to get approval for its “warrant canary,” claiming a first amendment right to list the orders it has not (yet) received under national security surveillance laws.  Meanwhile, on the opposite coast, the government’s authority to issue gag orders in national security letters is argued before the Ninth Circuit, which seems to find the issue at least a little troubling.

Maybe it’s a coincidence, but just as Europol is raising the possibility that the internet might be used to kill people, the FDA is trying to do something about it, issuing cybersecurity guidelines for manufacturers.   We damn them with faint praise, note that our refrigerators have been trying to kill us slowly for years, and wonder when the National Highway Safety Administration will issue security guidelines for self-driving cars.

The pendulum may be swinging toward privacy in the US but it swings hard the other way in the Southern Hemisphere.   First New Zealand gives Snowden a swift kick and now the Australian government is enacting surveillance reforms that increase government authority to conduct national security intercepts.

There’s a bit of good news in our update on the right to be forgotten.  The European Commission has poured cold water on the European Court of Justice, hinting strongly that the court’s enthusiasm for sacrificing free expression is a bad idea.  Sad to say, though, the notion seems as communicable as Ebola; even Japan is getting in the act, as a Tokyo court orders Google to take down search links at the request of an individual.

 The prize for Dumbest Judicial Opinion of the Month goes (where else?) to the Ninth Circuit, which expressed shock and dismay over the idea that a Navy investigator conducted “surveillance of all the civilian computers in an entire state” in the course of looking for military personnel trading child porn.  Turns out that the investigator in question simply looked at images being shared publicly online using a common file-sharing program, Gnutella.  And when he had the IP address of someone sharing child porn images he checked to see if the suspect worked for the military.  When that turned out not to be the case, he turned the information over to civilian law enforcement, giving the Ninth Circuit a severe case of the vapors and ultimately leading to exclusion of the evidence.   Because posse comitatus.  You won’t want to miss my translation from the Latin.

We unpack the controversy over Ross Ulbricht and how the FBI managed to captcha him.  And we congratulate the FCC for a regulatory action near and dear to anyone who’s ever paid too much for bad Wi-Fi in a good hotel.

Finally, we remind everyone that the Steptoe Cyberlaw Podcast welcomes feedback, either by email (CyberlawPodcast[at]steptoe.com) or voicemail( +1 202 862 5785).  And to prove it, I read a message from Dick Mills, a libertarian blogger who started out tagging me as the Great Satan of statism but ended by admitting that the podcast occasionally changed his mind.  We can’t ask for more than that.