Episode 40 of the Steptoe Cyberlaw Podcast is done. Our guest this week is Bob Litt, the General Counsel of the Office of the Director of National Intelligence. Bob has had a distinguished career in government, from his clerkship with Justice Stewart, to his time as a prosecutor in the Southern District of New York and at Main Justice, to more than five years in the ODNI job.
This week in NSA: The latest fad in news coverage of the agency is a hunt for possible conflicts of interest in its leadership. And it’s having an effect. Two high-ranking NSA seniors, the CTO and the head of signals intelligence, have recently left positions that drew scrutiny for getting too close to private industry.
I ask Bob whether we should be pleased or worried about the trend toward individual converts to Islam carrying out random attacks with whatever weapon comes to hand. Prudently, he refuses to be drawn into my comparison of Islamists to the Manson Family. We debate whether the USA Freedom Act has a chance of passage in the lame duck Congress – and whether it should, focusing among other things on how the act’s FISA civil liberties advocates would function and what ethical rules would govern their day jobs. And we explore another ODNI project – implementing the President’s directive on protecting the privacy of foreign nationals while gathering intelligence. Are the nation’s spies really required to wait until a foreign target’s speech goes beyond what the First Amendment protects before they collect and analyze the remarks? Will the requirement for advance justification for collection projects institutionalize risk aversion at NSA? And can government officials look forward to intelligence reports that read like this: “[SYRIAN NATIONAL 1] asked [IRAQI NATIONAL 1] to kill [US PERSON 1]”?
Our news roundup begins with the sudden press interest in possible conflicts of interest in NSA’s leadership. The Supreme Court takes another privacy case – one with no obvious federal connection. Lots of city ordinances require hotels to keep guest registries – and to let the police inspect those registries on demand. But the 9th Circuit recently held en banc that these laws touch the privacy interests of the hotel owner, not just the guests, and that the laws are unconstitutional if they offer no opportunity for prior judicial review of the police demand. Just what we need: another opportunity for the Roberts Court to pad a narrow ruling with a lot of ill-considered dicta about Smith v. Maryland.
Harking back to last week’s interview with Tom Finan about insurance coverage for cyber incidents, we discover that where there’s insurance coverage there are also insurance coverage disputes. The head of Steptoe’s insurance coverage practice explains the P.F. Chang dispute with Travelers Insurance and hints that it’s in the first wave of what could be thirty years of litigation. Not that there’s anything wrong with that.
FBI Director Comey isn’t alone in complaining about Silicon Valley’s reluctance to help law enforcement. Leslie Caldwell, the new head of the Justice Department’s criminal division, has joined the chorus.
According to the Stored Communications Act, companies like Google may not provide the contents of emails in response to subpoenas. So what do civil litigants do when they need access to Gmail accounts in, say, divorce cases? The usual solution is for the court with jurisdiction over the civil suit to order the litigants to “consent” to the disclosure of their email messages. But is court-ordered consent really consent? According to a California appeals court, it is. Michael explains.
Whoa! The FCC really is taking cybersecurity seriously. It’s proposing $10 million in fines for two carriers who stored hundreds of thousands of “Obamaphone” beneficiaries’ personal data on a server accessible by anyone on the internet.
Confusion over when you need a warrant to get third-party information continues to roil the courts. The Florida Supreme Court raises the bar for cell-site location data. And the NJ AG plots a counter-attack on a billing record warrant requirement in the Garden State. Michael suggests a new feature to keep all the litigation straight: This Week in Smith v. Maryland.
Lawyers with banks for clients have a new reason to upgrade their cybersecurity. As the banks struggle with increasingly sophisticated intrusions, they’re sharing the pain, demanding that their contractors and suppliers adopt stronger cybersecurity. Law firms are expressly included, since they’ve been targeted frequently for what inevitably will be called “bank shot” intrusions.