Skating on Stilts

Our guest for episode 90 is Charlie Savage, New York Times reporter, talking about Power Wars, his monumental new book on the law and politics of terrorism in the Obama (and Bush) administrations.  I pronounce it superb, deeply informative, and fairly unbiased, “for a New York Times reporter.”  With that, the fat is in the fire, and Charlie and I trade views – and occasional barbs – about how the Bush and Obama administrations handled the surveillance issues that arose after 9/11.

In the news roundup, Michael Vatis and I puzzle over the FTC’s astonishing loss on its own home court.  We wonder why the FTC failed to do the right thing and drop the LabMD case when the FTC’s source began to lose credibility by the shovel-load.  I suggest that FTC leadership was suffering from the rarely spotted “Darrel Issa Derangement Syndrome.”     

Jason Weinstein deconstructs the claim that the European Union is “cracking down” on bitcoin in response to the attacks in Paris. 

Stepping out of character, I defend the value of diplomatic “words on paper,” finding promise in the G20’s announcement that all twenty members join in condemning cyberespionage for commercial purposes.  

Michael recaps the latest in litigation over the nearly expired NSA 215 program.  D.C. Circuit Judge Kavanagh has explained why Judge Leon is wrong about the program, depriving the district court judge of the last word on the subject and demonstrating that its lawfulness can be assessed without resort to exclamation points.

Working a technology help desk could drive a man to suicide.  Until ISIS opened its own terrorist help line, though, we thought that was a bug not a feature.  In the same vein, I mock Glenn Greenwald for insisting that Snowden taught ISIS nothing about security about a week before we got to see a tech manual, apparently in use by the terror group, which invokes Fast Eddie’s advice about which remote storage systems are safe to use. 

As always, the Cyberlaw Podcast welcomes feedback.  Send e-mail to [email protected] or leave a message at +1 202 862 5785. 

Download the ninetieth episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!

The U.S.-China Economic and Security Review Commission has finished its nearly 600-page annual report to Congress for 2015. The Commission's report is, as usual, a thoughtful and detailed assessment of the US-China economic relationship.  So it's no surprise that the Commission addresses the problem of commercial cyberespionage.

More surprising -- and satisfying -- is the Commission's interest in allowing US companies to "hack back" against Chinese intrusions.  This is an approach I've long believed should be on the table, though with limitations.  

The Commission comes to the same posture,  notably avoiding the stiff-necked cant displayed by the Department of Justice when the idea comes up.  The Commission recommends that

Congress assess the coverage of U.S. law to determine whether U.S.-based companies that have been hacked should be allowed to engage in counterintrusions for the purpose of recovering, erasing, or altering stolen data in offending computer networks. In addition, Congress should study the feasibility of a foreign intelligence cyber court to hear evidence from U.S. victims of cyber attacks and decide whether the U.S. government might undertake counterintrusions on a victim’s behalf.

The first idea is now fairly widespread in policy circles.  The second not so much. There are plenty of people who think the US intelligence community should help US companies when they're under attack, but the Commission heard testimony that the intelligence community may be reluctant to do so:

Asked at the June Commission hearing to comment on one suggestion that U.S. intelligence agencies could aid U.S.-based companies whose IP or competitive bids had been stolen by a Chinese company, Mr. Poindexter responded: ‘‘We have a lot of restrictions on what the Intelligence Community is allowed to supply a business, and the Intelligence Community doesn’t want to supply that because they know what the problems are going to be. . . . Who do you support? Do you support BAE, a big British company? They are in the United States. They get hacked. What do we do then? Do we do the same kind of work?

I'm more skeptical that there's a lack of IC authority to help companies under attack. If a US company is losing trade secrets to a foreign government's cyberspies, identifying both the foreign government and the recipients of the stolen IP is a task that fits comfortably under the rubric of counterintelligence, for which the intelligence community has plenty of authority.  And I certainly don't think we need a special court to say so.  But it is nice to see creativity creeping into discussions of the cyberespionage problem.

Most importantly, the Commission's recommendation is another sign of growing government openness to active defense measures.  The Commission members aren't full-time government officials, but the Commission is established by statute, and its members are appointed by the Republican and Democratic leadership of Congress.  So there's real significance in having such an establishment group put this option on the table.

No policy proposal succeeds in Washington until it has become humdrum.  With the Commission's report, the idea of letting companies step outside their networks to defend themselves can't be dismissed as beyond the pale. It is now entering the sweet spot of policy entrepreneurship -- vetted but still edgy.

The NSA metadata program that is set to expire in two weeks was designed to provide early warning of a terror attack planned in a foreign safe haven and carried out inside the United States.  Those are some of the most deadly terror attacks we’ve seen, from 9/11 to Mumbai.  And now Paris. 

So should the United States be terminating the 215 program just as the Paris attacks show why it was created?  That’s the question I ask in Episode 89 of the podcast as we watch the DC circuit cut short Judge Leon’s undignified race to give the program one last kick before it’s terminated. 

Our guest for the podcast is Mark Shuttleworth, founder of Thawte and Canonical/Ubuntu.  He makes it clear from the start that he could hardly disagree with me less on issues such as encryption and intelligence collection.  But we nonetheless get a great tour of the technology horizon.  Mark is helping to build the future of computing, from the internet of things to mobile phones, the desktop, and the cloud.  We explore what that means for privacy and security; we even touch on artificial intelligence and just how suddenly its risks will be upon us.  

In other news, Michael Vatis and I unpack Microsoft’s ground-breaking effort to avoid US jurisdiction over its cloud -- by storing data in Germany under the control of a German company.

Meanwhile, Alan Cohn and I handicap the US-EU talks aimed at reaching Safe Harbor 2.0.  A deal appears to be within reach in principle; the main question is how many additional enforcement concessions the EU can wring from the US.  The Paris attacks will make US concessions less likely and weaken European determination to extract them, we suspect.

Finally, Michael explains how New York is showing its determination to out-regulate the feds when it comes to bank and insurance cybersecurity.

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to [email protected] or leave a message at +1 202 862 5785.

Download the eighty-ninth episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!

I offered a modest proposal today for dealing with Europe's refugee problem and its Daesh problem in today's New York Times "Room for Debate" page.  Here's the heart of it:

 A German parliamentarian is talking about conscripting military-age Germans to provide the services that displaced Syrians need. Maybe instead, Europeans should be conscripting military-age Syrian refugees, training them, and sending them back to fight for their own country. (According to the United Nations, in this wave of migrants, the men outnumber the women by nearly five to one.) Why shouldn’t those men be asked to help create the refuge that they and their families need -- in Syria, where they need it most.

Such a measure would not just help to solve the problem at its source. It would separate true refugees from those who are simply hoping to dodge the Syrian draft or find a more prosperous place to work. And it has a proud history in the West, as the Polish pilots who fought the Battle of Britain could attest, along with theFrench, Belgian and Dutch soldiers who fought the Nazis across Normandy to build a true refuge in their own countries.

Some may object that drafting combatants to fight for territory would be viewed as an act of war against Daesh.

Well, yes. But that’s a war that France’s Prime Minister, at least, has already declared.

This would be one way to show that he means it.

Where the hell are the FTC, Silicon Valley, and CDT when human rights and privacy are on the line? If the United States announced that it had been installing malware on 2% of all the laptops that crossed US borders, the lawsuits would be flying thick and fast, and every company in Silicon Valley would be rolling out technical measures to defeat the intrusion.

But when China injects malware into 2% of all the computers whose queries cross into Chinese territory, no one says boo. Not the US government, not CDT or EFF, and not the big browser companies. That’s the lesson I draw from episode 88 of the podcast, featuring an in-depth discussion of China’s Great Cannon with Adam Kozy and Johannes Gilger of Crowdstrike. They expand on their 2015 Blackhat talk about China’s deployment of Great Firewall infrastructure to hijack American and Taiwanese computers and use them in a DDOS attack against Github.

China’s first internet email, in 1987, said “Across the Great Wall we can reach every corner of the world.” And boy, did they mean it. The question now is what the other corners of the world are going to do about it.

In other news, Michael Vatis covers the latest Safe Harbor developments, as the European Commission releases a statement saying, more or less, that American companies can expect years of litigation over the adequacy of US privacy law. Remarkably, that’s meant to be good news.

Speaking of dubious European claims to offer good news, Michael and I note that the UK deputy data protection commissioner has announced with pride that the Right to Be Forgotten hasn’t actually “stopped the internet working.” So far; but the net is young.

I summarize an earlier blog post claiming that the crypto wars are over and USTR has handed Jim Comey a loss while Mary Jo White gets a win. This because the Trans-Pacific Partnership trade deal included language prohibiting members from demanding encryption keys for most purposes other than financial regulation. I also acknowledge a significant caveat drawn to my attention by Simon Lester of Cato: Despite the TPP, a member is free to adopt any measure “that it considers necessary for … the protection of its own essential security.” If Jim Comey’s lawyers can’t squeeze his key access proposals into that provision, the “essential security” of their jobs is seriously at risk.

As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to [email protected] or leave a message at +1 202 862 5785.

Download the eighty-eighth episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!

The TransPacific Partnership trade agreement has been released, and it goes way beyond resolving a few trade and tariff disputes.  US and other trade negotiators leaped into a host of policy and legal matters, including the fight over when governments can demand access to encryption keys.

The outcome to the crypto wars is one that no one would have expected:  Jim Comey loses.  NSA director Mike Rogers loses.  But SEC chairman Mary Schapiro Jo White wins.

In an annex to a chapter on Technical Barriers to Trade, the trade deal specifies that no government may require any company to provide cryptographic keys to its products.   The only exceptions are for products or networks that actually belong to the government and for "supervisory, investigatory or examination [measures] relating to financial institutions or markets."

So the trade negotiators have spoken.  No point in any more debate.  The FBI and NSA are out in the cold, but the chairman of the Securities and Exchange Commission can require companies to cough up their encryption keys.  

UPDATE:  Corrected SEC chair's name.  My fault for reading this Google search too quickly.

Here's one more surprise in the newly released TPP.  It could have a big impact on cybersecurity.  That's because the deal prohibits nations from asking mass market software companies for access to their source code. See TPP article 14.17.  The ban doesn't apply to code run on critical infrastructure, which will make for endless disputes, since there's very little mass market software that doesn't run on computers involved in critical infrastructure.

Right now, this is a measure US software companies want.  That's because we make most of the mass market software in the market.  But that's likely to change, especially given the ease of entry into smart phone app markets.  We're going to want protection against the introduction of malware into such software.  The question of source code inspection is a tough one.  If other countries can inspect US source code, they'll find it easier to spot security flaws, so the US government would like to keep other countries from doing that.  But I doubt US security agencies are comfortable letting Vietnam write apps that end up on the phones of their employees without the ability to inspect the source.  In short, this is a tough policy call that is likely to look quite different in five years than it does today.

Which is why it's a bad topic for a trade deal.  Trade negotiations have sprawled out of simple tariff deals and into "nontariff trade barriers" -- which can be anything international business doesn't like about other countries' policies.

In practice, this is a challenge to our normal democratic processes. To begin with, the US Trade Representative's office is an unapologetic advocate for the interests of US companies; its negotiators ask what US businesses want from other countries and then go out to get it. Of course, whatever deal USTR brings back inevitably pleases some industries more than others, so USTR has to assemble a coalition in support of its package deal, which means a festival of log-rolling, but only for those lucky enough to have a seat at the table.  (In this administration, unions and environmentalists have had a seat too, but expanding the table hasn't changed the process,)

Once negotiated, the whole messy package is presented to Congress for and up-or-down, take-it-or-leave-it vote, no amendments allowed.  A vote against the deal becomes a vote against the entire business community, if not against the modern era of increasing international trade.  And the product of that dubious style of lawmaking is is not just unamendable on the floor.  It's unamendable more or less forever, because any change at a later time violates the trade treaty, and invites trade sanctions from every other country that signed the deal. It makes a more permanent change in US law than anything short of a constitutional amendment.

That's one reason the left has already bailed out on trade deals.  Approval of the TPP will depend almost entirely on Republican votes.  If the source code provision leads GOP national security hawks to rethink their support for the deal, the deal will be in real trouble on the Hill.

Now that both the House and Senate have passed information sharing bills that are strikingly similar but not identical, the prospects for a change in the law are good.  But what changes, and how much difference will they make to network defenders?  That’s the topic we explore in episode 87 with our guest, Ari Schwartz.  Ari has just finished a tour as senior director for cybersecurity on the United States National Security Council Staff at the White House.  He and I and Alan Cohn go deep into the weeds so you won’t have to. 

Our conclusion?  The main value of the bill is that it frees some companies from aging privacy rules that prevented information sharing with groups that include the government.  It also enables companies to monitor their networks without fear of liability under even older privacy laws preventing interception of communications without all parties’ consent.  The other lesson to be drawn from the bill is that privacy groups are still something of a paper tiger without business support.  More than seventy senators voted for CISAover the bleeding bodies of every privacy group in the country. 

 In other news, Maury Shenk and I unpack the latest claim that the US and EU have agreed in principle on a deal to replace the Safe Harbor struck down by the European Court of Justice.  We’re profoundly skeptical that a deal will be reached quickly, or that it will actually give companies much in the way of safety. 

 Jason Weinstein provides a blow by blow recounting of the fight between Apple and the Justice Department.  The real question is whether Magistrate Judge Orenstein will call the fight for Apple before the defendant is sentenced.  We think he will.

 Also under the heading, “Please put me in the newspaper, I’m a pro-privacy judge,” the Fourth Circuit panel that insisted on a warrant for historical cell tower location data had better enjoy their fifteen minutes of fame now.  Their opinion is going to be reviewed en banc – and Jason and I are betting it won’t survive.  

 Finally, it looks as though privacy groups didn’t just waste money asking the Second Circuit to block the last month of the section 215 bulk collection program.  They actually managed to negate the only court of appeals decision finding the program unlawful.  In rejecting the privacy campaigners’ motion for an injunction, the Second Circuit declared that Congress had knowingly authorized it and therefore that it no longer violated the relevant statute.  Pyrrhus salut.

 As always, the Cyberlaw Podcast welcomes feedback.  Send an e-mail to [email protected] or leave a message at +1 202 862 5785.

 Download the eighty-seventh episode (mp3).

 Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!