Skating on Stilts

Our guest for the Cyberlaw podcast interview is Noah Phillips, recently appointed FTC Commissioner and former colleague of Stewart Baker at Steptoe. Noah fields questions about the European Union, privacy, and LabMD, about whether Silicon Valley suppression of conservative speech should be a competition law issue, about how foreign governments’ abuse of merger approvals can be disciplined, and much more.

The imminent adoption of the must-pass National Defense Authorization Act yields a deep dive on the bill. Most important for business lawyers, the bill will include a transformative rewrite of CFIUS’s investment-review procedures and policies.

Gus Hurwitz lays out many of the cyber issues addressed by the NDAA, while Dr. Megan Reiss explains the act’s creation of a “Solarium” commission designed to force serious strategic thinking about cybersecurity and cyberweapons. I offer my contribution to that debate – an effort to think the unthinkable and come up with tougher options for responding to serious cyberattacks. Since we’re trying to think the unthinkable, I argue, we’re really rooting for the itheberg, so I’ve dubbed it the Itheberg Project.  I do, however, make an unusual double-barreled offer to those who might want to participate in the Itheberg Project.

All that pales next to a surprisingly lively discussion of circuits splitting over insurance coverage of cyber-related fraud losses. Gus and Matthew Heiman predict that the Supreme Court (or an insurance contract rewrite) will be necessary to resolve the issue – and both of them think the issue is well worth the Court’s time. No one tell Judge Kavanaugh or he may just decide to stay on the DC Circuit!

In a “lightning” round that the FTC may soon investigate for deceptive labeling:

• Gus mocks the ACLU’s rigged test of Amazon’s face recognition software.
• China screws Qualcomm despite the US deal to save ZTE, letting the NXP acquisition die of neglect.
• The New York Public Service Commission revokes its 2016 conditional approval of the Charter-Time Warner merger.
• And India chooses favorable ground for a fight with WhatsApp over end-to-end encryption.

Download the 228th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with Stewart on social media: @stewartbaker on Twitter and on LinkedIn. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

In this episode, Bobby Chesney charts the emergence of undetectably forged videos.  They’re not here yet, but before we’re ready the internet will be awash with fake revenge porn, fake human rights atrocities, and fake political scandals.  My talk with Bobby revolves around a recent paper by him and Danielle Citron.  I confess to having seriously considered federal support for a fake video involving Osama bin Laden and kumquats (not what

Patt Cannaday and Stewart Baker 

you’re thinking, though that would have been good too). Bobby and I discuss the ways in which the body politic – and particular political bodies – might protect themselves.  This leads Bobby to propose a Cyberlaw Podcast mug prize for listeners who suggest what – and where – I should get inked as my last line of defense.  He’s on.  Send your suggestions to cyberlawpodcast@steptoe.com.

In the news, Maury Shenk and I puzzle over the EU’s questionable competition ruling (and $5 bn fine) for Google’s alleged abuse of a dominant position in mobile operating systems.  Once again I find myself agreeing more with Donald Trump than his critics.

Patt Cannaday, a Steptoe summer associate, finds what’s new in the Justice Department’s Cyber Digital Task Force report:  principally a set of rules to make sure that outing foreign governments interfering in our elections doesn’t become Justice Department interference in our elections.  We both think Justice plans to give social media platforms privileged access to data about foreign governments’ tactics and plans.  I propose that any such access be conditioned on the platforms pledging not to use the information to squelch speech that they just don’t like.

Nick Weaver explains why the recent Spectre and other side channel attacks on speculative execution are going to continue – and how big a performance hit our computers will take as we try to protect ourselves.

Congress is negotiating with the administration on penalties for ZTE. Nick thinks the result has been confusion between the export control penalties, which can be compromised, and supply chain restrictions, which shouldn’t be.

All the states have now asked for federal aid to defend their electoral systems from hackers.   I argue that it’s now on them to prepare for attacks, including efforts to disrupt rather than throw this fall’s election.

All those podcasts with Steve Vladeck have left Bobby more comfortable blocking left hooks, but he and I still manage to engage profitably on the Carter Page FISA application document dump.  We cover its implications for Devin Nunes’s early memo.  We question the durability of the application’s reliance on early press stories claiming that Trump forces tilted the GOP platform against Ukraine.  And I suggest that higher officials in Justice and the intelligence community should have demanded more overt vetting (and disclosure) of any partisanship tainting the evidence.  It’s a blind spot they wouldn’t have had, I argue, if the FBI wanted to wiretap Carter Page while he infiltrated the ACLU.

Download the 227th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

In Episode 226 of The Cyberlaw Podcast, I'm deep in the Cologado wilderness, and the News Roundup team (Brian Egan with Matthew Heiman, Jim Lewis, and Dr. Megan Reiss) muddles through without him.

Matthew and Jim discuss Friday’s indictment of 12 Russian GRU personnel by the Department of Justice and Special Counsel Mueller. Matthew explains that, while we shouldn’t expect extradition proceedings to take place any time soon (or ever), DOJ has a theory for pursuing these types of indictments in selected cases. I weigh in by Twitter, bemoaning somewhat surprisingly (given the source) that the indictments reflect a poor interagency coordination process and a lack of appreciation for diplomacy. From Jim’s perspective, these indictments are about as good as diplomacy is going to get on this issue…

Matthew walks through the continued bipartisan work in the Senate on the Secure Elections Act, which would facilitate information sharing amongst the states on election threats and take other steps in an attempt to improve election cybersecurity. Matthew explains that federalism may well end up limiting what can be done (or what Congress will agree to do) on this issue.

Megan weighs in on Commerce’s announcement on Friday that it lifted the Denial Order against ZTE after ZTE paid an additional $1.4 billion in penalties and took other steps pursuant to the new settlement agreement reached in June. Megan forecasts continued pressure on ZTE from Capitol Hill, even if the additional penalties against ZTE are generally seen as significant. Jim thinks that the US government’s approach to ZTE is shortsighted and may end up harming national security interests down the road.  

Megan and Jim also discuss the efforts of another Chinese company – the video surveillance camera company Hikvision – to fight back against US government concerns related to espionage. We ask ourselves: is there anything that a Chinese company can do to rebut US espionage and related concerns? And Jim weighs in on the “state of the state” of the 2015 "no commercial cyberespionage" handshake agreement between the US and China, which the State Department confirms is the rare international deal entered into under President Obama that has not yet been ripped up by President Trump.

Elsewhere, Matthew explains why Twitter follower numbers dropped precipitously last week after Twitter’s latest attempts to clean up suspicious accounts. (Justin Bieber and Katy Perry were hit hard, but my account may be down to zero.) Luckily, Jim has some practical tips for maintaining one’s Twitter follower numbers.

And finally, Jim weighs in on a workmanlike GAO report on the Committee on Foreign Investment in the United States, the Department of Defense, and national security concerns – which concludes, among other things, that (1) technology transfers should be an area of concern for the US government and (2) the US government is poorly situated to identify the areas of technology transfer that should be of concern. Over to you, Congress!

I prerecorded the interview of Woody Hartzog, author of Privacy’s Blueprint: The Battle to Control the Design of New Technologies, and a professor of law and computer science at Northeastern. Woody’s thesis is that traditional privacy law has focused unduly on notice and consent, yielding unreadable privacy notices and consents that mean nothing but have great legal impact. Instead, he suggests a focus on how platforms design their user interfaces, borrowing from consumer protection and products liability law. My skeptical of the open-ended nature of the obligations Woody would like Silicon Valley to undertake, but they both at least agree that designers and government are surprisingly well-matched bedfellows.

Download the 226th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with Stewart on social media: @stewartbaker on Twitter and on LinkedIn. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

Our interview is with Gen. Michael Hayden, author of The Assault on Intelligence: American National Security in an Age of Lies. Gen. Hayden is a former head of the CIA and NSA, and a harsh critic of the Trump Administration. We don’t agree on some of his criticisms, but we have a productive talk about how intelligence should function in a time of polarization and foreign intervention in our national debates.

General Michael Hayden and Stewart Baker

In the news, David Kris reports that ZTE has gotten a limited life-support order from the Commerce Department. Meanwhile, Nate Jones tells us that China Mobile’s application to provide telecom service to Americans is also likely to bite the dust – after nearly seven years of dithering. Taking advantage of my preview of stories on Facebook, Tony Rutkowski suggests we call this the revenge of the “neocoms.” So we do.

Remarkably, the European Parliament fails to live down to my expectations, showing second thoughts about self-destructive copyright maximalism. Nick Weaver thinks this outbreak of common sense may only be temporary.

Paul Rosenzweig confesses to unaccustomed envy of EU security hardheadedness. Turns out that Europe has been rifling through immigrants’ digital data in a fashion the Trump Administration probably wouldn’t dare to try. More predictably, the Israelis are digging deep into social media to combat the stabbing attacks that afflicted the country until recently.

The DNC is trying to improve security, and it has trained 80% of its staff not to click on bad links. But as Nick Weaver and Paul Rosenzweig point out, that’s not good enough – even though there are few institutions that can get much above the DNC’s 80%. The answer? Nick says it’s two-factor authentication. We join forces to nudge Firefox toward offering the same level of support for 2FA as Google Chrome.

The feds are getting wise to the Dark Web, Nick tells us. They’re focusing on compromising the money launderers – and then their customers. This looks like a strategy that could work for the long haul.

Finally, David Kris revisits NSA’s still-troubled metadata program, asking whether “the juice is worth the squeeze.”

We’re going to keep tweeting and posting some of the week’s stories that look like candidates for the News Roundup. Please reply to or retweet those you think we should cover. Relevant feeds: @stewartbaker on Twitter, Stewart Baker on LinkedIn, and stewart.a.baker on Facebook.

Download the 225th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

In this episode I interview Duncan Hollis, another Steptoe alumnus patrolling the intersection of international law and cybersecurity. With Matt Waxman, Duncan has written an essay on why the US should make the Proliferation Security Initiative (PSI) a model for international rulemaking for cybersecurity. Since “coalition of the willing” was already taken, we settle on “potluck cyber policy” as shorthand for the proposal. To no one’s surprise, Duncan and I disagree about the value of international law in the field, but we agree on the value of informal, agile, and “potluck” actions on the world stage -- pretty much what PSI represents. In further support, I offer Baker’s Law of International Institutions: “The secretariat is the natural enemy of the United States.”

In closing, Duncan briefly mentions his work with Microsoft on international rulemaking, leading me to throw down on “Brad Smith’s godforsaken proposal.” Brad, if you are willing to come on the podcast to defend that proposal, I’ve promised Duncan a highly coveted Cyberlaw Podcast mug.

In the news, California has a new privacy law, as Steptoe summer associate Laura Hillsman explains, though what it will look like when it finally takes effect in 2020 remains to be seen. 

Chris Conte reports that the SEC has charged a second Equifax manager with insider trading. I ask whether he shouldn’t also have been charged with lousy site design.

The White House draws a line in the sand over ZTE in a letter to the Hill – but Maury and I suspect the real message is in the lack of a veto threat. Maury thinks President Trump’s “go big, then go deal” negotiating strategy is also at work in his decision only to beat up Chinese investments once rather than twice over trade tensions.

NSA’s metadata program was restructured to rely on telecom companies rather than NSA’s own programmers. Congressional ideologues' insistence on leaving the metadata with the companies rather than in NSA’s computers predictably produced a private-sector meltdown. Which they’ll probably blame on NSA.  Jamil Jaffer and I discuss.

What do you know? Reality does win in the end, and Reality Winner finally got the hint (as well as a pretty good plea deal).

Nextgov reveals an unimpressive showing for the Cybersecurity Information Sharing Act’s (CISA) information-sharing provisions, at least as far as sharing with DHS goes. Jamil and I agree, though, that information sharing within the private sector may be a better measure of CISA’s value.

In other news, The Intercept continues to pioneer relevance-free journalism. And trust in social media is collapsing, especially among Republicans, who (remarkably) now think tech companies need more regulation.

Finally, in an experiment we may abandon at any moment, I’m going to start tweeting and posting some the stories this week that look like candidates for the News Roundup. Please reply to or retweet those you think we should cover. Relevant feeds: @stewartbaker on Twitter, Stewart Baker on LinkedIn, and stewart.a.baker on Facebook.

 Download the 224th Episode (mp3).

Laura Hillsman, Chris Conte, and Stewart Baker

 You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!