Skating on Stilts

The theme of this week’s podcast seems to be the remarkable reach of American soft power. Really. We elect Donald Trump, and suddenly everybody’s trolling.

The Justice Department criminally charges a Russian troll factory’s accountant, and before David Kris can finish explaining it, she’s on YouTube, trolling the prosecutors with a housewife schtick.

She’s not alone. Faced with the news that President Trump is using a commercial iPhone for many of his calls – and, Nate Jones points out, getting wiretapped by China, Russia, and others as a result – China has a suggestion that scores at the top of the POTUS Troll Scale.

Tim Cook, meanwhile, goes to Europe to troll Android – and me – with a speech that pushes all my buttons: Europhilia, Apple sanctimony in pursuit of profit, and blind enthusiasm for privacy regulation. But at the end of the day, it's just another Apple-bites-Android story. 

Last in the troll parade comes what can only be described as the understated trolling deployed by the British government when it was asked by the Belgians to investigate whether a Belgian ISP might have been hacked by GCHQ. 

This week’s interview is with Dr. Dipayan Ghosh, Pozen Fellow at Harvard’s Shorenstein Center and co-author of a new report, “Digital Deceit II: A Policy Agenda to Fight Disinformation on the Internet.” It's an interesting mix of good insights and warmed-over Obama-era nostalgia (Carly Rae Jepsen makes a brief appearance). Dipayan and I tangle on privacy but struggle toward common ground on how to limit the power of the Big Platforms. He’s open-minded and flexible about the details of his proposal, so for fans of civil policy debate who are worried about where the platforms’ dominance and ad revenue are taking us, this episode is a keeper.

More news: Why would a Russian technical institute design malware used in an effort to sabotage a major petrochemical plant in Saudi Arabia? Nate Jones lays out the story. Originally suspected of being an Iranian operation, the attack may have originated in Iran, but FireEye persuasively links the underlying (and flawed) malware to Moscow. One possibility is that it’s a Russian false flag job, minus the embarrassing GRU operatives and their Uber receipts. My guess, though, is that the Russian institute is just amortizing malware development costs by selling off exploits developed for the GRU. If so, this may turn out to be another slow motion disaster for the thugs in the Aquarium.

In other news, Yahoo settled a class action over the enormous breach affecting 200 million people and three billion accounts. The price of that settlement? After the lawyers have been paid, the settlement works out to about 25 cents per victim. Seems pretty cheap to me.

For a brief moment, reality has descended on the left coast. It looks like California isn’t eager to get a judicial ruling on its campaign to nullify federal net neutrality law.

In the UK, Facebook is fined the maximum under pre-GDPR law, for what the privacy agency calls a failure to protect personal data from Cambridge Analytica – or, more likely, for the unspeakable crime of not having prevented the election of Donald Trump. And now that GDPR is in effect, the bien pensants of Europe have served notice; failure to prevent the President’s re-election will cost Silicon Valley billions.

Finally, what goes around comes around for the Uber “bounty” hackers. David and I think that this story pretty much answers the question whether they were just confused bounty hunters or extortionists with a clever line of patter.

Download the 237th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with Stewart on social media: @stewartbaker on Twitter and on LinkedIn. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

In this week's interview we ask whether the midterm elections are likely to suffer as much foreign hacking and interference as we saw in 2016. The answer, from Christopher Krebs, Under Secretary for National Protection and Programs Directorate (soon to be the Cybersecurity and Infrastructure Security Agency), is surprisingly comforting, though hardly guaranteed. Briefly, it’s beginning to look as though the Russians (and maybe the Iranians) are holding their fire for the main event in 2020.

In the News Roundup, Maury Shenk highlights the role of Twitter, trolls, and Saudi royals in the Khashoggi killing. He also explains the apparently ridiculous result in the EU Android competition matter. It may be a case of Google giving the EU what it asked for – good and hard.

Terry Albury certainly got it good and hard from a federal judge. He was sentenced to four years in prison for leaking classified documents to The Intercept. Jamil Jaffer explains why Albury’s claim of being a whistleblower didn’t win him much relief. I suggest that maybe the only people willing to read Intercept articles to the end are federal agents trying to find clues to the leakers’ identities; whatever they’re doing, it’s working.

Maury and I marvel over the flood of venture capital money into China – and a potential ebb tide for Chinese money in Silicon Valley.

Jamil explains the latest SEC report flagging the cost of email fraud; nine firms lost $100 million to cyberfraud.  And to add insult to injury, the SEC hints broadly that future victims may be tagged for violating SEC accounting standards, which should be sufficient to prevent such fraud.

I point to the ABA’s recent ethics opinion mandating breach disclosure to clients – and quite a bit more. Maury instructs me on the question of whether putting names on doorbells violates GDPR. Vienna says yes; Germany, no. Maury is sure the Germans have this right.

Finally, I update listeners on the Equifax data breach engineer who figured out that his company must have been breached and traded on his suspicion. In an act of relative mercy for the clueless engineer, he was fined and sentenced to eight months of home confinement.

Download the 236th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with Stewart on social media: @stewartbaker on Twitter and on LinkedIn. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

Today we interview Doug, the chief legal officer of GCHQ, the British equivalent of NSA. It’s the first time we’ve interviewed someone whose full identify is classified. Out of millions of possible pseudonyms, he’s sticking with “Doug.” Listen in as he explains why. More seriously, Doug covers the now-considerable oversight regime that governs GCHQ’s intercepts and other intelligence collection, Britain’s view of how the law of war applies in cyberspace, the prospects for UN talks on that topic, the value of attribution, and whether a national security agency should be responsible for civilian cybersecurity (the UK says yes, the US says no).

In the news, Nick Weaver and Matthew Heiman comment on the undying dumpster fire that is Bloomberg’s Chinese supply-chain-attack story. We may not know for sure whether the story is bogus, at least not for a while. But it’s not too late, I argue, to fund a journalist version of the Ig-Nobel Prize. Call it the Bullitzer, for the story with the most potent mix of consequences and BS. Right now, Bloomberg is definitely in the running.

Matthew tells us that Treasury has announced its CFIUS pilot program, which will require the filing of notices for Chinese acquisitions in 27 critical industries. I argue that this is one more sign that a predisposed bureaucracy has made President Trump a transformational president in terms of relations with China.

Speaking of bureaucratic predispositions, DOJ is carrying out its predisposition to haul Chinese spies into court. What’s remarkable is that it was able to do that from across the Atlantic. While not a cyberespionage case, the recent arrest and extradition of an accused Chinese economic spy is easy to read as DOJ's answer to those who say that indictments of government spies are ineffectual and a sign of weakness.

Everybody’s going to have to choose sides as Trump and Xi continue on their collision course. Except Google. At least according to Google, which bailed out of a Pentagon program because it didn’t meet Google’s values --oh, and because Google had no chance of winning the contract. Talk about virtue signaling on the cheap!

The EU’s virtue signaling isn’t nearly as cheap, at least for Google, which is now appealing a massive EU competition fine. I can’t help wondering who the hell uses Google Shopping to buy stuff; the EU fine feels like it must be $1 billion for every Google Shopping search ever conducted.

Nick reports on two troubling government reports. He believes one — worrying about the cybersecurity of DOD weapons systems . He’s less impressed by White House concerns about the health of the defense industrial base, having recently done some “Buy America” electronics procurement himself.

Finally, in the latest dog-bites-man story, Vietnam will force local data storage despite Silicon Valley’s protests. Nick, Matthew, and I explore the continuing delusion of US foreign policymakers that the Internet must be borderless and open and free.

Download the 235th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with Stewart on social media: @stewartbaker on Twitter and on LinkedIn. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

Bloomberg Businessweek’s claim that the Chinese buggered Supermicro motherboards leads off our News Roundup. The story is controversial not because it couldn’t happen and not because the Chinese wouldn’t do it but because the story has been denied by practically everyone close to the controversy, including DHS. Bloomberg Businessweek stands by the story. Maybe it’s time for the law, in the form of a libel action, to ride to the rescue.

Congress, astonishingly, has been doing things other than watch the Kavanaugh hearings. It produced a conferenced version of the FAA authorization including authority for DHS and DOJ to intercept drone communications and seize drones without notice or a warrant. This effort to get in front of dangerous technology yields the usual whines from the usual Luddite “technology advocates.” Meantime, Congress has also adopted a bill to change the name of DHS’s cyber and infrastructure security agency to, well, the Cybersecurity and Infrastructure Security Agency.

ZTE’s troubles continue, as a federal judge slammed the company for violating the terms of its probation. The judge extended ZTE’s probationary term and the term of its monitor – meaning the company now has two US monitors watching as it tries to rebuild its business.

The Trump Administration is following in the Obama Administration’s footsteps, Gus Hurwitz reports, trying to build consensus around norms for cyber conflict. I remain dubious, but at least this effort is limited to countries not actively engaged in cyber hostilities with the United States.

California has its own air pollution standards; why not its own net neutrality law? Probably because the FCC under Ajit Pai is not the EPA. Gus and I discuss whether any part of California’s law can withstand preemption.

The hits just keep on coming for the GRU, a formerly vaunted Russian intelligence service, which now can’t even keep secret the names of its most secret agents. Bellingcat, a private website, totally pantses the agency, outing not just its nerve agent operatives but 300 others for good measure. Piling on, the Justice Department indicts another batch of GRU operatives for hacking sports anti-doping authorities. Even Germany musters the courage to join the UK in fingering Russia for its cyberattacks while the mighty Dutch counter-hacking team joins in the sack dance.

Is the Turing test easier if you only have to convince Californians that you’re human? That may be the theory behind California’s SB 1001, making it unlawful for a bot to deceive a Californian about its botitude “in order to incentivize a purchase or sale of goods or services in a commercial transaction or to influence a vote in an election.”

More bad news for Justice in Silicon Valley, according to leaks from a court case in which the Department is rumored to have sought a court order forcing Facebook to cooperate in a wiretap of MS-13 members.

Finally, Dr. Megan Reiss reports, North Korea is apparently getting rich robbing banks. Surprisingly, though, it seems not to be robbing American banks. Yet.

Download the 234th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with Stewart on social media: @stewartbaker on Twitter and on LinkedIn. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

In this news-only episode, Nick Weaver and I muse over the outing of a GRU colonel for the nerve agent killings in the United Kingdom. I ask the question that is surely being debated inside MI6 today: Now that he’s been identified, should British intelligence make it their business to execute Col. Chepiga?

On a lighter note, Uber is paying $148 million to state AGs for a data breach that apparently had no  adverse consequences and might not even have been a breach. That's a lot to pay just to show that the company is now under new and more responsible management.

About a year too late, a consensus of sorts is emerging among Republicans that Silicon Valley needs broad privacy regulation. The Trump Administration is asking for comment on data privacy principles. And the tech giants are pushing lawmakers for federal privacy rules. But the catalyst is an increasing need for federal preemption in the face of California’s new law, and the Dems who are expected to take the House will be hard to sell on preemption. So despite the emerging consensus, a logjam that lasts years could still be in our future.

The sentencing of an NSA employee for taking sensitive  hacking tools home – and getting them compromised by Kaspersky – leaves Nick with plenty of additional questions about the source of the tools disclosed by Russian proxies in recent years.

Evan Abrams gives us a summary of the NY AG’s report on virtual markets and cryptocurrency. Bottom line: New York is likely to pursue regulation with vigor.

Meanwhile, undeterred by NSA's inability to secure its own systems, West Virginia had embraced a mobile voting app for the 2018 election. Remarkably, despite its firm deployment of blockchain buzzwords, none of us thinks West Virginia has solved the security problem.

And in quick hits:

• The GRU is taking the “P” in APT way too seriously.
• A content moderator has sued Facebook, claiming that her job gave her PTSD. I think it probably did, but I doubt Facebook will be held liable.
• India’s Supreme Court has upheld, with limits, the government’s massive Aadhaar digital ID program.
• Facebook suffered a breach affecting 50 million user accounts and probably 40 million “log on with Facebook” accounts.  Will we hear about more?  Who knows?  We’re getting these facts piecemeal thanks to the EU’s dumb 72-hour deadline for reporting breaches under GDPR.
• President Trump says China is interfering in the 2018 elections. But unlike the Russian version, all of China’s fake news is on actual newsprint.
• Finally, a quick report roundup:
  • The EU is forcing Silicon Valley to restrict disinformation without actually defining, you know, disinformation. Probably because the EU doesn't want to admist that it thinks everything Trump tweets should be banned as disinformation.
  • DOJ’s otherwise pretty good best practices report sadly doubles down on hating hackback. Now with added rationales!
  • China is back to stealing our commercial secrets, but more quietly, think tanks report.
  • House AI report – pro: bipartisan; con: mostly content-free.
  • And here's yet another set of IoT security guidelines