Skating on Stilts

This episode features an interview on the Bezos phone hacking flap with David Kaye and Alex Stamos. David is the UN Special Rapporteur and clinical professor of law at UC Irvine who first drew attention to an FTI Consulting report concluding that the Saudis did hack Bezos' phone. Alex is director of the Stanford Internet Observatory and was the CSO at Facebook; he thinks the technical case against the Saudis needs work, and he calls for a supplemental forensic review of the phone. 

In the news, Nate Jones unpacks the US-China "phase one" trade deal and what it means for the tech divide.

Nick Weaver and I agree that the King County (Seattle) Conservation District's notion of saving postage by having everyone vote by phone is nuts. Nick in particular reacts as you'd expect him to. Although, frankly, if anyone deserves to have Putin choose their local government, it's Seattle. He could hardly do a worse job than Seattle voters have.

Nate talks about the profound hit the credibility of the FISA process has taken as a result of the Justice Department admitting that two of four Carter Page warrants were invalid. Among other things, it opens FISA to a kitchen sink full of crazy  proposals for handcuffing national security wiretaps. Like this one from Sen. Ron Wyden and Sen. Steve Daines (who should know better).

Brazil has charged Glenn Greenwald with "cybercrimes" on evidence that would be thin at best in the US, Nate argues. Nick agrees and is only sad that the Bolsonaro government has put him in the position of defending the unspeakably unpleasant Greenwald.

Google is redesigning its search results again, blurring even further the line between ads and organic results. Living up to its new motto ("Don't be caught being evil"), Google announces that it's just testing its design, and everyone should chill. Nick and I are skeptical that A/B testing will tell Google anything other than which redesign fools consumers most effectively and thus makes more protection money for Google.

And speaking of protection money, this episode was not brought to you by Avast, the company that probably would have paid the most not to be mentioned on the podcast this week. Because they've been caught getting largely uninformed consent to the monitoring of their customers' Web activities – right down to their porn preferences.

Download the 297th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the participants' institutions, clients, friends, spouses, children, or pets.

This week’s episode includes an interview with Bruce Schneier about his recent op-ed on privacy. Bruce and I are both dubious about the current media trope that facial recognition technology was spawned by the Antichrist. He notes that what we are really worried about is a lot bigger than facial recognition, and he offers ways in which the law could address that deeper worry. I’m less optimistic about our ability to write or enforce laws designed to restrict use of personal information , which after all gets cheaper to collect, to correlate, and to store every year. It’s a good, civilized exchange.

The News Roundup is a little truncated due to a technical failure. (It was a glitch in Zencastr for those of you keeping score, and I definitely am). As a result, we lost Nick Weaver’s audio for about half the program, including a hammer and tongs debate with me over Apple’s fight with the FBI. (But never fear, opportunities for that debate come by about as often as the Red Line comes to Dupont Circle.) 

That said, it’s still a feisty episode. It begins with Michael Vatis teeing off on the California Consumer Privacy Act, the worst-drafted law he’s worked with in over 30 years of practice – and not much better on policy grounds.

We then return to Illinois’s recent law regulating AI hiring interviews systems like HireVue, and sparks fly again as Mark MacCarthy and I mix it up over allegations of AI “bias.” (I’m a skeptic, to put it mildly.) 

Matthew Heiman covers the surprisingly thin claim that the GRU has phished its way into Burisma Holdings. And Nick comments on (yet another!) Italian surveillance tech firm getting into trouble by misusing its capabilities. 

Not-so-Big Tech has begun asking Congress for antitrust help against Big Tech. Mark is skeptical; I’m a little less so.

Matthew and I compliment frequent contributor David Kris on his speed in delivering an amicus report on the FBI’s Horowitz reforms -- between one Cyberlaw Podcast episode and the next – and before his Congressional critics can even finish a letter questioning his appointment. One lingering, and possibly salutary, effect of the kerfuffle is that some good questions are now being directed at the FISA Court itself, asking why it didn’t do a better job of policing the Carter Page excesses. 

Mark reports on an unusual effort by Europe’s chief privacy officer to exempt academic researchers from strict compliance with data protections laws. Privacy law, as I've said for years, is all about privileging the powerful, and academics qualify, so of course they deserve a data protection exemption.

In quick hits, Matthew notes that Erdogan has bowed to the Turkish Supreme Court and reinstated access to Wikipedia. He also reports on the U.S. Department of the Interior permanently grounding its drone fleet over spying concerns. Nick chuckles over China’s APT 40 getting doxxed, and we both give credit to NSA’s Anne Neuberger for disclosing and enabling the patch by Microsoft of a major vulnerability in the Crypt32 library. Finally, I predict that Clearview will be sued for violating terms of service to obtain the facial recognition data it uses to provide identification services to law enforcement. Because privacy law is all about protecting the privileged, and crime victims don't qualify.

Download the 296th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of our institutions, clients, spouses, families, or pets

There’s a fine line between legislation addressing deepfakes and legislation that is itself a deep fake. Nate Jones reports on the only federal legislation addressing the deepfake problem so far. I claim that it is well short of a serious regulatory effort – and pretty close to a fake itself.

In contrast, India seems serious about imposing liability on companies whose unbreakable end-to-end crypto causes harm, at least to judge from the howls of the usual defenders of such products. David Kris explains how the law will work. I ask why Silicon Valley gets to impose the externalities of encryption-facilitated crime on society when we’d never let Big Tech leave us with the tab for water or air pollution just because their products are so cool. In related news, the FBI may be turning the Pensacola military terrorism attack into a slow-motion replay of its San Bernardino fight with Apple, this time with more top cover (and probably better lawyering).

Poor Nate seems to draw all the fake legislation in this episode. He explains a 2020 appropriations rider requiring the State Department to report on how it issues export licenses for cyber espionage capabilities; this is a follow-up to investigative reporting on the way such capabilities ended up being used against human rights activists in the UAE. As we agree, it’s an interesting and likely unsolvable policy problem, so the legislation opts for the most meaningless of remedies, requiring the Directorate of Defense Trade Control to report “on cybertools and capabilities licensing, including licensing screening and approval procedures as well as compliance and enforcement mechanisms” within 90 days.

Nate also gets to cover some decidedly un-fake requirements in the 2019 NDAA limiting how defense contractors can use Chinese technology. The other shoe is about to drop, and if the first one was a baby shoe, the second is a Clydesdale’s horseshoe.

It’s hard to call it fake, but the latest export control rule restricting sales of AI could hardly be narrower. Maury Shenk and I speculate that this is because a long-term turf war has broken out again in export control policy circles. Maury’s money is on the business side of that fight, and the narrowness of the AI rule gives weight to his views.

And here’s some Christmas cheer for DOJ and national security officials: A federal district court put a lump of coal in Fast Eddie Snowden's stocking, denying him royalties from a book that violated his nondisclosure agreement. Nate thinks it’s safe for me to buy a copy, but I’m waiting for appellate confirmation.

Less festive news comes from the European Court of Justice’s advocate general opinion in Schrems II, a case that could greatly complicate EU-US data transfers by purporting to put Europeans in charge of how the US defends itself from terrorism. Maury explains; I complain.

David unpacks with clarity a complex Second Circuit decision on the constitutionality of FISA 702 collection. On the whole, Judge Lynch did a creditable job with a messy and unprecedented set of claims, though I question the wisdom of erecting a baroque mansion of judge-made limits on a slippery and narrow foundation like the Fourth Amendment’s requirement that searches be “reasonable.”

And in short hits:

• Maury tells us that Italy has imposed a French-style revenue tax on Internet companies.
• The Russians claim to have successfully found a way to disconnect from the Internet. Now if we could only get them to stay that way.
• Illinois has a new, mostly fake law imposing modest regulations on the use of AI in video job interviews.
• The TRACED Act rises above fakeness in attacking robocalls but just barely.
• And the FAA released an NPRM calling for a pretty serious requirement for remote ID of drones.

Finally, to put everyone back in the Christmas spirit, LabMD won nearly a million dollars in fees from the Federal Trade Commission for the FTC’s bullheaded pursuit of the company despite the many flaws in its case. The master’s opinion makes clear just how badly the FTC erred in hounding LabMD.

Download the 295th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect those of their spouses, children, clients, firms, or institutions.