Skating on Stilts

Our interview this week focuses on section 230 of the Communications Decency Act and features Lauren Willard, counsel to the Attorney General and a moving force behind the well-received Justice Department report on section 230 reform. Among the surprises: Just how strong the case is for FCC rule-making jurisdiction over section 230.

In the news, David Kris and Paul Rosenzweig talk through the fallout from Schrems II, the Court of Justice decision that may yet cut off all data flows across the Atlantic.

Paul and I speculate on the new election interference threat being raised by House Democrats. We also pause to praise the Masterpiece Theatre of intelligence reports on Russian cyber-attacks.

Nick Weaver draws our attention to a remarkable lawsuit against Apple. Actually, it’s not the lawsuit, it’s the conduct by Apple that is remarkable, and not in a good way. Apple gift cards are being used to cash out scams that defraud consumers in the US, and Apple’s position is that, gee, it sucks to be a scam victim but that’s not Apple’s problem, even though Apple is in a position to stop these scams and actually keeps 30% of the proceeds. I point out that Western Union – on better facts than Apple's– ended up paying hundreds of millions of dollars in an FTC enforcement action - - and still facing harsh criminal sanctions.

Paul and David talk us through the 2021 National Defense Authorization Act, which is shaping up to make a lot of cyber-security law, particularly law recommended by the Cyber Solarium Commission. On one of its recommendations – legislatively creating a White House cyber coordinator – we all end up lukewarm at best.

David analyzes the latest criminal indictment of Chinese hackers, and I try to popularize the concept of crony cyberespionage.

Paul does a post-mortem on the Twitter hack. And speaking only for myself, I can’t wait for Twitter to start charging for subscriptions to the service, for reasons you can probably guess.

David digs into the story that gives this episode its title – an academic study claiming that face recognition systems can be subverted by poisoning the training data with undetectable bits of cloaking data that wreck the AI model behind the system. How long, I wonder, before Facebook and Instagram start a “poisoned for your protection” service on their platforms?

In quick takes, I ask Nick to comment on the claim that US researchers will soon be building an “unhackable” quantum Internet. Remarkably his response is both pithy and printable.

And more!                                                                                                                 

Download the 326th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

The decision of the European Court of Justice (CJEU) in Schrems II is gobsmacking in its mix of judicial imperialism and Eurocentric hypocrisy. The decision invalidates the Privacy Shield agreement between the U.S. and the EU on the ground that U.S. protections for individual rights are not "adequate," by which the court means not "essentially equivalent" to the rights provided to individuals under European law. It manages to do this while acknowledging that the court and the EU have no authority to elaborate or enforce these rights against any of the EU's member states. That, the court says, is "irrelevant." It is making the rules for benighted foreign lands like Canada and the United States, not for Europeans. Freed from the prospect that any of the governments that appoint them will have to live with these rules, the judges of the CJEU declare that large chunks of U.S. intelligence law—including some of America's most productive and essential authorities, such as Section 702 of the Foreign Intelligence Surveillance Act (FISA)—are beyond the pale.

In theory, this means that the United States is a privacy-inadequate nation, and any company sending personal data here may be fined under the General Data Protection Regulation (GDPR) up to four percent of gross global income. (Yes, the court left open the question whether a special set of corporate contract clauses remained a legal basis for transferring data to the U.S., but very few lawyers think those clauses will actually provide any protection when challenged, since no private contract can undo the obligations of Section 702.)

It is astonishing that a European court would assume it has authority to kill or cripple critical American intelligence programs by raising the threat of massive sanctions on American companies. In so doing, the court overrode a formal executive agreement reached by the EU with the U.S.; it also rejected the view of the European Commission that U.S. law was adequate to protect individual rights.

Still, the court clearly does think it can force its views on not just the United States but the rest of the world as well. It has already told the Canadians that they don't measure up. Australia and India have been kept in limbo for a decade due to doubts about whether their democracies dance sufficiently to the justices' tune.

Perhaps, had the court been less stiff-necked, it might have forced a change in the laws of these countries. But now the entire project is bound for disaster. China, which is already a great power when it comes to personal data, has signaled to Europe that it will not tolerate interference with its internal affairs. Yet rather than confront a country that clearly lacks protections for individual rights, European bureaucrats have spent 20 years chivvying the United States over data transfers, signing and breaking half a dozen agreements, always asking for more and usually getting additional concessions—including appointment of a special U.S. "ombudsperson" to hear European complaints; enforcement of European law by U.S. agencies like the Federal Trade Commission and Commerce Department; and a special Judicial Redress Act, passed for Europe in 2015, that grants Europeans the right to file FOIA petitions. None of that was good enough for the CJEU. This history shows that, even if the U.S. again tried to modify its law to meet the court's rigid demands in Schrems II, more litigation and more demands—not peace—would be the result.

The time for American concessions is over. Throughout the emergence of this issue, the U.S. has insisted—and the EU has agreed—that data flows across the Atlantic should not be interrupted. Indeed, the World Trade Organization (WTO) agreement signed by Europe makes clear that data flows may not be regulated in the name of privacy if the regulation is a means of "arbitrary or unjustifiable discrimination between countries where like conditions prevail." Nothing could be more discriminatory or arbitrary than 20 years of pursuing the United States for the privacy equivalent of parking tickets while ignoring similar infractions by the member states and an endless series of privacy felonies by the People's Republic of China. It's time for the U.S. to get serious about ending this campaign of harassment.

What can the United States do? Plenty. Here are a few options that belong on the table in the interagency process.

1. Rescind the concessions the U.S. made to get the now-broken deal. This is a no-brainer. Europe has broken the deal it made, and it cannot keep the parts of the deal it likes. The U.S. attorney general should withdraw the special status of European nationals under the Freedom of Information Act and the Judicial Redress Act. The Office of the Director of National Intelligence should abolish the office of the ombudsperson created to give Europeans comfort that their complaints about intelligence collection would be heard. President Trump should rescind PPD-28, the Obama-era set of politically correct limitations on intelligence community activities, which has been kept alive as part of the Privacy Shield negotiations.

2. Prepare to retaliate in a way that shows the U.S. is serious. Americans have never paid much attention to periodic eruptions of the data transfer issue. We are always a little inclined to think that maybe Europeans have something to teach us about privacy and human rights, so righteous American anger about intrusion on our sovereignty has been slow to ignite. But now is the time to show Europe that the U.S. is serious about keeping in place effective counterterrorism measures—and keeping the right to write U.S. laws without getting permission from European governments.

Because this decision violates U.S. rights under the WTO, the executive branch has authority under Section 301 of the Trade Act of 1974 to impose tariffs and other import restrictions on the countries of the European Union. And it should. If the U.S. wants to get Europe's attention, it needs to get Germany's attention, which probably means heavy tariffs on German cars and perhaps car parts. Airplanes and airplane parts are also a touchpoint. As usual, the list of retaliation candidates will need to include something of great value to each member state—Irish whiskey, say, or French wines.

The retaliation process will take a few months. The goal is not to impose the tariffs but to put an end to the crisis—and to Europe's peculiar arrogance about imposing its personal data law on the rest of the world.

3. Make common cause with the U.K., Canada, Australia and perhaps India. The U.S. doesn't have to stand alone. The EU has been threatening the U.K. with an "inadequacy" determination as punishment for Brexit. Its court has already struck at Canadian law. And Australia and India surely know they are next. The U.S. should include these nations in any negotiation, but only if they join America in preparing sanctions against Europe.

4. Find a stopgap solution in one of the member states. The CJEU's admission that it doesn't have anything to say about how member states protect personal data isn't just a confession of hypocrisy. It could be an opportunity to do an end run on the whole mess created by the court. If any one of the member states—Poland, say, or Ireland or Hungary—were willing to sign a national security agreement with the United States, it would be acting within the national security authority conferred on it by Article 4(2) of the Treaty of the European Union.

Suppose, in the pursuit of its national security interests, Poland agreed to allow personal data to flow to the United States without restriction, in exchange for which the United States agreed to share with Poland any counterterrorism data it was able to obtain by virtue of its worldwide intelligence collection. That would only apply to data transferred from Poland, of course, but companies could set up subsidiaries in Warsaw, transfer their data holdings there from elsewhere in Europe—after all, the EU is a single market—and then let them move to the United States.

Or suppose that Poland's government and data protection authority agreed that data exports to the United States could be challenged on the ground that protections for Europeans from U.S. intelligence were inadequate—but only by a plaintiff who could demonstrate concrete economic injury. Since the European objection to U.S. law has been almost entirely theoretical, this has the double advantage of providing redress for actual human rights violations while exposing the fact that, by and large, no one in Europe can point to any.

Whether these one-country solutions would withstand the inevitable legal wrangling, I don't know, but the court left no time for companies to adjust. Getting a Polish exit visa for data from that country would give them breathing room even if the shelter doesn't ultimately survive its journey through the courts.

5. Negotiate an agreement that ends the threat to American companies. If the U.S. can get European governments to take seriously American objections to the notion that Europe can write U.S. law, there is a simple solution to this problem. The CJEU's opinion, though written as though grounded in the rights of man, is in fact based on a European regulation and a European treaty. As a matter of international law, both of those can be overridden by a newer treaty. Indeed, the U.S. entered into a binding executive agreement—the international equivalent of a treaty—when it bargained for the adequacy determination that the court overturned.

How could the court overturn a binding agreement, then? The Americans who negotiated the deal under the Obama administration gave a lot of binding promises about how they would handle European data, but they didn't get a binding promise in return that U.S. law would be deemed adequate and that data flows of compliant companies would not be restricted. Maybe they got snookered. Maybe they couldn't muster the will to draw a line in the sand. Whatever the reason, the agreement is utterly one-sided—all American concessions, plus a little European mood music.

So the U.S. should ask for the concessions it should have gotten last time: a binding assurance that U.S. protections for individual rights are not in need of European editing and that data flows will never be threatened again over this issue.

As democracies with long histories of protecting civil liberties—histories that stand up well next to those of most EU members—the United Kingdom, Australia and Canada should get the same assurances. The CJEU's only source of power to undo the deal is the GDPR and the Treaty of the European Union (which is also the source of the Charter of Fundamental Rights of the European Union). All of those instruments must yield to a binding international agreement with the United States and other democratic nations.

The big news of the week was the breathtakingly arrogant decision of the European Court of Justice, announcing that it would set the  rules for how governments could use personal data in fighting crime and terrorism.

Even more gobsmacking, the court decided to impose those rules on every government on the planet – except the members of the European Union, which are beyond its reach. Oh, and along the way the court blew up the Privacy Shield, exposing every transatlantic business to massive liability, and put the EU on a collision course with China over China's most sensitive domestic security operations. This won’t end well.  It's the CJEU's version of our Court's Dred Scott ruling. Paul Hughes helps me make sense of the decision.

In the interview, I interview Darrell West, co-author of Turning Point - Policymaking in the Era of Artificial Intelligence..We mostly agree on where AI is already making a difference, where it's still hype, and how it will transform war. Where we disagree is over the policy prescriptions for avoiding the worst outcomes. I disagree with the relentless focus of the book (and every other book in recent years) on the questionable claim of AI bias, and Darrell and I have a spirited disagreement over my claim that his prescription will hide numerical racial and gender quotas in every aspect of life that AI touches.  

Iranian cyberspies make pretty good training videos, Sultan Meghji tells us, but they’re not taking any bows after leaving the videos exposed online.

If you thought Twitter’s content resembled middle school, wait until you see their security measures in action. Nate Jones has the details, but my takeaway is that middle school science projects are usually handled  a lot more responsibly than Twitter’s “god mode” dashboard. 

BIPA, the Illinois biometric privacy act, has inspired lawsuits against users of a database assembled to reduce AI bias. Mark MacCarthy explains that the law prohibits use of biometrics (like  pictures of your face) without consent. I observe that this makes BIPA the COVID-19 of privacy law.  Anyone who touches this database will be infected with liability, at least if the plaintiff’s surprisingly plausible theory holds up.

Sultan reminds us that the PRC has now been caught twice requiring companies in China to use tax software with built-in malware. You know what they say: “Once is happenstance. Twice is coincidence. Three times is enemy action.”  I don’t think we’ll need to wait long to see number three.

Nate gives us a former government lawyer’s take on the CIA’s new authority to conduct cyber covert action. (Yahoo, Lawfare) Ordinarily he’d be skeptical of keeping those decisions away from the White House, but in this case, he’ll make an exception. My take: If unshackling the CIA has produced the APT34 and FSB hacks and data dumps, what’s not to like?

In short takes, I mock the Justice Department spokesperson who claimed that Ghislaine Maxwell was engaged in “a misguided effort to evade detection” when she wrapped her cellphone in tin foil. And Mark and I cross swords over Reddit’s capture by the Intolerant Left. You make the call: When Reddit declares that exposing fake hate crimes as hoaxes is a form of hate speech, is that anecdotal evidence of left-wing bias or stone-cold proof of epistemic closure?

Download the 325th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Our interview today is with Bruce Schneier, who has coauthored a paper about how to push security back up the Internet-of-things supply chain: The Reverse Cascade: Enforcing Security on the Global IoT Supply Chain.  His solution is hard on IOT affordability and hard on big retailers and other middlemen, who will face new liabilities, but we conclude that it’s achievable and maybe necessary. In fact, the real question is who’ll get there first, a combination of DHS’s CISA and the FTC or the California Secretary of State.

In the News Roundup Megan Stifel (@MeganStifel), Nate Jones (@n8jones81), and David Kris (@DavidKris) and I discuss TikTok's unenviable position -- holding the ball at the wrong end of the court as the clock winds down to 00:00.  Every week seems to bring a new administration initiative that could hurt or kill TikTok's US business.  The government’s options include a simple ban on TikTok sales to US buyers based on a finding that the company is a threat to national security or the security of Americans. That’s the applicable legal standard under Executive Order 13873; it's brand-new (the regs aren’t even final yet)  but it relies on tools that have long been used under the International Economic Emergency Powers Act (IEEPA). A straightforward application of IEEPA remedies would cut TikTok off from the US market, I argue.

Meanwhile, another little-advertised but equally sweeping rule for government contractors is on its way to implementation. It will deny federal contracts, not just contractors who want to deliver certain Chinese products but it will also cut off contractors who jsut use those products themselves.

Not to be outdone by the contracting officers, the Federal Trade Commission and Justice Department are attacking TikTok from a different direction – investigating claims that the company failed to live up to last year’s consent decree on the privacy of children using the app.

And, on top of everything, private sector CISOs are drawing a bead on the app, too, as Wells Fargo and (briefly) Amazon told their employees to take the app off their work phones.

It’s no surprise in the face of these developments that TikTok is working overtime to decouple itself in the public’s mind from China, including going so far as to join the rest of Silicon Valley in signaling discomfort with Hong Kong’s new security rules (and ruler). Megan and I question whether this strategy will succeed.

If Chief Justice Roberts were running for office, he couldn’t have produced a better platform than the Court’s latest tech decision – upholding most of a law that makes  robocalls illegal while striking down the one part that authorizes robocalls for collection of government debt.  David Kris explains.

Nate unpacks a new Florida DNA privacy law prohibiting life, disability and long-term care insurance companies from using genetic tests for coverage purposes. I express skepticism.

Nate also explains the mysteriously quiet launch of the UK-US Bilateral Data Access Agreement. Four years in the making, and neither side wanted to announce that it had taken effect – what are they worried about, I wonder?

FBI Director Wray gives a compelling speech on the counterintelligence and economic espionage threat from China. He says the bureau opens a new such case every ten hours.  And right on schedule comes the prosecution of a professor charged with taking $4M in US grant money to conduct research -- for China.

David and I puzzle over the surprisingly lenient sentence handed to a former Yahoo engineer for hacking the personal accounts of more than 6,000 Yahoo Mail users looking for sexually explicit images and videos.

For This Week in Silicon Valley Speech Suppression, I out Reddit as a particularly fanatical convert to SJW orthodoxy in censoring the right, as the service apparently tells its moderators that it’s hate speech to post stories or video showing a person of color as the aggressor in a confrontation. 

And Nate closes us out by drawing again from a bottomless well of problems faced by technological contact tracing.  

Download the 324^th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

In the News Roundup, Dave Aitel (@daveaitel), Mark MacCarthy (@Mark_MacCarthy), and Nick Weaver (@ncweaver) and I discuss how French and Dutch investigators pulled off the coup of the year this April, when they totally pwned a shady “secure phone” system used by large numbers of European criminals. Nick Weaver explains that hacking the phones of Entrochat users gave the police access to big troves of remarkably candid criminal text conversations. And, I argue, it shows a flaw in the argument of encryption defenders who say that restricting Silicon Valley encryption will send criminals to less savory companies. That's true, but sleazeball companies are inherently more prone to compromise, as happened here.

This week the EARN IT Act went from Washington-controversial to Washington consensus in the usual way.  It was amended into mush. Indeed, there’s an argument that, by guaranteeing that nothing bad will happen to social platforms who adopt end-to-end encryption, the successful Leahy amendment actually makes e2e crypto more attractive than it already is under current law. That’s my view, but Mark MacCarthy still thinks the twitching corpse of EARN IT might cause harm by allowing states to adopt stricter liability for child sex abuse material. He also thinks that it won’t pass.  I have ten bucks that says it will, and by the end of the year.    

Dave Aitel, new to the news roundup, discusses the bad week TikTok had in its second biggest market.  India has banned the app. And judging from some of the teardowns of the code, its days may be numbered elsewhere as well.   Dave points to reports that Angry Birds was used to collect user information as well when it was at the height of its popularity. We wax philosophic about why advertising and not national security agencies are breaking new ground in building our Brave New World.

Mark once worked for a credit card association, so he’s the perfect person to comment on the next story, in which the founder of gab discovers that being labeled a “hate speech” platform won’t just get you boycotted by Silicon Valley but by the credit card associations as well. Once we’re in this vein, we mine it, covering Silicon Valley’s concerted campaign to make sure Donald Trump can’t possibly repeat 2016 in 2020. He’s been deplatformed at Twitch this week for something he said in 2016.  And Reddit dumped his enormous subreddit for failure to observe its censorship rules – which I point out are designed to censor only people in "the majority." I argue it’s time to defund the speech police. 

Nick takes us to a remarkable Washington story. He thinks it’s about a questionable Trump administration effort to redirect $10 million in “freedom tools” funding from cryptolibertarians to Falun Gong coders. I point out that US government funds going to the cryptolibertarians were paying the salary of the notorious Jake Applebaum and buying tools like TAILS that have protected appalling sextortionist criminals. Really, taking the money away from those projects would be a good idea if all we did with it was to burn the bills on cold days to warm the homeless on the Mall.

Returning to This Week in Hacked Phones, Nick explains the latest "man in the middle" attack that works as soon as the phone user visits a website. Any website.  Dave sets out the strikingly sophisticated and massive international surveillance system China is now aiming at Uighers all around the world.  And Nick warns of two bugs that, if you haven’t spent the weekend fixing, may already be compromising your network.

In quick hits, I mock MIT for thinking that “pedophile” is a racial or ethnic slur but confess that its researchers must know more bad words than I do.  What, I ask, is a c****e, anyway? If MIT was cheating on the number of asterisks, we have an idea, but that really is cheating.  If you know, please don’t tweet the answer; send it to our email.

Download the 323^rd Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.