Skating on Stilts

Our interview in this episode is with Michael Daniel, formerly the top cybersecurity adviser in the Obama NSC and currently the CEO of the Cyber Threat Alliance.  Michael lays out CTA’s mission. Along the way he also offers advice to the Biden cyber team – drawing in part on the wisdom of Henry Kissinger.

In the news roundup, Michael joins Jamil Jaffer and Nate Jones to mull the significance of Bruce Reed’s appointment to coordinate technology issues in the Biden White House.  Reed’s tough take on Silicon Valley companies and section 230 may form the basis of a small-ball deal with Republicans on things like child sex abuse material, but none of us thinks a broader reconciliation on content moderating obligations is in the offing.

When it comes to regulating the tech sector, Brussels is a fount of proposals. The latest, unpacked by Jamil and Maury Shenk, is intended to build on the dubious success of GDPR in jumpstarting the EU’s technology industry. If it reminds you of the brilliant success of European regulation in creating a large certification authority industry, you won't be far wrong.

Maury and I puzzle over exactly how a Russian divorcee won a court order allowing access to her estranged son’s Gmail account. Our guess: the court stretched a point to conclude that the son had consented.

Another day, another China-punishing measure from the Trump administration: Jamil explains the administration’s vision of a bloc of countries that will unite in resistance to China’s punitive trade retaliation against inconvenient Western countries, most notably Australia, now getting hit hard by China.

Meanwhile, Maury reports that the administration has identified nearly 90 Chinese companies that are closely tied to the Chinese military for purposes of export control licenses. The only good news for US exporters is that the list eliminates some ambiguity about the status of some companies.

Maury also gives an overview of what most of us think is an oxymoron: Privacy in China. In fact, there is growing attention to protecting privacy at least from commercial companies. But harsh penalties, as always, are going to make observers wonder “who did that company piss off?” before they wonder “what did that company do wrong?”

Maury also reports on the effort to revive Privacy Shield – and on just how little the negotiators have to work with.

Jamil comments on the ever-rising cost of cybersecurity, and the possible implications for bank consolidation.

Nate reviews privacy and security doubts about Amazon’s Sidewalk feature, which turns Alexa devices into neighborhood WiFi networks.

Maury and I note that the deadline for a TikTok sale is a week away and maybe always will be.

Jamil wonders why ZTE asked the FCC to reconsider its exclusion of the company from the US telecoms infrastructure. The FCC order denying the request was not exactly a marketing triumph.

Jamil and I have fun asking how much snooping will go on in a proposed new fiber-optic network linking Saudi Arabia and Israel. Biggest loser? Egypt.

Nate is not surprised that France is pushing its tax for the (US) tech sector, but we debate whether the timing will turn out to be good for France or bad. I claim that White House ADHD will be France’s best friend.

Maury and I try to figure out whether there’s a public policy case in favor of the Rivada plan to take over a bunch of DoD spectrum and rent out whatever is excess to DoD needs. Maybe there is, but we can’t find it.

Download the 340^th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Here's my favorite story from this episode: David Kris told us about a report from the Privacy and Civil Liberties Oversight Board that spelled out the enormous value that European governments have gotten in their fight against terrorism from the same American surveillance programs that European institutions have been trying for twenty years to shut down.  The PCLOB report is a delightful takedown of European virtue-signaling, and I hope the Biden Administration gives the PCLOB a new name and mission in honor of the report.

The news roundup actually begins with a review of the US-China tech relationship and how it might change under a Biden administration. The Justice Department has given itself a glowing report card for its contribution to decoupling – by opening a new China-related counterintelligence case every 10 hours. I ask how long this can go on before China starts arresting American businessmen – something that will surely kick off another round of decoupling.

Speaking of decoupling, the latest legislation aimed at prison labor in China may be getting uncomfortably close to Apple, which is quietly lobbying to water down a bill that is expected to pass soon by overwhelming majorities. Megan Stifel and I conclude that the provision that probably scares Apple most is an obligation to make representations about whether the company’s products include parts made with prison labor. That is increasingly difficult to figure out as China has limited audits for such purposes, putting Apple in a tight spot. Sympathy for Tim Cook, however, is in short supply from our panel.

Speaking of legacy burnishing, the Trump White House has issued its own set of guidelines for federal agencies using artificial intelligence. Nick Weaver thinks they're actually not bad – light touch on most topics – which may be the nicest thing he’s said about a product of this White House in four years. Sticking with AI, Nick comments on the prospect for putting humans in the loop of AI decision making.  He thinks that’s a recipe for lousy AI, and that campaigns to get a “Human in the Loop” for lethal systems have already lost the technology fight. At best, he suggests, we can hope to have our poky old brains “on the loop” in future AI conflicts.

Some good news:  An IOT security bill that Megan and I both like (Megan more than I) has passed both houses of Congress and been sent to the President for signature. It only sets standards for the IOT that the federal government buys, but that’s a good first step.

As a former NSAer, I explain “GCHQ envy” to David, and he provides the latest reason why it should be rampant at the Fort this year, as the agency introduces a new offensive cyber unit to take on organized crime and hostile states.

David also takes on the question whether there’s a legal problem with the U.S. military buying location data from apps companies.  Short answer: Nope.

Megan explains a now-patched Facebook Messenger bug that would have allowed hackers to listen in on users. Nick tells us why the FBI needed to hire robots to retrieve sensitive files. Megan gives us some staggering statistics about the prevalence of ransomware. Hint: if you thought COVID-19 was a pandemic, you ain’t seen nothin’ yet. And I give a quick summary of the TikTok and WeChat ban litigation, where the government is unlimbering a host of new technical arguments.

I take a moment to give a shoutout to Sean Joyce, whose principles led him to walk away from what is probably going to be serious money when Airbnb goes public. The company’s leadership hired him as chief trust officer. Taking trust seriously, he argued for limits on when and how much data about individual users the company gave to the Chinese government.  But the debate reportedly ended when one of the founders declared, “We’re not here to promote American values.” That's not a good look for Airbnb, but the incident says a lot about Joyce, who left the company within weeks because he didn't share its principles.

And, finally, it turns out that the FCC is in its last weeks of Trump legacy burnishing; facing a deadline in January 2020, it had to choose between starting to write regulations about the scope of section 230 and dealing with foreign products in the 5G infrastructure.  It chose 5G.

And more.

Download the 339^th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

This week sees yet another Trump administration initiative to hasten America's decoupling from China. As with MIRV warheads, the theory seems to be that if you launch enough of them, the next administration can't shoot them all down.  Brian Egan lays out this week's initiative, which lifts from obscurity a DoD list of Chinese military companies and excludes the companies from U.S. capital markets. 

Our interview is with Frank Cilluffo and Mark Montgomery. Mark is Senior Fellow at the Foundation for Defense of Democracies and Senior Advisor to the congressionally mandated Cyberspace Solarium Commission. Previously, he served as Policy Director for the Senate Armed Services Committee under Senator John S. McCain—and before that served for 32 years in the U.S. Navy as a nuclear trained surface warfare officer, retiring as a Rear Admiral in 2017. Frank is director of Auburn University's Director of Auburn University's McCrary Institute for Cyber and Critical Infrastructure Security. He served on the Cyberspace Solarium Commission and chaired the Homeland Security Advisory Council's subcommittee on economic security.

We talk about the unexpected rise of the industrial supply chain as a national security issue. Both Frank and Mark were moving forces in two separate reports highlighting the issue, as was I. (See also my op-ed on the same topic.) So, if we seem suspiciously in agreement on supply chain issues, it's because we are suspiciously in agreement on supply chain issues. Still, as an introduction to one of the surprise hot issues of the year, it's not to be missed.

After our interview in episode 336 of a Justice Department official on how to read Schrems II narrowly, you knew it was only a matter of time before we heard from Europe. Charles Helleputte reviews the European Data Protection Board's effort to give more authoritative and less comfortable advice to U.S. companies that want to keep relying on the standard contractual clauses. The Justice Department take on the topic manages to squeak through without a direct hit from the privacy bureaucrats.  Still, the EDPB (and the EDPS even more so) makes clear that anyone following the DOJ's lead is in for an uphill fight. (For those who want more of Charles's thinking on the topic, see this short piece.)

Zoom has been allowed to settle an FTC proceeding for deceptive conduct (claiming that its crypto was end to end when it wasn't, and more). Mark MacCarthy gives us details.  I throw shade on the FTC's failure to ask any serious national security questions about a company that deserves some. 

Brian brings us up to speed on TikTok.  Only one of the Trump administration penalties remains unenjoined. My $50 bet with Nick Weaver -- that CFIUS will overcome the judicial skepticism that IEEPA could not -- is hanging by a thread. Casey Stengel makes a brief appearance to explain why TikTok might win. 

Brian also reminds us that export control policymaking is even slower and less functional on the other side of the Atlantic, as Europe tries, mostly ineffectively, to adopt stricter limits on exports of surveillance tech. 

Mark and I admire the new Aussie critical-infrastructure cybersecurity initiative, for its clarity if not for its likely political appeal. 

Charles explains and I decry the enthusiasm of European courts for telling Americans what they can say and read on line, as an Austrian court tells Facebook to take down worldwide the description of an Austrian politician as belonging to a "fascist party." Apparently, we aren't allowed to say that political censorship is what members of a fascist party tend to advocate; but don't worry about our liability; we can't pronounce the plaintiff's name.  

So, in retrospect, how did the United States do in policing all the new cyberish threats to the 2020 election? 

• Brian gives the government credit for preventing foreign interference. I question the whole narrative of foreign interference, which didn't have much effect in 2016 or 2020 (other than the hack and dump operation against the DNC) but did align conveniently with Democratic messaging in both years (Hillary only lost because of the Russians! Ignore Trump's corruption allegations because they're just more Russian interference!).
• Mark and I wonder what Silicon Valley thinks it's accomplishing with its extended bans on political advertising after the election.  After all, it's almost always election season somewhere (see, e.g., Georgia).
• DHS's CISA did produce a detailed rumor control site that helped correct misunderstandings -- but may have corrected one too many of the President's tweets.  In consequence, Under Secretary Chris Krebs, familiar to Cyberlaw Podcast listeners, may be on the chopping block. That would be a shame for DHS and CISA; for Chris it's probably a badge of honor. Frank Cilluffo and Mark Montgomery weigh in with praise for Chris as well.

And more.

Download the 338th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

An excerpt from my latest Washington Post article:

The report of the Homeland Security Advisory Council will be posted here under Recommendations. The Cyberspace Solarium paper is here.

This episode's interview with Dr. Peter Pry of the EMP Commission raises an awkward question: Is it possible that North Korea already has enough nuclear weapons to cause the deaths of hundreds of millions of Americans -- by permanently frying our electrical infrastructure with a single high-altitude blast?  And if he doesn't, could the sun accomplish pretty much the same thing?  The common factor in both scenarios is EMP – electro-magnetic pulse. We explore the problem in detail, from the capabilities of adversaries to the controversy that has pitted Dr. Pry and the EMP Commission against the power industry and the Energy Department, which are decidedly more confident that the US would withstand a major EMP event. And, for those disinclined to trust those sources, Dr. Pry offers a few tips on how to make it more likely that your systems will survive an EMP.

In the news, the election turned out not to be hacked, not to be violence-plagued, and not to be the subject of serious disinformation. That didn't stop Twitter and YouTube from overreacting when a leftie hate-object, Steve Bannon, used hyperbole ("heads on pikes") to express his unhappiness with Dr. Fauci. Really, Twitter's Trust and Safety operation is so blinkered it can't be fixed and should be nuked from orbit.  Oh, wait, there goes my Twitter account and my YouTube career!

In legal tech news, Michael Weiner explains what's at stake in the Justice Department's antitrust lawsuit challenging Visa's $5.3 billion acquisition of Plaid. I wonder if that means the Department is out of antitrust-litigating ammo.  And it might be, except that you can buy a lot of ammo with $1 billion worth of Silk Road bitcoins, now being claimed by the US. Sultan Meghji says the real question is why it took the U.S. so long to lay claim to the coins.

 Just when private companies have come up with plans to comply with California's privacy law, the voters there change everything.  Well, maybe not everything.  It looks, Dan Podair suggests, as though compliance with the new CPRA will mostly involve complying with the old CCPA plus a whole bunch more. Meanwhile, I'm fascinated by the idea that California initiatives can say, "Oh, and by the way, this law can only be amended to make it more demanding." 

 We bring Michael back to the conversation to brief us on the FTC's plan to launch an antitrust case against Facebook using its own administrative law judges to hear the evidence. Michael admits that some might call that a kangaroo court; I suggest that LabMD's Mike Dougherty be called as an expert witness.

 Sultan and I note the ongoing failure of media and rights groups to successfully toxify facial recognition technology; now it's been used to identify a "mostly peaceful" protestor who allegedly took a break from peacefulness to punch a cop.  And it's hard to argue with using face recognition when it confirms a picture ID the suspect left behind in Lafayette Square. 

 Next, Sultan and I take on Toxification II, the campaign to make people believe that racist artificial Intelligence is a thing. Poorly trained AI is definitely a thing, Sultan argues, but that doesn't make for the same kind of story.

 Charles Helleputte analyzes the latest rumor that the EU is planning to prohibit end-to-end crypto. He notes that the EU is also pursuing more infrastructure security and wonders whether the two initiatives can be sustained together.

It turns out that other people on Zoom can, in theory and under the right conditions, guess what you're typing.  It's one more reason to be careful about webcams and security. I make the sort of cheap Jeffrey Toobin joke you've come to expect from me.

 And more.

Download the 337th Episode (mp3)

Music by Weissman Sound Design. You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Our interview this week is a deep dive into the mess created by the EU Court of Justice in Schrems II – and some pretty good ideas for how companies might avoid the mess, courtesy of a U.S. Government white paper. I interview Brad Wiegmann, Senior Counselor for the National Security Division at the US Department of Justice about the white paper. We cover a host of arguments and new facts that may help companies navigate the wreckage of Privacy Shield and preserve the standard corporate clauses they’ve relied on for transAtlantic data transfers. And, yes, the phrase “hypocritical European imperialism” does cross my lips.

In the news, we can’t let election eve pass without a look at all the election security threats and countermeasures now being deployed.  I argue that the election security threat is the second coming of Y2K – a threat that is almost certainly an overhyped bogeyman, but one we can’t afford to ignore.  Jamil Jaffer and Pete Jeydel push back. Silicon Valley’s effort to ensure that no one questions the legitimacy of a Biden victory also comes in for some criticism on my end – and is defended by Nate Jones. My nomination for Flakiest Silicon Valley Election Security Techno-nostrum is the banning of post-election political ads. That just guarantees that speech about the election will default to the biggest “organic” voices on the internet and to the speech police at each platform. Or was that the intent?

Confused about all the TikTok and WeChat litigation? It's pretty simple, really: the US hasn’t won a single case, and it’s gone down hard in three separate opinions, the latest by US District Judge Beetlestone of Philadelphia. This could be Trump Derangement at work, but the fact is that the Chinese platforms have a plausible argument that Congress prohibited the use of IEEPA to "indirectly regulate" distribution of speech. Banning a social platform might seem to fit within that prohibition, but the result is crazy: it implies that TikTok could replay all the Russian election interference memes from 2016, and the government would be helpless to stop it. On appeal, we may see the courts taking a broader view of the equities. Or they may be tempted to say, “Well, Congress screwed this up, let Congress unscrew it.” 

Nate and I try to sum up what we learned from the social media speech suppression hearing on the Hill. Nate sees no common ground emerging despite wide unhappiness with Silicon Valley’s role in regulating speech. I am more optimistic that a Congress looking to make progress could agree on first steps toward transparency practices on the platforms. The companies themselves seem to have decided that this is table stakes as they strive to avoid worse. 

Nate gives us a quick view of the platform speech debate in Europe.  My summary: Silicon Valley is already incentivized by EU law to oversuppress; now they’re asking for immunity when they oversuppress, which means, of course, even more suppression. 

In quick hits, Pete talks about the ransomware threat to US health care. Nate explains the tensions between law enforcement and intelligence in Canada. And Pete tells us why fertility clinics are the latest national security concern for CFIUS. 

And more!

Download the 336th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.