We begin this episode with Michael Ellis taking a close look at the U.S. government's takedown of the REvil ransomware gang. It's a good story for the good guys, as REvil seems to have been brought down by the same tool it used against so many of its victims – malware that lingered in the backup data needed to restore the network. I note that this seems to be a continuation of efforts that were interrupted in the early summer – amid criticism that the FBI had prioritized its planned takedown over giving victims the decryption key. Now that the takedown has happened, it looks like the FBI is getting the last laugh.
The U.S. is trying . Michael thinks that the effort to hold Putin responsible for stopping Russian ransomware gangs is set back by recent statements in which the Pentagon raised doubts about whether Putin actually has the ability to stop the attacks.
One technology where Russia does have more capability than expected is, naturally, its ability to censor and suppress criticism, both on domestic and Western platforms. David Kris discusses the kinds of hostages Russia has learned to take, and its success in bringing Western social media to heel.
The U.S. Commerce Department has released a complex new rule for the export of network intrusion tools. Meredith Rathbone, from Steptoe's trade regulation practice, boils the rule down to a few soundbites. The short version? Commerce has done a pretty good job of protecting legitimate distributors of intrusion software, but even the good guys are going to have to save a lot more receipts.
Michael and Paul Rosenzweig reprise the latest news about content moderation, particularly Twitter's own study showing that its algorithms amplify conservative content more than left-wing content. That raises the question whether right-leaning commentary and news is more popular because more people want it. If so, the employees at Facebook are determined to keep it from them; recent leaks show aggressive internal efforts to squash Breitbart's reach on the platform.
David and I unpack Ian Bremmer's Foreign Affairs article on "How Big Tech Will Reshape the Global Order." David sees more in the piece than I do.
Paul and Michael kick off a discussion of US negotiations with the EU over transatlantic data flows. But in no time, all four of us join in. We offer some solutions, and plenty of criticism for the EU. (Okay, maybe "the continent that invented hypocrisy" was a little harsh.)
David notes that NSA is pursuing more collaboration with the private sector. How well that will work out is still TBD, we agree.
In quick hits and updates:
Download the 380th Episode (mp3)
You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!
The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.
Posted at 05:55 PM
Fresh from his launch of the Alperovitch Institute for Cybersecurity Studies, Dmitri Alperovitch kicks off this episode with a hopeful take on the 31-nation US-sponsored videoconference devoted to combatting ransomware. He and Nate Jones both think a coordinated international effort could pay off. I challenge Dmitri to identify one new initiative that this group could enforce, and he rises to the occasion.
Dmitri also previews one of the proposals for regulating Silicon Valley that might yet make it through Congress – a ban on "self-preferencing" by platforms that sell both their own and other people's products. It's all eerily similar to China's even more aggressive use of antitrust remedies against companies like meal delivery giant Meituan.
Tatyana Bolton, meanwhile, identifies a second front in the attack on Big Tech – regulation of algorithms. This leads us into a discussion of freedom of speech versus "freedom of reach" and a WSJ story on the weaknesses of Facebook's AI system for downrating (but only occasionally deleting) "hate speech." I argue that social media will ultimately rely even more heavily on AI-administered restrictions on user reach, if only as a way to make sure the victims of Silicon Valley censorship never realize how much their voices are being squelched.
Microsoft has given up its ambitions for LinkedIn's China operations, Dmitri notes, dropping the social media elements of the service and moving it closer to straight job listings. I argue that the retreat was overdetermined by the Chinese government's extraction of both financial and political concessions from Microsoft.
But if China is slowly poisoning its high-tech sector, why does a former Pentagon official think the U.S. has lost the AI race to China? Nate and I are cautiously skeptical of that view, not least because of the official's, uh, provenance.
In more news about Chinese regulation, it turns out that the Chinese ban on crypto-mining didn't quite reach the crypto miners using state resources.
Tatyana and I dig into WhatsApp's somewhat limited adoption of encrypted backups, and the policy's likely impact on law enforcement and criminals. Later, I also nod to the critique of "client-side scanning" (i.e., Apple's child porn solution) offered by All the Usual Cryptographers.
In comic relief, the governor of Missouri embarrasses himself by threatening criminal prosecution after a state website's security flaws are exposed by a reporter who seems to have done all the right things from a responsible disclosure point of view.
In other quick hits,
Download the 379th Episode (mp3)
Posted at 05:11 PM
I'm always looking for ways to talk about cyberpolicy without being a bore about it. Twenty-page think tank papers have their place, and I once wrote a book with over a thousand footnotes, but I started podcasting to make cyberpolicy a little more accessible.
Now I'm trying something that I hope will be even more fun – occasional cartoons. I was a big comic book fan in my youth, and in college I drew and published a few underground comix, so sooner or later it was inevitable that I'd return to the form as a way to talk about law and policy. I couldn't draw in college and I still can't, but the Federalist Society's Regulatory Transparency Project (which takes no positions on particular legal and public policy matters) has kindly agreed to an experiment in turning my ideas into comic form. The experiment will last as long as the Project's patience and my enthusiasm do. In the meantime, I hope you enjoy them.
Here's the first, a commentary on Europe's data protection policy and just how neatly the European and Chinese penchants for discretionary punishments coincide.
Posted at 05:21 PM
The theme of this episode is the surge of creativity in the Biden administration as it searches for ways to regulate cybersecurity and cryptocurrency without new legislative authority. Paul Rosenzweig lays out the Department of Homeland Security's entries in the creativity sweepstakes: New (and frankly pretty modest) cybersecurity directives to the rail and air industry plus a much more detailed (and potentially problematic) set of requirements for pipeline companies. Matthew Heiman describes a Justice Department plan for enforcing cybersecurity rules for federal contractors that should chill the hearts of management: an initiative that raises the prospect of whistleblower suits under the False Claims Act for failure to disclose breaches to the government. I suggest that this means the notoriously short tenure of the Chief Information Security Officer (CISO) at large companies will now come with a built-in retirement compensation package.
Creativity in regulating cryptocurrency was signaled both by the White House, which is working on a broader and more coordinated regulatory approach and by the Justice Department, which is planning a major criminal investigative approach to the industry. Nick Weaver gives us the details.
Paul covers a remarkably creative assertion by the Committee on Foreign Investment in the United States (CFIUS) of jurisdiction over a Chinese firm's purchase of Magnachip, a semiconductor company with virtually no ties to the United States. Despite having no obvious skin in the game, CFIUS insisted on a CFIUS filing under President Trump and then vetoed the deal under President Biden. I suggest that the claim of extraterritorial jurisdiction, which in other circumstances might have annoyed South Korea, is in this case a good way for South Korea to avoid taking heat from China.
Paul explains why the Facebook outage was a much bigger deal than Americans realized. If you were living in Costa Rica, the loss of Facebook and WhatsApp, he says, could have greatly complicated every aspect of daily life, including calling the fire department or other emergency services.
Paul digs into the return of "hacktivism" – not to mention the return of skepticism about hacktivism. I marshal the evidence that the Pandora Papers were the result of hacks, not leaks – and roast the newspapers feasting on the data for their utter hypocrisy. Hey, Marty Baron, top editor at the Washington Post! We haven't forgotten that in reaction to the Democratic National Committee (DNC) leaks of 2016, you said
"Before reporting on the release of hacked or leaked information, there should be a conversation with senior editors about the newsworthiness of the information, its authenticity and whether we can determine its provenance... If a decision is made to publish a story about hacked or leaked information, our coverage should emphasize what we know—or don't know—about the source of the information and how that may fit into a foreign or domestic influence operation. Our stories should prominently explain what we know about the full context of the information we are presenting, including its origins and the motivations of the source, including whether it appears to be an effort to distract from another development."
We're still looking for that "full context" in the Pandora Papers or the Epik leaks.
Nick fills us in on Facebook's extreme reaction to the creation of a tool that allows users to escape the News Feed. I discover that I completely missed the central Facebook experience because I semi-inadvertently disabled the news feed.
Paul offers some surprising news about the limits of Artificial Intelligence (AI). Turns out, it's not that good even at some of the things it should be superb at, like radiology scanning.
Nick and I explore Google's acceptance of warrants seeking access to the identities of people using particular search terms. He thinks that this has gone on under the radar for some time because both government and Google think the public reaction will be bad for business.
Finally, in two quick hits:
And More!
Download the 378th Episode (mp3)
Posted at 09:08 PM
Industrial policy is all the rage in Washington, spurred by China's aggressive and sometimes successful use of industrial policy tools. I've lived through a few past enthusiasms for industrial policy, and I'm hoping this time we've learned lessons from the past. That at least is the premise of my op-ed today in The Hill. Here's the lead:
At the start, we should recognize that letting governments pick economic winners and losers is wasteful, inefficient and corrupting. For the West, and open capital-market economies such as the U.S. and the UK, it’s hard to think of a worse policy — other than the alternative, which is to let China pick winners and losers for the world.
So, we need a way to counter China without making a politicized mess of everyone’s economy. As they embark on that effort, here are six rules I’d commend to Western governments.
Posted at 02:23 PM
This is the meatiest episode in a long time, as Dmitri Alperovitch, Dave Aitel, and Mark MacCarthy go deep on the substance of a dozen stories or more.
First up, Dmitri and I speculate on possible outcomes from the newly announced administration plan to convene 30 countries to crack down on ransomware. We also report on what may be the first confirmed death resulting from the equipment failures caused by ransomware – a newborn strangled by its umbilical cord because the hospital's usual electronic warnings weren't operating.
Dmitri also explains a new cryptocurrency regulatory topic unrelated to its use in ransomware schemes – the move to ensure the financial stability of stablecoins.
Dave weighs in on two surprising provisions of the House intel authorization bill. The first would respond to the Project Raven incident by imposing new controls on ex-spies working for foreign governments. No one is against the idea, but no one thinks that the problem is limited to alumni of a few intelligence agencies. And the bill’s sweep is far broader than cases like Project Raven. I fear that as written it may criminalize ex-spies giving security advice to Airbus, or perhaps even the Atlantic Council.
The second provision requires reports on U.S. government purchases of computer vulnerabilities from foreign vendors. This leads to a discussion of which nation has the best offensive talent. Dave thinks the old champ has been decisively dethroned.
In other legislative news, Dmitri covers the three committee drafts on cyber incident reporting, with special emphasis on the recently leaked bill from Senate Intel. It’s a very tough bill, perhaps designed to stake out negotiating room with the Homeland committees. I ask, “What’s the difference between Europe’s staggering fines for General Data Protection Regulation (GDPR) violations and this bill's fines for violating cyber reporting obligations?” The answer: "about two weeks," at which point the maximum fine due to the U.S. will exceed the top European fine.
Mark gives an overview and some prognostication about Google’s effort to overturn the EU’s $5 billion antitrust fine for its handling of Android.
Dmitri and I find ourselves forced to face up to the growing soft power of Russia and China, now increasingly forcing Silicon Valley companies to project Russian and Chinese power into the West. Russia, having forced Apple and Google to send it hostages in the form of local employees, is trying to use its leverage to control what those companies do in countries like Germany. And Linkedin, the last Western social media company still standing in China, is trying to keep that status by asking Americans to self-censor their accounts.
At Dave’s request, we visit a story we missed last week and explore all the complex equities at work when the FBI decides whether to use ransomware keys for remediation or disruption.
Mark gives an overview of the new Federal Trade Commission, where regulatory ambition is high but practical authority weak, at least until the Senate confirms a third Democratic commissioner. Waiting in the wings for that event are even more antitrust action, possible new online privacy rules and Commissioner Slaughter’s enthusiasm for imposing racial equity quotas under the guise of algorithmic fairness.
Dmitri offers his best guess about the recent Russian arrest of a cybersecurity executive for treason (that’s the second in five years if you’re counting) and the US decision to send a Russian scammer back to Russia after bitterly fighting to extradite him from Israel.
In quick hits:
Dmitri makes a public service announcement about the ways that Two-Factor Authentication (2FA) can be subverted.
I celebrate some good news for the U.S.: China is planning to encourage provincial controls on the design and use of social media algorithms. That’s bound to give US companies a new competitive advantage in a field where TikTok has surpassed them.
Dave and I dissect the guilty plea of former Ethereum developer Virgil Griffith, accused of violating U.S. sanctions by giving a bland speech on cryptocurrency in North Korea.
I give the highlights of two new and eminently contestable cyberlaw rulings:
In U.S. v Wilson, the Ninth Circuit decided that law enforcement needs a warrant to open files that it knows from hashes are 99.9% certain to be child porn. The decision would be unfortunate if it weren’t meaningless; the hash itself provides probable cause, so warrants will be quickly and routinely issued. Thanks for the make-work, EFF!
And a magistrate judge clearly gunning for promotion has written a Stored Communications Act opinion that empowers Silicon Valley’s Trust and Safety operatives to de-platform people and then turn their posts over to law enforcement without the subpoena they usually demand. I would worry more about those consequences if I thought the opinion would survive.
And, finally, Dmitri is pleased to find one field where AI is succeeding without controversy, as machine learning declares a famous Peter Paul Rubens painting, Samson and Delilah, to be a fake. But how long, I wonder, before this AI is forced by the FTC to correct its notorious anti-Flemish bias?
And More!
Download the 377th Episode (mp3)
Posted at 06:00 AM