Skating on Stilts

Federal district judge Robert Pitman has enjoined enforcement of Texas's law regulating social media censorship.  In this episode, the ruling sparks a fight between me and Nate Jones that ranges from how much weight should be given to  the speech rights of social media to the Kyle Rittenhouse verdict imposed by Facebook when it decided he was guilty and wouldn't let anyone disagree. On the merits, as before, we agreed that the Obama appointee was on pretty solid ground (for now) in applying the Tornillo line of cases saying that government should not directly regulate the editorial judgments of publishers. But the judge's ruling on the transparency and due process requirements of the law suggests to me that he wasn't prepared to give the law a fair shake. So look for a competitive appeal on the topic and quite possibly a more than competitive certiorari petition as well. By the time we stop beating this horse, he's long past any possible right of self-defense.

Megan Stifel has an easier task: Explaining cybersecurity recommendations for rail and other surface transportation companies. The advice is mostly the kind of simple concepts that could have been offered in the 90s, so we both puzzle over the fierce resistance from industry. Maybe it's the 24-hour requirement to notify TSA of cyber incidents, though I suggest reasons why industry shouldn't be as worried by this requirement as by a similar deadline for data breach notifications.

Nate and I explore proposals from the Biden administration to muster a group of like-minded countries in a campaign to curb sales of surveillance gear to authoritarian regimes. No doubt the initiative was reinforced by news that U.S. State Department phones were recently hacked with spyware from Israel. But I think the whole project fails for a simple reason: authoritarian governments can buy all the surveillance gear they need from China, which is happy to sell it. In the absence of credible enforcement, an international effort to condemn such sales is empty virtue signaling.

I mock an eminently mockable story from the Markup claiming that the PredPol crime prediction software is racist because it urges the police to patrol more poor black neighborhoods than rich white ones without asking whether that's where crime might be concentrated. Then, when the authors finally notice the overlap between neighborhoods with lots of arrests and neighborhoods recommended for heavy patrolling, they suddenly claim that the prediction software must be useless because the same results could be reached without the software.

Speaking of stupid, Megan explains how a "smart contract" turned out to be anything but, allowing hackers to steal $31 million in digital coin. I wonder exactly how much the hacker's feat differs from really good lawyering.

Nate and I look at how well Russia is doing in bringing Twitter to heel with a mobile slowdown. Twitter hasn't broken yet, but it's clear that the authoritarians of the world are slowly winning their battle with Silicon Valley.

Megan tells us about a cybersecurity professional at Ubiquiti who decided to stop riding with the hounds and to ride instead with the fox.  Bad choice; we know how fox hunts usually end for the fox, and this story is no exception.

In updates, I remind listeners of the elaborate gas-lighting effort by Jeff Bezos when he tried to blame the Saudis and the National Enquirer for his brother-in-law's leak of text messages that were deeply embarrassing for the CEO. All the hacking and extortion investigations that Bezos managed to trump up are over now, and the verdict is in: The Saudis didn't do it.

Finally, Megan and I note a Wall Street Journal article on how tough it is to be a spy in a world of smartphones, biometrics, and universal surveillance cameras. Our reaction: Yup.

Download the 386th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

My fourth effort at cartoon cyber commentary grows out of an endless project I'm doing on AI bias -- and the biases of the people who keep doing stories and studies about it. Many thanks to the free Clipart Library for some of the art and to ComicLife software for the parts that look good. (And if you think I should have found a way to get rid of the checkerboard background, you're right.)

Among the many problems surfaced by the current social media enthusiasm for deplatforming is this question: What do you do with all the data generated by people you deplatformed? Facebook's answer, as you'd expect, is that Facebook can do what it wants with the data, which mostly means deleting it. Even if it's evidence of a crime?  Yes, says the platform, unless law enforcement asks us to save it. The legal fight over a deplatformed group that defended historical statues (and may have shot someone in the process) will tell us something about the law of deplatformed data -- as will the fight over The Gambia's effort to recover evidence of deplatformed human rights abuses. In the end, though, we need a law on this question. Because, given their track record in content moderation, leaving the question to the discretion of social media will translate into the platforms' only preserving evidence that hurts people they hate.

Tired: Data breach reporting. Wired: Cyber incident reporting. The unanimous view of our panelists, Paul Rosenzweig  and Dmitri Alperovitch, is that cyber policy has shifted from mandatory reporting of personal data breaches to mandatory reporting of serious cyber intrusions no matter what data is compromised.  The latest example is the financial regulators' adoption of a rule requiring banks and similar institutions to report major cyber incidents within 36 hours of determination that one has occurred. But who will make that determination and with what certainty? Dmitri's money is on the lawyers. I don't disagree, but I think there's a great ER-style drama in the process: "OK, I'm going to call it.  No point in trying to keep this alive any longer. Time of determination is 2:07 pm."

Our interview segment is back after a long absence. David "moose" Wolpoff and Dan MacDonnell of Randori explain the consternation over their startup's use of a serious vulnerability to conduct realistic penetration tests of buttoned-up networks instead of reporting the vuln right away to the software provider. They argue that the value of zero-days for pentesting is great and the risk of harm from holding them is low, if they're handled responsibly. In fact, the debate sounds a lot like the arguments around the table at a government Vulnerability Equities Process ("VEP") meeting.  And that makes me wonder whether the people pushing for a stricter VEP have any idea at all what they're talking about.

Dmitri lays out the surprising complexity and sophistication of the Iranian attempt to influence the 2020 election. I'm less convinced. The Iranian effort failed, after all, and it resulted in the hackers' indictment. Hard to be impressed by failure.

I dig into a recent brief by Hikvision claiming that the FCC lacks authority to bar sales of its products in the US. I'm only half convinced by the legal claim, but I am sure of this: The Hikvision argument has created an opportunity for some enterprising politician to sponsor quick, uncontroversial legislation clearly giving the FCC the authority that Hikvision says it doesn't have.

Dmitri explains the latest advance of the hardware hack known as Rowhammer. It may not be deployed routinely even now, he says, but the exploit makes clear that we will never entirely secure our cyber infrastructure.

Paul and I agree that it's perfectly legal for government to buy advertising data that shows citizens' locations. And we more or less agree that some restraint on sales of location data – at least to the Russian and Chinese governments and maybe to anybody – are in order.

I offer muted and squeamish criticism of a Big Report claiming that child sexual abuse is exploding online. There's no doubt that it's a problem that deserves more legal and platform effort, but the authors did their cause no favors by combining kids exchanging nude selfies with truly loathsome material.

Dmitri and I perform a public service announcement about a scam that takes advantage of security habits that the banks have encouraged us to adopt. Zelle fraud is going to make us all regret those habits. Let's hope it also induces banks to use hardware tokens instead of text messages to verify our transactions.

Germany and Mandiant are at odds over attribution of the government that sponsored the Ghostwriter hacking gang. Germany, backed by the EU, says it's Russia. Mandiant says it's Belarus. Dmitri says "Never bet against Mandiant on attribution." I can't disagree.

Finally, Dmitri joins me in an appreciation of Alan Paller, who died last week. He was a major influence in cybersecurity,  and a role model for successful entrepreneurs who want to give back using their institution-creating skills.

Download the 384th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

My fourth effort at cartoon cyber commentary grows out of an endless project I'm doing on AI bias -- and the biases of the people who keep doing stories and studies about it. Many thanks to the free Clipart Library for some of the art and to ComicLife software for the parts that look good. (And if you think I should have found a way to get rid of the checkerboard background, you're right.)

Two major Senate committees have reached agreement on a cyber incident reporting mandate. And it looks like the big winners are the business lobbyists who got concessions from both committees. At least that’s my take. Dmitri Alperovitch  adds that the bill may still be in trouble because of Justice Department opposition. And Tatyana Bolton not unfairly credits the Cyber Solarium Commission for getting incident reporting this close to passage.  

Meanwhile, another piece of legislation, the Secure Equipment Act of 2021, has already been passed by Congress and signed by the President. It will lock a boatload of Chinese equipment out of U.S. markets. Dmitri explains why the FCC needed this additional authority.

Mark MacCarthy explicates the EU court ruling upholding a $2.8 billion award against Google for “self-preferencing” in shopping searches.

If you’re surprised by the Kyle Rittenhouse trial, and the strength of his self-defense claims, I argue, you can blame Facebook and Twitter, who astonishingly suppressed posts arguing that Rittenhouse had acted lawfully in self-defense. In a reverse John Adams moment, Twitter even suspended Rittenhouse’s defense counsel for defending him. And Facebook declared him guilty of a mass shooting and blocked even searches for his name.  I wouldn't call that content moderation; it's more like content mob-eration. And if you want more censorship of that sort, but this time in your podcast feed, well, no worries: the NYT is on it; the gray old lady is demanding to know why woke censorship hasn’t yet come to podcasts.

This has turned out to be a pretty good week for catching bad guys, Dmitri reports. REvil affiliates have been, arrested, indicted, and had some of their ill-gotten gains seized.

Mark unpacks yet another bipartisan tech regulation-cum-competition bill. This one aims to reduce platforms’ ability to foist "opaque algorithms" on their users. Tatyana notes that a lot of the bills trying to improve portability and competition are likely to raise cybersecurity concerns.

Dmitri and I aren’t impressed by the hoax email sent out in the FBI’s name from a poorly designed FBI website. As hacks go, it’s barely one step up from defacing the FBI’s website. I argue that the bureau ought to give the hacker a low four-figure bug bounty and call it a day, but Dmitri thinks the hacker will be on the FBI’s most wanted list for a while. I tend to agree; there is, after all, no greater crime than Knowingly Embarrassing the Bureau.

In quick hits:

• Mark gives us an overview of the states’ recently updated antitrust complaint against Alphabet's Google.
• Tatyana and Dmitri talk about the implications of the Commerce Department sending information requests to the world’s top chipmakers.
• Tatyana explains (as much as anyone can) Elon Musk’s decision to sell a bunch of Tesla stock because that’s what Elon Twitter wanted. We note that Elon promised the SEC he'd show his tweets to a lawyer in advance if they might move the market and wonder whether he actually found a lawyer who thought that tweet was a good idea.
• I do a quick victory lap for having suspected that Frances Haugen’s incoherent retreat from criticizing Facebook’s end-to-end encryption was forced on her by the Silicon Valley version of the Deep State. Thanks to Politico, we now know her European tour was run by a batch of lefty digerati who may hate Facebook, but not as much as they hate the FBI.
• And I mourn the fact that this week the U.S. government finally surrendered to Microsoft and joined the Paris Call for Trust and Security in Cyberspace.

Download the 383rd Episode (mp3)  

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

We're joined for this episode by Scott Shapiro, long-time listener and first-time panelist, not to mention our first philosopher. He breaks down the Biden administration sanctions against four offensive cyber firms, most notably the Israeli company, NSO. Imposing Commerce Department "entity list" sanctions on companies from friendly countries for human rights abuses is a departure from historical practice, and exactly how it will work out remains uncertain. The sanctions are not a death penalty for companies like NSO, we conclude, since U.S. companies can still buy their services even if they can't sell NSO anything more sophisticated than toilet paper. 

The Pentagon is a bastion of top-down cybersecurity regulation. In theory, that's what the Cybersecurity Maturity Model Certification program was all about – comprehensive and mandatory cybersecurity regulation for defense contractors. But as Nate Jones describes it, the Department of Defense's effort to actually put the regulations in place are a cautionary tale. Now the Pentagon has revamped and delayed its standards again. The new proposal may well be more workable and less bureaucratic than the last, but it also pushes the day of reckoning for contractors years into the future.

Jamil Jaffer thinks the good guys may have won another battle with ransomware gangs, but it's probably too soon to tell. On the heels of REvil claiming to be out of business, DarkMatter is making similar noises. But we won't really know until the gangs have gone quiet for more than a couple of months.

Decoupling is still proceeding apace. Yahoo surprises us all by announcing that it's pulling out of China. (Part of the surprise was that I'd forgotten they were still in.) Jamil and Nate note that GitHub is the last big Western web company left in China. And even for GitHub, the ice appears to be cracking under its feet. 

Scott takes us deep into jurisprudential philosophy as he covers the ACLU's threepeat loss in a case that argued for a first amendment right to read classified FISA court opinions. It may be a first for our podcast to reference Marbury v. Madison, and it's certainly a first to question whether it was correctly decided. Jamil also gives us a quick assessment of what Justice Gorsuch's willingness to take the case tells us about his future role in national security cases.

Nate and I give the backs of our hand to legislative proposals to expand from "Five Eyes" to Nine. I make the argument that we're really down to Three.

Clearview AI took a beating Down Under for breaching Australians' privacy law. Nate is short on sympathy. He thinks a more responsible set of actors might have prevented the toxification of face recognition.  I argue that the toxification came first, and the dearth of big respectable face recognition firms came later. As witness Facebook being driven from the market by a $650m award under the Illinois Biometric Privacy Act.

In quick hits:

• For old time's sake, Nate and I clash over lefty efforts to define a lack of enthusiasm for climate-based regulation as "digital hate;"
• Jamil and I offer qualified endorsements of the State Department's new cyber bureau;
• I namecheck podcast regular Paul Rosenzweig and others for a thoughtful report on Chinese platforms in the United States; and
• I see some good news for cybersecurity in the Cybersecurity and Infrastructure Security Agency's latest Binding Operational Directive mandating that federal agencies quickly patch vulnerabilities that we know are being exploited right now. The directive is addressed to federal agencies but aimed quite deliberately at private owners of critical infrastructure. Don't say you weren't warned!

Download the 382nd Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

For this edition of Cybertoonz, I thought I'd do the art myself. Which is how I discovered that, embarrassingly, I can't even draw stick figures as well as xkcd's Randall Munroe. Luckily, Munroe has authorized reproduction of his cartoons with credit, so I cheerfully admit that I've reproduced and then tweaked this brilliant xkcd cartoon.

In fact, that's the point.

In this episode, Dave Aitel and I dig into the new criminal law the House intelligence committee has proposed for workers at intelligence agencies. The proposal is driven by the bad decisions of three intel agency alumni who worked for the UAE under the sobriquet of Project Raven, doing phone hacking and other intrusions that the U.S. government would not have approved. Dave criticizes the broad language of the House provision, its assumption that hacking for the government teaches things you can’t learn in the private sector, and the use of criminal penalties where reporting obligations would suffice. Those interested in more details can download a podcast on the topic released by the Association of Former Intelligence Officers.

Maury Shenk and I explore the FCC’s decision to kick China Telecom off the U.S. telecommunications network. My view: this decision was overdetermined, a perfect storm of bad politics, poor decisions by China Telecom, and the fact that no American company has ever been licensed to do in China what China Telecom was allowed to spend 20 years doing in the United States.

We also dig into the proposal of a global regulatory alliance, the Financial Action Task Force (“FATF”), to impose some fairly strict requirements on cryptocurrency transactions.  A lot of companies are criticizing the proposal, but unlike five years ago, their advocacy has to contend with the rise of an entire ransomware industry that depends on cryptocurrency.

The EU, meanwhile, is struggling to implement sanctions for cyber-attacks. As usual, Europe is its own worst enemy, tied down by excessive politicization, weak intelligence collection made weaker by a lack of sharing, and aggressive judicial oversight.

Maury and I track down a tip about France trying to turn cloud security standards into a weapon for excluding U.S.-owned cloud providers. It wants the big cloud companies deemed insecure because they aren’t immune to U.S. legal process. But neither are the “big” European champions, since they too are almost certainly subject to U.S. jurisdiction. So not only will  the proposed standard leave EU buyers of cloud services stuck with providers whose market share is 2% on a good day, they still won’t be safe from the long arm of U.S. discovery. European data protection policy at its finest!

We briefly consider Facebook whistleblower Frances Haugen’s flirtation with criticizing Facebook for adopting end-to-end encryption (“e2e”). Once she discovered that criticizing e2e encryption is Not Acceptable Behavior, however, she retreated into a cloud of incomprehensibility.  I have captured the moment in my latest effort to turn cyber policy into cartoons.

Download the 381st Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.