Skating on Stilts

All of Washington is back from Christmas break, and suddenly the Biden Administration is showing a sharp departure from the Obama and Clinton years where regulation of Big Tech is concerned. Regulatory swagger is everywhere.

Treasury regulatory objections to Facebook’s cryptocurrency project have forced the Silicon Valley giant to  abandon the effort, Maury Shenk tells us, and the White House is initiating what looks like a major interagency effort to regulate cryptocurrency on national security grounds. The Federal Energy Regulatory Commission is getting serious (sort of) about monitoring the internal security of electric grid systems, Tatyana Bolton reveals. The White House and Environmental Protection Agency are launching a “sprint” to bring some basic cybersecurity to the nation’s water systems. SEC Chairman Gary Gensler is full of ideas for expanding the Security and Exchange Commission’s security requirements for brokers, public companies, and those who service the financial industry. And the Federal Trade Commission is entertaining a rulemaking petition that could profoundly affect companies now enjoying the gusher of online ad money generated by aggregating consumer data. And that's just this week.

In other news, Dave Aitel gives us a thoughtful assessment of why the log4j vulnerability isn’t creating as much bad news as we first expected. It’s a mildly encouraging story of increased competence and speed in remediation, combined with the complexity (and stealth) of serious attacks built on the flaw.

Dave also dives deep on the story of the Belarussian hacktivists (if that’s what they are) now trying to interfere with Putin’s threatened invasion of Ukraine. It’s hard to say whether they’ve actually succeeded in delaying trains carrying Russian tanks to the Belarussian-Ukrainian border, but this is one group that has consistently pulled off serious hacks over several years as they harass the Lukashenko regime.

In a blast from the past, Maury Shenk takes us back to 2011 and the Hewlett Packard (HP)-Autonomy deal, which was repudiated as tainted by fraud almost as soon as it was signed. Turns out, HP is getting a long-delayed vindication, as Autonomy’s founder and CEO is found liable for fraud and ordered extradited to the U.S. to face criminal charges. Both rulings are likely to be appealed, so we’ll probably still be following court proceedings over events from 2011 in 2025 or later.

Speaking of anachronistic court proceedings, the EU’s effort to punish Intel for abusing its dominant position in the chip market has long outlived Intel’s dominant position in the chip market, and we’re nowhere near done with the litigation. Intel won a big decision from the European general court, Maury tells us. he and I agree that it’s only the European courts that stand between Silicon Valley and a whole lot more European regulatory swagger.

Finally, Dave brings us up to date on a New York Times story about how Israel used NSO’s hacking capabilities in a campaign to break out of years of diplomatic isolation.

Download the 392nd Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

That’s the question I had after reading Law and Policy for the Quantum Age, by Chris Hoofnagle and Simson Garfinkel. It’s a gracefully written and deeply informative look at the commercial and policy prospects of quantum computing and several other (often more promising) quantum technologies, including sensing, communications, and networking. And it left me with the question that heads this post. So, I invited Chris Hoofnagle to an interview and came away thinking the answer may be “close to half – and for sure all the quantum projects grounded in fear and envy of the National Security Agency.” My exchange with Chris makes for a bracing and fast-paced half hour of futurology and policy and is not to be missed. Neither is the book.

Also not to be missed: Conservative Catfight II – Now With More Cats. That’s right, Jamil Jaffer and I reprise our past debate over Big Tech regulation, this time focusing on S.2992, the American Innovation and Choice Online Act, just voted out of the Senate Judiciary committee with a bipartisan set of supporters and detractors. In essence, the bill would impose special “no self-preferencing” obligations on really large platforms. Jamil, joined by Gus Hurwitz, thinks this is heavy handed government penalization of a few unpopular companies and completely unmoored from any harm to consumers. Jordan Schneider weighs in to point out that it is almost exactly the solution chosen by the Chinese government in its most recent policy shift. I argue that platforms are usually procompetitive when they start but inherently open to a host of subtle abuses once entrenched, so only a specially crafted regime will keep a handful of companies from amassing enormous economic and political power.

Doubling down on controversy, I ask Nate Jones to explain Glenn Greenwald’s objections to the subpoena practices of Congress’s  Jan. 6 Committee. I think the committee’s legal arguments boil down to “When Congress wrote the rules for government, it clearly didn’t intend for the rules to apply to Congress.” And Greenwald is right in arguing that the Supreme Court in the 1950s treated Communists better than the January 6 committee is treating anyone even tangentially tied to the attack on the Capitol.

Nate and I try to figure out what Forbes was smoking when it tried to gin up a scandal from a standard set of metadata subpoenas sent to WhatsApp. Whatever it was, Forbes will need plenty of liquids and a few hours in a dark quiet room to recover.

In quick hits, Gus explains what it means that the Biden administration is rewriting the DOJ/FTC merger guidelines: essentially, the more the administration tries to make them mean, the less deference they’ll get in court. And Jordan and I puzzle over the emphasis on small and medium business in China’s latest five-year plan for the digital economy.

Download the 391st Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Just one week of antitrust litigation news shows how much legal turbulence Facebook and Google are facing. Michael Weiner gives us a remarkably compact summary of those issues, from the deeply historical (Facebook's purchase of Instagram) to the cutting edge of tech (complaints about Oculus self-preferencing). In all, he brings us current on two state AG case, two FTC cases, and one DOJ case against the twin giants of surveillance advertising.

Speaking of litigation, no major new technology has been greeted with more litigation in its infancy than face recognition. So this week we do a long interview with Hoan Ton-That, the CEO of what must be the most controversial tech startup in decades, Clearview AI. We probe deeply into face recognition's reputation for race and gender bias, and what the company is doing about it. Hoan offers a clear rebuttal to misconceptions about the technology; he is clearly taking the controversy in stride and confident that the technology will overcome efforts to turn it toxic. Meanwhile, I note, the debate is clearing out what would have been formidable competition from the likes of Microsoft, Amazon, and IBM.  If you think face recognition should be banned as racist, sexist, and inaccurate, this interview is worth a listen; it will make you think.

Meanwhile, David Kris notes, rumors of war are rampant on the Russian-Ukrainian border – and in cyberspace. So far, it's a bit of a phony cyberwar, featuring web defacing and dormant file wipers. But it could blow up at any time, and we may be surprised how much damage can be done with a keyboard.

Speaking of damage done with a keyboard, open source software is showing what can be done without even trying (although at least one developer has in fact been trying pretty hard). Nick Weaver and I dig into Log4j and other messes, and evaluate the White House effort to head off future open source debacles.

David is in charge of good news this week. It looks as though Russia has arrested a bunch of REvil coconspirators, including one person that the White House holds responsible for the Colonial Pipeline attack. It's surely not a coincidence that this hint of cooperation from Vladimir Putin comes when he'd very much like to have leverage with the Biden administration over Ukraine.

The EU is now firmly committed to cutting itself off from a host of technologies that are offered, often for free, by Silicon Valley. Google Analytics is out, according to Austrian authorities, because it sends pseudonymized data to the U.S. Ironically, this means that the European Parliament has been violating European law. Nick reminds us that Analytics and the Like button aren't all that could be cut off by this interpretation. Google Translate apparently also depends on transatlantic data flows and could become unavailable in Europe. I offer an incendiary solution to that problem.

End-to-end secure messaging is still under attack, but this week it's European governments, not the FBI, that are taking the shots. The UK government is planning an ad campaign against end-to-end encryption, and Germany is growling about shutting down Telegram for allowing hate speech. Nick issues a heartfelt complaint about the disingenuity of both sides in the crypto debate.

Speaking of Germans who can't live up to their reputation for protecting privacy, Nick notes that German police did exactly what Gapple feared, using a coronavirus contact-tracing app to find potential witnesses to an event unrelated to covid-19.

Meanwhile, in another bit of good news, Twitter gets a suitable reward for the woke colonialism that led it to suspend Nigeria's president from the service for threatening secessionists with war. Instead of the secessionists, President Buhari went to war with Twitter, saying, in effect, "You can't suspend me, I'm suspending you."  Twitter has now unconditionally surrendered to the Nigerian government.

Finally, I claim kinship with Joe Rogan as one of the podcasters that left-leaning NGOs and academics hope to censor. My plan is to create a joint defense fund to which Joe and I will each contribute 1% of our podcasting revenues.

Download the 390th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

When it comes to spurring remediation of the log4j bug, the FTC's other foot, I argue, is lodged firmly in its mouth.  It has published what can only be described as a regulatory blog post, reminding everyone of the $700 million in fines imposed on Equifax and threatening "to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j." Tatyana Bolton defends the agency from a charge of heavy-handedness, arguing that this is the best way to get companies to patch quickly and that only "reasonable steps" are required. I think we'll hear "we only asked for reasonable steps" a lot from the FTC, now that it turns out that fixing the Log4j mess is going to require a lot more than regulatory muscle flexing. I also argue that the FTC's tough-guy pose is just that; when talking about the open source maintainers who actually have to generate many of the patches, the FTC doesn't threaten them with its "full legal authority." Instead, it acknowledges that open source coders "don't always have adequate resources and personnel," something the FTC "will consider as we work to address the root issues that endanger user security." Hmm, maybe Equifax should have pleaded inadequate resources and saved itself $700 million.

Speaking of fallible regulators, Glenn Gerstell gives us a tour of China's tech regulatory landscape, and the remarkable decline it has caused in the fortunes of consumer tech firms there, something the NYT covered in detail last week. Is that good news for Silicon Valley or for US competitiveness? Sadly, probably not, I conclude.

Mark MacCarthy explains why a proposal to combine cryptocurrency with Signal is causing angst among Signal's supporters, who fear an expansion of the end-to-end encrypted service's "regulatory attack surface."

Glenn covers the latest story about security risks and telecom gear from China. 

Mark and I dig into the growing enthusiasm for regulating big Silicon Valley companies as gatekeepers.  The Germans are about to apply that approach to Google. And the South Koreans are doing the same to Apple and its app store payment policies. 

Tatyana notes the press coverage about possible tensions between two talented and strong cybersecurity officials in the White House: Anne Neuberger and Chris Inglis. I put Glenn on the spot about claims that Anne has "a particular tendency to clash with lawyers." That would only make me love her more, but to my regret, Glenn (who, as NSA's top lawyer, worked with her for years) absolves her of the charge.

Mark and I handicap the probability that the plaintiff will succeed in a highly charged lawsuit against Facebook/Meta for bringing together the boogaloo conspirators who killed a federal protective officer. It's a long shot, but if "negligent design" turns out to create liability for software and algorithms, Signal will have an even greater attack surface than its fans are now worried about.

Glenn explains the charges brought in China against Walmart for breaches of cybersecurity laws (hint: it's mostly not breaches of cybersecurity laws). Speaking of surprises that aren't surprises, Glenn also covers the announcement by Lloyd's of London that cyber insurance won't cover cyber-attacks attributable to nation-states. 

Finally, I devote a few minutes to a rant about the Justice Department's decision to expand charges against Joe Sullivan, Uber's former CISO, for his role in paying "bug bounties" to hackers who looked more like crooks than bounty hunters when they compromised a bunch of Uber records. More than a year after charging Sullivan with obstruction of justice for using the "bug bounty" justification to keep the whole thing quiet, Justice piled on new charges of wire fraud for more or less the same thing. Glenn and I both question the decision to do this without any new facts to base the new charges on. And I point out the logical consequence of telling breach responders that they could face wire fraud charges if they decide not to disclose the breach (or maybe delay notice too long). The new Justice tack will (or should be) fatal to the FBI's desire to be called in to assist and observe while companies are dealing with breaches.  If  there's even a small risk that a decision to delay or withhold notice could lead to a criminal investigation, why would any GC want to have an FBI agent sitting in the room while the decision is being made?

Download the 389th Episode (mp3)  

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Among the good things about coming back from Christmas break are all the deep analyses that news outlets save up to publish over the holidays – especially those they can report from countries where celebrating Christmas isn’t that big a deal. At least that’s how I account for the recent flood of deep media dives on China technology issues. Megan Stifel takes us through a few. The first is a Washington Post article on China taking the tools it uses for measuring online dissent and focusing them on the rest of the world. The second is a New York Times article that tells us how the Chinese government takes the next step -- using its tools for suppressing internal dissent on the rest of the world when it says things China doesn’t like. Utterly unsurprising, to me at least, is how social media companies like Twitter have turned out to be hapless enablers of China’s speech police. Later in the podcast, Megan covers another story in the same vein – the growing global unease about China’s success in building Logink, a global logistics and shipping database.

Scott Shapiro and Nick Weaver walk us through the conviction of a Harvard professor for lying about his China ties. It may be too cynical to say that the Justice Department wanted Professor Charles Lieber especially badly because he’s not Asian, but there’s no doubt he’ll be Exhibit A when it defends the China Initiative against claims of ethnic profiling.

Megan takes us through another great story of hack-enabled insider trading, helicopters to Zermatt, and dueling extraditions; as the piece de resistance, NYT hints we may learn more about Russian interference with the 2016 presidential election. 

Scott explains how Apple AirTags are being used to track people. Nick gives us a feel for just how hard it is to separate good from bad in designing Air Tags. I suggest that this is a problem we could leave to the plaintiffs’ lawyers.

Nick lays out the economics of hacking as a service and introduces us to yet another company in that business – Cytrox. No one seems to last long in the business without changing their name. Nick and I explore the reasons for that, and the possibility that soon the teams that work for these companies will also move on every year or two.

Nick explains why bitcoin isn’t always a cybercriminal’s best friend. It turns out that cryptography isn’t proof against rubber hose cryptanalysis, or maybe even plea bargaining.

Drawing from my research for an article about why bias in face recognition has been overblown, I note that Canada, France, and the entire Western world is imposing sanctions on Clearview AI for privacy violations, but Clearview AI is the only U.S. company doing as good or better at face recognition than Chinese and Russian suppliers.  I argue that’s because a dubious racial bias narrative has forced IBM, Amazon, Microsoft, and Meta to retreat from the market, leaving us at the mercy of Russian and Chinese tech.

Megan explains why financial regulators and not the FBI turn out to be the biggest and most effective government enemies of end-to-end encryption; they've fined JPMorgan Chase a cool $200 million for using WhatsApp and other unbreakable encrypted messaging systems. Say, wasn't there a chip thirty years ago that would have solved that problem -- Chipper? Clipper?

Finally, in quick hits,

• I point out that soft power isn’t always America’s friend, as shown by Intel’s apology to the Chinese public for obeying U.S. law, Apple’s determination to double down on deepening its dependence on a Chinese supply chain, and a SenseTime IPO that was enormously successful for everyone except U.S. sanctions and U.S. investors.
• Scott shows the remarkable erosion of Silicon Valley’s power in conflicts with Putin’s Russia. Google and Meta are facing huge fines for not taking down content Russia doesn’t like. And they're losing lawsuits to Russians whose content they have taken down. In fact, they're losing so big that I expect Breitbart to bring its next Big Tech censorship lawsuit in Moscow.

Download the 388th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.