Skating on Stilts

GDPR has finally arrived, Maury Shenk reminds us, bringing both expected and unexpected consequences. Among the expected: New Schrems lawsuits for more money from the same old defendants; and the wasting away of the cybersecurity resource that is WHOIS, as German courts ride to the rescue of insecurity — in the name of privacy.

Also probably to be expected, at least for those who have paid attention to the history of technology regulation: The biggest companies are likely to end up boosting their market dominance.

Less expected: The decision of some big US media to just say no to European readers, recognizing them as the Typhoid Marys of the Internet, carrying a painful and stupid regulatory infection to every site they visit.

In other unsurprising news, Gus Hurwitz and Megan Reiss note, Kaspersky has now lost both its lawsuits against US government bans in a single district court ruling.

In genuinely troubling news, Iran is signaling a willingness to attack US industrial controls, which run the electric grid and pipelines and sewage systems, using the same malware it used against the Saudis. Since Iran was willing to launch DDoS attacks on US banks the last time negotiations over its nuclear program hit a snag, this is a threat that needs to be taken seriously.

The good news is that the US government released two reports this week on how to we’ll respond to both threats — cyberattacks on our grid and DDoS attacks on our web companies. The bad news is that both reports suck. If you were feeling optimistic before this, I argue, a close reading of the reports will leave you with a sinking feeling that this is the fourth administration in a row without a clue about how to deal with such attacks.

Quick Hits

Russia wants Apple’s help in subduing Telegram, Maury reports. I predict that Tim Cook will fold like a cheap lawn chair. I’m guessing that it’s really only American law enforcement that he’s willing to thwart.

North Korea is getting credit for peacemaking while spreading malware to US and South Korean infrastructure. A lot of the attacks are enabled by phishing emails built around hot news about the Trump-Kim summit. Which, come to think of it, may be the real reason Kim keeps turning the summit off and on: He’s got to generate clickbait for all those phishing emails.

Trump wants to relieve ZTE of its company-killing Commerce sanctions, but Congress may not let him. Hardest hit? Paul Ryan, who’ll have to decide whether to let the House take a free vote to thwart the President on national security grounds. 

Gus takes us quickly through the next big security issue: IMSI catchers and SS7 exploitation. This is a big problem, or really two big problems that are bound to get real media attention – just as soon as civil liberties groups figure out how to blame them on Trump.

In other news, I’ll be hosting a Reddit AMA on r/legaladvice on June 6 starting at 2pm ET. The best questions may be read in the next episode, so be sure to contribute. You can find more information in the announcement here.

Download the 220th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

This episode features a conversation with Nick Bilton, author of American Kingpin: The Epic Hunt for the Criminal Mastermind Behind the Silk Road.  His book, out today in paperback, tells the story of Ross Ulbricht, the libertarian who created the hidden Tor site known as the Silk Road, and rode it to massive wealth, great temptation, and, finally, a life sentence. 

It’s a fine read in its own right, but for those who know the federal government, the most entertaining parts concern the investigators who bring Ulbricht down.  They all have ambitions and flaws that mirror the stereotypes of their agencies, even -- or perhaps especially -- when the agents go bad. It’s got everything – sales of body parts, murder (maybe!), rogue cops, turf fights, and justice in the end. 

Sadly, I predict this episode will generate more hate mail than any other.  Why?  You’ll have to listen to find out.  Feel free to question my judgment with emails to CyberlawPodcast@steptoe.com.lp

Download the 219th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Send your questions and suggestions for topics or interview candidates to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

In this episode, Markham Erickson highlights the Mugshots.com prosecution. The site had a loathsome business model, publishing mugshots for free and charging hundreds of bucks to people who wanted the record of their arrests taken down. Now the owners are being prosecuted in a case that combines the worst of European crazy (“surely criminals have a right to be forgotten”) and California crazy (“profits are being earned here – surely that calls for a criminal investigation”). Markham explains why this may be a hard case for California to win – and then joins me in expressing schadenfreude for the owners, whose mugshots are even now spread all across the internet.

Meanwhile, the ZTE mess gets messier as Congress moves to block President Trump’s proposed sanctions relief. Democrats are joining national security Republicans to move legislation on the topic. Who says President Trump is the divider-in-chief?

Michael Vatis digs into the FBI’s latest high-profile problem: it grossly overstated the number of encrypted phones it encountered last year. Was it a mistake or a misrepresentation? Our panel leans toward mistake.

Michael and I also criticize President Trump’s decision to dump government security for his phone. Michael reminds us of the President’s scathing treatment of Hillary Clinton’s insecure email server and asks why an insecure cell phone is different.

And in a new feature that we still haven’t made up our mind about, we do a lightning round of stories we couldn’t get to:

• GDPR has arrived at last, and typically, the European Parliament isn’t ready.
• Suspected CIA leaker Joshua Schulte was busted for kiddie porn but should have been arrested for stone stupidity.
• Kaspersky sets up shop in Switzerland; will that save the business? I’m skeptical.
• Ecuador’s budget for protecting Assange ran into the millions of dollars, and it looks as though he may be on the street any minute now. A bad week for hackers and leakers. ;-)
• Germany’s misbegotten effort to tame hate on Facebook is going to end up censoring what Americans can read. When will Congress act to preserve the first amendment from other governments?
• China’s bragging that its social credit system has blocked people from 11 million flights already; when will that system be expanded to everyone in the hacked OPM files?
• In a declassified report, a federal commission treats EMP attacks as a serious threat, not the stuff of an Alex Jones rant, as elite opinion seems to think.
• There’s a circuit split regarding border cell phone searches.
• The NTSB has issued a gobsmacking preliminary report on the fatal crash involving Uber’s autonomous vehicle.

Download the 218th Episode (mp3).

 You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Send your questions and suggestions for topics or interview candidates to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

In our 217th episode of The Cyberlaw Podcast, the blockchain and cryptocurrency team seizes control of the podcast again.

Alan Cohn hosts another of the podcast’s periodic deep dives into all things blockchain and cryptocurrency to discuss recent regulatory developments and the current state of play of the industry.

Our episode begins by looking at the Department of Treasury’s letter regarding initial coin offerings (“ICOs”). Jack Hayes tells us the key takeaways from the letter, including that persons engaged in ICOs could be considered a Money Transmitter under FinCEN’s regulations. Not only does the letter address companies based in the US that are issuing tokens, but also those based outside of the US that may have a substantial part of their business in the US or be issuing tokens to US persons. The idea that FinCEN can reach outside of the US border is not a new one. Last summer we saw a civil enforcement action against BTC-e, a foreign cryptocurrency exchange.

Jack and Alan also discuss the New York Attorney General’s recent voluntary transparency questionnaire sent to both US and non-US cryptocurrency exchanges. New York has seen its fair share of controversy with respect to cryptocurrency with the implementation of the BitLicense and the resulting exodus of a number of cryptocurrency companies.

Lisa Zarlenga provides an expert overview of the Internal Revenue Service’s (“IRS”) activity in the space starting with IRS Notice 2014-21. For tax purposes, convertible virtual currency (“CVC”) is treated as property, which means that every time you buy or sell CVC you are engaging in a taxable event and need to report capital gains or losses. The Notice did not provide much guidance on accounting for and determining basis of cryptocurrency. Lisa also discusses whether exchanging one cryptocurrency for another cryptocurrency is a like-kind exchange and how the 2018 Tax Reform Bill changes things. With the increasing popularity of airdrops, Lisa and Alan tell us about the tax treatment of tokens received during an airdrop.

Chelsea Parker discusses trends coming out of New York Blockchain Week 2018. Consensus 2018 was three times bigger than Consensus 2017 and there were almost three dozen other official conferences and events that were part of NY Blockchain Week. Needless to say, interest in blockchain appears to be at an all-time high, and there was a particularly high international presence. Government officials from countries such as Gibraltar and Bermuda highlighted their proactive steps to implement regulation while still encouraging innovation and protecting consumers. This idea of balancing regulation while still encouraging innovation was a common theme across panels.

Alan highlights Steptoe’s panel “Blockchain in Supply Chain, Navigating the Legal Waters” and the key questions discussed during Alan Cohn and Lisa Zarlenga’s presentations on the tax treatment of digital currencies and tokens at the Accounting Blockchain Coalition’s conference. Finally, the panelists highlight where they see the industry going next in terms of adoption and regulation. Lisa discusses the possibility of additional guidance from the IRS while Jack discusses the future of sovereign cryptocurrencies and the resulting regulatory challenges.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 217th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The Cyberlaw Podcast has now succumbed to an irresistible media trend: We begin the episode with a tweet from President Trump. In this one, he promises to get ZTE “back in business, fast.” Paul Rosenzweig and Nick Weaver provide the backstory, and a large helping of dismay, at the President’s approach to the issue.

I question the assumption that this will make the life of Chinese telecom equipment makers easier in the US. If anything it could be worse. The 2019 NDAA being drafted in the House will make it very difficult for telecom companies that do business with the Pentagon to rely on Chinese (or Russian) equipment. If anything, the President probably ensured a unanimous Democratic vote for the measure.

The cyber coordinator position in the White House is on the endangered list. Paul explains why it should survive. His take is not completely snark-free. Summing up the first two stories, I suggest that it proves the maxim (which, come to think of it, might be my maxim) that every President gets the White House he deserves.

Nick explains how badly American democracy could be harmed by a relatively trivial Russian (or Iranian, or North Korean) cyberattack on voter registration databases later in 2018. Indeed, they had a chance to launch such an attack in 2016, according to the Senate Intelligence Committee. This is an avoidable disaster if election officials take action now, I point out, but Paul doubts they will.

Paul and I lament the insouciance and ahistoricity of the Fourth Circuit’s ruling adding half a dozen new judicial constraints to border searches of cell phones.

Speaking of cyberattacks, you’d better buckle up, because Iranian retribution for US withdrawal from the Joint Comprehensive Plan of Action is probably being prepared as you read this. And according to a highly educational Recorded Future/Insikt report, Iran’s semi-privatized hacking ecosystem is likely to err on the side of escalation.

The Iranians aren’t the only ones upping their game. Nick summarizes an excellent Crowdstrike report on the new sophistication of Nigerian scammers.

We close with Nick’s dissection of the troubling code decisions underlying a pedestrian death caused by Uber’s autonomous vehicle. 

The Cyberlaw Podcast is hiring a part-time intern for our Washington, DC offices.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 216th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

Our interview is with Nick Schmidle, staff writer for the New Yorker. His report on cybersecurity work that goes to the edge of the law and beyond turns up some previously unreported material, including the tale of Shawn Carpenter, a cybersecurity researcher with a talent for showing up in all the best hackback stories.

In the news, Jamil Jaffer reports on domain fronting, a weird form of protection for people hiding the site they’re connecting to behind some bland Google or AWS site. Some of those people are dissidents in authoritarian lands; many are authoritarian governments hacking secrets out of corporate networks.  In any event, domain fronting is disappearing before it had even made an impression on the public’s mind. I say good riddance, bolstered in my opinion by the wailing of professional privacy groups that, do I have to remind you?, don’t care about your security at all.

The Supreme Court takes a case of great interest to social media and other tech firms who attract class actions. Jennifer Quinn-Barabanov explains the law and the likely outcome. I mostly quibble about how to pronounce “cy pres.”

Move fast and break things probably isn’t the best motto if the thing you’re likely to break is, um, you. Megan Reiss talks about the death of Aaron Traywick, and the risks of bringing the hacking ethic to genetic engineering.

Europol and a host of allies were bragging last week about taking down ISIS’s online recruiting and propaganda infrastructure. But this week they’ve had to admit that ISIS is back on line. Jamil and I talk about what lessons can be drawn from cyber-whac-a-molery.

For Chinese phone makers, it never rains but it pours. Fresh off a ban on Chinese phones from US military retail stores, there may be even more pain in the works for ZTE and other Chinese mobile infrastructure providers.

Finally, Megan Reiss and I dig deep into Rep. Ruppersberger’s thoughtful take on cybersecurity, information sharing and DHS.

The Cyberlaw Podcast is hiring a part-time intern for our Washington, DC offices.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 215th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

This episode of the Cyberlaw Podcast features a new technology-and-privacy flap: The police finally catch a sadistic serial killer, and the press can’t stop whining about DNA privacy. I argue that DNA privacy is in the running for Dumbest Privacy Issue of the Decade, in which it turns out that privacy is all about making sure the police can’t use your data to catch killers. Paul Rosenzweig refuses to take the other side of that debate.

Ray Ozzie has released a technical riposte to the condescending Silicon Valley claim that math proves the impossibility of securely accommodating law enforcement access. Paul and I muse on the aftermath, in which Silicon Valley may actually have to try winning the debate rather than claiming that there is none.

Jim Lewis and I note the likelihood that ZTE is contemplating litigation against the US ban on technology sales to the company.  What really bothers Jim, though, is the likelihood that the US sanction will accelerate China’s move to complete self-sufficiency in the technology sphere. That’s something that neither the US government nor US industry is really ready for.

The House intel committee’s report on Russia and the election is out. It finds no scandal, other than Russia’s shocking attack on our institutions, though it does criticize “ill-advised” action by Trump campaign officials. The minority report says that the investigation should have gone on even longer. Paul and I have different takes on the value of the exercise.

Gen. Paul Nakasone is about to take over at NSA, after a remarkably easy ride to confirmation. Jim Lewis finds comfort and diversion in the effort of privacy campaigners to add some bumps to the general’s road.

Finally, Paul and I debate whether Donald J. Trump Jr. committed a Computer Fraud and Abuse Act felony by logging on to an opposition website with “guessed” credentials supplied by Wikileaks.  Actually, there isn’t much debate about whether that’s a crime, but I question whether criminalizing such a trivial violation of network mores raises more questions about the CFAA than about DJT Jr.

And a bit of special pleading: How can there possibly not be any reviews of The Cyberlaw Podcast on Stitcher Radio?  Yet it appears to be true.  Please get out there and comment, loyal Stitcher listeners to the podcast!

The Cyberlaw Podcast is hiring a part-time intern for our Washington, DC offices.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 214th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

In a news-only episode, we get a cook’s tour of the RSA conference from attendees Paul Rosenzweig, Jim Lewis, and Stewart Baker.  Instead of spending a week at RSA, you can listen to us talk for five minutes about the top trends we saw at RSA: more nations attacking cybersecurity firms over attribution, more companies defending themselves outside their own networks (aka hackback), and growing (if still modest) respect for DHS’s role in cybersecurity. Oh, and Microsoft’s Digital Geneva Convention is still a mashup of profound naïveté and deep cynicism, but Microsoft’s Cyber Tech Accord may do better – at least until the FTC gets hold of it.

In other news, ZTE is being hammered for showing contempt for US export control enforcement. But the back-splatter on US suppliers will be severe as well. The United States is picking a big, big fight with China on the future of technology, and it’s going to need a strategy. 

Speaking of fights, Telegram is in a doozy with Russia over its refusal to supply crypto keys to the government. It looks as though Telegram’s use of Google and other domains as proxies (“domain fronting”) is making it hard for Russia to work its will without harming other internet companies. So far, Russia seems willing to do just that, but the game isn’t over yet.

In what may be related news, Google is engineering domain fronting out of its products. The press’s whining about the civil liberties implications of Google’s moves triggers a classic Baker rant about how privacy zealots don’t really care about security – since they’re trying to preserve domain fronting despite its role in defeating network security and facilitating crime.  

And while my rant is rolling, why not include the EU’s shameful drive-by execution of the WHOIS database. I call on the Obama NTIA officials who killed off our last leverage over ICANN to apologize to Ted Cruz for the debacle. Don’t hold your breath.

Maury Shenk lays out the remarkable parallelism between the US CLOUD Act and a new EU regulation on cross-border data sharing for law enforcement. This foretells a big change for internet companies.

Finally, or nearly so, Paul unpacks the way in which liability for the SWIFT hacks may drive cybersecurity standards for banks.

And in closing, I note that China is now the clear leader in face recognition, having found a single suspect in a crowd of 60,000 concertgoers using the technique. It’s the leader not because of China’s technical strength, though that’s impressive, but because of Silicon Valley’s politically correct refusal to develop such tools. Remember that stance when law enforcement agencies end up buying Chinese face recognition tech and then pay the cybersecurity price.

The Cyberlaw Podcast is hiring a part-time intern for our Washington, DC offices. If you are interested, click here.

And if you're wondering what happened to episode 212, I was at RSA and missed it, but the writeup is here.

Our interview is with Chris Bing and Patrick Howell O’Neill of Cyberscoop. They’ve broken two cyberscoops in the last week or so. First, an in-depth look at Kaspersky’s outing of a US cyberespionage program aimed at foreign terrorists. Hint to Kaspersky: Bringing out a brass band to warn terrorists that are being tracked by the US government is not likely to help you win your PR and legal battles in the United States. Chris Bing also covers his other scoop – the surprisingly advanced talks among the leaders of the Senate Judiciary Committee on a bill to address the FBI’s “going dark” problem.

In the news, Jennifer Quinn-Barabanov and I debate the impact of two recent incidents on the future of self-driving cars. She thinks they’ll weather these events, and that the lives such cars save will outweigh the deaths. I’m less sure, mainly because the mistakes that lead to autonomous vehicle deaths are so different from the usual human-driver error and therefore inherently compelling and disquieting.

Nick Weaver and I cover the Grindr security flap and the company's transmission of HIV status without complete encryption protection. I think there’s less to the story than meets the eye, and that Grindr is getting more heat than it deserves. Senators Markey and Blumenthal, on the other hand, deserve a lot more heat than they’ve gotten so far.

How clueless can they be to send thirteen “when did you stop beating your husband” questions to Grindr’s CEO and not notice that he’s based in Hong Kong? In fact, Grindr was bought last year by a Chinese company. Neither senator, though, bothers to ask where this authoritative database of gay American men is stored and what access the Chinese government has to it. Or how that deal got through CFIUS. Sad! To coin a phrase. 

Nick covers the big new IOT botnet’s tryout and asks why it was the banks that got attacked. I’ve got some theories, as does Nick. Along the way, he dispenses advice for people who have just realized that the router is probably the weakest link in their home network security.

When does the first amendment allow researchers to violate websites’ terms of service? Judge Bates has some preliminary answers in the Sandvik case, says Brian Egan, who thinks the case may turn into an important and perhaps unhappy ruling for websites.

In other topics, Softbank is getting a CFIUS workout. YouTube’s demonetization policy leads to a mass shooting and suicide at company headquarters. Stingrays blanket DC. And Keeper can’t even get through a news cycle about its lame lawsuit without another story about its lame security.

The Cyberlaw Podcast is hiring a part-time intern for our Washington, DC offices.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 211th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

In the news roundup, Nick Weaver, Ben Wittes, and I talk about the mild reheating of the encryption debate, sparked not just by renewed FBI pleading but by the collapse of the left-lib claim that building law enforcement access into IT devices is impossible because, uh, math. The National Academy report on encryption access has demonstrated that access is well within the zone of plausible technology policy, with support from a group of prominent tech experts, such as Ray Ozzie, all of whom know math.

Speaking of law enforcement, it was a good week for cybercrime enforcement. Nick and I touch on two victories for the good guys, with the Carbanak mastermind busted in Spain and Yevgeny Nikulin extradited to the US over Russian objections.

Meanwhile, DHS is moving forward on one of the more significant new efforts to control terrorist travel across borders  -- using social media data. The agency will be requiring social media names (but not passwords) from visa applicants, according to a proposed rule now gathering comments. Maury Shenk, Ben, Nick, and I talk about the privacy and first amendment issues implicated by the proposal. We don’t agree on most of those issues.

But we find surprising unanimity in mocking Julian Assange for deservedly losing his internet access at the Ecuador embassy. The panel even endorses Matt Green’s wicked suggestion for trolling Assange from the sidewalk outside Assange’s Ecuadoran squat.

We close  the news with a quick sack dance over the prone form of Keeper Security, which has dropped its libel suit against Dan Goodin and Ars Technica, probably because it was going to lose; the defendants’ coverage of Keeper’s serious security problems was straight and fair. Bottom line: there are plenty of good password managers; why use one whose management sues to suppress news about its product’s security holes? When that sinks in, Keeper won’t just be a loser; here’s hoping it will be a weeper too.

Our interview with David Sanger covers the vulnerability of the US grid, the psychic income and electoral popularity that Vladimir Putin gets from crossing the West’s red lines, and whether we’d be better off sparking an escalating set of cyberattacks now, rather than later when we'll be even more vulnerable.

If the last question reminds you that John Bolton will soon be the National Security Adviser, you’re not alone. We take a few minutes off from cyberlaw to explore just what kind of national security adviser Bolton will be. My bottom line: better than his reputation, and maybe much better.

 As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

The Cyberlaw Podcast is hiring a part-time intern for our Washington, DC offices. If you are interested, visit our website at Steptoe.com/careers.

Download the 210th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

It was a cyberlaw-packed week in Washington. Congress jammed the CLOUD Act into the omnibus appropriations bill, and boom, just like that, it was law, and you could wave good-bye to the Microsoft Ireland case just argued in the Supreme Court. Maury Shenk offers a view of the Act from the United Kingdom, the most likely and maybe the only beneficiary of the Act. Biggest losers? For sure the ACLU and EFF and their ilk, who were more or less rendered irrelevant without the funding and implicit backing of Silicon Valley business interests.

But wait, there’s more Congressional action, and this time it’s bad news even for Silicon Valley business interests. For the first time, the immunity conferred on social media platforms by Section 230 of the Communications Decency Act has been breached. Jamil Jaffer and I discuss FOSTA/SESTA, adopted this week. In theory the act only criminalizes media platforms that intentionally promote or facilitate prostitution, but any platforms that actually read their own content are likely at risk. Which is what Craigslist concluded, killing its personals section in response to the act. Worse for Silicon Valley, this may just be the beginning, as its unpopularity with left and right alike starts coming home to roost.

Not to be upstaged by Congress, President Trump announces a plan to impose $60 billion in tariffs on Chinese goods and new investment limits on Chinese money. Sue Esserman explains the plan and just how serious an issue it’s addressing.

Jim Lewis tells us about the FCC’s rumored plan to pile on Chinese telecom manufacturers, adopting a rule to bar the use of Universal Service funds to purchase Chinese telecom infrastructure gear. If we want to keep China out of our telecom infrastructure, he says, we should be prepared to pay a hefty price.

Speaking of hating Silicon Valley, there’s a wave of criticism – and a lawsuit – building against Uber in what may be a self-driving car accident that better tech could have prevented. Jamil urges caution in reaching conclusions.

 In any other week, Jim and Jamil would get to spend quality time chewing over the indictment and sanctioning of Iranian hackers charged with massive thefts of IP. Not this week. They give us their bottom line up front: indictments and sanctions are a good first step but can’t be our only response.

We barely have time to nod at the massive flap over Facebook and Cambridge Analytica. Still I can’t help noting that in 2012, when the Obama campaign bragged about stripping the social graph of its Facebook followers, there was no privacy scandal. Today, after Cambridge Analytica made dubious claims to have done something similar, the EU’s Vera Jourova sees a “threat to democracy.” If you’re a conservative who supports new privacy attacks on Facebook, don’t blame me when it turns out that the new privacy law is weaponized against the right, just as the old one has been.

And, as a token bit of international news, China’s social credit system is being implemented in a totalitarian fashion that reminds me of Lyft’s embrace of the McCarthyite Southern Poverty Law Center, in that both systems deny transportation to those suffering from wrongthink. Maury Shenk says it also tells us something about the efficiency and clarity of authoritarian uses of new technology.

Speaking of wrongthink, Google’s YouTube is banning firearms demo videos. Some of the banned videos may soon be hosted on pornhub, which at least will allow all those guys who used to read Playboy “for the articles” to visit pornhub “for the gun instructional videos.”

Finally, in our interview, Cyberlaw Podcast joins forces with the hosts of National Security Law Today, a podcast of the ABA Standing Committee on Law and National Security.

We interview Michael Page of OpenAI, a nonprofit devoted to a developing safe and beneficial artificial intelligence. It’s a deep conversation, but lawyers will want to spend time with the latest study suggesting that AI reads contracts faster and better than most lawyers. Luckily, I have the solution:  We'll prevent AI from running amok by requiring it to obey the entire United States Code.  And when it can't figure out what the code prohibits, well, it'll have to go to court to get the answer.  So at least one lawyer will have full employment!

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

The Cyberlaw Podcast is hiring a part-time intern for our Washington, DC offices. If you are interested, visit our website at Steptoe.com/careers.

Download the 209th Episode (mp3).

Subscribe to The Cyberlaw Podcast here.  We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

All of Washington is mad at Silicon Valley these days, as our news roundup reveals. Dems and the media have moved on from blaming Hillary Clinton’s loss on Vladimir Putin; now they’re blaming Facebook and Cambridge Analytica. Gus Hurwitz and I have doubts about the claims of illegality, but I reprise my frequent critique of privacy laws: they are uniquely likely to be enforced against those who annoy governing elites (because they’re so vague and disconnected from objectionable conduct that they can be enforced against almost anyone).

Alan Cohn describes the many regulatory agencies now feeling emboldened to take a whack at cryptocurrencies. He’s hopeful that only bad actors will actually feel the blow.

I lay out the remarkably aggressive, and novel, enforcement philosophy behind CFIUS’s rejection of the Broadcom-Qualcomm deal – and the steadily advancing Congressional effort to regulate Silicon Valley’s Chinese connections more closely. That effort has featured some remarkably harsh political attacks on tech giants like IBM and GE.

Is all this hate for techies good or bad for the effort to reimpose net neutrality through the courts? The states? Stephanie Roy maps the terrain, which turns out to be every bit as muddled as you thought the last time you read about it.

Need another reason to hate technology? How about this: hackers are soon going to kill someone. I explain the latest scary reports from Saudi Arabia’s industrial control system – and America’s.

Pressed for time, we do quick hits on stories that deserved more but got crowded out:

• Why you won’t go wrong betting that privacy zealots hate cybersecurity.
• Trouble in AMD’s chipsets raises backdoor and supply chain worries.
• Treasury sanctions the usual Russians for election meddling.
• Hal Martin’s dumb argument for making mass theft of classified documents harder (“Geez, who can keep track of a single document when you’re stealing terabytes?”) is rejected.
• And for those who wonder why the right is starting to hate Big Tech as much as the left does, here’s one week’s worth of stories from Silicon Valley that got heavy attention from conservative sites:
  • Twitter suspends comedian Steven Crowder for a video in which an intern crashed an LGBTQ meeting in SXSW claiming to identify as a computer.
  • YouTube follows suit.
  • Yet somehow Louis Farrakhan keeps both his Twitter account and its coveted blue check while tweeting crap like this: “the FBI has been the worst enemy of Black advancement. The Jews have control over those agencies of government.”
  • At the same time that it’s broadcasting Farrakhan, Twitter seems to be blocking much of the Drudge Report.
  • And Western Journal (WJ)says Facebook’s new algorithm for “giving a boost to quality news” reduced lefty site traffic by 2 percent and righty site traffic by 14 percent. As an example, comparing two NY tabloids with very different politics, WJ says the change boosted Facebook’s traffic to the lefty Daily News by 24 percent and cut the righty NY Post’s traffic by 11 percent. (Similar claims were made by another conservative site using a different methodology.

Finally, our interview is with Pete Chronis, Turner’s Chief Information Security Officer, and author of the new book, The Cyber Conundrum. Pete lays out his vision for a cybersecurity moon shot, and the two of us explore particular cybersecurity remedies that make up the effort. We take detours to consider the vulnerabilities equities process, both here and in China. We also touch on the unwise purist stand being taken by IETF on TLS 1.3;  the engineers seem determined to offer internet users what might be called “Privacy and Insecurity – By Design.” (And to bring this post full circle, if you were wondering why ordinary people are getting sick of dancing to the tune of Silicon Valley engineers, the IETF’s stiff-necked and counterproductive position on security for corporate network users would be a good place to start.)

As always The Cyberlaw Podcast is open to feedback.  Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

The Cyberlaw Podcast is hiring a part-time intern for our Washington, DC offices. If you are interested, visit our website at Steptoe.com/careers.

Download the 208th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

Our interview this week is with Ambassador Nathan Sales, the State Department’s Counterterrorism Coordinator.  We cover a Trump administration diplomatic achievement in the field of technology and terrorism that has been surprisingly undercovered (or maybe it’s not surprising at all, depending on how cynical you are about press coverage of the Trump administration). We also explore new terrorism technology challenges and opportunities in social media, State’s role in designating terrorists, the difference a decade can make in tech and terror policy, and how the Ambassador lost his cowboy boots.

In the news roundup, China seems to be hiding behind half our stories this week. Brian Egan and I sift through the entrails of CFIUS’s pronouncements on the Qualcomm/Broadcom takeover fight charts, where Chinese competition in 5G is an ever-present subtext.

More broadly, we point to a flood of stories suggesting that the US government is just beginning to struggle with the challenge posed by an economically strong adversary nation. These include accusations of “weaponized capital,” naïve and compromised US academic institutions, and what amounts to a Chinese intelligence-industrial-unicorn complex.

The SEC says digital coin exchanges may be unlawful; bitcoin takes a market hit. But Matthew Heiman, in his first appearance on the podcast, expresses some doubt about the SEC’s authority over many of the businesses the agency called out.

If the SEC wants something else to worry about, maybe it should be paying more attention to the Internet Engineering Task Force (IETF), where techno-privacy zealots are getting ready to cripple the ability of business enterprises to secure their networks and comply with employee monitoring requirements.  Living down to my rock-bottom view of privacy campaigners, the IETF seems to be saying that in order to signal their virtue on privacy issues, they are happy to sacrifice our security – and compliance with law.

Part of the problem may be a lack of technically sophisticated staffers in government; Matthew and Jamil Jaffer chew over the cyber staffing crisis in government, and what can be done about it.

Finally, Jamil and Matthew comment on FBI director Wray’s statement that the FBI is not looking to blow a regulatory whistle on data-breached companies that ask for the Bureau’s help.

As always The Cyberlaw Podcast is open to feedback.  Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

The Cyberlaw Podcast is hiring a part-time intern for our Washington, DC offices. If you are interested, visit our website at Steptoe.com/careers.

Download the 207th Episode (mp3).

Subscribe to The Cyberlaw Podcast here.  We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

Our interview features an excellent and mostly grounded exploration of how artificial intelligence could become a threat as a result of the cybersecurity arms race. Maury Shenk does much of the interviewing in London. He talks to Miles Brundage, AI Policy Research Fellow at the Future of Humanity Institute at Oxford and Shahar Avin of the Centre for the Study of Existential Risk and Research Associate at Cambridge. They are principal authors of a paper The Malicious Use of Artificial Intelligence: Forecasting, Prevention and Mitigation. The discussion was mostly grounded, as I said, but I do manage to work in a reference to the all-too-plausible threat of a hacking, bargaining AI sent by aliens from other star systems.

In the news roundup, semi-regular contributor Gus Hurwitz does a post-mortem on the oral argument in Microsoft’s Ireland case. 

Maury notes that Google has issued its most detailed report yet on how it’s implementing the right to be forgotten. My takeaway: apart from censoring media in their own countries, everyone’s favorite censorship targets seem to be US sites. I am not comforted that 90 percent of the censorship stays home, since the other ten percent seems aimed at keeping true facts from, well, you and me.

Gus evaluates the latest Securities and Exchange Commission cybersecurity guidance. Bottom line: no surprises, but a good thing nonetheless.

I do a quick recap of the CFIUS butcher’s bill for Chinese deals. It’s every bit as ugly as you’d expect. The Xcerra and Cogint deals have collapsed over chip and personal data worries. The Genworth deal is on the bubble. And CFIUS is taking unprecedented action to intervene in the Qualcomm-Broadcom proxy fight.

A new contributor, Megan Reiss, of the R Street Institute, unpacks a couple of security industry reports covering the emergence of false flag hacks at the Olympics (or should that be "Olympic hacker-athletes from Russia"?) and the increasingly blurred line between criminal and state cyberespionage.

Maury covers the latest EU effort to wrongfoot Big Tech over scrubbing terrorist content. And I try to broaden the point, noting that the idea of a tech “platform” immunity has begun to fray even in the US, the land of its birth.

For those listeners afraid to traverse the feverswamps of conservative media, I bring back a story that shows why the loss of Big Tech platform immunity is shaping up as a bipartisan issue. Would you believe that CNN has bought an industrial washing machine so that it can spin stories more efficiently before airing them?  Do you need Snopes.com to tell you that’s satire? Does anyone need an anonymous Big Tech finger-wagger to tell you it’s fake news and threaten the site with penalties for repeat offenses? If not, you can see why the right is increasingly uncomfortable with Big Tech as media gatekeeper.

Finally, as a bit of comic relief, last week Edward Snowden took to Twitter to criticize Apple for posing as a protector of privacy while actually cozying up to a dictatorship.

Really.

You can’t make this stuff up.

As always The Cyberlaw Podcast is open to feedback.  Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

The Cyberlaw Podcast is thinking of hiring a part-time intern for our Washington, DC offices. If you are interested, watch for an announcement at Steptoe.com/careers.

Download the 206th Episode (mp3).

Subscribe to The Cyberlaw Podcast here.  We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

Today’s news roundup begins with Maury Shenk and Brian Egan offering their views about the Supreme Court oral argument in the Microsoft Ireland case. We highlight some of the questions that may tip the Justices’ hand.

Brian and I dig into the Dems' reply memo on the Carter Page FISA application. I’m mostly unshocked by the outcome of the dueling memos, though I find one sentence of the application utterly implausible. I also foresee a possible merging of the Clinton-Obama Trump-smearing scandal with the Trump-Russia collusion scandal – call it the scandularity!

In other Russia news, the Justice Department is standing up a task force on all things cyber. Jim Lewis and I disagree about whether Russian hacking of the electoral infrastructure is likely to be a serious problem in 2018. We agree that the Twitter bot war on the American body politic will continue, since it seems to be a pretty cheap hobby for Putin’s favorite supplier of catered meals.  Indeed, he seems to have gotten into the business as a way of squelching online protests that his school lunches were lousy. I suggest that Michelle Obama probably wishes she’d heard about that tactic sooner.

Google has announced an Advanced Protection program for people who think they may be high value targets for government cyberespionage. In a Cyberlaw Podcast first, I offer a product review. Short version: I’m still using it, despite some flaws in what looks like a beta program, but as a supply chain buff, I can’t help wondering who the hell Feitian Technologies is and what ties they have to the Chinese government.

March 1 is D-Day for Apple moving the crypto keys for Chinese IPhones' iCloud data to China.  

And Keeper continues to pursue its misguided STFU libel suit against Ars Technica. Ars Technica’s answering brief is here. While security researchers have been wasting their time on politically correct whining about the Computer Fraud and Abuse Act, libel suits are turning into far more effective tools for chilling security research.

Finally, for fans of the podcast in the Washington area, Steptoe is thinking of hiring a part-time intern to handle much of the organizational work associated with the podcast. If you’re interested, keep an eye on www.Steptoe.com/careers , which is where we’ll post the position if this idea bears fruit.

As always The Cyberlaw Podcast is open to feedback.  Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 205th Episode (mp3).

Subscribe to The Cyberlaw Podcast here.  We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

Looking for a Baker-free episode of The Cyberlaw Podcast?  This is your week; I miss the podcast to teach grandchildren how to ski cross country.  Brian Egan and Jamil Jaffer hold the fort, covering a few implications of Special Counsel Mueller’s indictment from Friday – the legal theories of the case and what the indictment does and doesn’t cover – as well as the follow-on false statement indictment against a former associate of a major law firm. In an amazing convergence of viewpoints, everyone, from Presidents Obama and Trump to Brian and Jamil – agrees that Russia appears to be winning, and the US is losing, when it comes to interference with US elections.

At the same time, the state secretaries of state gathered in Washington last week to discuss cybersecurity and US elections – coming in the face of a fairly damning report published by the Council on American Progress on shortcomings in US election-related cyber defenses. In light of these threats, we ponder whether a return to the old – paper ballots, or even the  “mail only” approach that is operative in a few states, is better than an electronic ballot.

In other Russia-related news, Kaspersky turned to (literally) one of the oldest pages in the book – the Bill of Attainder clause in the US Constitution – in suing to block the application of a provision in the NDAA that prohibits federal agencies from using Kaspersky products. Jamil posits that the case is less frivolous than may appear at first blush, while Brian muses about the history of Bill of Attainder litigation in the United States.

Finally, Jamil and Brian discuss the US and UK decision to attribute the NotPetya attack to Russia and the continued trend in the Obama and Trump Administrations to publicly identify perpetrators of state-sponsored cyber attacks (along with the risks inherent in this approach). Notwithstanding the NotPetya attribution, as well as a recent White House report on the increased economic costs of cyberattacks and Congressional hearings on data breaches, we explain why we believe it to be unlikely that Congress will pass federal data breach/data notification legislation any time soon.

As always The Cyberlaw Podcast is open to feedback.  Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 204th Episode (mp3).

Subscribe to The Cyberlaw Podcast here.  We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

In this episode, Jamil Jaffer and I interview Glenn Gerstell, the General Counsel of the National Security Agency. Glenn explains what it was like inside the effort to reauthorize section 702 of FISA. Jamil and I ask him whether the FISA court has the authority to deal with material omissions in FISA applications, and he actually answers. Glenn also touches on how it feels to discover that data subject to a judicial retention order has been inadvertently deleted, on his secret exercise regime, on his future plans, and on how the United States should respond to the cybersecurity crisis.

Download the 203rd Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

Cyberlaw Podcast alumnus Marten Mickos was called before the Senate Commerce Committee to testify about HackerOne’s bug bounty program. But the unhappy star of the hearings was Uber, which was heavily criticized for having paid out a large bonus under cloudy circumstances. Sen. Blumenthal and others on the Hill treated the payment as more ransom than bounty and pilloried Uber for not disclosing what they called a breach. Even Uber, under new management, was critical of its performance.

As the only cyberlaw podcast with a Davos correspondent, we ask Alan Cohn to give highlights of the event from a cybersecurity point of view. I bring the color commentary and snark.

With Microsoft Ireland case heading to argument, the Justice Department and Big Tech are hoping to head the Court off with a legislative solution. Jamil Jaffer explains what the CLOUD Act will do. I point out who’s missing from the Grand Coalition and question whether Big Privacy has the clout to stop the act.

Fancy Bear hackers seeking high-tech weapons data from US defense contractors get lucky – up to 40% of their phishing links strike paydirt. Michael Mutek explains what this likely means for the Defense Department – more regulation, probably. Whether more regs and more compliance will produce more security is the question no one can answer.

A cyberdiplomacy office is back from the dead, sort of:  Secretary Tillerson now says he’ll create a bureau for cyberspace headed by an Assistant Secretary. And, as Jamil explains, the fight switches to which undersecretary will oversee the office.

Nick Weaver and Jamil comment on the news that Justice has pulled in an impressive haul of cyber-fraudsters, bookended by doubts whether any hackers can ever be extradited from places like the UK and Ireland. Because, face it, how many can’t claim to be on the spectrum?

I close with a tribute to John Perry Barlow, who died last week. If you wanted to know how many women would fall for a combination Grateful Dead lyricist, technologist, and cowboy, John could tell you. Exactly.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 202nd Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The crypto wars return to The Cyberlaw Podcast in episode 201, as I interview Susan Landau about her new book on the subject, Listening In: Cybersecurity in an Insecure Age. Susan and I have been debating each other for decades now, and this interview is no exception.

In the news roundup, Brian Egan and Nick Weaver join me for the inevitable mastication of the Nunes memo. (My take: the one clear scandal here is the way Glenn Simpson and Chris Steele treated the US national security apparatus, including the national security press, as just another agency to be lobbied – and the success they had in milking it for partisan advantage and private profit.)

Meanwhile, if you needed a reminder of just how enthusiastically and ham-handedly China conducts its espionage, just ask the African Union, whose Chinese-built headquarters is pwned from top to bottom.

Brian lays out a significant Ninth Circuit Anti-Terrorism Act case absolving Twitter of liability for providing “material assistance” to ISIS by requiring a more direct relationship between Twitter’s acts and the harm suffered by the private plaintiffs. Not a surprise, but a relief for Silicon Valley.

Nick fulminates about the security threat posed by a sophisticated recent malvertising campaign and wonders when enterprises will start requiring ad blockers on corporate internet software. In a related story, we wonder how much incentive Twitter really has to kill off its armies of fake followers.

Are the Dutch paying the price for punching above their weight in the cyberespionage game? And did American leaks kill their success? All we can do is speculate, unfortunately.

You know you’ve missed This Week in Sex Toy Security, so we bring it back to cover yet another internet-connected vibrator company trying to shake off a privacy class action. At least half of our audience will enjoy my stumbling effort to understand the appeal of the product.

Finally, as a sign that we’ve finally reached Peak Cybersecurity and Peak Privacy, both topics are ending up on the agendas of international trade negotiators.  The EU says its privacy rules are untouchable in negotiations (although other countries’ overly protectionist data flow policies are fair game) and the NAFTA negotiators have reportedly agreed to add to NAFTA cyber security “principles” based on the NIST Cyber Security Framework.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 201st Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

Jim Comey has tweeted his support for Andrew McCabe, who is leaving the No. 2 post at FBI early:  "Special Agent Andrew McCabe stood tall over the last 8 months, when small people were trying to tear down an institution we all depend on. He served with distinction for two decades."  I'm sure Andrew McCabe was an able agent for decades, but I can't join Jim Comey in celebrating the way McCabe did his job over the past year or two. That doesn’t mean that all the White House and Congressional attacks on the FBI are justified, simply that we ought to delay McCabe’s canonization until the facts are in.

As most people now know, Andrew McCabe’s wife ran for State Senate in Virginia in 2015 with the enthusiastic support of Terry McAuliffe, former Democratic party chief and then Democratic governor of Virginia.  McAuliffe’s PAC and the state Democratic party gave Jill McCabe financial and in-kind support totalling more than $650 thousand – over a third of her entire warchest.   The PAC had a lot to give in part because Hillary Clinton was a featured speaker at a fundraiser for it in June 2015.

At the time, McCabe was the head of the FBI’s Washington Field Office.  He announced that he would take no part in his wife’s campaign, and he sought ethics advice from the Bureau’s compliance officer and its general counsel.  The advice had two parts: he should recuse himself from corruption investigations of Virginia politicians, and his future participation in “any investigation that may present an actual or perceived conflict of interest” was to be reviewed by the field office’s ethics expert; if an investigation posed even a “potential” conflict of interest, McCabe was to be excluded from all aspects of the case.   McCabe may have followed that last procedure for a time, but there’s little sign that the procedure survived his rapid promotion in the months that followed.  In July 2015, he took the No. 3 position at the FBI, and in February 2016 the No. 2 job.

As deputy director, McCabe took on substantial responsibility for overseeing the Clinton investigation.  I can’t say for sure whether he kept conducting an “actual or perceived conflict of interest review” of the investigations he supervised, but  if he had, it’s hard to believe he would have continued to supervise the Clinton probe.  I say that because McCabe ultimately did recuse himself from the investigation, but only after guiding it for months, all the way to the conclusion that no charges were justified.  He did not recuse himself until the second, lightning-round Clinton investigation, and then most likely because of a Wall Street Journal article that shone a harsh light on connections between McCabe, his wife, Terry McAuliffe, and Clinton.

The Trump investigation was well under way at that point, but not public.  Perhaps the Trump campaign probes were never put through the recommended procedure; the protocol could have been formally or informally dropped, either when his wife lost her campaign or when McCabe was promoted.  Even so, one would have thought that the experience of unceremoniously exiting the Clinton probe would have sensitized him to the appearance of continuing to investigate Clinton’s rival.  But McCabe stayed with that investigation, to the point of playing a crucial role in the FBI’s interview of Michael Flynn.

Flynn’s interview was crucial to the investigators, fatal to him, and consistent with the FBI playbook:  Interview the subject in a friendly, disarming context.  Introduce issues on which the subject will be tempted to dissemble.  Lock the dissembling into a concrete lie. And -- boom! – just like that the bureau has a felony to work with.

The interview with Flynn seems to have fit that mold.  Flynn was known to have denied that he discussed sanctions with Amb. Kislyak.  But the Bureau apparently had a recording of the call that contradicted those assurances.  If Flynn repeated his denials to an FBI investigative team, he’d be toast.  But Flynn was unlikely to meet with a criminal or counterintelligence team investigating him without getting legal counsel and perhaps taking a moment to reconsider what up to that point had simply been the sort of lies that are all too common in politics and government.  So it was crucial that Flynn not know the purpose of the meeting.  Enter Andrew McCabe.    According to NBC News:

A brief phone call from the office of Andrew McCabe, the deputy FBI director, to a scheduler for Flynn on Jan. 24 set the interview in motion, according to people familiar with the matter. The scheduler was told the FBI wanted to speak with Flynn later that day, these people said, and the meeting was placed on Flynn’s schedule. The scheduler didn't ask the reason for the meeting, and the FBI didn't volunteer it, one person familiar with the matter said.

This strikes me as remarkable and troubling.  Flynn was the national security adviser.  He would expect to get all kinds of FBI briefings, and to resolve disputes the FBI might have with other agencies.  His routine interface with the Bureau would be with the Director or the Deputy Director.  So McCabe’s call seeking a meeting for his agents would raise no questions, while a call directly from the investigators would.  If NBC News is right, and he did set up the meeting in so surreptitious a fashion, McCabe was not just supervising the investigation, he was an integral part of it. What’s more, the tactic worked.  Flynn took the meeting, the bureau got the false statements it expected, and not long after that, Michael Flynn was gone.

I can’t say I’m sorry.  Flynn’s judgment, especially on the Russians, was highly suspect.   But it’s hard to justify McCabe’s reported actions.  The bureau is allowed to dissemble and even lie in the course of its investigations, but I doubt the bureau would have done the same to Susan Rice, even if a FISA tap had caught her saying one thing to a foreign government and another to a rival US official, something that I suspect happens quite often.  It’s even harder to believe that the FBI’s deputy director would have joined personally in the sting.

In short, it is fair to conclude that McCabe’s family ties to Clinton’s circle of supporters created at least the appearance of a conflict of interest for McCabe -- whether he was investigating Team Clinton or Team Trump.  More pointedly, if McCabe intervened personally to construct a perjury trap for the Trump administration’s national security adviser, there’s reason to believe that the conflict was more than just apparent.   If nothing else, McCabe’s blind spot for the apparent conflict – and the understandable mistrust it created in the Trump White House – makes McCabe’s departure entirely appropriate.

Whether they call it the fitbit or the “Ohsh*t!bit” governments are learning that the exercisers' internet of things is giving away their geospatial secrets at a rapid clip. Nick Weaver walks us through what most in the US government would call a security disaster – and how it could become an intelligence bonanza. As an example of what can be done, Jeffrey Lewis highlights Taiwan's secret cruise missile command center.

Of course, as soon as authoritarian governments learn to use fitbits to oppress their people, we can expect the European Union and the Wassenaar export control group to slap export controls on them.  Meredith Rathbone reports on the effort to persuade Europe and Wassenaar not to throw the security industry out with the bathwater. Turns out that progress is being made on both fronts.

Nick and I talk through the latest stories on Russian cyberspying. Meduza and Buzzfeed have a persuasive and dispiriting story about how Eugene Kaspersky might have been forced to cooperate with the Russian FSB. Looking at questions being raised about US firms allowing the Russians to inspect their source code, we conclude that Balkanization of cybersecurity products is a near certainty, with the only question being how many markets there will be. Speaking of Russia, a recent story claims that the Dutch, not prominent among hacking intelligence agencies until now, have apparently counted cybercoup on the Russians.

Meredith and I dig into the latest round in the European Court of Justice between Max Schrems and Facebook. We call it a draw, with special props to Facebook for creativity in arguing that Schrems is no longer a consumer because he’s obviously turned suing Facebook into a profession.

And, in an overdue event, jackpotting is coming to an ATM near you.

Finally, in the interview, we talk to Tim Maurer, co-director of the Cyber Policy Initiative and author of the new book, “Cyber Mercenaries – The State, Hackers, and Power.”  Tim tells us the story behind his book’s title and then jumps into a fascinating comparative study of how different governments try to control (or don’t) the hackers they recruit. Because it turns out that they all recruit hackers, just in very different ways.  Tim points out an increasing fad for having hackers from one country move to another country to ply their trade (North Koreans to China; Chinese to Africa) and the additional deterrence options this offers the US government.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

As always The Cyberlaw Podcast is open to feedback.  Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 200th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

In this guestless episode 199 of the Cyberlaw Podcast, Michael Vatis, Markham Erickson, and Nick Weaver join me to explore the intense jockeying that led to passage of S. 139 and gave section 702 of FISA a new lease on life. The administration team responsible for shepherding the bill did well, weathering the President’s tweets, providing a warrant process for backend searches that will likely be used once a year if that, and -- almost without anyone noticing -- pulling the unmasking reform provisions from the bill and substituting an ODNI rule. Why? My guess is that dropping unmasking from the bill was a bargaining chip that made it easier for Dems to vote yea; if so, it worked.

And just in time, as the days after passage brought new whiffs of scandal, from the four-page House Republican memo alleging improprieties in the FBI’s application for a FISA wiretap on a Trump campaign hanger-on to two cases in which the FBI and NSA destroyed evidence they were supposed to be preserving. Michael Vatis and I cross sword over whether the FISA abuse memo is worth taking seriously or just partisan flak.

Nick and I delve into the gigabytes of hacked data mislaid by another player in the phone hacking game – Lebanese intelligence. Nick wonders if the data was obtained by EFF or Lookout violating the Computer Fraud and Abuse Act. I suspect it may have been, but that EFF ain't talking because it doesn't want to legitimize such hacking for those whose motives aren't Certified Pure by Civil Society (TM).

The first known death by SWAT-ing has yielded charges; the egregious SWAT-er for hire, SWauTistic, has been charged with involuntary manslaughter. Hard to argue with that.

Scariest news of the week? Electric system malware is getting remarkably sophisticated, and common.

The Microsoft Ireland case will be argued next month, and there are dozens of amici briefs, including one by our own Michael Vatis, who lays out his direct appeal to Justice Gorsuch’s property-based view of the fourth amendment.

Matt Green (and Nick Weaver) have some questions for Apple about moving its China iCloud data to a third party Chinese cloud provider. I’ve got one too. If treating Taiwan as a separate country from China leads to humiliating penalties for Western companies, and it does, has China prohibited Apple from storing Taiwanese and Hong Kong user data outside China?

And, for once on the podcast: a sweet life-long love story, spelled out cryptographically.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 199th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

It turns out that the most interesting policy story about Kaspersky software isn’t why the administration banned its products from government use. It’s why the last administration didn’t.  Shane Harris is our guest for the podcast, delving into the law and politics of the Kaspersky ban.  Along the way, I ask why the Foreign Sovereign Immunities Act, which allows suits against foreign governments for torts committed in the United States, shouldn’t allow suits against foreign governments that hack computers located in the United States.

In the news, the House comfortably adopts a bill to reauthorize 702 surveillance; the Senate is expected to act today as well. While the House bill makes some changes to the law, it endorses the most moderate of the reform proposals.

In case you haven’t heard, Apple is handing off its iCloud operations in China to a local cloud storage company – with none of the histrionic civil liberties posturing the company displays in the United States.  Whose data is being transferred to the tender mercies of the Chinese authorities? Who knows? Not Apple, which can’t even send out notices to its customers without getting confused about who’s covered by the new policy.

It’s a threepeat for state authority to make online companies collect sales tax from their customers.  The Supreme Court has agreed to reconsider a dormant commerce clause doctrine that it has already affirmed twice.

I apologize to Uber for snarking on their “bounty” payment of $100,000 to a hacker who exposes a serious security flaw and gained access to large amounts of personal data. A good New York Times article demonstrates that the decision to pay up was at least plausibly justified. But as if to demonstrate why the company never gets the benefit of the doubt, Bloomberg reports on Uber’s latest scofflaw-ware scandal. Luckily for journalists everywhere, Uber continues to adopt colorfully damaging nicknames for its scofflaw-ware. In this case their product locked or deleted data sought by local law enforcement with the touch of a panic button. It was named, of course, after Sigourney Weaver’s character, Ripley, who declared that the only way to deal with an alien-infested installation was to “nuke it from orbit.”

Sheila Jackson-Lee gets an admiring mention for winning House passage of a cyber vulnerability disclosure bill that is probably nuanced enough to be adopted by the Senate as well.

And Deputy Attorney General Rosenstein makes a short pitch for “responsible” encryption that actually manages to move the debate forward a step.

Talk about 21st century warfare. Russia is claiming it fought off swarms of drones with cyberweapons. As Nick Weaver points out, that’s just the beginning.

Brian assesses the state of CFIUS reform legislation and the claim that Sen. Cornyn’s bill would result in CFIUS’s regulation of technology transfers that would be better addressed through export controls.

Finally, having already critiqued Apple and Uber, I feel obliged to offer equal time to Twitter, which remarkably can’t even identify advertisements that invite users to log on to fake Twitter sites and steal their credentials. If you want to understand the worst of Silicon Valley, I argue, you shouldn’t look to the big rich companies; it’s the struggling would-be unicorns who show what the Valley really cares about. And security ain’t it. Speaking of which, where is that Ad Transparency Center that Twitter promised any day now back in the fall of 2017?

 As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 198th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

While the US was transfixed by posturing over the Trump presidency, China has been building the future. Chances are you’ll find one part of that future – social credit scoring – both appalling in principle and irresistible in practice. That at least is the lesson I draw from our interview of Mara Hvistendahl, National Fellow at New America and author of the definitive article on the allure, defects and mechanics of China’s emerging social credit system.

In the news roundup, Nick Weaver dives deep on the Spectre and Meltdown security vulnerabilities while I try to draw policy and litigation implications from the debacle. TL;DR? This is bad, but the class actions will settle for pennies. Oh, and xkcd has all you need to know.

I note that US Customs and Border Protection under Trump has imposed new limitations on border searches of electronic devices. So naturally the press is all "Trump has stepped up border searches aggressively." No good deed unpunished, as they say.

Maury Shenk explains President Macron’s latest plans to regulate cyberspace in the name of fighting Russian electoral interference and fake news. The Germans, meanwhile, have begun implementing their plan to fight hate speech on the internet. Predictably, it looks as though hate speech is winning.

In the litigation outrage of the month, a company called Keeper (apparently a competitor of LastPass and other password managers) got caught distributing software with a security flaw. So they did what any security-conscious company would – they sued the website that publicized the flaw for libel. It’s a crappy suit, and we should all hope they end up assessed with costs and fees. But the real question is this: Google found and disclosed the flaw, while Microsoft distributed Keeper to its users. When will they file as amici to say that no company with a mature security model files STFU libel suits against people who point out legitimate security problems?  TL;DR? Keeper: Loser.

Finally, Hal Martin pleads guilty to one of twenty-plus counts and takes a ten-year sentence. So far, so ordinary in the world of plea bargaining. But as Nick points out, this wasn’t a bargain. Martin can still be tried and sentenced on all the other counts. And it effectively stipulates the maximum sentence for the one count he’s pleading guilty to. There must be a strategy here, but we can’t say for sure what it is.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 197th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

In the United States, the latest Iranian protests have sparked a kind of debate in which we argue fervently about whether the US should tweet its support or just shut up.  At the risk of making the Trump administration look moderate, I think we can choose between more than waving our hands or sitting on them. 

Remember, when the Iranian regime decided it didn’t like US activities in Iraq, it found considerably more direct ways to express its disapproval.

It just started killing American troops.

A lot of them.  According to CENTCOM, Iranian actors like Hezbollah and the Qds Force killed 500 US troops in Iraq – roughly ten percent of all our casualties.  Iranian operatives used a variety of sophisticated tactics, but by far the most deadly was the introduction of explosively formed penetrators, or EFPs.  EFPs are IEDs that use explosives to turn a carefully machined metal disk into a targeted, high-velocity slug of molten metal that can breach the most elaborate armor.  Three hundred Americans died – and many more were grievously wounded -- because Iran introduced this weapon into the Iraq insurgency. 

EFPs are particularly effective when used by lightly armed opposition forces that face well-armored government troops.  EFPs are equalizers.  Buried in the road and used against carefully selected targets, their impact on morale can be devastating.

If anyone in the world deserves to understand just how devastating, it’s the folks who have used their monopoly on guns and tanks to kill protestors, especially since they’re the same folks who brought EFPs to the streets of the Middle East.

I’m sure there are plenty of pearl-clutching reasons to think twice before we provide EFPs and related technology to Iran’s protestors.  It might crater the nuclear deal.  It could lead to revenge attacks on American forces or leaders elsewhere in the world.  It may violate some law professor’s idea of what the law of armed conflict permits.  Perhaps the Iranian opposition isn’t ready, organizationally or psychologically, to use EFPs yet.

Maybe so.  But to tell the truth, right now, all I really want is for the Iranian government and its murderous stooges to know that sending a few of Iran’s EFPs back home is on our list of options.