Skating on Stilts

In Episode 261, blockchain takes over the podcast again. We dive right into the recent activity from the SEC, namely, the Framework for “Investment Contract” Analysis of Digital Assets and the No-Action Letter issued to TurnKey Jet, Inc. (TurnKey) for a digital token. Gary Goldsholle noted this guidance has been eagerly anticipated since July 2017 when the SEC first applied the Howey Test to a digital token with the DAO report. The current framework focuses primarily on the reasonable expectation of profits and efforts of others prongs of the Howey Test. While the framework lays out a number of factors to consider when determining whether a token is a security, the practicality of those factors is still up for debate.

Will Turner explained that the TurnKey No-Action Letter was most useful for parties interested in structuring a private, permissioned, centralized blockchain, but believes the guidance in the Framework would allow for alternative structures. The key from the SEC’s perspective is that there is no expectation of profits for token holders, since the token is a stablecoin pegged to the value of USD and there is no use of the token outside of TurnKey’s network. Jeff Bandman noted the irony that the first No-Action Letter related to blockchain and cryptocurrency involves private jets, particularly since “Mr. and Ms. 401(k)”—the retail investors SEC Chairman Jay Clayton is focused on protecting—are not likely to become private jet users anytime soon.

Jeff emphasized the importance of network functionality and observed that the network for private jet use was already established. Alan Cohn highlighted this tension between the need for centralization to achieve functionality, and need for decentralization as a means to avoid meeting the “derived from the efforts of others” prong of the Howey Test.

Gary then turned to Blockstack’s Regulation A filing, the most comprehensive effort to register a token under Reg. A that we have seen to date. Blockstack is seeking to be a Tier 2 issuer, meaning they can raise up to $50 million in 12 months, which comes with heightened disclosure obligations and requires audited financials. While they seek to raise capital as a security today, their ultimate goal – and a central risk factor in their offering circular – is to achieve the requisite level of decentralization such that they no longer would meet the definition of a security.

Meanwhile, in Congress, the recently reintroduced Token Taxonomy Act of 2019 would exempt a newly defined category of digital tokens from the definition of a security, as well as provide some clarity on tax issues for cryptocurrency users and exchanges. Jeff observed that these amendments might contribute further to a gap in federal regulation over spot trading markets. While the CFTC has enforcement authority, they do not have the authority to directly supervise the bitcoin trading market.

Turning to the interview, Jeff describes how he co-founded Global Digital Finance (GDF), along with other co-founders in Europe, Asia, and the United States, in order to address the lack of international standards surrounding the blockchain industry – or even a general consensus of terminology. Jeff describes how GDF has a number of working groups focused on developing high-level principles and standards on a range of topics, including stablecoins, custody, tax, and security tokens. GDF is trying to fill in some of the gaps that appear when jurisdictions regulate cryptocurrencies and crypto-assets differently.  As an example of its work, GDF’s KYC/AML/CTF group recently commented on FATF’s standards, issuing two comments in October 2018 and April 2019.

Jeff is also in the process of launching a new transfer agent service, Block Agent, focused on enabling and supporting SEC-regulated issuances. As markets mature, it is increasingly important to have the necessary post-trade infrastructure, and he is committed to offering services that recognize the novel features and efficiencies around these new technologies.

For our listeners in the DC area, Steptoe is hosting a half-day complimentary regulatory symposium this Thursday, May 2, in our DC office. Our plenary speakers include current and former commissioners and high-level officials with agencies such as the Federal Energy Regulatory Commission, the Surface Transportation Board, and the Environmental Protection Agency. We will also have breakout panels focused on four separate topics: Deference, Globalization, Regulatory/Legislative Approach, and Preemption. To register, click here.

Download the 261st Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

In this episode, Nick Weaver and I discuss new Internet regulations proposed in the UK. He’s mostly okay with its anti-nudge code for kids, but not with requiring proof of age to access adult material. I don’t see the problem; after all, who wouldn’t want to store their passport information with Pornhub?

Sri Lanka’s government has suspended social media access in the wake of the Easter attack. As Matthew Heiman notes, the reaction in the West is more or less a shrug – far different from the universal contempt and rejection displayed toward governments who did much the same during the 2011 Arab Spring rebellions. What made the difference? I argue that it’s Putin’s remarkably successful 2016 social media counterattack on Hillary Clinton as payback for her social media campaign against him in 2011.

DNS hijacking is just getting more brazen, according to a new Cisco Talos report. Nick and I talk about why that is and what could be done about it.

Paul Rosenzweig, back from hiatus and feisty as ever, mocks the EU Commission for its on-again, off-again criticism of Kaspersky’s security. Short version: The Commission wants badly to play in cybersecurity because it’s the Hot New Thing, but it has no institutional competence there, in either sense of the word. Speaking of Kaspersky, someone is doing a bad job of trying to compromise its critics with ham-handed private investigator-imposters.

Naked Kitten? Nick and I have a good laugh at the doxxing of Iranian government hackers, including their tools (and, naturally, their girlfriends).

Man bites dog: The Trump Administration is taking interagency processes seriously, and doing a better job than Obama’s team – at least when it comes to use of Cyber Command. Matthew dives into the repeal of PPD-20.

Paul brings us up to date on the Mar-a-Lago Thumb Drive Affair. Maybe it wasn’t malware after all. My guess? Schizophrenia.

Remember that face recognition software that the NGOs said was so crappy it had to be banned? Now, the New York Times reports that it’s so good it has to be banned. Not so fast, says Microsoft: Our face recognition software is still so crappy that it can’t be sold to law enforcement, and it ought to be export controlled so that China can sell – and keep improving – its own face recognition tools.

Bet you thought we forgot the Mueller Report. Nope! In fact, I offer the one conclusion about the report that everyone across the political spectrum can agree on. Anti-climactically, Paul and I point out that the report throws sidelights on the "Going Dark" debate and Bitcoin anonymity. Nick points out that we already knew everything the Mueller Report tells us on those topics.

Finally, Nick and I wrangle over the lessons to be drawn from Facebook’s privacy travails.

Download the 260th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Our News Roundup is hip deep in China stories. The inconclusive EU - China summit gives Matthew Heiman and me a chance to explain why France understands – and hates – China’s geopolitical trade strategy more than most. Maury Shenk notes that the Pentagon’s reported plan to put a bunch of Chinese suppliers on a blacklist is a tribute to China’s own schedule of sectors where Western companies. are blacklisted. And Matthew discloses reason to believe that China has finally begun to use all the US personnel data it stole from OPM. I’m so worried it may yet turn my hair pink, at least for SF-86 purposes.

And in a sign that it really is better to be lucky than to good, Matthew and I muse on how the Trump Administration’s China policy is reinforcing broader economic trends to make US companies reconsider their reliance on Chinese manufacturing.

It’s not all China, though. To kick things off, Nick Weaver and I schadenfreude our way through an otherwise serious take on the Julian Assange story and its strikingly narrow Computer Fraud and Abuse Act charge – and why extradition is likely to be a pain.

We also delve into the Google Sensorvault story. Nick and I agree that law enforcement access to location data, especially under the conditions set by Google, isn’t much of a privacy scandal, at least compared to private access to the same data. But that doesn’t mean it won’t raise endless legal problems for all concerned, partly because asking for a warrant to start the process isn’t quite the right legal or privacy framework.

Pete Jeydel notes two examples of CFIUS’s new toughness: It’s forcing a Russia-linked firm to sell its stake in a cybersecurity company, and it has handed out a $1 million fine to a company that blew off obligations under a mitigation agreement.

Maury covers the German data protection commissioner’s refusal to let German cops store data in the Amazon cloud. The commissioner blames the CLOUD Act and the risk that US authorities may get cross-border access to the data. I flag the commissioner for hypocrisy and ignoring international law. Turns out that the Justice Department has a good new whitepaper out on the CLOUD Act, and it points out that remote access to offshore data has been an implicit part of the Budapest Convention since the ‘90s.

Returning once more to China, Maury and I touch on the Chinese government’s use of AI to find Uighurs in crowds of Han Chinese. In my view, the only thing surprising about this story is that the New York Times thinks we should be surprised by it.

Download the 259th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

Our News Roundup leads with the long, slow death of Section 230 immunity. Nick Weaver explains why he thinks social media’s pursuit of engagement has led to a poisonous online environment, and Matthew Heiman replays the astonishing international consensus that Silicon Valley deserves the blame – and the regulation – for all that ails the Internet. The UK is considering holding social media execs liable for “harmful” content on their platforms. Australia has already passed a law to punish social media companies for failure to remove “abhorrent violent material.” And Singapore is happily drafting behind the West, avoiding for once the criticism that its press controls are out of step with the international community. Even Mark Zuckerberg is reading the writing on the wall and asking for regulation. I note that lost in the one-minute hate directed at social media is any notion that other countries shouldn’t be able to tell Americans what they can and can’t read. I also wonder whether the consensus that platforms should be editors will add to conservative doubts about maintaining Section 230 at all – and in the process endanger the US-Mexico-Canada Agreement that would enshrines Section 230 in US treaty obligations.

Nate Jones and I summarize the latest Reuters piece on American hackers working for the UAE. The short version? This is more a victory lap combined with journalists’ special pleading than a major new story.

Nate also briefs us on the latest tale of woe from Silicon Valley, where taking Chinese money and tech means you’re likely to get burned – in a government-ordered fire sale.

Nick and I disagree about how flawed facial recognition is, but not on the fact that NGOs are working overtime to turn the technology toxic.

Nate gives Kaspersky’s lawyers high grades for imagination and effort but not for credibility in their claim that we can trust the company’s software because Russian law doesn’t authorize Putin to intercept its data feeds.

And, with a hat tip to Gus Coldebella for the story, Matthew and I dig into the Washington attorney general’s $12 million settlement with Motel 6 for its cooperation with ICE. We think Motel 6 could have defended on federal preemption grounds and maybe gotten help from the Justice Department. But if the problem was bad publicity, that defense would have just made things worse.

Our interview is with Adam Segal, the Council on Foreign Relations’ expert on all things digital and China. Adam prognosticates on the likely fate of US-China trade talks, data localization in China, and on the future of China’s commercial cyberespionage plans.

Download the 258th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of our spouses (especially our spouses!), our clients, or our institutions.

In today’s News Roundup, Klon Kitchen adds to the sory of the North Korean Embassy invasion by an unknown group. Turns out some of the participants fled to the US and lawyered up, but the real tipoff about attribution is that they’ve given some of the data they stole to the FBI. That rules out CIA involvement right there.

Nick Weaver talks about Hal Martin pleading guilty to unlawfully retaining massive amounts of classified NSA hacking data. It’s looking more and more as though Martin was just a packrat, making his sentence of nine years in prison about right. But as Nick points out, that leaves unexplained how the Russians got hold of so much NSA data themselves.

Paul Hughes explains the seamy Europolitics behind the new foreign investment regulations that will take effect this month.

Nick explains the deeply troubling compromise of update certs at ASUS and the company’s equally troubling response. I ask why the only agency with clear authority over an incident with important national security implications is the FTC.

Nick and I comment on the FTC’s pending investigation of the privacy practices of seven Internet service providers.

Speaking of sensitive data practices, Klon talks about the Committee on Foreign Investment in the United States’ belated recognition that maybe the Chinese shouldn’t have access to the most intimate desires of the US LGBTQ community. I try to explain the difference between Tik Tok and Yik Yak and mostly fail.

Meanwhile, in splinternet news, the EU Parliament has approved the controversial Copyright Directive. A bunch of MEPs, soon to be running for reelection, claim they meant to vote against it, really, but somehow ended up voting for it.

The Department of Housing and Urban Development is suing Facebook for violating the Fair Housing Act. I ask listeners for help in finding guests who can talk about whether it’s a good idea to bar ad targeting that lets companies look for more customers like the ones they already have, even if their customers already skew toward particular genders and ethnicities.

Finally, Nick and I break down Gavin de Becker’s claim that the real killer in the Bezos sexting flap was Saudi Arabia. Plenty of smoke there, but the lack of a reference to any forensic evidence raises doubts about de Becker’s version of events.

Download the 257th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

I know. The title could be talking about pretty much any national strategy written in the last 15 years. And that’s the point. In the interview, Dr. Amy Zegart and I discuss the national cyber strategy and what’s wrong with it, besides all the bloviating. We also explore the culture clash between DOD and Silicon Valley (especially Google), and whether the right response to the Mueller report would be to conduct a thorough investigation into how the Intelligence Community and Justice handled the collusion allegations at the start of the Trump Administration. As a bonus, Amy answers this burning question: “If a banana republic is a country where losing an election means getting criminally investigated, what do you call a country where winning an election means getting criminally investigated?”

In the news roundup, we talk about the New Zealand massacre and whether six months from now it will feel as though we overreacted to distribution of the video of the attack. Along the way, we  are amazed to discover that New Zealand actually still has a “Chief Censor.”

If you thought the Boeing 737MAX approval cast the FAA in a bad light, there’s some good news for that embattled agency: The FDA is even worse at dealing with software risks. Matthew Heiman and I talk about the agency’s unimpressive handling of a flaw that would let hackers control defibrillators implanted in patients.

Conservatives v. Silicon Valley. Apparently looking for Odd Couple of the Month coverage, Sen. Josh Hawley is sounding all Sen. Elizabeth Warren-y about Facebook and Silicon Valley. And Devin Nunes is renewing claims of social media bias against conservatives. Indeed, he’s putting his lawyers where his mouth is, suing Twitter and his fake Twitter Mom for defamation. It’s an uphill battle, but I would really love to read the internal Twitter emails about Nunes if his case gets to discovery.  That's his best chance to show actual malice.

Matthew tells us that the latest European fine of $1.7 billion means that Google has been hit with $7.6 billion in EU fines since 2017 – mostly for “in the eye of the beholder” abuses of a dominant position.

Jennifer Quinn-Barabanov makes a guest appearance to read the tea leaves in the SCOTUS remand of a cy pres case without decision. Bottom line: The Court is likely to cut back on cy pres settlements, which may be good policy, but which also means trouble for defendants as well as the plaintiffs’ bar.

Matthew and I talk about the most fun caper involving North Korea in the last fifty years (since most of the other capers seemed to end in people dying). This time, the good guys got away after physically pwning the entire North Korean embassy in Spain. Spanish papers claim it was the CIA, but that’s what Spanish papers would say, isn't it? This time, though, I’d like to think it’s true.

Maury Shenk explains why US chip makers don’t actually want massive new guaranteed orders as part of a China trade deal.

And Matthew tells us how Egypt is taking advantage of the cover provided by Australia and New Zealand to tighten control of websites and social media accounts that pose a “threat to national security.”

Download the 256th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

In our interview, Elsa Kania and Sam Bendett explain what China and Russia have learned from the American way of warfighting – and from Russia’s success in Syria. The short answer: everything. But instead of leaving us smug, I argue it ought to leave us worried about complacency followed by unpleasant military surprises. Elsa and Sam both try to predict where the surprises might come from. Yogi Berra makes an appearance.

In the News Roundup, David Kris explains the Fourth Circuit’s decision to turn a hostile spouse-swap dispute into an invitation to screw up the law of stored electronic communications for a generation.

And in other litigation, a Trump-appointed judge dismisses a lawsuit charging Silicon Valley with unlawfully censoring the right. Nate Jones and I agree that, while the decision is broadly consistent with law, it may spell trouble for Silicon Valley in the long run. That’s because it depends on an idiosyncratic DC Court of Appeals interpretation of the District’s public accommodation law. I speculate that Alabama or Texas or Mississippi could easily draft a law prohibiting discrimination on the basis of viewpoint in public accommodations like,say,  Internet platforms.

Nick Weaver and I note the UN report that North Korea has stolen $571 million, much of it in cryptocurrency. I ask whether the US Treasury could seize those ill-gotten bits. Maybe, says Nick, but it would really bollix up the world of cryptocurrency (not that he minds).

I explain that DHS will be rolling out facial scanning technology to a boatload of US airports – and why there’s no hidden privacy scandal in the initiative.

And this story kind of makes you wonder about their banks and their chocolate: Nick gloats as Switzerland’s proposed Internet voting system follows his predicted path from questionable undertaking to deep, smoking crater.

Elsa Kania and I offer praise for the Navy Secretary’s willingness to accept scathing criticism of the Navy’s cybersecurity.

And Nick and I close with an effort to draw lessons from the disastrous software and human factor interactions at the heart of the Boeing 737 MAX crashes.

Download the 255th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

You've begged for it in the comments, so here it is.  With Stewart Baker off the grid at the bottom of the Grand Canyon, literally, David Kris, Maury Shenk, and Brian Egan take merciless advantage to extol the virtues of data privacy and the European Union.

Maury interviews James Griffiths, a journalist based in Hong Kong and the author of the new book, The Great Firewall of China: How to Build and Control an Alternative Version of the Internet.

In the news, David and Brian discuss last week’s revelation that the NSA is considering whether it will continue to seek renewal of the of the Section 215 “call detail record” program authority when it expires in December. We plug last week’s Lawfare podcast in which the national security advisor to House Minority Leader McCarthy made news when he reported that the NSA hasn’t been using this program for several months. David waxes poetic on the little-known and little-used “lone wolf” authority, which is also up for renewal this year.

We explore the long lineup of politicians and government officials who are coming up with new proposals to “get tough” on large technology companies. Leading the charge is Senator Warren, who promises to roll out a plan to break up “platform utilities” – basically, large Internet companies that run their own marketplaces – if she is elected president. Not to be outdone, the current chair of the Federal Trade Commission has urged that Congress provide new authorities for the FTC to impose civil enforcement penalties on tech (and presumably other) companies that violate their data privacy commitments. And last – but never least – the French finance minister announced that he will propose a 3% tax on the revenue of the 30 largest Internet businesses in France, most of which are US companies.

David discusses how one technology company is using a more familiar tool – litigation – to fight back against Chinese companies for creating and then selling fake Facebook and Instagram accounts.

In the “motherhood and apple pie” category, Maury explains French President Macron’s call for the creation of a “European Agency for the Protection of Democracies” to protect elections against cyberattacks. And Brian covers a recently re-introduced bill, the Cyber Deterrence and Response Act, which would impose sanctions on “all entities and persons responsible or complicit in malicious cyber activities aimed against the United States.”

If you are in London this week, you can see James Griffiths during his book tour. On March 13, he will be at the Frontline Club, and on March 14, he will be at Chatham House. You can also see him later this month at the Hong Kong Foreign Correspondents Club.

Download the 254th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

The second half of my interview with Cyber Insecurity News has been posted, here.  It deals with a lot of stuff from my career, including DHS, European privacy negotiations, Snowden, and cybersecurity.  (The first half is here.)  Here's an excerpt that captures some of my thinking on cybersecurity:

CIN: Is the government providing enough intelligence information—threats they’re aware of—to companies? I know that’s sometimes a complaint that companies have.

SB: Yeah, I do hear that. And I take that with a grain of salt. One thing I’ve learned from watching the intelligence community for 25 years is that intelligence in the abstract is almost never useful. For the intelligence to get good, you have to have a customer who understands the intelligence and how it’s being collected, and can tell the intelligence officers exactly what he wants and what’s wrong with the intelligence that has been collected. You don’t get good intelligence if you just try to go out and steal the best secrets you can. Because you usually don’t know what secrets really matter. You need a very sophisticated consumer who can say, “OK, I see what you’ve brought me. There are some interesting things here. But it isn’t exactly what I need. Go look for X.” The spies on their own would never think to look for X. They’re just not as deep into the technology or the situation as the consumer. So for an exchange of intelligence to be really useful, you have to make the companies your customer. I don’t think that’s likely to happen. Part of the private sector’s unhappiness with what they’re being given is their assumption that since what they got wasn’t that useful, they must not have gotten the good stuff. That’s not how intelligence works, in my experience. There isn’t “good stuff” just hiding out there. The good stuff—you have to dig it out as a customer. That isn’t likely ever to be something that the intelligence community does for individual companies.

 

CIN: What can companies be doing better?

SB: I think companies need to ask themselves—and they’re starting to do this—not so much what’s on my checklist of technologies to deploy, but who wants my stuff? And what tactics and tools are they using this week to get it? Those are things that are knowable. Those are things that you can get from intelligence. You can get it from the private sector forensics people as well. So knowing that there’s a North Korean or Chinese campaign to get information on, let’s say, windpower means that, if you’re a windpower company, you suddenly have a whole new set of adversaries, and you’re going to have to spend a whole hell of a lot more money on cybersecurity or lose your technology.  You constantly have to do a cost-benefit analysis there. But the key is knowing who’s breaking into your system, and why: Are they motivated by money, are they motivated by the desire to steal your technology? Are they criminals or governments? All of those are things that should be part of your cybersecurity planning.

 

CIN: You just said the magic word: “money.” When I talk to CISOs at companies, if we talk long enough and they feel comfortable enough, they will almost always say something about budgets, and how the management of companies so often underestimates how much is needed. And they routinely underfund cybersecurity budgets. What do you think?

SB: I agree. But I would also like to speak up for management and the board. Their most common complaint is: “My CISO comes in and says, ‘Bogeyman, bogeyman, bogeyman! Give me more money!’ He tells me that the North Koreans could do these things to me. Should I be worried about that or not? I feel as though I’m chasing goal posts that will always recede.” So there is a culture clash there. That’s one of the reasons that I like a model that asks, “Who wants my stuff, and what are they doing to get it?” Once you have that answer, you can also ask the question, “What would it cost to make sure they don’t get it? What do I have to do to defeat every one of the tools and tactics they currently are using?” Then, when I know how much that will cost, I can compare the cost of letting them win to the cost of making sure they don’t.  So I think you can reduce this to a cost-benefit analysis, if you’re disciplined about identifying who’s likely to attack companies like yours, and if you have up-to-date intelligence on how they’re getting into the systems they attack.

 

CIN: If you were the country’s cybersecurity czar, what would be the first things you would do?

SB: I would say, “If you are in a business that the lives of a large number of Americans depend upon—pipelines, refineries, electrical power grids, water, sewage systems—you’re going to have to meet certain cybersecurity standards. We’re going to continue to use regulatory agencies that you are familiar with, if you are regulated already at the federal level, but we’re going to find a way to make you meet these standards. And when we’re done getting you to meet those standards, the people that you do business with are going to have to meet those standards. We can’t afford to have weak links in our security process.” I hate to say that, because I see all the downsides to regulation. It slows everything down. It raises the cost of everything. It locks in a lack of competition. But there’s no obvious alternative, other than saying, “If you’re hacked, we’re going to expropriate your company, because you don’t deserve to be in business.” That would motivate people—sort of like the death penalty for companies. I don’t think we really want to do that. So, better to come up with a constantly shifting set of best practices, and impose them on people who currently don’t care enough to adopt them. They’re not evil people; they just don’t have enough skin in the game to worry about security.

 

CIN: What advice would you like to dispense before we conclude this conversation? Anything special you have to say to general counsel?

SB: Yes. It’s from a theme that we’ve been talking about—the need to think about who your adversary is. And it’s one of the hidden advantages in having your general counsel involved in cybersecurity. Engineers are used to protecting against inanimate nature. They’re really comfortable asking whether gravity is going to bring a bridge down. They’re much less comfortable asking, “What if the Russians wanted to bring it down, and they had all the explosives they needed?” They don’t do adversarial thinking as a routine part of their job description. And neither do the risk managers, who are most comfortable asking questions like, “Is this a risk we can self-insure, or do we have to get insurance for it?” In contrast, if you’re a good general counsel, you wake up every day and you say, “I know there are people—maybe competitors, maybe the plaintiffs bar, maybe governments—people out there who want to do my company harm using legal tools. I need to know who they are. I need to know what tools they will use to attack, and I need an early warning as they develop new ones. When the plaintiffs bar develops new lawsuits, I want to watch that. I hope that they try them out on somebody else first. But if they don’t, my job is to figure out what we will do in response.” In other words, the way of thinking about cybersecurity that I’m advocating is a way of thinking about corporate interests that lawyers are already familiar with. It should give general counsel a little bit of confidence that they have a perspective to bring to cybersecurity that isn’t just, “What will the regulators think if we don’t do this?” They can insist on more deeply adversary-based cybersecurity planning.

 

CIN: Based on your experience as an outside lawyer who advises general counsel, do you think that many GCs have a sense that cybersecurity is a really important part of their jobs, and have a seat at the table at their companies to help tackle it?   

SB: Yes and yes. First, you’d be crazy as a CEO not to give your general counsel a seat at the table, because liability is a significant part of the calculation here. In practically every tabletop exercise we run, people start turning to the general counsel almost routinely. It’s odd how often questions that easily could be answered by somebody else—there’s no necessary connection to the law—end up getting lateraled to the general counsel for one reason or another. I’m a little less confident that general counsel always bring to the task a breadth of strategic thinking that maximizes their value to the company. They will always say, “I can tell you what our regulatory obligations are. I can tell you what our privacy statement says. I can tell you what the liability decisions of the court might be, or what the FTC would say about this.” Those are all things that general counsel should be doing. I feel a little bit like a proselytizer when I say, “No, that isn’t enough; what you need to bring to this, in addition to all that, is the sense that your company is engaged in an eternal battle with institutional opponents, and that your job is to make sure your company is as fully armed for that battle as possible.”

Our interview is with two men who overcame careers as lawyers and journalists to become successful serial entrepreneurs -- and who are now trying to solve the “fake news” problem. Gordon Crovitz and Steve Brill co-founded NewsGuard to rate news sites on nine journalistic criteria. Using, of all things, real people instead of algorithms. By the end of the interview, I’ve confessed myself a reluctant convert to the effort. This despite NewsGuard’s treatment of Instapundit, which Gordon Crovitz and I both read regularly but which has not received a green check.

In the news, Klon Kitchen talks about the latest on cyberconflict with Russia: CYBERCOM’s takedown of the Russian troll farm during 2018 midterms. The Russians are certainly feeling abused. They are using US attacks to justify pursuing their “autonomous Internet,” and they’ve sentenced two Kaspersky Lab experts to long jail terms for treason, likely because of their law enforcement cooperation with the United States.

Gus Hurwitz, Klon, and Nick Weaver muse on the latest evidence that information intermediaries still haven’t found a way to deal with wayward members of their ecosystems. Amazon marketplace sellers will now have the ability to remove what they deem counterfeit listings. Amazon has let the FTC discipline fake paid Amazon reviews. And Facebook is being criticized for the costs of using human beings to enforce Facebook’s content rules. (The failure of Silicon Valley to get a handle on this problem is, of course, the key to NewsGuard’s business model.)

Finally, just to give me an excuse to link to this Dr. Strangelove clip, Gus tells us that not even our prosthetic arms are safe from IoT hacking.

Download the 253rd Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

I recently wrote a piece for Lawfare on illegal immigration and the "compromise" appropriations bill that avoided another government shutdown.  Here's the introduction: 

While Congress and cable news chatter emergency powers and President Trump’s wall, there’s a far more important immigration fight under way on the southwest border. At a time when judicial deference to the executive on immigration law has nearly vanished, the country is one court ruling away from a disastrous immigration outcome. It was summarized this way by one Honduran caravan member, who traveled to the border because: “she had heard … that bringing her daughter would guarantee them admission into the United States.”

She got it right—with one caveat. To avoid this outcome, the Trump administration is now telling applicants to wait for their asylum hearings in Mexico instead of the United States. That “remain in Mexico” policy, however, is fiercely contested and could be set aside by the courts tomorrow. If it is, anyone who crosses the border with a son or daughter will be more or less guaranteed admission, plus a work permit for some years, plus a realistic shot at staying in the country illegally for a lifetime.

I worked at the Department of Homeland Security (DHS) under President George W. Bush, and I played a large role in shaping and trying to pass comprehensive immigration reform legislation. I’m not a knee-jerk immigration restrictionist. But you don’t have to be a restrictionist to think that it is bad policy to offer years of legal U.S. residence to anyone who can pass a background check and walk across the southwest border with a child in tow. There are probably a billion people around the globe who’d take that offer tomorrow. Worse, the policy effectively invites busloads of children and parents to cross without notice in some remote spots, swamping Border Patrol stations that were never built for child care. From a national security point of view, these mass border crossings are a major vulnerability; they can be exploited by smugglers who use them as cover to sneak in drugs and dangerous individuals elsewhere along the border while Border Patrol agents are busy handing out diapers and juice boxes.

So a lot depends on the Trump administration’s effort to cut this Gordian knot of laws and court rulings with a “remain in Mexico” policy. A group of non-governmental organizations have already challenged the new approach in court, and they stand more than a decent chance of prevailing. Avoiding an adverse ruling will require creative lawyering and and aggressive international diplomacy on the government’s part. In that effort, the administration may have gotten some unintended help from the drafters of the “compromise” appropriations bill that avoided another government shutdown. That, at least, is the thesis of this article.

Here's the rest: https://www.lawfareblog.com/how-appropriations-bill-can-strengthen-remain-mexico 

This week, we interview Dmitri Alperovitch of CrowdStrike on the company’s 2019 Global Threat Report, which features a ranking of Western cyber adversaries based on how long it takes each of them to turn a modest foothold into code execution on a compromised network. The Russians put up truly frightening numbers – from foothold to execution in less than twenty minutes – but the real surprise is the North Koreans, who clock in at 2:20. The Chinese take the bronze at just over 4 hours. Dmitri also gives props to a newcomer – South Korea – whose skills are substantial.

In the News Roundup, I cheer the police for using “reverse location search warrants” to compel Google to hand over data on anyone near a crime scene. Nick Weaver agrees and puts the focus on Google and others who collect the data rather than police who use it to solve crimes.

A committee of the UK House of Commons has issued a blistering final report on disinformation and fake news. I offer this TL;DR: that all right-thinking Brits must condemn Facebook because Leave won, just as all right-thinking Americans must condemn Facebook because Trump won. Maury Shenk takes a more nuanced view.

Nick and Dmitri explain just how scary the growth of DNSpionage has become. The only thing as scary seems to be the continuing effort to put voting systems on the Internet. Nick reacts to this in the typical way of his people.

The mysterious Facebook Title III case won’t be unsealed, so we really still don’t know what the Justice Department was trying to get Facebook to do.

The New York Times claims that India is proposing Internet censorship à la Chinois. I think that’s just the New York Times’s bias showing and that India is mainly imitating Europe. Maury rides to the New York Times’s rescue.

In breaking news, The Cyberlaw Podcast has developed AI podcasting so good we don’t dare tell you about it.

This Week in Chutzpah: Alleged hacker Lauri Love has lost his bid to recover the data he stole. I want to know why we didn’t give it back to him with a couple of keyloggers installed. The temptation to decrypt  it – and give prosecutors new evidence – would be irresistible.

In closing, Nick and I dwell on YouTube’s pedophile comment problem and whether recommendation engines are more to blame than human nature.

In other news:

• Our colleagues Nate Jones and David Kris have launched the Culper Partners Rule of Law Series. Be sure to listen as episodes are released through Lawfare.
• Do you have policy ideas for how to improve cybercrime enforcement? Our friends at Third Way and the Journal of National Security Law & Policy are accepting proposals for their upcoming Cyber Enforcement Symposium. You can find the call for papers here.

Download the 252nd Episode (mp3).

The backlash against Big Tech dominates this episode, as we cover new regulatory initiatives in the US, EU, Israel, Russia, and China. The misbegotten link tax and upload filter provisions of the EU copyright directive have survived the convoluted EU legislative gantlet. My prediction: the link tax will fail because Google wants it to fail, but the upload filter will succeed because Google wants YouTube’s competitors to fail.

Rumors are flying that the FTC and Facebook will agree on a billion-dollar-plus fine on the company for failure to adhere to its consent decree. My guess? This is not so much about law as about the climate of hostility around the company since it took the blame for Trump’s election.

And, in yet another attack on Big Tech, the EU is targeting Google and Amazon for unfair practices as sales platforms. Uncharacteristically, I refuse to criticize the EU over this policy.

Artificial intelligence is so overworked a tech theme that it has even attracted the attention of the White House and DOD. We ask a new contributor, Jessica “Zhanna” Malekos Smith, to walk us through the President’s Executive Order on AI. I complain that it’s a cookie-cutter order that could as easily apply to alien abductions. DOD’s AI strategy, in contrast, is somewhat more substantive.

If you can’t beat ‘em, ban ‘em. Instead of regulating Big Tech, Russia is looking to take its own Internet offline in an emergency. The real question is whether Russia is planning to cause the emergency it’s protecting itself against. If so, the West is profoundly unready.

CFIUS is contagious! Brian Egan tells us that under US pressure Israel is considering restrictions on Chinese investment as the world keeps choosing sides in the new cold war.

China’s Ministry of Public Security is now authorized to conduct no-notice penetration testing of Internet businesses operating in China. I must say, it was nice of them to offer the service in beta to OPM, Anthem, and Equifax. Speaking of which, this  mayspell (more) trouble for Western firms doing business in China.

Brian touches on Treasury’s new sanctions against Iranian organizations for supporting intelligence and cyber operations targeting US persons. It turns out that the hackers had help – and that there is no ideology so loathsome it can’t win converts among Americans.

Nate Jones describes the EU’s plan to use “cyber sanctions” to fend off hackers during upcoming elections.

This Week in Old Guys You Shouldn’t Mess With: Nate reveals how 94-year-old William H. Webster helped take down a Jamaican scam artist. Of course, if he was any younger, he probably wouldn't have picked up when the landline rang.

Our colleagues Nate Jones and David Kris have launched the Culper Partners Rule of Law Series. Be sure to listen as episodes are released through Lawfare.

Do you have policy ideas for how to improve cybercrime enforcement? Our friends at Third Way and the Journal of National Security Law & Policy are accepting proposals for their upcoming Cyber Enforcement Symposium. You can find the call for papers here.

Download the 251st Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

This is admittedly self-indulgent, but I was recently interviewed by Cyberinsecurity News about my involvement in technology and national security policy over the years, and the result might be of interest to those who weren't there for the fights that still shape the policy environment.  A sample:

    Now, you cannot overestimate how significant the decryption victories of World War II were in shaping NSA’s culture. They were, one way or another, part of breaking Japanese codes, and Nazi codes, and everyone agreed that those decryption achievements shortened the war and maybe made it possible to win the war. Given the stakes, no one wanted to be caught in the situation again where we did not have an overwhelming advantage with respect to dealing with foreign nations’ codes. At the same time, the Soviets, who had seen that experience, had developed formidable capabilities of their own. We only occasionally got little glimpses of what was going on inside Russian communications, because their encryption was so good and so disciplined. So everybody was aware that what we had achieved in World War II was not ours by birthright. It was going to have to be something we scrapped and clawed at if we wanted to get that advantage again. So NSA was reluctant to surrender any advantage, including export controls on encryption.

     For Microsoft and the rest of Silicon Valley, they were already deep into the cycle of destroying other people’s businesses by turning them into software. Microsoft had done that successfully and become a massive new company at a time when new companies were rare. Basically by eating other people’s businesses and saying, “Oh, sorry about that!” and moving on. I think they started out with the assumption that NSA’s encryption and decryption advantage was just one more business model that was not going to survive Microsoft’s software advantages. They were more confident maybe than they should have been, but they had plenty of experience and a lot of achievement behind them. You had two very proud, very self-confident organizations dueling with each other over matters that each of them thought was central to their future.

 

If you get SMS messages on your phone and think you have two-factor authentication, you’re kidding yourself. That’s the message Nick Weaver and David Kris extract from two stories we cover in this week’s episode of The Cyberlaw Podcast – DOJ’s indictment of a couple of kids whose hacker chops are modest but whose social engineering skillz are remarkable. They used those skills to bribe or bamboozle phone companies into changing the phone numbers of their victims, allowing them to intercept all the two-factor authentication they needed to steal boatloads of cryptocurrency. For those with better hacking chops than social skills, there’s always exploitation of SS7 vulnerabilities, which allow interception of text messages without all the muss and fuss of changing SIM cards.

Okay, it ain’t “When Harry Met Sally,” but for a degraded age, “When Bezos Exposed Pecker” will have to do. David keeps us focused on the legal questions: Was the Enquirer letter really extortion? Would publication of the pics be actionable? And is there any way the Enquirer could get those text messages without someone committing a crime? Plus, of course, whether the best way to woo your new girlfriend is to send her brother to jail.

Social media – privacy law threat or competition law menace? That’s the question European (naturally) regulators are weighing. But Matthew Heiman and I have a pretty good idea what their answer will be: Both! We look at the Twitter-mobbing of Facebook by regulators and ask whether the competition charges make more sense than the privacy claims.

Looks like the net effect of the Obama-Xi agreement on not stealing commercial secrets is that a better class of Chinese officials is stealing our commercial secrets. President Xi kicked the PLA to the curb and brought in the professionals from China’s Ministry of State Security. So now Chinese tradecraft is a little better, and DOJ is indicting MSS officials instead of PLA soldiers. David sums up.

NERC is proposing a $10 million fine for cybersecurity violations on a utility reported to be Duke Energy. Matthew and I are shocked. Not by the fine, which was negotiated, or by the violations, many of them self-reported, but by the cheese-paring, penny-ante nature of so-called cybersecurity enforcement at NERC and FERC. All this Sturm und Drang to make sure utilities use six-character passwords? When security guys complain about compliance trumping security, these NERC rules will be Exhibit A.

Finally, add another chapter to the Annals of Failed Civil Liberties Campaigns, as EFF and likeminded reporters try to get us outraged about the FBI using court orders to identify a North Korean botnet. Nick points out that academics have been conducting research that is more intrusive for years without unduly disturbing even conservative university lawyers.

Well, maybe one more item: I close by thanking HoyaSaxaSD for a podcast review that honors our own inimitable Nick Weaver:

“I got a fever, and the only cure is more Weaver. Love the show. I’m a lawyer but not in tech or security law, but it’s still fascinating. My teenage sons also like most episodes, especially the Nick Weaver segments. And I concur. There needs to be Weaver in every episode, and more of him. In fact, an hour of Weaver and Baker debating/discussing would be the perfect show.”

In return, I am moved to channel Peggy Lee. And if more good reviews don’t pour in, I may make that performance a weekly feature. David Kris, I’m sure, would consider that extortion, on the ground that no one has a right to butcher Peggy Lee’s oeuvre like that.

Do you have policy ideas for how to improve cybercrime enforcement? Our friends at Third Way and the Journal of National Security Law & Policy are accepting proposals for their upcoming Cyber Enforcement Symposium. You can find the call for papers here: https://www.thirdway.org/letter/2019-cyber-symposium-call-for-papers

Download the 250th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

My latest op-ed tries to open the Overton window on responding to cyberattacks:

Cyber weapons have allowed Russia to reinvent deterrence on the cheap. Recent reports reveal a prolonged, systematic, and not particularly subtle Russian campaign to infiltrate the U.S. power grid.

It raises the prospect that Russian strongman Vladimir Putin has the ability to cut off power to large parts of the United States, as he has done already in Ukraine. He has “prepare[d] the battlefield, without pulling the trigger,” said one former U.S. official.

All of which raises the question: how to deter him? After all, where Putin goes, Iranian mullahs and Kim Jong Un will not be far behind. If any of these actors knock out even a small segment of our power grid, we will need to retaliate, and not with restraint. It’s time to start thinking the unthinkable.

Four principles should guide American decision makers in developing tough responses to other nations’ cyber provocation ...

Read the rest at Fifth Domain. 

In this episode, I interview Chris Bing and Joel Schectman about their remarkable stories covering the actions of what amount to US cyber-mercenary hackers. We spare a moment of sympathy for one of those hackers, Lori Stroud, who managed to go from hiring Edward Snowden to hacking for the UAE in the space of a few years.

In the news, I ask my partner Phil Khinda whether the $29 million Yahoo breach settlement opens a new front in breach derivative litigation or is a black swan event. He says it’s more of a red herring – and explains why.

This week in black ops: I ask Nate Jones to comment on the tradecraft used in an apparent effort to smear Citizen Lab for its reports on NSO. My take: This feels a lot like what BlackCube did for Harvey Weinstein, except that this was the low-budget version.

I'm not sure the indictments are working.  The Russians are so far from being shamed that now they’re engaged in fake hacking. Dr. Megan Reiss notes Special Counsel Mueller’s recent claim that Russians are leaking discovery materials and pretending they came from a hack of the counsel’s office. Remember the remarkably adroit robot that turned out to be a Russian in a robot suit?  That's what this reminds us of.

Maury Shenk and I discuss Google’s latest imitation of Apple’s “law enforcement lockout” feature and Google's claim that hurting law enforcement was an “unintended side effect.” I call BS.

Maury also notes the flap over a flaw in Apple’s FaceTime that allows for eavesdropping. Predictably, New York State is investigating.

And in possibly related news, Apple went out of its way to publicly embarrass Facebook and Google over their use of corporate certificates to sideload apps to record the browsing habits of paid volunteers. I'm not convinced that the fuss is justified.  Whatever those users sold their data for, it's a lot more than I'm getting.

Quick hits:

This week in dogs biting men: Ukraine says Russia is trying to disrupt its upcoming election, and the Pentagon is reportedly failing to stay ahead of cyber threats. Megan covers the first and Nate the second.

I offer one and a half cheers for Japan’s pioneering and mildly intrusive survey of bot-vulnerable IoT devices. Unfortunately, it's not intrusive enough to really address the problem.

Finally, EPIC is calling on the FTC to impose a $2 billion fine, structural changes, and more on Facebook, claiming that “the algorithmic bias of the [Facebook] news feed reflects a predominantly Anglo, male world view.” If you still need evidence that privacy law is the legal equivalent of a Twitter mob – an always-ready tool for punishing unpopular views – EPIC’s filing should do the trick.

Download the 249th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

If the surgeon about to operate on you has been disciplined for neglecting patients, wouldn’t you like to know? Well, the mandarins of European Union privacy law beg to differ. Google has been told by a Dutch court not to tell anyone about the disciplined doctor, and there seems to have been a six-month lag in disclosing even the court ruling. Gus Hurwitz and I are appalled. I repeat my long-standing view that in the end, privacy law just protects the privileged. Gus agrees.

This week's interview is with John Carlin, author of Dawn of the Code War. It’s a great inside story of how we came to indict China’s hacker-spies for attacking US companies.

In other news, the Illinois Supreme Court has demonstrated just how bad Illinois’ biometric privacy law is – by the simple expedient of applying it the way it’s written.

Dr. Megan Reiss and I air our ambivalence about the latest site hosting collections of doxed messages. We lack enthusiasm for indiscriminate doxing of the kind highlighted on Distributed Denial of Secrets, but if it’s got to happen, it couldn’t happen to a nicer Russian dictator. 

Nick Weaver explains the DHS emergency order telling civilian agencies to protect themselves against DNS hijacking, and why the shutdown may have made those agencies more vulnerable.

Nick and I debate YouTube’s latest algorithmic tweak to avoid recommending “borderline” material. He notes that the  tweak is to correct an algorithm that used to push people toward extremes. I counter that this tweak turns out to be a suspiciously good way for YouTube Social Justice Warriors to suppress videos they don’t like but can’t actually show to be violating YouTube’s terms of service.

Speaking of which, maybe the real singularity will be when Silicon Valley SJWs join forces with Beijing to produce technology to suppress WrongThink once and for all. If so, the singularity is nigh, in the form of a Chinese app that allows you to identify all the people around you who deserve to be shamed. Of course, when it comes from Twitter, instead of identifying those who haven’t paid their debts, the app will identify anyone who ever wore a MAGA hat. And it will have a cooler name. Maybe #Punchable.

Download the 248th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

So says the remarkable Jeff Jonas, CEO of Senzing. And he’s got a claim to be doing just that. A data scientist before data science was cool, Jeff has used his technical skills and an intuitive grasp of complex data problems to stop card counters in Las Vegas and terrorists targeting the US, and then to launch an initiative making voter registration more accurate and widespread. Most recently, in the course of an effort to improve maritime security around Singapore, he also found a key to identifying asteroids that are about to collide with each other and head off on a new course (one that might intersect with, well, ours).

The media has been hyping a strikingly bad magistrate judge’s opinion giving 5th Amendment protection to biometric phone security. This leads Gus Hurwitz and me to question why Congress ever promoted US magistrates to “magistrate judges” in the first place. We suggest striking the word “judge” from the title given to these Article I judicial aides; call it the Truth in Judging Act.

Congress and the President can’t even agree on a compromise that would end the partial government shutdown. So what genius decided that our security from terrorist attacks should depend on Congress and the President agreeing every couple of years on yet another part of our counterterrorism system? Like it or not, though, 2019 will feature another cliffhanger debate over several national security provisions of FISA  that are scheduled to come to an end unless renewed. Jamil Jaffer and David Kris talk about the provisions and possible outcomes. I plead for a compromise that takes seriously the Trumpist concern about partisan abuse of the law.

I suspect the government would have imposed serious fines on the owner of EDGAR for enabling a new form of insider trading -- if the SEC didn't own EDGAR itself. Jamil and Gus debate the harder question: How can hackers with access to guaranteed market moving info manage to make only $4 million in six months of trading?

The Department of Justice’s Office of Legal Counsel has reversed an Obama-era interpretation limiting the scope of federal criminal laws governing online gambling. David provides the background; I introduce our listeners to the Baptist-bootlegger coalition.

If you would like to hear more from Jeff Jonas and you’ll be in London on January 29, be sure to attend his talk, “AI for Entity Resolution,” at the SAGE Ocean speaker series. Event details can be found here.

Download the 247th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

Readers of this blog may be interested in my Lawfare post about the news that the FBI made President Trump the subject of a counterintelligence investigation after he fired their boss.  My take:

The political and bureaucratic motives mixed into this incident are reminiscent of the motives mixed into the decision to launch an investigation of Russia and the Trump campaign, the decision to rely on Christopher Steele’s research despite his partisan funding, and the decision to interrogate national security adviser Michael Flynn in the slipperiest of fashions. There are reasons why all of these things might have seemed necessary to honest, committed cops just doing their job. But they also offer a roadmap for how to abuse counterintelligence authority to serve partisan ends—a roadmap that more or less begins where the civil liberties protections of the 1970s end.

My concern is that we’re not taking that risk seriously because so many former officials and commentators believe that President Trump deserves all this and more. Some of them still hope that the election of 2016 can be undone, or at least discredited. This leads to a perseverating focus on leaks and scraps from the investigation and a determined lack of concern about the investigation’s sometimes tawdry origins. (Yes, I’m talking to you, #BabyCannon!)

If we’re going to prevent future scandals, we need to look at both. We need to know the answers to a lot of questions that are not being seriously addressed today: To what extent was politics involved in the decision to open the Trump-Russia investigation; to what extent did politics drive its direction; to what extent was politics involved in the Obama administration’s transition intelligence leaks; and, finally, to what extent was politics involved in adding the president to the counterintelligence probe?

The only independent review of any of these questions seems to be the investigation launched by Justice Department Inspector General Michael Horowitz. He’s examining the FISA application for Carter Page. That’s a good start, but it’s only a start. It’s a commonplace insight that President Trump’s norm-defying conduct has triggered norm-defying payback by others. I’m sure we’re going to learn about the first, but we can’t ignore the second.

It’s time to expand the Horowitz inquiry, or something like it, into all of these events.

Brazen Russian intrusions into the US electricity grid lead our episode. I ask Matthew Heiman and Nick Weaver whether Russia intended for us to know about their intrusions (duh, yes!) and how we should respond to the implicit threat to leave Americans freezing in the dark. Their answers and mine show creativity if not exactly sobriety.

In what may be good news about emerging European sobriety, Google gets a favorable opinion from the advocate general to the European Court of Justice (ECJ) on the question of whether to extend Europe’s “right to be forgotten” censorship regime to benighted Americans, and Turks, and Russians, and Chinese. Most of those countries would be glad to impose their censorship regime on Europeans, consideration of which may be enough to overcome the America Derangement Syndrome the ECJ has displayed in earlier tech privacy cases.

DHS was right, and EFF was wrong. That’s the lesson Maury Shenk, Nick, and I derive from the latest drone crisis at Gatwick Airport. In response, the UK is seeking police powers that DHS recently obtained – over EFF’s bitter opposition.

Matthew unpacks the Fourth Circuit ruling that a politician cannot block constituents on her official Facebook page because it has become a public forum.

Nick explains how the Hal Martin Saga keeps getting weirder – and we try on the full aluminum foil hat to explain how the whole thing could have been orchestrated by the GRU to turn Kaspersky Lab into a hero.

Ron Wyden and Motherboard combined to get mobile phone companies to stop selling location data to third parties. I wonder whether we’ll regret the result. Nobody else does.

Happy New Year from Big Brother: Vietnam takes a leaf from the EU and Chinese playbooks, threatening Facebook with fines for allowing prohibited posts and failing to localize data.

For comic relief, we cover the cybersecurity misadventures of “El Chapo.” Nick Weaver sums up the lesson: bespoke security is almost always bad security. Oh, and never use a phone provided by a paranoid boss.

We close with a quick review of how China has misused the Great Firewall to launch cyberattacks and what Silicon Valley (or the rest of us) can do in response.

Download the 246th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

Nate Jones, David Kris, and I kick off 2019 with a roundup of the month of news since we took our Christmas break. First, we break down the utterly predictable but undismissable Silicon Valley claim that the administration’s new export control strategy will hurt the emerging AI industry.

Then we draw on our guests’ expertise in counterintelligence prosecutions to review the APT10 indictment – and the claim by Jack Goldsmith and Robert Williams that the strategy is a failure. We conclude that it isn’t a magic bullet, but that’s not quite the same as a failure. I tease my plan to propose two dozen more or less unthinkable retaliatory responses the US could deploy if and when it decides to get serious about deterring adversarial cyber operations.

We quickly cover three new hacks that once looked as though they might be government sponsored. Now we suspect that two were less strategic than that. The denial of service attack on newspaper printing may have been a profit-motivated ransomware attack, and the guy who doxxed the German political establishment may have been a lone hacker (hopefully not one weighing 400 pounds or we’ll never hear the end of it).

We quickly review the bidding on the US-China “quantum arms race,” which may be a bit less critical than the press suggests.

David and Nate also review the mixed bag of rulings on three motions to suppress in Hal Martin’s NSA theft case, which just gets weirder and weirder. David and I are in surprising agreement (along with the judge) that the FBI overreached in using handcuffs, a flashbang, and a SWAT team to conduct “noncustodial” questioning of Martin.

Today’s forecast: Windy with a high probability of litigation as Los Angeles sues The Weather Company for collecting and sharing location information in its apps. We suspect that, in claiming a lack of adequate disclosure about location collection, Los Angeles is relying on the ancient legal maxim, “Damned if you do and damned if you don’t.”

In other litigation news, Illinois’s biometric privacy law continues to encounter judicial skepticism. But the Illinois state courts, unburdened by federal standing law, may yet give teeth to this seriously dumb law as Rosenbach v. Six Flags rolls on in the Illinois Supreme Court.

In Quick Hits, I am examine the claim that a clever generative adversarial AI “cheated” at a mapping task. In fact, the lesson is both less exciting and more troubling: If you don’t understand how your AI is accomplishing the task you’ve set for it, you are in for some rude surprises.

Despite all the talk of stasis and crisis in Washington, Congress is still passing modestly useful legislation on cyber issues. Nate describes the SECURE Technology Act, which sets vulnerability disclosure policy and calls for bug bounties at DHS.

And, finally, I recommend a fascinating and deeply ambivalating (okay, that's not a word, but it should be) report on the many ways third-party sellers game Amazon’s Marketplace rules.

Download the 245th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

In the News Roundup, Nick Weaver and I offer very different assessments of Australia’s controversial encryption bill. Nick’s side of the argument is bolstered by special guest Denise Howell, the original legal podcaster, with 445 weekly episodes of This Week in Law to her credit.

Later in the program, I interview Rep. Jim Langevin (D-RI), who’s been a force for cybersecurity both on the Homeland Security Committee and on the Armed Services subcommittee that oversees Cyber Command and DARPA – a subcommittee that insiders expect him to be chairing in the next Congress.

Turning back to news, the Marriott hack, already one of the biggest in history, has developed a new and more interesting angle, Gus Hurwitz explains: It may have been a Chinese intelligence operation.

The Khashoggi killing has backfired on… Israeli and Italian hacking companies? Yes, indeed. Hacking Team and NSO are now immersed in legal hot water. And as a sign of how much the Middle East has changed, Nate Jones tells us that a Saudi dissident is now waging lawfare in the courts of Tel Aviv.

We also touch on what the detention in Canada of Huawei’s CFO means for US-China technology relations as well as on a new DOD report on the risks of EMP. Nick explains why he doesn’t worry about EMP but nonetheless loves the EMP alarmists.

Download the 243rd Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with Stewart on social media: @stewartbaker on Twitter and on LinkedIn. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

This episode features an interview with Michael Tiffany, the co-founder and president of White Ops and a deep student of how to curtail adtech fraud. Michael explains the adtech business, how fraudsters take advantage of its structure, and what a coalition of law enforcement and tech companies did to wreck one of the most successful fraud networks, known as 3ve. You can read more about the take down in the joint White Ops and Google report, “The Hunt for 3ve.”

In the news, David Kris covers the Supreme Court argument in the Apple antitrust standing case. At stake: whether Illinois Brick should apply outside a brick-and-mortar context. Our panel guesses that it won’t.

You knew this was coming: Megan Reiss covers US proposals to screen Chinese students for espionage risk before giving them visas. We think it’s a good idea, but really wish there were a way to score every student in China for how compliant they are with government wishes…oh, wait…

Nobody trolls like the Russians troll. David Kris covers a Russian trollsuit claiming that Facebook has unfairly censored Russian speech. Showing that they know their opponents’ weakness, the suit includes broad hints that censoring Russians is … racist. Maury Shenk covers the bookend – Russian government threats to sue Google for not complying with Russian censorship demands. And I suggest that Putin’s Data Protection law will be just that – a law to protect Putin’s data. Speaking of privacy law always protecting the powerful, Michael Tiffany offers several reasons why GDPR has been good for Google and Facebook ad market share and bad for European competitors. It’s the tragedy of EU mercantilism: always aiming at the United States and usually hitting itself in the foot.

Another day, another Iranian hacking/ransomware indictment. What’s different about this one, Megan tells us, is that it includes a Treasury order freezing the bitcoin the Iranians collected. That’s a potentially new and powerful law enforcement tool. With only a little cajoling, David Kris acknowledges that this is one Trump administration initiative that is both novel and a good idea.

Wrapping up, David Kris ponders the surprisingly straightforward Fourth Amendment issues raised when the police have to stop an autonomous-mode Tesla going 70 on the 101 with a passed out “driver.” And Megan and I ponder the difficulty posed for social media by the “yellow-vest” riots in Paris. Which model applies: Arab Spring or Russian interference? You know what the Macron administration will say. Buckle up, Big Tech. To paraphrase Peter Parker’s Uncle Ben, with great power comes utter confusion.

Download the 242nd Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with Stewart on social media: @stewartbaker on Twitter and on LinkedIn. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

This episode’s should be titled "Baker’s Law of Evil Technology," as it explains Twitter’s dysfunctional woke-ness, Yahoo’s crappy security, and Uber’s deadly autonomous vehicles. Companies with lots of revenue can afford to offer benefits that they don’t much care about, including protection of minority voices, network security, and, um, not killing people. But as Uber’s travails show, all that gets tossed out the window when corporate survival is at stake. And here’s Baker’s Law in action: Airline algorithms that deliberately break up families sitting on the plane so they can charge to put the kids back in the same row.

I do a mini-interview of Adam Candeub, who has disclosed that the supposedly populist, supposedly Silicon-Valley-skeptical Trump Administration has proposed a massive and antidemocratic subsidy for conservative-censoring social platforms.  Worse, it's written into the virtually unamendable NAFTA 2.0. I rant (briefly) about it and pray that Congress kills the provision in the lame duck.

Merrick Garland may now be available. But, we ask Jamil Jaffer and Gus Hurwitz, is a Facebook Supreme Content Court a good idea?

Speaking of Facebook, even 98-lb weaklings seem to be kicking sand in the company’s face. I lay out the latest, incredible tale about how an app that finds all your friends’ bikini pics ended up spurring an international breach of US confidentiality orders – at the behest of the UK Parliament’s serjeant at arms. And when I say it's an incredible tale, I mean just that; the story told by the participants is extraordinarily hard to believe.

Jamil and Gus note that Commerce has begun identifying an enormous list of “emerging” technologies to be restricted for export. Is this a kind of defense-industrial policy? And will it work? The panel disagrees.

Paul Rosenzweig reports that Airbnb now has its own (woker-than-thou, naturally) foreign policy. He thinks it may violate a host of state anti-BDS laws.

Nick Weaver gives us the latest Bear Facts. Both Cozy and Fancy are back with a vengeance – and not much concern about avoiding attribution.

Download the 241st Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with Stewart on social media: @stewartbaker on Twitter and on LinkedIn. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!