Skating on Stilts

It's surely fitting that a decision released on the 4th of July would set off fireworks on the Cyberlaw Podcast. The source of the drama was U.S. District Court Judge Terry Doughty's injunction prohibiting multiple federal agencies from leaning on social media platforms to suppress speech the agencies don't like. Megan Stifel, Paul Rosenzweig, and I could not disagree more about the decision, which seems quite justified to me, given the threatening and incessant White House message telling the platforms exactly whose speech they should suppress. Paul and Megan argue that it's not censorship, that the judge got standing law wrong, and that I ought to invite a few content moderation aficionados on for a full hour episode on the topic.

That all comes after a much less divisive review of recent stories on artificial intelligence. Sultan Meghji downplays OpenAI's claim that they've taken a step forward in preventing the emergence of a "misaligned" – i.e., evil -- superintelligence. We note what may be the first real-life "liar's dividend" from deep faked voice. Even more interesting is the prospect that large language models will end up poisoning themselves by consuming their own waste – that is, by being trained on recent internet discourse that includes large volumes of text created by earlier models. That might stall progress in AI, Sultan suggests. But not, I predict before government regulation tries to do the same; as witness, New York City's law requiring companies that use AI in hiring to disclose all the evidence needed to sue them for discrimination. Also vying to load large language models with rent-seeking demands are Big Content lawyers. Sultan and I try to separate the few legitimate intellectual property claims against AI from the many bogus ones.  I channel a recent New York gubernatorial candidate in opining that the rent-seeking is too damn high. 

Paul dissects China's most recent self-defeating effort to deter the West from decoupling from Chinese supply chains. It looks as though China was so eager to punish the West that it rolled out supply chain penalties before it had the leverage to make the punishment stick. Speaking of self-defeating Chinese government policies, the government's two-minute hate directed at China's fintech giants is apparently coming to an end.

Sultan walks us through the wreckage of the American cryptocurrency industry, pausing to note the executive exodus from Binance and the end of the view that cryptocurrency could be squared with U.S. regulatory authorities. That won't happen in this administration, and maybe not in any, an outcome that will delay financial modernization here for years. I renew my promise to get Gus Coldebella on the podcast to see if he can turn the tide of negativism. 

In quick hits and updates:

• There's an effort afoot to amend the National Defense Authorization Act  to prevent American government agencies, and only American government agencies, from buying data available to everyone else. We are skeptical that it will pass. 
• The EU and the U.S. have reached a (third) transatlantic data transfer deal, and just in time for Meta, which was facing a new set of competition attacks on its data protection compliance.
• Canada, which already looks ineffectual for passing a link tax that led Facebook and Google to simply drop their links to Canadian media, now looks ineffectual and petty, announcing it has pulled its paltry advertising budget from Facebook.
• Oh, and last year's social media villain is this year's social media hero, at least on the left, as Meta launches Threads and threatens Twitter's hopes for recovery from a year of turmoil.

Download 467th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Geopolitics has always played a role in prosecuting hackers. But it’s getting a lot more complicated, as Kurt Sanger reports. Responding to a U.S. request, a Russian cybersecurity executive has been arrested in Kazakhstan, accused of having hacked Dropbox and Linkedin more than ten years ago. The executive, Nikita Kislitsin, has been hammered by geopolitics in that time. The firm he joined after the alleged hacking, Group IB, has seen its CEO arrested by Russia for treason – probably for getting too close to U.S. cyber investigators. Group IB sold off all its Russian assets and moved to Singapore, while Kislitsin stayed behind, but showed up in Kazakhstan as a result of the Ukraine war broke out. Now both Russia and the U.S. have dueling extradition requests before the Kazakh authorities; Paul Stephan points out that Kazakhstan’s tenuous independence from Russia will be tested by the tug of war.

In more hacker geopolitics, Kurt and Justin Sherman examine the hacking of a Russian satellite communication system that served military and civilian users. It’s reminiscent of the Viasat hack that complicated Ukrainian communications, and a bunch of unrelated commercial services, when Russia invaded. Kurt explores the law of war issues raised by an attack with multiple impacts. Justin and I consider the claim that the Wagner group carried it out as part of their aborted protest march on Moscow. We end up thinking that the hack makes more sense as the Ukrainians serving up revenge for Viasat at a time when it might complicate Russian’s response to the Wagner group.  But when hacking meets geopolitics, who really knows?

Paul outlines the legal theory – and antitrust nostalgia – behind the  FTC’s planned lawsuit targeting Amazon’s exploitation of its sales platform.  We also ask whether the FTC will file the case in court or before the FTC’s own administrative law judge. The latter course may smooth the lawsuit’s early steps, but it will also bring to the fore arguments that Lina Khan should recuse herself because she’s already expressed a view on the issues to be raised by the lawsuit. I’m not Chairman Khan’s biggest fan, but I don’t see why her strongly held policy views should lead to recusal; they are, after all, why she was appointed in the first place.

Justin and I cover the latest Chinese law raising the risk of doing business in that country by adopting a vague and sweeping view of espionage.

Paul and I try to straighten out the EU’s apparently endless series of laws governing data, from the General Data Protection Regulation (GDPR) and the AI Act to the Data Act (not to be confused with the Data Governance Act). This week, Paul summarizes the Data Act, which sets the terms for access and control over nonpersonal data. It’s based on a plausible idea – that government can unleash the value of data by clarifying and making fair the rules for who can use data to create new businesses. Of course, the EU is unable to resist imposing its own views of fairness, thus upsetting existing commercial arrangements without really providing any certainty about what will replace them. The outcome is likely to reduce, not improve, the certainty that new data businesses want.

Speaking of which, that’s the critique of the AI Act now being offered by dozens of European business executives, whose open letter slams the way the AI Act kludged the regulation of generative AI into a framework where it didn’t really fit. They accuse the European Parliament of “wanting to anchor the regulation of generative AI in law and proceeding with a rigid compliance logic [that] is as bureaucratic …  as it is ineffective in fulfilling its purpose.” And you thought I was the EU-basher.

Justin recaps an Indian court’s rejection of Twitter’s lawsuit challenging the Indian government’s orders to block users who’ve earned the government’s ire. Kurt covers a matching story about whether Facebook should suspend Hun Sen’s Facebook account for threatening users with violence. I take us to Nigeria and question why social media thinks governments can be punished for threatening violence.

Finally, in two updates,

• I note that Google has joined Facebook in calling Canada’s bluff by refusing to link to Canadian news media, thus avoiding the Canadian link tax. For Cybertoonz's comment on Google's response, see below.
• And I do a victory lap for the Cyberlaw Podcast’s Amber Alert One week after we nominated the Commerce Department’s much delayed and nearly invisible IT supply chain security program for an Amber Alert, the Department answered the call by posting the Executive Director job in USAJOBS.

Download 466th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

And the latest from Cybertoonz:

Max Schrems is the lawyer and activist behind the first and second (and, probably soon, a third) legal challenge to the adequacy of US law to protect European personal data. Thanks to the Federalist Society's Regulatory Transparency Project, Max and I were able to spend an hour debating the law and policy behind Europe's generation-long fight with the United States over transatlantic data flows.  It's civil, pointed, occasionally raucous, and wide-ranging – a fun, detailed introduction to the issues that will almost certainly feature in the next round of litigation over the latest agreement between Europe and the US.  Matthew Heiman acted as moderator.

Download Episode 465 (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Sen. Schumer (D-NY) has announced an ambitious plan to produce a bipartisan AI regulation program in a matter of months. Jordan Schneider admires the project; I'm more skeptical. The rest of our commentators, Chessie Lockhart and Michael Ellis, also weigh in on AI issues. Chessie lays out the case against panicking over existential AI threats, this week canvassed in the MIT Technology Review. I suggest that anyone complaining that the EU or China is getting ahead of the US in AI regulation (lookin' at you, Sen Warner!) doesn't quite understand the race we're running. Jordan explains the difficulty the US faces in trying to keep China from surprising us in AI.

Michael catches us up on Canada's ill-advised effort to force Google and Meta to pay Canadian media whenever a user links to a Canadian story.  Meta has already said it would rather ban such links. The end result could be that even more Canadian news gets filtered through American media, hardly a popular outcome north of the border.

Speaking of ill-advised regulatory initiatives, Michael and I comment on Australia's threatening Twitter with a fine for allowing too much hate speech on the platform post-Elon.

Chessie gives an overview of the DELETE Act, a relatively  modest bipartisan effort to regulate data brokers' control of personal data.  

Michael and I talk about the growing tension between EU member states with real national security responsibilities and the Brussels establishment, which has enjoyed a 70-year holiday from national security history and expects the next 70 to be more of the same. The latest conflict is over how much leeway to give member States when they feel the need to plant spyware on journalists' phones.  Remarkably, both sides think government should have such leeway; the fight is over how much.

Michael and I are surprised that the BBC feels obliged to ask, "Why is it so rare to hear about Western cyber-attacks?" Because, BBC, the agencies carrying out those attacks are on our side and mostly respect rules we support.

In updates and quick hits:

• I bring listeners up to date on how things turned out for the lawyers who filed a ChatGPT-hallucinated brief in federal court: Not well.
• Chessie flags the creation of a new Justice Department section in the National Security Division: Natsec Cyber
• Chessie also welcomes the growing recognition, some of it in cold, hard cash, for cyber security clinics.

Download Episode 464 (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Senator Ron Wyden (D-OR) is to moral panics over privacy what Andreessen Horowitz is to cryptocurrency startups. He's constantly trying to blow life into them, hoping to justify new restrictions on government or private uses of data.  His latest crusade is against the intelligence community's purchase of behavioral data, most of which is already generally available to everyone from Amazon to the GRU. He has relaunched his campaign several times, introducing legislation, holding up Avril Haines's confirmation over the issue, and extracting a DNI report on the topic that has now been declassified. The report was a sober and reasonable explanation of why commercial data is valuable for intelligence purposes, so naturally WIRED magazine's headline summary was, "The U.S. Is Openly Stockpiling Dirt on All Its Citizens." Matthew Heiman takes us through the story, sparking a debate that pulls in Michael Karanicolas and Cristin Flynn Goodwin.

Next, Michael explains IBM's announcement that it has made a big step forward in quantum computing.

Meanwhile, Cristin tells us, the EU has taken another incremental step forward in producing its AI Act – mainly by piling even more demands on artificial intelligence companies. We debate whether Europe can be a leader in AI regulation if it has no AI industry. (I think it makes the whole effort easier, since the EU doesn't have to worry about whether its regulatory regime is even remotely plausible. This looks like the EU's working strategy, to judge by a Stanford study suggesting that every AI model on the planet is already in violation of the AI Act's requirements.)

Michael and I discuss a story claiming persuasively that an Amazon driver's dubious allegation of racism led to an Amazon customer being booted out of his own "smart" home system for days. This leads us to the question of how Silicon Valley's many "local" monopolies enable its unaccountable power to dish out punishment to customers it doesn't approve of.

Matthew recaps the administration's effort to prevail in the debate over renewal of section 702 of FISA. This week, it rolled out some impressive claims about the cyber value of 702, including 702's role in identifying the Colonial Pipeline attackers (and getting back some of the ransom). The administration also introduced yet another set of FBI reforms, this time designed to ensure that agents face career consequences for breaking the rules on accessing 702 data.

Cristin and I award North Korea the "Most Improved Nation State Hacker" prize for the decade, as the country triples its cryptocurrency thefts and shows real talent for social engineering and supply chain exploits. Meanwhile, the Russians who are likely behind Anonymous Sudan decided to embarrass Microsoft with a DDOS attack on its application level. The real puzzle is what Russia gains from the stunt.

Finally, in updates and quick hits, we give deputy national cyber director Rob Knake a fond sendoff, as he moves to the private sector; we anticipate an important competition decision in a couple of months as the FTC tries to stop the Microsoft-Activision Blizzard merger in court, and I speculate on what could be a Very Big Deal – the possible breakup of Google's adtech business.

Download 463rd Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

It was a disastrous week for cryptocurrency in the United States, as the SEC filed suit against the two biggest exchanges, Binance and Coinbase, on a theory that makes it nearly impossible to run a cryptocurrency exchange in the US that is competitive with overseas exchanges. Nick Weaver lays out the difference between securities "process crimes" and "crime crimes," and how it helps to distinguish the two lawsuits. The SEC action marks the end of an uneasy truce between regulators and the cryptocurrency industry, but not the end of the debate. Both exchanges have the funds for a hundred-million-dollar criminal defense and lobbying campaign. So you can expect to hear more about this issue for years (and years) to come.

I bring up two AI regulation stories. First is Mark Andreessen's post trying to head off AI regulation, which is pretty persuasive until the end, where he says that the risk of bad people using AI for bad things can be addressed by using AI to stop them.  Sorry, Mark, it doesn't work that way. We aren't, for example, stopping the crimes that modern encryption makes possible by throwing more crypto at the culprits.

My nominee for the AI Regulation Hall of Fame, though, goes to Japan, which has decided to address the phony issue of AI copyright infringement by declaring that it's a phony issue and there'll be no copyright liability for their AI industry if it trains its models on copyrighted content.  That's the right answer, in my view, but it's also a brilliant way of borrowing and subverting the EU's GDPR model, in which aggressively regulating global data transfers turns out to be a pretty good trade barrier. Now Japan proposes to write the global copyright rules for AI, at least as a practical matter. Why? Because Japan's policy effectively gives immunity from copyright claims to any AI company that builds a dataset or trains its models in Japan. The rest of the world can follow suit or watch their industries flock to Japan to train their models in relative regulatory certainty. This has to be the smartest piece of international AI regulation any jurisdiction has come up with so far. (It helps, of course, that copyright claims against AI are mostly rent-seeking by Big Content.)

Kurt Sanger, just back from a NATO cyber conference in Estonia, explains why military cyber defenders are stressing their need for access to the private networks they'll be defending. Whether they'll get it, we agree, is another kettle of fish entirely.

David Kris turns to public-private cooperation issues in another context. The Cyberspace Solarium Commission has another report out. It calls on the government to refresh and rethink the aging orders that regulate how the government deals with the private sector on cyber matters.

Kurt and I consider whether Russia is committing war crimes by DDOSing emergency services in Ukraine at the same time as it's bombing Ukrainian cities. We agree that the evidence isn't there yet.

Nick and I dig into two recent exploits that stand out from the crowd. Barracuda's security appliance has been so badly compromised that the only remedial measure involves a woodchipper. Nick is confident that the tradecraft here suggests a nation-state attacker. I wonder if the remedy is also a way to move Barracuda's customers to the cloud.

The other compromise is an attack on MOVEit Transfer. Flaws in the secure file transfer system have allowed ransomware gang Clop to download so much proprietary data that they have resorted to telling their victims to self-identify and pay the ransom rather than wait for Clop to figure out who they've pwned.

Kurt, David, and I talk about the White House effort to sell section 702 of FISA for its cybersecurity value -- and my effort, with Michael Ellis, to sell 702 (packaged with intelligence reform) to a conservative caucus that is newly skeptical of the intelligence community. David finds himself uncomfortably close to endorsing our efforts.

Finally, in quick updates:

• Nick talks about Tesla's Full Self Driving, and the accidents it's been involved in.
• I warn listeners that Virginia has joined the ranks of states that require users to produce ID proving their age to access Pornhub. I predict that twenty states will adopt such a requirement in the next year

Download 462nd Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

This episode of the Cyberlaw Podcast kicks off with a spirited debate over AI regulation. Mark MacCarthy dismisses AI researchers' recent call for attention to the existential risks posed by AI; he thinks it's a sci-fi distraction from the real issues that need regulation – copyright, privacy, fraud, and competition. I'm utterly flummoxed by the determination on the left to insist that existential threats are not worth discussing, at least while other, more immediate regulatory proposals have not been addressed. Mark and I cross swords about whether anything on his list really needs new, AI-specific regulation when Big Content is already pursuing copyright claims in court, the FTC is already primed to look at AI-enabled fraud and monopolization, and privacy harms are still speculative. Paul Rosenzweig reminds us that we are apparently recapitulating a debate being held behind closed doors in the Biden administration. Paul also points to potentially promising research from OpenAI on reducing AI hallucination.

Gus Hurwitz breaks down the week in FTC news: Amazon has settled an FTC claim over children's privacy and another over security failings at Amazon's Ring doorbell operation. The bigger story is the FTC's effort to impose a commercial death sentence on Meta's line of children's advertising and services -- for a crime that looks to Gus and me like a misdemeanor. Meta thinks, with some justice, that the FTC is just looking for an excuse to rewrite the 2019 consent decree, something Meta says only a court can do.

Paul flags a batch of China stories:

• China's version of Bloomberg has begun quietly limiting the information  that is available to overseas users.
• TikTok is accused of storing influencers' sensitive financial information in China, contrary to its promises.
• Malaysia won't ban Huawei from it 5G network.
• The former Harvard chair convicted of lying about taking Chinese money has been sentenced to just two days in prison.
• And another professor charged and then exonerated by the US of commercial espionage has won the right to sue the FBI for his arrest.

Gus tells us that Microsoft has effectively lost a data protection case in Ireland and will face a fine of more than $400 million. I seize the opportunity to plug my upcoming debate with Max Schrems over the Privacy Framework meant to spare big tech companies from fines for simply moving personal data across the Atlantic.

Paul is surprised to find even the State Department rising to the defense of section 702 of Foreign Intelligence Surveillance Act ("FISA").

Finally, Gus asks whether automated tip suggestions should be condemned as "dark patterns" and whether the FTC needs to investigate the New York Times' stubborn refusal to let him cancel his subscription. He also previews California's impending Journalism Preservation Act.

Download 461st Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

In this bonus episode of the Cyberlaw Podcast, I interview Jimmy Wales, the cofounder of Wikipedia. Wikipedia is a rare survivor from the Internet Hippie Age, coexisting like a great herbivorous dinosaur with Facebook, Twitter, and the other carnivorous mammals of Web 2.0. Perhaps not coincidentally, Jimmy is the most prominent founder of a massive internet institution not to become a billionaire. We explore why that is, and how he feels about it.

I ask Jimmy whether Wikipedia's model is sustainable, and what new challenges lie ahead for the online encyclopedia. We explore the claim that Wikipedia has a lefty bias, and whether a neutral point of view can be maintained by including only material from trusted sources. I ask Jimmy about a concrete example -- what looks to me like an idiosyncratically biased entry in Wikipedia for "Communism."

We close with an exploration of the opportunities and risks posed for Wikipedia by ChatGPT and other large language AI models.

Download 460th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

This episode of the Cyberlaw Podcast features the second half of my interview with Paul Stephan, author of The World Crisis and International Law. But it begins the way many recent episodes have begun, with the latest AI news. And, since the story is squarely in scope for a cyberlaw podcast, we devote some time to the so-appalling-you-have-to-laugh-to-keep-from-crying story of the lawyer who relied on ChatGPT to write his brief. As Eugene Volokh noted in his post on the story, the AI returned exactly the case law the lawyer wanted – because it made up the cases, the citations, and even the quotes. The lawyer said he had no idea that AI would do such a thing.

I cast a skeptical eye on that excuse, since when challenged by the court to produce the cases he relied on, the lawyer turned not to Lexis-Nexis or Westlaw but to ChatGPT, which this time made up eight cases on point. And when the lawyer asked ChatGPT, "Are the other cases you provided fake," the model denied it. Well, all right then. Who among us has not asked Westlaw, "Are the cases you provided fake?" and accepted the answer without checking? Somehow, I can't help suspecting that the lawyer's claim to be an innocent victim of ChatGPT is going to get a closer look before this story ends. So if you're wondering whether AI poses existential risk, the answer for at least one law license is almost certainly "yes."

But the bigger stories of the week were the cries from Google and Microsoft leadership for government regulation of their new AI tools. Microsoft's President, Brad Smith has, as usual, written a thoughtful policy paper on what AI regulation might look like. Jeffery Atik and Richard Stiennon point out that, as usual, Brad Smith is advocating for a process that Microsoft could master pretty easily. Google's Sundar Pichai also joins the "regulate me" party, but a bit half-heartedly. I argue that the best measure of Silicon Valley's confidence in the accuracy of AI is easy to find: Just ask when Google and Apple will let their AI models identify photos of gorillas. Because if there's anything close to an extinction event for those companies it would be rolling out an AI that once again fails to differentiate between people and apes.

Moving from policy to tech, Richard and I talk about Google's integration of AI into search; I see some glimmer of explainability and accuracy in Google's willingness to provide citations (real ones, I presume) for its answers. And on the same topic, the National Academy of Sciences has posted research suggesting that explainability might not be quite as impossible as researchers once thought.

Jeffery takes us through the latest chapters in the U.S. - China decoupling story. China has retaliated, surprisingly weakly, for U.S. moves to cut off high-end chip sales to China. It has banned sales of U.S. - based Micron memory chips to critical infrastructure companies. In the long run, the chip wars may be the disaster that Invidia's CEO foresees. Certainly, Jeffery and I agree, Invidia has much to fear from a Chinese effort to build a national champion in AI chipmaking. Meanwhile, the Biden administration is building a new model for international agreements in an age of decoupling and industrial policy. Whether the effort to build a China-free IT supply chain will succeed is an open question, but we agree that it marks an end to the old free-trade agreements rejected by both former President Trump and President Biden.

China, meanwhile, is overplaying its hand in Africa. Richard notes reports that Chinese hackers attacked the Kenyan government when Kenya looked like it wouldn't be able to repay China's infrastructure loans. As Richard points out, lending money to a friend rarely works out. You are likely to lose both the money and the friend, even if you don't hack him.

Finally, Richard and Jeffery both opine on Ireland's imposing – under protest – a $1.3bn fine on Facebook for sending data to the United States despite the Court of Justice of the European Union's (CJEU) two Schrems decisions. We agree that the order simply sets a deadline for the U.S. and the EU to close their third deal to satisfy the CJEU that U.S. law is "adequate" to protect the rights of Europeans. Speaking of which, anyone who's enjoyed my rants about the EU will want to tune in for a June 15 Teleforum in which Max Schrems and I will  debate the latest privacy framework. If we can, we'll release it as a bonus episode of this podcast, but listening live should be even more fun!

Download 459th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

This episode of the Cyberlaw Podcast features part 1 of our two-part interview with Paul Stephan, author of The World Crisis and International Law – a are deeper and more entertaining read than the title suggests. Paul lays out the long historical arc that links the 1980s to the present day. It’s not a pretty picture, and it gets worse as he ties those changes to the demands of the Knowledge Economy. How will these profound political and economic clashes resolve themselves?  We’ll cover that in part 2.

Meanwhile, in the news roundup, I tweak Sam Altman for his relentless embrace of regulation for his industry during testimony last week in the Senate.  I compare him to another Sam with a similar regulation-embracing approach to Washington, but Chinny Sharma thinks it’s more accurate to say he was simply doing the opposite of everything Mark Zuckerberg did in past testimony. Chinny and Sultan Meghji unpack some of Altman’s proposals, from a new government agency to license large AI models, to safety standards and audit.

I mock Sen. Blumenthal for his complaint that “Europe is ahead of us” in industry-killing regulation.  That earns him immortality in the form of a new Cybertoon, below (as before, a hat tip to Bing Image Creator for the graphic help). 
Speaking of Cybertoonz, I note that an earlier Cybertoon scooped a prominent Wall Street Journal article covering bias in AI models was scooped – by two weeks.

Paul explains the Supreme Court’s ruling on social media liability for assisting ISIS, and why it didn’t tell us anything of significance about section 230.

Chinny and I analyze reports that the FBI misused its access to a section 702 database.  All of the access mistakes came before the latest round of procedural reforms, and, on reflection, I think the fault lies less with the FBI and more with DOJ and the DNI, who came up with access rules that all but guaranteed mistakes and didn’t ensure that the database could be searched when security requires it.

Chinny reviews a bunch of privacy scandal wannabe stories

• The UK flap over efforts to create a modern version of pen/trap records. I explain that this initiative is largely a reaction to bad data protection law.
• Two surveillance camera stories,
  • one story that documents the use of surveillance cameras and facial recognition to monitor public housing residents. In a rare moment of “check your privilege” one-upsmanship, I chide Chinny for not honoring the needs of public housing residents who value security from crime higher than privacy in the laundry room, and
  • another story on the more or less inevitable networking of cheap surveillance cameras in the suburbs
• And finally, a government privacy scandal ripped from the headlines of the 1920s: It turns out that the US Post Office can keep track of what’s written on the outside of the envelopes it delivers. Several Congressmen are shocked.

Download the 458th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Maury Shenk opens this episode with an exploration of three efforts to overcome notable gaps in the performance of large language AI models. OpenAI has developed a tool meant to address the models' lack of explainability. It uses, naturally, another large language model to identify what makes individual neurons fire the way they do. Maury is skeptical that this is a path forward, but it's nice to see someone trying. Another effort, Anthropic's creation of an explicit "constitution" of rules for its models, is more familiar and perhaps more likely to succeed. We also look at the use of "open source" principles to overcome the massive cost of developing new models and then training them. That has proved to be a surprisingly successful fast-follower strategy thanks to a few publicly available models and datasets. The question is whether those resources will continue to be available as competition heats up.

The European Union has to hope that open source will succeed, because the entire continent is a desert when it comes to institutions making the big investments that look necessary to compete in the field. Despite (or maybe because) it has no AI companies to speak of, the EU is moving forward with its AI Act, an attempt to do for AI what the EU did for privacy with GDPR. Maury and I doubt the AI Act will have the same impact, at least outside Europe. Partly that's because Europe doesn't have the same jurisdictional hooks in AI as in data protection. It is essentially regulating what AI can be sold inside the EU, and companies are likely to be quite willing to develop their products for the rest of the world and bolt on European use restrictions as an afterthought. In addition, the AI Act, which started life as a coherent if aggressive policy about high risk models, has collapsed into a welter of half-thought-out improvisations in response to the unanticipated success of ChatGPT.

Anne-Gabrielle Haie is more friendly to the EU's data protection policies, and she takes us through a group of legal rulings that will shape liability for data protection violations. She also notes the potentially protectionist impact of a recent EU proposal to say that U.S. companies cannot offer secure cloud computing in Europe unless they partner with a European cloud provider.

Paul Rosenzweig introduces us to one of the U.S. government's most impressive technical achievements in cyberdefense – tracking down, reverse engineering, and then killing Snake, possibly Russia's best hacking tool.

Paul and I chew over China's most recent self-inflicted wound in attracting global investment – the raid on Capvision. I agree that it's going to discourage investors who need information before they part with their cash. But I also offer a lukewarm justification for China's fear that Capvision's business model encourages leaks.

Maury reviews Chinese tech giant Baidu's ChatGPT-like search add-on. I wonder whether we can ever trust any such models for search, given their love affair with plausible falsehoods.

Paul reviews the technology that will be needed to meet what's looking like a national trend to  require social media age verification.

Maury reviews the ruling upholding the lawfulness of the UK's interception of Encrochat users. And Paul describes the latest crimeware for phones, this time centered in Italy.

Finally, in quick hits:

• I note that both the director and the career deputy director are likely to leave NSA in the next several months.
• And Maury and I both enthuse over Google's new "passkey" technology.

Download the 457th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

The willingness of Lina Khan's FTC to pursue untested -- and sometimes unlikely -- legal theories has been the subject of much sober commentary. But really, what fun is sober commentary?  So here's the Cybertoonz take on the FTC's new litigation strategy.  And, again, many thanks to Bing's Image Creator, which draws way better than I do.

The "godfather of AI" has left Google, offering warnings about the existential risks for humanity of the technology. Mark MacCarthy calls those risks a fantasy, and a debate breaks out between Mark, Nate Jones, and me. There's more agreement on the White House summit on AI risks, which seems to have followed Mark's "let's worry about tomorrow tomorrow" prescription. I think existential risks are a real concern, but I am deeply skeptical about other efforts to regulate AI, especially for bias, as readers of Cybertoonz know. I revert to my past view that regulatory efforts to eliminate bias are an ill-disguised effort to impose quotas, which provokes lively pushback from both Jim Dempsey and Mark.

Other prospective AI regulators, from the FTC's Lina Khan to the Italian data protection agency, come in for commentary. I'm struck by the caution both have shown, perhaps a sign they recognize the difficulty of applying old regulatory frameworks to this new technology. It's not, I suspect, because Lina Khan's FTC has lost its enthusiasm for pushing the law further than it can reasonably be pushed. This week's example of litigation overreach at the FTC include a dismissed complaint in a location data case against Kochava, and a wildly disproportionate 'remedy" for what look like Facebook foot faults in complying with an earlier FTC order.

Jim brings us up to date on a slew of new state privacy laws in Montana, Indiana, and Tennessee. Jim sees them as business-friendly alternatives to the EU's General Data Protection Regulation (GDPR) and California's privacy law.

Mark reviews  Pornhub's reaction to the Utah law on kids' access to porn. He thinks age verification requirements are due for another look by the courts.

Jim explains the state appellate court decision ruling that the NotPetya attack on Merck was not an act of war and thus not excluded from its insurance coverage.

Nate and I recommend Kim Zetter's revealing story on the  SolarWinds hack. The details help to explain why the Cyber Safety Review Board hasn't examined SolarWinds – and why it absolutely has to. The reason is the same for both: Because the full story is going to embarrass a lot of powerful institutions.

In quick hits,

• Mark makes a bold prediction about the fate of Canada's law requiring Google and Facebook to pay when they link to Canadian media stories: Just like in Australia, he predicts, the tech giants and Canadian media will reach a deal.
• Jim and I comment on the three-year probation sentence for Joe Sullivan in the Uber "misprision of felony" case -- and the sentencing judge's wide-ranging commentary.
• I savor the impudence of the hacker who broke into Russian intelligence agencies' bitcoin wallets and burned the money to post messages doxing the agencies involved.
• And for those who missed it, Rick Salgado and I wrote a Lawfare article on why CISOs should support renewal of Foreign Intelligence Surveillance Act (FISA) section 702, and Metacurity has now named it one of the week's "Best Infosec-related Long Reads."

Download 456th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Lawfare has published an op-ed on this topic by Rick Salgado and me.  The gist is that the government has been adapting FISA section 702 to thwart cyberspies and ransomware gangs. We argue that this gives CISOs a stake in the debate over renewing 702:

For Section 702 to be an effective weapon against cyberattacks, CISOs must become informed participants in the debate. If you are one of the many CISOs who think the government should do more to thwart attacks on your networks, your voice in defense of 702 is critical. But you should also hold the government's feet to the fire to make 702's potential real, through effective real-time threat sharing.

Perhaps the easiest way for corporate CISOs to get started is by educating company government affairs staff. Once you've explained what Section 702 could do to protect the company—especially if the government adopts measures to quickly share information with CISOs—you just need to ask that the company's public stance on Section 702 take into account the big contribution the law could make toward protecting the company's own networks.

We open this episode of the Cyberlaw Podcast with some actual news about the debate over renewing section 702 of FISA. That's the law that allows the government to target foreigners for a national security purpose and to intercept their communications in and out of the U.S. A lot of attention has been focused on what happens to those communications after they've been intercepted and stored, with some arguing that the FBI should get a second court authorization -- maybe even a warrant based on probable cause -- to search for records about an American. Michael J. Ellis reports that the Office of the Director of National Intelligence has released new data on such FBI searches. Turns out, they've dropped from almost 3 million last year to nearly 120 thousand this year. In large part the drop reflects the tougher restrictions imposed by the FBI on such searches.  Those restrictions were made public this week. It has also emerged that the government is using the database millions of times a year to identify the victims of cyberattacks. That's the kind of problem 702 is made for: some foreign hackers are a national security threat, and their whole business model is to use U.S. infrastructure to communicate (in a very special way) with U.S. networks. So it turns out that all those civil libertarians who want to make it hard for the government to search the 702 database for the names of Americans are actually proposing ways to slow down and complicate the process of warning hacking victims. Thanks a bunch, folks!

Justin Sherman covers China's plans to attack and even take over enemy (i.e., U.S.) satellites. The story is apparently drawn from the Discord leaks, and it has the ring of truth. I opine that DOD has gotten a little too comfortable waging war against people who don't really have an army, and that the Ukraine conflict shows how much tougher things get when there's an organized military on the other side. (Again, credit for our artwork goes to Bing Image Creator.)

Adam Candeub flags the next Supreme Court case to nibble away at the problem of social media and the law.  The Court will hear argument next year on the constitutionality of public officials blocking people who post mean comments on the officials' Facebook pages.

Justin and I break down a story about whether Twitter is complying with more government demands now that Elon Musk is in charge. The short answer is yes. This leads me to ask why we expect social media companies to spend large sums fighting government takedown and surveillance requests when it's so much cheaper just to comply. So far, the answer has been that mainstream media and Good People Everywhere will criticize companies that don't fight. But with criticism of Elon Musk's Twitter already turned up to 11, that's not likely to persuade him.

Adam and I are impressed by Citizen Labs' report on search censorship in China. We'd both like to see Citizen Lab do the same thing for U.S. censorship, which somehow gets less attention.  If you suspect that's because there's more U.S. censorship than U.S. companies want to admit, here's a bit of supporting evidence: Citizen Lab reports that the one American company still providing search services in China, Microsoft Bing, is actually more aggressive about stifling Chinese political speech than China's main search engine, Baidu. This jibes with my experience, when Bing's Image Creator refused to construct an image using Taiwan's flag. (It was OK using U.S. and German flags, but it also balked at China's.) To be fair, though, Microsoft has fixed that particular bit of overreach: You can now create images with both Taiwanese and Chinese flags.

Adam covers the EU's enthusiasm for regulating other countries' companies. It has designated 19 tech giants as subject to its online content rules. Of the 19, one is a European company, and two are Chinese (counting TikTok). The rest are American.

I introduce a case that I think could be a big problem for the Biden administration as it ramps up its campaign for cybersecurity regulation. Iowa and a couple of other states are suing to block the EPA's effort to impose cybersecurity requirements on public water systems. The problem from EPA's standpoint is that it used an "interpretation" of a statute that doesn't actually say much about cybersecurity.

Michael Ellis and I cover a former NSA director's business ties to Saudi Arabia – and confess our unease at the number of generals and admirals moving from command of U.S. forces abroad to a consulting gig with the countries where they just served. Recent restrictions on the revolving door for intelligence officers gets a mention.

Adam covers the Quebec decision awarding $500 thousand to a man who couldn't get Google to consistently delete a false story portraying him as a pedophile and conman.

Justin and I debate whether Meta's Reels feature has what it takes to be a plausible TikTok competitor. Justin is skeptical. I'm a little less so. Meta's claims about the success of Reels aren't entirely persuasive, but I think it's too early to tell.

The D.C. Circuit has killed off the state antitrust case trying to undo Meta's long-ago acquisition of WhatsApp and Instagram. The states waited too long, the court held. That doctrine doesn't apply the same way to the FTC, which will get to pursue the same lonely battle against long odds for years. If the FTC is going to keep sending its lawyers into dubious battles as though they were conscripts in Bakhmut, I ask, when will the Commission start recruiting in Russian prisons?

Well, that was fast. Adam tells us that the Brazil court order banning Telegram because it wouldn't turn over information on neo-Nazi groups has been overturned on appeal. But Telegram isn't out of the woods. The appeal court left in place fines of $200 thousand a day for noncompliance. That seems unsustainable for Telegram.

And in another regulatory walkback, Italy's privacy watchdog is letting ChatGPT return to the country. I suspect the Italian government is cutting a deal to save face as it abandons its initial position that ChatGPT violated data protection principles when it scraped public data to train the model.

Finally, in policies I wish they would walk back, four U.S. regulatory agencies claimed (plausibly) that they had authority to bring bias claims against companies using AI in a discriminatory fashion. Since I don't see any way to bring those claims without arguing that any deviation from proportional representation constitutes discrimination, this feels like a surreptitious introduction of quotas into several new parts of the economy, just as the Supreme Court seems poised to cast doubt on such quotas in higher education.

Download 455th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

For those who are interested in the Canadian Ski Marathon, here's my very informal introduction to the 2023 event.

Every government on the planet -- or nearly so -- announced last week an ambition to regulate artificial intelligence. Nate Jones and Jamil Jaffer take us through the announcements. What's particularly discouraging is the lack of imagination, as governments mostly dusted off their old prejudices to handle this new problem. Europe is obsessed with data protection, the Biden administration just wants to talk and wait and talk some more, while China must have asked an AI chatbot to assemble every regulatory proposal for AI ever made by anyone and translate it into Chinese law.

Meanwhile, companies trying to satisfy everyone are imposing weird limits on their AI, such as Microsoft's rule that asking for an image of Taiwan's flag is a violation of its terms of service. (For the record, so is asking for China's flag but not asking for an American or German flag.)

Matthew Heiman and Jamil take us through the strange case of the airman who leaked classified secrets on Discord. Jamil thinks we brought this on ourselves by not taking past leaks sufficiently seriously.

Jamil and I cover the imminent Montana statewide ban on TikTok. He thinks it's a harbinger; I think it may be a distraction that, like Trump's ban, produces more hostile judicial rulings.

Nate unpacks the California Court of Appeals' unpersuasive opinion on law enforcement use of geofencing warrants.

Matthew and I dig into the unanimous Supreme Court decision that should have independent administrative agencies like the FTC and SEC trembling. The court held that litigants don't need to wend their way through years of proceedings in front of the agencies before they can go to court and challenge the agencies' constitutional status. We both think that this is just the first shoe to drop. The next will be a full-bore challenge to the constitutionality of agencies beholden neither to the executive or Congress. If the FTC loses that one, I predict, the old socialist realist statue "Man Controlling Trade" that graces its entry may be replaced by one that both PETA and the Chamber of Commerce would probably like better. My thanks to Bing's Image Creator for the artwork.

In quick hits:

• I update listeners on the fight over renewal of Section 702 of the Foreign Intelligence Surveillance Act and the FBI's search of its 702 database for messages about Congressman Darin LaHood (R-IL). It's far from a scandal, and it may show that the whole effort to treat such searches as shocking privacy intrusions is bogus.
• Hackers have claimed deep access to Western Digital systems. The good news is that they seem unable to encrypt it all, so they're relying on doxing threats to earn the ransom they want.
• The Indian government has given itself authority to "fact check and order the deletion of social media posts. Nobody thinks that's a good idea, but when I ask whether it's all that different from the CDC/social media alliance that suppressed true information during COVID, Jamil disagrees. If you've missed our conservative catfights, you'll enjoy this.

Download 453rd Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

In this episode, we dive into some of the AI safety reports that have been issued in recent weeks. Jeffery Atik first takes us through the basics of attention-based AI, and then into reports on AI safety from OpenAI and Stanford. Exactly what AI safety covers remains opaque (and toxic, in my view, after the ideological purges committed in the name of "trust and safety" by Silicon Valley's content suppression bureaucracies). But there's no doubt that a potential existential issue lurks below the surface of the most ambitious AI projects.

Whether or not ChatGPT's stochastic parroting will ever pose a threat to humanity, Nick Weaver reports, it clearly poses a threat to a lot of people's reputations.

I confess that there's surprisingly little cyberlaw in the biggest intel leak of the last decade. It turns out that leakers can do as much damage as cyberspies, just by folding, carrying, and photographing classified documents. While there's some evidence that the Russian government may have piggybacked on the leak to sow disinformation, Nick says, the real puzzle is the leaker's motivation. That leads us to the question whether being a griefer is grounds for losing your clearance.

Paul Rosenzweig educates us about the Restricting the Emergence of Security Threats that Risk Information and Communications Technology (RESTRICT) Act, which would empower the administration to limit or ban TikTok. He highlights the most prominent argument against the bill, which is, no surprise, the discretion the act would confer on the executive branch. The bill's authors, Sen. Mark Warner (D-VA) and Sen. John Thune (R-SD), have responded to this criticism, but it looks as though they'll be offering substantive limits on executive discretion only in the heat of Congressional action.

Nick is impressed by the law enforcement operation that shuttered Genesis Market, where credentials were widely sold to hackers. The data seized by the FBI in the operation will pay dividends for years.

I give a warning to anyone who has left a sensitive intelligence job to work in the private sector: If your new employer has ties to a foreign government, the Director of National Intelligence has issued a new directive that (sort of) puts you on notice that you could be violating federal law. The directive has detailed provisions for how the intelligence community will tell its current employees about the new post-employment restrictions, but it offers very little guidance to intelligence community alumni who have already moved to the private sector.

Nick is enthusiastic about the tough tone taken by the Treasury in its report on the illicit finance risk in decentralized finance.

Paul and I cover Utah's bill requiring teens to get parental approval to join social media sites. After twenty years of mocking red states and their Congressional delegations for trying to control the internet's impact on kids, it looks to me as though Knowledge Class parents are getting worried about their own children. When the idea of age-checking internet users gets endorsed by the UK, Utah, and The New Yorker, I suggest, those arguing against the proposal may have a tougher time than they did in the 90s.

And in quick hits:

• Nick comments on the massive 3CX supply-chain hack, which seems to have been a fishing-with-dynamite effort to steal a few people's cryptocurrency.
• I raise doubts about a much-cited claim that a Florida city's water system was the victim of a cyber attack.
• Nick unloads on Elon Musk for drawing a German investigation over Twitter's failure to promptly remove hate speech.
• Paul and I note the UK's most recent paper on how to exercise cyber power responsibly.
• Nick and I puzzle over the conflict between the Biden administration and the New York Times about a government contract that supposedly undermined the administration's stance on spyware.
• And for those who listen to the podcast for news about the Canadian Ski Marathon, I have released a low-fi video that should appeal to both of you.

Download 452nd Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Dmitri Alperovitch joins the Cyberlaw Podcast to discuss the state of semiconductor decoupling between China and the West. It's a broad movement, fed by both sides. China has announced that it's investigating Micron to see if its memory chips should still be allowed into China's supply chain (spoiler: almost certainly not). Japan has tightened up its chip-making export control rules, aligning them with U.S. and Dutch restrictions, all with the aim of slowing China's ability to make the most powerful chips. Meanwhile, South Korea is boosting its chipmakers with new tax breaks, and Huawei is reporting a profit squeeze.

The Biden administration spent much of last week on spyware policy, Winnona DeSombre Berners reports. How much it actually accomplished isn't clear. The spyware executive order restricts U.S. government purchases of surveillance tools that threaten U.S. security or that have been misused against civil society targets. And a group of like-minded nations have set forth the principles they think should govern sales of spyware. But it's not as though countries that want spyware are going to have a tough time finding it, I observe, despite all the virtue signaling. Case in point: Iran is getting plenty of new surveillance tech from Russia these days. And spyware campaigns continue to proliferate.

Winnona and Dmitri nominate North Korea for the title "Most Innovative Cyber Power," acknowledging its creative use of social engineering to steal cryptocurrency and gain access to U.S. policy influencers.

Dmitri covers the Tiktok beat, including the prospects of the Restricting the Emergence of Security Threats that Risk Information and Communications Technology (RESTRICT) Act., which he still rates high despite criticism from the right. Winnona and I debate the need for another piece of legislation given the breadth of CFIUS review and International Emergency Economic Powers Act sanctions.

Dmitri and I note the arrival of GPT-4 cybersecurity, as Microsoft introduces "Security Copilot." We question whether this will turn out to be a game changer, but it does suggest that bespoke AI tools could play a role in cybersecurity (and pretty much everything else).

In other AI news, Dmitri and I wonder at Italy's decision to cut itself off from access to ChatGPT by claiming that it violates Italian data protection law. That may turn out to be a hard case to prove, especially since the regulator has no clear jurisdiction over OpenAI, which is now selling nothing in Italy. In the same vein, there may be a safety reason to be worried by how fast AI is proceeding these days, but the letter proposing a six-month pause for more safety review  is hardly persuasive – especially in a world where "safety" seems to mostly be about stamping out bad pronouns.

In news Nick Weaver will kick himself for missing, Binance is facing a bombshell complaint from the Commodities Futures Trading Commission (CFTC). (The Binance response is here.) The CFTC clearly had access to the suicidally candid messages exchanged among Binance's compliance team. I predict criminal indictments in the near future and wonder if the CFTC's taking the lead on the issue has given it a jurisdictional leg up on the SEC in the turf fight over who regulates cryptocurrency.

Finally, we close with a review of a  book arguing that pretty much anyone who ever uttered the words "China's peaceful rise" was the victim of a well-planned and highly successful Chinese influence operation.

Download 451st Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

The Capitol Hill hearings featuring TikTok's CEO lead off episode 450 of the Cyberlaw Podcast. The CEO handled the endless stream of Congressional accusations and suspicion about as well as could have been expected.  And it did him as little good as a cynic would have expected. Jim Dempsey and Mark MacCarthy think Congress is moving toward action on Chinese IT products – probably in the form of the bipartisan Restricting the Emergence of Security Threats that Risk Information and Communications Technology (RESTRICT) Act. But passing legislation and actually doing something about China's IT successes are two very different things.

The FTC is jumping into the policy arena on cloud services, Mark tells us, and it can't escape its DNA; it's dwelling on possible industry concentration and lock-in and not asking much about the national security implications of knocking off a bunch of American cloud providers when the alternatives are largely Chinese cloud providers. The FTC's myopia means that the administration won't get as much help as it could from the FTC on cloud security measures. I reissue my standard objection to the FTC's refusal to follow the FCC's lead in deferring on national security to executive branch concerns. Mark and I disagree about whether the FTC Act requires the Commission to limit itself to consumer protection.

Jim Dempsey reviews the latest AI releases, including Google's Bard, which seems to have many of the same hallucination problems as OpenAI's. Jim and I debate what I consider the wacky and unjustified fascination in the press with catching AI engaging in wrongthink. I believe it's just a mechanism for justifying the imposition of left-wing values on AI output – which already scores left/libertarian on 14 of 15 standard tests for identifying ideological affiliation. Similarly, I question the effort to stop AI from hallucinating footnotes in support of its erroneous facts. If ever there were a case for a separate AI citechecker, for generative AI correction of AI errors, the fake citation problem seems like a natural.

Speaking of Silicon Valley's lying problem, Mark reminds us that social media is absolutely immune for false user speech, even after it gets notice that the speech is harmful and false. He reminds us of his thoughtful argument in favor of tweaking section 230 to more closely resemble the notice and action obligations found in the Digital Millennium Copyright Act (DMCA). I argue that the DMCA has not so much solved the incentives for overcensoring speech as it has surrendered to them.  

Jim introduces us to an emerging trend in state privacy law: privacy bills that industry supports.  Iowa's new law is the exemplar; Jim questions whether it will satisfy users in the long run.  

I summarize Hachette v. Internet Archive, in which Judge John G. Koeltl delivers a harsh rebuke to internet hippies everywhere, ruling that the Internet Archive violated copyright in its effort to create a digital equivalent to public library lending. The judge's lesson for the rest of us: You might think fair use is a thing, but it's not. Get over it.

In quick hits,

• I note that the Cyberlaw Podcast scooped WIRED in covering the GSA's lies about the security of login.gov and its later effort to justify those lies by invoking "equity" – currently replacing patriotism as the last resort of scoundrels.
• And I offer a brief, nostalgic requiem for Toshiba, which is being broken up for scrap by what's left of Japan Inc. Thirty years ago, Toshiba was treated on the Hill like Huawei is today – a scary and unstoppable competitor who threatened the American way of life.  Now, not so much.

Download 450th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

GPT-4's rapid and tangible improvement over ChatGPT has more or less guaranteed that it or a competitor will be built into most new and legacy IT products. Some of those applications will be pointless; but some will change users' world. In this episode, Sultan Meghji, Jordan Schneider, and Siobhan Gorman explore the likely impact of GPT4, from Silicon Valley to China.

Kurt Sanger joins us to explain why Ukraine's IT Army of volunteer hackers creates political, legal, and maybe even physical risks for the hackers and for Ukraine. This may explain why Ukraine is looking for ways to "regularize" their international supporters, and probably to steer them toward defending Ukraine's infrastructure rather than attacking Russia's.

Siobhan and I dig into the Biden administration's latest target for cybersecurity regulation  -- cloud providers.  I wonder if there isn't a bit of bait and switch in operation here. The administration seems at least as intent on regulating cloud providers to catch hackers as to improve defenses.

Say this for China: It never lets a bit of leverage go to waste, even when it should. Case in point: To further buttress its seven-dash-line claim to the South China Sea, China is demanding that companies get Chinese licenses to lay submarine cable in the contested territory. That, of course, incentivizes the laying of cables much further from China, out where they'll be harder for the Chinese to deal with in a conflict. That doesn't sound smart, but some Beijing bureaucrat will no doubt claim it as a win for the wolf warriors. Ditto for the Chinese ambassador's response to the Netherlands restricting chip-making equipment sales to China, which boiled down to "We will make you pay for that. We just don't know how yet." The U.S. is not always good at dealing with other countries or the private sector, so it's nice to be competing with a country that is demonstrably worse at it.

The Security and Exchange Commission has gone from catatonic to hyperactive on cybersecurity. Siobhan notes its latest 48-hour incident reporting requirement and the difficulty of reporting anything useful in that time frame.

Kurt and Siobhan bring their expertise as parents of teens and aspiring teens to the TikTok debate.

I linger over the extraordinary and undercovered mess created by "18F" -- the General Service Administration's effort to bring Silicon Valley's can-do culture to the government's IT infrastructure. It looks like they managed to bring Silicon Valley's arrogance, its political correctness, and its penchant for breaking things but forgot to bring either competence or honesty. Login.gov was 18F's online identity verification for federal agencies disbursing  benefits or otherwise dealing with the public. 18F sold it to a host of federal agencies that wanted to control fraud during the pandemic. But it never delivered the biometric checks that federal standards required. First, 18F lied to its federal customers about how or whether it was using biometrics. When it finally admitted the lie, it brazenly claimed it was not checking because the technology was, wait for it, racially biased. This claim ran counter to the only available evidence (GSA claimed that it did its own bias research, research that was apparently never published). Oh, and it refused to give back the $10 million it charged its victims, arguing that the work it did on the project cost more than it billed them, so they didn't lose anything. Except for the fraud that bad identity checks likely enabled in the middle of COVID handouts, a loss everyone has been decidedly incurious about.  And one more thing: Among the victims of 18F's scam was Senator Ron Wyden (Ore.), who touted login.gov and its phony biometric checks as the "good" alternative to ID.me, a private identity-checker that encountered political flak over its contract with the IRS. Bottom line advice for 18F alumni: It's not too late to start scrubbing the entity from your LinkedIn profile.

The Knicks have won some games. Blind pigs have found some acorns. But Madison Square Garden (and Knicks) owner, Jimmy Dolan is still pouring good money into his unwinnable but highly entertaining fight to use facial recognition against lawyers he does not want in the Garden. Kurt offers commentary, and probably saves himself the cost of Knicks tickets for all future playoff games.

Finally, in listener feedback, I give Simson Garfinkel's answer to a question I asked (and should have known the answer to) in episode 448.

Download 449th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

This episode of the Cyberlaw Podcast kicks off with the sudden emergence of a serious bipartisan effort to impose new national security regulations on what companies can be part of the U.S. information technology and content supply chain. Spurred by a stalled CFIUS negotiation with TikTok, Michael Ellis tells us, a dozen well-regarded Democrat and Republican Senators have joined to endorse the Restricting the Emergence of Security Threats that Risk Information and Communications Technology (RESTRICT) Act, which authorizes the exclusion of companies based in hostile countries from the U.S. economy. The administration has also jumped on the bandwagon, making the adoption of some legislation on the topic more likely than in the past. 

Jane Bambauer takes us through the district court decision upholding the use of a "geofence warrant" to identify January 6th rioters. We end up agreeing that this decision (and the context) turned out to be the best possible for the Justice Department, silencing the usual left-leaning critics of law enforcement technological adaptation.

Just a few days after issuing a cybersecurity strategy that calls for more regulation, the administration is delivering what it called for. The Transportation Security Administration (TSA) has issued emergency cybersecurity orders for airports and aircraft operators that, I argue, take the regulatory framework from a few baby steps to a plausible set of minimum requirements. Things look a little different in the water and sewage sector, where the regulator is the Environmental Protection Agency (EPA) – not known for its cybersecurity expertise – and the authority to regulate is grounded if at all in very general legislative language. To make the task even harder, EPA is planning to impose its cybersecurity standards using an interpretive rule, against a background in which Congress has done just enough cybersecurity legislating to undermine the case for adopting a broad interpretation.

Jane explores the story that Google was deterred from releasing its impressive AI technology by fear of bad press. That leads us to a meditation on politics inside companies with a guaranteed source of revenue. I offer hope that Google's fears about politically incorrect AI will infect Chinese tech firms.

Jane and I reprise the debate over the United Kingdom's Online Safety Act and end-to-end encryption, which leads to a poli-sci tour of European policymaking institutions.

The other cyber and national security news in Congress is the ongoing debate over renewal of section 702 of the Foreign Intelligence Surveillance Act (FISA), in which it appears that the FBI scored an own-goal. An FBI analyst did unauthorized searches in the 702 database for intelligence on one of the House intelligence committee's moderates, Rep. Darin LaHood, R-Ill. Details are sketchy, Michael notes, but the search was disclosed by Rep. LaHood, and it is bound to have led to harsh questioning during the FBI director's classified testimony, Meanwhile, at least one member of the President's Civil Liberties and Oversight Board is calling for what could be a crippling "reform" of 702 database searches.

Jane and I unpack the controversy surrounding the Federal Trade Commission's investigation of Twitter's compliance with its most recent consent decree. On the law, Elon Musk's Twitter is on its back foot. On the political front, however, the two organizations are more evenly matched. Chances are, both parties are overestimating their own strengths, which could foretell a real donnybrook.

Michael assesses the stories saying that the Biden administration  is preparing new rules to govern outbound investment in China. He is skeptical that we'll see heavy regulation in this space.

In quick hits,  

• Jane explains the 9th Circuit decision saying that Twitter can be prohibited from publishing a full report on how many FBI probes it answered
• Jane and I puzzle over reports that a Colorado Catholic group bought app data to track gay priests.

Download 448th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

I've finished the second in what I hope will be a series of posts exploring the risk of partisan abuse of U.S. intelligence authorities. (For the other, see this opinion piece, coauthored with Michael Ellis.) Section 702 renewal is on the agenda for Congress in 2023, and building support for renewal means taking seriously complaints on the right that intelligence agencies were affected by partisan bias in their treatment of Donald Trump's candidacy, presidency, and staff. This means asking whether past practices created at least an appearance or a risk of partisan abuse -- and thus whether any intelligence reforms should address those risks.

In my latest look at the issue, in Lawfare, I note that "respectable" opinion is finally acknowledging that press stories about a Trump-Russia connection may have been slanted by mainstream media, and I examine the role that media bias played in the early stages of the FBI's investigation of Trump world. A few excerpts below:

The Trump-Russia media saga began with a bit of journalistic malpractice. As the GOP convention was preparing to nominate Trump, Gerth tells us, the Washington Post ran one of the early attacks on Trump for kowtowing to Russian interests: a July 18 opinion column from Josh Rogin headlined, "Trump campaign guts GOP's anti-Russian stance on Ukraine." It was wrong. In Gerth's understated words:

The story would turn out to be an overreach. Subsequent investigations found that the original draft of the platform was actually strengthened by adding language on tightening sanctions on Russia for Ukraine-related actions, if warranted, and calling for "additional assistance" for Ukraine. What was rejected was a proposal to supply arms to Ukraine, something the Obama administration hadn't done.

A critical part of the FBI's case against Page was the claim that his many contacts with Russians were part of what its affidavit called "a well-developed conspiracy of cooperation" between the Trump campaign and the Russian government. That's a remarkable claim, and it naturally gives rise to the question of exactly what the parties did to advance this "well-developed conspiracy." The FBI's answer was the GOP platform change—it was presented as a clear step by Trump's associates to move GOP policy closer to protecting Putin's interests.

As evidence of this crucial element, the affidavit relied on what it called an "article in an identified news organization" (that is, Rogin's op-ed) and "assesse[d] that, following Page's meetings in Russia, Page helped influence [the Republican Party] and [the Trump] campaign to alter their platforms to be more sympathetic to the Russian cause." That "assessment" had no basis in fact or any independent investigation; it relied entirely on the inaccurate opinion pieces in the Post, the Times, and the Atlantic.

I go on to suggest FISA reforms to address the problems surfaced by an FBI performance in the Crossfire Hurricane investigation that was disappointing at best -- and a partisan abuse of FISA at worst. You can read the whole thing here: https://www.lawfareblog.com/vicious-cycle-how-press-bias-fed-fisa-abuse-trump-russia-panic

Our last episode of the Cyberlaw Podcast (No. 446) was a long interview on the U.S. national cybersecurity strategy with Chris Inglis, until recently the national cybersecurity director.  So this episode 447 focuses only on the most controversial recommendation in the strategy – liability for certain security flaws.  Nick Weaver, Maury Shenk and I explore the pros and cons of what's become known as cybersecurity's third rail.

Turning to the U.K., Maury brings us up to date on the pending Online Safety Bill. Signal has threatened to "walk" out of the U.K. if the bill's protections for children threaten its end-to-end encryption ideology. Far from being deterred, members of Parliament are pushing for a tougher bill, and the government is being forced to accommodate them with tough criminal penalties for Big Tech execs who do not take their obligations sufficiently seriously.

Is the Biden administration getting ready to impose restrictions on outbound U.S. investment in critical Chinese industries?  The Wall Street Journal says it is, but Justin Sherman thinks that the administration may just be meeting Congress's requirements for a briefing on the topic. Meanwhile, I wonder whether we've got this tech control thing backwards. If ASPI , the Australian think tank, is right, the U.S. has already lost the lead to China in 37 of 44 critical new technologies, so what we really need to worry about is Chinese restrictions on U.S. access to its technology.  

Maury and I explore "woke AI," the notion that the "ethical guardrails" built into ChatGPT and other engines are simply disguised forms of political bias. Maury notes that Justice Gorsuch has questioned whether AI engines might have the protection of section 230. That seems like a legally dubious proposition to us, but don't underestimate the willingness of Big Tech's lawyers to argue the point.

TikTok suffered a setback on the Hill last week, as Republicans passed out of committee a bill effectively banning the app. It was a party line vote, showing how what had been a bipartisan issue is now fraying into partisanship, at least in the House. In the Senate, though, Senate Intelligence Committee Chair Mark Warner is working toward a similar outcome on a bipartisan basis, creating real jeopardy for the company over the next two years. If anyone should be hoping China does not sell arms to Russia, I suggest, it is TikTok.

Speaking of China, the most eye-opening story of the week comes from the Globe and Mail. It breaks a story about how aggressively China tried (and with real success) to tilt the 2021 Canadian national election toward the Liberals, using tactics we are bound to see in other countries.  My favorite? Persuading China-friendly companies to hire students from China in Canada and then release them to "volunteer" for the CCP's favored candidate.

In other China news, Maury and Nick note that Elon Musk's remarks lending credibility to the Wuhan lab leak theory drew a brushback pitch from official Chinese sources, and Nick and I puzzle over stories that China plans to launch 13,000 satellites to keep up with Starlink. Meanwhile, Twitter's revenue continues to sink. I think we can see bottom for the company, but Nick thinks not.

Nick overcomes my skepticism about Meta's deployment of a tool for taking down nude photos and worse. It is a variant of existing methods, but it has the advantage of not requiring victims to send their nude photos to Meta.

Justin responds to my criticism a few episodes back of Duke's study claiming that Americans' mental health data is being sold by data brokers.

In quick hits,

• Nick boldly predicts that autonomous drones are coming to the Ukraine war. In fact, there's a good chance that he'll be sending them there himself.
• Nick schools me on the (qualified) success of 3D-printed guns.
• I note that the Biden administration is now beginning to make the case for renewal of section 702 of FISA.
• Nick and I chew over LastPass's explanation of how it lost control of everyone's passwords.  Our most troubling conclusion is that unless some cybercriminal starts exploiting that breach, we should all assume that the passwords were stolen for espionage, likely by China.
• And, finally, Nick gets to plug his very good paper on the likely Death of Cryptocurrency.

Download 447th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.