Skating on Stilts

Whatever else the pundits are saying about the use of cyberattacks in the Ukraine war, Dave Aitel notes, they all believe it confirms their past predictions about cyberwar. And in fact, not much has been surprising about the cyber weapons the parties have deployed, Scott Shapiro agrees. The Ukrainians have been doxxing Russia’s soldiers in Bucha and its spies around the world. The Russians have been attacking Ukraine’s grid. What’s surprising is that the grid attacks have not seriously degraded civilian life, plus how hard the Russians have had to work to have any effect at all. Cyberwar isn’t a bust, exactly, but it is looking a little overhyped. In fact, Scott suggests, it’s more like a confession of weakness than of strength: “My military attack isn’t up to the job, so I’ll throw in some fancy cyberweapons to impress The Boss.”

Would it have more impact in the U.S.? We can’t know until the Russians (or someone else) gives it a try. We should certainly have a plan for responding, and Dmitri Alperovitch and Sam Charap have offered theirs: Shut down Russia’s internet for a few hours just to show we can. It’s better than no plan, but we’re not ready to say it’s the right plan, given its limited impact and high cost in terms of exploits exposed.

Much more surprising, and therefore more interesting, is the way Ukrainian mobile phone networks have become an essential part of Ukrainian defense. As discussed in a good blog post, Ukraine has made it easy for civilians to keep using their phones without paying, no matter where they travel in the country and no matter which network they find there. At the same time, Russian soldiers are finding that the network is a dangerous honeypot. Dave and I think there are lessons there for emergency administration of phone networks in other countries.

Gus Hurwitz draws the short straw and sums up the second installment of the Elon Musk v. Twitter story. We agree that Twitter’s poison pill probably kills Musk’s chances of a successful takeover. So what else is there to talk about? In keeping with the confirmation bias story, I take a short victory lap for having predicted that Musk would try to become the Rupert Murdoch of the social oligarchs. And Gus helps us enjoy the festschrift of hypocrisy from the Usual Sources declaring that the preservation of democracy depends on internet censorship, administered by their friends.

Scott takes us deep on pipeline security, citing a colleague’s article for Lawfare on the topic. He thinks responsibility for pipeline security should be moved from Transportation Security Administration (TSA) to the Federal Energy Regulatory Commission (FERC), because, well, TSA. The Biden administration is similarly inclined, but I’m not enthusiastic; TSA may not have shown much regulatory gumption until recently, but neither has FERC, and TSA can borrow all the cyber expertise it needs from its sister agency, CISA. An option that’s also open to FERC, Scott points out.

You can’t talk pipeline cyber security without talking industrial control security, so Scott and Gus unpack a recently discovered ICS malware package that is a kind of Metasploit for attacking operational tech systems. It’s got a boatload of features, but Gus is skeptical that it’s the best tool for causing major havoc in electric grids or pipelines. Also, remarkably, it seems to have been disclosed before the nation state that developed it could actually use it against an adversary. Now that’s defending forward!

As a palate cleanser, we ask Gus to take us through the latest in EU cloud protectionism. It sounds like a measure that will hurt U.S. intelligence but do nothing for Europe’s effort to build its own cloud industry. I recount the background story, from subpoena litigation to the CLOUD Act to this latest counter-CLOUD attack. The whole thing feels to me like Microsoft playing both sides against the middle.

Finally, Dave takes us on a tour of the many proposals being launched around the world to regulate the use of Artificial Intelligence (AI) systems. I note that Congressional Dems have their knives out for the face recognition vendor, id.me. And I return briefly to the problem of biased content moderation. I look at research showing that Republican Twitter accounts were four times more likely to be suspended than Democrats after the 2020 election, which seems at first glance like a smoking gun for moderator bias. But I find myself at least tentatively persuaded by further research showing that the Republican accounts were four times as likely to tweet links to sites that a balanced cross section of voters considers unreliable. Where is confirmation bias when you need it?

Download the 403rd Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

The theme of this episode of the Cyberlaw Podcast is, “Be careful what you wish for.“  The wish for techlash regulation is still growing around the world.  Mark MacCarthy  takes us through a week’s worth of regulatory enthusiasm.  Canada is planning to force Google and Facebook to pay Canadian news media for links. It sounds simple, but arriving at the right price – and the right recipients -- will require a hefty dose of discretionary government intervention. Meanwhile, South Korea’s effort to regulate Google’s Android app store policies, which also sounds like a simple undertaking, is quickly devolving into an elaborate effort at price regulation. The movement continues, Mark notes, even in China, which once seemed to be moderating its hostility to tech platforms; yet the Chinese government just announced algorithm compliance audits for TenCent and ByteDance.

Nobody is weeping for Big Tech, but anybody who thinks this kind of thing will really hurt the tech giants has never studied the history of AT&T – or of Rupert Murdoch for that matter. Incumbent tech companies have the resources to protect themselves from undue regulatory burdens – and to make sure competitors will be crushed by them. The one missing chapter in a story of gradual mutual accommodation between Big Tech and Big Government, I argue, is a Rupert Murdoch figure – someone who will use his platform unabashedly to curry favor not from the left but from the right. It’s an unfilled niche, and a profitable one: even a moderately conservative Big Tech company is likely to find all the close regulatory calls being made in its favor as soon as the GOP takes power. If you think that’s unlikely, you missed the last week of tech news. Elon Musk, whose entire business empire is built on government spending, is already toying with occupying a Silicon Valley version of the Rupert Murdoch niche. His acquisition of nearly 10% of Twitter is an opening gambit that is likely to make him a conservative(ish) antidote to Silicon Valley’s political monoculture. Recent complaints that the internet is becoming politically splintered are wildly off the mark today, but they may yet come true.

Nick Weaver brings us back to earth with a review of the FBI’s successful (for now) takedown of the Cyclops Blink botnet – a Russian cyber weapon that was disabled before it could be fired. Nick reminds us that the operation was only made possible by a change in search and seizure procedures that the Electronic Frontier Foundation (EFF) and friends condemned as outrageous just a decade ago. In addition, he reports, Western law enforcement last week broke the Hydra dark market. In more good news, Nick takes us through the ways in which bitcoin’s traceability has enabled authorities to bust child sex rings around the globe.

Nick also brings us This Week in Bad News for Surveillance Software: FinFisher is bankrupt. The EU is investigating Israeli surveillance software on its ministers’ phones; and Google has banned apps that use particularly intrusive data collection tools, the latter having been outed by Nick’s colleagues at the International Computer Science Institute.

Finally, Europe is building a vast network to do face recognition across the continent. I celebrate the likely defeat of ideologues who’ve been trying to toxify face recognition for years. And I note that one of my last campaigns at the Department of Homeland Security (DHS) was a series of international agreements that lock European law enforcement into sharing of such data with the United States. Defending those agreements, of course, should be a high priority for the State Department’s on-again off-again (and now on again) cyber bureau.

Download the 402nd Episode (mp3

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Spurred by a Cyberspace Solarium op-ed, Nate Jones gives an overview of cybersecurity worries in the maritime sector, where there is certainly plenty to worry about. I critique the U.S. government’s December 2020 National Maritime Cybersecurity Strategy, a 36-page tome that, once the intro and summary and appendices and blank pages are subtracted, boils down to eight pages of substance. Luckily, the Atlantic Council has filled the void with its own report on the topic.

Of course, the maritime sector isn’t the only one we should be concerned about. Sultan Meghji points to the deeply troubling state of industrial control security, as illustrated by a “10 out of 10” vulnerability recently identified in a Rockwell Automation ICS system.

Still, sometimes software rot serves a good purpose. Maury Shenk tells us about decay in Russia’s SORM – a site-blocking system that may be buckling under the weight of the Ukraine invasion. Talking about SORM allows me to trash a nothingburger story perpetrated by three New York Times reporters who ought to know better. Adam Satariano, Paul Mozur and Aaron Krolik should be ashamed of themselves for writing a long story suggesting that Nokia did something wrong by selling Russia telecom gear that enables wiretaps. Since the same wiretap features are required by Western governments as a matter of law, Nokia could hardly do anything else. SORM and its abuses were all carried out by Russian companies. I suspect that, after wading through a boatload of leaked documents, these three (three!) reporters just couldn’t admit there was no there there.

Nate and I note the emergence of a new set of secondary sanctions targets as Treasury begins listing companies that it sees as part of a sanctions evasion network. We also puzzle over the surprising pushback on proposals to impose  sanctions on Kaspersky, If the WSJ is correct, and the reason is fear of cyberattacks if the Russian firm is sanctioned, isn’t that reason enough to sanction them out of Western networks?

Sultan and Maury remind us that regulating cryptocurrency is wildly popular with some, including Sen. Elizabeth Warren and the EU Parliament. Sultan remains skeptical that sweeping regulation is in the cards. He is much more bullish on Apple’s ability to upend the entire fintech field by plunging into financial services with enthusiasm. I point out that it’s almost impossible for a financial services company to maintain a standoffish relationship with government, so Apple may have to change the tune it’s been playing in the U.S. for the last decade.

Nate and I plumb some of the complexities of a story Brian Krebs broke about hackers exploiting the system by which online services provide subscriber information to law enforcement in an emergency.

Speaking of Krebs, we dig into Ubiquiti’s defamation suit against him. The gist of the complaint is that Krebs relied on a “whistleblower” who turned out to be the perp, and that Krebs didn’t quickly correct his scoop when that became apparent. My sympathies are with Krebs on this one, at least until Ubiquiti fills in a serious gap in its complaint – the lack of any allegation that the company told Krebs that he’d been misled and asked for a retraction. Without that, it’s hard to say that Krebs was negligent (let alone malicious) in reporting allegations by an apparently well-informed insider.

As the episode draws to a close, Maury brings us up to speed on the (still half-formed) U.K. online harms bill and explains why the U.K. government was willing to let the subsidiary of a Chinese company buy the U.K.’s biggest chip foundry. Sultan finds several insights in an excellent CNN story about the Great Conti Leak.

And, finally, I express my qualms about the indictment (for disclosing classified information) of Mark Unkenholz, a highly competent NSA lifer whom I knew while in government. To my mind the prosecutors are going to have to establish that Unkenholz did something very different from the kind of disclosures that were a standard part of his job. You can't do the kind of commercial outreach he did without encountering tech companies that have no security clearances but plenty of capabilities valued by the intelligence community. You either give the companies' uncleared execs enough classified information to understand what you need or you get no help. In that milieu, it simply isn't enough for prosecutors to say, "He gave classified information to someone without a clearance; he should be in jail."

Download the 401 Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

With the U.S. and Europe united in opposing Russia’s attack on Ukraine, a few tough transatlantic disputes are being swept away – or at least under the rug.  Most prominently, the data protection crisis touched off by the Court of Justice of the EU in Schrems 2 has been resolved in principle by a new framework agreement between the U.S. and the EU.  Michael Ellis and Paul Rosenzweig trade insights on the deal and its prospects before the CJEU. The most controversial aspect of the agreement is the lack of any change in U.S. legislation. That solution is the result of simple vote-counting if you’re from Washington, but the CJEU clearly expected that it was dictating legislation for the U.S. Congress to adopt, so Europe’s acquiescence in a no-legislation solution may simply kick the can down the road until the next CJEU ruling. The lack of legislation will be felt in particular, Michael and Paul aver, when it comes to providing remedies to European citizens who feel their rights have been trampled.  Instead of going to court, they’ll be going to an administrative body with executive branch guarantees of independence and impartiality. Well, it's worth a try. We congratulate several old friends of the podcast who patched this solution together.

The Russian invasion of Ukraine, meanwhile, continues to throw off new tech stories. Nick Weaver updates us on the single most likely example of Russia using its cyber weapons effectively for military purposes – the bricking of Ukraine’s (and a bunch of other European) Viasat terminals. Alex Stamos and I consider whether the social media companies recently evicted from Russia, especially Instagram, should be induced or required to provide information about their former subscribers’ interests to allow microtargeting of news that might break through Putin’s information management barriers; along the way we examine why it is that tech’s response to Chinese aggression has been so less vigorous. Speaking of microtargeting, Paul gives kudos to the FBI for its microtargeted “talk to us” Russian language ads, only visible within 100 yards of the Russian embassy in Washington. Finally, Nick Weaver and  Mike mull the significance of Israel’s determination not to sell sophisticated cell phone surveillance malware to Ukraine.

Returning to Europe-U.S. tension, Alex and I unpack the European Digital Markets Act, which regulates a handful of U.S. companies as “digital gatekeepers.“ I think it’s a plausible response to network-effect monopolization, but ruined by anti-Americanism and the persistent illusion that the EU can regulate its way to a viable tech industry. Alex has a similar take, noting that the adoption of end-to-end encryption was a big privacy victory, thanks to WhatsApp, an achievement that the Digital Markets Act may undo in its attempt to force standardized interoperable messaging on gatekeepers.

Nick walks us through the surprising achievements of the gang of juvenile delinquents known as Lapsus$. Their breach of Okta offers an occasion for speculation about how lawyers skew cyber incident response in directions that turn out to be very bad for the breach victim. Alex vividly captures the lawyerly dynamics that hamper effective response.  While we’re talking ransomware, Michael cites to a detailed report on corporate responses to REvil breaches, authored by the minority staff of the Senate Homeland security committee. Neither the FBI nor CISA comes out of it looking good.  But the bureau earns more criticism, which may explain why no one paid much attention when the FBI demanded changes to the cyber incident reporting bill.

Finally, Nick and Michael debate whether dream pop musician (and Elon Musk sweetheart) Grimes could be prosecuted for computer crimes after confessing to having DDOSed an online publication for an embarrassing photo of her. Just to be on the safe side, we conclude, maybe she shouldn’t go back to Canada. And Paul and I praise a brilliant WIRED op-ed proposing that Putin’s Soviet empire nostalgia deserves a wakeup call; according to the authors (Rosenzweig and Baker, as it happens), least ICANN should kill off the Soviet Union’s out-of-date .su country code.

And many thanks to the loyal listeners who turned up on line today to watch us record this episode live and with video. It was fun, and we'll do it again some time soon.

 Download the 400th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

A special reminder for fans of the Cyberlaw Podcast that we will be doing episode 400 live in audio and video and with audience participation on March 28, 2022 at noon Eastern daylight time. So, mark your calendar and when the time comes, use this link to join the audience:

https://riverside.fm/studio/the-cyberlaw-podcast-400

See you there!

There's nothing like a serious shooting war to bring out the paranoia and mistrust, and the Russian invasion of Ukraine is generating mistrust on all sides.

Everyone expected a much more damaging cyberattack from the Russians, and no one knows why it hasn't happened yet. Dave Aitel walks us through some possibilities. Cyberattacks take planning, and Russia's planners may have believed they wouldn't need to use large-scale cyberattacks—apart from what appears to be a pretty impressive bricking of the Viasat terminals used extensively by Ukrainian forces. Now that the Russians could use some additional cyber weapons in Ukraine, the pace of the war may be making it hard to build and deploy them. None of that is much comfort to the Western countries that have imposed sanctions, since their infrastructure makes a nice fat sitting-duck target, and may draw fire soon if American intelligence warnings prove true.

Meanwhile, Matthew Heiman reports, the effort to shore up cyber defenses is leading to a cavalcade of paranoia. Has the UK defense ministry banned the use of WhatsApp due to fears that it's been compromised by Russia? Maybe. But WhatsApp has long had known security limitations that might justify downgrading its use on the battlefield. Speaking of ambiguity and mistrust, Telegram use is booming in Russia, Dave Aitel says, either because the Russians know how to control it or because they can't.  Take your pick.

Speaking of mistrust, the German security agency has suddenly discovered that it can't trust Kaspersky products.  Good luck finding them, Dave offers, since many have been white-labeled into other companies' software. He has limited sympathy for the agency, which resolutely ignored U.S. warnings about Kaspersky for years.

Even when governments aren't subverting software, the war is producing products that can't be trusted. One open-source maintainer of a popular open-source tool turned it into a data wiper for anyone whose computer looks Belarussian or Russian. What could possibly go wrong with that plan?

Meanwhile, people who've advocated tougher cybersecurity regulation are doing a victory lap in the press about how it will bolster our defenses.  It'll help, I argue, but only some, and at a cost of new failures. The best example is TSA's effort to regulate pipeline cybersecurity, which has long struggled to find its feet while being critiqued by an industry that has been hostile to the whole effort from the start.

The most interesting impact of the war is in China. Jordan Schneider explores how China and Chinese companies are responding to sanctions on Russia. Jordan argues that Chinese companies will follow their economic interests and adhere to sanctions – at least where it's clear they're being watched – despite online hostility to sanctions among Chinese digerati.

Matthew and I think more attention needs to be paid to Chinese government efforts to police and intimidate overseas Chinese, including Chinese Americans, in the United States. The Justice Department for one is paying attention; it has arrested several alleged Chinese government agents engaged in such efforts.

Jordan unpacks China's new guidance on AI algorithms. I offer grudging respect to the breadth and value of the  topics covered by China's AI regulatory endeavors.

Dave and I are disappointed by a surprise package in the FY 22 omnibus appropriations act. Buried on page 2334 is an entire smorgasbord of regulation for intelligence agency employees who go looking for jobs after leaving the intelligence community.  This version is better than the original draft, but mainly for the intelligence agencies; intelligence professionals seem to have been left out in the cold when revisions were proposed.

Matthew does an update on the peanut butter sandwich spies who tried to sell nuclear sub secrets to a foreign power that the Justice Department did not name at the time of their arrest. Now that country has been revealed. It's Brazil, apparently chosen because the spies couldn't bring themselves to help an actual enemy of their country.

And finally, I float my own proposal for the nerdiest possible sanctions on Putin. He's a big fan of the old Soviet empire, so it would be fitting to finally wipe out the last traces of the Soviet Union on the internet, where the .su country code has lingered for thirty years too long in the Internet domain system.  Check WIRED magazine for my upcoming op-ed on the topic.

Download the 399th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Download the 398th Episode (mp3).

A special reminder that we will be doing episode 400 live on video and with audience participation on March 28, 2022 at noon Eastern daylight time. So mark your calendar and when the time comes, use this link to join the audience:

https://riverside.fm/studio/the-cyberlaw-podcast-400

See you there! You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Much of this episode is devoted to the new digital curtain falling across Europe. With usual host Stewart Baker away from the microphone, Gus Horwitz and Mark-MacCarthy review the tech boycott that has seen companies like Apple, Samsung, Microsoft and Adobe pull their service from Russia. Nick Weaver describes how Russia has cracked down on independent Russian media outlets and blocked access to the websites of foreign media including the BBC and Facebook.  Gus reports on an apparent Russian decision to require all servers and domains to transfer Russian zone, thereby disconnecting itself from the global internet.

Mark describes decisions by private companies in the U.S. to exclude Russian media from their systems, including how DirecTV’s decision to drop RT America led the Russian 24-hour news channel to shutter its operations. In contrast, the EU officially shut down all RT and Sputnik operations, including their apps and websites. Nick wonders if the enforcement mechanism is up to the task of taking down the websites. Gus, Dave and Mark discuss the mythmaking in social media about the Ukrainian war such as the Ghost of Kyiv, and wonder if fiction might do some good to keep up the morale of the besieged country.

Dave Aitel reminds us that despite the apparent lack of cyberattacks in the war, more might be going on under the surface. He also he gives us details about the internal attack that affected the Conti Ransomware gang when they voiced support for Russia. Nick opines that cryptocurrencies do not have the volume to serve as an effective way around the financial sanctions against Russia. Sultan Meghji agrees that the financial sanctions will accelerate the move away from the dollar as the world’s reserve currency and is skeptical that a principles-based constraint will do much good to halt that trend.

A few things happened other than the war in Ukraine, including President Biden’s first state of the union address. Gus notices that much of the speech was devoted to tech. He notes that the presence in the audience of Frances Haugen, the Facebook whistleblower, highlighted Biden’s embrace of stronger online children’s privacy laws and that the presence of Intel CEO Patrick Gelsinger gave the President the opportunity to pitch his plan to support domestic chip production.

Sultan and Dave discuss the cybersecurity bill that passed out of the Senate unanimously. It would require companies in critical sectors to report cyberattacks and ransomware to the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA). They also analyze the concerns that companies have about providing information to the FBI. Dave thinks the bills that were discussed in this week’s House Commerce hearing to hold Big Tech accountable, respond to widespread public concerns about tech’s surveillance business model, but still he thinks they are unlikely to  become law.

Gus says that Amazon’s certification that it has responded to the Federal Trade Commission’s inquiries about its proposed $6.5 billion MGM merger triggers a statutory deadline for the agency to act. It is not the company’s fault, he says, that the agency has a 2-2 between Democrats and Republicans that will likely prevent them opposing the merger in time. Mark takes the opportunity to note that the Senate Commerce committee sent the nominations of Alvaro Bedoya for the Federal Trade Commission and Gigi Sohn for the Federal Communications Commission to the Senate floor, but that it will likely be several months before the full Senate would act on the nominations.

Finally, Nick argues that certain measures in the European Commission’s proposed digital identity framework, aiming to improve authentication on the web, would in practice have the opposite effect -- potentially dramatically weakening web security.

Finally, two or three announcements about the podcast.  We have decided to celebrate episode 400 by inviting our listeners to watch in real time.  We'll be doing the podcast at noon Eastern on March 28, with the exact mechanism for listener viewing and participation still to be determined.  More on that to come, but this is the time to mark your calendars.  

We're still thinking about doing an episode in person as well, but lingering covid restrictions mean that we've postponed that event for a month or two.

And, finally, with the upcoming departure of our sound and substance guru, Jacob Nelson, we're in the market for a replacement.  The job is part-time, and it will pay, though maybe not a lot. If you'd like a chance to meet the cast of the episode, think deep thoughts about cyberlaw, and master podcasting. this could be the job for you.  Send your CV to cyberlawpodcast@steptoe.com. We'll be making our decision by early summer.

Download the 397th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Much of this episode is devoted to how modern networks and media are influencing what has become a major shooting war between Russia and Ukraine. Dmitri Alperovitch gives us a sweeping overview. Ukraine and its President, Volodymyr Zelensky, clearly won the initial stages of the war in cyberspace, turning broad Western sympathy into a deeper commitment using short videos from downtown Kyiv at a time when Zelensky was expected to be racing for the border. The narrative of determined Ukrainian resistance and hapless Russian arrogance was set in cement by the end of the week, and Zelensky's ability to casually dial in to EU ministers' meetings (and just as casually say that this might be the last time the ministers saw him alive) changed official Europe's view of the conflict permanently. Putin's failure to seize Ukraine's capital and telecom facilities in the first day of the fight thus may guarantee a long, grinding conflict.

Russia is doing its best to control the narrative on Russian networks by throttling Facebook, Twitter, and other Western media. And it's essentially telling those companies that they need to distribute pro-Russian media in the West if they want a future in Russia. Dmitri doesn't believe that's a price Silicon Valley will pay for access to a country where every third bank and company is already off-limits due to Western sanctions. Jane Bambauer weighs in with the details of Russia's narrative-control efforts -- and their failure.

And what about the cyber-attacks that press coverage led us to expect in this conflict between two technically capable adversaries? Nate Jones and Dmitri agree that, while network wiping and ransomware have occurred, their impact on the battle has not been obvious. Russia seems not to have sent its A-team to take down any of Ukraine's critical infrastructure. Meanwhile, as Western nations pledge more weapons and more sanctions, Russian cyber reprisals have been scarce, perhaps because Western counter-reprisals are clearly being held in reserve.

All that said, and despite unprecedented financial sanctions and export control measures, the initiative in the conflict remains with Putin, and none of the panel is looking forward to finding out how Putin will react to Russia's early humiliations in cyberspace and on the battlefield.

In other tech news, the EU has not exactly turned over a new leaf when it comes to milking national security for competitive advantage over U.S. industry. Nate and Jane unpack the proposed European Data Act, best described as an effort to write a GDPR (General Data Protection Regulation) for nonpersonal data. And, as always, it's chasing the dream that Europe can regulate a European tech industry into existence.

Nate and I dig into a Foreign Affairs op-ed by Chris Inglis, the Biden administration's National Cyber Director. It calls for a new Cyber Social Contract between government and industry.  I hit CTRL-F and "regulation" but don't find the word, likely thanks to White House copy editors, but the op-ed clearly thinks that more regulation is the key to ensuring public-private cooperation.

Jane reprises a story from the estimable "Rest of World" tech site.  It turns out that corrupt and abusive companies and governments have better tools for controlling their image than Vladimir Putin – all thanks to the European Parliament and the U.S. Congress, which approved GDPR and the Digital Millennium Copyright Act respectively. These turn out to be great laws for suppressing stories that make third-world big shots uncomfortable. I remind the audience about another of Baker's Law: "Privacy Law Principally Protects the Privileged and the Powerful."

In closing, Jane and I catch us up on the IRS's latest position on face recognition – and the wrongheadedness of the NGOs campaigning against the technology.

Download the 396th Episode (mp3)

Announcement:  We're thinking about having a live recording of episode 400, maybe on the web and maybe in person here in Washington.  That would be March 28, 2022. If you want to attend, please send us a message to that effect at CyberlawPodcast@steptoe.com.

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Troops and sanctions and accusations are coming thick and fast in Ukraine as we record the podcast. Michael Ellis draws on his past experience at the National Security Council (NSC) to guess how things are going at the White House, and we both speculate on whether the conflict will turn into a cyberwar that draws the United States in. Neither of us thinks so, though for different reasons.

Meanwhile, Nick Weaver reports, the Justice Department is gearing up for a fight with cryptocurrency criminals. Nick thinks it couldn't happen to a nicer industry. Michael and I contrast the launching of this initiative with the slow death of the China initiative due to a few botched prosecutions and a whole lot of anti-American racial political correctness.   

Speaking of political correctness, Michael and I do a roundup of news (all bad) for face recognition technology. District Judge Sharon Johnson Coleman (ND IL) gets our prize for least persuasive first amendment analysis of the year -- in an opinion holding that collecting and disclosing people's public images can be punished with massive civil liability even if no damages have been shown. After all, the judge declares in an analysis that covers a full page and a half (double-spaced!), the Illinois law imposing liability "does not restrict a particular viewpoint nor target public discussion of an entire topic." Well, that settles that.

But if you're a first amendment fan, don't worry; the amendment is bound to get a heavy defense in the next big face recognition lawsuit – the Texas Attorney General's effort to extract hundreds of billions of dollars from Facebook for tagging the faces of their users. My bet? This one will make it to the Supreme Court. Next, we review the IRS's travails in trying to use face recognition to verify taxpayers who want access to their returns. I shamelessly urge everyone to read my latest op-ed on the topic in the Washington Post.

Finally, I mock the wokesters at Amnesty International who think that people living in high-crime New York neighborhoods should be freed from the burden of face recognition cameras that could identify and jail street criminals. After all, if facial recognition were more equitably allocated, think of how many Staten Island scofflaws could be identified for letting their dogs poop on the sidewalk.

Nick and I dig into the pending collision between European law enforcement agencies and privacy zealots in Brussels who want to ban EU use of NSO's Pegasus surveillance tech. Meanwhile, in a rare bit of good news for Pegasus's creator, an Israeli investigation is now casting doubt on press reports of Pegasus abuse.

Finally, Michael and I mull over the surprisingly belated but still troubling disclosures about just how opaque TikTok has made its code and methods of operation. Two administrations in a row have started out to do something about this sus app, I note, and neither has delivered – for reasons that demonstrate the deepest flaws of both.

Download the 395th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter.

Here's a special request. We've thought of doing episode 400 in person, or at least in a public Zoom session that listeners to see live.  If you think you'd attend, and you support either a live or a Zoom session, please send a note to that effect to CyberlawPodcast@steptoe.com. If we get enough interest in one or the other, we'll try to make it happen.

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Here are excerpts from my op-ed in today's Washington Post on the controversy over IRS use of face recognition:

 

The plan sent Congress into a tizzy. Sen. Ron Wyden (D-Ore.) complained that "many facial recognition technologies are biased in ways that negatively impact vulnerable groups, including people of color, women, and seniors." Fifteen Republican senators objected that the face recognition system threatened to make taxpayers "pay the toll of giving up their most personal information, biometric data."

 

Cowed by the accusations of bias and privacy, the IRS announced that it will "transition away" from face recognition. But both accusations are false, and the price that you and I will pay for this panicky retreat is enormous.

...

 Wyden wants the IRS to switch to "verification by humans." Talk about lose-lose. At this point, the technology is much better than humans: Even human "super-recognizers" can't beat the algorithms. Their best accuracy rates are around 95 percent, well behind today's machines, and ordinary mortals, with an error rate of about 81 percent, aren't even close. They will almost certainly show more bias, too; humans are notorious for having trouble recognizing people outside their ethnic group.

 

Meanwhile, taxpayers would get worse service that costs more. If you've flown home from overseas in the past few years, you've probably skipped the customs line served by a human officer and headed straight for a kiosk that uses face recognition to match you to your passport. And I'll wager money you never want to go back to the old system.

 

But when it comes to protecting yourself from identity theft, that's exactly what the bipartisan critics in Congress want the IRS to do to you. Instead of a quick, automated process, you will wait on the phone to be verified by a human being. That human being will be working for the same understaffed IRS that has not even gotten around to opening and logging all the returns it received in the mail nearly two years ago.

 

But that's what's in store for all of us if the bipartisan group of congressional critics gets its way. If it's any consolation, we probably won't be on hold for the whole two years.

 

But it sure will feel that way.

The Cyberlaw Podcast has decided to take a leaf from the (alleged) Bitcoin Bandits' embrace of cringe rap. No more apologies. We're proud to have been cringe-casting for the last six years. Scott Shapiro, however, shows that there's a lot more to the bitcoin story than embarrassing social media posts. In fact, the government's filing after the arrest of Ilya Lichtenstein and Heather Morgan paints a forbidding picture of how hard it is to actually cash out $4.5 billion in bitcoin. That's what the government wants us to think, of course, but it's persuasive nonetheless, and both Scott and David Kris recommend it as a read.

Like the Rolling Stones performing their greatest hits from 1965 in 2021, U.S. Senator Ron Wyden of Oregon is replaying his favorite schtick from 2013 – complaining that the government has an intelligence program that collects U.S. person data under a legal theory that would surprise most Americans. Based on the Privacy and Civil Liberties Oversight Board staff recommendations, Dave Aitel and David Kris conclude that this doesn't sound like much of a scandal, but it may lead to new popup boxes on intel analysts' desktops as they search their databases.

In an entirely predictable but still discouraging development, Dave Aitel points to persuasive reports from two forensics firms that an Indian government body has compromised the computers of a group of Indian activists and then used its access not just to spy on the activists but to load fake and incriminating documents onto their computers.

In the EU, meanwhile, crisis is drawing nearer over the EU General Data Protection Regulation (GDPR) and the European Court of Justice decision in the Schrems cases. David Kris covers a surprising trend. The Court may have been aiming at the United States, but its ruling is starting to hit European companies; they may soon have to choose between getting free Silicon Valley services and incurring serious GDPR liability. That's the message in the latest French ruling that websites using Google Analytics are in breach of GDPR. Next to face the choice may be European publishers who rely on data-dependent advertising; the structure that supports such ads has seen its legality gravely undercut by the Belgian data protection authority.

Scott and I dig into the IRS's travails in trying to use facial recognition to authenticate taxpayers seeking access to their records. I reprise my defense of face recognition in Lawfare. Nobody is going to come out of this looking good, Scott and I agree, but I predict that abandoning facial recognition technology is going to mean more fraud as well as more costly and lousier service for taxpayers.

I cover to the only field where Silicon Valley still seems to be innovating – new ways to tell conservatives that they should just die already. Airbnb has embraced the Southern Poverty Law Center, whose business model is smearing mainstream conservative groups as "hate" mongers. Airbnb told Michelle Malkin that her speech to a SPLC-designated "hate" group meant that she was forever barred from using Airbnb – and so was her husband. By my count that's guilt by association three times removed. Equally remarkable, Facebook is now telling Bjorn Lomborg that he cannot repeat true facts if he's using them to support the Wrong Narrative.  Silicon Valley isn't in content moderation land any more: Truth is not a defense, and firms that control access to real things in real life are denying those things to people whose views they don't like.

Scott and I unpack the EARN IT (Eliminating Abusive and Rampant Neglect of Interactive Technologies) Act, again reported out of committee to a chorus of boos from privacy NGOs. At the same time, anti-child-abuse campaigners aren't waiting for EARN IT. A sex trafficking lawsuit against Pornhub has survived a section 230 challenge.

Download the 394th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Another week, another industry-shaking antitrust bill from Senate Judiciary:  This time, it’s the Open App Store Act, and Mark MacCarthy reports that it’s got more bipartisan support than the last one. Maybe that’s because there are only two losers, and probably only one really big loser: Apple. The bill would force an end to Apple’s app store monopoly. Apple says that would mean less privacy and security for users; Mark thinks there’s something to that, but Bruce Schneier thinks that’s hogwash. Our panel is mostly on Bruce’s side of the debate.  Meanwhile, Apple’s real contribution to the debate is the enormous middle finger it’s extending to other regulators trying to rein in Apple’s app store fees.

Megan Stifel reports that Anne Neuberger, the deputy national security adviser for cyber issues, has been traveling Europe to beef up our allies’ cyber defenses as a Russian war looms in Ukraine. Details about how she’s doing that are unsurprisingly sparse.

Meanwhile, Europe is finally coming to grips with the logical consequences of the EU General Data Protection Regulation (GDPR). Turns out, the whole internet as we know it is illegal in the EU. The Belgian data protection authority brought down a big chunk of the roof in holding the IAB liable for adtech bidding procedures that it decided violate the GDPR. And a German court fined some poor website for using Google fonts, which are downloaded from Google and tell that company (located in *gasp* America) a lot about every user who goes to the website. Nick Weaver explains how the tech works. I argue that the logical consequence is that it's illegal for one site to give out an IP address to get data from another site – which is kinda how the internet functions. Nick thinks the damage can be limited to Facebook, Google, and surveillance capitalism, so he isn’t shedding any tears over that outcome.

This leads us to a broader discussion of Facebook’s travails, as its revenue model becomes the target of regulators, Apple, TikTok, Google, liberals, and conservatives --- all while subscriber growth starts to stall. It's not pretty. So I remind listeners of Baker’s Law of Evil Technology: “You won’t know how evil a technology can be until the engineers who built it begin to fear for their jobs.”

Megan and I break down the American Airlines lawsuit against The Points Guy over an app that syncs frequent flyer data.  I think American will lose – and that it should.

Mark and I talk about the latest content moderation flareups, from Spotify and Rogan to Gofundme’s defunding of the Canadian lockdown protest convoy. Mark flogs his Forbes article, and I flog my latest Cybertoonz commentary on tech-enabled content moderation. Mark tells me to buckle up, more moderation is coming.

Megan tells the story of PX4, who is hacking North Korea because it hacked him. Normally, that’s the kind of moxie that appeals to me, but this effort feels a little amateurish and ill-focused.

In quicker hits, Nick and I debate the flap over ID.me, and I try to rebut claims that face recognition has a bias problem. Megan explains the brief fuss over a legislative provision that would have enabled more and faster Treasury regulation of cryptocurrency. Mark touches on the Senate's latest version of the EARN IT bill, as its downsizing continues. I express surprise that Facebook would not only allow people hoping to enter the US illegally to solicit help from human traffickers on the site but would put the policy in writing.

Download the 393rd Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

All of Washington is back from Christmas break, and suddenly the Biden Administration is showing a sharp departure from the Obama and Clinton years where regulation of Big Tech is concerned. Regulatory swagger is everywhere.

Treasury regulatory objections to Facebook’s cryptocurrency project have forced the Silicon Valley giant to  abandon the effort, Maury Shenk tells us, and the White House is initiating what looks like a major interagency effort to regulate cryptocurrency on national security grounds. The Federal Energy Regulatory Commission is getting serious (sort of) about monitoring the internal security of electric grid systems, Tatyana Bolton reveals. The White House and Environmental Protection Agency are launching a “sprint” to bring some basic cybersecurity to the nation’s water systems. SEC Chairman Gary Gensler is full of ideas for expanding the Security and Exchange Commission’s security requirements for brokers, public companies, and those who service the financial industry. And the Federal Trade Commission is entertaining a rulemaking petition that could profoundly affect companies now enjoying the gusher of online ad money generated by aggregating consumer data. And that's just this week.

In other news, Dave Aitel gives us a thoughtful assessment of why the log4j vulnerability isn’t creating as much bad news as we first expected. It’s a mildly encouraging story of increased competence and speed in remediation, combined with the complexity (and stealth) of serious attacks built on the flaw.

Dave also dives deep on the story of the Belarussian hacktivists (if that’s what they are) now trying to interfere with Putin’s threatened invasion of Ukraine. It’s hard to say whether they’ve actually succeeded in delaying trains carrying Russian tanks to the Belarussian-Ukrainian border, but this is one group that has consistently pulled off serious hacks over several years as they harass the Lukashenko regime.

In a blast from the past, Maury Shenk takes us back to 2011 and the Hewlett Packard (HP)-Autonomy deal, which was repudiated as tainted by fraud almost as soon as it was signed. Turns out, HP is getting a long-delayed vindication, as Autonomy’s founder and CEO is found liable for fraud and ordered extradited to the U.S. to face criminal charges. Both rulings are likely to be appealed, so we’ll probably still be following court proceedings over events from 2011 in 2025 or later.

Speaking of anachronistic court proceedings, the EU’s effort to punish Intel for abusing its dominant position in the chip market has long outlived Intel’s dominant position in the chip market, and we’re nowhere near done with the litigation. Intel won a big decision from the European general court, Maury tells us. he and I agree that it’s only the European courts that stand between Silicon Valley and a whole lot more European regulatory swagger.

Finally, Dave brings us up to date on a New York Times story about how Israel used NSO’s hacking capabilities in a campaign to break out of years of diplomatic isolation.

Download the 392nd Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

That’s the question I had after reading Law and Policy for the Quantum Age, by Chris Hoofnagle and Simson Garfinkel. It’s a gracefully written and deeply informative look at the commercial and policy prospects of quantum computing and several other (often more promising) quantum technologies, including sensing, communications, and networking. And it left me with the question that heads this post. So, I invited Chris Hoofnagle to an interview and came away thinking the answer may be “close to half – and for sure all the quantum projects grounded in fear and envy of the National Security Agency.” My exchange with Chris makes for a bracing and fast-paced half hour of futurology and policy and is not to be missed. Neither is the book.

Also not to be missed: Conservative Catfight II – Now With More Cats. That’s right, Jamil Jaffer and I reprise our past debate over Big Tech regulation, this time focusing on S.2992, the American Innovation and Choice Online Act, just voted out of the Senate Judiciary committee with a bipartisan set of supporters and detractors. In essence, the bill would impose special “no self-preferencing” obligations on really large platforms. Jamil, joined by Gus Hurwitz, thinks this is heavy handed government penalization of a few unpopular companies and completely unmoored from any harm to consumers. Jordan Schneider weighs in to point out that it is almost exactly the solution chosen by the Chinese government in its most recent policy shift. I argue that platforms are usually procompetitive when they start but inherently open to a host of subtle abuses once entrenched, so only a specially crafted regime will keep a handful of companies from amassing enormous economic and political power.

Doubling down on controversy, I ask Nate Jones to explain Glenn Greenwald’s objections to the subpoena practices of Congress’s  Jan. 6 Committee. I think the committee’s legal arguments boil down to “When Congress wrote the rules for government, it clearly didn’t intend for the rules to apply to Congress.” And Greenwald is right in arguing that the Supreme Court in the 1950s treated Communists better than the January 6 committee is treating anyone even tangentially tied to the attack on the Capitol.

Nate and I try to figure out what Forbes was smoking when it tried to gin up a scandal from a standard set of metadata subpoenas sent to WhatsApp. Whatever it was, Forbes will need plenty of liquids and a few hours in a dark quiet room to recover.

In quick hits, Gus explains what it means that the Biden administration is rewriting the DOJ/FTC merger guidelines: essentially, the more the administration tries to make them mean, the less deference they’ll get in court. And Jordan and I puzzle over the emphasis on small and medium business in China’s latest five-year plan for the digital economy.

Download the 391st Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Just one week of antitrust litigation news shows how much legal turbulence Facebook and Google are facing. Michael Weiner gives us a remarkably compact summary of those issues, from the deeply historical (Facebook's purchase of Instagram) to the cutting edge of tech (complaints about Oculus self-preferencing). In all, he brings us current on two state AG case, two FTC cases, and one DOJ case against the twin giants of surveillance advertising.

Speaking of litigation, no major new technology has been greeted with more litigation in its infancy than face recognition. So this week we do a long interview with Hoan Ton-That, the CEO of what must be the most controversial tech startup in decades, Clearview AI. We probe deeply into face recognition's reputation for race and gender bias, and what the company is doing about it. Hoan offers a clear rebuttal to misconceptions about the technology; he is clearly taking the controversy in stride and confident that the technology will overcome efforts to turn it toxic. Meanwhile, I note, the debate is clearing out what would have been formidable competition from the likes of Microsoft, Amazon, and IBM.  If you think face recognition should be banned as racist, sexist, and inaccurate, this interview is worth a listen; it will make you think.

Meanwhile, David Kris notes, rumors of war are rampant on the Russian-Ukrainian border – and in cyberspace. So far, it's a bit of a phony cyberwar, featuring web defacing and dormant file wipers. But it could blow up at any time, and we may be surprised how much damage can be done with a keyboard.

Speaking of damage done with a keyboard, open source software is showing what can be done without even trying (although at least one developer has in fact been trying pretty hard). Nick Weaver and I dig into Log4j and other messes, and evaluate the White House effort to head off future open source debacles.

David is in charge of good news this week. It looks as though Russia has arrested a bunch of REvil coconspirators, including one person that the White House holds responsible for the Colonial Pipeline attack. It's surely not a coincidence that this hint of cooperation from Vladimir Putin comes when he'd very much like to have leverage with the Biden administration over Ukraine.

The EU is now firmly committed to cutting itself off from a host of technologies that are offered, often for free, by Silicon Valley. Google Analytics is out, according to Austrian authorities, because it sends pseudonymized data to the U.S. Ironically, this means that the European Parliament has been violating European law. Nick reminds us that Analytics and the Like button aren't all that could be cut off by this interpretation. Google Translate apparently also depends on transatlantic data flows and could become unavailable in Europe. I offer an incendiary solution to that problem.

End-to-end secure messaging is still under attack, but this week it's European governments, not the FBI, that are taking the shots. The UK government is planning an ad campaign against end-to-end encryption, and Germany is growling about shutting down Telegram for allowing hate speech. Nick issues a heartfelt complaint about the disingenuity of both sides in the crypto debate.

Speaking of Germans who can't live up to their reputation for protecting privacy, Nick notes that German police did exactly what Gapple feared, using a coronavirus contact-tracing app to find potential witnesses to an event unrelated to covid-19.

Meanwhile, in another bit of good news, Twitter gets a suitable reward for the woke colonialism that led it to suspend Nigeria's president from the service for threatening secessionists with war. Instead of the secessionists, President Buhari went to war with Twitter, saying, in effect, "You can't suspend me, I'm suspending you."  Twitter has now unconditionally surrendered to the Nigerian government.

Finally, I claim kinship with Joe Rogan as one of the podcasters that left-leaning NGOs and academics hope to censor. My plan is to create a joint defense fund to which Joe and I will each contribute 1% of our podcasting revenues.

Download the 390th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

When it comes to spurring remediation of the log4j bug, the FTC's other foot, I argue, is lodged firmly in its mouth.  It has published what can only be described as a regulatory blog post, reminding everyone of the $700 million in fines imposed on Equifax and threatening "to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j." Tatyana Bolton defends the agency from a charge of heavy-handedness, arguing that this is the best way to get companies to patch quickly and that only "reasonable steps" are required. I think we'll hear "we only asked for reasonable steps" a lot from the FTC, now that it turns out that fixing the Log4j mess is going to require a lot more than regulatory muscle flexing. I also argue that the FTC's tough-guy pose is just that; when talking about the open source maintainers who actually have to generate many of the patches, the FTC doesn't threaten them with its "full legal authority." Instead, it acknowledges that open source coders "don't always have adequate resources and personnel," something the FTC "will consider as we work to address the root issues that endanger user security." Hmm, maybe Equifax should have pleaded inadequate resources and saved itself $700 million.

Speaking of fallible regulators, Glenn Gerstell gives us a tour of China's tech regulatory landscape, and the remarkable decline it has caused in the fortunes of consumer tech firms there, something the NYT covered in detail last week. Is that good news for Silicon Valley or for US competitiveness? Sadly, probably not, I conclude.

Mark MacCarthy explains why a proposal to combine cryptocurrency with Signal is causing angst among Signal's supporters, who fear an expansion of the end-to-end encrypted service's "regulatory attack surface."

Glenn covers the latest story about security risks and telecom gear from China. 

Mark and I dig into the growing enthusiasm for regulating big Silicon Valley companies as gatekeepers.  The Germans are about to apply that approach to Google. And the South Koreans are doing the same to Apple and its app store payment policies. 

Tatyana notes the press coverage about possible tensions between two talented and strong cybersecurity officials in the White House: Anne Neuberger and Chris Inglis. I put Glenn on the spot about claims that Anne has "a particular tendency to clash with lawyers." That would only make me love her more, but to my regret, Glenn (who, as NSA's top lawyer, worked with her for years) absolves her of the charge.

Mark and I handicap the probability that the plaintiff will succeed in a highly charged lawsuit against Facebook/Meta for bringing together the boogaloo conspirators who killed a federal protective officer. It's a long shot, but if "negligent design" turns out to create liability for software and algorithms, Signal will have an even greater attack surface than its fans are now worried about.

Glenn explains the charges brought in China against Walmart for breaches of cybersecurity laws (hint: it's mostly not breaches of cybersecurity laws). Speaking of surprises that aren't surprises, Glenn also covers the announcement by Lloyd's of London that cyber insurance won't cover cyber-attacks attributable to nation-states. 

Finally, I devote a few minutes to a rant about the Justice Department's decision to expand charges against Joe Sullivan, Uber's former CISO, for his role in paying "bug bounties" to hackers who looked more like crooks than bounty hunters when they compromised a bunch of Uber records. More than a year after charging Sullivan with obstruction of justice for using the "bug bounty" justification to keep the whole thing quiet, Justice piled on new charges of wire fraud for more or less the same thing. Glenn and I both question the decision to do this without any new facts to base the new charges on. And I point out the logical consequence of telling breach responders that they could face wire fraud charges if they decide not to disclose the breach (or maybe delay notice too long). The new Justice tack will (or should be) fatal to the FBI's desire to be called in to assist and observe while companies are dealing with breaches.  If  there's even a small risk that a decision to delay or withhold notice could lead to a criminal investigation, why would any GC want to have an FBI agent sitting in the room while the decision is being made?

Download the 389th Episode (mp3)  

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Among the good things about coming back from Christmas break are all the deep analyses that news outlets save up to publish over the holidays – especially those they can report from countries where celebrating Christmas isn’t that big a deal. At least that’s how I account for the recent flood of deep media dives on China technology issues. Megan Stifel takes us through a few. The first is a Washington Post article on China taking the tools it uses for measuring online dissent and focusing them on the rest of the world. The second is a New York Times article that tells us how the Chinese government takes the next step -- using its tools for suppressing internal dissent on the rest of the world when it says things China doesn’t like. Utterly unsurprising, to me at least, is how social media companies like Twitter have turned out to be hapless enablers of China’s speech police. Later in the podcast, Megan covers another story in the same vein – the growing global unease about China’s success in building Logink, a global logistics and shipping database.

Scott Shapiro and Nick Weaver walk us through the conviction of a Harvard professor for lying about his China ties. It may be too cynical to say that the Justice Department wanted Professor Charles Lieber especially badly because he’s not Asian, but there’s no doubt he’ll be Exhibit A when it defends the China Initiative against claims of ethnic profiling.

Megan takes us through another great story of hack-enabled insider trading, helicopters to Zermatt, and dueling extraditions; as the piece de resistance, NYT hints we may learn more about Russian interference with the 2016 presidential election. 

Scott explains how Apple AirTags are being used to track people. Nick gives us a feel for just how hard it is to separate good from bad in designing Air Tags. I suggest that this is a problem we could leave to the plaintiffs’ lawyers.

Nick lays out the economics of hacking as a service and introduces us to yet another company in that business – Cytrox. No one seems to last long in the business without changing their name. Nick and I explore the reasons for that, and the possibility that soon the teams that work for these companies will also move on every year or two.

Nick explains why bitcoin isn’t always a cybercriminal’s best friend. It turns out that cryptography isn’t proof against rubber hose cryptanalysis, or maybe even plea bargaining.

Drawing from my research for an article about why bias in face recognition has been overblown, I note that Canada, France, and the entire Western world is imposing sanctions on Clearview AI for privacy violations, but Clearview AI is the only U.S. company doing as good or better at face recognition than Chinese and Russian suppliers.  I argue that’s because a dubious racial bias narrative has forced IBM, Amazon, Microsoft, and Meta to retreat from the market, leaving us at the mercy of Russian and Chinese tech.

Megan explains why financial regulators and not the FBI turn out to be the biggest and most effective government enemies of end-to-end encryption; they've fined JPMorgan Chase a cool $200 million for using WhatsApp and other unbreakable encrypted messaging systems. Say, wasn't there a chip thirty years ago that would have solved that problem -- Chipper? Clipper?

Finally, in quick hits,

• I point out that soft power isn’t always America’s friend, as shown by Intel’s apology to the Chinese public for obeying U.S. law, Apple’s determination to double down on deepening its dependence on a Chinese supply chain, and a SenseTime IPO that was enormously successful for everyone except U.S. sanctions and U.S. investors.
• Scott shows the remarkable erosion of Silicon Valley’s power in conflicts with Putin’s Russia. Google and Meta are facing huge fines for not taking down content Russia doesn’t like. And they're losing lawsuits to Russians whose content they have taken down. In fact, they're losing so big that I expect Breitbart to bring its next Big Tech censorship lawsuit in Moscow.

Download the 388th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

All the cyberlawsuits that didn't get filed, or decided, over Thanksgiving finally hit the fan last week, and we're still cleaning up. But before that, I have to ask Dave Aitel for a sanity check on Log4Shell. Does it really deserve a 10 out of 10 for impact? And what does it mean for all the open source components buried in all our enterprise software? Dave's only piece of good news is that some big projects were far enough behind in updates that they haven't yet built the flaw into their products.

Turning to the first of several lawsuits covered in this episode, Jamil Jaffer and I praise Google for a particularly comprehensive and creative approach to suing cybercriminals. RICO plus a boatload of computer privacy violations are at the heart of Google's complaint against two criminals who created the Glupteba botnet. The defendants deserve credit of their own for creativity in using the blockchain to reconstitute their C2 infrastructure. If more criminals did that, Microsoft's trademark approach – using trademark violations to seize botnet infrastructure – would be less effective. Speaking of which, this week Microsoft used trademark litigation to take down a Chinese government network. Is it wrong to complain that Microsoft has been using this approach for so long that botnets are only inconvenienced, not destroyed, by the tactic?

Maury Shenk digs into the remarkable report that Apple CEO Tim Cook promised $275 billion of investment to China. Five years ago. In secret. And we're only finding out about it now, after he apparently delivered. When Congress finally gets around to the cyber incident reporting bill that it just bumped from the defense authorization act, maybe it will want to classify multibillion dollar deals with Communist China as the kind of cyber incident that ought to be reported to the U.S. government, if only so it knows how to evaluate the motives of the companies that are lobbying it.

The Tenth Circuit finished its Thanksgiving by releasing a massive opinion upholding the constitutionality of Section 702 of FISA. Jamil Jaffer, who played a role in adoption of Section 702, walks us through the decision, which was 2-1, but not on the main question. Instead, the debate was over Article III and the "advisory" nature of FISA court opinions that review intelligence agency procedures under 702. I confess to some sympathy for the dissent but wonder how it would help the defendant to strike down that structure.

Dave explains why Tor might not be as secure as we think. A mysterious and likely state-sponsored actor. is running hundreds of malicious Tor relays. And to add insult to injury, the actor is openly participating in Tor community debates, lobbying against proposals to reduce malicious Tor relays.

But wait, there's more cyberlitigation, and again Jamil talks us through it. A Saudi women's rights activist has brought a CFAA lawsuit against DarkMatter and its expat American employees for an iPhone hack that she says got her arrested. I'm a little skeptical that the lawsuit will survive a Foreign Sovereign Immunities Act motion.

Maury and I question the wisdom of a recent Italian fine penalizing Amazon over a billion euros, mainly for preferencing sellers who sign up for Prime logistics

Dave tells the sad story of Ilya Sachkov, a Russian cybersecurity whiz kid and CEO who may have believed too much that everyone sees cybersecurity as a white hat enterprise. Word is that he may have been too eager to help unravel the identities of the 2016 DNC attackers and is now paying for it with a Russian treason charge.

Maury notes that the U.S. decision to blacklist SenseTime, the Chinese AI company, was carefully timed to guarantee disruption of SenseTime's IPO. Whether the U.S. action will be more than a delaying tactic remains to be seen, but Maury thinks not.

Maury notes that Wikileaks founder Julian Assange has lost an important battle as he fights extradition to the U.S. And Jamil notes that the cyber incident reporting bill didn't make it into the defense authorization act, as mentioned earlier. He is one of the few cybersecurity buffs who isn't especially disappointed.

Maury and I disagree about a much-ballyhooed group of companies claiming to combat A.I. bias in hiring. I'll believe it when they actually expose their recommendations to public scrutiny.

For those who think left-wing bias in content moderation is not a thing, try this: Spend ten minutes with this right-wing French candidate's very effective campaign ad. Then ask yourself why exactly YouTube thought it wasn't fit for children. My guess: it was really the ad's effectiveness that YouTube disapproved of.

Dave and I puzzle over the Biden administration's unsatisfying `Initiative for Democratic Renewal' – a big international get-together that got only cursory attention in the US, perhaps because its theme is still a little hard to find.

And, finally, just to give me an excuse to publicize my latest Cybertoonz comic, Jamil asks what it means for Western militaries to "impose a cost" on ransomware gangs.

And with that, the Cyberlaw Podcast bids farewell to 2021. We will return in January.

Download the 387th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Canadian spy agency targeted foreign hackers to 'impose a cost' for cybercrime - National | Globalnews.ca

Federal district judge Robert Pitman has enjoined enforcement of Texas's law regulating social media censorship.  In this episode, the ruling sparks a fight between me and Nate Jones that ranges from how much weight should be given to  the speech rights of social media to the Kyle Rittenhouse verdict imposed by Facebook when it decided he was guilty and wouldn't let anyone disagree. On the merits, as before, we agreed that the Obama appointee was on pretty solid ground (for now) in applying the Tornillo line of cases saying that government should not directly regulate the editorial judgments of publishers. But the judge's ruling on the transparency and due process requirements of the law suggests to me that he wasn't prepared to give the law a fair shake. So look for a competitive appeal on the topic and quite possibly a more than competitive certiorari petition as well. By the time we stop beating this horse, he's long past any possible right of self-defense.

Megan Stifel has an easier task: Explaining cybersecurity recommendations for rail and other surface transportation companies. The advice is mostly the kind of simple concepts that could have been offered in the 90s, so we both puzzle over the fierce resistance from industry. Maybe it's the 24-hour requirement to notify TSA of cyber incidents, though I suggest reasons why industry shouldn't be as worried by this requirement as by a similar deadline for data breach notifications.

Nate and I explore proposals from the Biden administration to muster a group of like-minded countries in a campaign to curb sales of surveillance gear to authoritarian regimes. No doubt the initiative was reinforced by news that U.S. State Department phones were recently hacked with spyware from Israel. But I think the whole project fails for a simple reason: authoritarian governments can buy all the surveillance gear they need from China, which is happy to sell it. In the absence of credible enforcement, an international effort to condemn such sales is empty virtue signaling.

I mock an eminently mockable story from the Markup claiming that the PredPol crime prediction software is racist because it urges the police to patrol more poor black neighborhoods than rich white ones without asking whether that's where crime might be concentrated. Then, when the authors finally notice the overlap between neighborhoods with lots of arrests and neighborhoods recommended for heavy patrolling, they suddenly claim that the prediction software must be useless because the same results could be reached without the software.

Speaking of stupid, Megan explains how a "smart contract" turned out to be anything but, allowing hackers to steal $31 million in digital coin. I wonder exactly how much the hacker's feat differs from really good lawyering.

Nate and I look at how well Russia is doing in bringing Twitter to heel with a mobile slowdown. Twitter hasn't broken yet, but it's clear that the authoritarians of the world are slowly winning their battle with Silicon Valley.

Megan tells us about a cybersecurity professional at Ubiquiti who decided to stop riding with the hounds and to ride instead with the fox.  Bad choice; we know how fox hunts usually end for the fox, and this story is no exception.

In updates, I remind listeners of the elaborate gas-lighting effort by Jeff Bezos when he tried to blame the Saudis and the National Enquirer for his brother-in-law's leak of text messages that were deeply embarrassing for the CEO. All the hacking and extortion investigations that Bezos managed to trump up are over now, and the verdict is in: The Saudis didn't do it.

Finally, Megan and I note a Wall Street Journal article on how tough it is to be a spy in a world of smartphones, biometrics, and universal surveillance cameras. Our reaction: Yup.

Download the 386th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

My fourth effort at cartoon cyber commentary grows out of an endless project I'm doing on AI bias -- and the biases of the people who keep doing stories and studies about it. Many thanks to the free Clipart Library for some of the art and to ComicLife software for the parts that look good. (And if you think I should have found a way to get rid of the checkerboard background, you're right.)

Among the many problems surfaced by the current social media enthusiasm for deplatforming is this question: What do you do with all the data generated by people you deplatformed? Facebook's answer, as you'd expect, is that Facebook can do what it wants with the data, which mostly means deleting it. Even if it's evidence of a crime?  Yes, says the platform, unless law enforcement asks us to save it. The legal fight over a deplatformed group that defended historical statues (and may have shot someone in the process) will tell us something about the law of deplatformed data -- as will the fight over The Gambia's effort to recover evidence of deplatformed human rights abuses. In the end, though, we need a law on this question. Because, given their track record in content moderation, leaving the question to the discretion of social media will translate into the platforms' only preserving evidence that hurts people they hate.

Tired: Data breach reporting. Wired: Cyber incident reporting. The unanimous view of our panelists, Paul Rosenzweig  and Dmitri Alperovitch, is that cyber policy has shifted from mandatory reporting of personal data breaches to mandatory reporting of serious cyber intrusions no matter what data is compromised.  The latest example is the financial regulators' adoption of a rule requiring banks and similar institutions to report major cyber incidents within 36 hours of determination that one has occurred. But who will make that determination and with what certainty? Dmitri's money is on the lawyers. I don't disagree, but I think there's a great ER-style drama in the process: "OK, I'm going to call it.  No point in trying to keep this alive any longer. Time of determination is 2:07 pm."

Our interview segment is back after a long absence. David "moose" Wolpoff and Dan MacDonnell of Randori explain the consternation over their startup's use of a serious vulnerability to conduct realistic penetration tests of buttoned-up networks instead of reporting the vuln right away to the software provider. They argue that the value of zero-days for pentesting is great and the risk of harm from holding them is low, if they're handled responsibly. In fact, the debate sounds a lot like the arguments around the table at a government Vulnerability Equities Process ("VEP") meeting.  And that makes me wonder whether the people pushing for a stricter VEP have any idea at all what they're talking about.

Dmitri lays out the surprising complexity and sophistication of the Iranian attempt to influence the 2020 election. I'm less convinced. The Iranian effort failed, after all, and it resulted in the hackers' indictment. Hard to be impressed by failure.

I dig into a recent brief by Hikvision claiming that the FCC lacks authority to bar sales of its products in the US. I'm only half convinced by the legal claim, but I am sure of this: The Hikvision argument has created an opportunity for some enterprising politician to sponsor quick, uncontroversial legislation clearly giving the FCC the authority that Hikvision says it doesn't have.

Dmitri explains the latest advance of the hardware hack known as Rowhammer. It may not be deployed routinely even now, he says, but the exploit makes clear that we will never entirely secure our cyber infrastructure.

Paul and I agree that it's perfectly legal for government to buy advertising data that shows citizens' locations. And we more or less agree that some restraint on sales of location data – at least to the Russian and Chinese governments and maybe to anybody – are in order.

I offer muted and squeamish criticism of a Big Report claiming that child sexual abuse is exploding online. There's no doubt that it's a problem that deserves more legal and platform effort, but the authors did their cause no favors by combining kids exchanging nude selfies with truly loathsome material.

Dmitri and I perform a public service announcement about a scam that takes advantage of security habits that the banks have encouraged us to adopt. Zelle fraud is going to make us all regret those habits. Let's hope it also induces banks to use hardware tokens instead of text messages to verify our transactions.

Germany and Mandiant are at odds over attribution of the government that sponsored the Ghostwriter hacking gang. Germany, backed by the EU, says it's Russia. Mandiant says it's Belarus. Dmitri says "Never bet against Mandiant on attribution." I can't disagree.

Finally, Dmitri joins me in an appreciation of Alan Paller, who died last week. He was a major influence in cybersecurity,  and a role model for successful entrepreneurs who want to give back using their institution-creating skills.

Download the 384th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.