Steptoe Cyberblog

9/11 Commission Gingerly Embraces “Direct Action” Against Hackers

Posted in Cybersecurity and Cyberwar, Security Programs & Policies

I’ve long been an advocate for fewer restraints on how the private sector responds to hacking attacks.  If the government can’t stop and can’t punish such attacks, in my view the least it could do is not threaten the victims with felony prosecution for taking reasonable measures in self-defense.  I debated the topic with co-blogger Orin Kerr here.  I’m pleased to note that my side of the debate continues to attract support, at least from those not steeped in the “leave this to the professionals” orthodoxy of the US Justice Department.

The members of the 9/11 Commission, who surely define bipartisan respectability on questions of national security, have issued a tenth anniversary update to the Commission’s influential report.  The update repeats some of the Commission’s earlier recommendations that have not been implemented.  But it also points to new threats, most notably the risk of attacks on the nation’s computer networks.  No surprise there, but I was heartened to see the commissioners’ tentative endorsement of private sector “direct action” as a response to attacks on private networks:

Congress should also consider granting private companies legal authority to take direct action in response to attacks on their networks.

This “should consider” formulation avoids a full embrace of particular measures, and in that respect it parallels another establishment endorsement of counterhacking.  The Commission on Theft of American Intellectual Property, said in its 2013 report:

Finally, new laws might be considered for corporations and individuals to protect themselves in an environment where law enforcement is very limited.  Statutes should be formulated that protect companies seeking to deter entry into their networks and prevent exploitation of their own network information while properly empowered law-enforcement authorities are mobilized in a timely way against attackers.  Informed deliberations over whether corporations and individuals should be legally able to conduct threat-based deterrence operations against network intrusion, without doing undue harm to an attacker or to innocent third parties, ought to be undertaken.

If repeated tentative embraces are the way new policy ideas become respectable, “direct action” is well on its way.  The 9/11 Commission deserves credit, not just for moving the debate but for contributing a label that gives counterhacking a kind of anarcho-lefty frisson.

A Privacy Law’s “Unintended” But Remarkably Convenient Results

Posted in Privacy Regulation

HIPAA is an arguably well-intentioned privacy law that seems to yield nothing but “unintended” consequences.  I put “unintended” in quotes because the consequences are often remarkably convenient, at least for those with power.  I’m not sure you can call something that convenient “unintended.”

The problem has gotten so bad that even National Public Radio and ProPublica – hotbeds of bien pensant liberalism – have started to notice. This story, for example, could be mined for a host of dubious achievements in privacy law:

In the name of patient privacy, a security guard at a hospital in Springfield, MO., threatened a mother with jail for trying to take a photograph of her own son.

In the name of patient privacy, a Daytona Beach, FL., nursing home said it couldn’t cooperate with police investigating allegations of a possible rape against one of its residents.

In the name of patient privacy, the US Department of Veterans Affairs allegedly threatened or retaliated against employees who were trying to blow the whistle on agency wrongdoing.

When the federal Health Insurance Portability and Accountability Act passed in 1996, its laudable provisions included preventing patients’ medical information from being shared without their consent and other important privacy assurances.

But as a litany of recent examples show, HIPAA, as the law is commonly known, is open to misinterpretation — and sometimes provides cover for health institutions that are protecting their own interests, not patients’.

“Sometimes it’s really hard to tell whether people are just genuinely confused or misinformed, or whether they’re intentionally obfuscating,” said Deven McGraw, partner in the healthcare practice of Manatt, Phelps & Phillips and former director of the Health Privacy Project at the Center for Democracy & Technology.

At this point, we’ve seen a boatload of stories in which HIPAA produces stupid or bad results.  The real question is whether there are any stories in which HIPAA has produced unequivocally good results – things that wouldn’t have happened without the law.  Otherwise, we’re looking at a law passed to prevent nonexistent abuses that has become a source of abuse itself.  In my view, that’s a recipe for repeal – and pretty much the story of most privacy law.

Steptoe Cyberlaw Podcast – Interview with Orin Kerr

Posted in China, Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Our guest this week is noted computer law guru Orin Kerr, and the podcast is a deep dive into technology and law.

This Week in NSA:  Snowden claims without substantiation that NSA employees are passing naked pix around.  And Greenwald’s venture reports that GCHQ has developed the ability to send spam and to rig web polls.  It’s a true Dr. Evil moment.  What will they think of next – tools that write linkbait article titles?  Really, you won’t believe how this Glenn Greenwald story will break your heart!

Well, that was fast. Last week the UK government announced that it was pursuing legislation ensuring that data retention would continue and ending legal challenges by US companies to the scope of UK investigative powers.  This week, the proposal has passed both houses of Parliament.  It is now law.

Advocates of the right to be forgotten also want you to forget about how the censorship will work.  They successfully pressured Google not to tell users when their search results are bowdlerized.  Now they’re pressuring Google not to tell content owners when their links are dropped down the memory hole.  They also want to make sure the censorship regime applies to the United States and Google’s .com engine.  As the Chinese government has already taught us, it’s not enough to censor Internet news; you also have to censor Internet news about the censorship of Internet news.  Come to think of it, the Chinese also demand that Internet companies self-censor in response to vague hints from regulators, and now so do the Europeans.  Really, if the Chinese had a business method patent on Internet censorship, they could sue Europe for infringing.

And, speaking of privacy law abuses, the Veterans Administration finds that the best way to prevent whistleblowers from complaining about mistreatment of patients is to declare that talking about patients’ mistreatment is a violation of patient privacy.  Lois Lerner’s hard drive also makes an appearance.

The FBI says it’s worried about driverless Google getaway cars.  Of course you’d have to hack them to go faster than a golf cart.  Which raises the question:  Would hacking a car violate the CFAA?  The DMCA?  I ask the experts.

I wouldn’t ordinarily recommend the FBI affidavits that accompany indictments as reading material, but Agent Noel Neeman’s affidavit about Chinese cyberespionage tactics and motivations is remarkably entertaining – and instructive.   

In other news, it sure looks like the movement of class action privacy lawyers to West Virginia will begin in Illinois.  And to the surprise of the entire Internet, other than anyone familiar with actual law, the Massachusetts high court declares that, yes, you really can be forced to decrypt your files if the government already knows they’re yours.

Finally, with a critical mass of computer crime lawyers on the show, the four of us perform the lawyer equivalent of speed dating, covering most of the hot topics in technology and law, including the Microsoft search warrant case, the future of the third party doctrine, the evergreen question whether the Computer Fraud and Abuse Act is violated by those who exceed their authorized network access, and the prospects for legislation changing the CFAA or ECPA reform.

Download the twenty-ninth episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

And Who’s Protected by Taxpayer Privacy Laws? Hint: Not Taxpayers

Posted in Privacy Regulation

When you’re in the business of pointing out how often privacy law ends up protecting power and privilege, you never run out of material.

Everyone remembers Lois Lerner, the IRS official who pleaded the fifth amendment and refused to testify about her role in the agency’s scrutiny of Tea Party nonprofits.  And everyone remembers her mysterious computer crash making years of emails unavailable in 2011.

Could the messages be recovered with advanced forensics?  We’ll never know, because the IRS so systematically nuked Lerner’s drives that no one could ever recover anything from them.

Why? According to The Hill, “the agency said in court filings Friday that the hard drive was destroyed in 2011 to protect confidential taxpayer information.”

I’m sure the taxpayers will find a way to show their gratitude.

Steptoe Cyberlaw Podcast – Interview with David Medine

Posted in Cybersecurity and Cyberwar, Data Breach, International, PCLOB, Privacy Regulation, Security Programs & Policies

Our guest this week is Chairman of the Privacy and Civil Liberties Oversight Board (PCLOB), David Medine. We do a deep dive into the 702 program and the PCLOB’s report recommending several changes to it. Glenn Greenwald’s much-touted “fireworks finale” story on NSA may have fizzled, but this week David and I deliver sparks to spare.

I question the PCLOB’s enthusiasm for giving new responsibilities to the flawed Foreign Intelligence Surveillance Court (Judge Lamberth and his wall make an appearance). I challenge David’s notion (shared with Judge Wald) that the 702 program, crucial as it is for our terrorism defenses, nonetheless stands balanced so close to the edge of constitutionality that without new minimization restrictions it could tip over into constitutional unreasonableness at any moment. David gets a chance to comment on stories about U.S. citizens whose data is stored by the NSA, including Glenn Greenwald’s disclosure of the Americans targeted by NSA and Bart Gellman’s defense of his Washington Post article. (There we find common ground; like me, David has doubts about the significance of Gellman’s claim that “9 out of 10 accountholders” in NSA’s database aren’t targets.) And we argue over whether NSA analysts need 89,000 new make-work assignments justifying their targets, let alone a massive judicial logjam before they can search data already gathered lawfully. All in all, a rewarding workout.

The news roundup is truncated to allow more time for the Medine dialogue, but this week in NSA features more Snowdenista journalist misrepresentations, including the demonstrably false claim that NSA has flagged the Linux Journal as an “extremist forum.”

The Senate Intelligence Committee produces a cybersecurity information sharing bill as a bookend to the House’s bill, but getting it to the floor and then to the President is going to be tough in today’s climate and under the current calendar. Maury Shenk tells us the Russians are planning to balkanize the Internet and in the name of privacy no less. He also reports that the UK is pursuing stopgap legislation to make sure it doesn’t lose its data retention authority in the wake of an unfavorable ECJ decision, and to allow UK law enforcement to require foreign entities to turn over data under a warrant. David can’t help intervening to remind us that the UK has also proposed creating their very own PCLOB.

Download the twenty-eighth episode (mp3).


Steptoe Cyberlaw Podcast – Interview with David Heyman

Posted in Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Our guest this week is David Heyman, who recently completed a tour as DHS’s Assistant Secretary for Policy (my old job). David has had a long and productive career in homeland security, in government, and in the private sector. We take a tour of DHS’s horizon, covering DHS’s impressive progress in cybersecurity implementation, the Quadrennial Homeland Security Review, the reasons Europe now seems less hostile to DHS’s mass data collection, even as it takes aim at NSA’s, and the challenges and successes of John Pistole’s TSA.

It was a surprisingly newsy week for NSA. In part that’s because of news that didn’t break, as Glenn Greenwald, panting to disclose the individual Americans who have been targeted for surveillance, discovers that there really are some government secrets worth keeping – and pays the price in abuse from lib/left haters. The Washington Post seems to have mined a similar dataset to tell us that there’s a lot of information in NSA’s stores about Americans with ties to foreign intelligence targets, but the paper’s claim that “9 out of 10” accounts in the database sure looks like a statistic chosen to scare more than educate. NSA Director Mike Rogers says that Snowden’s thefts can be managed. The 7th Circuit ruled that FISA intercepts can’t be routinely shown to defense counsel, even defense counsel with clearances.

And the early favorite for Dumbest NSA Story of the Month goes to Ellen Nakashima and Bart Gellman for revealing that NSA thinks it may have to gather foreign intelligence from (gasp!) pretty much every country in the world. In other breaking news, the Pope is still Catholic.

Finally, government reports triggered by Snowden continue to proliferate. The PCLOB report largely supports the 702 program – and the PCLOB pays the price in abuse from lib/left haters. (We’ll invite David Medine to defend the report on next week’s program.) ODNI has its own transparency report on NSA intercepts, revealing a strikingly small number of targets, a report that generates abuse from, well, you know.

Microsoft’s fight with the US government over warrants for overseas data gets more support, this time in the form of European Commission press pronouncements.

Google reveals a bit more about how it’s applying the right to be forgotten, and the British press isn’t too happy. No word yet on Stewart’s “Does this search engine make me look fat?” request for the deletion of outdated and overweight photos.

This week in vindication for the Steptoe Cyberlaw podcast: NY’s cyberbullying law is struck down, fast enough to leave heads spinning.

The SEC has finally gotten off its duff and begun investigating network intrusions, but the only known investigation is of Target – probably the most predictable and also the lamest investigative target the SEC could have chosen. Really, does anyone think that the problem with Target was a failure to disclose the intrusion? Rather than piling on the already flattened retailer, one wonders why the SEC is not pushing for disclosure of intrusions that are likely to have a big competitive impact, such as ongoing foreign nation-state hacks on behalf of state-owned competitors?

Download the twenty-seventh episode (mp3).


Steptoe Cyberlaw Podcast – Interview with Dmitri Alperovitch

Posted in China, Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

This week in NSA: We take a look at the other half of the Lofgren amendment, which prohibits NSA and CIA from asking a company to “alter its product or service to permit electronic surveillance.”  So if Mullah Omar orders a phone from Amazon, the government can’t ask Amazon to put a bug in it – but a bomb is fine.  Another step forward for human rights!  NSA’s bulk collection program is extended again. And Keith Alexander is doing just fine in the private sector, to judge from the consulting fees he’s asking.

The big news of the week is the Supreme Court’s 9-0 decision in Riley, refusing to allow police to routinely search the cell phones carried by people they arrest.  What does it mean for other techno-libertarian arguments before the Court?  Michael and Jason weigh in.

Facebook is breaking new ground, or trying to, by challenging 300+ search warrants on behalf of the targets.  So far, the publicity has been good; the law, not so much.

Taking a break from covering LabMD’s FTC travails, we note that Wyndham won a little and lost a little, but the win may give us an appellate decision on the FTC’s jurisdiction over Internet privacy and security.

And speaking of privacy, Jason Weinstein discloses a long-secret Steptoe project – a free data breach legal toolkit.

Our guest on the podcast is Dmitri Alperovitch, CEO of Crowdstrike, a well-known incident response cybersecurity startup whose recent report introduced the world to another unit of the PLA hacking force – one that is quite distinct from unit 61398, which was exposed by Mandiant last year and six of whose members were indicted recently by the Justice Department.  Crowdstrike identifies unit 61486.  (And don’t we all hope the PLA numbering scheme for its hacker units doesn’t start at 00001?)  This unit, which Crowdstrike labeled “Putter Panda” because of its use of golf-related malware documents, specialized in stealing secrets from satellite, aerospace, and communications firms.  Crowdstrike outs one of the unit’s hackers, Chen Ping, including the now-familiar social media pix of the guy, his buddies, and a possible girlfriend.  We talk about the importance of attribution as a response to sophisticated cyberespionage, and the role that incident response firms play in that effort.

Download the twenty-sixth episode (mp3).


Steptoe Cyberlaw Podcast – Interview with Ralph Langner

Posted in Cybersecurity and Cyberwar, International, Privacy Regulation, Security Programs & Policies

This week in NSA: The House passes an NDAA amendment to regulate “secondary” searches of 702 data, and the prize for Dumbest NSA Story of the Month goes to Andrea Peterson of the Washington Post for exposing NSA’s shocking use of “Skilz points” to encourage its analysts to use new tools to do their jobs.  And GCHQ defends its view that sending email through Yahoo and Hotmail is an “external” communication.

Good news for LabMD is bad news for the FTC: Darrell Issa raises questions about the FTC’s investigation and asks for an IG investigation.  Maybe the FTC did nothing wrong, but once it’s in the crosshairs that may not matter; the IG is bound to find something to criticize.  Of course, LabMD probably feels exactly the same way. The rest of us just want more popcorn.

Privacy campaigners in Europe lose another round against US companies obeying national security orders: an Irish court backs the Irish data protection authority’s decision not to investigate Facebook for cooperating with NSA.  But now the issue is moving to a body where anything can happen, no matter how wacky: the European Court of Justice.  Who are those guys?  Maury Shenk explains.

Michael Vatis and the Eighth Circuit give banks a tutorial on how to avoid liability to customers for weak security.  Just keep giving your customers more security choices until they turn one down.  It’s the miracle of choice!

I explain why I’ve always been leery of the Senate Intelligence Committee’s information sharing bill: It purports to legalize private-private information sharing that is already legal, and then to impose privacy requirements as the price for legalizing the already legal.  But that risk is much diminished in Chairman Feinstein’s latest draft.  Unamended, it would likely be fine, but it won’t take much amending to turn it into “back door” privacy regulation again.

Michael Vatis explains how to beat privacy class actions, building his lesson on the recent deflation of lawsuits against Hulu and LinkedIn.

And our guest for the week is the man who decoded Stuxnet – and opened our eyes to a whole new realm of warfare — industrial control system sabotage.  Ralph Langner heads the Langner Group, which specializes in industrial control system security.  He is also a nonresident fellow at the Brookings Institution.

Ralph talks about how he unpacked Stuxnet.  I ask whether attacks on commercial industrial control systems could cause mass casualties among civilians.  Ralph is not comforting.  I ask whether all the talk about cyberattacks on water, power, refineries, and factories has at least produced concrete steps to improve their security.  Ralph is not comforting.  I ask about prospects for future improvement.  Ralph is, well, you know the rest.  Really, have a drink before you listen to this one.

Download the twenty-fifth episode (mp3).


Steptoe Cyberlaw Podcast – Interview with Paul Rosenzweig

Posted in China, Cybersecurity and Cyberwar, International, Privacy Regulation, Security Programs & Policies

Our guest for the week, Paul Rosenzweig, is as knowledgeable as anyone about cybersecurity and intelligence law.  He blogs on the topics for Lawfare, writes for the Homeland Security Institute, consults for Red Branch Consulting, and lectures for the Great Courses on Audible.

So this week we let him comment on the stories of the week, as well as dig into ICANN, which spares the rest of us from having to learn more about that institution.  This he does, admirably, making the case for a slow and conditional transition of ICANN to an alternative governance structure.  Don’t miss his just-released paper on the topic for the Heritage Foundation.

Meanwhile, NSA news is blessedly sparse this week.  A federal judge in San Francisco announced that she was not willing to take the Justice Department’s word that several FOIA’d FISA court opinions cannot be partially declassified and demanded that they be produced for in camera inspection.

Meanwhile, China is making plenty of news, none of it good for China’s government.  Crowdstrike outs another PLA hacker by name (not to mention his picture and his personal blog).  Paul describes his lunch with Chinese embassy staff and their tone-deaf claim that the US government needs to provide more information about alleged Chinese hacking.  The DoD authorization bill is due to add a few more provisions tightening restrictions on China’s IT sector.  And China earns an early Privy nomination for charging dissenters with privacy violations, a practice about which privacy groups and the European Union have been unaccountably silent.

Michael Vatis explains Microsoft’s legal objections to getting a warrant for other people’s data stored in Ireland – and the amicus brief that he just filed in support of Microsoft.  In other fourth amendment news, Wi-Fi moochers have no expectation of privacy, but how to treat location data stored by cell phone companies continues to drive the federal courts to distraction, as Judge Sentelle travels south to vindicate his lower court opinion in Jones.

I talk about a study that Jim Lewis of CSIS and I unveiled last week on the cost of cybercrime — $445 billion globally, if you’re keeping track.

Jason explains why the entire data breach class action bar may move en masse to West Virginia.  And the FCC catches up to the FTC and SEC in cybersecurity “nudge” regulation.

Download the twenty-fourth episode (mp3).


China’s Use of Privacy Law Raises Questions for Privacy Advocates

Posted in China, International, Privacy Regulation

China seems to have found a reliable legal tool for suppressing dissent.  A prominent Chinese human rights lawyer, Pu Zhiqiang, has been arrested after a meeting in a private home to commemorate the 25th anniversary of the killings at Tiananmen Square.  The charge?  “Illegal access to the personal information of citizens,” a crime punishable by three years in prison.

But where are EFF and EPIC and CDT and the ACLU?  This is not the first time China has brought privacy charges against politically disfavored defendants.  Why haven’t these advocates of more privacy law vocally condemned China’s use of privacy law to foster oppression?

The same question might be asked of the Article 29 Working Party in the European Union, along with a second one: How is China’s law different from the data protection laws that Europe has been urging the world to adopt?