
Steptoe Cyberblog

Steptoe Cyberlaw Podcast – Debate with Harley Geiger

Posted in Cybersecurity and Cyberwar, Security Programs & Policies

The Steptoe Cyberlaw Podcast is on hiatus in August, but we’ve brought it back for a special appearance – a debate over Senator Leahy’s version of the USA Freedom Act sponsored by the Federalist Society.  Moderated by Christian Corrigan, the debate pitted me against Harley Geiger, Senior Counsel and Deputy Director for the Freedom, Security and Surveillance Project at the Center for Democracy and Technology.  Surprisingly, Harley and I manage to find some significant points of agreement, not only on the superiority of the Senate’s definition of ‘special selection term’ over the House’s but also on the need to deal with what ethical and conflicts standards should apply to special advocates appearing before the Foreign Intelligence Surveillance Court – a topic that neither the House nor the Senate Bill now addresses.

Download the thirty-first episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

As Evidence Mounts, It’s Getting Harder to Defend Edward Snowden

Posted in Cybersecurity and Cyberwar, Data Breach, Privacy Regulation, Security Programs & Policies

The evidence is mounting that Edward Snowden and his journalist allies have helped al Qaeda improve their security against NSA surveillance.  In May, Recorded Future, a web intelligence firm, published a persuasive timeline showing that Snowden’s revelations about NSA’s capabilities were followed quickly by a burst of new, robust encryption tools from al Qaeda and its affiliates.

This is hardly a surprise for those who live in the real world.  But it was an affront to Snowden’s defenders, who’ve long insisted that journalists handled the NSA leaks so responsibly that no one can identify any damage that they have caused.

In damage control mode, Snowden’s defenders first responded to the Recorded Future analysis by pooh-poohing the terrorists’ push for new encryption tools.  Bruce Schneier declared that the change might actually hurt al Qaeda: “I think this will help US intelligence efforts.  Cryptography is hard, and the odds that a home-brew encryption product is better than a well-studied open-source tool is slight.”

Schneier is usually smarter than this.  In fact, the product al Qaeda had been recommending until the leaks, Mujahidin Secrets, probably did qualify as “home-brew encryption.”  Indeed, Bruce Schneier dissed Mujahidin Secrets in 2008 on precisely that ground, saying “No one has explained why a terrorist would use this instead of PGP.”

But as a second Recorded Future post showed, the products that replaced Mujahidin Secrets relied heavily on open-source and proven encryption software.  Indeed, one of them uses Schneier’s own, well-tested encryption algorithm, Twofish.

Faced with facts that contradicted his original defense of Snowden, Schneier was quick to offer a new reason why Snowden’s leaks and al Qaeda’s response to them still wouldn’t make any difference:

Whatever the reason, Schneier says, al-Qaida’s new encryption program won’t necessarily keep communications secret, and the only way to ensure that nothing gets picked up is to not send anything electronically.  Osama bin Laden understood that.  That’s why he ended up resorting to couriers.

Upgrading encryption software might mask communications for al-Qaida temporarily, but probably not for long, Schneier said….“It is relatively easy to find vulnerabilities in software,” he added.  “This is why cybercriminals do so well stealing our credit cards.  And it is also going to be why intelligence agencies are going to be able to break whatever software these al-Qaida operatives are using.”

So, if you were starting to think that Snowden and his band of journalist allies might actually be helping the terrorists, there’s no need to worry, according to Schneier, because all encryption software is so bad that NSA will still be able to break the terrorists’ communications and protect us.  Oddly, though, that’s not what he says when he isn’t on the front lines with the Snowden Defense Corps.  In a 2013 Guardian article entitled “NSA surveillance: A guide to staying secure,” for example, he offers very different advice, quoting Snowden:

“Encryption works.  Properly implemented strong crypto systems are one of the few things that you can rely on.”

Schneier acknowledges that hacking of communication endpoints can defeat even good encryption, but he’s got an answer for that, too:

Try to use public-domain encryption that has to be compatible with other implementations. …Since I started working with Snowden’s documents, I have been using GPG, Silent Circle, Tails, OTR, TrueCrypt, BleachBit, and a few other things I’m not going to write about.…

The NSA has turned the fabric of the internet into a vast surveillance platform, but they are not magical.  They’re limited by the same economic realities as the rest of us, and our best defense is to make surveillance of us as expensive as possible.

Trust the math.  Encryption is your friend.  Use it well, and do your best to ensure that nothing can compromise it.  That’s how you can remain secure even in the face of the NSA.

It sounds as though al Qaeda took Bruce Schneier’s advice to heart, thanks to leaks from Edward Snowden – even if Schneier is still doing everything he can to avoid admitting it.

UPDATE:  The description of Recorded Future was changed at the request of the company, which said, “While this may seem like splitting hairs, in the world of data analysis software “predictive analytics” has specific technical meaning which implies something different.  We use the term web intelligence to reduce this confusion.”

More On The Microsoft Search Warrant Case

Posted in International, Privacy Regulation, Security Programs & Policies

Few people are as widely cited as Orin Kerr when it comes to the Stored Communications Act, so in the Microsoft search warrant case it’s nice to have him as an ally – even (or perhaps especially) an ally who came to our side a bit reluctantly.

Earlier, I posted my response to Orin’s first two blog posts about the Microsoft case, pointing out where we agreed and disagreed.  Orin has now “Fisked” my response (dissecting it and replying point by point), but try as he might, he can’t wriggle free of our embrace.  I won’t belabor the points on which we differ, but will just emphasize two key points of agreement.

First, Orin agrees that a government seizure of the emails would occur when Microsoft copied them in Ireland.  This is a critical point, because the government contends that the statute would not be applying extraterritorially since no search or seizure would be occurring outside the United States.  In the government’s view, “The warrant is served upon the provider here; the provider must produce its records to a law enforcement agent here; and if the provider fails to do so, the provider is subject to court sanction imposed here. There is no extraterritorial application of domestic law under these circumstances.”  But if, as Orin acknowledges, a seizure would occur outside the US at the moment Microsoft copied the emails in Ireland in order to comply with the warrant, then the government’s argument that no relevant action would take place outside the United States falls to pieces.

In his latest post, Orin seems to walk back from his earlier acknowledgment that a seizure would occur in Ireland.  He asserts now that a “Fourth Amendment seizure” would occur only if “the target is a US person with Fourth Amendment rights”—something we don’t yet know.  But this misses the point.  The question here is not whether the seizure would violate someone’s Fourth Amendment rights.  The relevant issue is whether the warrant is directing that an action take place outside the United States.  Orin agrees that it is.  Since the warrant is indeed directing that an action take place outside the United States, the government is clearly seeking to have the SCA apply extraterritorially.

The US government stands alone, then, in thinking that nothing relevant would be occurring on Irish soil.  Certainly the European Union, the Irish government, and the owner of the email account would all agree with Orin and Microsoft (and Verizon and the Electronic Frontier Foundation) that the warrant is directing that action take place in Ireland.

Here’s an analogy: Imagine that the government wanted to obtain the contents of a file cabinet located in the back of an office building in Mexico.  Instead of asking the Mexican authorities to seize and transfer the files to the US, or sending in a team of DEA agents under cover of night to steal the files and bring them home, the government decided on a third way: hiring a drone operator in Texas to send a drone over the border into Mexico, where the drone deployed a mechanical arm to lift up the cabinet and bring the files back to Texas for examination.  Would anyone seriously contend that no seizure took place in Mexico, just because the drone was operated by a person sitting in Texas and the files weren’t examined until they were in Texas?  I doubt it.  The answer shouldn’t be any different here just because the relevant evidence is in electronic form.  The evidence still has a physical location, and it has to be taken from that location and brought back to the US.

Second, Orin agrees that “the current version of Rule 41” does not “authorize[] warrants for searches abroad” except in rare and irrelevant circumstances (involving US diplomatic posts and the like).  That shouldn’t be surprising, given the plain language of the Rule and ample precedent saying that Rule 41 doesn’t authorize warrants for searches or seizures abroad.  So that brings us back to the question of whether the SCA clearly authorizes warrants for searches and seizures abroad, and, as I noted in my earlier post, Orin agrees that it does not.

Finally, one other point is worth mentioning.  Orin originally argued that if Microsoft won this case, the government could turn around and simply use a subpoena to get the same emails, under the Bank of Nova Scotia line of cases holding that grand jury subpoenas can be used to obtain company records held abroad.  This, he suggested, would result in less privacy protection for Microsoft’s subscribers than requiring the government to establish probable cause and get a warrant from a judge.  In response to my argument that it seemed unlikely that the government would or could use a subpoena to get a person’s emails abroad (which are in no sense Microsoft’s own business records), Orin now takes a new tack.  He suggests that the government could, instead of obtaining just a search warrant, use “a combined subpoena and warrant”—“(1) a grand jury subpoena ordering the provider to transport a copy of the emails to the grand jury inside the US together with (2) a warrant ordering the provider to disclose the emails to investigators.”  This is an interesting idea, but it doesn’t change the fact that the government has apparently never sought to use a subpoena to force a company to bring back into the US anything other than its own business records, and there’s no authority indicating that it could do so.

Moreover, even if it were viable, Orin’s alternative approach would actually provide more privacy protection than what the government is currently trying to do, not less.  For it would require the government both to use a subpoena—which would require passing the Bank of Nova Scotia balancing test where production would violate foreign law—and to obtain a warrant from a judge, after proving probable cause.  That’s what some might call a “belt and suspenders” approach.

Metaphors aside, ultimately this case is one of statutory interpretation.  Did Congress clearly express an intent that the SCA permit the government to use a warrant to obtain emails located outside the US?  The litigants and the bloggers have had their say.  Now it’s up to the courts.

Verizon’s Response to Orin Kerr’s Posts on the Microsoft Search Warrant Case

Posted in International, Privacy Regulation, Security Programs & Policies

As our readers and podcast listeners know, Steptoe filed an amicus brief for Verizon Communications Inc. in the case in which Microsoft has moved to vacate a search warrant seeking emails located in Ireland.  The issue in the case is whether a US search warrant can be used to obtain the content of emails stored outside the United States.  Microsoft and Verizon have argued that neither Rule 41 of the Federal Rules of Criminal Procedure (which outlines the rules governing search warrants generally) nor the Stored Communications Act (which sets out the rules governing access by law enforcement to electronic communications) authorizes a search warrant to be used to obtain emails stored abroad.

Orin Kerr has blogged (here and here) about the case, taking issue with some of the arguments raised by both sides, but ultimately agreeing with the companies’ central contention that the Stored Communications Act does not expressly address the question of whether warrants can be used to obtain communications located outside the United States.  Orin’s concession should resolve the case (in Microsoft’s favor), since statutes are presumed not to apply extraterritorially unless Congress expressly says otherwise.  My response to Orin’s posts is posted on The Volokh Conspiracy (part of The Washington Post) here, and is repeated in full below:

Why the government cannot use a search warrant to get e-mail located outside the US — unless Congress changes the law.

Orin Kerr has written two interesting posts about some of the legal issues raised by a case in which Microsoft has moved to vacate a US search warrant for a subscriber’s e-mails that are located in Ireland.  Microsoft’s central argument is that a US warrant cannot be used to obtain emails located abroad because warrants have no extraterritorial reach.  Steptoe filed an amicus brief in the case on behalf of Verizon Communications Inc., so I thought it would be helpful to provide our perspective on the legal issues.  (I won’t discuss here the profound business and policy implications of the government’s position.  For that, see the Verizon brief.)

While we disagree with Orin on some of his subsidiary points (as discussed below), we very much agree with the central thrust of his first post:  “[T]he Stored Communications Act just wasn’t drafted with the problem of territoriality in mind.  It assumed a US Internet with US servers and US users.”

This recognition that Congress wasn’t thinking about extraterritoriality when it passed the SCA is the crux of the Microsoft case.  There is a well-established doctrine called the “presumption against extraterritoriality,” which holds that “legislation of Congress, unless a contrary intent appears, is meant to apply only within the territorial jurisdiction of the United States.” Morrison v. Nat’l Austl. Bank Ltd., 561 U.S. 247, 248 (2010).  Thus, a statute is presumed not to have extraterritorial application unless Congress has “clearly expressed” its “affirmative intention … to give [the] statute extraterritorial effect.”  Id.  Orin’s acknowledgment that the SCA does not address the extraterritoriality issue should be the end of the story.  As the Supreme Court said in Morrison:  “When a statute gives no indication of an extraterritorial application, it has none.” Id.

Orin doesn’t discuss the presumption against extraterritoriality.  But it is at the core of the Microsoft case.

The government has sought to sidestep the presumption against extraterritoriality by arguing that the statute would not actually be applying outside the United States in this case, even though the e-mails it seeks are in Ireland, because the warrant was served on Microsoft in the United States and because the e-mails wouldn’t actually be seized or searched until they were in the government’s hands in the United States.  The government cites no cases supporting this novel argument.  Regardless, the government ignores two key facts ‒ Microsoft’s computers would be searched when Microsoft ‒ acting at the behest, and as an agent, of the government ‒ looks for the responsive e-mails in Ireland.  Moreover, those e-mails would be seized in Ireland when they are copied.  On this point, Orin agrees that “the seizure would be occurring outside the United States.”  As a result, it seems undeniable that at least a seizure would be occurring in Ireland, meaning that the search warrant would indeed be applying extraterritorially.

Orin raises an argument different from the government’s, asserting that “recent amendments to [Federal] Rule [of Criminal Procedure] 41 … expressly allow extraterritorial warrants.”  But these amendments permit (in certain limited circumstances, such as terrorism investigations) only searches of property outside of the issuing court’s district.  They say nothing about searches or seizures of property located outside of the country.  Not surprisingly, then, courts have uniformly held that Rule 41 does not authorize searches or seizures outside of the territory of the United States.  See, e.g., US v. Odeh, 552 F.3d 157, 169 (2d Cir. 2008).  Moreover, the Supreme Court rejected a proposed amendment to Rule 41 that would have allowed warrants for searches and seizures of property located outside the United States.  See Fed. R. Crim. Proc. 41, Notes of Advisory Committee on Rules ‒ 1990 Amendment.  Consistent with this, the US government has not advanced the argument that Rule 41 authorizes a search warrant for e-mails (or other property) located outside the United States.

There is one narrow exception ‒ Rule 41 authorizes warrants for searches conducted in United States territories, diplomatic missions, and residences owned by the US and used by diplomatic personnel outside the US.  But this is not what Orin seems to be talking about, and it is not what the Microsoft case is about.  Moreover, this exception shows that Congress knows how to make a warrant apply outside of the US when it wants to, which just underscores that it did not do so for any other circumstances in Rule 41.

Thus, neither the SCA nor Rule 41 authorizes warrants for searches or seizures of e-mails (or anything else) outside of the United States.  The presumption against extraterritoriality therefore comes into play, and Microsoft wins.  Case closed.

A second, two-hundred-and-ten-year-old doctrine holds that “an act of Congress ought never to be construed to violate the law of nations if any other possible construction remains.”  Murray v. Schooner Charming Betsy, 6 U.S. (2 Cranch) 64, 118 (1804).  The Supreme Court has repeatedly re-affirmed this principle, stating that US laws should be interpreted “to avoid unreasonable interference with the sovereign authority of other nations.”  F. Hoffman-La Roche Ltd. v. Empagran S.A., 542 US 155, 164 (2004).  Orin doesn’t discuss this Charming Betsy doctrine, but it provides another, independent reason that the SCA should not be construed as authorizing warrants for e-mails located abroad.  For if it were construed in this manner, it could easily lead to conflicts with the laws of the nations where the e-mails are stored.

That is clearly the case here.  For example, EU officials such as Viviane Reding, the Vice-President of the European Commission, have stated that if Microsoft disclosed the e-mails in Ireland, it would run afoul of the EU Data Protection Directive.  It would also run counter to the Mutual Legal Assistance Treaty (MLAT) between the US and Ireland, which presupposes that the US will request assistance from the Irish government when it wants to get its hands on evidence located in Ireland.

So the case for Microsoft seems pretty clear.  Orin goes on to argue that if Microsoft wins, the government could just turn around and use a subpoena to get the same data, which might result in less privacy protection for e-mails than a probable-cause based warrant.  There are two problems with this argument.

First, it strikes me as doubtful that the government would actually try to use a subpoena to obtain the content of e-mails located abroad.  After all, the Justice Department has now given up using anything but warrants to get communications content in general, following the decisions of the Sixth Circuit (in US v. Warshak, 631 F.3d 266 (6th Cir. 2010)) and other courts holding that the Fourth Amendment requires the government to use a warrant to get any communications content.  The Attorney General and other Justice Department officials have also said the Department favors amending ECPA to require a warrant to obtain any communications content as part of a criminal investigation.  Thus, even if the Fourth Amendment’s warrant requirement doesn’t apply to property located outside the US, it seems doubtful to me that the government would try to use a subpoena to obtain e-mail content because of the privacy ramifications (Fourth Amendment aside).  Moreover, using a subpoena, based on a mere relevance standard, would only worsen the international uproar caused by the government’s attempt to unilaterally obtain communications stored abroad.  And it would be sure to generate intense opposition from US communications and cloud service providers.

Second, it is not at all clear that the government could use a subpoena to obtain the content of e-mails that have been in electronic storage for 180 days or less.  (The SCA allows certain other communications content to be obtained with a subpoena, but those are not at issue in this colloquy, so let’s set them aside.)  Orin asserts that if the court agrees that the SCA doesn’t authorize an extraterritorial warrant, then the SCA’s legal protections ‒ in particular, the statutory requirement to use a warrant to get e-mail content ‒ “necessarily … don’t apply,” either.  I don’t think that’s right.  Neither Rule 41 nor the SCA expressly authorizes warrants to be used to get data abroad, so the presumption against extraterritoriality and the Charming Betsy doctrine kick in.  But Section 2702 of the SCA does expressly say that an electronic communications service provider may not knowingly divulge communications content except as authorized by Section 2703 (and a few other provisions), and Section 2703 requires the government to get a warrant.  Section 2702 may not apply to communications providers located outside the United States.  But it clearly does apply to providers inside the United States.  So the SCA legally prohibits Microsoft from divulging any communications content to the government without a warrant.

Moreover, the cases in which the government has been able to get information stored abroad by serving a company in the United States all involve the business records of that company or an affiliate under that company’s control.  I’m not aware of any case in which a court has permitted the government to use a subpoena to a US company to obtain property belonging to someone else or the content of another person’s communications.  Thus, as Microsoft suggests in its reply brief, the government might be able to use a subpoena to a US bank to obtain the business records of the bank’s subsidiary in Switzerland, but it could not use it to obtain the contents of a customer’s safe deposit box there.  It might be able to use a subpoena to a US hotel company to get the records in France concerning one of the company’s properties in Paris, but it could not use one to obtain the belongings of a hotel guest from his room in that Paris hotel.  Similarly, the government might be able to use a subpoena to obtain an e-mail provider’s own business records stored in Dublin (if those records are under the US provider’s custody, possession, or control and the balancing test set out in the Restatement (Second) of Foreign Relations Law of the United States weighs in favor of the government).  But I don’t know of any authority that holds that a subpoena can be used to obtain the content of a subscriber’s e-mails stored abroad.

Does this smack of the providers’ wanting to have it both ways ‒ that is, the SCA doesn’t authorize warrants to obtain the content of e-mails abroad, but it forbids providers from disclosing e-mails in response to a subpoena, regardless of where the e-mails are located?  It may seem that way.  But all it really means is that Congress hasn’t addressed the extraterritoriality issue in the SCA.  This leads us back to the point Orin and I agree on:  if Congress wants search warrants to apply to data stored abroad, despite the negative impact that would have on the business of American e-mail and cloud providers and on the United States’ relationship with other countries, and despite the fact that the government can usually get the information it wants through assistance from foreign law enforcement, it needs to amend the statute to say so expressly.  Balancing the negative effects on business and foreign relations against the needs of law enforcement is a quintessential policy decision that should be made by Congress, not by a prosecutor or judge in the Southern District of New York.

Steptoe Cyberlaw Podcast – Interview with Richard Danzig

Posted in Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Wow, that was quick. I haven’t even turned on the air conditioning at home yet, and already we’ve done the last podcast of the summer.  The Steptoe Cyberlaw Podcast will go on hiatus for August and return after Labor Day!

This week in NSA: The Senate Judiciary Committee, the most anti-NSA of the Senate committees with jurisdiction over the agency, says that it has come up with a new version of the section 215 reform bill passed by the House.  Chairman Leahy says his draft does a better job of protecting privacy than the House bill, and privacy activists agree.  Ordinarily that would mean it’s worse for security, but based on press reports, the bill may actually be an improvement on the lame “selection term” menu proposed by the House.  (And, now that I’ve seen the Leahy bill, that prediction turns out to be right; its definition of “specific selection term” is much more workable.)

Looking distinctly like the proprietor of a fireworks display whose finale fizzled, Glenn Greenwald strains ever harder to find outrage in the quotidian.  NSA, he discloses, has a limited intelligence sharing arrangement with Saudi Arabia.  The Saudis, of course, have a lot of terrorists and jihadists, some of whom have also attacked the United States (Osama bin Laden, to name one).  But none of that matters to Greenwald, who seems to think we should learn about terrorists only from countries with no human rights violations.

The effort to cripple NSA’s overseas intelligence collection program almost as thoroughly as its section 215 program has picked up four Senators – Tester, Begich, Merkley, and Walsh – who sent a letter to that effect.

In other news: Sony settles its traumatic, service-suspending hack for $15 million worth of free stuff for users.  Hats off to Sony’s GC, who struck a brilliant deal.

The 9/11 Commission issues a soft endorsement of “direct action” by private parties who are hacked. Stewart Baker celebrates.

The phenomenon of dueling celebrity magistrates continues.  Is this the first time someone outside of the FISC has felt obliged to write an opinion granting a search warrant?  How sad is that?

Vladimir Putin signs legislation to keep Russian data in Russia.  And the Russian government offers a bounty for attacks on the TOR network.

The Washington Post tells us that the FBI’s “Going Dark” problem is real, quoting our own Jason Weinstein.  We’re sure there’s a drinking game to be built around the President’s plan to talk about drone privacy, but we’re not imaginative enough to find it.  And Congress votes to end DMCA protection for locked cell phones.

Our guest for the day is the eminent Richard Danzig, former Secretary of the Navy, and a defense intellectual’s defense intellectual.  Richard has at last turned his attention to cyber insecurity, with a paper entitled “Surviving on a Diet of Poisoned Fruit.”

Richard’s view is that we can’t treat cyber insecurity as a technical problem, or assume that there are technical solutions.  He advocates for limiting the use of digital technology when it comes to managing critical national security systems, and he defines critical national security assets in a refreshingly direct way.  If the deliberate crashing of a digital system could dissuade the US government from pursuing its national security interests, that system is critical to national security. Stewart wonders if we aren’t already past that point.

Richard argues for international norms limiting cyberattacks, focusing on those that would destabilize mutual assured nuclear destruction.  Stewart expresses doubts about the durability and verifiability of such norms.  We agree on the need for deterrence but not on the mechanisms.

It’s a great workout for cybersecurity wonks, and a good way to ease into Richard’s thoughtful paper.

Download the thirtieth episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

9/11 Commission Gingerly Embraces “Direct Action” Against Hackers

Posted in Cybersecurity and Cyberwar, Security Programs & Policies

I’ve long been an advocate for fewer restraints on how the private sector responds to hacking attacks.  If the government can’t stop and can’t punish such attacks, in my view the least it could do is not threaten the victims with felony prosecution for taking reasonable measures in self-defense.  I debated the topic with co-blogger Orin Kerr here.  I’m pleased to note that my side of the debate continues to attract support, at least from those not steeped in the “leave this to the professionals” orthodoxy of the US Justice Department.

The members of the 9/11 Commission, who surely define bipartisan respectability on questions of national security, have issued a tenth anniversary update to the Commission’s influential report.  The update repeats some of the Commission’s earlier recommendations that have not been implemented.  But it also points to new threats, most notably the risk of attacks on the nation’s computer networks.  No surprise there, but I was heartened to see the commissioners’ tentative endorsement of private sector “direct action” as a response to attacks on private networks:

Congress should also consider granting private companies legal authority to take direct action in response to attacks on their networks.

This “should consider” formulation avoids a full embrace of particular measures, and in that respect it parallels another establishment endorsement of counterhacking.  The Commission on the Theft of American Intellectual Property said in its 2013 report:

Finally, new laws might be considered for corporations and individuals to protect themselves in an environment where law enforcement is very limited.  Statutes should be formulated that protect companies seeking to deter entry into their networks and prevent exploitation of their own network information while properly empowered law-enforcement authorities are mobilized in a timely way against attackers.  Informed deliberations over whether corporations and individuals should be legally able to conduct threat-based deterrence operations against network intrusion, without doing undue harm to an attacker or to innocent third parties, ought to be undertaken.

If repeated tentative embraces are the way new policy ideas become respectable, “direct action” is well on its way.  The 9/11 Commission deserves credit, not just for moving the debate but for contributing a label that gives counterhacking a kind of anarcho-lefty frisson.

A Privacy Law’s “Unintended” But Remarkably Convenient Results

Posted in Privacy Regulation

HIPAA is an arguably well-intentioned privacy law that seems to yield nothing but “unintended” consequences.  I put “unintended” in quotes because the consequences are often remarkably convenient, at least for those with power.  I’m not sure you can call something that convenient “unintended.”

The problem has gotten so bad that even National Public Radio and ProPublica – hotbeds of bien pensant liberalism – have started to notice. This story, for example, could be mined for a host of dubious achievements in privacy law:

In the name of patient privacy, a security guard at a hospital in Springfield, MO., threatened a mother with jail for trying to take a photograph of her own son.

In the name of patient privacy, a Daytona Beach, FL., nursing home said it couldn’t cooperate with police investigating allegations of a possible rape against one of its residents.

In the name of patient privacy, the US Department of Veterans Affairs allegedly threatened or retaliated against employees who were trying to blow the whistle on agency wrongdoing.

When the federal Health Insurance Portability and Accountability Act passed in 1996, its laudable provisions included preventing patients’ medical information from being shared without their consent and other important privacy assurances.

But as a litany of recent examples shows, HIPAA, as the law is commonly known, is open to misinterpretation — and sometimes provides cover for health institutions that are protecting their own interests, not patients’.

“Sometimes it’s really hard to tell whether people are just genuinely confused or misinformed, or whether they’re intentionally obfuscating,” said Deven McGraw, partner in the healthcare practice of Manatt, Phelps & Phillips and former director of the Health Privacy Project at the Center for Democracy & Technology.

At this point, we’ve seen a boatload of stories in which HIPAA produces stupid or bad results.  The real question is whether there are any stories in which HIPAA has produced unequivocally good results – things that wouldn’t have happened without the law.  Otherwise, we’re looking at a law passed to prevent nonexistent abuses that has become a source of abuse itself.  In my view, that’s a recipe for repeal – and pretty much the story of most privacy law.

Steptoe Cyberlaw Podcast – Interview with Orin Kerr

Posted in China, Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Our guest this week is noted computer law guru Orin Kerr, and the podcast is a deep dive into technology and law.

This Week in NSA:  Snowden claims without substantiation that NSA employees are passing naked pix around.  And Greenwald’s venture reports that GCHQ has developed the ability to send spam and to rig web polls.  It’s a true Dr. Evil moment.  What will they think of next – tools that write linkbait article titles?  Really, you won’t believe how this Glenn Greenwald story will break your heart!

Well, that was fast. Last week the UK government announced that it was pursuing legislation ensuring that data retention would continue and ending legal challenges by US companies to the scope of UK investigative powers.  This week, the proposal has passed both houses of Parliament.  It is now law.

Advocates of the right to be forgotten also want you to forget about how the censorship will work.  They successfully pressured Google not to tell users when their search results are bowdlerized.  Now they’re pressuring Google not to tell content owners when their links are dropped down the memory hole.  They also want to make sure the censorship regime applies to the United States and Google’s .com engine.  As the Chinese government has already taught us, it’s not enough to censor Internet news; you also have to censor Internet news about the censorship of Internet news.  Come to think of it, the Chinese also demand that Internet companies self-censor in response to vague hints from regulators, and now so do the Europeans.  Really, if the Chinese had a business method patent on Internet censorship, they could sue Europe for infringing.

And, speaking of privacy law abuses, the Veterans Administration finds that the best way to prevent whistleblowers from complaining about mistreatment of patients is to declare that talking about patients’ mistreatment is a violation of patient privacy.  Lois Lerner’s hard drive also makes an appearance.

The FBI says it’s worried about driverless Google getaway cars.  Of course you’d have to hack them to go faster than a golf cart.  Which raises the question:  Would hacking a car violate the CFAA?  The DMCA?  I ask the experts.

I wouldn’t ordinarily recommend the FBI affidavits that accompany indictments as reading material, but Agent Noel Neeman’s affidavit about Chinese cyberespionage tactics and motivations is remarkably entertaining – and instructive.

In other news, it sure looks like the movement of class action privacy lawyers to West Virginia will begin in Illinois.  And to the surprise of the entire Internet, other than anyone familiar with actual law, the Massachusetts high court declares that, yes, you really can be forced to decrypt your files if the government already knows they’re yours.

Finally, with a critical mass of computer crime lawyers on the show, the four of us perform the lawyer equivalent of speed dating, covering most of the hot topics in technology and law, including the Microsoft search warrant case, the future of the third party doctrine, the evergreen question whether the Computer Fraud and Abuse Act is violated by those who exceed their authorized network access, and the prospects for legislation changing the CFAA or ECPA reform.

Download the twenty-ninth episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

And Who’s Protected by Taxpayer Privacy Laws? Hint: Not Taxpayers

Posted in Privacy Regulation

When you’re in the business of pointing out how often privacy law ends up protecting power and privilege, you never run out of material.

Everyone remembers Lois Lerner, the IRS official who pleaded the Fifth Amendment and refused to testify about her role in the agency’s scrutiny of Tea Party nonprofits.  And everyone remembers her mysterious computer crash making years of emails unavailable in 2011.

Could the messages be recovered with advanced forensics?  We’ll never know, because the IRS so systematically nuked Lerner’s drives that no one could ever recover anything from them.

Why? According to The Hill, “the agency said in court filings Friday that the hard drive was destroyed in 2011 to protect confidential taxpayer information.”

I’m sure the taxpayers will find a way to show their gratitude.

Steptoe Cyberlaw Podcast – Interview with David Medine

Posted in Cybersecurity and Cyberwar, Data Breach, International, PCLOB, Privacy Regulation, Security Programs & Policies

Our guest this week is Chairman of the Privacy and Civil Liberties Oversight Board (PCLOB), David Medine. We do a deep dive into the 702 program and the PCLOB’s report recommending several changes to it. Glenn Greenwald’s much-touted “fireworks finale” story on NSA may have fizzled, but this week David and I deliver sparks to spare.

I question the PCLOB’s enthusiasm for giving new responsibilities to the flawed Foreign Intelligence Surveillance Court (Judge Lamberth and his wall make an appearance). I challenge David’s notion (shared with Judge Wald) that the 702 program, crucial as it is for our terrorism defenses, nonetheless stands balanced so close to the edge of constitutionality that without new minimization restrictions it could tip over into constitutional unreasonableness at any moment. David gets a chance to comment on stories about U.S. citizens whose data is stored by the NSA, including Glenn Greenwald’s disclosure of the Americans targeted by NSA and Bart Gellman’s defense of his Washington Post article. (There we find common ground; like me, David has doubts about the significance of Gellman’s claim that “9 out of 10 accountholders” in NSA’s database aren’t targets.) And we argue over whether NSA analysts need 89,000 new make-work assignments justifying their targets, let alone a massive judicial logjam, before they can search data already gathered lawfully. All in all, a rewarding workout.

The news roundup is truncated to allow more time for the Medine dialogue, but This Week in NSA still includes more Snowdenista journalist misrepresentations, including the demonstrably false claim that NSA has flagged the Linux Journal as an “extremist forum.”

The Senate Intelligence Committee produces a cybersecurity information sharing bill as a bookend to the House’s bill, but getting it to the floor and then to the President is going to be tough in today’s climate and under the current calendar. Maury Shenk tells us the Russians are planning to balkanize the Internet, and in the name of privacy, no less. He also reports that the UK is pursuing stopgap legislation to make sure it doesn’t lose its data retention authority in the wake of an unfavorable ECJ decision, and to allow UK law enforcement to require foreign entities to turn over data under a warrant. David can’t help intervening to remind us that the UK has also proposed creating its very own PCLOB.

Download the twenty-eighth episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.