Header graphic for print

Steptoe Cyberblog

Steptoe Cyberlaw Podcast — News Roundup

Posted in Cybersecurity and Cyberwar, International, Security Programs & Policies

Episode 161: News Roundup

In this episode, Alan Cohn and Maury Shenk look at questions in Europe and elsewhere in Stewart’s absence.  Maury delves into why Google was ordered to turn over foreign data accessible from US, a decision that seems at odds with the Microsoft Ireland case.  Alan considers claims made by David Sanger and William Broad in The New York Times that US blew up North Korea’s most recent missile test, and Jeffrey Lewis’s rebuttal in Foreign Policy.  Alan and Maury both remain skeptical.

Leaving the Korean peninsula, Maury discusses the current effort by EU data protection regulators to enact e-privacy regulations that would, among other things, put in place detailed standards for location tracking and content associated with metadata.  No surprises, but potentially more headaches for US industry.   And back on US soil, Alan comments on the US Justice Department’s apparent decision to reconsider criminal charges against Wikileaks for the CIA cyber-tools leak.  Maury provides some color on the Trump Administration’s (lack of) views on Privacy Shield.

Finally, Alan reviews the bidding on dual-use export controls and cyber technologies, explaining both the most recent negotiations under the Wassenaar Arrangement and the EU’s efforts to amend its dual-use export controls to include cyber-surveillance technologies.

As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 161st Episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also on iTunesPocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Steptoe Cyberlaw Podcast — News Roundup with Julian Sanchez and Gus Hurwitz

Posted in Cybersecurity and Cyberwar, International, Privacy Regulation

Episode 160: News Roundup with Julian Sanchez and Gus Hurwitz

This week the podcast features an extended news roundup with two guest commentators – Julian Sanchez of the Cato Institute and Gus Hurwitz of Nebraska Law School.

We talk about the latest, mostly overhyped, Shadowbrokers dump, and whether Google Translate can be taught to render plain text into Shadowbrokerese as well as Klingon.

Stephanie Roy kicks off speculation about the future of net neutrality in the Pai FCC. The future looks bright for litigators.

Abbott Labs takes a short but brutal session in the woodshed from the FDA. Looks like Abbott’s now-subsidiary, St. Jude Medical, knew for years that its backdoor could be found by outsiders, but it stuck to the view that hardcoded access was a feature not a bug.  Too bad Uber has already trademarked the name, because if ever there were a feature that deserved to be called “God mode,” this is it.

Burger King triggers a technical battle with Google and an editing war with Wikipedia with a commercial that begins, “Okay, Google, what’s a Whopper burger?”  But, law nerds that we are, all we can talk about is whether Burger King is liable under the Computer Fraud and Abuse Act.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 160th Episode (mp3).

Subscribe to the Cyberlaw Podcast here.  We are also on iTunesPocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Steptoe partner Stewart Baker with Julian Sanchez

Steptoe partner Stewart Baker with Julian Sanchez

Steptoe Cyberlaw Podcast – Interview with Nicholas Weaver

Posted in Data Breach, International, Privacy Regulation

Episode 159: Interview with Nicholas Weaver

Our guest interview is with Nick Weaver, of Berkeley’s International Computer Science Institute.  It covers the latest dumps of hacker tools, the vulnerability equities process, the so-bad-you-want-to-cover-your-eyes story of Juniper and the Dual_EC hacks, and ends with a tour of recent computer security disasters, from the capture of a bank’s entire online presence, to the pwning of Dallas’s emergency sirens, and a successful campaign to compromise the outsourcing firms that supply IT to small and medium sized businesses.

In the news roundup, Maury Shenk, and Jamil Jaffer, of George Mason’s National Security Law & Policy Program, talk with me about the likely outcome of the European movement to regulate encryption.  The bad news for Silicon Valley is that the US isn’t likely to play much of a moderating role when the Europeans tighten the screws.

In other news, Jennifer Quinn-Barabanov explains the two-front battle that Wendy’s is facing (and mostly losing) over data breach liability.

I acknowledge the latest Silicon Valley fad:  filing lawsuits on behalf of their customers’ privacy.  So far, Twitter has chalked up a win, and Facebook a loss.

LabMD has also chalked up another win, this time in a Bivens action to hold FTC officials personally liable for aggressively enforcing the law against the company as punishment for its outspoken critique of the Commission.  The case has mostly survived a motion to dismiss.

Meanwhile in Massachusetts, outmoded privacy laws continue to burden would-be undercover journalists, and Jennifer reports that the prospects for invalidating a law banning recordings of oral conversations on first amendment grounds took a hit last week, at least as it relates to public officials.

Finally, in other computer security news around the globe, Germany’s security services are claiming a lack of authority to take needed action in response to cyber threats.  In India, in contrast, enthusiasts for better attribution of India’s populace are forcing everyone to register in a detailed identity database – despite the efforts of India’s top court to ensure that the system remains voluntary.  The death of anonymity will be a prolonged affair, but the outcome seems inevitable

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 159th Episode (mp3).

Subscribe to the Cyberlaw Podcast here.  We are also on iTunesPocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Steptoe partner Stewart Baker with Nick Weaver

Steptoe partner Stewart Baker with Nick Weaver

Steptoe partner Stewart Baker with Jamil Jaffer

Steptoe Cyberlaw Podcast – Triple Entente Beer Summit III

Posted in International, Privacy Regulation, Security Programs & Policies

Episode 158 is a bonus episode – the Triple Entente Beer Summit, where members of the Steptoe Cyberlaw Podcast, the Lawfare Podcast, and the Rational Security Podcast assemble over beer to comment on the events of the week – or in this case, the day, since it was among the most news-filled days of President Trump’s young presidency.  We cover the (then pending) attack on Assad’s forces in Syria, the future of the Russia election/surveillance investigation, and the meaning of changes to the National Security Council.  It’s also the time each year when our audience gets to ask us questions, and that turns out to be among the most entertaining parts of the program.

As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 158th Episode (mp3).

Subscribe to the Cyberlaw Podcast here.  We are also on iTunesPocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Steptoe partners Michael Vatis (left) and Stewart Baker (right) at Triple Entente Beer Summit

Steptoe partners Michael Vatis (left) and Stewart Baker (right) at Triple Entente Beer Summit

Stewart Baker Announces Winner Podcast Mug

Stewart Baker Announces Winner Podcast Mug

 

Steptoe Cyberlaw Podcast Mug Winner

Steptoe Cyberlaw Podcast Mug Winner

Live audience

Live audience

Steptoe Cyberlaw Podcast – Interview with Joshua Corman and Justine Bone

Posted in Privacy Regulation, Security Programs & Policies

Episode 157 digs into the security of the medical internet of things.  Which, we discover, could be described more often than we’d like as an internet of things that want to kill us.  Joshua Corman of the Atlantic Council and Justine Bone, CEO of MedSec, talk about the culture clash that has made medical cybersecurity such a treacherous landscape for security researchers, manufacturers, regulators, and, unfortunately, a lot of patients who remain in the dark about the security of devices they carry around inside them.

In the news roundup, Phil Khinda takes us through the likely trend in SEC cybersecurity enforcement in the new administration.  Stephen Heifetz does the same for the Committee on Foreign Investment in the United States, or CFIUS.

I claim that Eli Lake’s Bloomberg story finally explains why Republicans think that Obama administration surveillance and unmasking of Trump team members needs to be investigated. Stephen calls it a distraction.

In other news, Buzzfeed gets taken down by a lawyer with a sense of humor, big claims are made for the impact of the third Wikileaks Vault7 document dump, and Donald Trump may have forgiven Apple.  Finally, Jim Comey’s twitter account may have been outed; that’s the story, because the tweets themselves are anodyne in the extreme.

For those wanting to dig deeper into medical device cybersecurity, Joshua Corman recommends the following links, all referenced in the interview:

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 157th Episode (mp3).

Subscribe to the Cyberlaw Podcast here.  We are also on iTunesPocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Steptoe Cyberlaw Podcast – Interview with Michael Daniel

Posted in Cybersecurity and Cyberwar, International

156: Interview with Michael Daniel

Our interview is with Michael Daniel, former Special Assistant to the President and Cybersecurity Coordinator at the White House and current President of the Cyber Threat Alliance.  We ask Michael how the new guys are doing in his job, what he most regrets not getting done, why we didn’t float thumb drives filled with “The Interview” into North Korea on balloons, and any number of other politically incorrect questions.  His answers are considerably more nuanced.

In the news roundup, we note that the second Wikileaks release is a damp squib, full of outmoded Apple exploits.

Michael Vatis and I unpack the Third Circuit ruling upholding imposition of contempt penalties on a defendant who has “forgotten” the password to his child porn trove.  It turns out that the case offers a road map for prosecutors and police who want to make sure no one ever forgets a password in their jurisdiction.

Stephanie Roy notes that Congress has begun the process of repealing the ISP privacy and security regulations adopted under Chairman Wheeler.  What, if anything, will replace them, and when, is a matter for lengthy speculation.

I note that the privacy zealots of Silicon Valley have fatally miscalculated the kind of support they’ll get in Europe for end-to-end encryption.  Face it, guys, Europe hates you no matter what you do, and they’ll happily impose massive fines both for violating user privacy and for protecting it too well.

Does GCHQ spy on Americans for NSA?  Nope.  The real question is whether Rick Ledgett, number 2 at NSA, has already stopped sounding like a government employee when he talks to the press.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 156th episode (mp3).

Subscribe to the Cyberlaw Podcast here.  We are also on iTunesPocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Steptoe partner Stewart Baker pictured with Michael Daniel

Steptoe partner Stewart Baker pictured with Michael Daniel

 

Steptoe Cyberlaw Podcast – Debate with Greg Nojeim and Jamil Jaffer

Posted in Cybersecurity and Cyberwar, Data Breach, International, Security Programs & Policies

155: Debating Hackback

Episode 155 of the podcast offers something new:  equal time for opposing views.  Well, sort of, anyway.  In place of our usual interview, we’re running a debate over hacking back that CSIS sponsored last week.  I argue that US companies should be allowed to hack back; I’m opposed by Greg Nojeim, Senior Counsel at the Center for Democracy & Technology and Jamil Jaffer, Vice President for Strategy & Business Development of IronNet Cybersecurity.  (Jeremy Rabkin, who was supposed to join me in arguing the affirmative, was trapped in Boston by a snowstorm.)

In the news, we can’t avoid the unedifying – and cynical – spat between press and White House over wiretapping.  Turning to legal news, I note the DC circuit’s adoption of a cursory and unpersuasive reading of the Foreign Sovereign Immunities Act in the context of state-sponsored hacking of activists in the United States.  Maury Shenk unpacks the latest ECJ opinion refusing to apply the “right to be forgotten” across the board to government databases.  So far, the only clear application is to American tech giants.  That’s also true of the latest German proposal to make the internet safe for censors, government and nongovernment alike.  As Maury explains, the German Justice Minister is proposing fines up to $50 million for tech giants that don’t censor online speech fast enough or hire enough European private censors to keep up with the workload.

The Justice Department’s indictments in the Yahoo! hack show just how remarkably intertwined Russian intelligence and Russian cybercrime have become.

Alan Cohn and I chew over the latest developments in the new administration’s approach to cybersecurity – a determination to cripple botnets more effectively, and a willingness to exempt SHS cyber programs from what looks like a drastic set of budget cuts for nondefense agencies.  Whether the administration can make progress on botnets while sticking to voluntary measures is uncertain; equally uncertain is whether the plus-ups for DHS cyber reflects satisfaction with the agency’s performance on that mission in recent years.

Finally, Maury and I ask whether the German government is surrendering to reality in pursuing more effective video surveillance of possible criminals and terrorists.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 155th episode (mp3).

Subscribe to the Cyberlaw Podcast here.  We are also on iTunesPocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Steptoe Cyberlaw Podcast – Interview with Curtis Dukes and Tony Sager

Posted in Cybersecurity and Cyberwar, Data Breach, Security Programs & Policies

Episode 154:  What cybersecurity experts tell their Moms about computer security

In this week’s episode, we ask two acknowledged NSA cybersecurity experts, Curtis Dukes and Tony Sager, both from the Center for Internet Security, what they tell their family members about how to keep their computers, phones, and doorbells safe from hackers.

Joining us for the news round-up is Carrie Cordero, a Washington lawyer who focuses on national security law, homeland security law, cybersecurity and data protection issues.  She is also an adjunct professor of Law at Georgetown University.

Topping the news is the Wikileaks Vault7 release, including Assange’s mischievous offer to work with Silicon Valley to fix vulnerabilities before they’re disclosed.  Carrie, Markham Erickson, and I comment.

Stephanie Roy reports that the FCC is investigating a 911 outage at AT&T; so far the agency has been tight-lipped about the details.

Home Depot is nearing the finish line in its data breach ordeal, Jennifer Quinn-Barabanov reports.  The banks that had to reissue credit cards were among the last holdouts; they’re getting $25 million, which sounds like a lot until you do the math and realize it’s two bucks a card.

Jennifer tells us that another defense effort to moot a TCPA class action by picking off a named plaintiff has been thwarted – this time by the Second Circuit.

Tom Graves (R-GA) has introduced a hackback defense to CFAA liability.  Markham and I trade barbs over the wisdom of allowing hackback defenses, but we reach agreement on the depth of Uber’s greyballing problems – and the risk that more companies will use big data to disfavor some customers without telling them.

Carrie reports on developments in the FBI-Geek Squad imbroglio, and I mock the reporters who have bought the deeply unappealing defendant’s claim to be a civil liberties victim.

Last, and well worth the wait, Jennifer and I update our listeners on the latest in CyberSexToy privacy.  Turns out the records of interactions with your internet-enabled vibrator can be compromised for a surprisingly low settlement price.  Maybe now we really ought to call the time of death for internet privacy.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 154th episode (mp3).

Subscribe to the Cyberlaw Podcast here.  We are also on iTunesPocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

 

Steptoe partner Stewart Baker pictured with Curtis Davis, Tony Sager and Carrie Cordero

Steptoe partner Stewart Baker pictured with Curtis Dukes, Tony Sager, and Carrie Cordero

Steptoe Cyberlaw Podcast – Interview with Matt Tait

Posted in China, Cybersecurity and Cyberwar, International, Privacy Regulation, Security Programs & Policies

Episode 153:  Fancy Bear, Cozy Bear, and … Sneaky Bear?

In this episode, Matt Tait, aka @PwnAllTheThings, takes us on a tour of Russia’s cyberoperations.  Ever wonder why there are three big Russian intel agencies but only two that have nicknames in cybersecurity research?  Matt has the answer to this and all your other Russian cyberespionage questions.

In the news, we mourn the loss of Howard Schmidt, the first cyber czar and one of the most decent men in government.  Then we descend into the depths of the Trump wiretap story.  I reprise some of my views from Lawfare.  Michael Vatis is not persuaded.

After Microsoft’s refusal to provide data stored in the cloud outside the US was upheld in the Second Circuit, things looked rosy for its position.  But now two magistrates in a row have rejected that position.  Michael and I discuss the latest ruling.

Maury Shenk is now our official commentator on the legal consequences of Internet-enabled toys.  This time it’s teddy bears, whose interactions with children and parents were exposed by hackers.

More seriously, Maury praises an impressive new analysis of China’s 50c army of tweeters.  It turns out that everything we thought we knew about the 50c army is wrong. 

Just in time for an early spring, we have harbingers of the coming fight over reauthorization of the 702 intercept program.  Director of National Intelligence candidate Coats promises to put a number on the US persons whose communications are caught up in the program, the Electronic Frontier Foundation (EFF) and other NGOs turn on both the US government and Silicon Valley to urge that Privacy Shield be held hostage to changes in the program.  And the incoming Commerce Secretary, Wilbur Ross, endorses Privacy Shield, a move that may validate EFF’s tactics.

As always, the Cyberlaw Podcast welcomes feedback.  Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785

Download the 153rd episode (mp3).

Subscribe to the Cyberlaw Podcast here.  We are also on iTunesPocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

 

Steptoe Cyberlaw Podcast – News Roundup with Paul Rosenzweig

Posted in Cybersecurity and Cyberwar, International, Security Programs & Policies

Episode 152: “Alexa, do you have first amendment rights?”

Our guest for episode 152 is Paul Rosenzweig, and we tour the horizon with him.

In the news roundup, Stephanie Roy outlines the deregulatory tangle around ISPs, privacy, security, and the FCC.  Maury Shenk briefs us on the European legislation authorizing the quashing of terrorist advocacy on line.  Jennifer Quinn-Barabanov explains when standing is a defense against privacy claims and when it isn’t.  Together, we remark on the latest example of formerly stodgy banks embracing their inner plaintiffness.

Maury explains why the Germans have banned Cayla the talking (and listening!) doll.  I ask whether the Germans next plan to ban speakerphones.  (Likely answer:  only if they come from America.)

Paul and I dig into the Amazon claim that the first amendment prevents enforcement of a criminal discovery order seeking Amazon Echo recordings.  Hey, the suspect might have been ordering books, and that’s a first amendment activity, says Amazon, and anyway, what Alexa said back to the suspect was an exercise of Amazon’s first amendment rights.  These arguments cry out for the command most frequently heard by my music-playing Echo:  “Alexa, that’s enough.”

Almost as unpersuasive to Paul and me is magistrate judge David Weisman’s refusal to issue an order allowing the police to search a home and make anyone on the premises put their fingers on their iPhones to unlock them.  That act is testimonial in Weisman’s opinion because, well, because he says it is.  (His fourth amendment analysis is better, but hardly compelling.)

Paul explains the dramatic clash of cultures hidden in the otherwise esoteric battle between the GSA’s inspector general and “18F,” an Obama-meets-Silicon-Valley effort to streamline government IT development.  Like any good tragedy, you knew from the start that this trainwreck was coming, but you still can’t look away.

The draft cyber executive order still isn’t out, despite what looks like a much more disciplined vetting process than other EOs went through. What’s the reward for running a good interagency process in a White House not noted for such discipline?  The Homeland Security Council may get folded under the National Security Council.

No one has heard of the National Association of Secretaries of State in 50 years.  And if you want to know why, we say, look no further than NASS’s foolish resolution objecting to the designation of electoral systems as “critical infrastructure.”

Finally, Paul and I noodle over DHS’s request that Chinese visitors to the US voluntarily disclose their social media handles.  I predict that this puts the frog in the pot and the stove on simmer.  Meanwhile, Paul finds one border security measure that even I wouldn’t adopt.

As always, the Cyberlaw Podcast welcomes feedback.  Send email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 152nd episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunesPocket Casts, and Google Play!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.