LXBN TV interviewed me about the recently announced IRS rules on Bitcoin and the future of the virtual currency. The interview can be found here:
We used to talk about the “borderless” environment of the Internet. These days, that view is looking increasingly outmoded and utopian, in large part because of the intersection of law enforcement and privacy concerns. Steady increases in regulation (and in enforcement of existing regulation) in these areas are prompting two types of responses by global businesses:
- delivery of Internet services using servers and other facilities located in the country or region (e.g. the European Union) where the services are provided; and
- global compliance with the regulation of one country or region.
A couple of developments in the first half of April illustrate these two approaches:
- The European Court of Justice (ECJ) found the European Data Retention Directive inconsistent with EU privacy and data protection law, as my colleague Daniella Terruso has already reported on this blog. This 2006 directive required all EU member states to adopt laws requiring public communications operators to retain data on user communications for 6 to 24 months. One of the bases for the ECJ decision was that the directive did not require retention of data within the EU (although some member states have imposed such a requirement via their national legislation). In our experience, many US-headquartered companies were already pursuing local retention strategies – for data retained under the directive, and otherwise – and the ECJ decision is likely to accelerate this trend.
- Microsoft obtained confirmation from the national data protection authorities of the EU’s 28 member states that its cloud services are subject to requirements of EU data protection law wherever the data are stored (at least for customers who opt to accept these protections through a contractual addendum), and therefore are fully compliant with that law for global customers.
Earlier examples of both types of responses are numerous, and in fact it is US regulation which has previously been the largest driver of such actions. Global companies are familiar with the need to comply with US law that has extraterritorial effect on such areas as securities, mergers, export control, and anti-corruption. And the US FBI has long worked with other US regulators to strongly encourage foreign operators to maintain facilities in the United States to permit interception of communications. We have long expected this approach to bite back at US companies, and now, increasingly, it is. Major emerging markets like China, India, Brazil, and Turkey have been among the quickest to apply their national laws aggressively to maintain jurisdiction over foreign companies that wish to access their growing markets.
Beyond explicit regulation, there are increasing commercial drivers for businesses to retain locally or comply globally. For example, for the last few years, many European providers of Internet and cloud services have argued that non-US customers should be reluctant to use US service providers, because of the accessibility of data in the United States to US law enforcement. In fact, this argument is suspect from a legal perspective, because US law and practice are significantly more protective of the privacy of customer data than the law and practice of many European countries. For example, in the UK, the Regulation of Investigatory Powers Act 2000 allows a huge number of government bodies (including tax authorities and fire departments) to obtain communications data (e.g. information on the calling and called party, location for mobile calls, etc.) without court involvement. And Italy leads the world in real-time wiretaps of communications. But these points have started to ring a little hollow in the wake of the Snowden disclosures, and have prompted significant action.
In short, watch this space. Localization of Internet facilities and globalization of compliance with data regulation are likely to continue to increase in coming years.
Depending on the new Commission’s level of ambition when it takes office in the Autumn, this week’s European Court of Justice preliminary ruling (Cases C-293/12 and C-594/12), which found a 2006 Directive invalid, could prove an opportunity to re-think the EU approach to privacy and protecting personal data.
When we think about the EU and privacy, the controversial data protection reform package with its headline-grabbing features (e.g. anti-trust style fines for data breaches of up to 2% of a company’s global turnover) springs to mind. While this package is, indeed, the keystone of Union privacy law, other legislation also deserves attention.
This week, the spotlight was turned on the 2006 Data Retention Directive (DRD, for which the Home Affairs Commissioner, currently Cecilia Malmström, is responsible) and the 2002 e-Privacy Directive (for which the Digital Agenda Commissioner, currently Vice-President Neelie Kroes, is responsible). Both contain provisions on data retention for law enforcement purposes. Both will be reviewed shortly. The Court’s preliminary ruling invalidated the DRD and will augment the pressure for rapid reform.
Joined cases brought by privacy advocates from Ireland and Austria gave the European Court of Justice the opportunity to set out its views on how far restrictions to EU citizens’ rights may be justified in the general interest and how much discretion may be left to Member States to legislate within the single market.
The first notable point is that the Court underscored the extent to which the DRD impinges on EU citizens’ rights. The Court stated that the DRD “entails an interference with the fundamental rights of practically the entire European population.” It “covers, in a generalized manner, all persons and all means of electronic communication as well as all traffic data without any differentiation, limitation or exception.”
Second, the Court found that the DRD “interferences” could only be justified if clear and precise rules had been set out in the legislation as well as minimum safeguards against the risk of abuse and unlawful access and use of the data collected. The Court found it unacceptable that important aspects of the Directive had been left to Member State discretion.
Third, the Court faulted the legislators for not requiring the data to be retained within the European Union, stating this ran counter to Article 8(3) of the European Charter of Fundamental Rights and settled case-law requiring control of the data by an “independent authority of compliance.” The full implications of this aspect of the ruling remain to be seen, but this could boost the campaign by some Europeans to create a so-called “Schengen cloud” to store European data.
In many respects, most of this ruling is relatively unsurprising. The DRD has been a challenge from the start. A handbook of best practices, a non-binding tool to assist industry, law enforcers, and Member States replaced what should have been greater clarity in the legislative text. Questions have been raised for some time about the mismatch between DRD obligations and actual needs. Given the differing national retention requirements, cross-border police and judicial cooperation is rather difficult and operators highlight the high cost of compliance.
The Commission had been expected to await the outcome of the negotiations on the data protection package, and the review of the e-Privacy Directive before embarking on any reform of the DRD. The Court ruling may mean this sequence of events is now revised. Now that legal action is complete, the Commission may also resume infringement proceedings against Member States for faulty DRD implementation.
The next Justice, Home and Digital Agenda Commissioners should make protecting personal data an early priority and complete the legislative framework in the initial years of their new term of office. Pressure from the Court and elsewhere will ensure that European solutions are prioritized. Meantime, for data retention, market operators will remain subject to national legislation.
In this week’s episode, we explore the latest FOIA tussle between the FBI and ACLU over NSA and the dog-bites-man story of Larry Klayman losing another long-shot appeal. This Week in NSA focuses on the Bloomberg story claiming that the agency is exploiting the Heartbleed flaw. Kudos to NSA for managing to persuasively deny the thinly sourced and dubious story before the day’s news cycle was complete. Even so, the White House defensively rolls out a new policy on zero-days. We chew on the critical question: Can you win a Pulitzer for writing a false story if it prompts a new White House policy?
Jason notes the largely unsurprising result in the Wyndham case and the FTC’s effort to lock Facebook and Whatsapp into their current privacy policies. And just to show that we don’t always harsh on the FTC, Jason describes the commission’s charges against a site that really lived up to its name – jerk.com.
The European Court of Justice makes news, striking down parts of the data retention directive that have long distinguished Europe as a far less privacy-protective jurisdiction than the United States. Maury Shenk, our European correspondent, has the analysis.
Continuing a tutorial in class action tactics, Jason talks about the Target litigation being consolidated in Minnesota.
The Justice Department and the FTC issue antitrust guidance designed to ease the fears of companies that sharing cybersecurity information will create antitrust liability. It doesn’t say anything that couldn’t have been said fourteen years ago – and was. I’d call it Groundhog Day II but I think that’s recursive.
International cyberdiplomacy is slowly recovering from the Snowden leaks, though successes are still thin on the ground. The US tries a creative (if rather handwringing) response to Iran’s DOS attacks on banks, and it tries candor (without much success) on China.
Our special guest, Dan Sutherland, served under all four DHS secretaries and is now the chief lawyer for the DHS component charged with cybersecurity, biometrics, and telecommunications. He comments on the antitrust agencies’ information-sharing guidance and conveys DHS’s latest thinking on how regulatory agencies will use the NIST cybersecurity framework to incentivize better network hygiene.
This week’s podcast features a conversation with none other than Lawfare’s own Ben Wittes. But it begins as usual with This Week in NSA: A Reuters story claims that researchers showed something bad about the way NSA influenced the Dual EC encryption standard. The story glided insouciantly over two of the more newsworthy aspects of the researchers’ work: (1) They couldn’t actually find the weakness everyone has been assuming and (2) Practically no one is using the supposedly flawed standard, so practically no one is at risk. In other NSA news, a civil libertarian academic who was part of the President’s expert group on NSA published a candid assessment of the agency – almost all of it positive. And Yahoo! has finally been able to encrypt its back-office communications – aiming at NSA and hitting foreign law enforcement squarely between the eyes.
In This Week in Reruns, LabMD is back from the dead, maybe. Michael Vatis discusses the company’s latest filing and its chances of turning the case around. Jason Weinstein reports that the banks that sued Target’s security assessor have had second thoughts. Microsoft’s search of Hotmail to protect its property yields a guilty plea; but the company will still be cleaning up after the search long after this defendant has served his sentence. And the latest chapter in Google’s struggle with the most famous ten-second video performance in history ends abruptly.
Despite its name, The Onion Router doesn’t really turn your messages into spoofed news stories (cool as that would be). Also known as TOR, it is the US-government-funded security tool that has won fans among human rights campaigners and pedophiles. Now, Jason reports, law enforcement is finding ways to at least dent the security TOR provides.
And a handful of federal magistrates have discovered the sweetest gig in the judicial branch. They can make law that goes viral without worrying about being reversed. As long as they rule against the government. As many have been doing, imposing limits on computer search warrants as a condition of signing them. Jason and I discuss the merits and motivations of these rulings – and what Justice can do about them.
Finally, Ben Wittes joins the fray, previewing his testimony to the House Foreign Affairs Committee. He discovers hidden connections between the AUMF and section 702 interception authority. Speaking of section 702, Ben and I dig deeper into the House Intelligence Committee’s redraft of the section 215 metadata authority, which could be marketed as 702 Jr. We explore the politics and policy behind the bill, and the President’s determination to carve out a sliver of difference with the committee, and what’s wrong with the widespread assumption that the telcos have at least eighteen months’ worth of back data that can be exploited even if NSA destroys its current database.
Last week the IRS announced that Bitcoin would be treated as property, rather than currency, for tax purposes. That means the virtual currency will be subject to very real capital gains taxes when used to make purchases. So is this good or bad for Bitcoin? Well, that depends on whether you view the glass on Bitcoin as half-empty or half-full.
If your glass is half-empty, you’ll see the rule as creating a practical obstacle to using Bitcoin in everyday transactions that undermines the ease of use that was part of its appeal in the first place. Under the new rule, if you pay for a product or service with Bitcoins, you’ll have to pay tax on the increase in value from the date you acquired each Bitcoin to the day you spent it. That’s not an easy thing to keep track of, especially since Bitcoin’s volatility means you may have paid very different prices for your Bitcoins. That’s sort of like paying for something at a store with individual shares of stock that you may have acquired on different days and at different prices, and trying to select the share that will result in the smallest capital gains. You may also bristle at the fact that wages paid in Bitcoins are subject to income-tax withholding and that payments of $600 or more made in Bitcoins are subject to IRS reporting requirements, which complicates the anonymity relished by many Bitcoin users.
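To make the record-keeping problem in the previous paragraph concrete, here is an added Python example; it is not from the post, and the dates, prices and quantities in it are constructed. It tracks bitcoins in acquisition lots (the “individual shares of stock” analogy) and computes the gain recognised when a fraction of the holdings is spent, under two lot-selection rules assumed here for illustration: oldest-first (FIFO) and specific identification of the highest-basis lots, which is the “select the share that will result in the smallest capital gains” strategy.

```python
"""Lot tracking for a bitcoin spend: constructed illustration, not the blog's code.

Each purchase is a lot with its own cost basis. Spending some bitcoins consumes
one or more lots, and the gain on each consumed slice is
(spend-day price - basis) * quantity. Which lots get consumed depends on the
selection rule, so the same spend can produce very different recognised gains.
"""
from copy import deepcopy
from dataclasses import dataclass
from decimal import Decimal


@dataclass
class Lot:
    acquired: str    # ISO date the lot was bought (constructed)
    qty: Decimal     # bitcoins still held in this lot
    basis: Decimal   # USD paid per bitcoin when acquired


def sample_lots():
    """Constructed holdings bought at three very different prices."""
    return [
        Lot("2013-01-15", Decimal("2"), Decimal("15")),
        Lot("2013-11-20", Decimal("1"), Decimal("800")),
        Lot("2014-02-10", Decimal("1"), Decimal("600")),
    ]


def spend(lots, qty, price, method="fifo"):
    """Consume `qty` BTC at spend-day `price` and return the recognised gain,
    a per-lot disposal record (the paperwork), and the lots left over.

    method="fifo"     : oldest lot first (assumed default rule).
    method="min_gain" : highest-basis lot first, i.e. specific identification
                        chosen to minimise the recognised gain.
    The input list is not modified.
    """
    lots = deepcopy(lots)
    qty, price = Decimal(qty), Decimal(price)
    if qty > sum(lot.qty for lot in lots):
        raise ValueError("spend exceeds bitcoins held")
    if method == "fifo":
        order = sorted(lots, key=lambda lot: lot.acquired)
    elif method == "min_gain":
        order = sorted(lots, key=lambda lot: lot.basis, reverse=True)
    else:
        raise ValueError(f"unknown method {method!r}")

    gain, remaining, disposals = Decimal(0), qty, []
    for lot in order:
        if remaining == 0:
            break
        take = min(lot.qty, remaining)
        slice_gain = (price - lot.basis) * take
        disposals.append({"acquired": lot.acquired, "qty": take,
                          "basis": lot.basis, "price": price, "gain": slice_gain})
        gain += slice_gain
        lot.qty -= take
        remaining -= take
    return {"gain": gain, "disposals": disposals,
            "lots": [lot for lot in lots if lot.qty > 0]}


if __name__ == "__main__":
    # Spend 1.5 BTC on a day the price is 450 USD, under both rules.
    for method in ("fifo", "min_gain"):
        result = spend(sample_lots(), "1.5", "450", method)
        print(f"{method}: gain {result['gain']}")
        for d in result["disposals"]:
            print(f"  {d['qty']} BTC from lot {d['acquired']} "
                  f"(basis {d['basis']}): gain {d['gain']}")
```

With the constructed lots, spending 1.5 BTC at 450 USD recognises a gain of 652.5 USD under FIFO (all of it comes out of the 15-USD lot) but a loss of 425 USD under specific identification of the high-basis lots, which is exactly why the selection bookkeeping matters.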
But if your glass is half-full, you’ll see the IRS rule as a step toward further legitimacy for Bitcoin, a recognition that it’s an increasing presence in our economy as both a medium for transactions and as an asset. You’ll view increasing certainty regarding the regulatory treatment of Bitcoin as good for its development. And if you hold Bitcoins for investment, you may even focus on the fact that Bitcoins now will be subject to a lower tax rate than if they were taxed as a currency.
More generally, the IRS rule raises the fundamental Catch-22 of Bitcoin: the more it’s regulated, the more stable it will become, but the more it may drive away those “early adopters” who were drawn to it precisely because it was anonymous and unregulated. I’ve written more about that issue here.
Warren Buffett recently called Bitcoin a “mirage,” and it’s fair to say that no one ever made money betting against Warren Buffett. (Speaking of which, Mr. B – is there a prize for getting the fewest number of games correct in the NCAA Tournament? If so, call me.) But prominent venture capitalists continue to be bullish on Bitcoin’s future, and more retailers are accepting Bitcoins seemingly every week.
The bet here is that Bitcoin has sufficient momentum that it’s not going away anytime soon. Especially if some smart app developers figure out how to automate the tax calculation process to offset some of the practical complications for users. But if those app developers get paid in Bitcoins, they should remember to pay their taxes.
Our special guest this week is Michael Allen, former Majority Staff Director of the House intelligence committee. Mike is the founder of Beacon Global Strategies and the author of Blinking Red, the story of the creation of the Director of National Intelligence.
We drag him into the program from the beginning, getting his take on his old committee’s proposal to replace NSA’s 215 metadata program with one where the data remains with the telephone companies. I puzzle over the Obama administration’s booted opportunity to work with a bipartisan coalition on reforming 215 and its determination to instead pursue the affections of privacy lobbyists who want the FISA court to review every search of the telcos’ data.
Mike Allen reflects on the most significant contributions of Chairman Mike Rogers to the intelligence committee from which he is unexpectedly retiring. He evidently plans to become a radio show host concentrating on national security affairs. I speculate that he was forced into Old Media because the niche for podcasts on national security law has now been so definitively filled by the Steptoe Cyberlaw Podcast.
In other news, the FISA court is getting a new chief judge. And China has promised to bolster its cybersecurity while protesting news that Huawei was hacked by NSA; it would only be fair if the administration declared, as China has so often when accused of hacking a US defense contractor, “Hey, we’re victims of hacking too. Tell us what you know about this alleged hacking and maybe we can help.”
This Week in Target produces a surprise — banks suing not just Target but also its security assessor. Is this a sign of strength or an admission that Target itself may have a pretty good defense to claims that it violated the PCI standards? Jason Weinstein thinks it’s an augury of things to come, and that other security auditors may face such litigation, especially if they provide some of the services they’re supposed to be auditing.
Microsoft is in the privacy cement mixer this week. After admitting that it opened a subscriber’s Hotmail account to track an employee who was leaking its business secrets, it first said it had every right to do so, then said it would only do so with the approval of a retired federal judge, and finally said it would leave that sort of thing to law enforcement. Michael Arrington, who rarely misses an opportunity to make headlines, accused Google of doing the same with Gmail. But the incident was years ago, and Google has denied it — while acknowledging that, like Microsoft, its terms of service very likely permit it to access Gmail for that purpose. Michael Vatis and I speculate about what this means for actions to protect Microsoft customers, since many webmail security measures require that the operator aggressively investigate malware distributors using its network; if those security measures must now wait for law enforcement investigations, we’ll all be pwned by the end of the year, and we’ll have privacy to thank for it.
Jason reports that Bitcoin is getting a modest amount of establishment recognition, but bitcoin owners will get new paperwork headaches and the traceability of their holdings will increase dramatically, as the IRS starts treating bitcoins as assets subject to capital gains calculations.
The sordid, pigs-at-the-trough spectacle of nonprofits squabbling over who will get the windfall from cy pres settlements of privacy suits reaches new heights as a new $8.5 million payout is finally approved. And the European Court of Justice rules that ISPs must block copyright-infringing sites. (How? Don’t bother us with details, we’re European jurists.) And the actress who’s gotten more publicity, public sympathy, and judicial somersaults from a ten-second YouTube performance than anyone in history is back to complain that Google isn’t doing enough to keep her performance from the public.
Returning to Mike Allen, we talk about his book, and how Henry Hyde killed one version of the 9/11 intelligence reform bill with a well-timed bon mot on the intelligence of House and Senate members. The difference in style between Bush and Obama legislative relations is explored, gingerly. And Mike reflects on what produced the astonishing breakdown in relations between the CIA and the Senate Intelligence Committee.
According to the New York Times, the President has decided to kill the existing NSA phone metadata program and come up with a substitute that leaves the metadata with the phone companies. The decision will limit the government’s ability to find older connections, since few companies hold records for three or more years; it will also be hard to construct a social graph that combines customers of different carriers.
This may have been inevitable but even so, the President’s decision is disappointing for other reasons. The key passage for the future is this one from the NYT story:
In recent days, attention in Congress has shifted to legislation developed by leaders of the House Intelligence Committee. That bill, according to people familiar with a draft proposal, would have the court issue an overarching order authorizing the program, but allow the N.S.A. to issue subpoenas for specific phone records without prior judicial approval.
The Obama administration proposal, by contrast, would retain a judicial role in determining whether the standard of suspicion was met for a particular phone number before the N.S.A. could obtain associated records.
The administration’s proposal would also include a provision clarifying whether Section 215 of the Patriot Act, due to expire next year unless Congress reauthorizes it, may in the future be legitimately interpreted as allowing bulk data collection of telephone data.
The House intelligence committee has been working to produce a bipartisan replacement for the metadata program. The President had a chance, rare for him, to embrace bipartisanship and work with the House committee. This certainly looks doable, since it appears from press coverage that the differences between the White House and the House approach are modest.
Instead, the White House just couldn’t resist sniping at the House and posturing itself as a hair more privacy protective than the bipartisan House approach. This is a sadly familiar story; the White House did the same thing on CISPA, the cybersecurity information sharing bill. There the White House tacked left at the last minute, threatening to veto a bipartisan House bill because it lacked privacy protections that the President’s own bill hadn’t included.
So which approach is better? Looking at the press coverage, the White House is highlighting two differences in approach. One seems completely symbolic — deciding how section 215 should be interpreted between the time the new bill passes and the time section 215 expires. But there may be no such interim, since legislation takes a long time to pass, and in any event the new bill is likely to repeal the current program.
The other difference, requiring the FISA court to evaluate each request for phone data, is a bigger deal. It’s also problematic. First, it is inconsistent with criminal practice, where subpoenas are routinely served by investigators without court involvement. Does the administration think that stopping cross-border terror attacks is less urgent than investigating bank robberies?
Second, I’m not aware of any circumstances where judges make “reasonable articulable suspicion” determinations in advance. In fact the whole point of the “articulable” part of that test is that the government needs to be able to explain itself later to a judge. What does judicial review of such a standard look like? Do the judges have to decide that the phone number also looks suspicious to them or just that it’s reasonable for the government to be suspicious?
Third, the metadata program is needed mainly to speed up a cumbersome process of mapping contacts more or less by hand, but the administration’s proposal adds new delays by injecting the court into the front end of the process. No one knows how or whether that will work, because we’ve never put the courts into that stage.
Finally, there is at least some reason to worry that the administration is going to inject the court into every request for data from the carriers. I hope not, because that would be completely unworkable. Remember, in the new system, all the data remains with the phone companies, so assembling one suspicious character’s social graph means first assembling a list of all the people he calls, which is easy — just serve his phone company with the request — and then assembling a list of his contacts’ contacts. That’s the second hop. To collect second-hop records means obtaining records from every carrier whose customers showed up on the first hop. Right now, NSA can move from the first hop to the second with the click of a mouse. But under the proposed new system, every hop requires a batch of new subpoenas to a batch of carriers. That’s going to slow the process quite a bit. Adding the courts to the process, though, will turn it into a morass. I hope that’s not what the administration has in mind.
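The hop-by-hop fan-out described above can be simulated. The following Python example is added here and is not from the post; the carriers, subscribers, call records and retention periods are all constructed, and it assumes (for simplicity) that each carrier holds only the records of its own subscribers and only for its retention window. Under those assumptions it shows why every hop costs one request per carrier whose customers turned up in the previous hop, and how a carrier with a short retention window silently truncates the chain (the “older connections” point made earlier in this series).

```python
"""Contact chaining when records stay with the carriers: constructed illustration.

Assumptions (not from the article): a call record is held by the caller's
carrier; a carrier answers only for its own subscribers; records older than
the carrier's retention window are gone. Each hop therefore needs one request
per carrier appearing in the current frontier.
"""
from collections import defaultdict

# Constructed subscriber -> carrier map.
CARRIER_OF = {
    "555-0100": "A", "555-0101": "A", "555-0102": "A",
    "555-0200": "B", "555-0201": "B",
    "555-0300": "C",
}

# Constructed retention windows in days; carrier C keeps very little history.
RETENTION_DAYS = {"A": 1095, "B": 730, "C": 90}

# Constructed call records: (day_number, caller, callee).
CALLS = [
    (10, "555-0100", "555-0101"),   # seed -> A subscriber
    (20, "555-0100", "555-0200"),   # seed -> B subscriber
    (30, "555-0200", "555-0300"),   # B subscriber -> C subscriber
    (40, "555-0101", "555-0102"),   # A subscriber -> A subscriber
    (5,  "555-0300", "555-0201"),   # old call, held only by C
]


def records_available(carrier, today):
    """Records this carrier can still produce on `today`: calls placed by its
    own subscribers that are no older than its retention window."""
    cutoff = today - RETENTION_DAYS[carrier]
    return [(d, a, b) for d, a, b in CALLS
            if CARRIER_OF[a] == carrier and d >= cutoff]


def chain(seed, hops, today):
    """Return (contacts reached within `hops`, per-hop request plan).

    The request plan is a list with one dict per hop mapping each carrier
    asked to the subscriber numbers it was asked about, so len(plan[i]) is the
    number of separate requests hop i required.
    """
    frontier, seen, plan = {seed}, {seed}, []
    for _ in range(hops):
        # Group the frontier by carrier: one request per carrier per hop.
        by_carrier = defaultdict(set)
        for number in frontier:
            by_carrier[CARRIER_OF[number]].add(number)
        plan.append({c: sorted(ns) for c, ns in by_carrier.items()})

        # Each carrier returns the other party of every still-retained call
        # involving the numbers it was asked about.
        found = set()
        for carrier, numbers in by_carrier.items():
            for _, a, b in records_available(carrier, today):
                if a in numbers:
                    found.add(b)
                elif b in numbers:
                    found.add(a)
        frontier = found - seen
        seen |= frontier
        if not frontier:
            break
    return seen - {seed}, plan


if __name__ == "__main__":
    for today in (50, 200):
        contacts, plan = chain("555-0100", 3, today)
        print(f"day {today}: {len(contacts)} contacts, "
              f"requests per hop {[len(h) for h in plan]}")
        for i, hop in enumerate(plan, 1):
            print(f"  hop {i}: {hop}")
```

On day 50 the third hop reaches carrier C’s old record and pulls in 555-0201; on day 200 that record has aged out of C’s 90-day window, the same request returns nothing, and the chain stops one contact short. The request plan also shows the cost: hop one is a single request, while later hops need a request to every carrier in the frontier.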
At best, this is an opportunity missed. The President seems genuinely convinced that his efforts to build bridges to Republicans have failed because of right-wing intransigence. Sorry, Mr. President, it’s stupid point-scoring by your staff, like this leak, that makes you look like someone who either can’t do Congress or doesn’t care to.
For some reason, debates about Snowden are thick on the ground these days, and I’ve joined a couple of them. The most fun was the Oxford Union, which has been preparing future Parliamentarians (and Prime Ministers) all around the British Commonwealth since 1823. The Oxford Union debate was “This House would call Edward Snowden a Hero.” My argument to the contrary is here:
Highlights of the debate included the arguments of Jeffrey Toobin, with whom I agree on nothing but Snowden, and P.J. Crowley, lately of the Clinton State Department — both of them well worth watching. I also thought Chris Huhne and Chris Hedges did particularly well in support of the motion. And Charlie Vaughan, the Aussie student who stepped in to support our side, already shows signs of being a formidable politician. They can all be found here.
The motion carried, but narrowly (something like 212-175), which I thought a moral victory with a university audience outside the United States. (And an audience that thinks very highly of itself; even at Harvard I would have expected a laugh when I declared that being a toady was the key to debating success and then immediately told the audience that it was the most intelligent I had ever appeared before. At Oxford, no one saw anything remotely humorous in the suggestion.)
UCLA also held a debate, on “Snowden — Patriot or Traitor,” a choice I wasn’t fond of, since I think there’s an element of intent in being a traitor that is hard to judge from this distance. Luckily the school left room for a third choice, “Neither,” so I encouraged the audience to vote for anything but patriot. I was paired with Judge James Carr of the N.D. Ohio, formerly of the FISA court. Our opponents included Jesselyn Radack and Trevor Timm. Bruce Fein argued for “neither” though his attack on the government was unrelenting.
UCLA took two votes, one before and one after the debate. Gratifyingly, the room flipped after hearing the argument. The vote was 43-33 in favor of “Patriot,” at the outset, but it declined to 34-51 when the debate was done. Here’s the UCLA debate from beginning to end. (I show up at 29:00 and again at 1:26:20.)
I’ve also started to take straw polls of audiences on the question “Snowden, Good or Bad?” Snowden doesn’t do well in that binary choice. He lost about 10:1 at a Suits and Spooks conference for civil liberties and security researchers three weeks ago, and he lost about 4:1 at a conference of minority corporate counsel where I spoke a week ago.
All this suggests that Snowden is wearing out his welcome with the American public as he compromises intelligence program after intelligence program without producing anything more shocking than the fact that NSA is an aggressive, effective collector of intelligence in a dangerous world.
This week’s cyberlaw podcast begins as always with the week in NSA. We suspect that a second tech exec meeting with the President (for two hours!) bodes ill for the intelligence community, or at least the 215 metadata program, as does the shifting position of usually stalwart NSA supporters like Dianne Feinstein and Dutch Ruppersberger.
We introduce a new feature, Silliest Press Angle of the Week, for the Guardian’s claim that NSA’s GC somehow contradicted tech companies when he said that the recipients of 702 orders know that intercepts are going on. The companies that got orders didn’t deny knowing about the orders, obviously, but downstream users were likely to be in the dark, and no one outside NSA had ever heard of PRISM. Ten minutes of fact-checking would have killed the story. Which may be why the story wasn’t checked.
We ask whether hyperventilation about the NSA’s ability to “reach into the past” would sound as scary if we were talking about my VCR — and whether a story on NSA hacking Huawei meets any of the justifications that Snowden has offered for his leaks. We also observe that Brazil has already abandoned its dream of digital autarky – in favor of something equally dubious.
Illinois’s law against recording conversations in the absence of all parties’ consent turns out to be an infringement of free speech (like most “privacy” law, in my view), and the Illinois Supreme Court has struck it down for overbreadth, casting a shadow over some but not all such laws in other states.
All-party consent laws also lost a round in front of Judge Koh of the San Francisco federal district court. After a startling ruling that suggested massive liability for Google because it did not get all parties’ consent to Gmail scanning, she took away the plaintiffs’ main leverage, denying class certification. In deference to March Madness, we debate whether the decision resembles a basketball ref’s makeup foul call.
In other privacy litigation a ground-breaking settlement compensates even those who have suffered no injury from a data breach. The theory is unjust enrichment. And so, we suspect, is the outcome. After all, you don’t have to suffer much injury to be considered a proper litigant, as Michael reminds us in discussing a privacy case where the alleged harm is battery power lost when personal data is extracted from an Android phone.
We update the “Innocence of Muslims” YouTube ban and offer skepticism about whether the Supreme Court will review the Ninth Circuit’s decision. And the SSCI-CIA fight continues in a lower key. We’ll explore that in more detail with next week’s guest, Michael Allen, himself a former staff director of the House intelligence committee.
This week’s guest is Jim Lewis of the Center for Strategic and International Studies. Jim is the most thoughtful outside commentator on international cybersecurity issues, and he gives us a tour of the horizon on cyberwar norms, confidence-building measures, and post-Snowden diplomacy. He also predicts the course of cybersecurity legislation and the prospects for regulatory adoption of the NIST cybersecurity framework. And he gives the 215 metadata program a year to live. All in a tight, one-hour package, for those still shell-shocked by the 85-minute sprawl of episode 11.