Steptoe Cyberblog

Steptoe Cyberlaw Podcast – Interview with Orin Kerr

Posted in China, Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Our guest this week is noted computer law guru Orin Kerr, and the podcast is a deep dive into technology and law.

This Week in NSA:  Snowden claims without substantiation that NSA employees are passing naked pix around.  And Greenwald’s venture reports that GCHQ has developed the ability to send spam and to rig web polls.  It’s a true Dr. Evil moment.  What will they think of next – tools that write linkbait article titles?  Really, you won’t believe how this Glenn Greenwald story will break your heart!

Well, that was fast. Last week the UK government announced that it was pursuing legislation ensuring that data retention would continue and ending legal challenges by US companies to the scope of UK investigative powers.  This week, the proposal has passed both houses of Parliament.  It is now law.

Advocates of the right to be forgotten also want you to forget about how the censorship will work.  They successfully pressured Google not to tell users when their search results are bowdlerized.  Now they’re pressuring Google not to tell content owners when their links are dropped down the memory hole.  They also want to make sure the censorship regime applies to the United States and Google’s .com engine.  As the Chinese government has already taught us, it’s not enough to censor Internet news; you also have to censor Internet news about the censorship of Internet news.  Come to think of it, the Chinese also demand that Internet companies self-censor in response to vague hints from regulators, and now so do the Europeans.  Really, if the Chinese had a business method patent on Internet censorship, they could sue Europe for infringing.

And, speaking of privacy law abuses, the Veterans Administration finds that the best way to prevent whistleblowers from complaining about mistreatment of patients is to declare that talking about patients’ mistreatment is a violation of patient privacy.  Lois Lerner’s hard drive also makes an appearance.

The FBI says it’s worried about driverless Google getaway cars.  Of course you’d have to hack them to go faster than a golf cart.  Which raises the question:  Would hacking a car violate the CFAA?  The DMCA?  I ask the experts.

I wouldn’t ordinarily recommend the FBI affidavits that accompany indictments as reading material, but Agent Noel Neeman’s affidavit about Chinese cyberespionage tactics and motivations is remarkably entertaining – and instructive.   

In other news, it sure looks like the movement of class action privacy lawyers to West Virginia will begin in Illinois.  And to the surprise of the entire Internet, other than anyone familiar with actual law, the Massachusetts high court declares that, yes, you really can be forced to decrypt your files if the government already knows they’re yours.

Finally, with a critical mass of computer crime lawyers on the show, the four of us perform the lawyer equivalent of speed dating, covering most of the hot topics in technology and law, including the Microsoft search warrant case, the future of the third party doctrine, the evergreen question whether the Computer Fraud and Abuse Act is violated by those who exceed their authorized network access, and the prospects for legislation changing the CFAA or ECPA reform.

Download the twenty-ninth episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

And Who’s Protected by Taxpayer Privacy Laws? Hint: Not Taxpayers

Posted in Privacy Regulation

When you’re in the business of pointing out how often privacy law ends up protecting power and privilege, you never run out of material.

Everyone remembers Lois Lerner, the IRS official who pleaded the fifth amendment and refused to testify about her role in the agency’s scrutiny of Tea Party nonprofits.  And everyone remembers her mysterious computer crash making years of emails unavailable in 2011.

Could the messages be recovered with advanced forensics?  We’ll never know, because the IRS so systematically nuked Lerner’s drives that no one could ever recover anything from them.

Why? According to The Hill, “the agency said in court filings Friday that the hard drive was destroyed in 2011 to protect confidential taxpayer information.”

I’m sure the taxpayers will find a way to show their gratitude.

Steptoe Cyberlaw Podcast – Interview with David Medine

Posted in Cybersecurity and Cyberwar, Data Breach, International, PCLOB, Privacy Regulation, Security Programs & Policies

Our guest this week is Chairman of the Privacy and Civil Liberties Oversight Board (PCLOB), David Medine. We do a deep dive into the 702 program and the PCLOB’s report recommending several changes to it. Glenn Greenwald’s much-touted “fireworks finale” story on NSA may have fizzled, but this week David and I deliver sparks to spare.

I question the PCLOB’s enthusiasm for giving new responsibilities to the flawed Foreign Intelligence Surveillance Court (Judge Lamberth and his wall make an appearance). I challenge David’s notion (shared with Judge Wald) that the 702 program, crucial as it is for our terrorism defenses, nonetheless stands balanced so close to the edge of constitutionality that without new minimization restrictions it could tip over into constitutional unreasonableness at any moment. David gets a chance to comment on stories about U.S. citizens whose data is stored by the NSA, including Glenn Greenwald’s disclosure of the Americans targeted by NSA and Bart Gellman’s defense of his Washington Post article. (There we find common ground; like me, David has doubts about the significance of Gellman’s claim that “9 out of 10 accountholders” in NSA’s database aren’t targets.) And we argue over whether NSA analysts need 89,000 new make-work assignments justifying their targets, let alone a massive judicial logjam before they can search data already gathered lawfully. All in all, a rewarding workout.

The news roundup is truncated to allow more time for the Medine dialogue, but this week in NSA includes more Snowdenista journalist misrepresentations, including the demonstrably false claim that NSA has flagged the Linux Journal as an “extremist forum.”

The Senate Intelligence Committee produces a cybersecurity information sharing bill as a bookend to the House’s bill, but getting it to the floor and then to the President is going to be tough in today’s climate and under the current calendar. Maury Shenk tells us the Russians are planning to balkanize the Internet, and in the name of privacy, no less. He also reports that the UK is pursuing stopgap legislation to make sure it doesn’t lose its data retention authority in the wake of an unfavorable ECJ decision, and to allow UK law enforcement to require foreign entities to turn over data under a warrant. David can’t help intervening to remind us that the UK has also proposed creating its very own PCLOB.

Download the twenty-eighth episode (mp3).

Steptoe Cyberlaw Podcast – Interview with David Heyman

Posted in Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Our guest this week is David Heyman, who recently completed a tour as DHS’s Assistant Secretary for Policy (my old job). David has had a long and productive career in homeland security, in government, and in the private sector. We take a tour of DHS’s horizon, covering DHS’s impressive progress in cybersecurity implementation, the Quadrennial Homeland Security Review, the reasons Europe now seems less hostile to DHS’s mass data collection, even as it takes aim at NSA’s, and the challenges and successes of John Pistole’s TSA.

It was a surprisingly newsy week for NSA. In part that’s because of news that didn’t break, as Glenn Greenwald, panting to disclose the individual Americans who have been targeted for surveillance, discovers that there really are some government secrets worth keeping – and pays the price in abuse from lib/left haters. The Washington Post seems to have mined a similar dataset to tell us that there’s a lot of information in NSA’s stores about Americans with ties to foreign intelligence targets, but the paper’s claim that “9 out of 10” accounts in the database aren’t targets sure looks like a statistic chosen to scare more than educate. NSA Director Mike Rogers says that Snowden’s thefts can be managed. The 7th Circuit ruled that FISA intercepts can’t be routinely shown to defense counsel, even defense counsel with clearances.

And the early favorite for Dumbest NSA Story of the Month goes to Ellen Nakashima and Bart Gellman for revealing that NSA thinks it may have to gather foreign intelligence from (gasp!) pretty much every country in the world. In other breaking news, the Pope is still Catholic.

Finally, government reports triggered by Snowden continue to proliferate. The PCLOB report largely supports the 702 program – and the PCLOB pays the price in abuse from lib/left haters. (We’ll invite David Medine to defend the report on next week’s program.) ODNI has its own transparency report on NSA intercepts, revealing a strikingly small number of targets, a report that generates abuse from, well, you know.

Microsoft’s fight with the US government over warrants for overseas data gets more support, this time in the form of European Commission press pronouncements.

Google reveals a bit more about how it’s applying the right to be forgotten, and the British press isn’t too happy. No word yet on Stewart’s “Does this search engine make me look fat?” request for the deletion of outdated and overweight photos.

This week in vindication for the Steptoe Cyberlaw podcast: NY’s cyberbullying law is struck down, fast enough to leave heads spinning.

The SEC has finally gotten off its duff and begun investigating network intrusions, but the only known investigation is of Target – probably the most predictable and also the lamest investigative target the SEC could have chosen. Really, does anyone think that the problem with Target was a failure to disclose the intrusion? Rather than piling on the already flattened retailer, one wonders why the SEC is not pushing for disclosure of intrusions that are likely to have a big competitive impact, such as ongoing foreign nation-state hacks on behalf of state-owned competitors?

Download the twenty-seventh episode (mp3).

Steptoe Cyberlaw Podcast – Interview with Dmitri Alperovitch

Posted in China, Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

This week in NSA: We take a look at the other half of the Lofgren amendment, which prohibits NSA and CIA from asking a company to “alter its product or service to permit electronic surveillance.”  So if Mullah Omar orders a phone from Amazon, the government can’t ask Amazon to put a bug in it – but a bomb is fine.  Another step forward for human rights!  NSA’s bulk collection program is extended again. And Keith Alexander is doing just fine in the private sector, to judge from the consulting fees he’s asking.

The big news of the week is the Supreme Court’s 9-0 decision in Riley, refusing to allow police to routinely search the cell phones carried by people they arrest.  What does it mean for other techno-libertarian arguments before the Court?  Michael and Jason weigh in.

Facebook is breaking new ground, or trying to, by challenging 300+ search warrants on behalf of the targets.  So far, the publicity has been good; the law, not so much.

Taking a break from covering LabMD’s FTC travails, we note that Wyndham won a little and lost a little, but the win may give us an appellate decision on the FTC’s jurisdiction over Internet privacy and security.

And speaking of privacy, Jason Weinstein discloses a long-secret Steptoe project – a free data breach legal toolkit.

Our guest on the podcast is Dmitri Alperovitch, co-founder and CTO of CrowdStrike, a well-known incident response cybersecurity startup whose recent report introduced the world to another unit of the PLA hacking force – one that is quite distinct from unit 61398, which was exposed by Mandiant last year, five of whose members were indicted recently by the Justice Department.  CrowdStrike identifies unit 61486.  (And don’t we all hope the PLA numbering scheme for its hacker units doesn’t start at 00001?)  This unit, which CrowdStrike labeled “Putter Panda” because of its use of golf-related malware documents, specialized in stealing secrets from satellite, aerospace, and communications firms.  CrowdStrike outs one of the unit’s hackers, Chen Ping, including the now-familiar social media pix of the guy, his buddies, and a possible girlfriend.  We talk about the importance of attribution as a response to sophisticated cyberespionage, and the role that incident response firms play in that effort.

Download the twenty-sixth episode (mp3).

Steptoe Cyberlaw Podcast – Interview with Ralph Langner

Posted in Cybersecurity and Cyberwar, International, Privacy Regulation, Security Programs & Policies

This week in NSA: The House passes an NDAA amendment to regulate “secondary” searches of 702 data, and the prize for Dumbest NSA Story of the Month goes to Andrea Peterson of the Washington Post for exposing NSA’s shocking use of “Skilz points” to encourage its analysts to use new tools to do their jobs.  And GCHQ defends its view that sending email through Yahoo and Hotmail is an “external” communication.

Good news for LabMD is bad news for the FTC: Darrell Issa raises questions about the FTC’s investigation and asks for an IG investigation.  Maybe the FTC did nothing wrong, but once it’s in the crosshairs that may not matter; the IG is bound to find something to criticize.  Of course, LabMD probably feels exactly the same way. The rest of us just want more popcorn.

Privacy campaigners in Europe lose another round against US companies obeying national security orders: an Irish court backs the Irish data protection authority’s decision not to investigate Facebook for cooperating with NSA.  But now the issue is moving to a body where anything can happen, no matter how wacky: the European Court of Justice.  Who are those guys?  Maury Shenk explains.

Michael Vatis and the Eighth Circuit give banks a tutorial on how to avoid liability to customers for weak security.  Just keep giving your customers more security choices until they turn one down.  It’s the miracle of choice!

I explain why I’ve always been leery of the Senate Intelligence Committee’s information sharing bill: It purports to legalize private-private information sharing that is already legal, and then to impose privacy requirements as the price for legalizing the already legal.  But that risk is much diminished in Chairman Feinstein’s latest draft.  Unamended, it would likely be fine, but it won’t take much amending to turn it into “back door” privacy regulation again.

Michael Vatis explains how to beat privacy class actions, building his lesson on the recent deflation of lawsuits against Hulu and LinkedIn.

And our guest for the week is the man who decoded Stuxnet – and opened our eyes to a whole new realm of warfare — industrial control system sabotage.  Ralph Langner heads the Langner Group, which specializes in industrial control system security.  He is also a nonresident fellow at the Brookings Institution.

Ralph talks about how he unpacked Stuxnet.  I ask whether attacks on commercial industrial control systems could cause mass casualties among civilians.  Ralph is not comforting.  I ask whether all the talk about cyberattacks on water, power, refineries, and factories has at least produced concrete steps to improve their security.  Ralph is not comforting.  I ask about prospects for future improvement.  Ralph is, well, you know the rest.  Really, have a drink before you listen to this one.

Download the twenty-fifth episode (mp3).

Steptoe Cyberlaw Podcast – Interview with Paul Rosenzweig

Posted in China, Cybersecurity and Cyberwar, International, Privacy Regulation, Security Programs & Policies

Our guest for the week, Paul Rosenzweig, is as knowledgeable as anyone about cybersecurity and intelligence law.  He blogs on the topics for Lawfare, writes for the Homeland Security Institute, consults for Red Branch Consulting, and lectures for the Great Courses on Audible.

So this week we let him comment on the stories of the week, as well as dig into ICANN, which spares the rest of us from having to learn more about that institution.  This he does, admirably, making the case for a slow and conditional transition of ICANN to an alternative governance structure.  Don’t miss his just-released paper on the topic for the Heritage Foundation.

Meanwhile, NSA news is blessedly sparse this week.  A federal judge in San Francisco announced that she was not willing to take the Justice Department’s word that several FOIA’d FISA court opinions cannot be partially declassified and demanded that they be produced for in camera inspection.

Meanwhile, China is making plenty of news, none of it good for China’s government.  CrowdStrike outs another PLA hacker by name (not to mention his picture and his personal blog).  Paul describes his lunch with Chinese embassy staff and their tone-deaf claim that the US government needs to provide more information about alleged Chinese hacking.  The DoD authorization bill is due to add a few more provisions tightening restrictions on China’s IT sector.  And China earns an early Privy nomination for charging dissenters with privacy violations, a practice about which privacy groups and the European Union have been unaccountably silent.

Michael Vatis explains Microsoft’s legal objections to getting a warrant for other people’s data stored in Ireland – and the amicus brief that he just filed in support of Microsoft.  In other fourth amendment news, Wi-Fi moochers have no expectation of privacy, but how to treat location data stored by cell phone companies continues to drive the federal courts to distraction, as Judge Sentelle travels south to vindicate his lower court opinion in Jones.

I talk about a study that Jim Lewis of CSIS and I unveiled last week on the cost of cybercrime — $445 billion globally, if you’re keeping track.

Jason explains why the entire data breach class action bar may move en masse to West Virginia.  And the FCC catches up to the FTC and SEC in cybersecurity “nudge” regulation.

Download the twenty-fourth episode (mp3).

China’s Use of Privacy Law Raises Questions for Privacy Advocates

Posted in China, International, Privacy Regulation

China seems to have found a reliable legal tool for suppressing dissent.  A prominent Chinese human rights lawyer, Pu Zhiqiang, has been arrested after a meeting in a private home to commemorate the 25th anniversary of the killings at Tiananmen Square.  The charge?  “Illegal access to the personal information of citizens,” a crime punishable by three years in prison.

But where are EFF and EPIC and CDT and the ACLU?  This is not the first time China has brought privacy charges against politically disfavored defendants.  Why haven’t these advocates of more privacy law vocally condemned China’s use of privacy law to foster oppression?

The same question might be asked of the Article 29 Working Party in the European Union, along with a second one: How is China’s law different from the data protection laws that Europe has been urging the world to adopt?

Steptoe Cyberlaw Podcast – Interview with Congressman Mike Pompeo

Posted in Cybersecurity and Cyberwar, International, Privacy Regulation, Security Programs & Policies

This week’s interview is with Rep. Mike Pompeo, a member of the House Intelligence Committee who joined the House in 2010 after three careers, any one of which would have been enough for an ordinary man.  First in his class at West Point, he left the Army to study law at Harvard, where he made law review, then founded a successful aviation business, and went on to run an oil services company.

Rep. Pompeo weighs in on the USA Freedom Act, which passed the House overwhelmingly but ran into trouble at its first Senate Intelligence Committee hearing.  (Full disclosure: some of that trouble was inspired by my testimony.)  We explore the bill’s flaws, its House support, and the prospects (high) that the bill will die in this Congress and will return for hurry-up consideration as section 215 faces sunset in mid-2015.  Asked about Snowden, Rep. Pompeo brings up the little-publicized finding that 90% of what he took was straight military intelligence that discloses extraordinarily sensitive secrets with no apparent scandal value.  This material hasn’t been used in any press stories, which raises questions about why it was taken and who it was given to.  For a guy who purports to oppose untargeted mass collection of sensitive data, Snowden sure did a lot of it.  The interview closes with Rep. Pompeo’s thoughts on the CIA-SSCI fight and the Bergdahl-Taliban swap.

In other NSA news, German prosecutors have opened a criminal investigation into the tapping of Angela Merkel’s phone but not the hacking of her computer.  Apparently the Germans only investigate electronic spying by countries that remind them of communist authoritarian regimes, but not spying by, you know, actual communist authoritarians.  And EFF still wants NSA to hang on to more Americans’ records than NSA wants to keep.  EFF asks the courts to order that NSA retain records that would otherwise be destroyed under NSA’s standard privacy policy.  The wages of hypocrisy turn out to be modest.  The court has rejected EFF’s demand.

We return as well to the European Court of Justice’s “right to be forgotten” decision, and Google’s effort to implement it.  Not content with mocking the decision, I’ve decided to hack it, filing multiple requests to have European search requests censored on grounds ranging from “this search engine makes me look fat” to “these links criticize my political views.”  We’ll keep you posted on how those requests fare at Google and the data protection authorities.

And in a transatlantic contest to trash free expression rights, New York’s entry is a stunningly overbroad ban on cyberbullying. Mike Vatis has the story.

We dig a bit into Google’s decision to promote more encryption, shaming other email providers and offering end-to-end encryption as a way of thwarting even lawful warrants.  The fallout for governments from the Snowden leaks continues to get worse.

Michael explains how stingray cell phone location systems work, and why the US marshals might seize stingray records from the Florida police.

And, with Facebook and Google both talking about using satellites to provide internet service to developing countries, Stephanie Roy digs into the regulatory issues they’re likely to face – including (you knew we’d ask about it) government wiretap requirements.

Download the twenty-third episode (mp3).

The NYT makes the case for surveillance cameras

Posted in Privacy Regulation

The ACLU and EPIC have campaigned long and hard against surveillance cameras in public spaces, and they’ve had considerable success — despite a paucity of actual serious privacy abuses.  So it’s worth remembering that all this privacy theater imposes real costs on crime victims.

This story, headlined “After Boy and Girl Are Stabbed, Anger Over a Lack of Cameras” is only surprising because it appears in the New York Times:

The 7-year-old girl is hospitalized in critical condition, the only witness to a crime that so far defies explanation: A man stabbed two young children in the elevator of a public-housing project and escaped into the late-spring evening.  Her best friend, a 6-year-old boy, is dead.

Though residents of the Brooklyn housing project saw a man fleeing through the development after the attack, he remained at large on Monday, the search made more difficult because the building has no surveillance cameras.

Living in housing projects in East New York means living with the daily threat of violence, and Boulevard Houses is no exception.  But until Sunday night, parents felt safe taking their children downstairs to play….

The lack of cameras raised questions on Monday as elected officials accused the New York City Housing Authority, which manages the building, of being slow to install the cameras.

To be fair, I haven’t seen reports suggesting that privacy groups opposed installation of surveillance cameras in these particular public spaces.  Maybe they think that city-owned public housing should be as freely surveilled as private housing.  But I wouldn’t take bets on it.