
Steptoe Cyberblog

Steptoe Cyberlaw Podcast – Interview with Daniel Sutherland

Posted in Cybersecurity and Cyberwar, Data Breach, Security Programs & Policies

In this week’s episode, we explore the latest FOIA tussle between the FBI and ACLU over NSA and the dog-bites-man story of Larry Klayman losing another long-shot appeal. This Week in NSA focuses on the Bloomberg story claiming that the agency is exploiting the Heartbleed flaw. Kudos to NSA for managing to persuasively deny the thinly sourced and dubious story before the day’s news cycle was complete. Even so, the White House defensively rolls out a new policy on zero-days. We chew on the critical question: Can you win a Pulitzer for writing a false story if it prompts a new White House policy?

Jason notes the largely unsurprising result in the Wyndham case and the FTC’s effort to lock Facebook and Whatsapp into their current privacy policies. And just to show that we don’t always harsh on the FTC, Jason describes the commission’s charges against a site that really lived up to its name – jerk.com.

The European Court of Justice makes news, striking down parts of the data retention directive that have long distinguished Europe as a far less privacy-protective jurisdiction than the United States. Maury Shenk, our European correspondent, has the analysis.
Continuing a tutorial in class action tactics, Jason talks about the Target litigation being consolidated in Minnesota.

The Justice Department and the FTC issue antitrust guidance designed to ease the fears of companies that sharing cybersecurity information will create antitrust liability. It doesn’t say anything that couldn’t have been said fourteen years ago – and was. I’d call it Groundhog Day II but I think that’s recursive.

International cyberdiplomacy is slowly recovering from the Snowden leaks, though successes are still thin on the ground. The US tries a creative (if rather handwringing) response to Iran’s DOS attacks on banks, and it tries candor (without much success) on China.

Our special guest, Dan Sutherland, served under all four DHS secretaries and is now the chief lawyer for the DHS component charged with cybersecurity, biometrics, and telecommunications. He comments on the antitrust agencies information-sharing guidance and conveys DHS’s latest thinking on how regulatory agencies will use the NIST cybersecurity framework to incentivize better network hygiene.

Download the fifteenth episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!

Steptoe Cyberlaw Podcast – Interview with Benjamin Wittes

Posted in Cybersecurity and Cyberwar, Data Breach, Privacy Regulation, Security Programs & Policies

This week’s podcast features a conversation with none other than Lawfare’s own Ben Wittes. But it begins as usual with This Week in NSA: A Reuters story claims that researchers showed something bad about the way NSA influenced the Dual EC encryption standard.  The story glided insouciantly over two of the more newsworthy aspects of the researchers’ work: (1) They couldn’t actually find the weakness everyone has been assuming and (2) Practically no one is using the supposedly flawed standard, so practically no one is at risk.  In other NSA news, a civil libertarian academic who was part of the President’s expert group on NSA published a candid assessment of the agency – almost all of it positive.  And Yahoo! has finally been able to encrypt its back-office communications – aiming at NSA and hitting foreign law enforcement squarely between the eyes.

In This Week in Reruns, LabMD is back from the dead, maybe.  Michael Vatis discusses the company’s latest filing and its chances of turning the case around.  Jason Weinstein reports that the banks that sued Target’s security assessor have had second thoughts.  Microsoft’s search of Hotmail to protect its property yields a guilty plea; but the company will still be cleaning up after the search long after this defendant has served his sentence.  And the latest chapter in Google’s struggle with the most famous ten-second video performance in history ends abruptly.

Despite its name, The Onion Router doesn’t really turn your messages into spoofed news stories (cool as that would be).  Also known as TOR, it is the US-government-funded security tool that has won fans among human rights campaigners and pedophiles.  Now, Jason reports, law enforcement is finding ways to at least dent the security TOR provides.

And a handful of federal magistrates have discovered the sweetest gig in the judicial branch.  They can make law that goes viral without worrying about being reversed.  As long as they rule against the government.  As many have been doing, imposing limits on computer search warrants as a condition of signing them.  Jason and I discuss the merits and motivations of these rulings – and what Justice can do about them.

Finally, Ben Wittes joins the fray, previewing his testimony to the House Foreign Affairs Committee.  He discovers hidden connections between the AUMF and section 702 interception authority.  Speaking of section 702, Ben and I dig deeper into the House Intelligence Committee’s redraft of the section 215 metadata authority, which could be marketed as 702 Jr.  We explore the politics and policy behind the bill, and the President’s determination to carve out a sliver of difference with the committee, and what’s wrong with the widespread assumption that the telcos have at least eighteen months’ worth of back data that can be exploited even if NSA destroys its current database.

Download the fourteenth episode (mp3).


Is the New IRS Rule Good or Bad for Bitcoin?

Posted in Privacy Regulation

Last week the IRS announced that Bitcoin would be treated as property, rather than currency, for tax purposes.  That means the virtual currency will be subject to very real capital gains taxes when used to make purchases.  So is this good or bad for Bitcoin?  Well, that depends on whether you view the glass on Bitcoin as half-empty or half-full.

If your glass is half-empty, you’ll see the rule as creating a practical obstacle to using Bitcoin in everyday transactions that undermines the ease of use that was part of its appeal in the first place.  Under the new rule, if you pay for a product or service with Bitcoins, you’ll have to pay tax on the increase in value from the date you acquired each Bitcoin to the day you spent it.  That’s not an easy thing to keep track of, especially since Bitcoin’s volatility means you may have paid very different prices for your Bitcoins.  That’s sort of like paying for something at a store with individual shares of stock that you may have acquired on different days and at different prices, and trying to select the share that will result in the smallest capital gains.  You may also bristle at the fact that wages paid in Bitcoins are subject to income-tax withholding and that payments of $600 or more made in Bitcoins are subject to IRS reporting requirements, which complicates the anonymity relished by many Bitcoin users.
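As an added illustration (not from the original post, and not tax advice), here is a small Python model of the bookkeeping the paragraph describes: each purchase is a lot with its own cost basis, and a spend consumes lots either oldest-first or highest-basis-first, which is the "pick the share with the smallest gain" strategy. The lots, prices and the simplified gain rule (proceeds minus basis, partial lots allowed, no holding-period distinction, no fees) are all constructed assumptions.

```python
"""Per-lot cost-basis tracking for spending bitcoin (added example).

Assumptions, stated as assumptions: prices are USD per BTC, gain is simply
proceeds minus the basis of the units spent, and a lot may be partially
consumed. Holding periods, fees and the IRS's actual lot-identification
rules are not modelled.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Lot:
    acquired: str       # ISO date of purchase (used for FIFO ordering)
    amount: float       # BTC still unspent in this lot
    unit_basis: float   # USD paid per BTC when the lot was bought


def spend(lots: List[Lot], amount: float, price: float,
          method: str) -> Tuple[float, List[Tuple[str, float]]]:
    """Consume `amount` BTC at `price` USD/BTC and return (gain, lots_used).

    method "fifo":          oldest lot first (the default most people assume)
    method "highest_basis": lot with the highest unit basis first, which
                            minimises the realised gain on this spend
    Lots are mutated in place so repeated spends see the remaining balances.
    """
    if method == "fifo":
        order = sorted(lots, key=lambda lot: lot.acquired)
    elif method == "highest_basis":
        order = sorted(lots, key=lambda lot: lot.unit_basis, reverse=True)
    else:
        raise ValueError(f"unknown method {method!r}")

    remaining = amount
    gain = 0.0
    used: List[Tuple[str, float]] = []
    for lot in order:
        if remaining <= 1e-12:
            break
        take = min(lot.amount, remaining)
        if take <= 0:
            continue
        gain += take * (price - lot.unit_basis)   # per-lot gain or loss
        lot.amount -= take
        remaining -= take
        used.append((lot.acquired, take))
    if remaining > 1e-12:
        raise ValueError("insufficient balance across all lots")
    return round(gain, 2), used


def sample_lots() -> List[Lot]:
    """Constructed sample: three purchases at very different prices."""
    return [
        Lot("2013-01-15", 1.0, 15.0),
        Lot("2013-11-20", 0.5, 1100.0),
        Lot("2014-02-10", 0.5, 600.0),
    ]


if __name__ == "__main__":
    for method in ("fifo", "highest_basis"):
        gain, used = spend(sample_lots(), 0.4, 450.0, method)
        print(f"{method:14s} gain={gain:8.2f} lots={used}")
```

Running the two methods on the same 0.4 BTC purchase at a constructed price of $450 shows why the choice matters: FIFO draws on the $15 lot and realises a gain, while highest-basis draws on the $1,100 lot and realises a loss. An app that "automates the tax calculation" has to carry exactly this per-lot state for every wallet.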

But if your glass is half-full, you’ll see the IRS rule as a step toward further legitimacy for Bitcoin, a recognition that it’s an increasing presence in our economy as both a medium for transactions and as an asset.  You’ll view increasing certainty regarding the regulatory treatment of Bitcoin as good for its development.  And if you hold Bitcoins for investment, you may even focus on the fact that Bitcoins now will be subject to a lower tax rate than if they were taxed as a currency.

More generally, the IRS rule raises the fundamental Catch-22 of Bitcoin: the more it’s regulated, the more stable it will become, but the more it may drive away those “early adopters” who were drawn to it precisely because it was anonymous and unregulated.  I’ve written more about that issue here.

Warren Buffett recently called Bitcoin a “mirage,” and it’s fair to say that no one ever made money betting against Warren Buffett.  (Speaking of which, Mr. B – is there a prize for getting the fewest number of games correct in the NCAA Tournament?  If so, call me.)  But prominent venture capitalists continue to be bullish on Bitcoin’s future, and more retailers are accepting Bitcoins seemingly every week.

The bet here is that Bitcoin has sufficient momentum that it’s not going away anytime soon.  Especially if some smart app developers figure out how to automate the tax calculation process to offset some of the practical complications for users. But if those app developers get paid in Bitcoins, they should remember to pay their taxes.

Steptoe Cyberlaw Podcast – Interview with Michael Allen

Posted in Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Our special guest this week is Michael Allen, former Majority Staff Director of the House intelligence committee.  Mike is the founder of Beacon Global Strategies and the author of Blinking Red, the story of the creation of the Director of National Intelligence.

We drag him into the program from the beginning, getting his take on his old committee’s proposal to replace NSA’s 215 metadata program with one where the data remains with the telephone companies. I puzzle over the Obama administration’s booted opportunity to work with a bipartisan coalition on reforming 215 and its determination to instead pursue the affections of privacy lobbyists who want the FISA court to review every search of the telcos’ data.

Mike Allen reflects on the most significant contributions of Chairman Mike Rogers to the intelligence committee from which he is unexpectedly retiring. He evidently plans to become a radio show host concentrating on national security affairs. I speculate that he was forced into Old Media because the niche for podcasts on national security law has now been so definitively filled by the Steptoe Cyberlaw Podcast.

In other news, the FISA court is getting a new chief judge. And China has promised to bolster its cybersecurity while protesting news that Huawei was hacked by NSA; it would only be fair if the administration declared, as China has so often when accused of hacking a US defense contractor, “Hey, we’re victims of hacking too. Tell us what you know about this alleged hacking and maybe we can help.”

This Week in Target produces a surprise — banks suing not just Target but also its security assessor. Is this a sign of strength or an admission that Target itself may have a pretty good defense to claims that it violated the PCI standards? Jason Weinstein thinks it’s an augury of things to come, and that other security auditors may face such litigation, especially if they provide some of the services they’re supposed to be auditing.

Microsoft is in the privacy cement mixer this week. After admitting that it opened a subscriber’s Hotmail account to track an employee who was leaking its business secrets, it first said it had every right to do so, then said it would only do so with the approval of a retired federal judge, and finally said it would leave that sort of thing to law enforcement. Michael Arrington, who rarely misses an opportunity to make headlines, accused Google of doing the same with Gmail. But the incident was years ago, and Google has denied it — while acknowledging that, like Microsoft, its terms of service very likely permit it to access Gmail for that purpose. Michael Vatis and I speculate about what this means for actions to protect Microsoft customers, since many webmail security measures require that the operator aggressively investigate malware distributors using its network; if those security measures must now wait for law enforcement investigations, we’ll all be pwned by the end of the year, and we’ll have privacy to thank for it.

Jason reports that Bitcoin is getting a modest amount of establishment recognition, but bitcoin owners will get new paperwork headaches and the traceability of their holdings will increase dramatically, as the IRS starts treating bitcoins as assets subject to capital gains calculations.

The sordid, pigs-at-the-trough spectacle of nonprofits squabbling over who will get the windfall from cy pres settlements of privacy suits reaches new heights as a new $8.5 million payout is finally approved. And the European Court of Justice rules that ISPs must block copyright infringing sites. (How? Don’t bother us with details, we’re European jurists.) And the actress who’s gotten more publicity, public sympathy, and judicial somersaults from a ten-second YouTube performance than anyone in history is back to complain that Google isn’t doing enough to keep her performance from the public.

Returning to Mike Allen, we talk about his book, and how Henry Hyde killed one version of the 9/11 intelligence reform bill with a well-timed bon mot on the intelligence of House and Senate members. The difference in style between Bush and Obama legislative relations is explored, gingerly. And Mike reflects on what produced the astonishing breakdown in relations between the CIA and the Senate Intelligence Committee.

Download the thirteenth episode (mp3).


The New Phone Metadata Program

Posted in Privacy Regulation, Security Programs & Policies

According to the New York Times, the President has decided to kill the existing NSA phone metadata program and come up with a substitute that leaves the metadata with the phone companies. The decision will limit the government’s ability to find older connections, since few companies hold records for three or more years; it will also be hard to construct a social graph that combines customers of different carriers.

This may have been inevitable but even so, the President’s decision is disappointing for other reasons. The key passage for the future is this one from the NYT story:

In recent days, attention in Congress has shifted to legislation developed by leaders of the House Intelligence Committee. That bill, according to people familiar with a draft proposal, would have the court issue an overarching order authorizing the program, but allow the N.S.A. to issue subpoenas for specific phone records without prior judicial approval.

The Obama administration proposal, by contrast, would retain a judicial role in determining whether the standard of suspicion was met for a particular phone number before the N.S.A. could obtain associated records.

The administration’s proposal would also include a provision clarifying whether Section 215 of the Patriot Act, due to expire next year unless Congress reauthorizes it, may in the future be legitimately interpreted as allowing bulk data collection of telephone data.

The House intelligence committee has been working to produce a bipartisan replacement for the metadata program. The President had a chance, rare for him, to embrace bipartisanship and work with the House committee. This certainly looks doable, since it appears from press coverage that the differences between the White House and the House approach are modest.

Instead, the White House just couldn’t resist sniping at the House and posturing itself as a hair more privacy protective than the bipartisan House approach. This is a sadly familiar story; the White House did the same thing on CISPA, the cybersecurity information sharing bill. There the White House tacked left at the last minute, threatening to veto a bipartisan House bill because it lacked privacy protections that the President’s own bill hadn’t included.

So which approach is better? Looking at the press coverage, the White House is highlighting two differences in approach. One seems completely symbolic — deciding how section 215 should be interpreted between the time the new bill passes and the time section 215 expires. But there may be no such interim, since legislation takes a long time to pass, and in any event the new bill is likely to repeal the current program.

The other difference, requiring the FISA court to evaluate each request for phone data, is a bigger deal. It’s also problematic. First, it is inconsistent with criminal practice, where subpoenas are routinely served by investigators without court involvement. Does the administration think that stopping cross-border terror attacks is less urgent than investigating bank robberies?

Second, I’m not aware of any circumstances where judges make “reasonable articulable suspicion” determinations in advance. In fact the whole point of the “articulable” part of that test is that the government needs to be able to explain itself later to a judge. What does judicial review of such a standard look like? Do the judges have to decide that the phone number also looks suspicious to them or just that it’s reasonable for the government to be suspicious?

Third, the metadata program is needed mainly to speed up a cumbersome process of mapping contacts more or less by hand, but the administration’s proposal adds new delays by injecting the court into the front end of the process. No one knows how or whether that will work, because we’ve never put the courts into that stage.

Finally, there is at least some reason to worry that the administration is going to inject the court into every request for data from the carriers. I hope not, because that would be completely unworkable. Remember, in the new system, all the data remains with the phone companies, so assembling one suspicious character’s social graph means first assembling a list of all the people he calls, which is easy — just serve his phone company with the request — and then assembling a list of his contacts’ contacts. That’s the second hop. To collect second-hop records means obtaining records from every carrier whose customers showed up on the first hop. Right now, NSA can move from the first hop to the second with the click of a mouse. But under the proposed new system, every hop requires a batch of new subpoenas to a batch of carriers. That’s going to slow the process quite a bit. Adding the courts to the process, though, will turn it into a morass. I hope that’s not what the administration has in mind.
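As an added example (not from the original post), the following Python simulates the hop-by-hop process described above over a constructed set of call records split across three made-up carriers, and counts how many separate carrier requests each hop needs. The carrier names, phone numbers and call records are invented, and the one-request-per-number-per-carrier model is an assumption; the point it makes is only that the second and third hops fan out to more carriers and more requests than the first.

```python
"""Contact chaining when records stay with the carriers (added example).

Constructed data: seven numbers spread over three fictional carriers, and a
handful of calls between them. Each carrier can only answer for calls that
involve one of its own subscribers, so each hop becomes a batch of requests,
one per (carrier, number) pair.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed: which carrier holds records for which number.
CARRIER_OF: Dict[str, str] = {
    "A1": "Alpha", "A2": "Alpha", "A3": "Alpha",
    "B1": "Beta",  "B2": "Beta",
    "C1": "Gamma", "C2": "Gamma",
}

# Constructed call records as (caller, callee) pairs.
CALLS: List[Tuple[str, str]] = [
    ("A1", "B1"), ("A1", "C1"), ("B1", "B2"), ("B1", "A2"),
    ("C1", "C2"), ("C2", "A3"), ("A2", "A3"),
]


def records_held_by(carrier: str) -> List[Tuple[str, str]]:
    """A carrier sees only calls in which one of its subscribers took part."""
    return [(a, b) for a, b in CALLS
            if CARRIER_OF[a] == carrier or CARRIER_OF[b] == carrier]


def request_contacts(carrier: str, number: str) -> Set[str]:
    """Simulate one request to `carrier`: the numbers `number` talked to."""
    contacts: Set[str] = set()
    for a, b in records_held_by(carrier):
        if a == number:
            contacts.add(b)
        elif b == number:
            contacts.add(a)
    return contacts


def chain(seed: str, hops: int) -> List[dict]:
    """Expand `seed` by `hops` hops; per hop, report new contacts, the number
    of carrier requests issued and the distinct carriers served."""
    seen: Set[str] = {seed}
    frontier: Set[str] = {seed}
    report: List[dict] = []
    for _ in range(hops):
        # Group this hop's numbers by the carrier that holds their records.
        by_carrier: Dict[str, Set[str]] = defaultdict(set)
        for number in frontier:
            by_carrier[CARRIER_OF[number]].add(number)
        new: Set[str] = set()
        requests = 0
        for carrier, numbers in by_carrier.items():
            for number in sorted(numbers):
                requests += 1                       # one subpoena each
                new |= request_contacts(carrier, number)
        new -= seen                                 # drop already-known numbers
        seen |= new
        report.append({
            "contacts": sorted(new),
            "requests": requests,
            "carriers": sorted(by_carrier),
        })
        frontier = new
    return report


if __name__ == "__main__":
    for i, hop in enumerate(chain("A1", 3), start=1):
        print(f"hop {i}: {hop['requests']} request(s) to {hop['carriers']} "
              f"-> new contacts {hop['contacts']}")
```

With a single consolidated database the same traversal is one graph query; here the first hop is one request to one carrier, the second is two requests to two carriers, and the third touches all three. Adding a court approval in front of each of those requests sits on exactly the path this loop counts.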

At best, this is an opportunity missed. The President seems genuinely convinced that his efforts to build bridges to Republicans have failed because of right-wing intransigence. Sorry, Mr. President, it’s stupid point-scoring by your staff, like this leak, that makes you look like someone who either can’t do Congress or doesn’t care to.

Debating Snowden

Posted in Cybersecurity and Cyberwar, International, Privacy Regulation, Security Programs & Policies

For some reason, debates about Snowden are thick on the ground these days, and I’ve joined a couple of them. The most fun was the Oxford Union, which has been preparing future Parliamentarians (and Prime Ministers) all around the British Commonwealth since 1823. The Oxford Union debate was “This House would call Edward Snowden a Hero.” My argument to the contrary is here.

Highlights of the debate included the arguments of Jeffrey Toobin, with whom I agree on nothing but Snowden, and P.J. Crowley, lately of the Clinton State Department — both of them well worth watching. I also thought Chris Huhne and Chris Hedges did particularly well in support of the motion. And Charlie Vaughan, the Aussie student who stepped in to support our side, already shows signs of being a formidable politician. They can all be found here.

The motion carried, but narrowly (something like 212-175), which I thought a moral victory with a university audience outside the United States. (And an audience that thinks very highly of itself; even at Harvard I would have expected a laugh when I declared that being a toady was the key to debating success and then immediately told the audience that it was the most intelligent I had ever appeared before. At Oxford, no one saw anything remotely humorous in the suggestion.)

UCLA also held a debate, on “Snowden — Patriot or Traitor,” a choice I wasn’t fond of, since I think there’s an element of intent in being a traitor that is hard to judge from this distance. Luckily the school left room for a third choice, “Neither,” so I encouraged the audience to vote for anything but patriot. I was paired with Judge James Carr of the N.D. Ohio, formerly of the FISA court. Our opponents included Jesselyn Radack and Trevor Timm. Bruce Fein argued for “neither” though his attack on the government was unrelenting.

UCLA took two votes, one before and one after the debate. Gratifyingly, the room flipped after hearing the argument. The vote was 43-33 in favor of “Patriot,” at the outset, but it declined to 34-51 when the debate was done. Here’s the UCLA debate from beginning to end. (I show up at 29:00 and again at 1:26:20.)

I’ve also started to take straw polls of audiences on the question “Snowden, Good or Bad?” Snowden doesn’t do well in that binary choice. He lost about 10:1 at a Suits and Spooks conference for civil liberties and security researchers three weeks ago, and he lost about 4:1 at a conference of minority corporate counsel where I spoke a week ago.

All this suggests that Snowden is wearing out his welcome with the American public as he compromises intelligence program after intelligence program without producing anything more shocking than the fact that NSA is an aggressive, effective collector of intelligence in a dangerous world.

Steptoe Cyberlaw Podcast – Interview with Jim Lewis

Posted in Cybersecurity and Cyberwar, International, Privacy Regulation, Security Programs & Policies

This week’s cyberlaw podcast begins as always with the week in NSA. We suspect that a second tech exec meeting with the President (for two hours!) bodes ill for the intelligence community, or at least the 215 metadata program, as does the shifting position of usually stalwart NSA supporters like Dianne Feinstein and Dutch Ruppersberger.

We introduce a new feature, Silliest Press Angle of the Week, for the Guardian’s claim that NSA’s GC somehow contradicted tech companies when he said that the recipients of 702 orders know that intercepts are going on. The companies that got orders didn’t deny knowing about the orders, obviously, but downstream users were likely to be in the dark, and no one outside NSA had ever heard of PRISM. Ten minutes of fact-checking would have killed the story. Which may be why the story wasn’t checked.

We ask whether hyperventilation about the NSA’s ability to “reach into the past” would sound as scary if we were talking about my VCR — and whether a story on NSA hacking Huawei meets any of the justifications that Snowden has offered for his leaks. We also observe that Brazil has already abandoned its dream of digital autarky – in favor of something equally dubious.

Illinois’s law against recording conversations in the absence of all parties’ consent turns out to be an infringement of free speech (like most “privacy” law, in my view), and the Illinois Supreme Court has struck it down for overbreadth, casting a shadow over some but not all such laws in other states (here and here).

All-party consent laws also lost a round in front of Judge Koh of the San Francisco federal district court. After a startling ruling that suggested massive liability for Google because it did not get all parties’ consent to Gmail scanning, she took away the plaintiffs’ main leverage, denying class certification. In deference to March Madness, we debate whether the decision resembles a basketball ref’s makeup foul call.

In other privacy litigation a ground-breaking settlement compensates even those who have suffered no injury from a data breach. The theory is unjust enrichment. And so, we suspect, is the outcome. After all, you don’t have to suffer much injury to be considered a proper litigant, as Michael reminds us in discussing a privacy case where the alleged harm is battery power lost when personal data is extracted from an Android phone.

We update the “Innocence of Muslims” YouTube ban and offer skepticism about whether the Supreme Court will review the Ninth Circuit’s decision. And the SSCI-CIA fight continues in a lower key. We’ll explore that in more detail with next week’s guest, Michael Allen, himself a former staff director of the House intelligence committee.

This week’s guest is Jim Lewis of the Center for Strategic and International Studies. Jim is the most thoughtful outside commentator on international cybersecurity issues, and he gives us a tour of the horizon on cyberwar norms, confidence-building measures, and post-Snowden diplomacy. He also predicts the course of cybersecurity legislation and the prospects for regulatory adoption of the NIST cybersecurity framework. And he gives the 215 metadata program a year to live. All in a tight, one-hour package, for those still shell-shocked by the 85-minute sprawl of episode 11.

Download the twelfth episode (mp3).


Steptoe Cyberlaw Podcast – Interview with Dan Novack

Posted in Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

This week’s podcast covers the latest on NSA.  We mock EFF overriding one of the privacy protections in NSA’s metadata program by killing the 5-year retention limit.  We puzzle over the New York Times story on “raw take.”  What exactly is the news there?  We also ask whether NSA and the telcos will end up going “Dutch,” as in Ruppersberger.  And I brag about the results in my latest debate over Edward Snowden, who is starting to wear out his welcome with Americans.

In other fallout from the NSA leaks, we note that Commerce announced its willingness to give up an oversight role for ICANN.  And members of the European Parliament start work on a data protection regulation that they can’t finish before elections.  Why?  Because, one member of the Parliament explains, hating NSA should be popular with the “euroskeptics, racists, and homophobes” she expects to be elected to the next Parliament.  So if you’re known by your enemies, maybe NSA is doing something right.

And remarkably, NSA isn’t even the intelligence agency in the biggest political flap of the week.  We unpack the legal claims in the SSCI-CIA brouhaha.

Turning to non-intelligence topics, the Silverpop case suggests that it may be harder to win a hacker-breach negligence case than some of us thought.  And the Target case gets more interesting. It looks as though Target missed a chance to stop the exploit, probably because of information overload.  And I argue that the incident also shows the foolishness of Justice’s campaign against corporate self-help in cyberspace.

Privacy groups want to block the Whatsapp deal on privacy grounds. Is this a promising new front for privacy campaigners or a peculiarity of the FTC’s dog’s-breakfast jurisdiction?  We also touch on a few other stories: the public’s first good look at Russia’s cyberespionage tools, Google starts encrypting search in China, Leon Panetta invokes “cyber Pearl Harbor” and it turns out we could lose power for 18 months if a handful of substations are successfully attacked.

The interview features Dan Novack, a former big-firm litigator now serving as legal analyst at First Look, the Greenwald/Omidyar news service. Occasional fireworks break out.  Be sure to read his article “DOJ Still Ducking Scrutiny After Misleading Supreme Court on Surveillance,” which he mentions in the interview.

Download the eleventh episode (mp3).


Steptoe Cyberlaw Podcast – Interview with Mark Weatherford

Posted in Cybersecurity and Cyberwar, Privacy Regulation, Security Programs & Policies

In the latest episode of the Steptoe Cyberlaw Podcast, Jason Weinstein and I cover a host of topics. In the continuing NSA saga, we note the Director’s hints about a possible end to the broad collection of metadata – and the FISA court’s refusal to extend the 5-year retention deadline for NSA’s store of metadata. Was that ruling a defeat for NSA – or the result of a clever litigation strategy? The Steptoe podcasters consider both possibilities.

Bitcoin will deserve a podcast of its own if it keeps acting more like a soap opera than a currency. Jason has the latest.

Meanwhile, taking a second look at the copyright fight over “Innocence of Muslims” Jason and I express some unease about the Ninth Circuit’s method for doing rough justice and speculate on the prospects for en banc review, even as Google finds a way to display the movie, minus one actress’s performance.

In wiretap news, the $21 million Justice Department claim against Sprint for overcharging on wiretaps gets a close look.

As for cybersecurity policy, the Obama administration’s approach is getting the most sincere form of flattery from other nations. China and Europe are once again living out the fantasies of American officials. Except for the FTC, which as far as we can tell is already living in its own fantasy, riding a 50-plus streak of wins to a couple more victories, though one was closer than expected.

Finally, in our interview segment, the former head of cybersecurity at DHS, Mark Weatherford, offers candid views about what’s working at DHS and what’s not, the relationship with NSA, and where things will go from here.

Download the tenth episode (mp3).


Making sense of Bitcoin

Posted in Cybersecurity and Cyberwar, Privacy Regulation, Security Programs & Policies

With all of the hype and hyperbole surrounding bitcoin and the dizzying array of press coverage, it can be hard for companies to know where to start in evaluating the potential risks involved in making bitcoin a part of their business.  Law360 published an article this week in which I make sense of it all – or at least try to.  Read the full article.