Header graphic for print

Steptoe Cyberblog

FinTech Bits: What Does Donald Trump Think About Bitcoin?

Posted in Blockchain, Virtual Currency

This week featured interesting remarks from two of the most influential thought leaders in Bitcoin and the blockchain – Blythe Masters and Brian Forde.

During SourceMedia’s Convene conference, Masters, the CEO of Digital Asset Holdings, observed that while we are in the early days of development for Bitcoin and the blockchain, similar to where we were with the Internet in the early 1990s, “[t]he potential addressable markets for these types of technologies are gigantic.” For instance, Masters noted that blockchain technology could transform the way we trade and settle transactions for stocks, bonds, and derivatives.

Meanwhile, Brian Forde from MIT’s Digital Currency Initiative, with whom I was privileged to spend time at the Blockchain Summit, spoke at the Atlantic Aspen Ideas Festival about how digital currency and blockchain technology could improve public welfare. Forde observed that these technological innovations could improve the efficiency and security of government services. He noted that the technology also could benefit underserved populations by, among other things, increasing financial inclusion for the unbanked, helping secure property rights, and protecting identity.

The week also included thoughtful remarks about Bitcoin from a more unlikely source – former Texas governor and current presidential candidate Rick Perry. In a speech to the Committee to Unleash Economic Prosperity, Perry offered his take on the causes of the 2008 economic crisis, predicted that another economic crash is on the horizon, and challenged Donald Trump to a pull-up contest. But in the same speech, Perry called for “regulatory breathing room for banking with digital currencies, like Bitcoin.” Perry added that “[d]igital currencies harbor the possibility of reducing the cost and improving the quality of financial transactions in much the same way that the conventional Internet has done for consumer goods and services.” Regardless of what one thinks of Perry’s politics, it is a milestone of sorts that any presidential candidate was discussing Bitcoin in the course of a campaign event, and perhaps even more significant that the candidate was encouraging a regulatory approach that doesn’t stifle the growth of the technology.

No word yet on when, or if, Donald Trump will offer his position on Bitcoin and the blockchain. Or whether he’ll accept the challenge of a pull-up contest. Time will tell, as the campaign, like the technology, is still young.

On the Intelligence Authorization Bill

Posted in Security Programs & Policies

On July 28, Senator Ron Wyden objected to the Senate’s passage of the Intelligence Authorization Bill for Fiscal Year 2016. He objected not because he opposes the funding decisions included in the legislation but rather because of just 29 lines of text among the 41 pages of proposed legislation that have nothing to do with intelligence spending. Those 29 lines, found in Section 603 of S. 1705, would require Internet companies to report to the Attorney General (or her designee) “terrorist activity” on their platforms. In support of this idea, proponents have raised concerns about use of the Internet by terrorist organizations such as ISIS to promote terrorism and recruit new members. Of course such concerns are appropriate, but the proposed legislation creates too much collateral damage. Our client, the Internet Association, has raised concerns with Section 603. The views here, however, are my own.

The Supreme Court, among others, has noted, “[C]ontent on the Internet is as diverse as human thought.” This means that along with supercharged innovation, economic development, and democratic discourse, the Internet also facilitates the views of the intolerant, hateful, and yes even criminal elements around the globe.

In the US, the First Amendment protects the rights of individuals to express intolerant and hateful ideas. We are often criticized for this, to which we respond that the best means of combating such speech is by ensuring the ability of others to respond. In this dynamic, we believe that the marketplace of ideas is the best referee. Certainly, it is a better referee we can agree than a bureaucrat in a government agency making decisions about what should be censored. Put another way, the dangers of government-controlled speech far outweigh concerns over the promotion of speech we find objectionable.

Yet the First Amendment does not protect organizations from laws prohibiting them from conspiring to commit violent acts or raise money to fund criminal activities. The First Amendment does not protect an individual’s right to incite imminent lawless action that is likely to incite such action.

When use of the Internet crosses the line from protected speech to criminal activity, law enforcement can and should intervene. In such cases, Internet companies can and do cooperate with lawful requests to assist efforts to investigate and prosecute criminal behavior.

A key problem with Section 603, however, is that the trigger for the reporting mandate is based on the vague and undefined term “terrorist activity.” This term is not a term of art in the US criminal code and arguably goes well beyond criminal activity to speech that is protected under the First Amendment.

Proponents of the provision compare the reporting obligation to the existing reporting obligation for child pornography images in 18 U.S.C. §2258A. That law requires intermediaries that obtain actual knowledge of any facts and circumstances from which there is an apparent violation of federal child exploitation crimes involving child pornography to file a report with the National Center for Missing and Exploited Children (NCMEC).

The NCMEC reporting obligations, however, relate to images that are per se unlawful and are never protected speech under the US Constitution. A government mandate that an Internet company report facts and circumstances connected to the vague and overbroad term “terrorist activity” certainly would result in overbroad reporting to the government of speech that is protected under the First Amendment.

More troubling, if adopted, the provision would serve as a global template for other countries to impose reporting requirements for activities those jurisdictions deem unlawful. This would be particularly problematic with countries that regulate speech, including political speech, and with authoritarian regimes that would demand that Internet companies police their citizens’ activities.

Section 603 also creates a practical compliance problem. Because no one knows the definition of “terrorist activity,” how does one counsel a client to establish a compliance protocol under the proposal?

Any company would be at risk that if it did not report “terrorist activity,” it could be liable if there were a subsequent event that resulted in loss of life, limb, or property. Likely, this would result in designing a protocol to over-report anything that could be considered “terrorist activity.” Given the massive scale of content shared and created on the Internet daily, this would result in reporting of items that are not likely to be of material concern to public safety and would create a “needle in the haystack” problem for law enforcement. This serves no one’s purposes and adds privacy concerns to the First Amendment concerns noted above.

This creates a perverse incentive for a company to avoid obtaining knowledge of any activity that would trigger the reporting requirement—the exact opposite of what the proponents of the legislation want. Yet, designing such an avoidance protocol is nearly impossible. If even one low-level employee received an over-the-transom email about a “terrorist activity,” knowledge of the activity can be imputed to the entire company – exacerbating the potential liability faced by an Internet company.

Section 603 has other problems. The scope of the kind of Internet platforms that would be covered by the proposal is enormous. The reporting mandate applies to an “electronic communication service” (ECS) and a “remote computing service” (RCS). An ECS is arguably any service that provides a person with the ability to communicate with others electronically. The definition of “remote computing service” is “the provision to the public of computer storage or processing services by means of an electronic communications system.” These terms create a huge universe of entities subject to the mandate, including but certainly not limited to social media companies, search engines, Internet service providers, blogs, community bulletin boards, universities, advocacy organizations, and religious institutions.

Further, the proposal would not limit the reporting requirement to publicly viewable sites. It would require a cloud storage provider to police a third party’s internal, stored communications to avoid the potential liability under the provision.

For all of the reasons above, Senator Wyden was right to object to the reporting mandate.

And the Senate Select Committee is right to raise concerns with the use of the Internet by terrorist organizations. Confronting such use, however, must not be done at the expense of the First Amendment and by requiring Internet companies to police and report on their users’ activities.

Steptoe Cyberlaw Podcast – Interview with Bruce Andrews

Posted in China, Cybersecurity and Cyberwar, Data Breach, International, Security Programs & Policies

Our guest for episode 77 is Bruce Andrews, the deputy secretary of the Commerce Department. Alan Cohn and I pepper Bruce with questions about export controls on cybersecurity technology, stopping commercial cyberespionage, the future of the NIST cybersecurity framework, and how we can get on future cybersecurity trade missions, among other things.

In the news roundup, Alan and I puzzle over the administration’s reluctance to blame China for its hacks of US agencies.

The furor over cybersecurity export controls continues unabated, with a couple of hundred hostile comments filed and Congress beginning to stir. Alan Cohn fills us in.

The UK high court ruling on data retention makes history but maybe only the most evanescent of law. Alan and I discuss whether the ruling will resemble Marbury v. Madison in more ways than one.

France finalizes expansion of surveillance. Bush administration figures come out against back doors. Cyberweek begins and, the cyber left hopes, ends without progress on CISA.

This Week in Prurient Cybersecurity: The first Ashley Madison subscriber is outed.  And he’s Canadian.  Looks like the nights really are longer up there. Ottawa apparently leads the world in percentage of would-be adulterers, followed by Washington, DC. No further comment seems necessary.

And Bloomberg says that the Chinese attempt to build a database on Americans didn’t begin with OPM or Anthem, but with the compromise of travel databases two years ago.

This time, Alan hints, the FTC may throw away the key, as it once again takes action against LifeLock. And the Seventh Circuit wades into the debate over how much harm a data breach plaintiff must suffer to have standing to sue.

The Cyberlaw Podcast is now open to feedback.  Send your questions, suggestions for interview candidates, or topics to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Download the seventy-seventh episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

 

FinTech Bits: Smart Banks Are Banking on the Blockchain

Posted in Blockchain, Virtual Currency

In an area that is growing and evolving as fast as FinTech, it’s often difficult to take a step back and take stock of where we are, and where we’re headed. So kudos to CoinDesk, which recently issued its State of Bitcoin report for the second quarter of 2015, its seventh such report since February 2014. The report is a great read that contains a number of terrific insights into trends and developments in Bitcoin and other digital currencies. One of the most interesting aspects of the report related to the significant number of banks throughout the world that are experimenting with use cases for blockchain technology. The report cited Santander, Barclays, UBS, and BNY Mellon as among the global banks exploring the potential of the blockchain.

That dovetails with reporting from CoinTelegraph and other sources that these and other large banks are increasingly studying possible use cases for bitcoin and the blockchain to reduce costs, increase speed and efficiency of transactions, and provide greater security and transparency. (To that list of advantages we would add reduced compliance costs, which are an increasing issue for banks.)

Meanwhile, a recently released book from Adaptive Labs suggests that banks are ill-prepared for the potential disruption to their business models that FinTech innovations, including the blockchain, represent.

The takeaway from all of this? Banks, money remitters, and other financial institutions would be well-served to join the growing list of organizations that are studying possible applications for digital currencies and the blockchain to enhance their business, lest they be left behind by a wave of innovation in FinTech. Better to disrupt your own business model from the inside than to see it disrupted from the outside.

Does Your CEO Know What’s Keeping You Up at Night?

Posted in Cybersecurity and Cyberwar, Data Breach

Security Magazine’s Security Talk interviewed us on how we help clients navigate cybersecurity issues.  In the article, “Does Your CEO Know What’s Keeping You Up at Night?,” we discuss how a company’s ability to weather a cyber attack depends in part on the decisions the company makes both before a breach occurs and in the immediate aftermath of a breach.  One way to prepare for a breach is through tabletop exercises that simulate a data breach, which are a key feature of our pre-breach services.  In preparing these exercises, we draw on the expertise and insights of the company’s own cybersecurity professionals, and we make a practice of asking those professionals about the scenarios that cause them to lose sleep.  We encourage directors and officers to ask that same question, because what’s keeping your cybersecurity professionals up tonight could be a nightmare for your entire company down the road.

Steptoe Cyberlaw Podcast – Interview with Annie Antón and Peter Swire

Posted in Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Episode 76 of the podcast features the power couple of privacy and cybersecurity, Peter Swire and Annie Antón, both professors at Georgia Institute of Technology.  I question them on topics from the USA FREEDOM Act to the enduring gulf between writing law and writing code.

In the news roundup, as our listeners have come to expect, we do indeed return to our recurring feature, This Week in Prurient Cybersecurity, with a riff on the Ashley Madison hack.  But you’ll have to wait until the end, when we’re loosened up.

We begin more soberly, with Jason Weinstein and Michael Vatis covering the courts’ mopping up after passage of the USA FREEDOM Act.  The DC Circuit has received supplemental briefs on section 215, and the ACLU is leading hopeless charge against the 215 program in the Second Circuit.

The Hacking Team doxxing draws attention to the risk involved in hiring hackers.  When they’re disgruntled, they don’t just slam the door on the way out.  Still, Alan Cohn and I can’t help but be fascinated by the Hacking Team proposal to use drones to hover over the target, intercepting his Wi-Fi connection.

In regulatory news, Alan Cohn and Jason Weinstein discuss the FERC’s revisions to the CIP cybersecurity requirements, with a focus on supply chain practices, and a Boston hospital’s settlement of HIPAA charges, prompting me to ask whether HHS’s Office of Civil Rights is the most hypocritically aggressive privacy regulator in government.

Russia’s Right to Be Forgotten law is signed, after further tweaks.  And Google announces that it has officially tipped more than one million links into the dustbin of history.

I respond to listener feedback by walking back my mockery of Tony Scott’s “TLS Everywhere” initiative, noting that it might have some modest security benefits after all.  Instead of “privacy theater” perhaps I should have called it a “privacy skit.”  And as attribution gets better, so does the temptation to fly false flags.  It looks as though the Russians will pioneer this particular development, attacking US sites under the nom de guerre of the Cyber Caliphate.  And the US government response to the Russian attacks?  A predictable silence.

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Download the seventy-sixth episode (mp3).

Subscribe to the Cyberlaw Podcast here.  We are also now on iTunes and Pocket Casts!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Steptoe Cyberlaw Podcast – Interview with Michael Casey

Posted in Blockchain, Cybersecurity and Cyberwar, International, Privacy Regulation

Hip Hop Summit at Graceland: Michael Casey and Digital Money

Bitcoin and the blockchain – how do they work and what do they mean for financial and government services and for consumers? And who holds massive stores of bitcoin that can’t be spent without solving one of the great financial mysteries of our time?  Our guest for episode 75 is Michael Casey, former senior columnist for the Wall Street Journal and – as of last week – senior advisor at the MIT Media Lab’s Digital Currency Initiative.  Michael is also the author, along with his former Wall Street Journal colleague Paul Vigna, of The Age of Cryptocurrency:  How Bitcoin and Digital Money Are Challenging the Global Economic Order.  Alan Cohn and Jason Weinstein interview him about bitcoin and its underestimated enabling technology, the blockchain.

In the news roundup, Meredith Rathbone, Alan Cohn, and I dive into the Commerce Department’s sweeping proposal for new regulation of the cybersecurity industry under the Wassenaar arrangement.  With comments due on July 20, security companies are beginning to identify a host of unintended regulatory consequences.

The FBI and Justice Department had a surprisingly good week complaining about technologists’ deployment of ubiquitous unbreakable encryption.  A group of cryptographers offered a contrary view, and I critiqued their position in the roundup and in a blog post.

Hacking Team was itself hacked, with its internal correspondence spread across the internet.  One quick lesson:  if anyone is expecting export controls to stop sales of hacking tools to repressive regimes, they aren’t paying attention to the Italian government’s licensing policies.

Finally, the right to be forgotten looks like a bad idea whose time has come.  Jason doubts that Consumer Watchdog will succeed in smuggling the right to be forgotten into the FTC Act, perhaps because the act is already bulging at the seams.  Canadian courts, in contrast, seem happy to impose their speech rules on Americans – whether or not Canadian courts have, you know, jurisdiction over the Americans.

As always, send your questions and suggestions for interview candidates to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Download the seventy-fifth episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

FinTech Bits: Bitcoin Is No Longer All Greek to the Greeks

Posted in Blockchain, International, Virtual Currency

In prior posts we’ve observed that the technology underlying Bitcoin – the “blockchain” – presents a world of possible applications unrelated to the use of Bitcoin as a currency. From securities settlement to remittances to asset transfer to the Internet of Things, the possibilities are endless, and some of the best and brightest minds in the world are investing their time, energy, and money to unlock the blockchain’s potential.

But the crisis in Greece is shining a brighter light on Bitcoin as a currency. With capital controls, restrictions on withdrawals, and widespread fears of a banking collapse, there has reportedly been a significant increase in the acquisition of bitcoins by users in Greece. With Greeks reportedly resorting to IOUs to obtain needed goods because of a lack of access to their money, the crisis underscores the advantages of Bitcoin as a way of paying for goods and services and transferring money across town or around the world without having to depend on traditional financial institutions.

The crisis in Greece is too far advanced for Bitcoin to have a significant impact – there aren’t many places to spend bitcoins in Greece and, after all, it’s hard for Greeks to get access to their money in the first place. But reports of an increase in Bitcoin trades in certain other southern European countries has led to speculation that people in those nations are acquiring bitcoins as a hedge against future banking instability and government restrictions should their countries follow in Greece’s unfortunate footsteps.

Some have minimized the potential future impact of Bitcoin as a currency by pointing to its volatility as compared to fiat currencies. But when you can’t access your own money from your own bank account, it may be time to rethink which currency is “virtual” and which is “real.”

Encryption: If This is the Best His Opponents Can Do, Maybe Jim Comey Has a Point

Posted in Security Programs & Policies

When industry opposes a new regulation, it can offer many arguments for its position. Here are three. Which one is real?

  • “We share EPA’s commitment to ending pollution,” said a group of utility executives. “But before the government makes us stop burning coal, it needs to put forward detailed plans for a power plant that is better for the environment and just as cheap as today’s plants. We don’t think it can be done, but we’re happy to consider the government’s design – if it can come up with one.”
  • “We take no issue here with law enforcement’s desire to execute lawful surveillance orders when they meet the requirements of human rights and the rule of law,” said a group of private sector encryption experts, “Our strong recommendation is that anyone proposing regulations should first present concrete technical requirements, which industry, academics, and the public can analyze for technical weaknesses and for hidden costs.”
  • “Building an airbag that doesn’t explode on occasion is practically impossible,” declared a panel of safety researchers who work for industry. “We have no quarrel with the regulators’ goal of 100% safety. But if the government thinks that goal is achievable, it needs to present a concrete technical design for us to review. Until then, we urge that industry stick with its current, proven design.”

Right. It’s the middle one. Troubled by the likely social costs of ubiquitous strong encryption, the FBI and other law enforcement agencies are asking industry to ensure access to communications and data when the government has a warrant. And their opponents are making arguments that would be dismissed out of hand if they were offered by any other industry facing regulation.

Behind the opponents’ demand for “concrete technical requirements” is the argument that any method of guaranteeing government access to encrypted communications should be treated as a security flaw that inevitably puts everyone’s data at risk. In principle, of course, adding a mechanism for government access introduces a risk that the mechanism will not work as intended. But it’s also true that adding a thousand lines of code to a program will greatly increase the risk of adding at least one security flaw to the program.

Yet security experts do not demand that companies stop adding code to their programs. The cost to industry of freezing innovation is deemed so great that the introduction of new security flaws must be tolerated and managed with tactics such as internal code reviews, red-team testing, and bug bounties.

That same calculus should apply to the FBI’s plea for access. There are certainly social and economic costs to giving perfect communications and storage security to everyone – from the best to the worst in society. Whether those costs are so great that we should accept and manage the risks that come with government access is a legitimate topic for debate.

Unfortunately, if you want to know how great those risks are, you can’t really rely on mainstream media, which is quietly sympathetic to opponents of the FBI, or on the internet press, which doesn’t even pretend to be evenhanded on this issue.

A good example is the media’s distorted history of NSA’s 1994 Clipper chip. That chip embodied the Clinton administration’s proposal for strong encryption that “escrowed” the encryption keys to allow government access with a warrant.

(Full disclosure: the Clipper chip helped to spur the Crypto War of the 1990s, in which I was a combatant on the government side. Now, like a veteran of the Great War, I am bemused and a little disconcerted to find that the outbreak of a second conflict has demoted mine to “Crypto War I.”)

The Clipper chip and its key escrow mechanism were heavily scrutinized by hostile technologists, and one, Matthew Blaze, discovered that it was possible with considerable effort to use the encryption offered by the chip while bypassing the mechanism that escrowed the key and thus guaranteed government access. Whether this flaw was a serious one can be debated. (Bypassing escrow certainly took more effort than simply downloading and using an unescrowed strong encryption program like PGP, so the flaw may have been more theoretical than real.)

In any event, nothing about Matt Blaze’s paper questioned the security being offered by the chip, as his paper candidly admitted. Blaze said, “None of the methods given here permit an attacker to discover the contents of encrypted traffic or compromise the integrity of signed messages. Nothing here affects the strength of the system from the point of view of the communicating parties.”

In other words, he may have found a flaw in the Clipper chip, but not in the security it provided to users.

The press has largely ignored Blaze’s caveat. It doesn’t fit the anti-FBI narrative, which is that government access always creates new security holes. I don’t think it’s an accident that no one talks these days about what Matt Blaze actually found except to say that he discovered “security flaws” in Clipper. This formulation allows the reader to (falsely) assume that Blaze’s research shows that government access always undermines security.

The success of this tactic is shown by the many journalists who have fallen prey to this false assumption. Among the reporters fooled by this line is Craig Timberg of the Washington Post, who wrote, “The [Clipper chip] eventually failed amid political opposition but not before Blaze … discovered that the “Clipper Chip” produced by the NSA had crucial security flaws. It turned out to be a back door that a skilled hacker could easily break through.”

Also taken in was Nicole Perlroth of the New York Times: “The final blow [to Clipper] was the discovery by Matt Blaze … of a flaw in the system that would have allowed anyone with technical expertise to gain access to the key to Clipper-encrypted communications.” To her credit, Nicole Perlroth tells me that the New York Times will issue a correction after a three-way Twitter exchange between me, her, and Matt Blaze.

But the fact that the error has also cropped up in the Washington Post suggests a larger problem: Reporters are so sympathetic to one side of this debate that we simply cannot rely on them for a straight story on the security risks of government access.

Why Bitcoin Is Good for Law Enforcement

Posted in Blockchain, Virtual Currency

IAPP published my op-ed today on “Why Bitcoin is Good for Law Enforcement.”  In it I discuss how with every advance in technology, criminals are early adopters, and law enforcement has to play catch-up.  Bitcoin and its underlying blockchain technology are just the latest examples.  But the blockchain actually provides significant benefits to law enforcement in going after criminals, and I argue that effective law enforcement is critical to unlocking the potential of the blockchain to transform the way we live, work, and do business.