Header graphic for print

Steptoe Cyberblog

Steptoe Cyberlaw Podcast – Interview with Robert Litt

Posted in Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Our guest this week is Robert (Bob) Litt, the General Counsel of the Office of the Director of National Intelligence.  Bob has had a distinguished career in government, from his clerkship with Justice Stewart, his time as a prosecutor in the Southern District of New York and at Main Justice, and more than five years in the ODNI job.  This week in NSA:  The latest fad in news coverage of the agency is a hunt for possible conflicts of interest in its leadership.  And it’s having an effect.  Two high-ranking NSA seniors, the CTO and the head of signals intelligence have recently left positions that drew scrutiny for getting too close to private industry.  I ask him whether we should be pleased or worried about the trend toward individual converts to Islam carrying out random attacks with whatever weapon comes to hand.  Prudently, he refuses to be drawn into my comparison of Islamists to the Manson Family.  We debate whether the USA Freedom Act has a chance of passage in the lame duck Congress – and whether it should, focusing among other things on how the act’s FISA civil liberties advocates would function and what ethical rules would govern their day jobs.  And we explore another ODNI project – implementing the President’s directive on protecting the privacy of foreign nationals while gathering intelligence.  Are the nation’s spies really required to wait until a foreign target’s speech goes beyond what the first amendment protects before they collect and analyze the remarks?  Will the requirement for advance justification for collection projects institutionalize risk aversion at NSA?  And can government officials look forward to intelligence reports that read like this: “[SYRIAN NATIONAL 1] asked [IRAQI NATIONAL 1] to kill [US PERSON 1]”?

Our news roundup begins with the sudden press interest in possible conflicts of interest in NSA’s leadership.  The Supreme Court takes another privacy case – one with no obvious federal connection.  Lots of city ordinances require hotels to keep guest registries – and to let the police inspect those registries on demand.  But the 9th circuit recently held en banc that these laws touch the privacy interests of the hotel owner, not just the guests, and that the laws are unconstitutional if they offer no opportunity for prior judicial review of the police demand.  Just what we need:  another opportunity for the Roberts Court to pad a narrow ruling with a lot of ill-considered dicta about Smith v. Maryland.

Harking back to last week’s interview with Tom Finan about insurance coverage for cyber incidents, we discover that where there’s insurance coverage there are also insurance coverage disputes.  The head of Steptoe’s insurance coverage practice explains the P.F. Chang dispute with Travelers Insurance and hints that it’s in the first wave of what could be thirty years of litigation.  Not that there’s anything wrong with that.

FBI Director Comey isn’t alone in complaining about Silicon Valley’s reluctance to help law enforcement.  Leslie Caldwell, the new head of the Justice Department’s criminal division, has joined the chorus.

According to the Stored Communications Act, companies like Google may not provide the contents of emails in response to subpoenas.  So what do civil litigants do when they need access to Gmail accounts in, say, divorce cases?  The usual solution is for the court with jurisdiction over the civil suit to order the litigants to “consent” to the disclosure of their email messages.  But is court-ordered consent really consent?  According to a California appeals court, it is.  Michael explains.

Whoa!  The FCC really is taking cybersecurity seriously.  It’s proposing $10 million in fines for two carriers who stored hundreds of thousands of “Obamaphone” beneficiaries’ personal data on a server accessible by anyone on the internet.

Confusion over when you need a warrant to get third party information continues to roil the courts.  The Florida Supreme Court raises the bar for cell-site location data.  And the NJ AG plots a counter-attack on a billing record warrant requirement in the Garden State.  Michael suggests a new feature to keep all the litigation straight:  This Week in Smith v. Maryland.

Lawyers with banks for clients have a new reason to upgrade their cybersecurity.  As the banks struggle with increasingly sophisticated intrusions, they’re sharing the pain, demanding that their contractors and suppliers adopt stronger cybersecurity.  Law firms are expressly included, since they’ve been targeted frequently for what inevitably will be called “bank shot” intrusions.

We remind everyone that the Steptoe Cyberlaw Podcast welcomes feedback, either by email (CyberlawPodcast@steptoe.com) or voicemail (+1 202 862 5785).

Download the fortieth episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Steptoe Cyberlaw Podcast – Interview with Tom Finan

Posted in Cybersecurity and Cyberwar, Data Breach, Privacy Regulation, Security Programs & Policies

Our guest today is Tom Finan, Senior Cybersecurity Strategist and Counsel at DHS’s National Protection and Programs Directorate (NPPD), where he is currently working on policy issues related to cybersecurity insurance and cybersecurity legislation.  Marc Frey asks him why DHS, specifically NPPD, is interested in cybersecurity insurance, what trends they are seeing in this space for carriers and other stakeholders, and what is next for their role in this space.  He is incredibly forthcoming in his responses and even asks listeners to email him  with their feedback.

This week in NSA:   The House and Senate Judiciary chairs call for action on USA Freedom Act.  And nobody cares.  We conclude that the likelihood of action before the election is zero, and the likelihood of action in a lame duck is close to zero.  But next week we’ll be interviewing Bob Litt, one of the prime negotiators for the intelligence community on this issue, and he may have a different view.

The Great Cable Unbundling seems finally upon us, as several content providers announce that they’re willing to sell content direct to consumers over the Internet.  Does that mean more support for net neutrality?  Not necessarily.  Stephanie Roy explains.

Are parents responsible for what their adolescent kids do and say on Facebook?  That makes sense, if you’ve never had adolescent kids.  Maybe that explains why Michael Vatis sees merit in the Georgia appellate court decision finding potential liability.  It reversed the trial court, which had granted summary judgment in favor of the parents of a kid who set up a fake and defamatory Facebook page in the name of a classmate he hated.  The facts are a little odd.  The kid who set up the page never took it down, even after he’d been caught and punished by school and parents.  The appeals court thought that the parents had a “supervisory” obligation to make their child delete the fake account, and that they could be held liable for negligently failing to do so.  It’s quite possible, though, that everyone in this case is a Privacy Victim; the issue could have been hashed out with a phone call from the parents of the victim to the parents of the perpetrator, but according to the press, “the child’s parents didn’t immediately confront the boy’s parents because their school refused to identify the culprit.”  Because privacy.

FBI Director Comey comes out swinging for CALEA reform, saying in a speech at Brookings that the law needs to be updated to require cooperation from makers of new communications systems when the FBI has a court order granting access to those systems.

When it comes to regulating on other topics, though, the Justice Department is a little less restrained; it has opened the door to a round of new disability claims against websites, offering a roadmap to what it thinks the law requires.

The right to be forgotten is attracting more flak in Europe, as the BBC announces a competing “right to remember” website devoted to publicizing stories that Google has delinked.  It’s Auntie BBC v. Nanny Europe.  Cue popcorn.  Unhappily, a “progressive” group most famous for relentlessly sliming Google on privacy issues has urged the search engine to bring the right to be forgotten  to the United States.  Sigh.

In breach news, TD Bank pays $850,000 to the state AGs over a “breach” that may never have happened.  TD lost a backup tape in transit, and the data wasn’t encrypted.  Was anyone’s data actually compromised by the loss of the tape?  The AGs don’t say.  They just want their money.  And they get it.

The Russians are getting sloppy, or maybe they’re taking a leaf from China’s book – figuring it doesn’t matter if they get caught. And caught they have been, by iSight Partners, which reports that Russian hackers used a Microsoft zero-day to target Western governments and Ukraine.  Meanwhile, the FBI is warning about another and even more sophisticated set of Chinese government hackers.  And hackers are now adding a new form of targeted attack to their arsenal a tactic that combines spearphishing with watering hole attacks.  They’re targeting ads at users that take them to a compromised website that serves malware.

And, in good news for privacy skeptics, the Video Privacy Protection Act gets a narrow reading.

We remind everyone that the Steptoe Cyberlaw Podcast welcomes feedback, either by email (CyberlawPodcast@steptoe.com) or voicemail ( +1 202 862 5785).

Download the thirty-ninth episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Steptoe Cyberlaw Podcast – Interview with Shaun Waterman

Posted in Cybersecurity and Cyberwar, Data Breach, Privacy Regulation, Security Programs & Policies

Our guest for the podcast is Shaun Waterman, editor of POLITICO Pro Cybersecurity.  Shaun is an award-winning journalist who has worked for the BBC and United Press International; and an expert on counterterrorism and cybersecurity.

We begin as usual with the week’s NSA news.  NSA has released its second privacy transparency report.  We’ve invited Becky Richards, NSA’s privacy and civil liberties watchdog, on the program to talk about it, so I’m using this post to lobby her to become a guest soon:   Come on in, Becky, it’s a new day at the NSA!

Laura Poitras’s new film about Snowden gets a quick review.  We question the hyped claim that there’s a “second leaker” at NSA; most of the leaked information described in the film was already pretty widely known.

Two more post-Snowden pieces of litigation are also in the news.  As promised, we dig deeper into the Justice Department’s botched handling of the notice that must be given to parties on the receiving end of FISA taps and section 702 of FISA.  As often turns out to be the case, the Justice Department develops a limp, and all the other agencies have to put stones in their shoes:  It looks as though OFAC is going to be dragged into this comedy of errors.

The second piece of litigation began as a humdrum piece of FOIA litigation (though with a bit of Glomar for spice).  It has now has produced a much more interesting result:  Judge Pauley, ordinarily a good friend to the government, declares that he has lost confidence in the Justice Department’s representations about the risks of releasing  FISA opinions; he insists on reviewing the FIS court’s opinions himself in camera to decide what can be released.

In other national security litigation, we all know that a canary can emit a twitter, but can Twitter emit a canary?  The social media giant is going to court to get approval for its “warrant canary,” claiming a first amendment right to list the orders it has not (yet) received under national security surveillance laws.  Meanwhile, on the opposite coast, the government’s authority to issue gag orders in national security letters is argued before the Ninth Circuit, which seems to find the issue at least a little troubling.

Maybe it’s a coincidence, but just as Europol is raising the possibility that the internet might be used to kill people, the FDA is trying to do something about it, issuing cybersecurity guidelines for manufacturers.   We damn them with faint praise, note that our refrigerators have been trying to kill us slowly for years, and wonder when the National Highway Safety Administration will security guidelines for self-driving cars.

The pendulum may be swinging toward privacy in the US but it swings hard the other way in the Southern Hemisphere.  First New Zealand gives Snowden a swift kick and now the Australian government is enacting surveillance reforms that increase government authority to conduct national security intercepts.

There’s a bit of good news in our update on the right to be forgotten.  The European Commission has poured cold water on the European Court of Justice, hinting strongly that the court’s enthusiasm for sacrificing free expression is a bad idea.  Sad to say, though, the notion seems as communicable as Ebola; even Japan is getting in the act, as a Tokyo court orders Google to take down search links at the request of an individual.

The prize for Dumbest Judicial Opinion of the Month goes (where else?) to the Ninth Circuit, which expressed shock and dismay over the idea that a Navy investigator conducted “surveillance of all the civilian computers in an entire state” in the course of looking for military personnel trading child porn.  Turns out that the investigator in question simply looked at images being shared publicly online using a common file-sharing program, Gnutella.  And when he had the IP address of someone sharing child porn images he checked to see if the suspect worked for the military.  When that turned out not to be the case, he turned the information over to civilian law enforcement, giving the Ninth Circuit a severe case of the vapors and ultimately leading to exclusion of the evidence.  Because posse comitatus.  You won’t want to miss my translation from the Latin.

We unpack the controversy over Ross Ulbricht and how the FBI managed to captcha him.  And we congratulate the FCC for a regulatory action near and dear to anyone who’s ever paid too much for bad Wi-Fi in a good hotel.

Finally, we remind everyone that the Steptoe Cyberlaw Podcast welcomes feedback, either by email (CyberlawPodcast@steptoe.com) or voicemail ( +1 202 862 5785).  And to prove it, I read a message from Dick Mills, a libertarian blogger who started out tagging me as the Great Satan of statism but ended by admitting that the podcast occasionally changed his mind.  We can’t ask for more than that.

Download the thirty-eighth episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Steptoe Cyberlaw Podcast – Interview with Rob Corbet

Posted in Cloud Computing, Cybersecurity and Cyberwar, Data Breach, International, Security Programs & Policies

Our guest today is Rob Corbet, a partner and head of the Technology & Innovation group in Arthur Cox, a large Irish law firm.  Ireland is a uniquely important jurisdiction for US companies dealing with data protection issue.  I ask whether Ireland’s role is going to become more or less powerful under the proposed revision,  and we talk about the replacement of its longstanding data protection commissioner.

This week in NSA:   NSA is getting ever thinner, but there is still a knock-on effect from the Snowden revelations, which is now complicating the way Treasury designates people and institutions for sanctions.  This is a complex tale, and we will dig deeper into it next week.

Web publishers are taking it on the chin everywhere.  Russia has told Google, Twitter, and Facebook to register under Russian law and submit to Russian regulation, including local storage of Russian data.  And the EU Article 29 Working Party is working on how to implement the right to be forgotten, combining it its usual way ineffectual bureaucratics with politically correct misrepresentations.  Bet you didn’t know that the right to be forgotten isn’t censorship, apparently because you’re being censored first by companies, then by “independent” data protection agencies, and finally by the courts.  That’s not censorship, say European regulators, it’s “balancing.”  I’m reminded of Mary McCarthy, who famously said of Lillian Hellman, “Every word she writes is a lie, including “and” and ‘the’.”  (Meanwhile the New York Times announces that it’s been hit by the right to be forgotten, with several of its stories going down the memory hole.)

In the US, the attack on web publishers is taking a different form, but it’s no less effective.  When Apple screws up and allows the disclosure of celebrity nude photos, it’s Google that gets hit with the threat of a $100 million lawsuit, on grounds that are half copyright, and half a kind of right to be forgotten.  Google immediately surrenders, claiming that it’s taken down links to the photos.

Finally, in the most troubling cybersecurity news of the month, maybe the year, JP Morgan acknowledges a deep penetration of its computer networks by sophisticated hackers – quite possibly aided by the Russian government.  Exactly what the hackers took and what they intended is still not clear, something that makes the intrusion more ominous not less, raising as it does the possibility that Russia intends to impose its own style of financial sanctions on the United States.

All of which raises the question whether JP Morgan should protect itself by adding a “Herod clause” to its terms of service:  anyone accessing the site without authority automatically surrenders custody of his firstborn.  If it worked for F-Secure’s free wi-fi service, maybe it will work for cybersecurity.

The Cyberlaw Podcast is now open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Download the thirty-seventh episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Steptoe Cyberlaw Podcast – Interview with Admiral David Simpson

Posted in Cybersecurity and Cyberwar, Data Breach, Privacy Regulation, Security Programs & Policies

Our guest today is Admiral David Simpson, Chief of the FCC’s Public Safety and Homeland Security Bureau.  Admiral Simpson has more than 20 years of Information and Communications Technology experience supporting the Department of Defense.  Adm. Simpson is joined by Clete Johnson, his Chief Counsel for Cybersecurity.  The interview digs deep into Chairman Wheeler’s cybersecurity initiative, asking among other things exactly how voluntary it will be, what telecom companies can do to stop DDOS attacks, and what CSRIC really stands for.

It’s getting harder and harder to find new NSA stories, which must be a relief to the agency.  Last week, the only news was NSA’s decision to name Anne Neuberger its Chief Risk Officer.  Anne is an able woman who knows the outside world better than practically anyone at the agency, but I can’t shake the feeling that what the agency wants is a Chief Risk-Aversion Officer.

In other news, how to handle location data after Riley continues to bedevil the circuit courts, but the Fifth Circuit seems to have come to a surprisingly reasonable result, holding that users don’t have a reasonable expectation of privacy in the cell-site data that they give the phone company so it can connect calls to them.

Adm. Simpson and I dig into three stories that are more technical than legal but which will all have legal fallout soon:   It turns out that Apple may have known about the iCloud security flaw that enabled disclosure of nude celebrity photos for as long as six months before the hack.  The Shellshock bug debunks the notion that open-source is inherently more secure than proprietary code, and it means that anyone who has built their business on Linux should be scrambling (that means you, Apple and Google). And the financial industry launches a real-time information-sharing program that will finally test-drive the vision underlying the bills that Congress has been trying to pass for years.

In retaliation for Western sanctions, Russia is advancing the date for mandatory social media data localization.  Meanwhile, Google’s staggering potential liability for “wiretapping” publicly broadcast Wi-Fi signals has led to an interesting discovery fight, with the self-proclaimed victims of the wiretapping challenged to show that Google actually intercepted any of their data when the Street View car drove past their homes.  If the plaintiffs fail, their whole case (and their lawyers’ payday) are at risk, since non-victims are not proper class representatives.

Finally, a brief cybersecurity obituary:   Apple’s warrant canary is pining for the fjords.

The Cyberlaw Podcast is now open to feedback.  Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Download the thirty-sixth episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Steptoe Cyberlaw Podcast – Interview with Julian Sanchez

Posted in Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

For those who think the podcast is best when we have a guest from the opposite end of the political spectrum, episode 35 should be a treat.  (We’re late this week, but it will be well worth the wait.)  Our guest is Julian Sanchez, a senior fellow at the Cato Institute who studies surveillance and other issues at the intersection of technology and civil liberties.  He is a founding editor of the policy blog Just Security, and recently debated another of our guests, Orin Kerr, on Apple’s recent announcement that it would no longer be able to decrypt iPhones for law enforcement.  We dig into that issue in detail, asking such questions as how often encryption has actually stymied an investigation, whether “hacking” the phone is a substitute for help from the company, what this means for corporate users of iPhones, the implications for Apple (and Google) in other countries, and whether Google/Apple run a risk under current US law of lawsuits by prosecutors or by crime victims.

Our news roundup begins with some of the first good news NSA has received in months.  It looks as though Snowden fatigue may finally be setting in abroad as well as here. Last week, Glenn Greenwald, Edward Snowden, and Internet multimillionaire Kim Dotcom teamed up to “close one of the Five Eyes” by driving New Zealand’s government out of office in national elections.  They combined strategic leaks, a Snowden attack on the prime minister as a liar, and Dotcom’s multimillion dollar campaign war chest.  Well, the elections are over, and the Anti-NSA Dream Team was trounced.  In less good news, NSA Director Mike Rogers admits to having missed more than he’d like about ISIS’s rise. We debate how much the political furor over the agency contributes to these problems.

In other news, we discover that auto-forwarding someone else’s email is a wiretap – and why suing for a privacy violation is much better than seeking alimony.  Meanwhile, the Home Depot case sets a new record, and the Neiman Marcus data breach case gives comfort to class action defense lawyers all across the country.  The Texas Court of Criminal Appeals tells us that the constitution may protect upskirt photos.

And, finally, we speculate whether the whole privacy law thing will finally melt down over health data, especially now that concerns about HIPAA are stifling innovation by app companies, spurring a turf war between the FTC and HHS, and, most of all, getting in the way of rapid response by government agencies accused of wrongdoing.

Finally, we announce a new feature of the Steptoe Cyberlaw Podcast: feedback.  Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone here’s the number: +1 202 862 5785. We may play your message on the podcast if it’s particularly insightful or entertainingly abusive.

Download the thirty-fifth episode (mp3).

Subscribe to the Cyberlaw Podcast here.  We are also now on iTunes and Pocket Casts!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Snowden Fatigue is Spreading Abroad

Posted in International, Privacy Regulation, Security Programs & Policies

If you think Edward Snowden and Glenn Greenwald have stopped attacking NSA, you haven’t been following them closely enough.  While American media have largely lost interest in Snowden and Greenwald, the pair continue to campaign outside the United States against the intelligence agency.

Their most ambitious effort was in New Zealand, a member of the “Five Eyes” intelligence alliance with the US and UK.  The center-right New Zealand government has been embroiled in accusations of illegal surveillance of Kim Dotcom, who grew wealthy running a file-sharing site and is now fighting extradition to the United States for copyright violations.  As part of that fight, Dotcom dove into New Zealand’s national elections, hoping to unseat the two-term government and, in his words, “to close one of the Five Eyes.”

Snowden and Greenwald dove in with him, joining eagerly in campaign events sponsored by Dotcom.  Greenwald used his new Omidyar-funded news site to release a lengthy article in the last week of the campaign; it accused New Zealand of working with NSA to conduct mass surveillance.  When the prime minister denied the accusation, Snowden called him a liar.

The combination of carefully timed Snowden leaks and Dotcom’s millions looked potent.  Dotcom even funded a new Internet Party, aligned with the small Mana party, which already had a seat in New Zealand’s Parliament.

Well, New Zealanders went to the polls today, and the results are in.

The biggest losers?  Snowden, Greenwald, and Dotcom.

The prime minister whom Snowden accused of lying won an “overwhelming” victory that may give him the first outright majority for any New Zealand party in nearly twenty years.

Meanwhile, Dotcom’s Internet Party bombed, even costing its tiny ally the only seat it held in Parliament.

Steptoe Cyberlaw Podcast – Interview with Phyllis Schneck

Posted in Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Our guest this week is Dr. Phyllis Schneck, the Deputy Undersecretary for Cybersecurity for the Department of Homeland Security’s National Protection and Programs Directorate (NPPD).  She and Marc Frey, Senior Director in Steptoe’s DC office and former Chief of Staff at DHS’s Office of Policy Development, discuss the status of cybersecurity legislation and DHS’s highest cybersecurity priorities.

We begin the podcast with This Week in NSA, as newly released documents indicate that back in 2008, the US government had threatened to fine Yahoo $250,000 a day if it failed to comply with an order for data under the PRISM program.

We dive into the Alien Tort Statute suit that was dismissed against Cisco.  And, even though Stewart isn’t here this week, we give an update on his favorite topic – the right to be forgotten.  We also have a new competitor for the title of “strangest ruling against Google in a European court this year” – as a German court has ordered Google to provide more responsive customer support.

Last week, we told you about how Yelp had prevailed in an extreme case claiming that the company suppresses bad reviews for its advertisers.  This week, California adopted a law that further protects customers’ ability to post negative reviews to Yelp and other sites.

This week in data breaches: Home Depot confirms its breach, and the congressional reaction is predictable.  On a related front – in the newly minted “This Week in Judge Koh,” she finds that the Adobe breach victims have standing based on risk of future harm – we explain how this can be reconciled with Clapper and what its implications might be for future class actions.

Finally, tech companies again try to ramp up the pressure for ECPA reform, and in the Microsoft search warrant litigation in New York, Microsoft agreed to be held in contempt – we explain why.

 Download the thirty-fourth episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Steptoe Cyberlaw Podcast – Interview with Orin Kerr

Posted in China, Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Our guest this week is Orin Kerr, professor of law at George Washington University and well-known scholar in computer crime law and Internet surveillance.  Orin is our second return guest, and he demonstrates why, opining authoritatively on the future of NSA’s 215 program and the “mosaic” theory of fourth amendment privacy as well as joining in our news roundup.

We begin the podcast with this week in NSA, which again consists of news stories not written by Glenn Greenwald and the Snowdenistas.  Most prominent are the stories claiming that Snowden’s leaks contributed to US intelligence failures against ISIS, the decision by Justice and DNI officials to support Senator Leahy’s USA Freedom bill, and the release of a less-redacted version of Jack Goldsmith’s OLC opinion holding that the 215 program’s predecessor is not only legal but requires no FIS court approval, at least in time of war.  We find even more evidence that Snowden leaks harmed our ability to monitor ISIS, doubt that Senator Leahy’s bill will pass before the elections, and speculate about whether OLC has a macro that inserts its plenary Article II article into every opinion it produces.

Meanwhile, Yelp prevails in an extreme case claiming that the company suppresses bad reviews – but only for advertisers.  To which the Ninth Circuit says, “So what? It’s Yelp’s site.”  If only the aggrieved shopowner had sued under EU privacy law, which might require Yelp to forget those bad reviews.

Speaking of the right to be forgotten, I explain what I’ve learned by actually filing censorship demands of my own.  The headline?  Google will suppress European search results for anyone anywhere.  You don’t have to be a European to have your peccadilloes forgotten.  The full post is here.

And, speaking of foreign censorship of US information, LinkedIn is being accused of applying Chinese censorship to Chinese customers, even on LinkedIn’s U.S. site.  Three cases make a trend, and censoring the news that Americans read by threatening to hold their news suppliers liable abroad is definitely a trend.

This week in data breaches:  Home Depot is accused, and Senator Rockefeller calls on the company to respond.  Will “tokenization” solve the problem, at least for stores – or is that a solution only a lawyer could love?  We also look at the healthcare.gov hack and conclude that it’s been hyped.

In other regulatory action, Google takes a big hit for kids’ in-app purchases and Verizon agrees to pay $7.4 million for sending inadequate notices to customers.  But the class action bar isn’t likely to get rich off either case.

And Jason lays out the details of a Hasidic child abuse trial that has already produced not one but two noteworthy privacy rulings in New York.

Download the thirty-third episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Inside Europe’s Censorship Machinery

Posted in International, Privacy Regulation, Security Programs & Policies

Three months ago, I tried hacking Google’s implementation of Europe’s “right to be forgotten.”  For those of you who haven’t followed recent developments in censorship, the right to be forgotten is a European requirement that “irrelevant or outdated” information be excluded from searches about individuals.  The doctrine extends even to true information that remains on the internet.  And it is enforced by the search engines themselves, operating under a threat of heavy liability.  That makes the rules particularly hard to determine, since they’re buried in private companies’ decisionmaking processes.

So to find out how this censorship regime works in practice, I sent several takedown requests to Google’s British search engine, google.co.uk.  (Europe has not yet demanded compliance from US search engines, like Google.com, but there are persistent signs that it wants to.)

I’ve now received three answers from Google, all denying my requests.  Here’s what I learned.

The first question was whether Google would rule on my requests at all.  I didn’t hide that I was an American.  Google’s “right to be forgotten” request form requires that you provide ID, and I used my US driver’s license.  Would Google honor a takedown request made by a person who wasn’t a UK or EU national?

The answer appears to be yes.  Google’s response does not mention my nationality as a reason for denying my requests.  This is consistent with Europe’s preening view that its legal “mission civilisatrice” is to confer privacy rights on all mankind.  And it may be the single most important point turned up by this first set of hacks, because it means that lawyers all around the world can start cranking out takedown requests for Belorussian and Saudi clients who don’t like the way they look online.

But will the requests succeed?  The reasons Google gave for denying my requests tell us something about that as well.

1. I had asked that Google drop a link to a book claiming that in 2007 I had the “dubious honor” of being named the world’s “Worst Public Official” by Privacy International, beating out Vladimir Putin on the strength of my involvement with NSA and the USA Patriot Act.  It’s true that Privacy International announced I had won the award, but I argued that the book was inaccurate because in fact, I “had very little to do with either domestic surveillance activities at NSA or with the USA Patriot Act, and the trophy is a ‘dubious’ honor only in the sense that Privacy International never actually awarded it.”  (All true: I’ve been trying to collect the trophy for years but Privacy International has refused to deliver it.)

Google refused to drop the link, saying, “In this case, it appears that the URL(s) in question relate(s) to matters of substantial interest to the public regarding your professional life.  For example, these URLs may be of interest to potential or current consumers, users, or participants of your services.  Information about recent professions or businesses you were involved with may also be of interest to potential or current consumers, users, or participants of your services.  Accordingly, the reference to this document in our search results for your name is justified by the interest of the general public in having access to it.”

So it looks as though Google has adopted a rule that “information about recent professions or businesses you were involved with” are always relevant to consumers.  It would be impressive if the poor paralegal stuck with answering my email did enough online research to realize that I sell legal services, but I fear he or she may have thought that being the world’s worst public official was just one of the gigs I had tried my hand at in the last decade.

2. My second takedown request was a real long shot.  In an effort to see whether Google would let me get away with blatant censorship of my critics, I asked for deletion of a page from Techdirt that seems to be devoted to trashing me and my views; I claimed that it was “inappropriate” under European law to include the page in a list of links about me because it contains “many distorted claims about my political views, a particularly sensitive form of personal data.  The stories are written by men who disagree with me, and they are assembled for the purpose of making money for a website, a purpose that cannot outweigh my interest in controlling the presentation of sensitive data about myself.”

To American ears, such a claim is preposterous, but under European law, it’s not.  Google, thank goodness, still has an American perspective:  “Our conclusion is that the inclusion of the news article(s) in Google’s search results is/are – with regard to all the circumstances of the case we are aware of – still relevant and in the public interest.”

If I had to bet, I’d say that this rather vague statement is the one Google uses when other, more pointed reasons to deny relief don’t work.  But the reference to this page as a “news article” suggests that Google may be using a tougher standard in evaluating takedown requests for news media, a term that applies, at least loosely, to Techdirt.

3. The third denial was a little less interesting. I tried to get Google to take down an image showing me with a beard, arguing that it was out of date: “I don’t have a beard now. If you look at the picture, you’ll see why.”

But Google just gave me the same “professional life” rejection it gave to my “Worst Public Official” request.  I suspect that’s because the article that accompanies the picture is without question about my professional life; it’s published by the Blog of the Legal Times.  I can understand why Google would want to evaluate the complete link, not just the image, for this purpose but that’s going to make deletion of images harder, especially when a bad photo accompanies an unexceptionable article.

What next? With these results in hand, I’m preparing a second round of hacks to further explore the boundaries of the right to be forgotten, and I’ll resubmit my “does this search engine make me look fat?” request that Google take down a fourteen-year-old photo (unattached to a story) on the grounds that I weigh less now.

But to tell the truth, I’m having trouble finding stuff in my search history that is sufficiently inaccurate or outdated, especially now that we know Google is treating professional activities and news as per se relevant (at least if it’s “recent,” whatever that means).  So I hope that others will make their own searches and their own takedown requests and report what they find.  In fact, my second effort has shed some light on how Google decides someone is famous, but I’ll write that up separately, since this post is already long enough