Steptoe Cyberblog

Steptoe Cyberlaw Podcast – Interview with Thomas Rid and Jeffrey Carr

Posted in Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

 

Episode 51 of the podcast features a debate on attributing cyberattacks.  Our two guests, Thomas Rid and Jeffrey Carr, disagree sharply about how and how well recent cyberattacks can be attributed.  Thomas Rid is a Professor of Security Studies at King’s College London and the author of Cyber War Will Not Take Place as well as a recent paper on how attribution should be done.  Jeffrey Carr, the founder and CEO of Taia Global, remains profoundly skeptical about the accuracy of most attribution efforts in recent years. 

I question both of them, relying heavily on questions supplied by attribution aficionados via Twitter (@langnergroup, @NateBeachW, @janwinter15, @pwnallthethings, and @marcwrogers, among others).

I ask why cyber attribution is so controversial.  Is it a hangover from the Iraq war?  Snowdenista sentiment?  Or the publicity to be gained from challenging official attributions?

We debate whether using secret attribution evidence is inherently questionable or an essential tool for ensuring successful attribution.

I also call out the security experts who heaped scorn on the FBI for its initial fingering of North Korea as the source of the Sony attack.  Which of them recanted as the evidence mounted, and which ones doubled down?  Details in the podcast.

In the news roundup, Jason Weinstein and I are joined by Ed Krauland, a partner in Steptoe’s International Department in DC.  Ed outlines the likely impact on technology trade of President Obama’s lifting of Cuba sanctions (short answer:  not much).  I linger over the evidence that Europe has swung from hating US tech firms for being too cozy with government to hating them for not being cozy enough: the EU’s top counterterrorism official wants to prevent firms from selling unbreakable encryption, and the French government wants them to take down more terror-related online speech.  Later, I spike the ball, pointing to a Pew poll showing that NSA is holding its own in American opinion since the first Snowden revelations and that young voters have a far more favorable view of the agency than those over 65.

In US privacy litigation, Jason tells us that the class action over CarrierIQ’s storage of phone records has gotten a haircut, as the court throws out wiretap claims against hardware makers, and that LabMD has lost yet another peripheral battle in its campaign to force the FTC to spell out exactly what security measures it expects from private companies.  And we debate the significance of the revelations about DEA’s Hemisphere Project.

We remind everyone that the Podcast welcomes feedback, either by voicemail (+1 202 862 5785) or email (CyberlawPodcast@steptoe.com).

Download the fifty-first episode (mp3).

Subscribe to the Cyberlaw Podcast here. We are also now on iTunes and Pocket Casts!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Steptoe Cyberlaw Podcast – Interview with David Sanger

Posted in Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Our guest for Episode 50 of the Steptoe Cyberlaw Podcast is David Sanger, the New York Times reporter who broke the detailed story of Stuxnet in his book,  Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power.  David talks about his latest story, recounting how North Korea developed its cyberattack network, and how the National Security Agency managed to compromise the network sufficiently to attribute the Sony attack.  We talk about how understanding the White House helped him break a story that seemed to be about NSA and the FBI, North Korean hackers’ resemblance to East German Olympic swimmers, and the future of cyberwar.

Michael Vatis and I also cover a news-rich week, beginning with capsule summaries of the President’s State of the Union proposals for legislation on cybersecurity information sharing, breach notification, and Computer Fraud and Abuse Act amendments.

We touch on Europe’s new commitment to antiterrorism surveillance, which officially puts a still-Snowden-ridden United States out of step with just about every developed nation.

I try to summarize the new National Academy of Sciences study on why there isn’t an easy software substitute for bulk collection.  (Short answer:  If you want to recreate the past, you have to bulk-collect the present.)

We ask whether the DEA was the inspiration for NSA’s 215 bulk collection program, call out Rep. Sensenbrenner, who evidently skipped the DEA briefings as well as NSA’s, and wonder why Justice didn’t explain to Congress last year that NSA’s program wasn’t that big a leap from the Justice Department’s own bulk collection – instead of quietly trying to bury its program when the heat built up on NSA.  (OK, we didn’t really wonder why Justice did that.)

If you judge by their joint press conference, Prime Minister Cameron seems to have done more to convert President Obama to skepticism about widespread unbreakable encryption than Jim Comey did.  Save your Clipper Chips, key escrow will rise again!

Finally, Centcom’s public affairs team, which can’t keep ISIS sympathizers out of its Twitter and YouTube feeds, deserves 24 hours of deep embarrassment, which is surprisingly exactly what it gets.

We remind everyone that the Podcast welcomes feedback, either by voicemail (+1 202 862 5785) or email (CyberlawPodcast@steptoe.com).

Download the fiftieth episode (mp3).


Steptoe Cyberlaw Podcast – Interview with Juan Zarate

Posted in Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Our guest commentator for episode 49 of the Steptoe Cyberlaw podcast is Juan Zarate, a senior adviser at the Center for Strategic and International Studies (CSIS), the senior national security analyst for CBS News, a visiting lecturer at the Harvard Law School, and chairman and co-founder of the Financial Integrity Network.  Before joining CSIS, Juan was the first ever assistant secretary of the treasury for terrorist financing and financial crimes.

We inaugurate a new headline news feature, “News or Snooze.”  Some highlights:

In the interview, Juan Zarate and Steptoe’s own Meredith Rathbone lead us through a bracing discussion of US sanctions on North Korea for the Sony attack.  Bottom line:  the Treasury sanctions announced so far are unlikely to have much impact, but they do open the door to future approaches that could.  Juan endorses tougher OFAC sanctions for the beneficiaries of cyberespionage and international sanctions for attacks on banks.  He even has a kind word for letters of marque that would give the private sector more authority to pursue cyberattackers.  By the end, he’s demonstrated anew why we call him the Lord Byron of cyberpolicy.

We remind everyone that the Podcast welcomes feedback, either by email (CyberlawPodcast@steptoe.com) or voicemail (+1 202 862 5785).

Download the forty-ninth episode (mp3).


Why Tort Liability Won’t Produce Good Cybersecurity

Posted in Data Breach, Security Programs & Policies

Government policymakers have been hoping for twenty years that companies will be driven to good cybersecurity by the threat of tort liability. That hope is understandable. Tort liability would allow government to get the benefit of regulating cybersecurity without taking heat for imposing restrictions directly on the digital economy.

Those who see tort law as a cybersecurity savior are now getting their day in court. Literally. Mandatory data breach notices have led, inevitably, to data breach class actions. And the class actions have led to settlements. And those freely negotiated deals set what might be called a market price for data breach liability, a price that can be used to decide how much money a company ought to spend on security.

So, how much incentive for better security comes from the threat of data breach liability? Some, but not much. As I’ve been saying for a while, the actual damages from data breaches are pretty modest in dollar terms, and the pattern of losses makes it very hard to sustain a single class, something that forces up the cost of litigation for the plaintiffs.

You can see this pattern in recent data breach settlements. I put this chart together for a talk on the subject at the Center for Strategic and International Studies. While the settlements below all have complications (Sony’s settlement was mostly in free game play, for example), they all cap the defendants’ total liability. And what’s striking about the caps is how low a price these agreements set, especially on an individual basis, where $2.50 per victim looks to set the high end and 50 cents the low. Of course, to determine how much you spend annually to avoid that liability, a company would have to discount the settlement price by the probability of a breach in any given year. Even Sony doesn’t have a breach every year, so a probability adjustment cuts the value of avoiding liability to something between a half and a tenth. At those prices, I wouldn’t expect much change in corporate cybersecurity budgets.

(I know that these charts don’t account for the biggest claims in cases like Target and Home Depot — banks suing for the cost of reissuing credit cards. That’s a very different theory of liability mainly applicable to a limited number of big retailers. In the end I doubt that liabilities to issuing banks will drive much cybersecurity either, not because the claims are low — they’re more likely to be in the $50 per card range — but because establishing liability will not be all that easy and because things like tokenization will likely prove much cheaper than improving security.)

Steptoe Cyberlaw Podcast – Interview with Jim Lewis

Posted in China, Cybersecurity and Cyberwar, Data Breach, International, Security Programs & Policies

Our guest for the first podcast of 2015 is Jim Lewis, a senior fellow and director of the Strategic Technologies Program at CSIS, where he writes on technology, security, and the international economy.

We try a new, slightly shorter format for 2015, with quick takes on a batch of headlines:

We dig a little deeper into other stories.

  • FBI investigates banks for revenge hacking of Iran:  Stewart, Jason, and Jim Lewis debate the wisdom of taking down DDOS command and control servers without waiting for the government.  And Israel’s role as a haven for private hacking back.
  • And, of course, all things Sony:  We discuss the weird “grassy knoll” determination to blame someone other than North Korea.  Turns out many of those challenging the FBI’s attribution have questionable credentials or are outspoken Snowden supporters, calling into question their judgment.  We deprecate US financial sanctions on North Korea as a deterrent and the South Korean who is taking seriously Stewart’s suggestion that The Interview be dropped on the North from balloons. 
  • Finally, Jim Lewis offers his insider’s view of China’s approach to cyber conflict – the norms that apply in cyberwar, where cyberweapons fit into China’s warfighting doctrine, and a possible split between China’s leadership and its PLA on when and whether to carry out cyberespionage for Chinese companies.  

Later this year we will be joined by Becky Richards of the NSA Privacy office.

We remind everyone that the Podcast welcomes feedback, either by email (CyberlawPodcast@steptoe.com) or voicemail (+1 202 862 5785).

Download the forty-eighth episode (mp3).


Steptoe Cyberlaw Podcast – Interview with Joanne McNabb

Posted in Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Our guest this week is Joanne McNabb, Director of Privacy Education and Policy for the California Attorney General’s Office.  Joanne discusses the findings and recommendations in the recently released 2014 California Data Breach Report.  She also offers insight into some of the key factors the Attorney General’s Office considers in deciding whether or not to investigate a breach.  Finally, she discusses changes in California privacy law that will go into effect on January 1 – including SB568, the so-called “online eraser” for minors seeking to delete unwanted posts, and AB1710, which extends data security requirements to companies that “maintain” personal information, not just those that own or license it.  Finally, she settles a dispute only privacy lawyers could find interesting regarding the scope of AB1710’s provision requiring identity theft prevention/mitigation services.

We almost got through the week without any NSA news, but the FISA court made the news for doing exactly what you’d expect – renewing the section 215 orders for metadata.  More interesting was the news from Turkey, which effectively rewrites the history of cyberwar, which no longer begins with Stuxnet.  It looks as though Russia launched a distinctly kinetic and sophisticated cyberattack in 2008 on the Turkish-Azeri pipeline that threatened to break its chokehold on Caspian oil.  Michael Vatis takes the day off to file an amicus brief in support of Microsoft in the fight over overseas warrants.

The Sony breach fallout continues to be severe.  Things are bad enough that the Hollywood Reporter is asking me to write op-eds.  We question whether Sony is really resorting to “active measures” to block distribution of the stolen files.  And Aaron Sorkin calls the media “dishonorable” for publishing all these leaked documents.  Funny, but I don’t remember him saying the same thing when it was Manning and Snowden putting stolen docs on the front page.

Chris Conte explains the SEC’s new cybersecurity rules for exchanges and other trading platforms.

And the lame duck allows cybersecurity legislation to pass in a convoy:  Five cybersecurity bills, all modest in impact, were adopted by Congress in the last few days:

  • S. 1691 – allowing pay flexibility to attract cybersecurity professionals;
  • H.R. 2952 – requiring DHS to adopt a workforce strategy and assessment plan;
  • S. 2519 – authorizing DHS to run an integration center providing threat information to civilian agencies and modifying federal government data breach rules;
  • S. 1353 – a very NIST-centered set of authorizations for cybersecurity awareness, research and workforce measures that may or may not be funded;
  • S. 2521 – confirming DHS’s role in providing FISMA oversight under OMB guidance.

And Sony has company.  It turns out that an Iranian hack on the Sands Las Vegas may be the first cyberattack on US soil.  Both Sony and Sands join the DDOS attacks on our banks as cyberattacks on the US that have gone unanswered.  Instead of a digital Pearl Harbor, it looks as though we’re getting a lot of digital Sudetenlands.

We remind everyone that the Podcast welcomes feedback, either by email (CyberlawPodcast@steptoe.com) or voicemail (+1 202 862 5785).

Download the forty-seventh episode (mp3).


Steptoe Cyberlaw Podcast – Interview with Shane Harris

Posted in China, Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Our interview focuses on Shane Harris and his new book, @War:  The Rise of the Military-Internet Complex.   It’s a good read and a good book, marred by the occasional deployment of easy lefty tropes – government contractors are mercenaries, the military sees war as an opportunity to expand turf, cybersecurity is a threat to privacy, anonymity is all about rights, etc.  But Harris is first and foremost a storyteller, and his zeal for the story is far more important to him than ideology.  When he tells the story of the guys who used cybertactics to break al Qaeda in Iraq during the surge, or of the banks’ cyberbattle with Iran, he lets the reader decide who to root for.

We talk about some of the more surprising stories that Harris tells, including:

  • The (contested) claim that Chinese hackers caused a large Florida blackout by mistake
  • The mismatch between an estimated 300-1000 US government hackers and China’s estimated 20 thousand  (A land war in Asia could be coming to a network near you)
  • Harris’s controversial suggestion that the banks may be assembling their own zero-day exploits in preparation for a hackback campaign against Iran
  • The possibility that foreign governments systematically compromised the networks of American natural gas pipeline companies in preparation for an attack – and whether we’d even know when cyberweapons had been used

In our news roundup, we start with This Week in NSA, but the latest Intercept story on NSA and cell phone interception is so boring and opaque it’s practically encrypted.  So we switch to This Week in GCHQ.  At the suggestion of a listener, we mine the UK parliamentary report on the killing of a soldier on the streets of London for lessons about the need for MLAT reform in the United States.

Verizon escapes an FTC investigation without an eternal oversight regime.  Why?  Because of its aggressive effort to cure a security flaw or because the FTC realized it had overreached?  You be the judge.

We unpack the judicial decision refusing to dismiss bank claims against Target for its credit card breach and raise questions about a Boston hospital’s surprisingly cheap settlement of a privacy case arising from a stolen laptop.  And then we dive into the biggest breach case of the year, maybe the decade:  Sony.  We think North Korea did the hack, and the lack of a US response could have bad consequences for the country.  Among other things, the only bad guys we’ll ever see in future movies are Serbs.  And US government officials, of course.

We remind everyone that the Podcast welcomes feedback, either by email (CyberlawPodcast@steptoe.com) or voicemail (+1 202 862 5785).

Download the forty-sixth episode (mp3).


A Week of Bad News and Good News in Cybersecurity – Here’s What You Need to Know

Posted in Cybersecurity and Cyberwar, Data Breach, Security Programs & Policies

It was a busy week for companies and government agencies struggling to combat the growing threat of cyber-attacks, with some bad news and some good news.  Here’s what you need to know, and how we can help.

What you need to know

First, the bad news:

  • Lawsuits against Target move forward and lawsuits against Home Depot pile up:  Target faces over 90 lawsuits arising from its data breach last holiday season, including suits filed by consumers, banks, credit card companies, and shareholders.  Last week a federal judge in Minnesota rejected Target’s efforts to dismiss the lawsuits by the banks, clearing the way for banks to go after merchants for alleged negligence in cybersecurity.  Meanwhile, Home Depot revealed in its most recent quarterly SEC filing that it already faces at least 44 lawsuits, as well as investigations by multiple state and federal regulators, arising from the breach it announced just three months ago.  The price tag from the breach so far is reportedly $28 million, but that number will likely grow exponentially in the months ahead.  It has also been reported that Home Depot, like Target, suffered the breach in part because hackers were able to get into its system through a third-party vendor.
  • Destructive malware used in Sony Pictures attack and Iran-based hacking group attacks targets worldwide:  Sony Pictures has been victimized by an attack that resulted in the leak of several completed films as well as information about executive compensation and other personal information about employees.  The malware used in the attack reportedly wipes data from computers in a way that makes it nearly impossible, if not impossible, to recover it.  The FBI is warning other US businesses that they face a similar threat.  Meanwhile, the FBI also released an alert to US businesses in multiple sectors about coordinated cyber-attacks originating from Iran.  A private security firm released a report about the same hacking group, indicating that victims included a defense contractor as well as companies in the energy, transportation, automotive, and medical services sectors.

Now, the good – or at least encouraging – news:

  • FTC declines to pursue case against Verizon:  The FTC recently ended an investigation into allegations regarding Verizon’s security practices for customer routers.  But unlike FTC investigations into more than 50 other companies, this inquiry ended without a consent decree requiring fines or burdensome compliance audits.  On the contrary, the FTC closed its inquiry without taking any action based on Verizon’s strong, proactive remedial measures and the quality of its overall data security practices relating to routers.
  • DOJ Criminal Division announces new Cybersecurity Unit:  Leslie Caldwell, the Assistant Attorney General for DOJ’s Criminal Division, announced the formation of a new Cybersecurity Unit within the Criminal Division’s Computer Crime and Intellectual Property Section.  The new unit will act as a central hub to provide legal guidance and expertise for US and foreign law enforcement agencies and to support cybersecurity activities by public and private sector partners.  Those functions are not new – indeed, CCIPS does all of them right now.  But CCIPS has historically lacked the resources to tackle the increasingly global cybercrime problem on the scale it requires, so if the creation of the new Unit means more high-level attention and resources to the effort, then it’s a great step.  But the critical test will be whether new resources are devoted to the section to support the new Unit, so it is more than just a new line on an organizational chart.

What you need to do now

The key takeaways from these developments are:

  • Test your privacy and security program:   If you get breached, you will be sued and investigated.  Just ask Target and Home Depot.  That means it’s important to have a vetted cybersecurity program in place before a breach occurs, and to test and adapt that program as risks and threats evolve.  The best way to defend yourself later when courts and regulators are looking at your conduct is to take proactive measures now, before an incident occurs.  Steptoe can help you review and revise your security program, under the protection of the attorney-client privilege, to mitigate your risk of an incident now and to reduce your litigation exposure later.  We’ve released a free data breach toolkit to help companies better understand how to address these risks.
  • Test your incident response plan and team:  Poor breach response can make a bad situation much, much worse.  A breach is a crisis, and Steptoe can help you test your company’s ability to respond to all aspects of the crisis – including technical, legal, and public relations — through a breach simulation.  That way you can be confident that when the real thing occurs, your people will be able to handle it effectively.
  • Your vendors’ cybersecurity practices could pose a risk to your network:  Target and Home Depot both demonstrate that a hacker can get into your system through one of your vendors or suppliers.  How much do you know about your vendors’ cybersecurity practices?  Do you have contracts with your vendors that obligate them to maintain certain levels of security, and to indemnify you for a breach on your system?  Steptoe can review your vendor management program to help protect you from this third-party risk.
  • Law enforcement engagement and information-sharing are critical:  Sharing of cyber-threat information between the government and private sector has never been more important.  And one of the most challenging parts of breach response is the question of whether and how to engage with law enforcement.  Steptoe has unparalleled government cyber experience and relationships, including former DOJ, FBI, DOD, and DHS officials with responsibility for cybercrime and cybersecurity.

If you have questions about these recent developments or would like to discuss steps to address your cybersecurity and litigation risks, please contact our cybersecurity team: Stewart Baker at 202.429.6402; Michael Vatis at 212.506.3927; or Jason Weinstein at 202.429.8061.

Steptoe Cyberlaw Podcast – Interview with Troels Oerting

Posted in Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Our guest for the week is Troels Oerting, the head of EC3, Europe’s new cybercrime coordination center.  He talks about EC3’s role in the recent take down of over 400 darknet sites, arrests of travelers using fake credit cards and of users of the Blackshades Remote Access Tool.  He repeats his view that there are probably only a hundred talented criminal writers of malware, whose work is then used by a host of dimmer bulbs.  So striking at the hundred could make a big difference.  Troels Oerting thinks we’re in a position to hurt a number of them.

The interview compares US and European willingness to name and shame Chinese PLA hackers.  I ask Troels if he’d order the arrest of any of the five indicted PLA hackers if they vacationed in Europe.  And we compare US and EU legal constraints on private sector “direct action” against hackers.

This week in the NSA:  NSA’s privacy officer speaks; and she has a sense of humor.  Regin schools hackers around the world, and German hypocrisy about NSA spying is on full display.  It turns out that Angela Merkel’s phone was being tapped by the Brits, the Chinese, the Russians and even the North Koreans.  But Merkel has yet to say that Russian, Chinese, or North Korean spying reminds her of the Stasi; only NSA seems to remind her of Communist espionage.  Meanwhile, the BND reveals that it too spies on everyone but Germans, and that it has a remarkably narrow definition of who qualifies as “German.”

Michael Vatis previews a Supreme Court argument about when online abuse passes from colorful imitations of rap lyrics to prosecutable threats.  Jason Weinstein counts the growing library of lawsuits against Home Depot and evaluates the risk.

Doug Kantor, a Steptoe government affairs partner specializing in cybersecurity issues, gives a rundown on the new, Republican-dominated Congress, including the many chair changes in both House and Senate.  Firedoglake makes an appearance.

Meanwhile, US tech companies have become all-purpose European whipping boys.  They don’t volunteer enough information about terrorists to satisfy the Brits.  They don’t hide enough “right to be forgotten” information to satisfy the European privacy regulators.  And they make too much money for the European Parliament, which wants to break up Google.

The Justice Department has claimed a scalp in its campaign against spyware.  Jason has the back story.  And it’s a good thing the All Writs Act didn’t come with a sunset clause, or it too would be attracting the wrath of EFF and Silicon Valley.  Michael explains why the act is now part of Apple’s future, and Google’s too.

The Cyberlaw Podcast is now open to feedback.  Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Download the forty-fifth episode (mp3).


Steptoe Cyberlaw Podcast – Interview with Sal Stolfo

Posted in China, Cybersecurity and Cyberwar, Data Breach, International, Privacy Regulation, Security Programs & Policies

Our guest for episode 44 of the Steptoe Cyberlaw Podcast is Sal Stolfo, Professor at Columbia University’s Computer Science Department and CEO of Allure Software.  Stolfo brings an attacker’s sensibility to network security approaches usually dominated by defensive thinking.  His approach to computer security includes flooding the network with plausible fake documents wired to alarm when touched by a user.  The alarm, in turn, shuts down a user’s access and prompts for a second form of authentication.  Documents that are successfully exfiltrated persistently attempt to beacon back to the home network, betraying the attacker and his customers long after the hack.  He’s already deploying some of these concepts commercially.  It’s the kind of active defense even the Justice Department should love.

In our news roundup, This Week in NSA is dominated by speculation that the 215 program will never die.  Conventional wisdom says that the metadata program will ride into the sunset on June 1, 2015.  But a “transition” note could allow the program to last for years.   Meanwhile, the NSA director, Admiral Mike Rogers, is warning that China and one or two other countries have the ability to bring down the electric grid in the United States.

The FTC has gone to mediation with Wyndham, but no one is betting that the mediation will succeed.  And the FTC’s settlement with TRUSTe puts the privacy certification company under the FTC’s thumb for years.

Telephone companies have long been the most government-friendly of technology firms, but that may be changing.  Now even the heir of Ma Bell’s name, AT&T, has filed an amicus brief demanding clearer standards before the government could get access to location information.

One solution is for the government to cut out the middleman and get the location information directly from the consumer – by offering fake cell towers to connect to.  But that tactic, and the secrecy surrounding “stingray” collection, has its costs.  Baltimore has abandoned a criminal case to keep from describing the technology and how it’s used.  And a North Carolina judge has unsealed hundreds of stingray orders.

In the words of the old country song, how can I forget you if you won’t go away?  Much as we wish the right to be forgotten would go away, that’s looking less and less likely. Google’s Global Privacy Counsel, Peter Fleischer, has disclosed new details about how the search giant administers the right.  And Norway has (unsurprisingly) followed the rest of Europe in adopting the doctrine.  But most troubling is the news from France, where Google is facing fines of €1000 a day for refusing to apply a French defamation takedown order to its Google.com domain – or, more accurately, for not letting a French judge censor what Americans can read.

Finally, in our first item derived from a listener request (h/t Lee Baumgardner), we look at the regulatorily challenged transport company, Uber, and its potential liability for a steady stream of privacy flaps, including its unwisely but appropriately named “God Mode.”

Tune in next week when our guest will be Troels Oerting, the Assistant Director, Head of European Cybercrime Centre (EC3).

The Cyberlaw Podcast is now open to feedback.  Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com.  If you’d like to leave a message by phone, contact us at +1 202 862 5785.

Download the forty-fourth episode (mp3).
