Header graphic for print

Steptoe Cyberblog

More States Move to Restrict Companies’ Use or Sale of Personal Information

Posted in Privacy Regulation

In the aftermath of the passage of the California Consumer Privacy Act (CCPA) in 2018, numerous other states have begun to consider similar legislation. While most of those states are in the early stages of the legislative process, Nevada and Maine recently enacted laws strictly regulating what online companies can do with their customers’ personal information.

The Nevada legislation applies broadly to commercial online services that operate in the state, but its restrictions affect only the sale of customer information; it was signed into law on May 29, and will go into effect on October 1, 2019. The Maine legislation is more narrowly targeted at broadband Internet access providers, but its restrictions apply not just to the sale of customer information but also its use or access; it was signed into law on June 6 and will go into effect on July 1, 2020. The Nevada legislation will more directly affect retailers that operate in Maine and have websites or provide other online services. The Maine law may not affect most retailers directly, since it’s limited to broadband Internet access service providers.

Click here to read more.

Episode 267: “Call me a fascist again and I’ll get the government to shut you up. Worldwide.”

Posted in Data Breach, European Union, International, Russia

 

We kick off Episode 267 with Gus Hurwitz reading the runes to see whether a 50-year Chicago winter for antitrust plaintiffs is finally thawing in Silicon Valley. Gus thinks the predictions of global antitrust warming are overhyped. But he recognizes we’re seeing an awful lot of robins on the lawn: The rise of Margrethe Vestager in the EU, the enthusiasm of state AGs for suing Big Tech, and the piling on of Dem presidential candidates and the House of Representatives. Judge Koh’s Qualcomm decision is another straw in the wind, triggering criticism from Gus (“an undue extension of Aspen Skiing”) and me (“the FTC needs a national security minder in privacy and competition law”). Matthew Heiman tells me I’m on the wrong page in suggesting that Silicon Valley’s suppression of conservative speech is a detriment to consumer welfare that the antitrust laws should take into account, even in a Borkian world.

Continue Reading

Episode 266: Will an end to social media trust mean an end to end-to-end encryption?

Posted in International

 

If you’ve lost the Germans on privacy, you’ve lost Europe, and maybe the world. That’s the lesson that emerges from my conversation with David Kris and Paul Rosenzweig about the latest declaration that the German interior minister wants to force messaging apps to decrypt chats. This comes at the same time that industry and civil society groups are claiming that GCHQ’s “ghost proposal” for breaking end-to-end encryption should be rejected. The paper, signed by all the social media giants, says that GCHQ’s proposal will erode the trust that users place in Silicon Valley. I argue that that argument is well past its sell-by date. Continue Reading

Episode 265: Cheapfakes and the end of blackmail

Posted in China, Cybersecurity and Cyberwar, International

 

Paul Rosenzweig leads off with This Week in China Tech Fear – an enduring and fecund feature in Washington these days. We cover the Trump Administration’s plan to blacklist up to five Chinese surveillance companies, including Hikvision, for contributing to Uighur human rights violations in the West of China, DHS’s rather bland warning that commercial Chinese drones pose a data risk for US users, and the difficulty US chipmakers are facing in getting “deemed export” licenses for Chinese nationals.

We delve deeper into a remarkably shallow and agenda-driven New York Times article by Nicole Perlroth and Scott Shane blaming NSA for Baltimore’s ransomware problem without ever asking why the city failed for two years to patch its systems. David Kris uses the story to take us into the Vulnerabilities Equities Process – and its flaws.

There may be a lot – or nothing – to the Navy email “spyware” story, but David points out just how many of today’s cyber issues it touches. With the added fillip of a “Go Air Force, Beat Navy” theme not usually sounded in cybersecurity stories.

Paul expands on what I have called Cheapfakes (as opposed to Deep Fakes) – the Pelosi video manipulated to make her sound impaired. And he manages to find something approaching good news in the advance of faked video – it may mean the end of (video) blackmail.

But not the end of “revenge porn” and revenge porn laws. I ask Gus Hurwitz whether those laws are actually protected by the Constitution, and the answer turns out to be highly qualified. But, surprisingly, media lawyers aren’t objecting that revenge porn laws that criminalize the dissemination of true facts are on a slippery slope to criminalizing news media. That is the argument they’re making about the expanded charges of espionage against Wikileaks founder Julian Assange. David offers his view of the pros and cons of the indictment.

And Gus closes us out with some almost unalloyed good news. Despite my suspicion of any bipartisan bill in the current climate, he insists that the Senate-passed anti-robocalling bill is a straight victory for the Forces of Good. But, he warns, the House could still screw things up by adding a private right of action along the lines of the Telephone Consumer Protection Act, which has provided the plaintiffs bar with an endless supply of cases without actually benefiting consumers.


 

Download the 265th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Episode 264: Unpacking the Supreme Court’s decision in Pepper v. Apple

Posted in China, European Union, International, Security Programs & Policies

 

We begin this episode with a quick tour of the Apple antitrust decision that pitted two Trump appointees against each other in a 5-4 decision. Matthew Heiman and I consider the differences in judging styles that produced the split and the role that 25 years of “platform billionaires” may have played in the decision.

Continue Reading

Episode 263: Turning the tables on Baker

Posted in China, International, Privacy Regulation, Security Programs & Policies

 

With apologies for the late post, Episode 263 of The Cyberlaw Podcast tells the sad tale of another US government leaker who unwisely trusted The Intercept not to compromise its source. As Nick Weaver points out, The Intercept also took forever to actually report on some of the material it received.

In other news, Brian Egan and Nate Jones agree that Israel broke no new ground in bombing the headquarters of Hamas’s rudimentary hacking operation during active hostilities.

Nick and I dig into the significance of China’s use of intrusion tools pioneered by NSA. We also question the New York Times’s grasp of the issue.

The first overt cyberattack on the US electric grid was a bust, I note, but that’s not much comfort.

How many years of being told “I’m washing my hair that night” should tell you you’re not getting anywhere? The FCC probably thought China Mobile should have gotten the hint after eight years of no action on its application to provide US service, but just in case the message didn’t get through, it finally pulled the plug last week.

Delegating to Big Social the policing of terrorist content has a surprising downside, as Nate points out. Sometimes the government or civil society need that data to make a court case.

We touch briefly on Facebook’s FTC woes and whether Sen. Hawley (R-MO) should be using the privacy stick to beat a company he’s mad at for other reasons. I reprise my longstanding view that privacy law is almost entirely about beating companies that you’re mad at for other reasons.


 

Download the 263rd Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

The Fight Over CCPA Heats Up

Posted in Privacy Regulation

We recently published a client alert on the California Consumer Privacy Act. From the alert:

When California lawmakers hastily enacted the California Consumer Privacy Act (CCPA) in June 2018, few expected the law — voted on after only a few days’ deliberation — to remain unamended. And, indeed, the law was first amended just a few months later. But that was not the end of the story. In late April, California legislative committees voted on several amendments to CCPA, which takes effect January 1, 2020. Some of these amendments would make the CCPA a bit more business-friendly, while others would make it far more burdensome — and potentially costly — for companies.

This update summarizes these proposed amendments, which, if passed, will be further supplemented by the Attorney General Office’s promulgation of regulations, which are still expected to be issued for public comment by fall 2019. The Office of the Attorney General has been holding town hall meetings throughout California in order to gather input from companies and consumer advocates to help shape these regulations.

Read the full alert here.

You can listen to Meegan Brooks discuss the CCPA on Episode 262 of The Cyberlaw Podcast.

Episode 262: Udderly indefensible facial recognition scandal may drive new privacy mooovement

Posted in China, International, Privacy Regulation

 

Have the Chinese hired American lawyers to vet their cyberespionage tactics – or just someone who cares about opsec? Probably the latter, and if you’re wondering why China would suddenly care about opsec, look no further than Supermicro’s announcement that it will be leaving China after a Bloomberg story claiming that the company’s supply chain was compromised by Chinese actors. Nick Weaver, Joel Brenner, and I doubt the Bloomberg story, but it has cost Supermicro a lot of sales – and even if it isn’t true this time, the scale and insouciance of past Chinese cyberespionage make it inherently believable. Hence the company’s shift to other sources (and, maybe, a new caution on the part of Chinese government hackers).

GDPR and the California Consumer Privacy Act (CCPA) may be the Dumb and Dumber of privacy law, but neither is going away. And for the next six months, California’s legislature will be struggling against a deadline to make sense of the CCPA. Meegan Brooks gives us an overview.

But we in Washington can’t get too smug about California’s deadline-driven dysfunction. Congress also faces a year-end deadline to renew the Section 215 program, and even the executive branch hasn’t decided what it wants. Joel takes us through the program’s history, its snake-bitten implementation, and the possible outcomes in Congress.

This week in Silicon Valley content control: Facebook dropped the link-ban hammer on Louis Farrakhan, Alex Jones, and Milo Yiannopoulos for being “dangerous.” But did it really? Once again, I volunteer to put my Facebook access at risk by testing Facebook’s censorship engine – posting a different Infowars story there every day. Not because I love the conspiracy-mongering Alex Jones but because banning links is a bad idea. (Among other things, you can’t really pile links up and burn them in cinematic pyres at rallies.) But both Facebook and Jones may have a codependent interest in overstating the ban, because as of Day 4 of my experiment, my Facebook account is still alive and well, as are the Infowars links.

The FBI has accused US scientists of sending intellectual property to China, running shadow labs, and (this part really appalls Nick) corrupting the peer review process at NIH. Sadly, Science magazine buys into easy claims that the flap is born of racial bias.

We close the episode with the latest and most shocking facial recognition scandal. It turns out face recognition researchers are chasing down unwilling subjects and restraining them to get the subjects’ pictures – all in service to untried and udderly unreliable technology. All we need to turn this into a major scandal is a public policy entrepreneur willing to work the intersection between the EFF and PETA.


 

Download the 262nd Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Episode 261: Blockchain Takes Over the Podcast

Posted in Blockchain

 

On Episode 261, blockchain takes over the podcast again. We dive right into the recent activity from the SEC, namely, the Framework for “Investment Contract” Analysis of Digital Assets and the No-Action Letter issued to TurnKey Jet, Inc. (TurnKey) for a digital token. Gary Goldsholle noted this guidance has been eagerly anticipated since July 2017 when the SEC first applied the Howey Test to a digital token with the DAO report. The current framework focuses primarily on the reasonable expectation of profits and efforts of others prongs of the Howey Test. While the framework lays out a number of factors to consider when determining whether a token is a security, the practicality of those factors is still up for debate.

Will Turner explained that the TurnKey No-Action Letter was most useful for parties interested in structuring a private, permissioned, centralized blockchain, but believes the guidance in the Framework would allow for alternative structures. The key from the SEC’s perspective is that there is no expectation of profits for token holders, since the token is a stablecoin pegged to the value of USD and there is no use of the token outside of TurnKey’s network. Jeff Bandman noted the irony that the first No-Action Letter related to blockchain and cryptocurrency involves private jets, particularly since “Mr. and Ms. 401(k)”—the retail investors SEC Chairman Jay Clayton is focused on protecting—are not likely to become private jet users anytime soon.

Jeff emphasized the importance of network functionality and observed that the network for private jet use was already established. Alan Cohn highlighted this tension between the need for centralization to achieve functionality, and need for decentralization as a means to avoid meeting the “derived from the efforts of others” prong of the Howey Test.

Gary then turned to Blockstack’s Regulation A filing, the most comprehensive effort to register a token under Reg. A that we have seen to date. Blockstack is seeking to be a Tier 2 issuer, meaning they can raise up to $50 million in 12 months, which comes with heightened disclosure obligations and requires audited financials. While they seek to raise capital as a security today, their ultimate goal – and a central risk factor in their offering circular – is to achieve the requisite level of decentralization such that they no longer would meet the definition of a security.

Meanwhile, in Congress, the recently reintroduced Token Taxonomy Act of 2019 would exempt a newly defined category of digital tokens from the definition of a security, as well as provide some clarity on tax issues for cryptocurrency users and exchanges. Jeff observed that these amendments might contribute further to a gap in federal regulation over spot trading markets. While the CFTC has enforcement authority, they do not have the authority to directly supervise the bitcoin trading market.

Turning to the interview, Jeff describes how he co-founded Global Digital Finance (GDF), along with other co-founders in Europe, Asia, and the United States, in order to address the lack of international standards surrounding the blockchain industry – or even a general consensus of terminology. Jeff describes how GDF has a number of working groups focused on developing high-level principles and standards on a range of topics, including stablecoins, custody, tax, and security tokens. GDF is trying to fill in some of the gaps that appear when jurisdictions regulate cryptocurrencies and crypto-assets differently.  As an example of its work, GDF’s KYC/AML/CTF group recently commented on FATF’s standards, issuing two comments in October 2018 and April 2019.

Jeff is also in the process of launching a new transfer agent service, Block Agent, focused on enabling and supporting SEC-regulated issuances. As markets mature, it is increasingly important to have the necessary post-trade infrastructure, and he is committed to offering services that recognize the novel features and efficiencies around these new technologies.


For our listeners in the DC area, Steptoe is hosting a half-day complimentary regulatory symposium this Thursday, May 2, in our DC office. Our plenary speakers include current and former commissioners and high-level officials with agencies such as the Federal Energy Regulatory Commission, the Surface Transportation Board, and the Environmental Protection Agency. We will also have breakout panels focused on four separate topics: Deference, Globalization, Regulatory/Legislative Approach, and Preemption. To register, click here.


 

Download the 261st Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Coming Up: Blockchain Takes Over the Podcast

Posted in Blockchain

Next week, blockchain is taking over The Cyberlaw Podcast once again. On April 29, Steptoe partners Alan Cohn, Gary Goldsholle, and Will Turner will reconvene to discuss the latest in blockchain and cryptocurrency regulation. At the top of the list is the suite of updates coming out of the U.S. Securities and Exchange Commission, including the Framework for “Investment Contract” Analysis of Digital Assets and a No-Action Letter regarding TurnKey Jet, Inc. We’ll consider what this means for companies trying to issue tokens and lay out potential permissible token launch models. We’ll also examine two recent filings: (1) Blockstack’s filing for a $50M regulated token offering; and (2) Acra’s filing to issue its shares as digitized securities, Acra UST Coins.

Our guest speaker, Jeff Bandman, Co-Founder and Board Member of Global Digital Finance, will add an industry perspective on key regulatory issues such as their recent response to the Financial Action Task Force’s interpretative note on mitigation risks from virtual assets.