John Yoo, Mark MacCarthy, and I kick off episode 329 of the Cyberlaw Podcast diving deep into what I call the cyberspace equivalent of a dumpster fire. There is probably a pretty good national security case for banning TikTok. In fact, China did a lot better than the Trump administration when it declared, “You know that algorithm that tells all your kids what to watch all day? That’s actually a secret national security asset of the People’s Republic.” But the administration’s process for addressing the national security issue was unable to keep up with President Trump’s eagerness to announce some kind of deal. The haphazard and easily stereotyped process probably also contributed to the casual decision of a magistrate in San Francisco to brush aside US national security interests in the WeChat case, postponing the order on dubious first amendment grounds that John Yoo rightly takes to task.

Megan Stifel tells us that the bill for decoupling from China is going to be high – up to $50 billion if you listen to the Semiconductor Industry Association.

Speaking of big industry embracing big government, Pete Jeydel explains IBM’s slightly jarring suggestion that the government should slap export controls on a kind of face recognition technology that Big Blue doesn’t sell any more. Actually, when you put it like that, it kind of explains itself.

Megan tells us that the House has passed a bill on the security of IOT devices. The bill, which has also moved pretty far in the Senate, is pretty modest, setting only standards for what the federal government will buy, but Megan has hopes that it will prove to be the start of a broader movement to address IOT security.

I reprise three of the latest demonstrations of just how much Silicon Valley hates conservatives and how far it will go to suppress their speech.  My favorite is Facebook deciding that a political ad that criticizes transwomen competing in women’s sports must be taken down because it lacks context. Unlike every other political ad since the beginning of time. Although Twitter’s double standard for a “manipulated media” label is pretty rich too: Turns out that splicing Trump’s remarks to make him say what the Biden camp is sure he meant is fair comment, but splicing a Biden interview so he says what the Trump camp is sure he meant is Evil Incarnate.

Finally, Megan rounds out the week with a host of hacker news. The North Koreans are in bed with Russian cybercrime gangs.  (I can’t help wondering who wakes up with fleas.) The Iranians are stealing 2FA codes and some of them were indicted, though not apparently for the 2FA exploit.  And a long-running Chinese cybergang is indicted too.  Not that that will actually stop them, but it could be hard on their Malaysian accomplices, who are in jail, contemplating the value of government top cover.

Our interview this week is with Michael Brown, a remarkably influential defense technologist. He’s been CEO of Symantec, co-wrote the report that led to passage of FIRRMA and the transformation of CFIUS, and now runs the Defense Innovation Unit in Silicon Valley. He explains what DIU does and some of the technological successes it has already made possible.

And more!

Oh, and we have new theme music, courtesy of Ken Weissman of Weissman Sound Design.  Hope you like it!

                                                                                                                                 

Download the 329th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

In our 328th episode of the Cyberlaw Podcast, Stewart is joined by Bruce Schneier (@schneierblog), Sultan Meghji @sultanmeghji), and Nate Jones (@n8jones81). The Belfer Center has produced a distinctly idiosyncratic report ranking the world’s cyber powers – a kind of Jane’s Fighting Nerds report. Bruce Schneier and I puzzle over its oddities, but at least the authors provided the underlying assessments to led them to rank the Netherlands No. 5, and Israel nowhere in the top ten. The US is number one, but that’s partly due to the Center’s insistence that we’re a norms superpower. In my book, that would require a 20% discount off our offensive capabilities ranking.  Don’t agree? Download the report and pick your own fight!

Our interview today is with Cory Doctorow, diving deep on his pamphlet/book, “How to Destroy Surveillance Capitalism.” It’s a robust and entertaining three-cornered fight – me, Cory, and the absent Shoshana Zuboff, whose 700-page tome launched the surveillance capitalism meme. You’ll enjoy hearing me explain to Cory, a Red Diaper Baby born to Trotskyists, that his solution to tech’s overreach is surprisingly similar to Attorney General Bill Barr’s.

Elsewhere in the news roundup, Nate Jones and I unpack the Pandora’s Box of pain unleashed by the European Court of Justice in Schrems II.

Facebook is fighting a multilevel rearguard action – in the courts, in two capitals, and in its terms of service — to try to salvage its current business model.

I cover the latest Tok in the TikTok saga.  Oracle has won … something or other. Sultan Meghji and I puzzle over how the TikTok algorithm can stay in China while the dataset it’s training on remains in the United States.

The Justice Department’s antitrust lawsuit against Google is getting nearer and nearer, judging from the thrashing in the underbrush. But we still don’t have a good idea what part of Google’s business will be targeted. Sultan explains the state of play.

In a news flash that I liken in shock value to the report that the weather in San Diego will be sunny and fair, Microsoft has confirmed that the Chinese, Iranians, and Russians have launched cyber-attacks on Biden and Trump campaigns. For reasons unknown, the press can’t get enough of this thin gruel.

Bruce and Sultan chart the reasons and tactics behind the rise of ransomware and the importance of being a reliable criminal if you want to make money in extortion.

Nate unpacks China’s global data security initiative so you don’t have to waste your time. The tl;dr is that other countries shouldn’t do any of the things China is doing or aspiring to do.

Speaking of things you don’t have to read because we took the hit, Bruce tells us what’s in the new White House cyber-security policy for space systems. Really, it’s all “shoulds” and puts nobody in charge of enforcement. It would be kind to call it the beta version of a space cybersecurity policy.

Sultan argues that there may after all be a limit to the EU’s ability to get every company on the internet to enforce its speech codes, and the domain name registries hope they’re on the other side of that line.

You probably saw the “op-ed” that AI “wrote,” explaining why humans need not fear it. Bruce, Sultan, and I have plenty of fun mocking Open AI’s penchant for Open Hype.  But Bruce reminds us that sooner or later the hype will be real, and more than half of Twitter will be machines talking to other machines.  Judging from my Twitter feed, that will be an improvement.

Finally,  This Week in Sore Losing: In honor of Jeff Bezos’s AWS and its brief complaining that it should have beat Microsoft to the lucrative JEDI contract, I update an old lawyer’s motto: If you’ve got the law on your side, pound the law. If you’ve got the facts, pound the facts. And if you’ve got neither, pound the Orange Man.

And more!

                                                                                                                                   

Download the 328th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

In our 327th episode of the Cyberlaw Podcast, Stewart is joined by Nick Weaver (@ncweaver), David Kris (@DavidKris), and Dave Aitel (@daveaitel). We are back from hiatus, with a one-hour news roundup to cover the big stories of the last month.  Pride of place goes to the WeChat/Tiktok mess, which just gets messier as the deadline for action draws near. TikTok is getting all the attention but WeChat is by far the thorniest policy and technical problem. I predict delays as Commerce wrestles with them. Nick Weaver predicts that TikTok’s lawsuit will push resolution of its situation into January.  I’ve got fifty bucks that says it won’t. Lawfare wins either way.

Dave Aitel digs into the attempted Tesla hack. Second best question in the segment: Who’s the insider that enabled an attack on his employer and is still working there three years later?  Best question: How many CSO’s can say with confidence that none of their employees would take $1 million to plug a USB stick into the company network?

This Month in Overhyped Judicial Decisions about FISA: David Kris lays out the seven-years-late Ninth Circuit decision that has been billed as striking at the FISA warrantless surveillance law. Talk about overtaken by events. The opinion grumbles about the fourth amendment but doesn’t actually rule (and its analysis is so partial that it isn’t even persuasive dicta). It boldly finds that the collection violated a statute that has been repealed anyway. And then it says that doesn’t matter because suppression of the evidence isn’t a remedy and the violation didn’t taint the trial.  The only really good news for the libertarian left is that Justice can’t appeal to the Supreme Court because, well, it won.

David also takes on the other overhyped FISA decision, a lengthy FISA court review of agencies’ minimization practices with respect to Americans’ data collected under section 702. The court approved practically everything but was predictably and not improperly upset at the FBI’s inability to design social and IT systems that prevent dumb violations of the rules.

Speaking of FISA, important national security provisions remain unsettled, in large part because of Trump’s misguided opposition. Who, David asks, could possibly persuade GOP members that there’s a FISA reform that responds to their sense of grievance over the Russian collusion investigation?  I volunteer, with lengthy testimony to the PCLOB and a shorter piece in Lawfare.

Dave Aitel asks why we’re surprised that Iranian hackers are monetizing access to networks that don’t offer national security value to their government. Or that hackers are following their targets into specialized software markets. If you know your target is a law firm, he suggests, you’d be better off looking for flaws in Relativity than in Windows…. Excuse me, I just felt someone walk over my grave.

Nick and Dave are both critical of the Justice Department’s indictment of Joe Sullivan for obstruction of justice and misprision of felony. That is beginning to look like a case Sullivan can win, and he just might take it to trial.

Nick thinks the Justice Department is playing a long game in pretending it can seize 280 cryptocurrency accounts used by hackers. It can’t get the funds, but it sure can make it hard for the hackers to get them.

U.S. Agencies Must Adopt Vulnerability-Disclosure Policies by March 2021.

And more!

                                                                                                                                   

Download the 327th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

On Friday, August 14, 2020, California Attorney General Xavier Becerra announced that the regulations implementing the California Consumer Privacy Act (CCPA) have been approved by the California Office of Administrative Law (OAL) and are effective immediately. The attorney general had already begun enforcing the CCPA itself on July 1. But now that the regulations have taken effect, the attorney general can begin enforcing their requirements, too, which in some cases go beyond what the statute expressly requires. And the attorney general has signaled that non-compliance can lead to heavy penalties.

The attorney general first released draft regulations in October 2019 and made subsequent modifications in February and March 2020 before submitting the draft “final” regulations to OAL for its review and approval in June 2020. The final regulations that took effect on August 14 are largely the same as the June draft, with mostly technical and grammatical edits having been made. But there are a few material changes in the final version.

For more information, click here to read the full Client Alert.

In our 326th episode of the Cyberlaw Podcast, Stewart Baker interviews Lauren Willard, who serves as Counselor to the Attorney General. Stewart is also joined Nick Weaver (@ncweaver), David Kris (@DavidKris), and Paul Rosenzweig (@RosenzweigP).

Our interview this week focuses on section 230 of the Communications Decency Act and features Lauren Willard, Counselor to the Attorney General and a moving force behind the well-received Justice Department report on section 230 reform. Among the surprises: Just how strong the case is for FCC rule-making jurisdiction over section 230.

In the news, David Kris and Paul Rosenzweig talk through the fallout from Schrems II, the Court of Justice decision that may yet cut off all data flows across the Atlantic.

Paul and I speculate on the new election interference threat being raised by House Democrats. We also pause to praise the Masterpiece Theatre of intelligence reports on Russian cyber-attacks.

Nick Weaver draws our attention to a remarkable lawsuit against Apple. Actually, it’s not the lawsuit, it’s the conduct by Apple that is remarkable, and not in a good way. Apple gift cards are being used to cash out scams that defraud consumers in the US, and Apple’s position is that, gee, it sucks to be a scam victim but that’s not Apple’s problem, even though Apple is in the position to stop these scams and actually keeps 30% of the proceeds. I point out the Western Union – on better facts than that – ended up paying hundreds of millions of dollars in an FTC enforcement action – – and still facing harsh criminal sanctions.

Paul and David talk us through the 2021 National Defense Authorization Act, which is shaping up to make a lot of cyber-security law, particularly law recommended by the Cyber Solarium Commission. On one of its recommendations – legislatively creating a White House cyber coordinator – we all end up lukewarm at best.

David analyzes the latest criminal indictment of Chinese hackers, and I try to popularize the concept of crony cyberespionage.

Paul does a post-mortem on the Twitter hack. And speaking only for myself, I can’t wait for Twitter to start charging for subscriptions to the service, for reasons you can probably guess.

David digs into the story that gives this episode its title – an academic study claiming that face recognition systems can be subverted by poisoning the training data with undetectable bits of cloaking data that wreck the AI model behind the system. How long, I wonder, before Facebook and Instagram start a “poisoned for your protection” service on their platforms?

In quick takes, I ask Nick to comment on the claim that US researchers will soon be building an “unhackable” quantum Internet. Remarkably his response is both pithy and printable.

And more!

                                                                                                                                 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Tomorrow (July 22), please join Steptoe’s Fred Geldon along with Katie Arrington, CISO for the DoD Acquisition Department and other key leaders at the Cybersecurity Maturity Model Certification (CMMC) Academy Virtual Summit. The summit will explore how prime contractors and subcontractors can get ready for CMMC assessment, as well as the international and legal aspects of the CMMC initiative.

Click here to read more and RSVP.

The big news of the week was the breathtakingly arrogant decision of the European Court of Justice, announcing that it would set the  rules for how governments could use personal data in fighting crime and terrorism.

Even more gobsmacking, the court decided to impose those rules on every government on the planet – except the members of the European Union, which are beyond its reach. Oh, and along the way the court blew up the Privacy Shield, exposing every transatlantic business to massive liability, and put the EU on a collision course with China over China’s most sensitive domestic security operations. This won’t end well.  It’s the CJEU’s version of our Court’s Dred Scott ruling. Paul Hughes helps me make sense of the decision.

In the interview, I talk to Darrell West, co-author of Turning Point—Policymaking in the Era of Artificial Intelligence. We mostly agree on where AI is already making a difference, where it’s still hype, and how it will transform war. Where we disagree is over the policy prescriptions for avoiding the worst outcomes. I disagree with the relentless focus of the book (and every other book in recent years) on the questionable claim of AI bias, and Darrell and I have a spirited disagreement over my claim that his prescription will hide numerical racial and gender quotas in every aspect of life that AI touches.

Iranian cyberspies make pretty good training videos, Sultan Meghji tells us, but they’re not taking any bows after leaving the videos exposed online.

If you thought Twitter’s content resembled middle school, wait until you see their security measures in action. Nate Jones has the details, but my takeaway is that middle school science projects are usually handled a lot more responsibly than Twitter’s “god mode” dashboard.

BIPA, the Illinois biometric privacy act, has inspired lawsuits against users of a database assembled to reduce AI bias. Mark MacCarthy explains that the law prohibits use of biometrics (like  pictures of your face) without consent. I observe that this makes BIPA the COVID-19 of privacy law.  Anyone who touches this database will be infected with liability, at least if the plaintiff’s surprisingly plausible theory holds up.

Sultan reminds us that the PRC has now been caught twice requiring companies in China to use tax software with built-in malware. You know what they say: “Once is happenstance. Twice is coincidence. Three times is enemy action.”  I don’t think we’ll need to wait long to see number three.

Nate gives us a former government lawyer’s take on the CIA’s new authority to conduct cyber covert action. (YahooLawfare) Ordinarily he’d be skeptical of keeping those decisions away from the White House, but in this case, he’ll make an exception. My take: If unshackling the CIA has produced the APT34 and FSB hacks and data dumps, what’s not to like?

In short hits, I mock the Justice Department spokesperson who claimed that Ghislaine Maxwell was engaged in “a misguided effort to evade detection” when she wrapped her cellphone in tin foil. And Mark and I cross swords over Reddit’s capture by the Intolerant Left. You make the call: When Reddit declares that exposing fake hate crimes as hoaxes is a form of hate speech, is that anecdotal evidence of left-wing bias or stone-cold proof of epistemic closure?


 

Download the 325th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunesGoogle PlaySpotifyPocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Our interview is with Bruce Schneier, who has coauthored a paper about how to push security back up the Internet-of-things supply chain: The reverse cascade: Enforcing security on the global IoT supply chain.  His solution is hard on IOT affordability and hard on big retailers and other middlemen, who will face new liabilities, but we conclude that it’s doable. In fact, the real question is who’ll get there first, a combination of DHS’s CISA and the FTC or the California Secretary of State.

In the News Roundup Megan Stifel (@MeganStifel), Nate Jones (@n8jones81), and David Kris (@DavidKris) and I discuss how it must feel to TikTok as though the shot clock is winding down.  Administration initiatives that could hurt or kill its US business are proliferating.  Nate Jones, Megan Stifel, and I explore the government’s options. The most surprising, and devastating, of them is a simple ban on TikTok as a threat to national security or the security of Americans. That’s the standard under Executive Order 13873, a brand-new (the regs aren’t yet final) implementation of the well-tested tools under IEEPA. A straightforward application of IEEPA remedies would cut TikTok off from the US market, I argue.

Meanwhile, another little-advertised but equally sweeping rule for government contractors is on its way to implementation. It will deny federal contracts, not just to certain Chinese products but to contractors who themselves use those products.

Not to be outdone by the contracting officers, the Federal Trade Commission and Justice Department are attacking TikTok from a different direction – investigating claims that the company failed to live up to last year’s consent decree on the privacy of children using the app.

And, on top of everything, private sector CISOs are drawing a bead on the app, as Wells Fargo and (briefly) Amazon tell their employees to take the app off their work phones.

It’s no surprise in the face of these developments that TikTok is working overtime to decouple itself in the public’s mind from China, including going so far as to join the rest of Silicon Valley in signaling discomfort with Hong Kong’s new security rules (and ruler). Megan and I question whether this strategy will succeed.

If Chief Justice Roberts were running for office, he couldn’t have produced a better result than the Court’s latest tech decision – upholding most of a law that makes  robocalls illegal while striking down the one part of the law that authorizes robocalls – for collection of government debt.  David Kris explains.

Nate unpacks a new Florida DBA privacy law prohibiting life, disability and long-term care insurance companies from using genetic tests for coverage purposes. I express skepticism.

Nate also explains the mysteriously quiet launch of the UK-US Bilateral Data Access Agreement. Four years in the making, and neither side wanted to announce that it was in effect – what’s with that, I wonder?

FBI Director Wray gives a compelling speech on the counterintelligence and economic espionage threat from China.

He says the bureau opens a new such case every ten hours.  And right on schedule come charges against a professor charged with taking $4M in US grant money to conduct research — for China.

David and I puzzle over the surprisingly lenient sentence handed to a former Yahoo engineer for hacking the personal accounts of more than 6,000 Yahoo Mail users to search to collect sexually explicit images and videos.

I out Reddit as a particularly fanatical convert to SJW orthodoxy in speech suppression, as the service apparently tells its moderators that it’s hate speech to post stories or video showing a person of color as the aggressor in a confrontation.

And Nate closes us out with a bottomless feature on all the problems faced by technological contact tracing.

                                                                                                                                  

Download the 324th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

In the News Roundup, Dave Aitel (@daveaitel), Mark MacCarthy (@Mark_MacCarthy), and Nick Weaver (@ncweaver) and I discuss how French and Dutch investigators pulled off the coup of the year this April, when they totally pwned a shady “secure phone” system used by massive numbers of European criminals. Nick Weaver explains that hacking the phones of Entrochat users gave them access to large troves of remarkably candid criminal text conversations. And, I argue, it shows the flaw in the argument of encryption defenders. They are right that restricting Silicon Valley encryption will send criminals to less savory companies, but those companies are inherently more prone to compromise, as happened here.

The EARN IT Act went from Washington-controversial to Washington consensus in the usual way.  It was amended into mush. Indeed, there’s an argument that, by guaranteeing nothing bad will happen to social platforms who adopt end-to-end encryption, the Leahy amendment has actually made e2e crypto more attractive than it is today. That’s my view, but Mark MacCarthy still thinks the twitching corpse of EARN IT might cause harm by allowing states to adopt stricter rules for liability in the context of child sex abuse material. He also thinks that it won’t pass.  I have ten bucks that says it will, and by the end of the year.

Dave Aitel, new to the news roundup, discusses the bad week TikTok had in its second biggest market.  India has banned the app. And judging from some of the teardowns of the code, its days may be numbered elsewhere as well. Dave points to reports that Angry Birds was used to collect user information as well when it was at the height of its popularity. We wax philosophic about why advertising and not national security agencies are breaking new ground in building our Brave New World.

Mark once worked for a credit card association, so he’s the perfect person to comment on claims that being labeled a “hate speech” platform won’t just get you boycotted in Silicon Valley but by the credit card associations as well. And once we’re in this vein, we mine it, covering Silicon Valley’s concerted campaign to make sure Donald Trump can’t repeat 2016 in 2020. He’s been deplatformed at Twitch this week for something he said in 2016.  And Reddit dumped his enormous subreddit for failure to observe its censorship rules – which I point out are designed to censor only the majority.. I argue it’s time to defund the speech police.

Nick takes us to a remarkable Washington story. He thinks it’s about a questionable Trump administration effort to redirect $10 million in “freedom tool” funding from cryptolibertarians to Falun Gong coders. I point out that US government funds going to the cryptolibertarians were paying the salary of the notorious Jake Applebaum and buying tools like TAILS that have protected appalling sextortionist criminals. Really, the money would be better spent if we burned it on cold days on the Mall to warm the homeless.

Returning to This Week in Hacked Phones, Nick explains the latest man in the middle attack that requires the phone user to do nothing but visit a website. Any website.  Dave sets out the strikingly sophisticated and massive international surveillance system now aimed by China at Uighers all around the world.  And Nick warns of two bugs that, if you haven’t spent the weekend fixing, may already be exploited on your network.

In quick hits, I mock MIT for thinking that “pedophile” is a racial or ethnic slur but confess that its researchers know more bad words than I do.  What is a c****e, anyway? If MIT was cheating on the number of asterisks, we have an idea, but that’s cheating.  If you know, please don’t tweet the answer; send it to our email.

                                                                                                                                   

Download the 323rd Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage @stewartbaker with on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

 

 

 

For the first time in twenty years, the Justice Department is finally free to campaign for the encryption access bill it has always wanted.  Sens. Lindsey Graham (R-S.C.), Tom Cotton (R-Ark.), and Marsha Blackburn (R-Tenn.) introduced the Lawful Access To Encrypted Data Act. (Ars Technica, Press Release) As Nick Weaver points out in the news roundup, this bill is not a compromise. It’s exactly what DOJ wants – a mandate that every significant service provider or electronic device maker build in the ability to decrypt any data it has encrypted when served with a lawful warrant.

In our interview, Under Secretary Chris Krebs, head of the Cybersecurity and Infrastructure Security Agency, drops in for a chat on election security, cyberespionage aimed at coronavirus researchers, why CISA needs new administrative subpoena authority, the value of secure DNS, and how cybersecurity has changed in the three years since he took his job.

Germany’s highest court has ruled that the German competition authority can force Facebook to obtain user consent for internal data sharing, to prevent abuse of a dominant position in the social networking market. Maury Shenk and I are dubious about the use of competition law for privacy enforcement. Those doubts could also send the ruling to a still higher forum – the European Court of Justice.

You might think that NotPetya is three years in the rear-view mirror, but the idea of spreading malware via tax software, pioneered by the GRU with NotPetya, seems to have inspired a copycat in China. Maury reports that a Chinese bank is requiring foreign firms to install a tax app that, it turns out, has a covert backdoor. (Ars Technica, Report, NBC)

The Assange prosecution is looking less like a first amendment case and more like a garden variety hacking conspiracy thanks to the government’s amended indictment. (DOJ, Washington Post) And, as usual, the more information we have about Assange, the worse he looks.

Jim Carafano, new to the podcast, argues that face recognition is coming no matter how hard the press and NGOs work to demonize it. And working hard they are. The ACLU has filed a complaint against the Detroit police, faulting them for arresting the wrong man based on a faulty match provided by facial recognition software. (Ars Technica, Complaint)

The Facebook advertiser moral panic is gaining adherents, including Unilever and Verizon, but Nick and I wonder if the reason is politics or a collapse in ad budgets. Whatever the cause, it’s apparently led Mark Zuckerberg to promise more enforcement of Facebook’s policies.

In short hits, the U.S. Department of Homeland Security sent a letter to chief executives of five large tech companies asking them to ensure social media platforms are not used to incite violence. Twitter has permanently suspended the account of leak publisher DDoSecrets. (Ars Technica, Cyber Scoop). Rep. Devin Nunes (R-Calif.) was told what he must have known when he filed his case: he cannot sue Twitter for defamation over tweets posted by a parody account posing as his cow. (Ars Technica, Ruling) Nick explains why it’s good news all around as Comcast partners with Mozilla to deploy encrypted DNS lookups on the Firefox browser. And Burkov gets a nine-year sentence for his hacking.

 


 

Download the 322nd Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.