Header graphic for print

Steptoe Cyberblog

Episode 263: Turning the tables on Baker

Posted in China, International, Privacy Regulation, Security Programs & Policies


With apologies for the late post, Episode 263 of The Cyberlaw Podcast tells the sad tale of another US government leaker who unwisely trusted The Intercept not to compromise its source. As Nick Weaver points out, The Intercept also took forever to actually report on some of the material it received.

In other news, Brian Egan and Nate Jones agree that Israel broke no new ground in bombing the headquarters of Hamas’s rudimentary hacking operation during active hostilities.

Nick and I dig into the significance of China’s use of intrusion tools pioneered by NSA. We also question the New York Times’s grasp of the issue.

The first overt cyberattack on the US electric grid was a bust, I note, but that’s not much comfort.

How many years of being told “I’m washing my hair that night” should tell you you’re not getting anywhere? The FCC probably thought China Mobile should have gotten the hint after eight years of no action on its application to provide US service, but just in case the message didn’t get through, it finally pulled the plug last week.

Delegating to Big Social the policing of terrorist content has a surprising downside, as Nate points out. Sometimes the government or civil society need that data to make a court case.

We touch briefly on Facebook’s FTC woes and whether Sen. Hawley (R-MO) should be using the privacy stick to beat a company he’s mad at for other reasons. I reprise my longstanding view that privacy law is almost entirely about beating companies that you’re mad at for other reasons.


Download the 263rd Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!


The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

The Fight Over CCPA Heats Up

Posted in Privacy Regulation

We recently published a client alert on the California Consumer Privacy Act. From the alert:

When California lawmakers hastily enacted the California Consumer Privacy Act (CCPA) in June 2018, few expected the law — voted on after only a few days’ deliberation — to remain unamended. And, indeed, the law was first amended just a few months later. But that was not the end of the story. In late April, California legislative committees voted on several amendments to CCPA, which takes effect January 1, 2020. Some of these amendments would make the CCPA a bit more business-friendly, while others would make it far more burdensome — and potentially costly — for companies.

This update summarizes these proposed amendments, which, if passed, will be further supplemented by the Attorney General Office’s promulgation of regulations, which are still expected to be issued for public comment by fall 2019. The Office of the Attorney General has been holding town hall meetings throughout California in order to gather input from companies and consumer advocates to help shape these regulations.

Read the full alert here.

You can listen to Meegan Brooks discuss the CCPA on Episode 262 of The Cyberlaw Podcast.

Episode 262: Udderly indefensible facial recognition scandal may drive new privacy mooovement

Posted in China, International, Privacy Regulation


Have the Chinese hired American lawyers to vet their cyberespionage tactics – or just someone who cares about opsec? Probably the latter, and if you’re wondering why China would suddenly care about opsec, look no further than Supermicro’s announcement that it will be leaving China after a Bloomberg story claiming that the company’s supply chain was compromised by Chinese actors. Nick Weaver, Joel Brenner, and I doubt the Bloomberg story, but it has cost Supermicro a lot of sales – and even if it isn’t true this time, the scale and insouciance of past Chinese cyberespionage make it inherently believable. Hence the company’s shift to other sources (and, maybe, a new caution on the part of Chinese government hackers).

GDPR and the California Consumer Privacy Act (CCPA) may be the Dumb and Dumber of privacy law, but neither is going away. And for the next six months, California’s legislature will be struggling against a deadline to make sense of the CCPA. Meegan Brooks gives us an overview.

But we in Washington can’t get too smug about California’s deadline-driven dysfunction. Congress also faces a year-end deadline to renew the Section 215 program, and even the executive branch hasn’t decided what it wants. Joel takes us through the program’s history, its snake-bitten implementation, and the possible outcomes in Congress.

This week in Silicon Valley content control: Facebook dropped the link-ban hammer on Louis Farrakhan, Alex Jones, and Milo Yiannopoulos for being “dangerous.” But did it really? Once again, I volunteer to put my Facebook access at risk by testing Facebook’s censorship engine – posting a different Infowars story there every day. Not because I love the conspiracy-mongering Alex Jones but because banning links is a bad idea. (Among other things, you can’t really pile links up and burn them in cinematic pyres at rallies.) But both Facebook and Jones may have a codependent interest in overstating the ban, because as of Day 4 of my experiment, my Facebook account is still alive and well, as are the Infowars links.

The FBI has accused US scientists of sending intellectual property to China, running shadow labs, and (this part really appalls Nick) corrupting the peer review process at NIH. Sadly, Science magazine buys into easy claims that the flap is born of racial bias.

We close the episode with the latest and most shocking facial recognition scandal. It turns out face recognition researchers are chasing down unwilling subjects and restraining them to get the subjects’ pictures – all in service to untried and udderly unreliable technology. All we need to turn this into a major scandal is a public policy entrepreneur willing to work the intersection between the EFF and PETA.


Download the 262nd Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!


The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Episode 261: Blockchain Takes Over the Podcast

Posted in Blockchain


On Episode 261, blockchain takes over the podcast again. We dive right into the recent activity from the SEC, namely, the Framework for “Investment Contract” Analysis of Digital Assets and the No-Action Letter issued to TurnKey Jet, Inc. (TurnKey) for a digital token. Gary Goldsholle noted this guidance has been eagerly anticipated since July 2017 when the SEC first applied the Howey Test to a digital token with the DAO report. The current framework focuses primarily on the reasonable expectation of profits and efforts of others prongs of the Howey Test. While the framework lays out a number of factors to consider when determining whether a token is a security, the practicality of those factors is still up for debate.

Will Turner explained that the TurnKey No-Action Letter was most useful for parties interested in structuring a private, permissioned, centralized blockchain, but believes the guidance in the Framework would allow for alternative structures. The key from the SEC’s perspective is that there is no expectation of profits for token holders, since the token is a stablecoin pegged to the value of USD and there is no use of the token outside of TurnKey’s network. Jeff Bandman noted the irony that the first No-Action Letter related to blockchain and cryptocurrency involves private jets, particularly since “Mr. and Ms. 401(k)”—the retail investors SEC Chairman Jay Clayton is focused on protecting—are not likely to become private jet users anytime soon.

Jeff emphasized the importance of network functionality and observed that the network for private jet use was already established. Alan Cohn highlighted this tension between the need for centralization to achieve functionality, and need for decentralization as a means to avoid meeting the “derived from the efforts of others” prong of the Howey Test.

Gary then turned to Blockstack’s Regulation A filing, the most comprehensive effort to register a token under Reg. A that we have seen to date. Blockstack is seeking to be a Tier 2 issuer, meaning they can raise up to $50 million in 12 months, which comes with heightened disclosure obligations and requires audited financials. While they seek to raise capital as a security today, their ultimate goal – and a central risk factor in their offering circular – is to achieve the requisite level of decentralization such that they no longer would meet the definition of a security.

Meanwhile, in Congress, the recently reintroduced Token Taxonomy Act of 2019 would exempt a newly defined category of digital tokens from the definition of a security, as well as provide some clarity on tax issues for cryptocurrency users and exchanges. Jeff observed that these amendments might contribute further to a gap in federal regulation over spot trading markets. While the CFTC has enforcement authority, they do not have the authority to directly supervise the bitcoin trading market.

Turning to the interview, Jeff describes how he co-founded Global Digital Finance (GDF), along with other co-founders in Europe, Asia, and the United States, in order to address the lack of international standards surrounding the blockchain industry – or even a general consensus of terminology. Jeff describes how GDF has a number of working groups focused on developing high-level principles and standards on a range of topics, including stablecoins, custody, tax, and security tokens. GDF is trying to fill in some of the gaps that appear when jurisdictions regulate cryptocurrencies and crypto-assets differently.  As an example of its work, GDF’s KYC/AML/CTF group recently commented on FATF’s standards, issuing two comments in October 2018 and April 2019.

Jeff is also in the process of launching a new transfer agent service, Block Agent, focused on enabling and supporting SEC-regulated issuances. As markets mature, it is increasingly important to have the necessary post-trade infrastructure, and he is committed to offering services that recognize the novel features and efficiencies around these new technologies.

For our listeners in the DC area, Steptoe is hosting a half-day complimentary regulatory symposium this Thursday, May 2, in our DC office. Our plenary speakers include current and former commissioners and high-level officials with agencies such as the Federal Energy Regulatory Commission, the Surface Transportation Board, and the Environmental Protection Agency. We will also have breakout panels focused on four separate topics: Deference, Globalization, Regulatory/Legislative Approach, and Preemption. To register, click here.


Download the 261st Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!


The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Coming Up: Blockchain Takes Over the Podcast

Posted in Blockchain

Next week, blockchain is taking over The Cyberlaw Podcast once again. On April 29, Steptoe partners Alan Cohn, Gary Goldsholle, and Will Turner will reconvene to discuss the latest in blockchain and cryptocurrency regulation. At the top of the list is the suite of updates coming out of the U.S. Securities and Exchange Commission, including the Framework for “Investment Contract” Analysis of Digital Assets and a No-Action Letter regarding TurnKey Jet, Inc. We’ll consider what this means for companies trying to issue tokens and lay out potential permissible token launch models. We’ll also examine two recent filings: (1) Blockstack’s filing for a $50M regulated token offering; and (2) Acra’s filing to issue its shares as digitized securities, Acra UST Coins.

Our guest speaker, Jeff Bandman, Co-Founder and Board Member of Global Digital Finance, will add an industry perspective on key regulatory issues such as their recent response to the Financial Action Task Force’s interpretative note on mitigation risks from virtual assets.

Episode 260: Sending our passports to Pornhub

Posted in Cybersecurity and Cyberwar, European Union, International, Privacy Regulation


In this episode, Nick Weaver and I discuss new Internet regulations proposed in the UK. He’s mostly okay with its anti-nudge code for kids, but not with requiring proof of age to access adult material. I don’t see the problem; after all, who wouldn’t want to store their passport information with Pornhub?

Continue Reading

Episode 259: Why France understands Chinese policy better than the rest of us

Posted in AI, CFIUS, China, Cloud Computing, European Union, International, Russia


Our News Roundup is hip deep in China stories. The inconclusive EU – China summit gives Matthew Heiman and me a chance to explain why France understands – and hates – China’s geopolitical trade strategy more than most.

Maury Shenk notes that the Pentagon’s reported plan to put a bunch of Chinese suppliers on a blacklist is a bit of a tribute to China’s own list of sectors not open to Western companies. In other China news, Matthew discloses that there’s reason to believe that China has finally begun to use all the US personnel data it stole from OPM. I’m so worried it may yet turn my hair pink, at least for SF-86 purposes.

And in a sign that it really is better to be lucky than to be good, Matthew and I muse on how the Trump Administration’s China policy is coinciding with broader economic trends to force US companies to reconsider their reliance on Chinese manufacturing.

Continue Reading

Episode 258: The death of Section 230

Posted in CFIUS, China, International, Russia


Our News Roundup leads with the long, slow death of Section 230 immunity. Nick Weaver explains why he thinks social media’s pursuit of engagement has led to a poisonous online environment, and Matthew Heiman replays the astonishing international consensus that Silicon Valley deserves the blame – and the regulation – for all that ails the Internet. The UK is considering holding social media execs liable for “harmful” content on their platforms. Australia has already passed a law to punish social media companies for failure to remove “abhorrent violent material.” And Singapore is happily drafting behind the West, avoiding for once the criticism that its press controls are out of step with the international community. Even Mark Zuckerberg is reading the writing on the wall and asking for regulation. I note that lost in the one-minute hate directed at social media is any notion that other countries shouldn’t be able to tell Americans what they can and can’t read. I also wonder whether the consensus that platforms should be editors will add to conservative doubts about maintaining Section 230 at all – and in the process endanger the US-Mexico-Canada Agreement that would enshrine Section 230 in US treaty obligations.

Continue Reading

Episode 257: How we know the North Korean Embassy break-in wasn’t the work of the CIA

Posted in Data Breach, International, Privacy Regulation


In today’s News Roundup, Klon Kitchen adds to the North Korean Embassy invasion by an unknown group. Turns out some of the participants fled to the US and lawyered up, but the real tipoff about attribution is that they’ve given some of the data they stole to the FBI. That rules out CIA involvement right there.

Nick Weaver talks about Hal Martin pleading guilty to unlawfully retaining massive amounts of classified NSA hacking data. It’s looking more and more as though Martin was just a packrat, making his sentence of nine years in prison about right. But as Nick points out, that leaves unexplained how the Russians got hold of so much NSA data themselves.

Paul Hughes explains the seamy Europolitics behind the new foreign investment regulations that will take effect this month.

Continue Reading