Among the many problems with the current social media enthusiasm for deplatforming is this question: What do you do with all the data generated by people you deplatformed?

Facebook’s answer, as you’d expect, is that Facebook can do what it wants with the data, which mostly means deleting it. Even if it’s evidence of a crime?  Yes, says the platform, unless law enforcement asks us to save it. The legal fight over a deplatformed group that defended historical statues (and may have shot someone in the process) will tell us something about the – law of deplatformed data as will the fight over The Gambia’s effort to recover evidence of deplatformed human rights evidence. In the end, though, we need a law on this question. Because, given their track record in content moderation, leaving the question to the discretion of social media will translate into platforms’ preserving only evidence that hurts people they hate.

Tired: Data breach reporting. Wired: Cyber incident reporting. The unanimous view of our news panelists, Paul Rosenzweig and Dmitri Alperovitch, is that cyber policy has turned from reporting personal data breaches to reporting serious cyber intrusions no matter what data is compromised.  The latest example is the financial regulators’ adoption of a rule requiring banks and similar institutions to report major cyber incidents within 36 hours of determination that one has occurred.

But who will make that determination and with what certainty? Dmitri’s money is on the lawyers. I think there’s a great ER-style drama in the process: “OK, I’m going to call it. No point in trying to keep this alive any longer. Time of determination is 2:07 pm.”

Back after a long absence, we add an interview to the news roundup. David “moose” Wolpoff and Dan MacDonnell of Randori explain the consternation over their startup’s use of a serious vulnerability to conduct realistic penetration tests of buttoned-up networks instead of reporting it right away to the software provider. They argue that the value of zero days for pentesting is great and the risk of harm low, if handled responsibly. In fact, the debate sounds a lot like the arguments around the table at a government Vulnerability Equities Process (“VEP”) meeting.  And that makes me wonder whether the people pushing for a stricter VEP have any idea at all what they’re talking about.

Dmitri lays out the surprising complexity and sophistication of the Iranian attempt to influence the 2020 election. I’m less convinced. The Iranian effort failed, after all, and it resulted in the hackers’ indictment.

I dig into a recent brief by Hikvision claiming that the FCC lacks authority to bar sales of its products in the US. I’m only half convinced by the legal claim, but I am sure of this: The Hikvision argument has created an opportunity for some enterprising politician to sponsor quick, uncontroversial legislation giving the FCC the authority that Hikvision says it doesn’t have.

Dmitri explains the latest advance of the hardware hack known as  It may not be deployed routinely even now, he says, but the exploit makes clear that we will never entirely secure our cyber infrastructure.

Paul and I agree that it’s perfectly legal for government to buy advertising data that shows citizens’ locations. We more or less agree that some restraint on sales of location data – at least to the Russian and Chinese governments and maybe to anybody – are in order.

Paul and I offer muted and squeamish criticism of a Big Report claiming that child sexual abuse is exploding online. There’s no doubt that it’s a problem that deserves more legal and platform effort, but the authors did their cause no favors by mixing kids exchanging nude selfies with truly loathsome material.

Dmitri and I perform a public service announcement about a scam that takes advantage of security habits that the banks have encouraged us to get used to. Zelle fraud is going to make us all regret those habits.

And hopefully it will finally get banks to use hardware tokens instead of text messages to verify our transactions.

Germany and Mandiant are at odds in attributing the government sponsor of the Ghostwriter hacking gang. Germany, backed by the EU, says it’s Russia. Mandiant says it’s Belarus.

Dmitri says “Never bet against Mandiant on attribution.” I can’t disagree.

Finally, Dmitri joins me in an appreciation of Alan Paller, who died last week. He was a major influence in cybersecurity, and a role model for successful entrepreneurs who want to give back using their institution-creating skills.

And More!

                                                                                                           

Download the 384th Episode (mp3)

 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

 

 

 

 

 

Two major Senate committees have reached agreement on a cyber incident reporting mandate. And it looks like the big winner are the business lobbyists who got concessions from both committees. At least that’s my take. Dmitri Alperovitch says the bill may still be in trouble because of Justice Department opposition. And Tatyana Bolton not unfairly credits the Cyber Solarium Commission for incident reporting getting this close to passage.

Meanwhile, another piece of legislation, the Secure Equipment Act of 2021, has already been passed and signed by the President. It will lock a boatload of Chinese equipment out of U.S. markets. Dmitri explains why the FCC needed this additional authority.

Mark MacCarthy explicates the EU court ruling that upheld a $2.8 billion award against Google for “self-preferencing” in shopping searches.

If you’re surprised by the Kyle Rittenhouse trial, and the strength of the defense case, you can blame Facebook and Twitter, with astonishingly suppressed posts arguing that Rittenhouse had acted lawfully in self-defense. In a reverse John Adams moment, Twitter even suspended Rittenhouse’s defense counsel for defending him. And Facebook declared him guilty of a mass shooting and blocked searches for his name. If you want more content mob-eration like that in your podcast feed, well, no worries: the NYT is on it; the gray old lady is demanding to know why woke censorship hasn’t yet come to podcasts.

This has turned out to be a pretty good week for catching bad guys, Dmitri reports. REvil affiliates have been, arrested, indicted, and had some of their ill-gotten gains

Mark unpacks yet another bipartisan tech regulation-cum-competition bill. This one aiming to reduce platforms’ ability to foist “opaque algorithms” on their users. Tatyana notes that a lot of the bills trying to improve portability and competition are likely to raise cybersecurity concerns.

Dmitri and I aren’t impressed by the hoax email sent out in the FBI’s name from a poorly designed FBI website. It’s one step up from defacing the FBI’s website. I argue the bureau ought to give the hacker a low four-figure bug bounty and call it a day, but Dmitri thinks the hacker will be on the FBI’s most wanted list for a while. I tend to agree; there is, after all, no greater crime than Embarrassing the Bureau.

In quick hits:

  • Mark gives us a quick overview of the states’ recently updated antitrust complaint against Alphabet’s Google.
  • Tatyana and Dmitri talk about the implications of the Commerce Department sending information requests to the world’s top chipmakers.
  • Tatyana explains (as much as anyone can) Elon Musk’s decision to sell a bunch of Tesla stock because that’s what Elon Twitter wanted. We note that Elon promised to show his tweets to a lawyer in advance if they could move the market and wonder whether he actually found a lawyer who thought that tweet was a good idea.
  • I do a quick victory lap for having suspected that Frances Haugen’s incoherent retreat from criticizing Facebook’s end-to-end encryption was forced on her by the Silicon Valley version of the Deep State. Thanks to Politico, we now know her European tour was run by a batch of lefty digerati who hate Facebook, but not as much as they hate the FBI.
  • And I mourn the fact that this week the U.S. government finally surrendered to Microsoft and joined the Paris Call for Trust and Security in Cyberspace.

And More!

                                                                                                           

Download the 383rd Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

 

 

We’re joined for this episode by Scott Shapiro, long-time listener and first-time panelist, not to mention our first philosopher. He breaks down the Biden administration sanctions on four offensive cyber firms, most notable the Israeli company, NSO. Imposing Commerce Department “entity list” sanctions on companies from friendly countries for human rights abuses is a departure from historical practice, and exactly how it will work out remains uncertain. The sanctions are not a death penalty for companies like NSO, we conclude, since U.S. companies can still buy their services even if they can’t sell NSO anything more sophisticated than toilet paper.

The Pentagon is a bastion of top-down cybersecurity In theory, that’s what the Cybersecurity Maturity Model Certification program was all about – comprehensive and mandatory cybersecurity regulation for defense contractors. But as Nate Jones describes it, the Department of Defense’s effort to actually put the regulations in place are a cautionary tale. The Pentagon has revamped and delayed its standards again. The new proposal may well be more workable and less bureaucratic than the last, but it also pushes the day of reckoning for contractors years into the future.

Jamil Jaffer thinks the good guys may have won another battle with ransomware gangs, but it’s probably too soon to tell. On the heels of REvil claiming to be out of business, similar noises. DarkMatter is making But we won’t know for sure until the gangs have gone quiet for more than a couple of months.

Decoupling is still proceeding apace, as Yahoo surprises us all by announcing that it’s pulling out of China. (I’d forgotten they were still in.)

Jamil and Nate note that GitHub is the last big Western web company left in China. And even for GitHub, the ice appears to be cracking under its feet.

Scott takes us deep into jurisprudential philosophy in covering the ACLU’s threepeated loss as it argued a first amendment right to read classified FISA court opinions. It may be a first for our podcast to reference Marbury v. Madison, and it’s certainly a first to raise questions about whether it was correctly decided! Jamil also gives us a quick assessment of what Justice Gorsuch’s willingness to take the case tells us about his future role in national security cases.

Nate and I give the backs of our hand to legislative proposals to expand from “Five Eyes” to ‘Nine. I make the argument that we’re really down to Three.

Clearview AI took a beating down under for breaching Australians’ privacy law. Nate is short on sympathy. He thinks a more responsible set of actors might have prevented the toxification of face recognition. I argue that the toxification came first, and the dearth of big respectable face recognition firms came later. As witness Facebook being driven from the market by a $650m award under the Illinois Biometric Information Privacy Act.

In quick hits:

  • For old time’s sake, Nate and I clash over lefty efforts to define a lack of enthusiasm for climate-based regulation as “digital hate”
  • Jamil and I offer qualified endorsements of the State Department’s new cyber bureau
  • I namecheck podcast regular Paul Rosenzweig and others for a thoughtful thoughtful report on Chinese platforms in the United States:
  • I see some good news for cybersecurity in CISA’s (Cybersecurity and Infrastructure Security Agency) latest Binding Operational Directive mandating that federal agencies that we know are being exploited right now. I note that the directive is addressed to federal agencies quickly patch vulnerabilities but aimed quite deliberately at private owners of critical infrastructure. Don’t say you weren’t warned!

And More!

                                                                                                                                     

Download the 382nd Episode (mp3)

 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

In this episode, Dave Aitel and I dig into the new criminal law the House intelligence committee has proposed for workers at intelligence agencies. The proposal is driven by the bad decisions of three intel agency alumni who worked for the UAE, doing phone hacking and other intrusions under the sobriquet of Project Raven. Dave criticizes the broad language, the assumption that hacking for the government teaches things you can’t learn in the private sector, and the use of criminal penalties where reporting obligations would suffice. I plug a podcast on the topic released by the Association of Former Intelligence Officers.

Maury Shenk and I dig into the FCC’s decision to kick China Telecom off the U.S. telecommunications network. My view: this decision was overdetermined, a perfect storm of bad politics, poor decisions by China Telecom, and the fact that no American company has ever been licensed to do in China what China Telecom has spent 20 years doing in the United States.

We also dig into the proposal of a global regulatory alliance, Financial Action Task Force (“FATF”), to impose some fairly strict requirements on cryptocurrency transactions.  A lot of companies are criticizing the proposal, but unlike five years ago, they’re weighed down by the existence of an entire ransomware industry that depends on cryptocurrency.

The EU, meanwhile, is struggling to implement sanctions for cyber-attacks. As usual, Europe is its own worst enemy, tied down by excessive politicization, weak intelligence collection made weaker by a lack of sharing, and aggressive judicial oversight.

Maury and I track down a tip about France trying to turn cloud security standards into a weapon for excluding U.S.-owned providers. The big cloud companies are deemed insecure because they aren’t immune to U.S. legal process. But neither are the “big” European champions, since they almost certainly are subject to U.S. jurisdiction. So not only will EU buyers of cloud services be stuck with Deutsche Telekom and its 2% market share, they still won’t be safe from the long arm of U.S. discovery. European data protection policy at its finest!

We briefly explore Facebook whistleblower Frances Haugen’s flirtation with criticizing Facebook for adopting end-to-end encryption (“e2e”). Once she discovered that criticizing e2e is beyond the pale, however, she retreated into a cloud of incomprehensibility.  I capture the moment in my latest effort to turn cyber policy into cartoons.

And More!

                                                                                                                                                     

Download the 381st Episode (mp3)

 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

 

 

 

 

We begin the episode with Michael Ellis taking a close look at the takedown of the ransomware gang. It’s a good story for the good guys, as REvil seems to have been brought down by the same tactic it used against so many of its victims – malware that lingered in the backups it used to restore its network. I note that this seems to be a continuation of efforts that were interrupted in the early summer – and led to a lot of criticism that the FBI had prioritized its intrusion and takedown over giving victims the decryption key. Looks like the FBI is getting the last laugh.

The U.S. is trying to hold Putin responsible for stopping Russian ransomware gangs. Michael thinks that effort is not advanced by recent statements from the Pentagon raising doubts about whether Putin actually has the ability to stop the attacks.

One technology where Russia’s capabilities have grown stronger is, naturally, the ability to censor and suppress criticism, both on domestic and Western platforms. David Kris discusses the kinds of hostages Russia has learned to take, and their success in bringing Western social media to heel.

The U.S. Commerce Department has released a complex new rule for the export of network intrusion tools. Meredith Rathbone, from Steptoe’s trade regulation practice, boils the rule down to a few soundbites. The short version? Commerce has done a pretty good job of protecting legitimate distributors of intrusion software, but even the good guys are going to have to save a lot more receipts.

Michael and Paul Rosenzweig reprise the latest news about content moderation, particularly Twitter’s own study showing that its algorithms offer up a bit more conservative than left-wing content. That raises the question whether right-leaning commentary and news is more popular because more people want it. If so, the employees at Facebook are determined to keep it from them, as recent leaks show aggressive internal efforts to squash Breitbart’s reach on the platform.

David and I unpack Ian Bremmer’s Foreign Affairs article on “How Big Tech Will Reshape the Global Order.” David sees more in the piece than I do.

Paul and Michael kick off a discussion of our negotiations with the EU over transatlantic data flows. But in no time, all four of us are sounding off. We offer some solutions, and plenty of criticism for the EU (“The continent that invented hypocrisy”).

David notes that NSA is pursuing more collaboration with the private sector. How well that will work out is TBD, we agree.

In quick hits and updates:

  • I note with irony that Frances Haugen has discovered the limits of criticizing Facebook.  Whatever you do, you can’t criticize WhatsApp’s growing use of end2end encryption, even if it does allow the service to ignore foreign cyberespionage.
  • Trump and TRUTH are together at last, and Paul has the details. Bottom line: it feels like a typical Donald Trump production: great hype, plenty of controversy, and weak execution.
  • Hackback, isn’t dead, it turns out, yet. I discuss the political and business advocates for a kinder, gentler version of private hackback, modeled on private investigators.

And More!

                                                                                                                                     

Download the 380th Episode (mp3)

 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

 

 

 

Fresh from his launch of the Alperovitch Institute for Cybersecurity Studies, Dmitri Alperovitch kicks off this episode with a hopeful take on the 31-nation videoconference devoted to combatting ransomware. He and Nate Jones both think a coordinated international effort could pay off. I challenge Dmitri to identify one new initiative that this group could enforce, and he rises to the occasion.

Dmitri also previews one of the proposals for regulating Silicon Valley that might yet make it through Congress – a ban on “self-preferencing” by platforms that sell both their own and other people’s products. No, we don’t get out of this discussion without a “Master of our domain” Seinfeld reference. Or a nod in the direction of China’s even more aggressive use of antitrust remedies against companies like meal delivery giant Meituan.

Tatyana Bolton, meanwhile, identifies a second front in the attack on Big Tech – regulation of algorithms. This leads us into a discussion of freedom of speech versus “freedom of reach” and a WSJ story on the weaknesses of Facebook’s AI system for downrating but only occasionally nuking “hate speech.” I argue that social media will embrace AI reach restrictions, if only as a way to make sure the victims of Silicon Valley censorship never realize how much their voices are being squelched.

Microsoft has given up its ambitions for LinkedIn’s China operations, Dmitri notes, dropping the social media elements and moving to straight job listings. I think the retreat was overdetermined by the Chinese government’s effort to extract both financial and political concessions from Microsoft. In more news about Chinese regulation, it turns out that the Chinese ban on crypto-mining didn’t quite reach the crypto miners using state resources.

But if China is slowly poisoning its high-tech sector, why does a former Pentagon official think the U.S. has lost the AI race to China? Nate and I are cautiously skeptical of that view, not least because of the official’s, uh, provenance.

Tatyana and I dig into WhatsApp’s somewhat limited adoption of encrypted backups, and the policy’s likely impact on law enforcement and different categories of criminal. (In quick hits, I also nod to the critique of “client-side scanning” of phone content for law enforcement offered by All the Usual Cryptographers.

In more comic relief, the governor of Missouri embarrasses himself by threatening criminal prosecution after a state website’s security flaws are exposed by a reporter who seems to have done all the right things from a responsible disclosure point of view.

In other quick hits,

  • I report on Facebook’s appeal of the magistrate opinion unexpectedly gutting the Stored Communications Act for everyone who’s ever been deplatformed by social media.  It’s a workmanlike effort, but only mildly persuasive. This could turn out to be a big hole in the SCA, I offer.
  • Dmitri breaks down the federal government’s plan to issue SD cards to all its employees for network access. It’s a good idea, he thinks, but saying it will end phishing of employees is more fond hope than reasonable expectation.

And More!

                                                                                                                                     

Download the 379th Episode (mp3)

 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

 

 

The theme of this episode is a surge of creativity in the Biden administration as it searches for ways to regulate cybersecurity and cryptocurrency without new legislative authority. Paul Rosenzweig lays out the Department of Homeland Security’s entries in the creativity sweepstakes: New (and frankly pretty modest) cybersecurity directives to the rail and air industry plus a much more detailed (and potentially problematic) set of requirements for pipeline companies. Matthew Heiman describes a Justice Department plan for enforcing cybersecurity rules for federal contractors that should chill the hearts of management: an initiative that raises the prospect of whistleblower suits under the False Claims Act for failure to disclose breaches to the government. I suggest that this means the notoriously short tenure of the Chief Information Security Officer (CISO) at large companies will now come with a built-in retirement compensation package.

Creativity in regulating cryptocurrency was signaled both by the White House, which is working on a broader and more coordinated regulatory approach and by the Justice Department, which is planning a major criminal investigative approach to the industry. Nick Weaver gives us the details.

Paul covers a remarkably creative assertion of The Committee on Foreign Investment in the United States (CFIUS) jurisdiction over a Chinese purchase of Magnachip, a company with virtually no ties to the United States. Despite having no obvious skin in the game, CFIUS insisted on a CFIUS filing under President Trump and then vetoed the deal under President Biden. I suggest that the claim of extraterritorial jurisdiction, which in other circumstances might have annoyed South Korea, is in this case a good way for South Korea to avoid taking heat from China.

Paul explains why the Facebook outage was a much bigger deal than Americans realized. If you were living in Costa Rica, the loss of Facebook and WhatsApp, he says, could have greatly complicated every aspect of daily life, including calls for emergency services.

Paul digs into the return of “hactivism” – not to mention skepticism about hactivism. I marshal the evidence that the Pandora Papers were the result of hacks, not leaks – and roast the newspapers feasting on the hack for their utter hypocrisy. Hey, Marty Baron! We haven’t forgotten that after the Democratic National Committee (DNC) leaks of 2016, you said “Before reporting on the release of hacked or leaked information, there should be a conversation with senior editors about the newsworthiness of the information, its authenticity and whether we can determine its provenance… If a decision is made to publish a story about hacked or leaked information, our coverage should emphasize what we know—or don’t know—about the source of the information and how that may fit into a foreign or domestic influence operation. Our stories should prominently explain what we know about the full context of the information we are presenting, including its origins and the motivations of the source, including whether it appears to be an effort to distract from another development.” We’re still looking for that “full context” in the Pandora Papers or the Epik leaks.

Nick fills us in on Facebook’s extreme reaction to the creation of a tool that allows users to escape the News Feed. I discover that I’ve completely missed the central Facebook experience because I semi-inadvertently disabled the news feed.

Paul offers some surprising news about the limits of Artificial Intelligence (AI). Turns out, it’s not that good even at some of the things it should be superb at, like radiology reviews.

Nick and I explore Google’s acceptance of warrants based on search terms. He thinks that this has gone on under the radar for some time because both government and Google think the public reaction will be bad for business

Finally, in two quick hits:

  • I brag about the proof that I’m one of the 14,000 Gmail users that the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU) fears most: Google caught the Russian spy agency trying to phish me with a doctored Word document.
  • And Matthew reveals what the Russian SolarWinds hackers were looking for. From all the SolarWinds bad news, we extract this bit of good news: U.S. sanctions are really getting under Putin’s skin. So much so that sanctions are among Russian spies’ top collection priorities.

And More!

                                                                                                                                               

Download the 378th Episode (mp3)

 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

 

  • This is the meatiest episode in a long time, as Dmitri Alperovitch, Dave Aitel, and Mark MacCarthy go deep on the substance of a dozen stories or more.
  • First up, Dmitri and I speculate on possible outcomes from the newly announced administration plan to convene 30 countries to crack down on ransomware. We also report on what may be the first confirmed death resulting from the equipment failures caused by ransomware – a newborn strangled by its umbilical cord without the usual electronic warnings.
  • Dmitri also recaps and explains a new cryptocurrency regulatory topic that doesn’t concern its use in ransomware schemes – the move to ensure the financial stability of stablecoins.
  • Dave weighs in on two surprising provisions of the House intel authorization bill. The first would respond to the Project Raven incident by imposing new controls on ex-spies working for foreign governments. No one is against the idea, but no one thinks that the problem is limited to alumni of a few intelligence agencies. And the bill’s sweep is far broader than cases like Project Raven. I make the argument that it may criminalize ex-spies giving security advice to Airbus, or perhaps even the Atlantic Council.
  • The second imposes reporting requirements on U.S. government purchases of vulnerabilities from foreign vendors. This leads to a discussion of which nation has the best offensive talent. Dave thinks the old champ has been decisively dethroned.
  • In other legislative news, Dmitri covers the three committees producing bills to require cyber incident reporting, with special emphasis on the recently leaked bill from Senate Intel.
  • It’s a very aggressive bill, perhaps designed to stake out negotiating room with the Homeland committees. I ask, “What’s the difference between Europe’s staggering fines for General Data Protection Regulation (GDPR) violations and the fines for violating U.S. cyber reporting obligations?” The answer: about two weeks, at which point the maximum fine due to the U.S. will exceed the top European fine.
  • Mark gives an overview and some prognostication about Google’s effort to overturn the EU’s $5 billion antitrust fine to for its handling of Android.
  • Dmitri and I find ourselves forced to face up to the growing soft power of Russia and China, which are now increasingly forcing Silicon Valley companies to project Russian and Chinese power into the West. Russia, having forced Apple and Google to send hostages in the form of local employees are trying to use their leverage to control what those companies do in countries like And Linkedin, the last Western social media company still standing in China, is trying to keep that status by asking Americans to self-censor their accounts.
  • At Dave’s request, we visit a story we missed last week and explore all the complex equities at work when the FBI decides whether to use ransomware keys for remediation or disruption.
  • Mark gives an overview of the new Federal Trade Commission, where regulatory ambitionis high but practical authority weak, at least until the Senate confirms a third Democratic commissioner.
  • Waiting in the wings for that event is a even more antitrust action, possible new online privacy rules and Commissioner Slaughter’s enthusiasm for addressing racial equity quotas under the guise of algorithmic fairness.
  • Dmitri offers his best guess about the recent Russian arrest of a cybersecurity executive for treason (that’s the second in five years if you’re counting) and the US decision to send a Russian scammer back to Russia after bitterly fighting to extradite him from Israel (it’s the magic of time served awaiting extradition, I speculate).
  • In quick hits:
    • Dmitri makes a public service announcement about the ways that Two-Factor Authentication (2FA) can be subverted.
    • I celebrate some good news for the U.S.: China is planning to encourage provincial controls on the design and use of user algorithms. That’s bound to give US companies a new competitive advantage in a field where TikTok has passed them.
    • Dave and I dissect the guilty plea of former Ethereum developer Virgil Griffith to violating U.S. sanctions to offer a bland speech on cryptocurrency in North Korea.
    • I give the highlights of two new and eminently contestable cyberlaw rulings:
    • In U.S. v Wilson, the Ninth Circuit decided that law enforcement needs a warrant to open files that it knows from hashes are 99.9% certain to be child porn. The decision would be unfortunate if it weren’t meaningless; the hash itself provides probable cause, so warrants will be quickly and routinely issued. Thanks for the make-work, EFF!
    • And a magistrate judge clearly gunning for promotion has written a Stored Communications Act opinion that would fill me with concern about the way it empowers Silicon Valley’s biased Trust and Safety operatives to de-platform people and then turn their posts over to law enforcement without the subpoena they usually demand. I would worry more about those troubling consequences if I thought the opinion would survive.
    • And, finally, Dmitri is pleased to find one field where AI is succeeding without controversy, as machine learning declares a famous Peter Paul Rubens painting, Samson and Delilah, to be a But how long, I wonder, before this AI is forced by the FTC to correct its notorious anti-Flemish bias?
  • And More!

                                                                                                                                   

Download the 377th Episode (mp3)

 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

 

 

 

 

 

 

In this episode, we welcome Nick Weaver back for a special appearance thanks to the time-shifting powers of podcast software. He does a sack dance over cryptocurrency, flagging both China’s ban on cryptocurrency transactions and the U.S. Treasury’s sanctioning of the SUEX crypto exchange.

Maury Shenk explains the plans that the Biden administration and the EU have for Big Tech and the rest of us. Hint: it involves more content moderation in support of, err, democracy.

Adam Candeub gives us a tour of Wall Street Journal’s the deeply reported series on Facebook’s difficulties managing the social consequences of, well, the internet, a responsibility that the press is determined to impose on the company. Among the quasi-scandals turned up by the Journal is details on the list of “secret elite” of users protected from Facebook’s clunky and clueless content moderation algorithms. But really, in today’s world, true power is about escaping the clueless algorithms otherwise imposed on us by various authorities. We all aspire to join that elite. And perhaps we all can, if Ohio’s Attorney General and its latest Senate candidate get their way, making Google into a common carrier. (If that happens, we’ll credit Adam, who wrote an amicus brief in support.)

And what’s an elite without its hands on the levers of industry? China’s embrace of national champions on the world stage has forced a rethinking in the West of industrial policy. So, the auto industry’s commercial problem (they want cheap, plentiful, and antiquated chips for their cars) is suddenly a matter for White House meetings, and hints that the government might have its own supply allocation plans.

In fact, regulating the private sector is so in vogue, as long as it’s a tech-ish private sector, that California barely made news when it imposed a new and almost undefinable regulatory obligation on warehouse companies like Amazon.  At bottom, I argue, this is yet another attempt to put workers back on top of the algorithm – by demanding that it explain itself.

Maury next takes us to the heart of algorithmic power and our unease with it, explaining that Google now admits that it has no idea how to make AI less toxic.

In quick hits:

  • Washington whispers about Zoom’s ties to China have grown louder, as the US government announces a national security review of its proposed acquisition of Five9 for $15 billion.
  • Contrary to my understanding, at least one former intel operative who went to work for the United Arab Emirates in Project Raven landed very much on his feet – as CTO at ExpressVPN, though company employees have been expressing unhappiness about his history.
  • And podcast regular Dmitri Alperovitch has an op-ed in the New York Times that urges much tougher tactics in the fight against ransomware gangs.

And More!

                                                                                                                                     

Download the 376th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

 

 

 

 

 

Jordan Schneider rejoins us after too long an absence to summarize the tech policy coming out of Beijing today: Any Chinese government agency with a beef against a tech company has carte blanche to at least try it out. From Didi and others being told to stop taking on subscribers to an end to Western IPOs, to the forced contributions to common welfare, China’s beefs with Big Tech sound a lot like those in the West (well, except for the complaints about AI-enabled censorship). What’s different is that China has freed up its agencies to actually throw sand in the gears of technology businesses. Jordan and I explore the downside of empowering agencies this way. First, it makes the Chinese government responsible for an enormous and hard to govern part of the economy, as the government’s problems with the overvalued property sector show. And it creates opportunities for companies that are better at politics than customer service to cripple their competitors.

Meanwhile, the U.S. government is trying out its own version of letting a thousand regulatory flowers bloom. Michael Weiner unpacks the new, amended complaint in FTC v. Facebook and concludes that the FTC has done a plausible job of meeting the objections that led the district court to throw out the first complaint.

Then he tells us the five buckets of sand the Biden administration is dumping into technology merger law in the hope of slowing a massive acquisition boom, from no longer granting early termination, insisting on future merger approvals in standard consent agreements, issuing “close at your own peril” letters when they haven’t finished their review, and replacing the Vertical Merger Guidelines issued in June 2020 with, uh, nothing.

Pete Jeydel takes us on a tour of Project Raven and the deferred prosecution agreements imposed on three former U.S. government hackers who sold their services too freely to the UAE. The cases raise several novel legal issues, but one of the mysteries is why the prosecutors ultimately settled the cases without jail time. My guess? Graymail.

In quick hits and updates we note: That TikTok faces an Irish General Data Protection Regulation (“GDPR”) probe over children’s data and – more significantly – its transfers of data to China. What’s most remarkable to me is how long TikTok has staved off this scrutiny. Who says Donald Trump was bad for Chinese tech companies?

President Biden has nominated a 5th Federal Trade Commission Commissioner. Alvaro Bedoya is a Georgetown Law professor who writes about privacy and face recognition. There’s a lot of dumb stuff out there about AI bias and face recognition, but I’m pleased to say that it doesn’t look as though Prof. Bedoya wrote any of it.

The special prosecutor for Russia-Russia-Russia-gate has indicted a Perkins Coie lawyer for lying to the FBI general counsel while turning over a bunch of bogus evidence of Donald Trump’s ties to Russia. Turns out, I know all of the principals in this drama, and it’s uncomfortable.

Captain Obvious, speaking for the FBI, acknowledged that there is “no indication” Russia has cracked down on ransomware gangs after President Biden yelled at Vladimir Putin about them.

The 4th Circuit has tossed Wikimedia’s money-wasting lawsuit against the National Security Agency for its collection of overseas intelligence in the U.S.

And the Bolsonaro’s ban on social media censorship of politicians has been doubly overturned by the Brazilian Senate and its Supreme Court, leaving Bolsonaro’s decree in the same place as Florida’s (and, probably soon, Texas’s) effort to do something similar.

And More!

                                                                                                                                     

Download the 375th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.