Our interview is with Mara Hvistendahl, investigative journalist at The Intercept and author of a new book, The Scientist and the Spy: A True Story of China, the FBI, and Industrial Espionage, as well as a deep WIRED article on the least known Chinese AI champion, iFlytek. Mara’s book raises questions about the expense and motivations of the FBI’s pursuit of commercial spying from China.

In the News Roundup, Gus Hurwitz, Nick Weaver, and I wrestle with whether Apple’s lawsuit against Corellium is really aimed at the FBI. The answer looks to be affirmative, since an Apple victory would make it harder for contractors to find hackable flaws in the iPhone.

Germany’s top court ruled that German intelligence can no longer freely spy on foreigners – or share intelligence with other western countries. The court seems to be trying to leave the door open to something that looks like intelligence collection, but the hurdles are many. Which reminds me that I somehow missed the 100th anniversary of the Weimar Republic.

There’s Trouble Right Here in Takedown City. Gus lays out all the screwy and maybe even dangerous takedown decisions that came to light last week. YouTube censored epidemiologist Knut Wittkowski for opposing lockdown. It suspended and then reinstated a popular Android podcast app for the crime of cataloging COVID-19 content. We learned that anyone can engage in a self-help right to be forgotten with a bit of backdating and a plagiarism claim. Classical musicians are taking it on the chin in their battle with aggressive copyright enforcement bots and a sluggish Silicon Valley response.

In that climate, who can blame the Supreme Court for ducking cases asking for a ruling on the scope of Section 230? They’ve dodged one already, and we predict the same outcome in the next one.

Finally, Gus unpacks the recent report on the DMCA from the Copyright Lobbying Office – er, the Copyright Office.

With relief, we turn to Matthew Heiman for more cyber and less law. It sure looks like Israel launched a disruptive cyberattack on Iranian port facility. It was probably a response to Iranian cybe-rmeddling with Israeli water systems.

Nick covers Bizarro-world cybersecurity: It turns out malware authors now can hire their own black-market security pentesters.

I ask about open-source security and am met with derisive laughter, which certainly seems fair after flaws were found in dozens of applications.

I also cover a Turing Test for the 21st Century: Can you sext successfully with an AI and don’t know it’s an AI? And the news from AI speech imitation is that Presidents Trump and Obama have fake-endorsed Lyrebird.

Gus reminds us that most of privacy law is about unintended consequences, like telling Grandma she’s violating GDPR by posting her grandchildren’s photos without their parents’ consent.

Beerint at last makes its appearance, as it turns out that military and intelligence personnel can be tracked with a beer enthusiast app.

Finally, in the wake of Joe Rogan’s deal with Spotify, I offer assurances that the Cyberlaw Podcast is not going to sell out for $100 million.


Download the 317th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!


The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.



Peter Singer continues his excursion into what he calls “useful fiction” – thrillers that explore real-world implications of emerging technologies – in Burn-In: A Novel of the Real Robotic Revolution, to be released May 26, 2020. This interview explores a thoroughly researched (and footnoted!) host of new technologies, many already in production or on the horizon, all packed inside a plot-driven novel. The book is a painless way to understand what these technologies make possible and their impact on actual human beings. And the interview ranges widely over the policy implications, plus a few plot spoilers.

Continue Reading Episode 316: Our AI Future – Sexbots, Toilet Drones, and Robocops?


J.P. Morgan once responded to President Teddy Roosevelt’s charge that he’d violated federal antitrust law by saying, “If we have done anything wrong, send your man to see my man, and we’ll fix it up.” That used to be the gold standard for monopolist arrogance in dealing with government, but Google and Apple have put J.P. Morgan in the shade with their latest instruction to the governments of the world: You can’t use our app to trace COVID-19 infections unless you promise not to use it for quarantine or law enforcement purposes. They are only able to do this because the two companies have more or less 99% of the phone OS market. That’s more control than Morgan had of US railways, and their dominance apparently allows them to say, “If you think we’ve done something wrong, don’t bother to send your man; ours is too busy to meet.” Nate Jones and I discuss the question of Silicon Valley overreach in this episode. (In that vein, I apologize unreservedly to John D. Rockefeller, to whom I mistakenly attributed the quote.) The sad result is that a promising technological adjunct to contact tracing has been delayed and muddled by ideological engineers to the point where it isn’t likely to be deployed and used in a timely way.

Continue Reading Episode 315: Google to Washington: “Send your man to see my man. And we’ll stiff him.”

While most businesses have been preoccupied with navigating the effects of the COVID-19 pandemic, a significant change to businesses’ data security obligations has taken effect in New York. On March 21, 2020, the second part of the Stop Hacks and Improve Electronic Data Security Act (the SHIELD Act) went into effect in New York State. The SHIELD Act was signed into law in July 2019 and part of the legislation, amending New York’s data breach notification law, went into effect last October. The new data security requirements are not limited to a specific industry, but apply to any person or business that owns or licenses computerized data that includes the private information of New York residents.[1]

The SHIELD Act mandates a covered business “develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information, including but not limited to, disposal of data.” To comply with the SHIELD Act, a business’ data security program must include the following:

  • “Reasonable administrative safeguards,” such as:
    • Designating “one or more employees to coordinate the security program”;
    • Identifying “reasonably foreseeable internal and external risks”;
    • Assessing “the sufficiency of safeguards in place to control the identified risks”;
    • Training and managing “employees in the security program practices and procedures”;
    • Selecting “service providers capable of maintaining appropriate safe-guards” and requiring “those safeguards by contract”; and
    • Adjusting “the security program in light of business changes or new circumstances.”
  • “Reasonable technical safeguards,” such as:
    • Assessing “risks in network and software design”;
    • Assessing “risks in information processing, transmission and storage”;
    • Detecting, preventing and responding “to attacks or system failures”; and
    • Regularly testing and monitoring “the effectiveness of key controls, systems and procedures.”
  • “Reasonable physical safeguards,” such as:
    • Assessing “risks of information storage and disposal”;
    • Detecting, preventing, and responding “to intrusions”;
    • Protecting “against unauthorized access to or use of private information during or after the collection, transportation, and destruction or disposal of the information”; and
    • Disposing “of private information within a reasonable amount of time after it is no longer needed for business purposes by erasing electronic media so that the information cannot be read or reconstructed.”

A small business[2] complies with the SHIELD Act’s data security program requirements where its “security program contains reasonable administrative, technical and physical safeguards that are appropriate for the size and complexity of the small business, the nature and scope of the small business’s activities, and the sensitivity of the personal information the small business collects from or about consumers.”

In addition, any entity that is subject to and in compliance with (i) regulations promulgated pursuant to Title V of the federal Gramm-Leach-Bliley Act, (ii) regulations implementing the federal Health Insurance Portability and Accountability Act (HIPAA) and the federal Health Information Technology for Economic and Clinical Health Act (HITECH Act), (iii) the New York State Department of Financial Services Cybersecurity Regulation, or (iv) any other federal or New York State data security rule, regulation, or statute, is deemed compliant with the SHIELD Act’s data security mandate.

The New York State Attorney General is empowered to enforce the SHIELD Act’s data security requirements and may seek injunctive relief and damages of up to $5,000 per violation. The Act, however, explicitly excludes a private right of action under the data security requirements section.

[1] “Private information” is defined in N.Y. Gen. Bus. § 899-aa and includes “any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person” in combination with “(1) social security number; (2) driver’s license number or non-driver identification card number; (3) account number, credit or debit card number, in combination with any required security code, access code, password or other information that would permit access to an individual’s financial account; (4) account number, credit or debit card number, if circumstances exist wherein such number could be used to access an individual’s financial account without additional identifying information, security code, access code, or password; or (5) biometric information[.]” “Private information” also includes “a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.”

[2] A “small business” is defined as “any person or business with (i) fewer  than fifty employees; (ii) less than three million dollars in gross annual revenue in each of the last three fiscal years; or (iii) less than five million dollars in year-end total assets, calculated in accordance with generally accepted accounting principles.”

We begin with a new US measure to secure its supply chain for a critical infrastructure – the bulk power grid. David Kris unpacks a new Executive Order restricting purchases of foreign equipment for the grid.

Nick Weaver, meanwhile, explains the remarkable extent of surveillance built into Xiaomi phones and questions the company’s claim that it was merely acquiring pseudonymous ad-related data like others in the industry.

It wouldn’t be the Cyberlaw Podcast if we didn’t wrangle over mobile phones and the coronavirus. Mark MacCarthy says that several countries – Australia, the UK, and perhaps France – are deviating from the Gapple model for using phones for infection tracing. Several have bought in. India, meanwhile, is planning a much more government-driven approach to using phone apps to combat the pandemic.

Continue Reading Episode 314: Mirror-Image Decoupling


In today’s interview, I spar with Harriet Moynihan over the application of international law to cyberattacks, a topic on which she has written with clarity and in detail. We disagree politely but profoundly. I make the case that international law is distinct from what works in cyberspace and is inconsistent with either clarity or effectiveness in deterring cyberattacks. Harriet argues that international law has been a central principle of the post-1945 international system and one that has helped to keep a kind of peace among nations. It’s a good exchange.

Continue Reading Episode 313: Is the international law of cyberwar a thing?


In this episode, I interview Thomas Rid about his illuminating study of Russian disinformation, Active Measures: The Secret History of Disinformation and Political Warfare. It lays out a century of Soviet, East European, and Russian disinformation, beginning with an elaborate and successful operation against the White Russian expatriate resistance to Bolshevik rule in the 1920s. Rid has dug into recently declassified material using digital tools that enable him to tell previously untold tales – the Soviets’ remarkable success in turning opposition to US nuclear missiles in Europe into a mass movement (and the potential shadow it casts on the legendary Adm. Hyman Rickover, father of the US nuclear navy), the unimpressive record of US disinformation compared to the ruthless Soviet version, and the fake American lobbyist (and real German agent) who persuaded a German conservative legislator to save Willy Brandt’s leftist government. We close with two very different predictions about the kind of disinformation we’ll see in the 2020 campaign.

Continue Reading Episode 312: Russia’s online disinformation has a 100-year history


The Cyberspace Solarium Commission’s report was released into the teeth of the COVID-19 crisis and hasn’t attracted the press it probably deserved. But the commissioners included four sitting Congressmen who plan to push for adoption of its recommendations. And the Commission is going to be producing more material – and probably more press attention – over the coming weeks. In this episode, I interview Sen. Angus King, co-chair of the Commission, and Dr. Samantha Ravich, one of the commissioners.

We focus almost exclusively on what the Commission’s recommendations mean for the private sector. The Commission has proposed a remarkably broad range of cybersecurity measures for business. The Commission recommends a new products liability regime for assemblers of final goods (including software) who don’t promptly patch vulnerabilities. It proposes two new laws requiring notice not only of personal data breaches but also of other significant cyber incidents. It calls for a federal privacy and security law – without preemption. It updates Sarbanes-Oxley to include cybersecurity principles. And lest you think the Commission is in love with liability, it also proposed liability immunities for critical infrastructure owners operating under government supervision during a crisis. We cover all these proposals, plus the Commission’s recommendation of a new role for the Intelligence Community in providing support to critical US companies.

Continue Reading Episode 311: What the Cyberspace Solarium Report Means for the Private Sector

While attention is necessarily focused on the nation’s response to COVID-19, defense contractors should not put aside the need to prepare to meet DoD’s Cybersecurity Maturity Model Certification (CMMC) requirements. In fact, early this month the CMMC Accreditation Body announced on its website it had signed a Memorandum of Understanding (MOU) with DoD related to implementing CMMC, and is working to make more information about the agreement public. Even if DoD’s phased CMMC rollout is delayed, it is not likely to be materially changed. COVID-19 may provide immunity to those who go through it, and hopefully a vaccine for those who don’t, but these protections will not apply to cybersecurity threats to the defense industrial base. The rollout of these CMMC requirements is a matter of “when,” not “if.” Coupled with the structural change from self-certification to third-party audit, CMMC represents a sea change in the compliance requirements facing DoD contractors (and potentially those doing business with other government entities) that DoD contractors will be unable to implement overnight. DoD contractors – and their supply chains – should be proactive in responding to these requirements if they want to continue to do business with the Defense Department.

Click here to read the full article.


Nate Jones and I dig deep into Twitter’s decision to delete Rudy Giuliani’s tweet (quoting Charlie Kirk of Turning Point) to the effect that hydroxychloroquine had been shown to be 100% effective against the coronavirus and that Gov. Whitmer (D-MI) had threatened doctors prescribing it out of anti-Trump animus. Twitter claimed that it was deleting tweets that “go directly against guidance from authoritative sources” and separately implied that the tweet was an improper attack on Gov. Whitmer.

Continue Reading Episode 310: Is Twitter using the health emergency to settle political scores?