For decades, U.S. cyber exploits were notoriously lawyer-ridden, to the point where it was a key element of attribution. But it looks like Israel has matched and surpassed U.S. cyberwarriors. In an attack claimed by some “hacktivist” group but widely attributed to Israel, Nate Jones reports, several Iranian mills shut down in a flood of sparks and molten steel. But the most interesting thing about the attack was the video pre-roll, which went out of its way to note that the mills were under international sanction and that the attackers sent workers warnings to avoid casualties. Some of that was prudence; when you’re escalating cyber tactics, it’s a good idea to emphasize the limits you’re observing. But a lot of it was lawyers worried about the law of armed conflict. On top of an earlier campaign that cut off gasoline supplies but also warned emergency medical and fire services to gas up in advance, it looks as though lawyers are shaping some of the best cyber attacks.

China, meanwhile, is putting resources into exporting its Fifty Cent Army to the United States. Sultan Meghji and Maury Shenk cover a Chinese campaign on social media to turn American rare earths processing into an environmental controversy. In this case, I argue, China is taking a leaf from the Russian playbook for driving up costs for American frackers who were holding down the price of Russian oil. I urge someone to do the research necessary to figure out just how many of those fake American accounts are also on TikTok, and how TikTok’s algorithm is treating them. Speaking of Chinese propaganda, Maury tells us that one of its cybersecurity firms is accusing the U.S. of planting Trojans in hundreds of important Chinese information systems, which might be interesting if the report actually provided some details.

Feeling the spur of competition from Israel’s cyber lawyers, NSA’s counsel has opened a new front. They persuaded the Justice Department to fight a merger on the grounds that it will reduce competition in the bidding on a single NSA program. Nate and I are stuck on the market definition problems for the case, but Sultan thinks it’s an investment opportunity.

This Week in Stupid Artificial Intelligence (AI) Research: We never lack for stories in this category, but this week the two contenders are evenly matched. Sultan tells us about a story that proves you can always find sex and race discrimination in AI if your study is designed badly enough. But Maury finds another group of researchers who went one better, designing a moderately effective crime prediction algorithm and then arguing that the police were racist if they put more police into high-crime neighborhoods and racist if they didn’t send more police to neighborhoods with rising crime. Since the whole point of most AI bias research is to get your story into the press by finding racism, being able to find it no matter how the study  turns out is a pretty impressive strategy.

Speaking of unimpressive journalism, Sultan flags a Wall Street Journal story that lazily dumps on AI research for not doing everything we want, while pretty much ignoring things it has done well.

Sultan also leads us through the wreckage of one cryptocurrency domino after another, but he thinks it’s likely to put a firmer, and more regulated, foundation under the businesses that survive. Nate reprises the EU contribution to the issue – more regulation, natch – but in a surprise twist for the Cyberlaw Podcast, the Brussels proposal gets pretty high marks.

Updating a few stories from past weeks,

  • Google is really getting hurt by the study showing it favoring Democratic fundraising messages over Republicans by about 7 to 1. The GOP has always believed (correctly) that its views are being handicapped by Silicon Valley, but this time the evidence is hard to refute. Indeed, Google isn’t really refuting it, just promising to do better in future, while Republicans are claiming that Gmail bias cost them $2 billion in donations and proposing tough new transparency laws.
  • The Justice Department is upping the stakes for Uber’s former chief information security officer (CISO) with the trial court’s permission, charging Joe Sullivan with wire fraud for treating what looks like a data breach ransom as a bug bounty. The Department of Justice says this defrauded Uber drivers and customers. Sullivan is the first, but probably not the last, CISO who’ll face this charge, as government slips away from “public-private partnership” as the reason to report breaches and instead embraces fear of prosecution.
  • And the Transportation Security Administration (TSA), after taking criticism for the harshness of its secret cybersecurity standards for pipelines, had offered some secret amendments to those standards. Is that a good thing? Who knows?

                                                                                                           

Download the 415th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

It’s that time again on the Congressional calendar. All the big, bipartisan tech initiatives that looked so good a few months ago are beginning to compete for time on the floor like fat men desperate to get through a small door. And tech lobbyists are doing their best to handicap the bills they hate while advancing those they like.

We open the Cyberlaw Podcast by reviewing a few of the top contenders. Justin (Gus) Hurwitz tells us that the big bipartisan compromise on privacy is probably dead for this Congress, killed by Senator Maria Cantwell (D-WA) and the new politics of abortion. The big subsidy for domestic chip fabs is still alive, Jamil Jaffer but beset by House and Senate differences, plus a proposal to regulate outward investment by U.S. firms that would benefit China and Russia. And Senator Amy Klobuchar’s (D-MIN) platform anti-self-preferencing bill is being picked to pieces by lobbyists trying to cleave away GOP votes over content moderation and national security.

David Kris unpacks the First Circuit decision on telephone pole cameras and the fourth amendment. Technology and Fourth Amendment law is increasingly agoraphobic, I argue, as aging boomers find themselves on a vast featureless constitutional plain, with no precedents to guide them and forced to fall back on their sense of what was creepy in their day.

Speaking of creepy, the Australian Strategic Policy Institute (ASPI) has a detailed report on just how creepy content moderation and privacy protections are at TikTok and WeChat. Jamil gives the highlights.

Not that Silicon Valley has anything to brag about. I sum up This Week in Big Tech Censorship with two newly emerging rules for conservatives on line: First, obeying Big Tech’s rules is no defense; it just takes a little longer before your business revenue is cut off. Second, having science on your side is no defense. As a Brown University doctor discovered, citing a study that undermines Centers for Disease Control and Prevention (CDC) orthodoxy will get you suspended. Who knew we were supposed to follow the science with enough needle and thread to sew its mouth shut?

If Sen. Klobuchar fails, all eyes will turn to Lina Khan’s Federal Trade Commission, Gus tells us, and its defense of the “right to repair” may give a clue to how it will regulate.

David flags a Google study of zero-days sold to governments in 2021. He finds it a little depressing, but I note that at least some of the zero-days probably require court orders to implement.

Jamil also reviews a corporate report on security, Microsoft’s analysis of how Microsoft saved the world from Russian cyber espionage – or would have if you ignoramuses would just buy more cloud services. OK, it’s not quite that bad, but the marketing motivations behind the report show a little too often in what is otherwise a useful review of Russian tactics.

In quick hits:

Gus tells us about a billboard that can pick your pocket: In NYC, naturally.

                                                                                               

Download the 414th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

This episode of the Cyberlaw Podcast begins by digging into a bill more likely to transform tech regulation than most of the proposals you’ve actually heard of – a bipartisan effort to repeat U.S. Senator John Cornyn’s bipartisan success in transforming the Committee on Foreign Investment in the United States (CFIUS) four years ago. The new bill holds a mirror up to CFIUS, Matthew Heiman Where CFIUS regulates inward investment from adversary nation, the new proposal will regulate outward investment – from the U.S. to adversary nations. The goal is to slow the transfer of technical expertise (and capital) from the U.S. to China. It is opposed by the Chinese government and the same U.S. business alliance that angered Senator Cornyn in 2018. If it passes, I predict, it will be as part of must-pass legislation and will be a big surprise to most technology observers.

The cryptocurrency world might as well make Leslie Gore its official chanteuse, because everyone is crying at the end of the crypto party. Well, except for Nick Weaver, who does a Grand Tour of all the overleveraged cryptocurrency firms on or over the verge of collapse as bitcoin values drop to $20 thousand and below.

Scott Shapiro and I trade views on the spate of claims that Microsoft is downgrading security in its products. It would unfortunately make sense for Microsoft to strip-mine value from its standalone proprietary software by stinting on security, we think, but we can’t explain why it would neglect cloud security as it is increasingly accused of doing.

That brings us to NickTalk about TikTok, and a behind-the-scenes look at what has happened to the TikTok-CFIUS case in the years since former President Donald Trump left the stage. Turns out that CFIUS has been doggedly pursuing pieces of the deal that were still on the table in 2020: localization in the U.S. for U.S. user data and no Chinese access to the data. The first is moving forward, Nick tells us; the second is turning out to be a morass.

Speaking of localization, India’s determination to localize credit card data has been rewarded. Matthew reports that cutting off new credit card customers did the trick: Mastercard has localized its data, and India has lifted the ban.

Scott reports on Japan’s latest contribution to the techlash: a law that makes ‘online insults’ a crime.

Scott also reports on a modest bright spot in NSO Group’s litigation with Facebook: The Supreme Court answered the company’s plea, calling on the U.S. government to comment on whether NSO could claim sovereign immunity for the hacking tools it sells to government. Nick puts his grave dancing shoes back on to report the bad news for NSO: the Biden administration is trashing a rumored acquisition by U.S. – based L3Harris Technologies.

                                                                                                                                               

Download the 413th Episode (mp3).

 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

This bonus episode of the Cyberlaw Podcast is an interview with Amy Gajda, author of “Seek and Hide: The Tangled History of the Right to Privacy.” Her book is an accessible history of the often obscure and sometimes “curlicued” interaction between the individual right to privacy and the public’s (or at least the press’s) right to know. Gajda, a former journalist, turns what could have been a dry exegesis on two centuries of legal precedent into a lively series of stories behind the case law. All the familiar legal titans of press and privacy — Louis Brandeis, Samuel Warren, Oliver Wendell Holmes – are there, but Gajda’s research shows that they weren’t always on the side they’re most famous for defending. You may come for deep thoughts about the law of privacy and press, but you’ll stick around for generous helpings of sex and hypocrisy (which, it turns out, is pretty much the core of privacy and, often, journalism).

This interview is just a taste of what Gajda’s book offers, but lawyers who are used to a summary of argument at the start of everything they read should listen to this episode first if they want to know up front where all the book’s stories are taking them.

                                                                                                                                               

Download the 412th Episode (mp3).

  • This episode of the Cyberlaw Podcast is dominated by things that U.S. officials said in San Francisco last week at the Rivest-Shamir-Adleman (RSA) conference. We summarize what they said and offer our views of why they said it.
  • Bobby Chesney, returning to the podcast after a long absence, helps us assess Russian warnings that the U.S. should expect a “military clash” if it conducts cyberattacks against Russian critical infrastructure. Bobby, joined by Michael Ellis sees this as a routine Russian PR response to U.S. Cyber Command and Director, Paul M. Nakasone’s talk about doing offensive operations in support of Ukraine.
  • Bobby also notes the FBI analysis of the NetWalker ransomware gang, an analysis made possible by seizure of the gang’s back office computer system in Bulgaria.  The unfortunate headline summary of the FBI’s work was a claim that “just one fourth of all NetWalker ransomware victims reported incidents to law enforcement.” Since many of the victims were outside the United States and would have had little reason to report to the Bureau, this statistic undercounts private-public cooperation. But it may, I suggest, reflect the Bureau’s increasing sensitivity about its long-term role in cybersecurity.
  • Michael notes that complaints about a dearth of private sector incident reporting is one of the themes from the government’s RSA appearances. A Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) executive also complained about a lack of ransomware incident reporting, a strange complaint considering that CISA can solve much of the problem by publishing the reporting rule that Congress authorized last year.
  • In a more promising vein, two intelligence officials underlined the need for intel agencies to share security data more effectively with the private sector. Michael sees that as the one positive note in an otherwise downbeat cybersecurity report from Avril Haines, Director of National Intelligence. And David Kris points to a similar theme offered by National Security Agency official Rob Joyce who believes that sharing of (lightly laundered) classified data is increasing, made easier by the sophistication and cooperation of the cybersecurity industry.
  • Michael and I are taking with a grain of salt the New York Times’ claim that Russia’s use of U.S. technology in its weapons has become a vulnerability due to U.S. export controls. We think it may take months to know whether those controls are really hurting Russia’s weapons production.
  • Bobby explains why the Department of Justice (DOJ) was much happier to offer a “policy” of not prosecuting good-faith security research under the Computer Fraud and Abuse Act instead of trying to draft a statutory exemption. Of course, the DOJ policy doesn’t protect researchers from civil lawsuits, so Leonard Bailey of DOJ may yet find himself forced to look for a statutory fix. (If it were me, I’d be tempted to dump the civil remedy altogether.)
  • Michael, Bobby, and I dig into the ways in which smartphones have transformed both the war and, perhaps, the law of war in Ukraine. I end up with a little more understanding of why Russian troops who’ve been flagged as artillery targets in a special Ukrainian government phone app might view every bicyclist who rides by as a legitimate target.
  • Finally, David, Bobby and I dig into a Forbes story, clearly meant to be an expose, about the United States government’s use of the All Writs Act to monitor years of travel reservations made by an indicted Russian hacker until he finally headed to a country from which he could be extradited.

                                                                                                                                               

Download the 411th Episode (mp3).

 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

  • If you’ve been worrying about how a leaky U.S. government can possibly compete with China’s combination of economic might and autocratic government, this episode of the Cyberlaw Podcast has a few scraps of good news. The funniest, supplied by Dave Aitel, is the tale of the Chinese gamer who was so upset at the online performance of China’s tanks that he demanded an upgrade. When it didn’t happen, he bolstered his argument by leaking apparently classified details of Chinese tank performance. I suggest that U.S. intelligence should be subtly degrading the online game performance of other Chinese weapons systems we need more information about.
  • There may be similar comfort in the story of Gitee, a well-regarded Chinese competitor to Github that ran into a widespread freeze on open source projects. Jane Bambauer and I speculate that the source of the freeze was government objections to something in the code or the comments in several projects. But guessing at what it takes to avoid a government freeze will handicap China’s software industry and make Western companies more competitive than one would expect.
  • In other news, Dave unpacks the widely reported and largely overhyped story of Cyber Command conducting “hunt forward” operations in support of Ukraine. Mark MacCarthy digs into Justice Samuel A. Alito Jr.’s opinion explaining why he would not have reinstated the district court injunction against Texas’s social media regulation. Jane and I weigh in. The short version is that the Alito opinion offers a plausible justification for upholding the law. It may not be the law now, but it could be the law if Justice Alito can find two more votes. And getting those votes may not be all that hard for a decision imposing more transparency requirements on social media companies.
  • Mark and Jane also dig deep on the substance and politics of national privacy legislation. Short version: House Democrats have made substantial concessions in the hopes of getting a privacy bill enacted before they must face what’s expected to be a hostile electorate. But Senate Democrats may not be willing to swallow those concessions, and Republican members may think they will do better to wait until after November. Impressed by the concessions, Jane and Mark hold out hope for a deal this year. I don’t.
  • Meanwhile, Jane notes, California is driving forward with regulations under its privacy law that are persuading Republicans that preemption has lots of value for business.
  • Finally, revisiting two stories from earlier weeks, Dave notes

                                                                                                                                               

Download the 410th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

At least that’s the lesson that Paul Rosenzweig and I distill from the recent 11th Circuit decision mostly striking down Florida’s law regulating social media platforms’ content “moderation” rules. We disagree flamboyantly on pretty much everything else – including whether the Court will intervene before judgment in a pending 5thCircuit case where the appeals court stayed a district court’s injunction and allowed Texas’s similar law to remain in effect.

When it comes to content moderation, Silicon Valley is a lot tougher on the Libs of TikTok than the Chinese Communist Party (CCP). Instagram just suspended the Libs of Tiktok account, I report, while a recent Brookings study shows that the Chinese government’s narratives are polluting Google and Bing search results on a regular basis. Google News and YouTube do the worst job of keeping the party line out of searches. Both Google News and YouTube return CCP-influenced links on the first page about a quarter of the time.

I ask Sultan Meghji to shed some light on the remarkable TerraUSD cryptocurrency crash. Which leads us, not surprisingly, from massive investor losses to whether financial regulators have jurisdiction over cryptocurrency. The short answer: Whether they have jurisdiction or not, all the incentives favor an assertion of jurisdiction. Nick Weaver is with us in spirit as we flag his rip-roaring attack on the whole field – a don’t-miss interview for readers who can’t get enough of Nick.

It’s a big episode for Artificial Intelligence (AI) news too. Matthew Heiman contrasts the different approaches to AI regulation in three big jurisdictions. China’s is pretty focused, Europe’s is ambitious and all-pervading, and the United States isn’t ready to do anything.

Paul thinks DuckDuckGo should be DuckDuckGone after the search engine allowed Microsoft trackers to follow users of its browser.

Sultan and I explore ways of biasing AI algorithms. It turns out that saving money on datasets makes the algorithm especially sensitive to the order in which the data is presented. Debiasing with synthetic data has its own risks, Sultan avers. But if you’re looking for good news, here’s some: Self-driving car companies who are late to the party are likely to catch up fast, because they can build on a lot of data that’s already been collected as well as new training techniques.

Matthew breaks down the $150 million fine paid by Twitter for allowing ad targeting of the phone numbers its users supplied for two-factor authentication (2FA) security purposes.

Finally, in quick hits:

                                                                                                                           

Download the 409th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

This week’s Cyberlaw Podcast covers efforts to pull the Supreme Court into litigation over the Texas law treating social media platforms like common carriers and prohibiting them from discriminating based on viewpoint when they take posts down. I predict that the Court won’t overturn the appellate decision staying an unpersuasive district court opinion. Mark MacCarthy and I both think that the transparency requirements in the Texas law are defensible, but Mark questions whether viewpoint neutrality is sufficiently precise for a law that trenches on the platforms’ free speech rights. I linger on a story that probably tells us more about content moderation in real life than ten Supreme Court amicus briefs – the tale of an OnlyFans performer who got her Instagram account restored by using alternative dispute resolution on Instagram staff: “We met up and like I f***ed a couple of them and I was able to get my account back like two or three times,” she said. Really, that explains so much.

Meanwhile, Jane Bambauer unpacks the Justice Department’s new policy for charging cases under the Computer Fraud and Abuse Act. It’s a generally sensible extension of some positions the Department has taken in the Supreme Court, including refusing to prosecute good faith security research or to allow companies to create felonies by writing use restrictions into their terms of service. Unless they also write those restrictions into cease and desist letters, I point out. Weirdly, the Justice Department will treat violations of such letters as potential felonies.

Mark gives a rundown of the new, Democrat-dominated Federal Trade Commission’s first policy announcement – asurprisingly uncontroversial warning that the commission will pursue educational tech companies for violations of the Children’s Online Privacy Protection Act.

Maury Shenk explains the recent United Kingdom Attorney General speech on international law and cyber conflict

Mark celebrates the demise of Department of Homeland Security’s widely unlamented Disinformation Governance Board.

Should we be shocked when law enforcement officials create fake accounts to investigate crime on social media? The Intercept is, of course. Perhaps equally predictably, I’m not. Jane offers some reasons to be cautious – and remarks on the irony that the same people who don’’t want the police on social media probably resonate to the New York Attorney General’s claim that she’ll investigate social media companies, apparently for not responding like cops to the Buffalo shooting.

Is it “game over” for humans worried about Artificial Intelligence (AI) competition? Maury explains how Google Deep Mind’s new generalist AI works and why we may have a few years left.

Jane and I manage to disagree about whether federal safety regulators should be investigating Tesla’s fatal autopilot accidents. Jane has logic and statistics on her side, so I resort to emotion and name-calling.

Finally, Maury and I puzzle over why Western readers should be shocked (as we’re clearly meant to be) by China’s requiring that social media posts include the poster’s location or by India’s insistence on a “know your customer” rule for cloud service providers and VPN operators.

                                                                                                                                               

Download the 408th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

 

 

 

 

Is the European Union (EU) about to rescue the FBI from Going Dark? Jamil Jaffer and Nate Jones tell us that a new directive aimed at preventing child sex abuse might just do the trick, a position backed by people who’ve been fighting the bureau on encryption for years.

The Biden administration is prepping to impose some of the toughest sanction ever on Chinese camera maker Hikvision, Jordan Schneider No one is defending Hikvision’s role in China’s Uyghur policy, but I’m skeptical that we should spend all that ammo on a company that probably isn’t the greatest national security threat we face. Jamil is more comfortable with the measure, and Jordan reminds me that China’s economy is shaky enough that it may not pick a fight to save Hikvision. Speaking of which, Jordan schools me on the likelihood that Xi Jin Ping’s hold on power will be loosened by the plight of Chinese tech platforms, harsh pandemic lockdowns, or the grim lesson provided by Putin’s ability to move without check from tactical error to strategic blunder and on to historic disaster.

Speaking of products of more serious national security than Hikvision, Nate and I try to figure out why the effort to get Kaspersky software out of U.S. infrastructure is still stalled. I think the Commerce Department should take the fall.

In a triumph of common sense and science, the wave of dumb laws attacking face recognition may be receding as lawmakers finally notice what’s been obvious for five years: The claim that face recognition is “racist” is false. Virginia, fresh off GOP electoral gains, has revamped its law on face recognition so it more or less makes sense. In related news, I puzzle over why Clearview AI accepted a settlement of the ACLU’s lawsuit under Illinois’s biometric law.

Nate and I debate how much authority Cyber Command should have to launch actions and intrude on third country machines without going through the interagency process. A Biden White House review of that question seems to have split the difference between the Trump and Obama administrations.

Quelle surprise! Jamil concludes that the EU’s regulation of cybersecurity is an overambitious and questionable expansion of the U.S. approach. He’s more comfortable with the Defense Department’s effort to keep small businesses who take its money from decamping to China once they start to succeed. Jordan and I fear that the cure may be worse than the disease.

I get to say I told you so about the unpersuasive and cursory opinion by United States Judge Robert Pitman, striking down Texas’ social media law. The Fifth Circuit has overturned his injunction, so the bill will take effect, at least for a while. In my view some of the provisions are constitutional and others are a stretch; Judge Pitman’s refusal to do a serious severability analysis means that all of them will get a try-out over the next few weeks.

Jamil and I debate geofenced search warrants and the reasons why companies like Google, Microsoft and Yahoo want them restricted.

In quick hits,

                                                                                                                                               

Download the 407th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Nick Weaver kicks off a wide-ranging episode by celebrating Treasury’s imposition of sanctions on a cryptocurrency mixer for facilitating the laundering of stolen cryptocurrency. David Kris calls on Justice to step up its game in the face of this competition, while Nick urges Treasury to next sanction Tornado Cash — and explains why this would incentivize better behavior more generally. Scott Shapiro weighs in to describe North Carolina’s effort to prohibit government entities from papaya ransom to ransomware gangs; he doubts it will work.

David and Scott also further our malware education by summarizing two chilling reports about successful long-term intrusion campaigns – one courtesy of Chinese state hackers and the other likely launched by Russian government agents. I can’t help wondering whether the Russian agencies haven’t prioritized cool hackings over effective ones – to Russia’s cost in the fight with Ukraine.

Nick provides a tutorial on why quantum cryptanalysis is worrying the Biden Administration and what it thinks we ought to do about it. I express some cynicism over how good U.S. physicists have gotten at selling expensive dreams to the government – and considerable relief that Chinese physicists are apparently at least as good at extracting funding from their government.

Here’s a story mainstream media is already burying because it doesn’t fit the “AI bias” narrative. It turns out that in a study by the Department of Homeland Security, most errors (75%) were introduced at the photo capture stage, not by the matching algorithms. What’s more, the bias we keep hearing about has disappeared for the best products. Error rates were reported for the best products by gender and skin color. Errors for women, for light-skinned subjects and dark-skinned subjects were all as low as it’s possible to be – zero. For men, the error rate was 0.8%. These tests were of authentication/identification face recognition, which is easier to do than 1:n “searches” for matching faces, but the results mean that it’s not unreasonable to expect the whole bias issue to disappear as soon as the public wises up to the ideologically driven journalism now on offer.

Nick and I spar over location data sales by software providers. I pour cold water on the notion that evil prosecutors will track women to abortion clinics in other states using their location data. Nick takes the affirmative on that topic, and we put some money on the outcome, though it may take five years for one of us to collect.

Scott unpacks the flap over Department of Homeland Security (DHS) Disinformation Governance Board, headed by Cyberlaw Podcast alumna Nina Jankowicz, who revealed on Tiktok that I should have asked her to sing the interview. Scott and I agree that DHS is retreating quickly from the board’s name and mission as negative reviews for the name, the leader, and the mission keep piling up.

This Week in Schadenfreude is covered by Nick, pointing out the irony of the Spanish prime minister’s phone being targeted with Pegasus spyware not long after the Spanish government was widely blamed for using Pegasus against Catalan separatists.

In quick hits,

                                                                                                                                               

Download the 406th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.