This bonus episode is an interview with Josephine Wolff and Dan Schwarcz, who along with Daniel Woods have written an article with the same title as this post. Their thesis is that breach lawyers have lost perspective in their no-holds-barred pursuit of attorney-client privilege to protect the confidentiality of forensic reports that diagnose the breach. Remarkably for a law review article, it contains actual field research. The authors interviewed all the players in breach response, from the company information security teams, the breach lawyers, the forensics investigators, the insurers and insurance brokers, and more. I remind them of Tracy Kidder’s astute observation that, in building a house, there are three main players – owner, architect, and builder – and that if you get any two of them in the room alone, they will spend all their time bad-mouthing the third. Wolff, Schwarcz, and Woods seem to have done that with the breach response players, and the bad-mouthing falls hardest on the lawyers.

The main problem is that using attorney-client privilege to keep a breach forensics process confidential is a reach. So, the courts have been unsympathetic. Which forces lawyers to impose more and more restrictions on the forensic investigator and its communications in the hope of maintaining confidentiality. The upshot is that no forensics report at all is written for many breaches (up to 95%, Josephine estimates). How does the breached company find out what it did wrong and what it should do to avoid the next breach? Simple. Their lawyer translates the forensic firm’s advice into a PowerPoint and briefs management. Really, what could go wrong?

In closing, Dan and Josephine offer some ideas for how to get out of this dysfunctional mess. I push back. All in all, it’s the most fun I’ve ever had talking about insurance law.

Download the 435th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets

It’s been a news-heavy week, but we have the most fun in this episode with ChatGPT. Jane Bambauer, Richard Stiennon, and I pick over the astonishing number of use cases and misuse cases disclosed by the release of ChatGPT for public access. It is talented – writing dozens of term papers in seconds. It is sociopathic – the term papers are full of falsehoods, down to the made-up citations to plausible but nonexistent New York Times stories. And it has too many lawyers – Richard’s request that it provide his bio (or even Einstein’s) was refused on what are almost certainly data protection grounds. Luckily, either ChatGPT or its lawyers are also bone stupid, since reframing the question fools the machine into subverting the legal and PC limits it labors under. 

In a surprisingly under covered story, Apple has gone all in on child pornography. Its phone encryption already makes the iPhone a safe place to record child sexual abuse material (CSAM); now Apple will encrypt users’ cloud storage with keys it cannot access, allowing customers to upload CSAM without fear of law enforcement. And it has abandoned its effort to identify such material by doing phone-based screening. All that’s left of its effort is a weak option that allows parents to force their kids to activate an option that prevents them from sending or receiving nude photos. Jane and I dig into the story, as well as Apple’s questionable claim to be offering the same encryption to its Chinese customers.

Nate Jones brings us up to date on the National Defense Authorization Act, or NDAA. Lots of second-tier cyber provisions made it into the bill, but not the provision requiring that critical infrastructure companies report security breaches. A contested provision on spyware purchases by the U.S. government was compromised into a useful requirement that the intelligence community identify spyware that poses risks to the government.

Jane updates us on what European data protectionists have in store for Meta, and it’s not pretty. The EU data protection supervisory board intends to tell the Meta companies that they cannot give people a free social media network in exchange for watching what they do on the network and serving ads based on their behavior. If so, it’s a one-two punch. Apple delivered the first blow by curtailing Meta’s access to third-party behavioral data. Now even first-party data could be off limits in Europe. That’s a big revenue hit, and it raises questions whether Facebook will want to keep giving away its services in Europe.  

Mike Masnick is Glenn Greenwald with a tech bent – often wrong but never in doubt, and contemptuous of anyone who disagrees. But when he is right, he is right. Jane and I discuss his article recognizing that data protection is becoming a tool that the rich and powerful can use to squash annoying journalist-investigators. I have been saying this for decades. But still, welcome to the party, Mike!

Nate points to a plea for more controls on the export of personal data from the U.S. It comes not from the usual privacy enthusiasts but from the U.S. Naval Institute, and it makes sense.

It was a bad week for Europe on the Cyberlaw Podcast. Jane and I take time to marvel at the story of France’s Mr. Privacy and the endless appetite of Europe’s bureaucrats for his serial grifting.

Nate and I cover what could be a good resolution to the snake-bitten cloud contract process at the Department of Defense. The Pentagon is going to let four cloud companies — Google, Amazon, Oracle And Microsoft – share the prize.

You did not think we would forget Twitter, did you? Jane, Richard, and I all comment on the Twitter Files. Consensus: the journalists claiming these stories are nothingburgers are more driven by ideology than news. Especially newsworthy are the remarkable proliferation of shadowbanning tools Twitter developed for suppressing speech it didn’t like, and some considerable though anecdotal evidence that the many speech rules at the company were twisted to suppress speech from the right, even when the rules did not quite fit, as with LibsofTikTok, while similar behavior on the left went unpunished. Richard tells us what it feels like to be on the receiving end of a Twitter shadowban.

The podcast introduces a new feature: “We Read It So You Don’t Have To,” and Nate provides the tl;dr on an New York Times story: How the Global Spyware Industry Spiraled Out of Control.

And in quick hits and updates:

Download the 434th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets

We spend much of this episode of the Cyberlaw Podcast talking about toxified technology – new tech that is being demonized for a variety of reasons. Exhibit One, of course, is “spyware,” essentially hacking tools that allow governments to access phones or computers otherwise closed to them, usually by end-to-end encryption. The Washington Post and the New York Times have led a campaign to turn NSO’s Pegasus tool for hacking phones into radioactive waste. Jim Dempsey, though, reminds us that not too long ago, in defending end-to-end encryption, tech policy advocates insisted that the government did not need mandated access to encrypted phones because they could engage in self-help in the form of hacking. David Kris points out that, used with a warrant, there’s nothing uniquely dangerous about hacking tools of this kind. I offer an explanation for why the public policy community and it is Silicon Valley funders have changed their tune on the issue: having won the end-to-end encryption debate, they feel free to move on to the next anti-law-enforcement campaign.

That campaign includes private lawsuits against NSO by companies like WhatsApp, whose lawsuit was briefly delayed by NSO’s claim of sovereign immunity on behalf of the (unnamed) countries it builds its products for. That claim made it to the Supreme Court, David reports, where the U.S. government recently filed a brief that will almost certainly send NSO back to court without any sovereign immunity protection.

Meanwhile, in France, Amesys and its executives are being prosecuted for facilitating the torture of Libyan citizens at the hands of the Muammar Qaddafi regime. Amesys evidently sold an earlier and less completely toxified technology – packet inspection tools – to Libya. The criminal case is pending.

And in the U.S., a whole set of tech toxification campaigns are under way, aimed at Chinese products. This week, Jim notes, the Federal Communications Commission came to the end of a long road that began with jawboning in the 2000s and culminated in a flat ban on installing Chinese telecom gear in U.S. networks. On deck for China are DJI’s drones, which several Senators see as a comparable national security threat that should be handled with a similar ban. Maury Shenk tells us that the British government is taking the first steps on a similar path, this time with a ban on some government uses of Chinese surveillance camera systems.

Those measures do not always work, Maury tells us, pointing to a story that hints at trouble ahead for S. efforts to decouple Chinese from American artificial intelligence research and development.

Maury and I take a moment to debunk efforts to persuade readers that Artificial Intelligence (AI) is toxic because Silicon Valley will use it to take our jobs. AI code writing is not likely to graduate from facilitating coding any time soon, we agree. Whether AI can do more in Human Resources (HR) may be limited by a different toxification campaign – the largely phony claim that AI is full of bias. Amazon’s effort to use AI in HR, I predict, will be sabotaged by this claim. The effort to avoid bias will almost certainly lead Amazon to build race and gender quotas into its engine.

And in a few quick hits:

  • I express doubt that Australia’s “unleash the hounds” approach to ransomware actually has anything to do with one notorious ransomware actor’s extortion site going down.
  • Maury praises an MIT Technology Review piece that argues persuasively that China’s social credit system is not quite as dystopian as it’s been portrayed. I point out that, with Airbnb practicing guilt by association and PayPal taking your money for saying things PayPal doesn’t like, Silicon Valley can brag that it’s going to reach Full-Bore Dystopia well before China.
  • I cover the fourth review in three administrations of the  dual-hat leadership of NSA and Cyber Command. No change is likely.
  • And we close with a downbeat assessment of Elon Musk’s chances of withstanding the combined hostility of European and U.S. regulators, the press, and the left-wing tech-toxifiers in civil society. He is a talented guy, I argue, and with a three-year runway, he could succeed, but he doesn’t have three years.

Download the 432nd Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets

The Cyberlaw Podcast leads with the legal cost of Elon Musk’s anti-authoritarian takeover of Twitter. Turns out that authority figures have a lot of weapons, many grounded in law, and Twitter is at risk of being on the receiving end of those weapons. Brian Fleming explores the apparently unkillable notion that the Committee on Foreign Investment in the U.S. (CFIUS) should review Musk’s Twitter deal because of a relatively small share that went to investors with Chinese and Persian Gulf ties. It appears that CFIUS may still be seeking information on what Twitter data those investors will have access to, but I am skeptical that CFIUS will be moved to act on what it learns. More dangerous for Twitter and Musk, says Charles-Albert Helleputte, is the possibility that the company will lose its one-stop-shop privacy regulator for failure to meet the elaborate compliance machinery set up by European privacy bureaucrats. At a quick calculation, that could expose Twitter to fines up to 120% of annual turnover. Finally, I reprise my skeptical take on all the people leaving Twitter for Mastodon as a protest against Musk allowing the Babylon Bee and President Trump back on the platform. If the protestors really think Mastodon’s system is better, I recommend that Twitter adopt it, or at least the version that Francis Fukuyama and Roberta Katz have described.

If you are looking for the far edge of the Establishment’s Overton Window on China policy, you will not do better than the U.S.-China Economic and Security Review Commission, a consistently China-skeptical but mainstream body. Brian reprises the Commission’s latest report. The headline, we conclude, is about Chinese hacking, but the recommendations does not offer much hope of a solution to that problem, other than more decoupling.

Chalk up one more victory for Trump-Biden continuity, and one more loss for the State Department. Michael Ellis reminds us that the Trump administration took much of Cyber Command’s cyber offense decision making out of the National Security Council and put it back in the Pentagon. This made it much harder for the State Department to stall cyber offense operations. When it turned out that this made Cyber Command more effective and no more irresponsible, the Biden Administration prepared to ratify Trump’s order, with tweaks.

I unpack Google’s expensive (nearly $400 million) settlement with 40 States over location history. Google’s promise to stop storing location history if the feature was turned off was poorly and misleadingly drafted, but I doubt there is anyone who actually wanted to keep Google from using location for most of the apps where it remained operative, so the settlement is a good deal for the states, and a reminder of how unpopular Silicon Valley has become in red and blue states.

Michael tells the doubly embarrassing story of an Iranian hack of the U.S. Merit Systems Protection Board. It is embarrassing to be hacked with a log4j exploit that should have been patched. But it is worse when an Iranian government hacker gets access to a U.S. government network – and decided that the access is only good for mining cryptocurrency.

Brian tells us that the U.S. goal of reshoring chip production is making progress, with Apple planning to use TSMC chips from a new fab in Arizona.

In a few updates and quick hits:

  • I remind listeners that a lot of tech companies are laying employees off, but that overall Silicon Valley employment is still way up over the past couple of years.
  • I give a lick and a promise to the mess at cryptocurrency exchange FTX, which just keeps getting worse.
  • Charles updates us on the next U.S.-E.U. adequacy negotiations, and the prospects for Schrems 3 (and 4, and 5) litigation.
  • And I sound a note of both admiration and caution about Australia’s plan to “unleash the hounds” – in the form of its own Cyber Command equivalent – on ransomware gangs. As U.S. experience reveals, it makes for a great speech, but actual impact can be hard to achieve.

Download the 431st Episode (mp3). 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets

We open this episode of the Cyberlaw Podcast by considering the (still evolving) results of the 2022 midterm election. Adam Klein and I trade thoughts on what Congress will do. Adam sees two years in which the Senate does nominations, the House does investigations, and neither does much legislation. Which could leave renewal of the critically important intelligence authority, Section 702 of the Foreign Intelligence Surveillance Act (FISA), out in the cold. As supporters of renewal, we conclude that the best hope for the provision is to package it with trust-building measures to restore Republicans’ willingness to give national security agencies broad surveillance authorities.

I also note that foreign government cyberattacks on our election, which have been much anticipated in election after election, failed once again to make an appearance. At this point, election interference is somewhere between Y2K and Bigfoot on the “things we should have worried about” scale.

In other news, cryptocurrency conglomerate FTX has collapsed into bankruptcy, stolen funds, and criminal investigations. Nick Weaver lays out the gory details.

A new panelist on the podcast, Chinny Sharma explains to a disbelieving U.S. audience the UK government’s plan to scan all the country’s internet-connected devices for vulnerabilities. Adam and I agree that it could never happen here.  Nick wonders why the U.K. government does not use a private service for the task. 

Nick also covers This Week in the Twitter Dogpile. He recognizes that this whole story is turning into a tragedy for all concerned, but he is determined to linger on the comic relief. Dunning-Krueger makes an appearance.

Chinny and I speculate on what may emerge from the Biden administration’s plan to reconsider the relationship between the Cybersecurity and Infrastructure Security Agency (CISA) and the Sector Risk Management Agencies that otherwise regulate important sectors. I predict turf wars and new authorities for CISA in response. The Obama administration’s egregious exemption of Silicon Valley from regulation as critical infrastructure should also be on the chopping block. Finally, if the next two Supreme Court decisions go the way I hope, the Federal Trade Commission will finally have to coordinate its privacy enforcement efforts with CISA’s cybersecurity standards and priorities.

Adam reviews the European Parliament’s report on Europe’s spyware problems. He’s impressed (as am I) by the report’s willingness to acknowledge that this is not a privacy problem made in America. Governments in at least four European countries by our count have recently used spyware to surveil members of the opposition, a problem that was unthinkable for fifty years in the United States. This, we agree, is another reason that Congress needs to put guardrails against such abuse in place quickly.

Nick notes the US government’s seizure of what was $3 billion in bitcoin. Shrinkflation has brought that value down to around $800 million. But it is still worth noting that an immutable blockchain brought James Zhong to justice ten years after he took the money.

Disinformation – or the appalling acronym MDM (for mis-, dis-, and mal-information) – has been in the news lately. A recent paper counted the staggering cost of “disinformation” suppression during COVID times. And Adam published a recent piece in City Journal explaining just how dangerous the concept has become. We end up agreeing that national security agencies need to focus on foreign government dezinformatsiya – falsehoods and propaganda from abroad – and not get in the business of policing domestic speech, even when it sounds a lot like foreign leaders we do not like.

Chinny takes us into a new and fascinating dispute between the copyleft movement, GitHub, and Artificial Intelligence (AI) that writes code. The short version is that GitHub has been training an AI engine on all the open source code on the site so that it can “autosuggest” lines of new code as you are writing the boring parts of your program. The upshot is that open source code that the AI strips off the license conditions, such as copyleft, that are part of some open source code. Not surprisingly, copyleft advocates are suing on the ground that important information has been left off their code, particularly the provision that turns all code that uses the open source into open source itself. I remind listeners that this is why Microsoft famously likened open source code to cancer. Nick tells me that it is really more like herpes, thus demonstrating that he has a lot more fun coding than I ever had.

In updates and quick hits:

  • I note that the peanut butter sandwich nuclear spies have been sentenced.
  • Adam celebrates TSMC’s decision to build a 3 nanometer semiconductor fab in Arizona. We cross sword about whether the fab capital of the U.S. will be Phoenix or Austin.
  • I celebrate the Russian government’s acknowledgment of the Cyberlaw Podcast’s reach when it designated long-time regular Dmitri Alperovitch for Russian sanctions. Occasional guest Chris Krebs also makes the list.
  • mid.ru
  • Adam and I flag the Department of Justice’s release of basic rules for what I am calling the Euro appeasement court: the quasijudicial body that will hear European complaints that the U.S. is not living up to human rights standards that no country in Europe even pretends to live up to. 

Download the 430th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets

The war that began with the Russian invasion of Ukraine grinds on. Cybersecurity experts have spent much of 2022 trying to draw lessons about cyberwar strategies from the conflict. Dmitri Alperovitch takes us through the latest lessons, cautioning that all of them could look different in a few months, as both sides adapt to the others’ actions.

David Kris joins Dmitri to evaluate a Microsoft report hinting that China may be abusing its recent edict requiring that software vulnerabilities be reported first to the Chinese government. The temptation to turn such reports into 0-day exploits may be irresistible, and Microsoft notes with suspicion a recent rise in Chinese 0-day exploits. Dmitri worried about just such a development while serving on the Cyber Safety Review Board, but he is not yet convinced that we have the evidence to prove the case against the Chinese mandatory disclosure law.

Sultan Meghji keeps us in Redmond, digging through a deep Protocol story on how Microsoft has helped build Artificial Intelligence (AI) in China. The amount of money invested, and the deep bench of AI researchers from China, raises real questions about how the United States can decouple from China – and whether China may eventually decide to do the decoupling.

I express skepticism about the White House’s latest initiative on ransomware, a 30+ nation summit that produced a modest set of concrete agreements. But Sultan and Dmitri have been on the receiving end of deputy national security adviser Anne Neuberger’s forceful personality, and they think we will see results. We’d better. Banks reported that ransomware payments doubled last year, to $1.2 billion.

David introduces the high-stakes struggle over when cyberattacks can be excluded from insurance coverage as acts of war. A recent settlement between Mondelez and Zurich has left the law in limbo.

Sultan tells me why AI is so bad at explaining the results it reaches. He sees light at the end of the tunnel. I see more stealthy imposition of woke academic values. But we find common ground in trashing Facial Recognition Act, a lefty Democrat bill that throws together every bad proposal to regulate facial recognition ever put forward and adds a few more. A red wave will be worth it just to make sure this bill stays dead.

Finally, Sultan reviews the National Security Agency’s report on supply chain security. And I introduce the elephant in the room, or at least the mastodon: Elon Musk’s takeover at Twitter and the reaction to it.  I downplay the probability of CFIUS reviewing the deal. And I mock the Elon-haters who fear that scrimping on content moderation will turn Twitter into a hellhole that includes *gasp!* Republican speech. Turns out that they are fleeing Twitter for Mastodon, which pretty much invented scrimping on content moderation.

Download the 429th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets

David Kris opens this episode of the Cyberlaw Podcast by laying out some of the massive disruption that the Biden Administration has kicked off in China’s semiconductor industry – and its Western suppliers. The reverberations of the administration’s new measures will be felt for years, and the Chinese government’s response, not to mention the ultimate consequences, remains uncertain.

Richard Stiennon, our industry analyst, gives us an overview of the cybersecurity market, where tech and cyber companies have taken a beating but cybersecurity startups continue to gain funding.

Mark MacCarthy reviews the industry from the viewpoint of the trustbusters. Google is facing what looks like a serious AdTech platform challenge from several directions – the EU, the Justice Department, and several states. Facebook, meanwhile, is lucky to be a target of the Federal Trade Commission, which rather embarrassingly had to withdraw claims that the acquisition of Within would remove an actual (as opposed to hypothetical) competitor from the market. No one seems to have challenged Google’s acquisition of Mandiant, meanwhile. Richard suspects that is because Google is not likely to do anything with the company.

David walks us through the new White House national security strategy – and puts it in historical context.

Mark and I cross swords over PayPal’s determination to take my money for saying things Paypal doesn’t like. Visa and Mastercard are less upfront about their ability to boycott businesses they consider beyond the pale, but all money transfer companies have rules of this kind, he says. We end up agreeing that transparency, the measure usually recommended for platform speech suppression, makes sense for Paypal and its ilk, especially since they’re already subject to extensive government regulation.

Richard and I dive into the market for identity security. It’s hot, thanks to zero trust computing. Thoma Bravo is leading a rollup of identity companies. I predict security troubles ahead for the merged portfolio.

In updates and quick hits:

                                                      

Download the 426th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

We open today’s episode by teasing the Supreme Court’s decision to review whether section 230 protects big platforms from liability for materially assisting terror groups whose speech they distribute (or even recommend). I predict that this is the beginning of the end of the house of cards that aggressive lawyering and good press have built on the back of section 230. Why? Because Big Tech stayed out of the Supreme Court too long. Now, just when section 230 gets to the Court, everyone hates Silicon Valley and its entitled content moderators. Jane Bambauer, Gus Hurwitz, and Mark MacCarthy weigh in, despite the unfairness of having to comment on a cert grant that is two hours old.

Just to remind us why everyone hates Big Tech’s content practices, we do a quick review of the week’s news in content suppression.

  • A couple of conservative provocateurs prepared a video consisting of Democrats being “election deniers.” The purpose was to show the hypocrisy of those who criticize the GOP for a meme that belonged mainly to Dems until two years ago. And it worked. YouTube did a manual review before it was even released and demonetized the video because, well, who knows? An outcry led to reinstatement, too late for YouTube’s reputation. Jane has the story.
  • YouTube also steps in the same mess by first suppressing then restoring a video by Giorgia Meloni, the biggest winner of Italy’s recent election. She’s on the right, but you already knew that from how YouTube dealt with her.
  • Mark covers an even more troubling story, in which government officials point to online posts about election security that they don’t like, NGOs that the government will soon be funding take those complaints to Silicon Valley, and the platforms take a lot of the posts down. Really, what could possibly go wrong?
  • Jane asks why Facebook is “moderating” private messages by the wife of an FBI whistleblower. I suspect that this is related to the government and big tech’s hyperaggressive joint pursuit of anything related to January 6. But it definitely requires investigation.
  • Across the Atlantic, Jane notes, the Brits are hating Facebook for the content it let 14-year-old Molly Russell read before her suicide. Exactly what was wrong with the content is a little obscure, but we agree that the material served to minors is ripe for more regulation, especially outside the U.S.

For a change of pace, Mark has some largely unalloyed good news. The ITU will not be run by a Russian; instead it elected an American, Doreen Bodan-Martin to lead it.

Mark tells us that all the Sturm und Drang over tougher antitrust laws for Silicon Valley has wound down to a few modestly tougher provisions that have now passed the House. That may be all that can get passed this year, and perhaps in this Administration.

Gus gives us a few highlights from FTCland:

Jane unpacks a California law prohibiting cooperation with subpoenas from other states without an assurance that the subpoenas aren’t investigating abortions that would be legal in California. I again nominate California as playing the role in federalism for the twenty-first century that South Carolina played in the nineteenth and twentieth centuries and predict that some enterprising red state attorney general is likely to enjoy litigating the validity of California’s law – and likely winning.

Gus notes that private antitrust cases remain hard to win, especially without evidence, as Amazon and major book publishers gain the dismissal of antitrust lawsuits over book pricing.

Finally, in quick hits and updates:

I also note a large privacy flap Down Under, as the exposure of lots of personal data from a telco database seems likely to cost the carrier, and its parent dearly.

                                                                                                                           

Download the 424th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets

This episode features a much deeper, and more diverse, examination of the Fifth Circuit decision upholding Texas’s social media law. We devote the last half of the episode to a structured dialogue about the opinion between Adam Candeub and Alan Rozenshtein. Both have written about it already, Alan critically and Adam supportively. I lead off, arguing that, contrary to legal Twitter’s dismissive reaction, the opinion is a brilliant and effective piece of Supreme Court advocacy. Alan thinks that is exactly the problem; he objects to the opinion’s grating self-certainty and refusal to acknowledge the less convenient parts of past case law. Adam is closer to my view. We all seem to agree that the opinion succeeds as an audition for Judge Andrew Oldham to become Justice Oldham in the DeSantis Administration.

We walk through the opinion and what its critics don’t like, touching on the competing free expression interests of social media users and of the platforms themselves, whether there’s any basis for an injunction today, given the relative weakness of the overbreadth argument and the fundamental disagreement over whether “exercising editorial discretion” is a fundamental right under the first amendment or just an artifact of older technologies. Most intriguingly, we find unexpected consensus that Judge Oldham’s (and Clarence Thomas’s) common carrier argument may turn out to be the most powerful point in the opinion and when the case reaches the Court.

In the news roundup, we focus on the Congressional sprint to pass additional legislation before the end of the Congress. Michael Ellis explains the debate between the Cyberspace Solarium Commission alumni and business lobbyists over enacting a statutory set of obligations for systemically critical infrastructure companies. Adam outlines a strange-bedfellows bill that has united Sens. Amy Klobuchar (D-Minn.) and Ted Cruz (R-Texas) in an effort to give small media companies and broadcasters an antitrust immunity to bargain with the big social media platforms over the use of their content. Adam is a skeptic, Alan less so.

The Pentagon, reliably braver when facing bullets than a bad Washington Post story, is performing to type in the flap over fake social media accounts. Michael tells us that the accounts pushed pro-U.S. stories but met with little success before Meta and Twitter caught on and kicked them off their platforms. Now the Department of Defense is conducting a broad review of military information operations. I predict fewer such efforts and don’t mourn their loss.

Adam and I touch on a decision of Meta’s Oversight Board criticizing Facebook’s automated image takedowns. I offer a new touchstone for understanding content regulation at the Big Platforms: They just don’t care, so they’ve turned to whole project over to second-rate AI and second-rate employees.

Michael walks us through the Department of the Treasury’s new flexibility on sending communications software and services to Iran.

And, in quick hits, I note that:

                                                                                                                           

Download the 423rd Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

The big news of the week was a Fifth Circuit decision upholding Texas social media regulation law. It was poorly received by the usual supporters of social media censorship but I found it both remarkably well written and surprisingly persuasive. That does not mean it will survive the almost inevitable Supreme Court review but judge Oldham wrote an opinion that could be a model for a Supreme Court decision upholding Texas law.

The big hacking story of the week was a brutal takedown of Uber, probably by the dreaded Advanced Persistent Teenager. Dave Aitel explains what happened and why no other large corporation should feel smug or certain that it cannot happen to them. Nick Weaver piles on.

Maury Shenk explains the recent European court decision upholding sanctions on Google for its restriction of Android phone implementations.

Dave points to some of the less well publicized aspects of the Twitter whistleblower’s testimony before Congress. We agree on the bottom line – that Twitter is utterly incapable of protecting either U.S. national security or even the security of its users’ messages. If there were any doubt about that, it would be laid to rest by Twitter’s dependence on Chinese government advertising revenue.

Maury and Nick tutor me on The Merge, which moves Ethereum from “proof of work” to “proof of stake,” massively reducing the climate footprint of the cryptocurrency. They are both surprisingly upbeat about it.

Maury also lays out a new European proposal for regulating the internet of things – and, I point out, for massively increasing the cost of all those things.

China is getting into the attribution game. It has issued a report blaming the National Security Agency for intruding on Chinese educational institution networks. Dave is not impressed.

The Department of Homeland security, in breaking news from 2003, has been keeping the contents of phones it seizes on the border. Dave predicts that DHS will have to further pull back on its current practices. I’m less sure.

Now that China is regulating vulnerability disclosures, are Chinese companies reluctant to disclose vulnerabilities outside China? The Atlantic Council has a report on the subject, but Dave thinks the results are ambiguous at best.

In quick hits:

                                                                                                                           

Download the 422nd Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.