Steptoe Cyberblog

The Cyberlaw Podcast — Interview with Megan Stifel

Posted in China, European Union, International, Privacy Regulation, Russia

Episode 222: In which I get to play that guy in line for the movie with Woody Allen

Our interview is with Megan Stifel, whose paper for Public Knowledge offers a new way of thinking about cybersecurity measures, drawing by analogy on the relative success of sustainability initiatives in spurring environmental consciousness. She holds up pretty well under my skeptical questioning.

In this week’s news, Congress and the Executive branch continue to fight over the bleeding body of ZTE, which has already lost nearly 40% of its market value. The Commerce Department has extracted a demanding compliance and penalty package from the Chinese telecom equipment manufacturer. The Senate, meanwhile, has amended the NDAA to overturn the package and re-impose what amounts to a death penalty (see section 1727). Brian Egan and I dig into the Senate’s language and conclude that it may do a lot less than the Senators think it does, and that may be the best news ZTE is going to get from Washington this year.

Judge Leon has approved the AT&T-Time Warner merger. Gus Hurwitz puts the ruling in context. His lesson: next time, the Justice Department needs better evidence.

Belgium Publishes Draft Law Implementing GDPR

Posted in International, Privacy Regulation

On June 12, Belgium’s Parliament published a draft law on the “protection of natural persons with regard to processing of personal data.”

The draft – comprising 280 Articles – has three objectives:

  • Legislate so-called “open clauses” of the General Data Protection Regulation, i.e. those clauses in the Regulation where EU Member States are free to legislate additional and complementary rules;
  • Implement into Belgian law the provisions of the “Police Directive” (“Directive 2016/680 on the protection of natural persons with regard to processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA”); and
  • Provide for various waivers and rules in relation to competent authorities and processing of personal data which are not within EU competence, for example data held by intelligence and security services.

The Government seeks urgent adoption of the text.

The Cyberlaw Podcast – News Roundup

Posted in China, Cybersecurity and Cyberwar, International, Uncategorized

Episode 221: Daugherty’s Revenge

The 11th Circuit’s LabMD decision is a dish served cold for Michael Daugherty, the CEO of the defunct company. The decision overturns decades of FTC jurisdiction, acquired over the years by a kind of bureaucratic adverse possession. Thanks to the LabMD opinion, practically all the FTC’s privacy and security consent decrees are at risk of being at least partly unenforceable — and if the dictum holds, the FTC may have to show that everything it views as an “unfair” lack of security is actually a negligent security practice.

The Cyberlaw Podcast – News Roundup

Posted in Cybersecurity and Cyberwar, European Union, International, Privacy Regulation

Episode 220: GDPR and the Typhoid Marys of the Internet

GDPR has finally arrived, Maury Shenk reminds us, bringing both expected and unexpected consequences. Among the expected: New Schrems lawsuits for more money from the same old defendants; and the wasting away of the cybersecurity resource that is WHOIS, as German courts ride to the rescue of insecurity — in the name of privacy.

Also probably to be expected, at least for those who have paid attention to the history of technology regulation: The biggest companies are likely to end up boosting their market dominance.

Less expected: The decision of some big US media to just say no to European readers, recognizing them as the Typhoid Marys of the Internet, carrying a painful and stupid regulatory infection to every site they visit.

In other unsurprising news, Gus Hurwitz and Megan Reiss note, Kaspersky has now lost both its lawsuits against US government bans in a single district court ruling.

In genuinely troubling news, Iran is signaling a willingness to attack US industrial controls, which run the electric grid and pipelines and sewage systems, using the same malware it used against the Saudis. Since Iran was willing to launch DDoS attacks on US banks the last time negotiations over its nuclear program hit a snag, this is a threat that needs to be taken seriously.

The good news is that the US government released two reports this week on how we’ll respond to both threats — cyberattacks on our grid and DDoS attacks on our web companies. The bad news is that both reports suck. If you were feeling optimistic before this, I argue, a close reading of the reports will leave you with a sinking feeling that this is the fourth administration in a row without a clue about how to deal with such attacks.

Dr. Megan Reiss and Stewart Baker

Quick Hits

Russia wants Apple’s help in subduing Telegram, Maury reports. I predict that Tim Cook will fold like a cheap lawn chair. I’m guessing that it’s really only American law enforcement that he’s willing to thwart.

North Korea is getting credit for peacemaking while spreading malware to US infrastructure. A lot of the attacks are enabled by phishing emails with news about the Trump-Kim summit. Which, come to think of it, may be the real reason Kim keeps turning the summit off and on: He’s got to generate clickbait for all those phishing emails.

Trump wants to relieve ZTE of its company-killing Commerce sanctions, but Congress may not let him. Hardest hit? Paul Ryan, who’ll have to decide whether to let the House take a free vote to thwart the President on national security grounds. At least that’s my quick assessment.

Gus takes us quickly through the next big security issue: IMSI catchers and SS7 exploitation. This is a big problem, or really two big problems, that is bound to get real media attention – just as soon as civil liberties groups figure out how to blame it on Trump.

In other news, I’ll be hosting a Reddit AMA on r/legaladvice on June 6 starting at 2pm ET. The best questions may be read in the next episode, so be sure to contribute. You can find more information in the announcement here.

Download the 220th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

The Cyberlaw Podcast — Interview with Nick Bilton

Posted in Security Programs & Policies

Episode 219: Nick Bilton, Ross Ulbricht, and the Silk Road Bust

This episode features a conversation with Nick Bilton, author of American Kingpin: The Epic Hunt for the Criminal Mastermind Behind the Silk Road. His book, out today in paperback, tells the story of Ross Ulbricht, the libertarian who created the hidden Tor site known as the Silk Road and rode it to massive wealth, great temptation, and, finally, a life sentence. It’s a fine read in its own right, but for those who know the federal government, the most entertaining parts concern the investigators who brought Ulbricht down. Each one has ambitions and flaws that mirror the stereotypes of their agencies, even – or perhaps especially – when the agents go bad. It’s got everything: sales of body parts, murder (maybe!), rogue cops, turf fights, and justice in the end.

Sadly, I predict this episode will generate more hate mail than any other. Why? You’ll have to listen to find out. Feel free to question my judgment with emails to CyberlawPodcast@steptoe.com.

Download the 219th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Send your questions and suggestions for topics or interview candidates to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

The Cyberlaw Podcast – News Roundup

Posted in China, International, Privacy Regulation, Security Programs & Policies

Episode 218: The Mugshots.com Case: California Crazy Meets European Crazy

In this episode, Markham Erickson highlights the Mugshots.com prosecution. The site had a loathsome business model, publishing mugshots for free and charging hundreds of bucks to people who wanted the record of their arrests taken down. Now the owners are being prosecuted in a case that combines the worst of European crazy (“surely criminals have a right to be forgotten”) and California crazy (“profits are being earned here – surely that calls for a criminal investigation”). Markham explains why this may be a hard case for California to win – and then joins me in expressing schadenfreude for the owners, whose mugshots are even now spread all across the internet.

Meanwhile, the ZTE mess gets messier as Congress moves to block President Trump’s proposed sanctions relief. Democrats are joining national security Republicans to move legislation on the topic. Who says President Trump is the divider-in-chief?

Michael Vatis digs into the FBI’s latest high-profile problem: it grossly overstated the number of encrypted phones it encountered last year. Was it a mistake or a misrepresentation? Our panel leans toward mistake.

Michael and I also criticize President Trump’s decision to dump government security for his phone. Michael reminds us of the President’s scathing treatment of Hillary Clinton’s insecure email server and asks why an insecure cell phone is different.

And in a new feature that we still haven’t made up our mind about, we do a lightning round of stories we couldn’t get to:

Download the 218th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Pocket Casts, Google Play, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Send your questions and suggestions for topics or interview candidates to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785. Remember: If your suggested interviewee appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Blockchain Takes Over The Cyberlaw Podcast

Posted in Blockchain, Virtual Currency

Episode 217: Blockchain Takes Over The Cyberlaw Podcast

In our 217th episode of The Cyberlaw Podcast, the blockchain and cryptocurrency team takes over the podcast again.

Alan Cohn hosts another of the podcast’s periodic deep dives into all things blockchain and cryptocurrency to discuss recent regulatory developments and the current state of play of the industry.

Our episode begins by looking at the Department of Treasury’s letter regarding initial coin offerings (“ICOs”). Jack Hayes tells us the key takeaways from the letter, including that persons engaged in ICOs could be considered a Money Transmitter under FinCEN’s regulations. Not only does the letter address companies based in the US that are issuing tokens, but also those based outside of the US that may have a substantial part of their business in the US or be issuing tokens to US persons. The idea that FinCEN can reach outside of the US border is not a new one. Last summer we saw a civil enforcement action against BTC-e, a foreign cryptocurrency exchange.

Jack and Alan also discuss the New York Attorney General’s recent voluntary transparency questionnaire sent to both US and non-US cryptocurrency exchanges. New York has seen its fair share of controversy with respect to cryptocurrency with the implementation of the BitLicense and the resulting exodus of a number of cryptocurrency companies.

Lisa Zarlenga provides an expert overview of the Internal Revenue Service’s (“IRS”) activity in the space starting with IRS Notice 2014-21. For tax purposes, convertible virtual currency (“CVC”) is treated as property, which means that every time you buy or sell CVC you are engaging in a taxable event and need to report capital gains or losses. The Notice did not provide much guidance on accounting for and determining basis of cryptocurrency. Lisa also discusses whether exchanging one cryptocurrency for another cryptocurrency is a like-kind exchange and how the 2018 Tax Reform Bill changes things. With the increasing popularity of airdrops, Lisa and Alan tell us about the tax treatment of tokens received during an airdrop.

Chelsea Parker discusses trends coming out of New York Blockchain Week 2018. Consensus 2018 was three times bigger than Consensus 2017 and there were almost three dozen other official conferences and events that were part of NY Blockchain Week. Needless to say, interest in blockchain appears to be at an all-time high, and there was a particularly high international presence. Government officials from countries such as Gibraltar and Bermuda highlighted their proactive steps to implement regulation while still encouraging innovation and protecting consumers. This idea of balancing regulation while still encouraging innovation was a common theme across panels.

Alan highlights Steptoe’s panel “Blockchain in Supply Chain, Navigating the Legal Waters” and the key questions discussed during Alan Cohn and Lisa Zarlenga’s presentations on the tax treatment of digital currencies and tokens at the Accounting Blockchain Coalition’s conference. Finally, the panelists highlight where they see the industry going next in terms of adoption and regulation. Lisa discusses the possibility of additional guidance from the IRS while Jack discusses the future of sovereign cryptocurrencies and the resulting regulatory challenges.

Chelsea Parker, Lisa Zarlenga, Alan Cohn, and Jack Hayes (left to right)

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 217th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

The Final Countdown – The EU General Data Protection Regulation

Posted in Data Breach, European Union, Privacy Regulation

The EU General Data Protection Regulation (GDPR) comes into force on May 25, 2018.

The GDPR makes many important changes to European Union (EU) data protection law, but it is not a complete departure from existing principles. Many of the concepts with which organizations are familiar will continue to apply under the GDPR. Thus, the GDPR will apply to the processing of personal data (information relating to an identified or identifiable natural person); processing includes the collection, recording, storage and structuring of that data or other operations performed with respect to it. However, one of the principal differences under the new regime relates to its extra territorial application.

In a recent Steptoe update, we therefore seek to address the questions of whether the GDPR will apply to your organization and, if so, what immediate steps need to be taken to ensure compliance.

The Cyberlaw Podcast – News Roundup

Posted in China, Cybersecurity and Cyberwar, Data Breach, Russia

Episode 216: Every President gets the White House he deserves

The Cyberlaw Podcast has now succumbed to an irresistible media trend: We begin the episode with a tweet from President Trump. In this one, he promises to get ZTE “back in business, fast.” Paul Rosenzweig and Nick Weaver provide the backstory, and a large helping of dismay, at the President’s approach to the issue.

I question the assumption that this will make the life of Chinese telecom equipment makers easier in the US. If anything it could be worse. The 2019 NDAA being drafted in the House will make it very difficult for telecom companies that do business with the Pentagon to rely on Chinese (or Russian) equipment (see page 259 et seq.). If anything, the President probably ensured a unanimous Democratic vote for the measure.

The cyber coordinator position in the White House is on the endangered list. Paul explains why it should survive. His take is not completely snark-free. Summing up the first two stories, I suggest that every President gets the White House he deserves.

Nick explains how badly American democracy could be harmed by a relatively trivial Russian (or Iranian, or North Korean) cyberattack on voter registration databases later in 2018. Indeed, they had a chance to launch such an attack in 2016, according to the Senate Intelligence Committee. This is an avoidable disaster if election officials take action now, I point out, but Paul doubts they will.

Paul and I lament the insouciance and ahistoricity of the Fourth Circuit’s new ruling adding half a dozen new judicial constraints to border searches of cell phones.

Speaking of cyberattacks, you’d better buckle up, because Iranian retribution for US withdrawal from the Joint Comprehensive Plan of Action is probably being prepared as you read this. And according to a highly educational Recorded Future/Insikt report, Iran’s semi-privatized hacking ecosystem is likely to err on the side of escalation.

The Iranians aren’t the only ones upping their game. Nick reports on an excellent Crowdstrike report on the new sophistication of Nigerian scammers.

We close with Nick’s dissection of the troubling code decisions underlying a pedestrian death caused by Uber’s autonomous vehicle.

The Cyberlaw Podcast is hiring a part-time intern for our Washington, DC offices.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 216th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

The Cyberlaw Podcast – Interview with Nicholas Schmidle

Posted in Cybersecurity and Cyberwar, Privacy Regulation, Security Programs & Policies

Episode 215: The Zelig of Hacking Back

Our interview is with Nick Schmidle, staff writer for the New Yorker. His report on cybersecurity work that goes to the edge of the law and beyond turns up some previously unreported material, including the tale of Shawn Carpenter, a cybersecurity researcher with a talent for showing up in all the best hackback stories.

In the news, Jamil Jaffer reports on domain fronting, a weird form of protection for people hiding the site they’re connecting to behind some bland Google or AWS site. Some of those people are dissidents in authoritarian lands; many are authoritarian governments hacking secrets out of corporate networks. In any event, domain fronting is disappearing before it had even made an impression on the public’s mind. I say good riddance, bolstered in my opinion by the wailing of professional privacy groups that (do I have to remind you?) don’t care about your security at all.

The Supreme Court takes a case of great interest to social media and other tech firms who attract class actions. Jennifer Quinn-Barabanov explains the law and the likely outcome. I mostly quibble about how to pronounce “cy pres.”

Move fast and break things probably isn’t the best motto if the thing you’re likely to break is, um, you. Megan Reiss talks about the death of Aaron Traywick, and the risks of bringing the hacking ethic to genetic engineering.

Europol and a host of allies were bragging last week about taking down ISIS’s online recruiting and propaganda infrastructure. But this week they’ve had to admit that ISIS is back on line. Jamil and I talk about what lessons can be drawn from cyber-whac-a-molery.

For Chinese phone makers, it never rains but it pours. Fresh off a ban on Chinese phones from US military retail stores, there may be even more pain in the works for ZTE and other Chinese mobile infrastructure providers.

Finally, Megan Reiss and I dig deep into Rep. Ruppersberger’s thoughtful take on cybersecurity, information sharing and DHS.

The Cyberlaw Podcast is hiring a part-time intern for our Washington, DC offices.

Jennifer Quinn-Barabanov with Dr. Megan Reiss

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 215th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.