Our interview is with Alex Joel, former Chief of the Office of Civil Liberties, Privacy, and Transparency at the Office of the Director of National Intelligence. Alex is now at the American University law school’s Tech, Law, and Security Program. We share stories about the difficulties of government startups and how the ODNI carved out a role for itself in the Intelligence Community (hint: It involved good lawyering). We dive pretty deep on recent FISA court opinions and the changes they forced in FBI procedures. In the course of that discussion, I realize that every “reform” of intelligence dreamed up by Congress in the last decade has turned out to be a self-licking compliance trap, and I take back some of my praise for the DNI’s lawyering.

In the News Roundup, we’re inundated by serious new reports on cyberattacks. Dave Aitel admits that the hacking group he envies most is Turla, which was recently discovered to have totally pwned and stolen the entire attack infrastructure of an Iranian government team. Dave notes that Avast has succumbed to a second, far-reaching intrusion into its network, reminiscent of the last attack, which led to the company sending out a compromised CCleaner application: We may never know whether Avast got the intruder out, Dave suggests, but his hat is off to the company’s PR team. In still more pwnage news, Dave praises two new detailed reports from security companies: FireEye’s report on APT41’s combination of espionage and cybercrime and Crowdstrike’s report on amazingly successful Chinese efforts to steal aircraft intellectual property. And one more: Cyber Command has leaked the bare minimum of information designed to show that Iran’s strike against Saudi oil facilities did not go unpunished. Dave and I take our hats off to Iran’s PR team, which responded to the vague leak by claiming that Cyber Command “must have dreamt it.”

In other news, Gus Hurwitz breaks down a recent Ninth Circuit decision construing the Section 230 immunity for tools that filter content on the Internet. Remarkably, two judges thought that the immunity for preventing access to “objectionable” content would allow a company to cut off consumers’ access to its competitor’s products. Luckily, the two judges were a district court judge and the Ninth Circuit dissenter. But the close call shows how broadly the “objectionable” immunity sweeps. Which raises the question whether our trade agreements should broaden the immunity and turn it into international law that can’t be amended easily, or at all. That was a point of rare bipartisan agreement at a recent House hearing. But there’s no sign yet that Congress is going to reject the trade deals that do this. Gus and I also touch on the latest flaps over social media content monitoring.

Dan Podair explains what’s good and what’s missing from the California AG’s rules implementing California’s new, sweeping privacy act.

Poor Equifax: Just when they were hoping the worst had passed, the plaintiff’s bar doxxed even more embarrassing security failings. Dave offers this cold comfort: All the mistakes that were offered to show that Equifax security was bad could be found in pretty much any network in the country. More cold than comfort, Dave!

And, finally, we close with This Week in Puerile Jokes: All inspired, of course, by the UK Government’s decision to drop its plan to require ID to watch sex videos online.


Download the 283rd Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!


The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.