
Steptoe Cyberblog

Episode 285: ByteDance bitten by CFIUS

Posted in CFIUS, China, International


We open the episode with David Kris’s thoughts on the two-years-late CFIUS investigation of TikTok, its Chinese owner, ByteDance, and ByteDance’s US acquisition of the lip-syncing company Musical.ly. Our best guess is that this unprecedented reach-back investigation will end in a more or less precedented mitigation agreement.


Episode 284: A throuple can keep a secret – if a couple of them are dead

Posted in China, International



You knew we’d go there. I talk about Congresswoman Katie Hill’s “throuple” pics and whether the rush to portray her as a victim of revenge porn raises questions about revenge porn laws themselves. Paul Rosenzweig, emboldened by twin tweets – from President Trump calling Never-Trumpers like him “human scum” and from Mark Hamill welcoming him to the Rebel Scum Alliance – takes issue with me.


Episode 283: Is intelligence “reform” a self-licking ice cream cone and compliance trap?

Posted in Cybersecurity and Cyberwar, International, Privacy Regulation, Security Programs & Policies


Our interview is with Alex Joel, former Chief of the Office of Civil Liberties, Privacy, and Transparency at the Office of the Director of National Intelligence. Alex is now at the American University law school’s Tech, Law, and Security Program. We share stories about the difficulties of government startups and how the ODNI carved out a role for itself in the Intelligence Community (hint: It involved good lawyering). We dive pretty deep on recent FISA court opinions and the changes they forced in FBI procedures. In the course of that discussion, I realize that every “reform” of intelligence dreamed up by Congress in the last decade has turned out to be a self-licking compliance trap, and I take back some of my praise for the DNI’s lawyering.


The California Attorney General’s CCPA Regulations: Clarity or More Questions?

Posted in Privacy Regulation

Last week, California Attorney General Xavier Becerra released much-anticipated regulations implementing and interpreting the California Consumer Privacy Act (CCPA). Given the Attorney General’s responsibility for enforcement and the many open questions surrounding the CCPA, even after another round of amendments was passed last month, businesses have been eagerly waiting for the draft regulations to be released. The draft regulations provide much-needed clarity on key aspects of the CCPA but also create additional and potentially burdensome requirements for businesses under the CCPA’s jurisdiction. Before becoming final, the draft regulations will go through a notice and comment period. The CCPA goes into effect on January 1, 2020, but with the draft regulations not expected to become final until the first half of 2020, enforcement likely will not commence until July 1, 2020.

The Draft Regulations

The draft regulations comprise seven articles clarifying or adding to various existing components of the CCPA. In particular, the draft regulations:

  • Clarify and define additional terms used in the CCPA
  • Clarify and expand on consumer notice requirements, including notice at the point of collection of personal information; notice of consumers’ right to opt-out of the sale of their personal information; notice of financial incentives; and privacy policy notices
  • Clarify and expand on the processes for handling and responding to consumer requests, including a new record keeping requirement
  • Detail the processes through which a business should verify consumer requests
  • Discuss mechanisms a business must use to receive opt-in permission to sell the personal information of minors
  • Clarify and expand on the CCPA’s prohibition of discriminatory practices, including the calculation of the value of a consumer’s personal information

Key Components

For businesses hoping that the Attorney General would clarify and potentially even limit some of the CCPA’s requirements, the draft regulations are a mixed bag.

Businesses will be pleased by many components of the draft regulations. For example, the draft regulations provide businesses with a clear framework for verifying consumer requests, a much-needed clarification of a key component of the CCPA. To verify a consumer request through an existing password-protected account, a business may use normal authentication procedures. For verification of non-accountholders, the draft regulations require a business to verify the identity of a consumer either with a reasonable degree of certainty (by matching at least two pieces of personal information provided by a consumer with their existing records) or a reasonably high degree of certainty (by matching at least three pieces of personal information provided by the consumer with their existing records and receiving a signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request) depending on the nature of the consumer request. In addition, the draft regulations permit businesses to provide disclosures at the point of collection of personal information and of financial incentives through a link to their privacy policy under certain circumstances.

On the other hand, the draft regulations also add to many of the CCPA’s requirements and force businesses to undertake additional measures. For example, one of the most notable additions found in the draft regulations requires businesses wishing to offer consumers a financial incentive for their personal information to calculate the value of a consumer’s personal information and justify the financial incentive under the CCPA. In addition, the draft regulations contain detailed record keeping requirements for businesses’ handling of consumer requests.

Businesses should continue to monitor the status of the draft regulations as the notice and comment process begins. Businesses currently engaging in CCPA compliance efforts should also recognize that the draft regulations, while powerful guidance, are subject to change.

Episode 282: Has China opened a quantum hype lead over the US?

Posted in China, International


Our interview is with Sultan Meghji, CEO of Neocova. We cover the large Chinese investment in quantum technology and what it means for the United States. It’s possible that Chinese physicists are even better than American physicists at extracting funding from their government. Indeed, it looks as though some quantum tech, such as the use of entangled particles to identify eavesdropping, may turn out to have dubious military value. But not all. Sultan thinks the threat of special purpose quantum computing to break encryption poses a real, near-term threat to US financial institutions’ security.


Episode 281: Can the European Union order Twitter to silence President Trump?

Posted in China, European Union, International, Privacy Regulation


Today’s episode opens with a truly disturbing bit of neocolonial judicial lawmaking from the Court of Justice of the European Union. The CJEU ruled that an Austrian court can order Facebook to take down statements about an Austrian politician. Called an “oaf” and a “fascist,” the politician more or less proved the truth of the accusations by suing to keep that and similar statements off Facebook worldwide. Trying to find allies for my proposal to adopt blocking legislation to protect the First Amendment from foreign government interference, I argue that President Trump should support such a law. After all, if he were ever to insult a European politician on Twitter, this ruling could lead to litigation that takes his Twitter account off the air. True, he could criticize the judges responsible for the judgment as “French” or “German” without upsetting CNN, but that would be cold comfort. At last, a legislative and international agenda for the Age of Trump!


Episode 280: Challenging Edward Snowden

Posted in International


In this episode I cross swords with John Samples of the Cato Institute on Silicon Valley’s efforts to disadvantage conservative speech and what to do about it. I accuse him of Panglossian libertarianism; he challenges me to identify any way in which bringing government into the dispute will make things better. I say government is already in it, citing TikTok’s PRC-friendly “community standards” and Silicon Valley’s obeisance to European standards on hate speech and terror incitement. Disagreeing on how deep the Valley’s bias runs, we agree to put our money where our mouths are: I bet John $50 that Donald J. Trump will be suspended or banned from Twitter by the end of the year in which he leaves office.

There’s a lot of news in the Roundup. David Kris explains the background of the first CLOUD Act agreement that may be signed this year with the UK.

Nate Jones and I ask, “What is the president’s beef with CrowdStrike, anyway?” And find a certain amount of common ground on the answer.

This Week in Counterattacks in the War on Terror: David and I recount the origins and ironies of Congress’s willingness to end the NSA 215 phone surveillance program. We also take time to critique the New York Times’s wide-eyed hook-line-and-sinker ingestion of an EFF attack on the FBI’s use of National Security Letters.

Edward Snowden’s got a new book out, and the Justice Department wants to make sure he never collects his royalties. Nate explains. I’m just relieved that I will be able to read it without having to shoplift it. And it seems to be an episode for challenges, as I offer Snowden a chance to be interviewed on the podcast – anytime, anywhere, Ed!

Matthew Heiman explains the latest NotPetya travail for FedEx: A shareholder suit alleging that the company failed to disclose how much damage the malware caused to its ongoing business.

Evan Abrams gives a hint about the contents of Treasury’s 300-page opus incorporating Congress’s overhaul of CFIUS into the CFR.

I credit David for inspiring my piece questioning how long end-to-end commercial encryption is going to last, and we note that even the New York Times seems to be questioning whether Silicon Valley’s latest enthusiasm is actually good for the world.

Matthew tells us that China may have a new tool in the trade war – or at least to keep companies toeing the party line: The government is assigning social credit scores to businesses.

Finally, Matthew outlines France’s OG take on international law and cyber conflict. France opens up some distance between its views and those of the United States, but everyone will get a chance to talk at even greater length on the topic, as the UN gears up two different bodies to engage in yet another round of cyber-norm-building.


Download the 280th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed!

As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!


The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

Episode 279: Blockchain Takes over the Podcast

Posted in Blockchain


In our 279th episode of The Cyberlaw Podcast, the Blockchain Group takes over the podcast. Host Alan Cohn is joined by Gary Goldsholle, Will Turner, and Evan Abrams to discuss:

  • The SEC has issued its second token-related no-action letter to Pocketful of Quarters, Inc., giving more guidance and opening a number of issues.
  • The SEC has brought a double-headed complaint against ICOBOX, an entity that both conducted an initial coin offering (ICO) and facilitated ICOs for others.
  • The US has brought the Financial Action Task Force along on its travel rule adventure.
  • The SEC and FINRA have custody guidance.
  • FinCEN has guidance on convertible virtual currencies.
  • The SEC has brought a complaint against FantasyCoin for what amounts to sheer, brazen fraud.
  • The SEC settlement for a digital health company, with Steptoe as counsel, shows the SEC’s willingness to work with companies that voluntarily remediate errors.


Download the 279th Episode (mp3).



Episode 278: Will international trade law prevent the US from regulating the security of the Internet of Things?

Posted in International, Security Programs & Policies


Joel Trachtman thinks it’s a near certainty that the WTO agreements will complicate US efforts to head off an IoT cybersecurity meltdown, and there’s a real possibility that a US cybersecurity regime could be held to violate our international trade obligations. Claire Schachter and I dig into the details of the looming disaster and how to avoid it.

In the news, Paul Rosenzweig analyzes the Ninth Circuit holding that scraping publicly available information doesn’t violate the CFAA.

The California legislature has adjourned, leaving behind a smoking ruin where Silicon Valley’s business models used to be. Mark MacCarthy elaborates: One new law would force companies like Uber and Lyft (and a boatload more) to treat workers as employees, not contractors. Another set of votes has left the California Consumer Privacy Act more or less unscathed as its 2020 effective date looms. Really, it’s beginning to look as though even California hates Silicon Valley.

Klon Kitchen and I discuss the latest round of Treasury sanctions on North Korean hacking groups. The sanctions won’t hit anyone in North Korea, but they might affect a few of their enablers on the Internet. The real question, though, is this: Since sanctions violations are punishable even when they aren’t intentional, will US companies whose money is stolen by the Lazarus Group be penalized for having engaged in a prohibited transaction with a sanctioned party? Maybe the Lazarus Group should steal a license too, just to be sure.

Klon also lays out in chilling detail what the Russians were really trying to do to Ukraine’s grid – and the growing risk that someone is going to launch a destructive cyberattack that leads to a cycle of serious real-world violence. The drone attack on Saudi oil facilities shows how big that risk can be.

Paul examines reports that Israel planted spy devices near the White House. He thinks it says more about the White House than about Israel.

Paul also reports on one of the unlikelier escapades of students from his alma mater: Trading 15 minutes at the keyboard for a lifetime of trouble on their permanent records. The lesson? If you try to access the president’s tax data online, you’re going to jail, prank or not.

I walk back the deepfake voice scam story, but Klon points out that it reflects a future that is coming for us soon, if not today.

Proving the old adage about a fool for a lawyer, the Mar-a-Lago trespasser has been found guilty after an ineffective pro se defense.

Klon digs into the long and thoughtful op-ed by NSA’s Glenn Gerstell about the effects of the “digital revolution” on national security.

I note the recent Carnegie report trying to move the encryption debate forward. I also plug my upcoming speech in Israel on the topic.


Download the 278th Episode (mp3).


Episode 277: Bankrupting National Security?

Posted in China, European Union, International


Camille Stewart talks about a little-known national security risk: China’s propensity to acquire US technology through the bankruptcy courts and the many ways in which the bankruptcy system isn’t set up to combat improper tech transfers. Published by the Journal of National Security Law & Policy, Camille’s paper is available here. Camille has enjoyed great success in her young career working with the Transformative Cyber Innovation Lab at the Foundation for Defense of Democracies, as a Cybersecurity Policy Fellow at New America, and as a 2019 Cyber Security Woman of the Year, among other achievements. We talk at the end of the session about life and advancement as an African American woman in cybersecurity.

Want to hear more from Camille on this topic? She’ll be speaking Friday, September 13, at a lunch event hosted by the Foundation for Defense of Democracies. She’ll be joined by fellow panelists Giovanna Cinelli, Jamil Jaffer, and Harvey Rishikof, along with moderator Dr. Samantha Ravich. The event will be livestreamed at www.fdd.org/events. If you would like to learn more about the event, please contact Abigail Barnes at FDD. If you are a member of the press, please direct your inquiries to press@fdd.org.
