Header graphic for print

Steptoe Cyberblog

The Cyberlaw Podcast – The News Roundup

Posted in International, Security Programs & Policies

Cyberlaw Podcast alumnus Marten Mickos was called before the Senate Commerce Committee to testify about HackerOne’s bug bounty program. But the unhappy star of the hearings was Uber, which was heavily criticized for having paid out a large bonus under cloudy circumstances. Sen. Blumenthal and others on the Hill treated the payment as more ransom than bounty and pilloried Uber for not disclosing what they called a breach. Even Uber, under new management, was critical of its performance.

As the only cyberlaw podcast with a Davos correspondent, we ask Alan Cohn to give highlights of the event from a cybersecurity point of view. I bring the color commentary and snark.

With Microsoft Ireland case heading to argument, the Justice Department and Big Tech are hoping to head the Court off with a legislative solution. Jamil Jaffer explains what the CLOUD Act will do. I point out who’s missing from the Grand Coalition and question whether Big Privacy has the clout to stop the act.

Fancy Bear hackers seeking high-tech weapons data from US defense contractors get lucky – up to 40% of their phishing links strike paydirt. Michael Mutek explains what this likely means for the Defense Department – more regulation, probably. Whether more regs and more compliance will produce more security is the question no one can answer.

A cyberdiplomacy office is back from the dead, sort of:  Secretary Tillerson now says he’ll create a bureau for cyberspace headed by an Assistant Secretary. And, as Jamil explains, the fight switches to which undersecretary will oversee the office.

Nick Weaver and Jamil comment on the news that Justice has pulled in an impressive haul of cyber-fraudsters, bookended by doubts whether any hackers can ever be extradited from places like the UK and Ireland. Because, face it, how many can’t claim to be on the spectrum?

I close with a tribute to John Perry Barlow, who died last week. If you wanted to know how many women would fall for a combination Grateful Dead lyricist, technologist, and cowboy, John could tell you. Exactly.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 202nd Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

The Cyberlaw Podcast – Interview with Susan Landau

Posted in China, European Union, Privacy Regulation

Episode 201: Interview with Susan Landau

The crypto wars return to The Cyberlaw Podcast in episode 201, as I interview Susan Landau about her new book on the subject, Listening In: Cybersecurity in an Insecure Age. Susan and I have been debating each other for decades now, and this interview is no exception.

In the news roundup, Brian Egan and Nick Weaver join me for the inevitable mastication of the Nunes memo. (My take: the one clear scandal here is the way Glenn Simpson and Chris Steele treated the US national security apparatus, including the national security press, as just another agency to be lobbied – and the success they had in milking it for partisan advantage and private profit.)

Meanwhile, if you needed a reminder of just how enthusiastically and ham-handedly China conducts its espionage, just ask the African Union, whose Chinese-built headquarters is pwned from top to bottom.

Brian lays out a significant Ninth Circuit Anti-Terrorism Act case absolving Twitter of liability for providing “material assistance” to ISIS by requiring a more direct relationship between Twitter’s acts and the harm suffered by the private plaintiffs. Not a surprise, but a relief for Silicon Valley.

Nick fulminates about the security threat posed by a sophisticated recent malvertising campaign and wonders when enterprises will start requiring ad blockers on corporate internet software. In a related story, we wonder how much incentive Twitter really has to kill off its armies of fake followers.

Are the Dutch paying the price for punching above their weight in the cyberespionage game? And did American leaks kill their success? All we can do is speculate, unfortunately.

You know you’ve missed This Week in Sex Toy Security, so we bring it back to cover yet another internet-connected vibrator company trying to shake off a privacy class action. At least half of our audience will enjoy my stumbling effort to understand the appeal of the product.

Finally, as a sign that we’ve finally reached Peak Cybersecurity and Peak Privacy, both topics are ending up on the agendas of international trade negotiators.  The EU says its privacy rules are untouchable in negotiations (although other countries’ overly protectionist data flow policies are fair game) and the NAFTA negotiators have reportedly agreed to add to NAFTA cyber security “principles” based on the NIST Cyber Security Framework.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 201st Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

GDPR: Belgium sets up new Data Protection Authority

Posted in Data Breach, European Union, International, Privacy Regulation

On 10 January, the Belgian Gazette published the Law of 3 December 2017 “setting up the authority for data protection” (the Law).

The Law is the first legal text in Belgium applying various provisions of the EU’s General Data Protection Regulation (GDPR). Under the GDPR, EEA Member States must provide for one or more independent public authorities to be responsible for monitoring the application of the GDPR, in order to protect fundamental rights and freedoms of personal persons in relation to processing and to facilitate the free flow of personal data within the European Union. The Law therefore sets up a new “Data Protection Authority” (DPA), which, with effect from 25 May 2018, replaces the current body, the Commission for the Protection of Privacy (Privacy Commission).

Although not a “big player,” Belgium is often at the forefront of developments in EU law, including in the protection of privacy. The DPA’s predecessor, the Privacy Commission, has been an active data protection agency, for example it has also been one of several authorities across the EU which has sued social media providers.

The DPA will doubtless continue the Privacy Commission’s advisory role, but the Law also grants extensive powers to the DPA: it remains to be seen whether the DPA will merely exhort rather than enforce. Much will depend on the composition of its Executive Committee. The DPA will need to press for sufficient budget to attract the personnel necessary to exercise its powers and to burnish its image as a truly independent authority.

If the DPA does “show its teeth,” the Law’s extensive provisions on investigations by the DPA’s Inspection Service, preliminary measures by its Disputes Chamber and on the Chamber’s proceedings on the merits will become familiar reading. The rights of the defense and other safeguards guaranteed in the Law will be put to the test. The ultimate sanction is, however, loss of reputation: no serious economic operator wants to face allegations – often highly publicized – that it has been negligent in its protection of the personal data of its customers.

For a full review of the Law and the DPA’s powers, see our briefing.

CFIUS Reform: A Primer on the Key Changes Under Consideration

Posted in International

Key committees in the Senate and House have concluded initial hearings on the bill to reform the Committee on Foreign Investment in the United States (CFIUS), the Foreign Investment Risk Review Modernization Act of 2017 (FIRRMA). FIRRMA was introduced in the Senate and House by Senator Cornyn and Representative Pittenger with bipartisan cosponsors on November 9, 2017. CFIUS is the interagency US government body originally created by President Ford in 1975 to review the national security implications of foreign investment activity in the United States. CFIUS reviews foreign acquisitions, mergers, and takeovers of existing businesses in the United States for US national security concerns.

This advisory identifies key issues with the existing CFIUS process that have prompted calls for reform, the mechanisms that FIRRMA would create to address those issues, and some of the main criticisms of FIRRMA that have been registered by congressional witnesses and others thus far.

For more information, please see our advisory.

EU Court Denies Class Action for Data Protection in Schrems vs. Facebook Ireland Ltd – A Short-Lived Respite Until GDPR?

Posted in European Union, International, Privacy Regulation

In its judgment of January 26, the European Court interpreted EU rules on jurisdiction in a dispute referred from the Austrian Supreme Court between a ‘consumer’ – Maximilian Schrems – and Facebook Ireland Limited.

The Court would not accept the consumer’s choice of forum for a class-action type proceeding and held that, when interpreting EU rules on jurisdiction (consumer forum), the consumer forum cannot assert ‘claims assigned by other consumers.’  A person bringing legal proceedings might do so on behalf of others provided they do it as a consumer, i.e., on a ‘predominately non-professional’ basis. According to the Court, a consumer is protected only in so far as he is, in his personal capacity, the applicant or defendant in proceedings.

As expected, the Court confirms that the consumer must be able to challenge a social media provider in his country of domicile (Austria), rather than the provider’s (Ireland). Incidentally, this means he can also use his native language (German, not English). The Court does, however, interpret the consumer forum jurisdiction strictly, so as to prevent Mr. Schrems from using this forum where he is assignee of others’ claims. The Court appears to have been influenced by Mr. Schrems being assignee of enforcement rights of some 25,000 people worldwide, in addition to having become a well-known privacy campaigner.

Although the Court has denied class action through assignment of rights by consumers, such actions are possible in the EU, e.g. under unfair contract terms legislation which enables action through consumer associations (for example, Test Achats in Belgium and UFC-Que Choisir? in France).

Similarly, the General Data Protection Regulation, applicable from May 25, expressly creates a new class action available to consumers (data subjects), who will have the right to mandate a not-for-profit body organisation or association to act on their behalf: lodge a complaint, take legal action, and receive damages.

The Court’s judgment in this case is therefore merely a respite. Meantime, Mr. Schrems’ highly-publicised proceedings against Facebook before the Irish Courts continue.

Click here to find out more about our GDPR webinar series.

The Cyberlaw Podcast – Interview with Tim Maurer

Posted in Cybersecurity and Cyberwar, International

Episode 200: In which we turn fitness tracking into an entirely new 702 intelligence program

Whether they call it the fitbit or the “Ohsh*t!bit” governments are learning that the exercise internet of things is giving away their geospatial secrets at a rapid clip. Nick Weaver walks us through what most in the US would call a security disaster – and how it could become an intelligence bonanza. As an example of what can be done, Jeffrey Lewis highlights Taiwan’s secret cruise missile command center.

Of course, as soon as authoritarian governments learn to use fitbits to oppress their people, we can expect the European Union and the Wassenaar export control group to slap export controls on them. Meredith Rathbone reports on the effort to persuade Europe and Wassenaar not to throw the security industry out with the intrusion software. Turns out that progress is being made on both fronts.

Nick and I talk through the latest stories on Russian cyberspying. Meduza and Buzzfeed have a persuasive and dispiriting story about how Eugene Kaspersky might have been forced to cooperate with the Russian FSB. Looking at questions being raised about US firms allowing the Russians to inspect their source code, we conclude that Balkanization of cybersecurity products is a near certainty, with the only question being how many markets there will be.

Speaking of Russia, the Dutch, not prominent among hacking intelligence agencies until now, have apparently counted cybercoup on the Russians.

Meredith and I dig into the latest round in the European Court of Justice between Max Schrems and Facebook. We call it a draw, with special props to Facebook for creativity in arguing that Schrems is no longer a consumer because he’s obviously turned suing Facebook into a profession.

And, in an overdue event, jackpotting coming to an ATM near you.

Finally, in the interview, we talk to Tim Maurer, co-director of the Cyber Policy Initiative and author of the new book, “Cyber Mercenaries – The State, Hackers, and Power.”  Tim tells us the hidden story behind his book’s title and then jumps into a fascinating comparative study of how different governments try to control (or don’t) the hackers they recruit. Because it turns out that they all recruit hackers, just in very different ways.  Tim points out an increasing fad for having hackers from one country move to another country to ply their trade. (North Koreans to China; Chinese to Africa) and the additional deterrence options this offers the US government.

Steptoe partner Stewart Baker with Tim Maurer

As always The Cyberlaw Podcast is open to feedback.  Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 200th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

European Commission Keeps Up Pressure On GDPR

Posted in Data Breach, European Union, International, Privacy Regulation

The EU General Data Protection Regulation (GDPR) will apply to businesses operating in the EU from 25 May 2018 – in 100 days’ time.

Senior Commissioners Ansip (Digital Single Market) and Jourová (Justice) yesterday announced guidelines and other materials to “facilitate a direct and smooth application of the new data protection rules across the EU [and beyond] as of 25 May.” The guidance comprises a 17-page “communication” plus Q&A, an online tool, and factsheets. The Communication recaps the main innovations and opportunities opened up by the GDPR; takes stock of EU-level preparatory work; and outlines next steps for the Commission, national data protection authorities, and national governments. The Commission is raising the ante by recommending that EU governments now adapt their national legislation to the GDPR rules; data protection authorities apply the rules including through fines; and companies respect the new rules as at 25 May. The Commission itself will monitor the application of the new rules and “take appropriate actions, including proceedings against EU counties which fail to apply the new rules.”

Flavor of the month or more ominous?

We would say the latter and detect a concerted effort by the Commission and national DPAs to enforce quickly after the application date. The Commission will also want to report favorably on its and others’ enforcement efforts when reporting on the GDPR (in 2020).

This latest broadside also addresses the elephant in the room – Brexit. On 9 January, the Commission issued a notice warning all stakeholders processing personal data to consider the “legal repercussions” of Brexit. This note was not well received. The guidelines confirm that, as of the EU withdrawal date and subject to any transitional arrangement, the GDPR rules on transfers outside the EU, i.e. to “third countries,” will apply to the UK.

The Cyberlaw Podcast – News Roundup

Posted in Privacy Regulation, Security Programs & Policies

Episode 199: Untold stories of the 702 reauthorization

In this guestless episode, Michael Vatis, Markham Erickson, and Nick Weaver join me to roundup the news.  I explore the final results of the intense jockeying that led to passage of S. 139, which gave section 702 of FISA a new lease on life.  The administration did well, weathering the President’s tweets, providing a warrant process for backend searches that will likely be used once a year if that, and — almost without anyone noticing — pulling the unmasking reform provisions from the bill and substituting an ODNI rule.  My guess?  This was a tactic to make it easier for Dems to support the bill; if so, it worked.

And just in time, as the days after passage brought new whiffs of scandal, from the four-page House Republican memo alleging improprieties in the FBI’s FISA application to wiretap a Trump campaign hanger-on to two cases in which the FBI and NSA destroyed evidence they were supposed to be preserving.  Michael Vatis and I cross sword over whether the FISA abuse memo is worth taking seriously or just partisan flak.

Nick and I delve into the gigabytes of hacked data mislaid by another player in the phone hacking game – Lebanese intelligence.  Nick wonders if the data was obtained by EFF and Lookout by violating the Computer Fraud and Abuse Act.  I don’t.

The first known death by SWATting has yielded charges; the egregious SWATter for hire, SWauTistic, has been charged with involuntary manslaughter.

Almost as scary is the news that electric system malware is getting remarkably sophisticated, and common.

The Microsoft Ireland case will be argued next month, and there are dozens of amici briefs, including one by Michael Vatis, who lays out his direct appeal to Justice Gorsuch’s property-based view of the fourth amendment.

Matt Green (and Nick Weaver) have some questions for Apple about its moving China cloud data to a third party Chinese cloud provider.  I’ve got one too.  If treating Taiwan as a separate country from China leads to humiliating penalties for Western Companies, does that mean Apple can’t store Taiwanese and Hong Kong users outside China?

And, for once on the podcast, a sweet life-long love story, spelled out cryptographically.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 199th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

The Cyberlaw Podcast — Interview with Shane Harris

Posted in China, Data Breach, Government Contracts, Security Programs & Policies

Episode 198 — Interview with Shane Harris

It turns out that the most interesting policy story about Kaspersky software isn’t why the administration banned its products from government use. It’s why the last administration didn’t.  Shane Harris is our guest for the podcast, delving into the law and politics of the Kaspersky ban.  Along the way, I ask why the Foreign Sovereign Immunities Act, which allows suits against foreign governments for some torts committed in the United States, shouldn’t allow suits against foreign governments that hack computers located in the United States.

In the news, the House comfortably adopts a bill to reauthorized 702 surveillance; the Senate is expected to act today as well. While the House bill makes some changes to the law, it endorses the most moderate of the reform proposals.

In case you haven’t heard, Apple is handing off its iCloud operations to a local cloud storage company – with none of the histrionic civil liberties posturing the company displays in the United States.  Whose data is being transferred to the tender mercies of Chinese authorities? Who knows? Not Apple, which can’t even send out notices to its customers without getting confused about who’s covered by the new policy.

It’s a threepeat for state authority to make online companies collect sales tax from their customers.  The Supreme Court has agreed to reconsider a dormant commerce clause doctrine that it has already affirmed twice.

I apologize to Uber for snarking on their “bounty” payment of $100,000 to a hacker who exposes a serious security flaw and gained access to large amounts of personal data. A good New York Times article demonstrates that the decision to pay up was at least plausibly justified. But as if to demonstrate why the company never gets the benefit of the doubt, Bloomberg reports on Uber’s latest scofflaw-ware scandal. Luckily for journalists everywhere, Uber continues to adopt colorfully damaging nicknames for its scofflaware. In this case their product locked or deleted data sought by local law enforcement with the touch of a panic button. It was named, of course, after Sigourney Weaver’s character, Ripley, who declared that the only way to deal with an alien-infested installation was to “nuke it from orbit.”

Sheila Jackson-Lee gets an admiring mention for winning House passage of a cyber vulnerability disclosure bill that is probably nuanced enough to be adopted by the Senate as well.

And Deputy Attorney General Rosenstein makes a short pitch for “responsible” encryption that actually manages to move the debate forward a step.

Talk about 21st century warfare. Russia is claiming it fought off swarms of drones with cyberweapons. As Nick Weaver points out, that’s just the beginning.

Brian assesses the state of CFIUS reform legislation and the claim that Sen. Cornyn’s bill would result in CFIUS’s regulation of technology transfers that would be better addressed through export controls.

Finally, having already critiqued Apple and Uber, I feel obliged to offer equal time to Twitter, which remarkably can’t even identify advertisements that invite users to log on to fake Twitter sites and steal their credentials. If you want to understand the worst of Silicon Valley, I argue, you shouldn’t look to the big rich companies; it’s the struggling would-be unicorns who show what the Valley really cares about. And security ain’t it. Speaking of which, where is that Ad Transparency Center that Twitter promised any day now back in the fall of 2017?

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 198th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.

The Cyberlaw Podcast — Interview with Mara Hvistendahl

Posted in China, European Union, International, Privacy Regulation

Episode 197:  Interview with Mara Hvistendahl

While the US was transfixed by posturing over the Trump presidency, China has been building the future. Chances are you’ll find one part of that future – social credit scoring – both appalling in principle and irresistible in practice. That at least is the lesson I draw from our interview of Mara Hvistendahl, National Fellow at New America and author of the definitive article on the allure, defects and mechanics of China’s emerging social credit system.

In the news roundup, Nick Weaver dives deep on the Spectre and Meltdown security vulnerabilities while I try to draw policy and litigation implications from the debacle. TL;DR — this is bad, but the class actions will settle for pennies. Oh, and xkcd has all you need to know.

I note that US Customs and Border Protection under Trump has imposed new limitations on border searches of electronic devices. So naturally the press is all “Trump has stepped up border searches aggressively.” No good deed unpunished, as they say.

Maury Shenk explains President Macron’s latest plans to regulate cyberspace in the name of fighting Russian electoral interference and fake news. The Germans, meanwhile, have begun implementing their plan to fight hate speech on the internet. Predictably, it looks as though hate speech is winning.

In the litigation outrage of the month, a company called Keeper (apparently a competitor of LastPass and other password managers) got caught distributing software with a security flaw. So they did what any security-conscious company would – they sued the website that publicized the flaw for libel. It’s a crappy suit, and we should all hope they end up assessed with costs and fees. But the real question is this: Google found and disclosed the flaw, while Microsoft distributed Keeper to its users. When will they file as amici to say that no company with a mature security model files STFU libel suits against people who point out legitimate security problems?  TL;DR – Keeper: Loser.

Finally, Hal Martin pleads guilty to one of twenty-plus counts and takes a ten-year sentence. So far, so ordinary in the world of plea bargaining. But as Nick points out, this wasn’t a bargain.  Martin can still be tried and sentenced on all the other counts. And it effectively stipulates the maximum sentence for the one count he’s pleading guilty to. There must be a strategy here, but we can’t say for sure what it is.

As always The Cyberlaw Podcast is open to feedback. Send your questions, suggestions for interview candidates or topics to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.

Download the 197th Episode (mp3).

Subscribe to The Cyberlaw Podcast here. We are also on iTunes, Pocket Casts, and Google Play (available for Android and Google Chrome)!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.