A special reminder that we will be doing episode 400 live on video and with audience participation on March 28, 2022 at noon Eastern daylight time. So mark your calendar and when the time comes, use this link to join the audience:

https://riverside.fm/studio/the-cyberlaw-podcast-400

See you there!


For the third week in a row, we lead with cyber and Russia’s invasion of Ukraine. Paul Rosenzweig comments on the most surprising thing about social media’s decoupling from Russia – how enthusiastically the industry is pursuing the separation. Facebook is allowing Ukrainians to threaten violence against Russian leadership and removing or factchecking Russian government and media posts. Not satisfied with this, the EU wants Google to remove Russia Today and Sputnik from search results. I ask why the U.S. can’t take over Facebook and Twitter infrastructure to deliver the Voice of America to Facebook and Twitter users who’ve been cut off by their departure. Nobody likes that idea but me. Meanwhile, Paul notes that The Great Cyberwar that Wasn’t could still make an appearance, citing Ciaran Martin’s sober Lawfare piece.

David Kris tells us that Congress has, after a few false starts, finally passed a cyber incident reporting bill, notwithstanding the Justice Department’s over-the-top histrionics in opposition. I wonder if the bill, passed in haste due to the Ukraine conflict, should have had another round of edits, since it seems to lock in a leisurely reg-writing process that the Cybersecurity and Infrastructure Security Agency (CISA) can’t cut short.

Jane Bambauer and David unpack the first district court opinion considering the legal status of “geofence” warrants – where Google gradually releases more data about people whose phones were found near a crime scene when the crime was committed. It’s a long opinion by Judge M. Hannah Lauck, but none of us finds it satisfying. As is often true, Orin Kerr’s take is more persuasive than the court’s.

Next, Paul Rosenzweig digs into Biden’s cryptocurrency executive order. It’s not a nothingburger, he opines, but it is a processburger, meaning that nothing will happen in the field for many months, but the interagency mill will begin to grind, and sooner or later will likely grind exceeding fine.

Jane and I draw lessons from WIRED’s “expose” on three wrongful arrests based on face recognition software, but not the “face recognition is Evil” lesson WIRED wanted us to draw. The arrests do reflect less than perfect policing, and are a wrenching view of what it’s like for an innocent man to face charges that aren’t true. But it’s unpersuasive to blame face recognition for mistakes that could have been avoided with a little more care by the cops.

David and I highly recommend Brian Krebs’s great series on what we can learn from leaked chat logs belonging to the Conti ransomware gang. What we learned from the Conti leaks. My favorite insight was the Conti member who said, when a company resisted paying to keep its files from being published, that “There is a journalist who will help intimidate them for 5 percent of the payout.” I suggest that our listeners crowdsource an effort to find journalists who might fit this description. It might not be hard; after all, how many journalists these days are breaking stories that dive deep into doxxed databases?

Paul and I spend a little more time than it deserves on a proposal for the Internet community about ways to block Russia from the network.

Jane gives a lick and a promise to the Open App Markets bill coming out of the Senate Judiciary Committee. I alert the ACLU to a shocking porcine privacy invasion.

Having saved Scarlett Johansson for last, I discover that none of the other panelists is surprised that 15% of people have already had sex with a robot but all of them find the idea of falling in love with a robot preposterous.

                                                                                                                                     

Download the 398th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Much of this episode is devoted to the new digital curtain falling across Europe. Gus Horwitz and Mark-MacCarthy review the tech boycott that has seen companies like Apple, Samsung, Microsoft and Adobe pull their service from Russia. Nick Weaver describes how Russia cracked down on independent Russian media outlets and blocked access to the websites of foreign media including the BBC and Facebook. Gus reports on an apparent Russian decision to require all servers and domains to transfer Russian zone, thereby disconnecting itself from the global internet.

Mark describes how private companies in the U.S. have excluded Russian media from their systems, including how DirecTV’s decision to drop RT America led the Russian 24-hour news channel to shutter its operations. In contrast, the EU officially shut down all RT and Sputnik operations, including their apps and websites. Nick wonders if the enforcement mechanism is up to the task of taking down the websites. Gus, Dave and Mark discuss the mythmaking in social media about the Ukrainian war such as the Ghost of Kyiv, and wonder if fiction might do some good to keep up the morale of the besieged country.

Dave Aitel reminds us that despite the apparent lack of cyberattacks in the war, more might be going on under the surface. He also he tells us more about the internal attack that affected the Conti Ransomware gang when they voiced support for Russia. Nick opines that cryptocurrencies do not have the volume to serve as an effective way around the financial sanctions against Russia. Sultan Meghji agrees that the financial sanctions will accelerate the move away from the dollar as the world’s reserve currency and is skeptical that a principles-based constraint will do much good to halt that trend.

A few things happened other than the war in Ukraine, including President Biden’s first state of the union address. Gus notices that much of the speech was devoted to tech. He notes that the presence in the audience of Frances Haugen, the Facebook whistleblower, highlighted Biden’s embrace of stronger online children’s privacy laws and that the presence of Intel CEO Patrick Gelsinger gave the President the opportunity to pitch his plan to support domestic chip production.

Sultan and Dave discuss the cybersecurity bill that passed out of the Senate unanimously. It would require companies in critical sectors to report cyberattacks and ransomware to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). They also analyze the concerns that companies have about providing information to the FBI. Dave thinks the bills that were discussed in this week’s House Commerce hearing to hold Big Tech accountable, respond to wide-spread public concerns about tech’s surveillance business model, but still he thinks they are unlikely to make it through the process to become law.

Gus says that Amazon’s certification that it has responded to the Federal Trade Commission’s inquiries about its proposed $6.5 billion MGM merger triggers a statutory deadline for the agency to act. It is not the company’s fault, he says, that the agency has a 2-2 between Democrats and Republicans that will likely prevent them opposing the merger in time. I take the opportunity to note that the Senate Commerce committee sent the nominations of Alvaro Bedoya for the Federal Trade Commission and Gigi Sohn for the Federal Communications Commission to the Senate floor, but that it would likely be several months before the full Senate would act on the nominations.

Finally, Nick argues that certain measures in the European Commission’s proposed digital identity framework, aiming to improve authentication on the web, would in practice have the opposite effect of dramatically weakening web security.

                                                                                                           

Download the 397th Episode (mp3).

 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

 

 

Much of this episode is devoted to how modern networks and media are influencing what has become a major shooting war between Russia and Ukraine. Dmitri Alperovitch gives a sweeping overview. Ukraine and its President, Volodymyr Zelensky, clearly won the initial stages of the war in cyberspace, turning broad Western sympathy into a deeper commitment with short videos from downtown Kyiv at a time when Zelensky was expected to be racing for the border. The narrative of determined Ukrainian resistance and hapless Russian arrogance was set in cement by the end of the week, and Zelensky’s ability to casually dial in to EU ministers’ meetings (and just as casually say that this might be the last time the ministers saw him alive) changed official Europe’s view of the conflict permanently. Putin’s failure to seize Ukraine’s capital and telecom facilities in the first day of the fight may mean a long, grinding conflict.

Russia is doing its best to control the narrative on Russian networks by throttling Facebook, Twitter, and other Western media. And it’s essentially telling those companies that they need to distribute pro-Russian media in the West if they want a future in Russia. Dmitri believes that that’s not a price Silicon Valley will pay for access to a country where every other bank and company is already off-limits due to Western sanctions. Jane Bambauer weighs in with the details of Russia’s narrative-control efforts – and their failure.

And what about the cyber-attacks that press coverage led us to expect in this conflict between two technically capable adversaries? Nate Jones and Dmitri agree that, while network wiping and ransomware have occurred, their impact on the battle has not been obvious. Russia seems not to have sent its A-team to take down any of Ukraine’s critical infrastructure. Meanwhile, as Western nations pledge more weapons and more sanctions, Russian cyber reprisals have been scarce, perhaps because Western counter-reprisals are clearly being held in reserve.

All that said, and despite unprecedented financial sanctions and export control measures, initiative in the conflict remains with Putin, and none of the panel is looking forward to finding out how Putin will react to Russia’s early humiliations in cyberspace and on the battlefield.

In other tech news, the EU has not exactly turned over a new leaf when it comes to milking national security for competitive advantage over U.S. industry. Nate and Jane unpack the proposed European Data Act, best described as an effort to write a GDPR (General Data Protection Regulation) for nonpersonal data. And, as always, as a European effort to regulate a European tech industry into existence.

Nate and I dig into a Foreign Affairs op-ed by Chris Inglis, the Biden administration’s National Cyber Director. It calls for a new Cyber Social Contract between government and industry. I CTRL-F for “regulation” and don’t find the word, likely thanks to White House copy editors, but the op-ed clearly thinks that more regulation is the key to ensuring public-private cooperation.

Jane reprises a story from the estimable “Rest of World” tech site.  It turns out that corrupt and abusive companies and governments have better tools for controlling their image than Vladimir Putin – all thanks to the European Parliament and the U.S. Congress, which approved GDPR and the Digital Millennium Copyright Act respectively. These turn out to be great tools for suppressing stories that make third-world big shots uncomfortable. I remind the audience once again that Privacy mainly Protects the Privileged and the Powerful.

In closing, Jane and I catch us up on the IRS’s latest position on face recognition – and the wrongheadedness of the NGOs campaigning against the technology.

                                                                                                                                                    

Download the 396th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets

  • Troops and sanctions and accusations are coming thick and fast in Ukraine as we record the podcast. Michael Ellis draws on his past experience at the National Security Council (NSC) to guess how things are going at the White House, and we both speculate on whether the conflict will turn into a cyberwar that draws the United States in. Neither of us thinks so, though for different reasons.
  • Meanwhile, Nick Weaver reports, the Justice Department is gearing up for a fight with cryptocurrency criminals. Nick thinks it couldn’t happen to a nicer industry. Michael and I contrast the launching of this initiative with the slow death of the China initiative at the hands of a few botched prosecutions and a whole lot of anti-American racial political correctness.
  • Speaking of political correctness, Michael and I do a roundup of news (all bad) about face recognition. District Judge Sharon Johnson Coleman (ND IL) gets our prize for least persuasive first amendment analysis of the year in an opinion holding that collecting and disclosing public data about people (what their faces look like) can be punished with massive civil liability even if no damages have been shown. After all, the judge declares in an analysis that covers a full page and a half (double-spaced), the Illinois law imposing liability “does not restrict a particular viewpoint nor target public discussion of an entire topic.” But not to worry; the first amendment is bound to get a heavy workout in the next big face recognition lawsuit – the Texas Attorney General’s effort to extract hundreds of billions of dollars from Facebook for similarly collecting the face of their users. My bet? This one will make it to the Supreme Court. Next, we review the IRS’s travails in trying to use face recognition to verify taxpayers who want access to their returns. I urge everyone to read my latest op-ed in the Washington Post criticizing the Congressional critics of the effort. Finally, I mock the wokesters at Amnesty International who think that people who live in high-crime New York neighborhoods should be freed from the burden of being able to identify and jail street criminals using facial recognition. After all, if facial recognition were more equitably allocated, think of the opportunity to identify Staten Island scofflaws who let their dogs poop on the sidewalk.
  • Nick and I dig into the pending collision between European law enforcement agencies and privacy zealots in Brussels who want to ban EU use of NSO’s Pegasus surveillance tech. Meanwhile, in a rare bit of good news for Pegasus’s creator, an Israeli investigation is now casting doubt on press reports of Pegasus abuse.
  • Finally, Michael and I mull over the surprisingly belated but still troubling disclosures about just how opaque TikTok has made its methods of operation. Two administrations in a row have started out to do something about this suspect app, and neither has delivered – for reasons that demonstrate the deepest flaws of both.

                                                                                                                                     

Download the 395th Episode (mp3)

 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

The Cyberlaw Podcast has decided to take a leaf from the (alleged) Bitcoin Bandits’ embrace of cringe rap. No more apologies. We’re proud to have been cringe-casting for the last six years. Scott Shapiro, however, shows that there’s a lot more meat to the bitcoin story than embarrassing social media posts. In fact, the government’s filing after the arrest of Ilya Lichtenstein and Heather Morgan paints a forbidding picture of how hard it is to actually cash $4.5 billion in bitcoin. That’s what the government wants us to think, but it’s persuasive nonetheless, and both Scott and David Kris recommend it as a read.

Like the Rolling Stones performing their greatest hits from 1965 on tour this year, U.S. Senator Ron Wyden of Oregon is replaying his favorite schtick from 2013 or so – complaining that the government has an intelligence program that collects some U.S. person data under a legal theory that would surprise most Americans. Based on the Privacy and Civil Liberties Oversight Board staff recommendations, Dave Aitel and David Kris conclude that this doesn’t sound like much of a scandal, but it may lead to new popup boxes on intel analysts’ desktops as they search the resulting databases.

In an entirely predictable but still discouraging development, Dave Aitel points to persuasive reports from two forensics firms that an Indian government body has compromised the computers of a group of Indian activists and then used its access not just to spy on the activists but to load fake and incriminating documents onto their computers.

In the EU, meanwhile, crisis is drawing nearer over the EU General Data Protection Regulation (GDPR) and the European Court of Justice decision in the Schrems cases. David Kris covers one surprising trend. The Court may have been aiming at the United States, but its ruling is starting to hit European companies who are discovering that they may have to choose between Silicon Valley services and serious liability. That’s the message in the latest French ruling that websites using Google Analytics are in breach of GDPR. Next to face the choice may be European publishers who depend on data-dependent advertising whose legality the Belgian data protection authority has gravely undercut.

Scott and I dig into the IRS’s travails in trying to implement facial recognition for taxpayer access to records. I reprise my defense of face recognition in Lawfare. Nobody is going to come out of this looking good, Scott and I agree, but I predict that abandoning facial recognition technology is going to mean more fraud as well as more costly and lousier service for taxpayers.

I point to the only place Silicon Valley seems to be innovating – new ways to show conservatives that they should just die already. Airbnb has embraced the Southern Poverty Law Center, whose business model is labeling mainstream conservative groups as “hate” mongers. It told Michelle Malkin that her speech at a SPLC “hate” conference meant that she was forever barred from using Airbnb – and so was her husband. By my count that’s guilt by association three times removed. Equally remarkable, Facebook is now telling Bjorn Lonborg that he cannot repeat true facts if he’s using them to support the Wrong Narrative. We’re not in content moderation land any more if truth is not a defense, and tech firms that supply real things for real-life can deny them to people whose views they don’t like.

Scott and I unpack the EARN IT Act (Eliminating Abusive and Rampant Neglect of Interactive Technologies Act), again reported out of committee with a chorus of boos from privacy NGOs. We also note that supporters of getting tough on the platforms over child sex abuse material aren’t waiting for EARN IT. A sex trafficking lawsuit against Pornhub has survived a section 230 challenge.

                                                                                                       

Download the 394th Episode (mp3)

 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Another week, another industry-shaking antitrust bill from Senate Judiciary:  This time, it’s the Open App Store Act, and Mark MacCarthy reports that it’s got more bipartisan support than the last one. Maybe that’s because there are only two losers, and only one big loser: Apple. The bill would force an end to Apple’s app store monopoly. Apple says that would mean less privacy and security for users; Mark thinks there’s something to that, but Bruce Schneier thinks that’s hogwash. Our panel is mostly on Bruce’s side of the debate.”

Meanwhile, Apple’s real contribution to the debate is the enormous middle finger it’s extending to other regulators trying to rein in Apple’s app store fees.

Megan Stifel reports that Anne Neuberger, the deputy national security adviser for cyber issues, has been traveling Europe to beef up our allies’ cyber defenses as a Russian war looms in Ukraine. Details about how she’s doing that are unsurprisingly sparse.

Meanwhile, Europe is finally coming to grips with the logical consequences of the EU General Data Protection Regulation (GDPR) for the internet as we know it. Turns out, the whole thing is illegal in the EU. The Belgian data protection authority brought down a big chunk of the roof in holding the IAB liable for adtech bidding procedures that violate the GDPR. And a German court fined some poor website for using Google fonts, which are downloaded from Google and tell that company (located in *gasp* America) a lot about every user who goes to the website. Nick Weaver explains how the tech works. I argue that the logical consequence is that GDPR outlaws providing IP addresses to get data from another site – which is kinda how the internet functions. Nick thinks the damage can be limited to Facebook, Google, and surveillance capitalism, so he isn’t shedding any tears over that outcome. This leads us to a broader discussion of Facebook’s travails, as its revenue model becomes the target of regulators, Apple, TikTok, Google, liberals, and conservatives — all while subscriber growth starts to stall.

I remind listeners of Baker’s Law of Evil Technology: “You won’t know how evil a technology can be until the engineers who built it begin to fear for their jobs.”

Megan and I break down the American Airlines lawsuit against The Points Guy over an app that syncs frequent flyer data. I predict American will lose – and should.

Mark and I talk about the latest content moderation flareups, from Spotify and Rogan to Gofundme’s defunding of the Canadian lockdown protest convoy. Mark flogs his Forbes article, and I flog my latest Cybertoonz commentary on tech-enabled content moderation. Mark tells me to buckle up, more moderation is coming.

Megan tells the story of PX4, who is hacking North Korea because it hacked him. Normally, that’s the kind of moxie that appeals to me, but this effort feels a little amateurish and ill-focused.

In quicker hits, Nick and I debate the flap over ID.me, and I try to rebut claims that face recognition has a bias problem. Megan explains the brief fuss over a legislative provision that would have enabled more and faster Treasury regulation of cryptocurrency. Speaking of section 230, Mark touches on the Senate’s latest version of the EARN IT bill, as the downsizing continues. I express surprise that Facebook would not only allow foreigners to solicit help from human traffickers on the site but would put the policy in writing.

                                                                                                                                                     

Download the 393rd Episode (mp3).

 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

 

All of Washington is back from Christmas break, and suddenly the Biden Administration is showing a sharp departure from the Obama and Clinton years where regulation of Big Tech is concerned. Regulatory swagger is everywhere.

Treasury regulatory objections to Facebook’s cryptocurrency project have forced the Silicon Valley giant to abandon the effort, Maury Shenk tells us, and the White House is initiating what looks like a major interagency effort to regulate cryptocurrency on national security grounds. Federal Energy Regulatory Commission is getting serious (sort of) about monitoring the internal security of electric grid systems, Tatyana Bolton The White House and Environmental Protection Agency are launching a “sprint” to bring some basic cybersecurity to the nation’s water systems. Gary Gensler is full of ideas for expanding the Security and Exchange Commission’s security requirements for brokers, public companies, and those who service the financial industry. The Federal Trade Commission is entertaining a rulemaking petition that could profoundly affect companies now enjoying the gusher of online ad money generated by aggregating consumer data.

In other news, Dave Aitel gives us a thoughtful assessment of why the log4j vulnerability isn’t creating as much bad news as we first expected. It’s a mildly encouraging story of increased competence and speed in remediation, combined with the complexity (and stealth) of serious attacks built on the flaw.

Dave also dives deep on the story of the Belarussian hacktivists (if that’s what they are) now trying to complicate Putin’s threats against Ukraine. It’s hard to say whether they’ve actually delayed trains carrying Russian tanks to the Belarussian-Ukrainian border, but this is one group that has consistently pulled off serious hacks over several years as they harass the Lukashenko regime.

In a blast from the past, Maury Shenk takes us back to 2011 and the Hewlett Packard (HP)-Autonomy deal, which was repudiated as tainted by fraud almost as soon as it was signed. Turns out, HP is getting a long-delayed vindication, as Autonomy’s founder and CEO is found liable for fraud and ordered extradited to the U.S. to face criminal charges. Both rulings are likely to be appealed, so we’ll probably still be following court proceedings over events from 2011 in 2025 or later.

Speaking of anachronistic court proceedings, the EU’s effort to punish Intel for abusing its dominant position in the chip market has long outlived Intel’s dominant position in the chip market, and we’re nowhere near done with the litigation. Intel won a big decision from the European general court, Maury tells us. We agree that it’s only the European courts that stand between Silicon Valley and a whole lot more European regulatory swagger.

Finally, Dave brings us up to date on a New York Times story about how Israel used NSO’s hacking capabilities in a campaign to break out of years of diplomatic isolation.

                                                                                                                    

Download the 392nd Episode (mp3)

 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Just one week of antitrust litigation news shows how much turbulence Facebook and Google are encountering. Michael Weiner gives us a remarkably compact summary of the many issues, from deeply historical (Facebook’s purchase of Instagram) to cutting edge tech (complaints about Oculus self-preferencing). In all, he brings us current on two state AG case, two FTC cases, and one DOJ case against the twin giants of surveillance advertising.

Speaking of litigation, no major new technology has been greeted with more litigation in its infancy than face recognition. So this week we interview Hoan Ton-That, CEO of what must be the most controversial tech startup in decades – Clearview AI. We probe deeply into face recognition’s reputation for bias, and what the company is doing about it. Hoan is clearly taking the controversy in stride and confident that the technology will overcome efforts to turn it toxic. Meanwhile, I note, the debate is clearing out what would have been formidable competition from the likes of Microsoft, Amazon, and IBM. If you think face recognition should be banned as racist, sexist, and inaccurate, this interview will make you think.

Meanwhile, David Kris notes, rumors of war are rampant on the Russian-Ukrainian border – and in cyberspace. So far, it’s a bit of a phony cyberwar, featuring web defacing and dormant file wipers. But it could blow up at any time, and we may be surprised how much damage can be done with a keyboard.

Speaking of damage done with a keyboard, open source software is showing how much damage can be done without even trying (although some developers are in fact trying pretty hard). Nick Weaver and I dig into the Log4j and other messes, and the White House effort to head off future open source debacles.

David is in charge of good news this week. It looks as though Russia has arrested a bunch of REvil coconspirators, including one person that the White House holds responsible for the Colonial Pipeline attack. It’s surely not a coincidence that this hint of cooperation from Vladimir Putin comes when he’d very much like to have leverage on the Biden administration over Ukraine.

The EU is now firmly committed to cutting off the continent from a host of technologies offered, often free, by Silicon Valley. Google Analytics is out, according to Austrian authorities, even if this means accusing the European Parliament of violating European law. Nick reminds us that this isn’t all the services that could be cut off. Google Translate also depends on transatlantic data flows and could become unavailable in Europe. I offer an incendiary solution to that problem.

Secure messaging is still under attack, but this week its European governments taking the shots. The UK government is planning an ad campaign against end-to-end encryption, and Germany is growling about shutting down Telegram for allowing hate speech. Nick issues a heartfelt complaint about the disingenuity of both sides in the crypto debate.

Speaking of Germans who can’t live up to their reputation on protecting privacy, Nick notes that German police did exactly what Gapple feared, using a coronavirus contact-tracing app to find potential witnesses. Meanwhile, in good news, let’s not forget Twitter, whose woke colonialism led it to suspend Nigeria’s president for threatening secessionists with war. Turns out it was easier to go to war with Twitter, which has now unconditionally surrendered to the Nigerian government.

Finally, I claim kinship with Joe Rogan as one of the podcasters that bien pensant NGOs and academics hope to censor. My plan is to create a joint defense fund to which Joe and I will each contribute 1% of our podcasting revenues.

                                                                                                           

Download the 390th Episode (mp3)

 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

The Federal Trade Commission’s (FTC) other foot, I argue, is lodged firmly in its mouth. Tatyana Bolton defends the agency, which released what can only be described as a regulatory blog post in response to the log4j vulnerability, invoking the $700 million in fines imposed on Equifax to threatening “to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j.” She stresses that this is the best way to get companies to patch quickly and notes that only “reasonable steps” are required. I think we’ll hear that a lot from the FTC, now that it turns out that fixing the Log4j mess is going to require a lot more that regulatory flexing. Especially, since the FTC’s blog post seems to pull back from its tough-guy pose when talking about the open source maintainers who actually have to do much of the patch generation; unlike the companies it threatened with wrath, the FTC understands that open source coders “don’t always have adequate resources and personnel,” something the FTC “will consider as we work to address the root issues that endanger user security.”

Speaking of fallible regulators, Glenn Gerstell gives us a tour of China’s tech regulatory landscape, and the remarkable decline in the fortunes of consumer tech firms in that country, as the New York Times covered in detail last week. Is that good news for Silicon Valley or U.S. competitiveness? Sadly, probably not, I conclude.

Mark MacCarthy explains why the proposal to marry cryptocurrency to Signal is causing angst among Signal’s supporters about the end-to-end encrypted service’s “regulatory attack surface.”

Glenn covers the latest story about security risks and telecom gear from China.

Mark and I dig into the growing enthusiasm for regulating big Silicon Valley companies as gatekeepers. The Germans are about to apply that approach to Google. And the South Koreans are doing the same to Apple and its app store payment policies.

Tatyana notes the press coverage about possible tensions between two talented and strong cybersecurity officials in the White House: Anne Neuberger and Chris Inglis. I put Glenn on the spot about claims that Anne has “a particular tendency to clash with lawyers.” That would only make me love her more, but Glenn (who, as the National Security Agency’s top lawyer, worked with her for years) absolves her of the charge.

Mark and I handicap the probability that the plaintiff will succeed in a highly charged lawsuit against Facebook/Meta Platforms for bringing together the boogaloo conspirators who killed a federal protective officer. It’s a long shot, but if “negligent design” turns out to create liability for software and algorithms, Signal will have an even greater attack surface than its fans are worried about.

Glenn explains the charges brought in China against Walmart for breaches of cybersecurity laws (hint: it’s mostly not breaches of cybersecurity laws).

Speaking of surprises that aren’t surprises, Glenn also covers the announcement by Lloyd’s of London that cyber insurance won’t cover cyber-attacks attributable to nation-states.

Finally, I devote a few minutes to rant about the Justice Department’s decision to expand charges against Joe Sullivan, Uber’s former chief information security officer, for his role in payment of “bug bounties” to hackers who looked more like crooks than bounty hunters. More than a year after charging Sullivan with obstruction of justice, Justice piled on new charges of wire fraud for failing to tell Uber’s drivers about the breach. Glenn and I both question the decision to do this without any new facts to base the charges on. And I point out that the result of exposing breach response into a wire fraud charges will (or should be) fatal to the FBI’s desire to be called in while companies are dealing with breaches. If the company delays notice to the public for longer than the government thinks proper, wire fraud charges start to hang heavy in the air. If so, why would any General Counsel want to have an FBI agent sitting in the room for the debate about when notice to customers is required?

                                                                                                                                               

Download the 389th Episode (mp3)

 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.