This episode features an interview with Michael Tiffany, the co-founder and president of White Ops and a deep student of how to curtail adtech fraud. Michael explains the adtech business, how fraudsters take advantage of its structure, and what a coalition of law enforcement and tech companies did to wreck one of the most successful fraud networks, known as 3ve. You can read more about the take down in the joint White Ops and Google report, “The Hunt for 3ve.”
I propose this episode’s title as Baker’s Law of Evil Technology, something that explains Twitter’s dysfunctional woke-ness, Yahoo’s crappy security, and Uber’s deadly autonomous vehicles. Companies with lots of revenue can afford to offer a lot of stuff they don’t much care about, including protection of minority voices, security, and, um, not killing people. But as Uber’s travails show, all that can get tossed out the window when corporate survival is at stake. And here’s Baker’s Law in action: Airline algorithms that deliberately break up families sitting on the plane so they can charge to put the kids back in the same row.
Mieke Eoyang joins us for the interview about Third Way’s “To Catch a Hacker” report. We agree on the importance of what I call “attribution and retribution” as a way to improve cybersecurity. But we disagree on some of the details. Mieke reveals that this report is the first in a series that will hopefully address my concerns about a lack of detail and innovation in the report’s policy prescriptions.
Today’s interview is a deep (and long – over an hour) dive into new investment review regulations for the Committee on Foreign Investment in the United States (CFIUS). It’s excerpted from an ABA panel discussion on the topic, featuring: Tom Feddo, who currently oversees CFIUS; Aimen Mir, who used to oversee CFIUS; Sanchi Jayaram, who is in charge of the Justice Department’s CFIUS and Team Telecom work; David Fagan, a noted CFIUS practitioner; and me as moderator. It turns out the new CFIUS law may be the most innovative – and sweeping – piece of legislation on national security in years.
This episode puts our experts on the spot with an election-eve question: Will foreign governments attack US electoral rolls or vote-counting machinery in 2018? Remarkably, no one on our panel (Matthew Heiman, Nick Weaver, David Kris, and I) thinks they will. So if you want cybersecurity news, you can stop listening to election coverage and tune in to Episode 238 of The Cyberlaw Podcast.
Our interview features Steve Rice (Deputy CIO for DHS) and Max Everett (CIO for the Department of Energy) and was originally taped at a session of the Homeland Security Week conference.
The theme of this week’s podcast seems to be the remarkable reach of American soft power: Really, we elect Donald Trump, and suddenly everybody’s trolling. The Justice Department criminally charges a Russian troll factory’s accountant, and before David Kris can finish explaining it, she’s on YouTube, trolling the prosecutors with a housewife schtick. She’s not alone. Faced with the news that President Trump is using a commercial iPhone for many of his calls – and, Nate Jones points out, getting tapped by China, Russia, and others as a result – China has a suggestion that scores at the top of the POTUS Troll Scale. Tim Cook goes to Europe to troll Android – and me – with a speech that touches all my buttons: Europhilia, Apple sanctimony in pursuit of profit, and blind enthusiasm for privacy regulation. And when the Belgians ask for British help investigating a suspected GCHQ hack of a Belgian ISP, as David and I discuss, the British respond with what can only be described as understated trolling.
In this episode’s interview we ask whether the midterm elections are likely to suffer as much foreign hacking and interference as we saw in 2016. The answer, from Christopher Krebs, Under Secretary for National Protection and Programs Directorate (soon to be the Cybersecurity and Infrastructure Security Agency), is surprisingly comforting, though hardly guaranteed. Briefly, it’s beginning to look as though the Russians (and maybe the Iranians) are holding their fire for the main event in 2020.
Today we interview Doug, the chief legal officer of GCHQ, the British equivalent of NSA. It’s the first time we’ve interviewed someone whose full identify is classified. Out of millions of possible pseudonyms, he’s sticking with “Doug.” Listen in as he explains why. More seriously, Doug covers the now-considerable oversight regime that governs GCHQ’s intercepts and other intelligence collection, Britain’s view of how the law of war applies in cyberspace, the prospects for UN talks on that topic, the value of attribution, and whether a national security agency should be responsible for civilian cybersecurity (the UK says yes, the US says no).
Bloomberg Businessweek’s claim that the Chinese buggered Supermicro motherboards leads off our News Roundup. The story is controversial not because it couldn’t happen and not because the Chinese wouldn’t do it but because the story has been denied by practically everyone close to the controversy, including DHS. Bloomberg Businessweek stands by the story. Maybe it’s time for the law, in the form of a libel action, to ride to the rescue.
The European Data Protection Board (EDPB) is an independent advisory body, established by the GDPR, that issues guidelines, recommendations, and best practices for the application of the GDPR.
At its Third Plenary on September 26, the EDPB adopted new draft guidelines on the GDPR’s territorial scope.
These guidelines should help provide a common interpretation of the broad territorial scope of the GDPR, often referred to as its long-arm jurisdiction, and further clarify how the GDPR applies to data controllers or processors established outside of the EU – for example, in the US – targeting individuals in the EU. The Guidelines will include guidance on the requirement to designate a representative in the EU. This is required unless the processing is carried out by a private entity or natural person and (i) is occasional, (ii) does not include, on a large scale, processing of special categories of data or data relating to criminal convictions and offences, and (iii) is unlikely to result in a risk to the rights and freedoms of natural persons.
The guidelines will be subject to public consultation, via the EDPB’s consultation link available here.