Spurred by a Cyberspace Solarium op-ed, Nate Jones gives an overview of cybersecurity worries in the maritime sector, where there is plenty to worry about. I critique the U.S. government’s December 2020 National Maritime Cybersecurity Strategy, a 36-page tome that, when the intro and summary and appendices and blank pages are subtracted, offers only eight pages of substance. Luckily, the Atlantic Council has filled the void with its own report on the topic.

Of course, the maritime sector isn’t the only one we should be concerned about. Sultan Meghji points to the deeply troubling state of industrial control security, as illustrated by a “10 out of 10” vulnerability recently identified in a Rockwell Automation ICS.

Still, sometimes software rot serves a good purpose. Maury Shenk tells us about decay in Russia’s SORM – the telecom surveillance and wiretap system that may be buckling under the weight of the Ukraine invasion. Talking about SORM allows me to trash a nothingburger story perpetrated by three New York Times reporters who ought to know better. Adam Satariano, Paul Mozur and Aaron Krolik should be ashamed of themselves for writing a long story suggesting that Nokia did something wrong by selling Russian telecom gear that enables wiretaps. Since the same wiretap features are required by Western governments as a matter of law, Nokia could hardly do anything else. SORM and its abuses were all carried out by Russian companies. I suspect that, after wading through a boatload of leaked documents, these three (three!) reporters just couldn’t admit there was no there, there.

Nate and I note the emergence of a new set of secondary sanctions targets as Treasury begins sanctioning companies that it concludes are part of a sanctions evasion network. We also puzzle over the surprising pushback on proposals to impose sanctions on a Russian firm. If the WSJ is correct, and the reason is fear of cyberattacks if the Russian firm is sanctioned, isn’t that a reason to sanction them out of Western networks?

Sultan and Maury remind us that regulating cryptocurrency is wildly popular with some, including Sen. Elizabeth Warren and the EU Parliament. Sultan remains skeptical that sweeping regulation is in the cards. He is much more bullish on Apple’s ability to upend the entire fintech field by plunging into financial services with enthusiasm. I point out that it’s almost impossible for a financial services company to maintain a standoffish relationship with government, so Apple may have to change the tune it’s been playing in the U.S. for the last decade.

Maury and I explore fears that the DMA will break WhatsApp encryption, while Nate and I plumb some of the complexities of a story Brian Krebs broke about hackers exploiting the system by which online services provide subscriber information to law enforcement in an emergency.

Speaking of Krebs, we dig into Ubiquiti’s defamation suit against him. The gist of the complaint is that Krebs relied on a “whistleblower” who turned out to be the perp, and that Krebs didn’t quickly correct his scoop when that became apparent. My sympathies are with Krebs on this one, at least until Ubiquiti fills in a serious gap in its complaint – the lack of any allegation that the company told Krebs that he’d been misled and asked for a retraction. Without that, it’s hard to say that Krebs was negligent (let alone malicious) in reporting allegations by an apparently well-informed insider.

Maury brings us up to speed on the (still half-formed) U.K. online harms bill and explains why the U.K. government was willing to let the subsidiary of a Chinese company buy the U.K.’s biggest chip foundry. Sultan finds several insights in an excellent CNN story about the Great Conti Leak.

And, finally, I express my personal qualms about the indictment (for disclosing classified information) of Mark Unkenholz, a highly competent man whom I know from my time in government. To my mind, the prosecutors are going to have to establish that Unkenholz was doing something different from the kind of disclosures that are an essential part of working with tech companies that have no security clearances but plenty of tools needed by the intelligence community. This is going to be a story to watch.

Download the 401st Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

With the U.S. and Europe united in opposing Russia’s attack on Ukraine, a few tough transatlantic disputes are being swept away – or at least under the rug. Most prominently, the data protection crisis touched off by Schrems II has been resolved in principle by a new framework agreement between the U.S. and the EU. Michael Ellis and Paul Rosenzweig trade insights on the deal and its prospects before the European Court of Justice. The most controversial aspect of the agreement is the lack of any change in U.S. legislation. That’s simple vote-counting if you’re in Washington, but the Court of Justice of the European Union (CJEU) clearly expected that it was dictating legislation for the U.S. Congress to adopt, so Europe’s acquiescence may simply kick the can down the road a bit. The lack of legislation will be felt in particular, Michael and Paul aver, when it comes to providing remedies to European citizens who feel their rights have been trampled. Instead of going to court, they’ll be going to an administrative body with executive branch guarantees of independence and impartiality. We congratulate several old friends of the podcast who patched this solution together.

The Russian invasion of Ukraine, meanwhile, continues to throw off new tech stories. Nick Weaver updates us on the single most likely example of Russia using its cyber weapons effectively for military purposes – the bricking of Ukraine’s (and a bunch of other European) Viasat terminals. Alex Stamos and I talk about whether the social media companies recently evicted from Russia, especially Instagram, should be induced or required to provide information about their former subscribers’ interests to allow microtargeting of news to break Putin’s information management barriers; along the way we examine why it is that tech’s response to Chinese aggression has been less vigorous. Speaking of microtargeting, Paul gives kudos to the FBI for its microtargeted “talk to us” ads, only visible to Russian speakers within 100 yards of the Russian embassy in Washington. Finally, Nick and Michael mull the significance of Israel’s determination not to sell sophisticated cell phone surveillance malware to Ukraine.

Returning to Europe-U.S. tension, Alex and I unpack the European Digital Markets Act, which regulates a handful of U.S. companies because they are “digital gatekeepers.” I think it’s a plausible response to network effect monopolization, ruined by anti-Americanism and the persistent illusion that the EU can regulate its way to a viable tech industry. Alex has a similar take, noting that the adoption of end-to-end encryption was a big privacy victory, thanks to WhatsApp, an achievement that the Digital Markets Act will undo in attempting to force standardized interoperable messaging on gatekeepers.

Nick walks us through the surprising achievements of the gang of juvenile delinquents known as Lapsus$. Their breach of Okta is the occasion for speculation about how lawyers skew cyber incident response in directions that turn out to be very bad for the breach victim. Alex vividly captures the lawyerly dynamics that hamper effective response. While we’re talking ransomware, Michael cites a detailed report on corporate responses to REvil breaches, authored by the minority staff of the Senate Homeland Security Committee. Neither the FBI nor CISA comes out of it looking good. But the bureau comes in for more criticism, which may help explain why no one paid much attention when the FBI demanded changes to the cyber incident reporting bill.

Finally, Nick and Michael debate whether the musician and Elon Musk sweetheart Grimes could be prosecuted for computer crimes after confessing to having DDoSed an online publication over an embarrassing photo of her. Just to be on the safe side, we conclude, maybe she shouldn’t go back to Canada. And Paul and I praise a brilliant WIRED op-ed proposing that Putin’s Soviet empire nostalgia deserves a wakeup call; the authors (Rosenzweig and Baker, as it happens) suggest that the least ICANN can do is kill off the Soviet Union’s out-of-date .su country code.

Download the 400th Episode (mp3).

On March 24, Utah Governor Spencer Cox signed into law the Utah Consumer Privacy Act, which gives state residents the right to know what personal information businesses collect about them, to require businesses to delete their personal information, and to opt out of the sale of their data or its use in targeted advertising. Utah joins California, Virginia, and Colorado in the growing club of states with similar consumer privacy laws. The law follows the general contours of its statutory progenitor, the California Consumer Privacy Act (CCPA), but in many ways is less burdensome to business. The law takes effect December 31, 2023.

The Utah law applies to for-profit companies that do business in Utah or target products or services at residents of the state, have annual revenue of $25,000,000 or more, and either: a) control or process personal data of at least 100,000 Utah residents in a calendar year or b) derive over 50% of their gross revenue from the sale of personal data and control or process personal data of at least 25,000 Utah residents. There are numerous exceptions to the law’s applicability, including for entities and information regulated by HIPAA and the Gramm-Leach-Bliley Act.

In broad strokes, the Utah law gives consumers (defined as residents of Utah “acting in an individual or household context” and not “an employment or commercial context”) the rights to:

  • Confirm whether a controller is processing the consumer’s personal data.
  • Access that personal data.
  • Delete personal data that the consumer provided to the controller.
  • Obtain a copy of personal data that the consumer previously provided to the controller, in a format that is portable, readily useable, and transferable to another controller.
  • Opt out of the sale of the consumer’s personal data or its processing for targeted advertising.
  • Opt out of the processing of “sensitive data” collected from the consumer.

“Sensitive data” is defined as personal data that reveals an individual’s racial or ethnic origin, religious beliefs, sexual orientation, or citizenship or immigration status; or information regarding an individual’s medical history, mental or physical health condition, or medical treatment or diagnosis by a health care professional; the processing of genetic personal data or biometric data, if the processing is for the purpose of identifying a specific individual; or specific geolocation data. Sensitive data does not include data that reveals racial or ethnic origin if the personal data is processed by a video communication service, or data processed by a licensed health care provider.

The law allows businesses to prescribe the means by which consumer requests are made, but requires businesses to take action on a request, and inform the consumer of that action, within 45 days of the request (extendable by one additional 45-day period). Controllers need not comply with a request if it appears to be fraudulent or the controller cannot authenticate it using commercially reasonable means. A controller may not charge a fee for responding to a request unless the request is the consumer’s second or more in a 12-month period. In addition, a controller can refuse to act on a request or can charge a reasonable fee to cover administrative costs of complying, if the request is “excessive, repetitive, technically infeasible, or manifestly unfounded,” “the controller reasonably believes the primary purpose in submitting the request was something other than exercising a right,” or “the request, individually or as part of an organized effort, harasses, disrupts, or imposes undue burden on the resources of the controller’s business.” However, a controller who relies on one of these grounds for rejecting a request or for charging a fee bears the burden of demonstrating that one of these grounds applies.

Controllers are also required to provide consumers with “a reasonably accessible and clear privacy notice” that includes: “(i) the categories of personal data processed by the controller; (ii) the purposes for which the categories of personal data are processed; (iii) how consumers may exercise a right; (iv) the categories of personal data that the controller shares with third parties, if any; and (v) the categories of third parties, if any, with whom the controller shares personal data.” A controller must also provide clear notice to consumers if it processes sensitive data. If a controller sells personal data or engages in targeted advertising, it must “clearly and conspicuously disclose to the consumer the manner in which the consumer may exercise the right to opt out” of such sales or advertising.

Notably, some of the key terms in the Utah law are defined more narrowly than in the CCPA, potentially lessening some of the burden on businesses. “Sale” or “sell” means “the exchange of personal data for monetary consideration by a controller to a third party.” “Targeted advertising” means “displaying an advertisement to a consumer where the advertisement is selected based on personal data obtained from the consumer’s activities over time and across nonaffiliated websites or online applications to predict the consumer’s preferences or interests,” but does not include advertising “based on a consumer’s activities within a controller’s website or online application or any affiliated website or online application,” among other things. “Third party” means “a person other than the consumer, controller, or processor and other than an affiliate or contractor of the controller or the processor.”

The law prohibits controllers from discriminating against consumers for exercising a right by denying a good or service to the consumer, charging a different price or rate, or providing the consumer a different level of quality of a good or service. However, controllers may offer a different price, rate, level, quality or selection if the consumer has opted out of targeted advertising or if the offer is related to the consumer’s voluntary participation in a bona fide loyalty, rewards, or similar program. A controller also is not required to provide a product, service, or functionality to a consumer if the consumer does not provide his or her personal data or allow its processing, but that data is reasonably necessary for the controller to provide the product, service, or functionality.

In addition to providing state residents with the rights and disclosures described above, the Utah law requires controllers to “establish, implement, and maintain reasonable administrative, technical, and physical data security practices designed to…protect the confidentiality and integrity of personal data…and reduce reasonably foreseeable risks of harm to consumers relating to the processing of personal data.”

A special reminder that we will be doing episode 400 live on video and with audience participation on March 28, 2022 at noon Eastern daylight time. So, mark your calendar and when the time comes, use this link* to join the audience:

https://riverside.fm/studio/the-cyberlaw-podcast-400

See you there!

*Please note that using this link on a mobile phone will prompt you to download the Riverside app.

  • There’s nothing like a serious shooting war to bring on paranoia and mistrust, and the Russian invasion of Ukraine is generating mistrust on all sides.
  • Everyone expected a much more damaging cyberattack from the Russians, and no one knows why it hasn’t happened yet. Dave Aitel walks us through some possibilities. Cyberattacks take planning, and Russia’s planners may have believed they wouldn’t need to use large-scale cyberattacks—apart from what appears to be a pretty impressive bricking of Viasat terminals used extensively by Ukrainian forces. Now that the Russians could use some cyber weapons in Ukraine, the pace of the war may be making it hard to build them. None of that is much comfort to Western countries that have imposed sanctions, since their infrastructure makes a nice fat sitting-duck target, and may draw fire soon if American intelligence warnings prove true.
  • Meanwhile, Matthew Heiman reports, the effort to shore up defenses is leading to a cavalcade of paranoia. Has the U.K. defense ministry banned the use of WhatsApp due to fears that it’s been compromised by Russia? Maybe. But WhatsApp has long had known security limitations that might justify downgrading its use on the battlefield. Speaking of ambiguity and mistrust, Telegram use is booming in Russia, Dave says, either because the Russians know how to control it or because they can’t. Take your pick.
  • Speaking of mistrust, the German security agency has suddenly discovered that it can’t trust Kaspersky products. Good luck finding them, Dave offers, since many have been white-labeled into other companies’ software. He has limited sympathy for an agency that resolutely ignored U.S. warnings about Kaspersky for years.
  • Even in the absence of a government with an interest in subverting software, the war is producing products that can’t be trusted. The maintainer of a popular open-source tool turned it into a data wiper for anyone whose computer looks Belarusian or Russian. What could possibly go wrong with that plan?
  • Meanwhile, people who’ve advocated tougher cybersecurity regulation (including me) are doing a victory lap in the press about how it will bolster our defenses. It’ll help, I argue, but only some, and at a cost of new failures. The best example is TSA’s effort to regulate pipeline security, which has struggled to avoid unintended consequences while being critiqued by an industry that has been hostile to the whole effort from the start.
  • The most interesting impact of the war is in China. Jordan Schneider explores how China and Chinese companies are responding to sanctions on Russia. Jordan thinks that Chinese companies will follow their economic interests and adhere to sanctions – at least where it’s clear they’re being watched – despite online hostility to sanctions among Chinese digerati.
  • Matthew and I think more attention needs to be paid to Chinese government efforts to police and intimidate ethnic Chinese, including Chinese Americans, in the United States. The Justice Department for one is paying attention; it has arrested several alleged Chinese government agents engaged in such efforts.
  • Jordan unpacks China’s new guidance on AI algorithms. I offer grudging respect to the breadth and value of the topics covered by China’s AI regulatory endeavors.
  • Dave and I are disappointed by a surprise package in the FY 22 omnibus appropriations act. Buried on page 2334 is an entire smorgasbord of regulation for intelligence agency employees who go looking for jobs after leaving the intelligence community. This version is better than the original draft, but mainly for the intelligence agencies; intelligence professionals seem to have been left out in the cold when revisions were proposed.
  • Matthew does an update on the peanut butter sandwich spies who tried to sell nuclear sub secrets to a foreign power that the Justice Department did not name at the time of their arrest. Now that country has been revealed. It’s Brazil, apparently chosen because the spies couldn’t bring themselves to help an actual enemy of their country.
  • And finally, I float my own proposal for the nerdiest possible sanctions on Putin. He’s a big fan of the old Soviet empire, so it would be fitting to finally wipe out the last traces of the Soviet Union, which have lingered for thirty years too long in the Internet domain system. Check WIRED magazine for my upcoming op-ed on the topic.

Download the 399th Episode (mp3).

For the third week in a row, we lead with cyber and Russia’s invasion of Ukraine. Paul Rosenzweig comments on the most surprising thing about social media’s decoupling from Russia – how enthusiastically the industry is pursuing the separation. Facebook is allowing Ukrainians to threaten violence against Russian leadership and removing or factchecking Russian government and media posts. Not satisfied with this, the EU wants Google to remove Russia Today and Sputnik from search results. I ask why the U.S. can’t take over Facebook and Twitter infrastructure to deliver the Voice of America to Facebook and Twitter users who’ve been cut off by their departure. Nobody likes that idea but me. Meanwhile, Paul notes that The Great Cyberwar that Wasn’t could still make an appearance, citing Ciaran Martin’s sober Lawfare piece.

David Kris tells us that Congress has, after a few false starts, finally passed a cyber incident reporting bill, notwithstanding the Justice Department’s over-the-top histrionics in opposition. I wonder if the bill, passed in haste due to the Ukraine conflict, should have had another round of edits, since it seems to lock in a leisurely reg-writing process that the Cybersecurity and Infrastructure Security Agency (CISA) can’t cut short.

Jane Bambauer and David unpack the first district court opinion considering the legal status of “geofence” warrants – where Google gradually releases more data about people whose phones were found near a crime scene when the crime was committed. It’s a long opinion by Judge M. Hannah Lauck, but none of us finds it satisfying. As is often true, Orin Kerr’s take is more persuasive than the court’s.

Next, Paul Rosenzweig digs into Biden’s cryptocurrency executive order. It’s not a nothingburger, he opines, but it is a processburger, meaning that nothing will happen in the field for many months, but the interagency mill will begin to grind, and sooner or later will likely grind exceeding fine.

Jane and I draw lessons from WIRED’s “expose” on three wrongful arrests based on face recognition software, but not the “face recognition is Evil” lesson WIRED wanted us to draw. The arrests do reflect less than perfect policing, and are a wrenching view of what it’s like for an innocent man to face charges that aren’t true. But it’s unpersuasive to blame face recognition for mistakes that could have been avoided with a little more care by the cops.

David and I highly recommend Brian Krebs’s great series on what we can learn from leaked chat logs belonging to the Conti ransomware gang. My favorite insight was the Conti member who said, when a company resisted paying to keep its files from being published, that “There is a journalist who will help intimidate them for 5 percent of the payout.” I suggest that our listeners crowdsource an effort to find journalists who might fit this description. It might not be hard; after all, how many journalists these days are breaking stories that dive deep into doxxed databases?

Paul and I spend a little more time than it deserves on a proposal for the Internet community about ways to block Russia from the network.

Jane gives a lick and a promise to the Open App Markets bill coming out of the Senate Judiciary Committee. I alert the ACLU to a shocking porcine privacy invasion.

Having saved Scarlett Johansson for last, I discover that none of the other panelists is surprised that 15% of people have already had sex with a robot but all of them find the idea of falling in love with a robot preposterous.

Download the 398th Episode (mp3).

Much of this episode is devoted to the new digital curtain falling across Europe. Gus Hurwitz and Mark MacCarthy review the tech boycott that has seen companies like Apple, Samsung, Microsoft and Adobe pull their services from Russia. Nick Weaver describes how Russia cracked down on independent Russian media outlets and blocked access to the websites of foreign media including the BBC and Facebook. Gus reports on an apparent Russian decision to require all servers and domains to transfer to the Russian zone, thereby disconnecting itself from the global internet.

Mark describes how private companies in the U.S. have excluded Russian media from their systems, including how DirecTV’s decision to drop RT America led the Russian 24-hour news channel to shutter its operations. In contrast, the EU officially shut down all RT and Sputnik operations, including their apps and websites. Nick wonders if the enforcement mechanism is up to the task of taking down the websites. Gus, Dave and Mark discuss the mythmaking in social media about the Ukrainian war such as the Ghost of Kyiv, and wonder if fiction might do some good to keep up the morale of the besieged country.

Dave Aitel reminds us that despite the apparent lack of cyberattacks in the war, more might be going on under the surface. He also tells us more about the internal attack that affected the Conti ransomware gang when they voiced support for Russia. Nick opines that cryptocurrencies do not have the volume to serve as an effective way around the financial sanctions against Russia. Sultan Meghji argues that the financial sanctions will accelerate the move away from the dollar as the world’s reserve currency and is skeptical that a principles-based constraint will do much good to halt that trend.

A few things happened other than the war in Ukraine, including President Biden’s first state of the union address. Gus notices that much of the speech was devoted to tech. He notes that the presence in the audience of Frances Haugen, the Facebook whistleblower, highlighted Biden’s embrace of stronger online children’s privacy laws and that the presence of Intel CEO Patrick Gelsinger gave the President the opportunity to pitch his plan to support domestic chip production.

Sultan and Dave discuss the cybersecurity bill that passed out of the Senate unanimously. It would require companies in critical sectors to report cyberattacks and ransomware payments to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). They also analyze the concerns that companies have about providing information to the FBI. Dave thinks the bills discussed in this week’s House Commerce hearing to hold Big Tech accountable respond to widespread public concerns about tech’s surveillance business model, but he still thinks they are unlikely to make it through the process to become law.

Gus says that Amazon’s certification that it has responded to the Federal Trade Commission’s inquiries about its proposed $6.5 billion MGM merger triggers a statutory deadline for the agency to act. It is not the company’s fault, he says, that the agency has a 2-2 split between Democrats and Republicans that will likely prevent it from opposing the merger in time. I take the opportunity to note that the Senate Commerce Committee sent the nominations of Alvaro Bedoya for the Federal Trade Commission and Gigi Sohn for the Federal Communications Commission to the Senate floor, but that it would likely be several months before the full Senate would act on the nominations.

Finally, Nick argues that certain measures in the European Commission’s proposed digital identity framework, aiming to improve authentication on the web, would in practice have the opposite effect of dramatically weakening web security.

Download the 397th Episode (mp3).

Much of this episode is devoted to how modern networks and media are influencing what has become a major shooting war between Russia and Ukraine. Dmitri Alperovitch gives a sweeping overview. Ukraine and its President, Volodymyr Zelensky, clearly won the initial stages of the war in cyberspace, turning broad Western sympathy into a deeper commitment with short videos from downtown Kyiv at a time when Zelensky was expected to be racing for the border. The narrative of determined Ukrainian resistance and hapless Russian arrogance was set in cement by the end of the week, and Zelensky’s ability to casually dial in to EU ministers’ meetings (and just as casually say that this might be the last time the ministers saw him alive) changed official Europe’s view of the conflict permanently. Putin’s failure to seize Ukraine’s capital and telecom facilities in the first day of the fight may mean a long, grinding conflict.

Russia is doing its best to control the narrative on Russian networks by throttling Facebook, Twitter, and other Western media. And it’s essentially telling those companies that they need to distribute pro-Russian media in the West if they want a future in Russia. Dmitri believes that that’s not a price Silicon Valley will pay for access to a country where every other bank and company is already off-limits due to Western sanctions. Jane Bambauer weighs in with the details of Russia’s narrative-control efforts – and their failure.

And what about the cyber-attacks that press coverage led us to expect in this conflict between two technically capable adversaries? Nate Jones and Dmitri agree that, while network wiping and ransomware have occurred, their impact on the battle has not been obvious. Russia seems not to have sent its A-team to take down any of Ukraine’s critical infrastructure. Meanwhile, as Western nations pledge more weapons and more sanctions, Russian cyber reprisals have been scarce, perhaps because Western counter-reprisals are clearly being held in reserve.

All that said, and despite unprecedented financial sanctions and export control measures, initiative in the conflict remains with Putin, and none of the panel is looking forward to finding out how Putin will react to Russia’s early humiliations in cyberspace and on the battlefield.

In other tech news, the EU has not exactly turned over a new leaf when it comes to milking national security for competitive advantage over U.S. industry. Nate and Jane unpack the proposed European Data Act, best described as an effort to write a GDPR (General Data Protection Regulation) for nonpersonal data. And, as always, as a European effort to regulate a European tech industry into existence.

Nate and I dig into a Foreign Affairs op-ed by Chris Inglis, the Biden administration’s National Cyber Director. It calls for a new Cyber Social Contract between government and industry. I CTRL-F for “regulation” and don’t find the word, likely thanks to White House copy editors, but the op-ed clearly thinks that more regulation is the key to ensuring public-private cooperation.

Jane reprises a story from the estimable “Rest of World” tech site. It turns out that corrupt and abusive companies and governments have better tools for controlling their image than Vladimir Putin – all thanks to the European Parliament and the U.S. Congress, which approved GDPR and the Digital Millennium Copyright Act respectively. These turn out to be great tools for suppressing stories that make third-world big shots uncomfortable. I remind the audience once again that Privacy mainly Protects the Privileged and the Powerful.

In closing, Jane and I catch up on the IRS’s latest position on face recognition – and the wrongheadedness of the NGOs campaigning against the technology.


Download the 396th Episode (mp3)


The Cyberlaw Podcast has decided to take a leaf from the (alleged) Bitcoin Bandits’ embrace of cringe rap. No more apologies. We’re proud to have been cringe-casting for the last six years. Scott Shapiro, however, shows that there’s a lot more meat to the bitcoin story than embarrassing social media posts. In fact, the government’s filing after the arrest of Ilya Lichtenstein and Heather Morgan paints a forbidding picture of how hard it is to actually cash $4.5 billion in bitcoin. That’s what the government wants us to think, but it’s persuasive nonetheless, and both Scott and David Kris recommend it as a read.

Like the Rolling Stones performing their greatest hits from 1965 on tour this year, U.S. Senator Ron Wyden of Oregon is replaying his favorite schtick from 2013 or so – complaining that the government has an intelligence program that collects some U.S. person data under a legal theory that would surprise most Americans. Based on the Privacy and Civil Liberties Oversight Board staff recommendations, Dave Aitel and David Kris conclude that this doesn’t sound like much of a scandal, but it may lead to new popup boxes on intel analysts’ desktops as they search the resulting databases.

In an entirely predictable but still discouraging development, Dave Aitel points to persuasive reports from two forensics firms that an Indian government body has compromised the computers of a group of Indian activists and then used its access not just to spy on the activists but to load fake and incriminating documents onto their computers.

In the EU, meanwhile, crisis is drawing nearer over the EU General Data Protection Regulation (GDPR) and the European Court of Justice decision in the Schrems cases. David Kris covers one surprising trend. The Court may have been aiming at the United States, but its ruling is starting to hit European companies who are discovering that they may have to choose between Silicon Valley services and serious liability. That’s the message in the latest French ruling that websites using Google Analytics are in breach of GDPR. Next to face the choice may be European publishers who depend on data-dependent advertising whose legality the Belgian data protection authority has gravely undercut.

Scott and I dig into the IRS’s travails in trying to implement facial recognition for taxpayer access to records. I reprise my defense of face recognition in Lawfare. Nobody is going to come out of this looking good, Scott and I agree, but I predict that abandoning facial recognition technology is going to mean more fraud as well as more costly and lousier service for taxpayers.

I point to the only place Silicon Valley seems to be innovating – new ways to show conservatives that they should just die already. Airbnb has embraced the Southern Poverty Law Center, whose business model is labeling mainstream conservative groups as “hate” mongers. It told Michelle Malkin that her speech at an SPLC-designated “hate” conference meant that she was forever barred from using Airbnb – and so was her husband. By my count that’s guilt by association three times removed. Equally remarkable, Facebook is now telling Bjørn Lomborg that he cannot repeat true facts if he’s using them to support the Wrong Narrative. We’re not in content moderation land any more if truth is not a defense, and tech firms that supply real things for real life can deny them to people whose views they don’t like.

Scott and I unpack the EARN IT Act (Eliminating Abusive and Rampant Neglect of Interactive Technologies Act), again reported out of committee with a chorus of boos from privacy NGOs. We also note that supporters of getting tough on the platforms over child sex abuse material aren’t waiting for EARN IT. A sex trafficking lawsuit against Pornhub has survived a section 230 challenge.


Download the 394th Episode (mp3)



All of Washington is back from Christmas break, and suddenly the Biden Administration is showing a sharp departure from the Obama and Clinton years where regulation of Big Tech is concerned. Regulatory swagger is everywhere.

Treasury regulatory objections to Facebook’s cryptocurrency project have forced the Silicon Valley giant to abandon the effort, Maury Shenk tells us, and the White House is initiating what looks like a major interagency effort to regulate cryptocurrency on national security grounds. The Federal Energy Regulatory Commission is getting serious (sort of) about monitoring the internal security of electric grid systems, Tatyana Bolton reports. The White House and Environmental Protection Agency are launching a “sprint” to bring some basic cybersecurity to the nation’s water systems. Gary Gensler is full of ideas for expanding the Securities and Exchange Commission’s security requirements for brokers, public companies, and those who service the financial industry. The Federal Trade Commission is entertaining a rulemaking petition that could profoundly affect companies now enjoying the gusher of online ad money generated by aggregating consumer data.

In other news, Dave Aitel gives us a thoughtful assessment of why the log4j vulnerability isn’t creating as much bad news as we first expected. It’s a mildly encouraging story of increased competence and speed in remediation, combined with the complexity (and stealth) of serious attacks built on the flaw.

Dave also dives deep on the story of the Belarusian hacktivists (if that’s what they are) now trying to complicate Putin’s threats against Ukraine. It’s hard to say whether they’ve actually delayed trains carrying Russian tanks to the Belarusian-Ukrainian border, but this is one group that has consistently pulled off serious hacks over several years as they harass the Lukashenko regime.

In a blast from the past, Maury Shenk takes us back to 2011 and the Hewlett Packard (HP)-Autonomy deal, which was repudiated as tainted by fraud almost as soon as it was signed. Turns out, HP is getting a long-delayed vindication, as Autonomy’s founder and CEO is found liable for fraud and ordered extradited to the U.S. to face criminal charges. Both rulings are likely to be appealed, so we’ll probably still be following court proceedings over events from 2011 in 2025 or later.

Speaking of anachronistic court proceedings, the EU’s effort to punish Intel for abusing its dominant position in the chip market has long outlived Intel’s dominant position in the chip market, and we’re nowhere near done with the litigation. Intel won a big decision from the European General Court, Maury tells us. We agree that it’s only the European courts that stand between Silicon Valley and a whole lot more European regulatory swagger.

Finally, Dave brings us up to date on a New York Times story about how Israel used NSO’s hacking capabilities in a campaign to break out of years of diplomatic isolation.


Download the 392nd Episode (mp3)
