• Troops and sanctions and accusations are coming thick and fast in Ukraine as we record the podcast. Michael Ellis draws on his past experience at the National Security Council (NSC) to guess how things are going at the White House, and we both speculate on whether the conflict will turn into a cyberwar that draws the United States in. Neither of us thinks so, though for different reasons.
  • Meanwhile, Nick Weaver reports, the Justice Department is gearing up for a fight with cryptocurrency criminals. Nick thinks it couldn’t happen to a nicer industry. Michael and I contrast the launching of this initiative with the slow death of the China initiative at the hands of a few botched prosecutions and a whole lot of anti-American racial political correctness.
  • Speaking of political correctness, Michael and I do a roundup of news (all bad) about face recognition. District Judge Sharon Johnson Coleman (ND IL) gets our prize for least persuasive first amendment analysis of the year in an opinion holding that collecting and disclosing public data about people (what their faces look like) can be punished with massive civil liability even if no damages have been shown. After all, the judge declares in an analysis that covers a full page and a half (double-spaced), the Illinois law imposing liability “does not restrict a particular viewpoint nor target public discussion of an entire topic.” But not to worry; the first amendment is bound to get a heavy workout in the next big face recognition lawsuit – the Texas Attorney General’s effort to extract hundreds of billions of dollars from Facebook for similarly collecting the face of their users. My bet? This one will make it to the Supreme Court. Next, we review the IRS’s travails in trying to use face recognition to verify taxpayers who want access to their returns. I urge everyone to read my latest op-ed in the Washington Post criticizing the Congressional critics of the effort. Finally, I mock the wokesters at Amnesty International who think that people who live in high-crime New York neighborhoods should be freed from the burden of being able to identify and jail street criminals using facial recognition. After all, if facial recognition were more equitably allocated, think of the opportunity to identify Staten Island scofflaws who let their dogs poop on the sidewalk.
  • Nick and I dig into the pending collision between European law enforcement agencies and privacy zealots in Brussels who want to ban EU use of NSO’s Pegasus surveillance tech. Meanwhile, in a rare bit of good news for Pegasus’s creator, an Israeli investigation is now casting doubt on press reports of Pegasus abuse.
  • Finally, Michael and I mull over the surprisingly belated but still troubling disclosures about just how opaque TikTok has made its methods of operation. Two administrations in a row have started out to do something about this suspect app, and neither has delivered – for reasons that demonstrate the deepest flaws of both.

                                                                                                                                     

Download the 395th Episode (mp3)

 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

The Cyberlaw Podcast has decided to take a leaf from the (alleged) Bitcoin Bandits’ embrace of cringe rap. No more apologies. We’re proud to have been cringe-casting for the last six years. Scott Shapiro, however, shows that there’s a lot more meat to the bitcoin story than embarrassing social media posts. In fact, the government’s filing after the arrest of Ilya Lichtenstein and Heather Morgan paints a forbidding picture of how hard it is to actually cash $4.5 billion in bitcoin. That’s what the government wants us to think, but it’s persuasive nonetheless, and both Scott and David Kris recommend it as a read.

Like the Rolling Stones performing their greatest hits from 1965 on tour this year, U.S. Senator Ron Wyden of Oregon is replaying his favorite schtick from 2013 or so – complaining that the government has an intelligence program that collects some U.S. person data under a legal theory that would surprise most Americans. Based on the Privacy and Civil Liberties Oversight Board staff recommendations, Dave Aitel and David Kris conclude that this doesn’t sound like much of a scandal, but it may lead to new popup boxes on intel analysts’ desktops as they search the resulting databases.

In an entirely predictable but still discouraging development, Dave Aitel points to persuasive reports from two forensics firms that an Indian government body has compromised the computers of a group of Indian activists and then used its access not just to spy on the activists but to load fake and incriminating documents onto their computers.

In the EU, meanwhile, crisis is drawing nearer over the EU General Data Protection Regulation (GDPR) and the European Court of Justice decision in the Schrems cases. David Kris covers one surprising trend. The Court may have been aiming at the United States, but its ruling is starting to hit European companies who are discovering that they may have to choose between Silicon Valley services and serious liability. That’s the message in the latest French ruling that websites using Google Analytics are in breach of GDPR. Next to face the choice may be European publishers who depend on data-dependent advertising whose legality the Belgian data protection authority has gravely undercut.

Scott and I dig into the IRS’s travails in trying to implement facial recognition for taxpayer access to records. I reprise my defense of face recognition in Lawfare. Nobody is going to come out of this looking good, Scott and I agree, but I predict that abandoning facial recognition technology is going to mean more fraud as well as more costly and lousier service for taxpayers.

I point to the only place Silicon Valley seems to be innovating – new ways to show conservatives that they should just die already. Airbnb has embraced the Southern Poverty Law Center, whose business model is labeling mainstream conservative groups as “hate” mongers. It told Michelle Malkin that her speech at a SPLC “hate” conference meant that she was forever barred from using Airbnb – and so was her husband. By my count that’s guilt by association three times removed. Equally remarkable, Facebook is now telling Bjorn Lonborg that he cannot repeat true facts if he’s using them to support the Wrong Narrative. We’re not in content moderation land any more if truth is not a defense, and tech firms that supply real things for real-life can deny them to people whose views they don’t like.

Scott and I unpack the EARN IT Act (Eliminating Abusive and Rampant Neglect of Interactive Technologies Act), again reported out of committee with a chorus of boos from privacy NGOs. We also note that supporters of getting tough on the platforms over child sex abuse material aren’t waiting for EARN IT. A sex trafficking lawsuit against Pornhub has survived a section 230 challenge.

                                                                                                       

Download the 394th Episode (mp3)

 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Another week, another industry-shaking antitrust bill from Senate Judiciary:  This time, it’s the Open App Store Act, and Mark MacCarthy reports that it’s got more bipartisan support than the last one. Maybe that’s because there are only two losers, and only one big loser: Apple. The bill would force an end to Apple’s app store monopoly. Apple says that would mean less privacy and security for users; Mark thinks there’s something to that, but Bruce Schneier thinks that’s hogwash. Our panel is mostly on Bruce’s side of the debate.”

Meanwhile, Apple’s real contribution to the debate is the enormous middle finger it’s extending to other regulators trying to rein in Apple’s app store fees.

Megan Stifel reports that Anne Neuberger, the deputy national security adviser for cyber issues, has been traveling Europe to beef up our allies’ cyber defenses as a Russian war looms in Ukraine. Details about how she’s doing that are unsurprisingly sparse.

Meanwhile, Europe is finally coming to grips with the logical consequences of the EU General Data Protection Regulation (GDPR) for the internet as we know it. Turns out, the whole thing is illegal in the EU. The Belgian data protection authority brought down a big chunk of the roof in holding the IAB liable for adtech bidding procedures that violate the GDPR. And a German court fined some poor website for using Google fonts, which are downloaded from Google and tell that company (located in *gasp* America) a lot about every user who goes to the website. Nick Weaver explains how the tech works. I argue that the logical consequence is that GDPR outlaws providing IP addresses to get data from another site – which is kinda how the internet functions. Nick thinks the damage can be limited to Facebook, Google, and surveillance capitalism, so he isn’t shedding any tears over that outcome. This leads us to a broader discussion of Facebook’s travails, as its revenue model becomes the target of regulators, Apple, TikTok, Google, liberals, and conservatives — all while subscriber growth starts to stall.

I remind listeners of Baker’s Law of Evil Technology: “You won’t know how evil a technology can be until the engineers who built it begin to fear for their jobs.”

Megan and I break down the American Airlines lawsuit against The Points Guy over an app that syncs frequent flyer data. I predict American will lose – and should.

Mark and I talk about the latest content moderation flareups, from Spotify and Rogan to Gofundme’s defunding of the Canadian lockdown protest convoy. Mark flogs his Forbes article, and I flog my latest Cybertoonz commentary on tech-enabled content moderation. Mark tells me to buckle up, more moderation is coming.

Megan tells the story of PX4, who is hacking North Korea because it hacked him. Normally, that’s the kind of moxie that appeals to me, but this effort feels a little amateurish and ill-focused.

In quicker hits, Nick and I debate the flap over ID.me, and I try to rebut claims that face recognition has a bias problem. Megan explains the brief fuss over a legislative provision that would have enabled more and faster Treasury regulation of cryptocurrency. Speaking of section 230, Mark touches on the Senate’s latest version of the EARN IT bill, as the downsizing continues. I express surprise that Facebook would not only allow foreigners to solicit help from human traffickers on the site but would put the policy in writing.

                                                                                                                                                     

Download the 393rd Episode (mp3).

 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

 

All of Washington is back from Christmas break, and suddenly the Biden Administration is showing a sharp departure from the Obama and Clinton years where regulation of Big Tech is concerned. Regulatory swagger is everywhere.

Treasury regulatory objections to Facebook’s cryptocurrency project have forced the Silicon Valley giant to abandon the effort, Maury Shenk tells us, and the White House is initiating what looks like a major interagency effort to regulate cryptocurrency on national security grounds. Federal Energy Regulatory Commission is getting serious (sort of) about monitoring the internal security of electric grid systems, Tatyana Bolton The White House and Environmental Protection Agency are launching a “sprint” to bring some basic cybersecurity to the nation’s water systems. Gary Gensler is full of ideas for expanding the Security and Exchange Commission’s security requirements for brokers, public companies, and those who service the financial industry. The Federal Trade Commission is entertaining a rulemaking petition that could profoundly affect companies now enjoying the gusher of online ad money generated by aggregating consumer data.

In other news, Dave Aitel gives us a thoughtful assessment of why the log4j vulnerability isn’t creating as much bad news as we first expected. It’s a mildly encouraging story of increased competence and speed in remediation, combined with the complexity (and stealth) of serious attacks built on the flaw.

Dave also dives deep on the story of the Belarussian hacktivists (if that’s what they are) now trying to complicate Putin’s threats against Ukraine. It’s hard to say whether they’ve actually delayed trains carrying Russian tanks to the Belarussian-Ukrainian border, but this is one group that has consistently pulled off serious hacks over several years as they harass the Lukashenko regime.

In a blast from the past, Maury Shenk takes us back to 2011 and the Hewlett Packard (HP)-Autonomy deal, which was repudiated as tainted by fraud almost as soon as it was signed. Turns out, HP is getting a long-delayed vindication, as Autonomy’s founder and CEO is found liable for fraud and ordered extradited to the U.S. to face criminal charges. Both rulings are likely to be appealed, so we’ll probably still be following court proceedings over events from 2011 in 2025 or later.

Speaking of anachronistic court proceedings, the EU’s effort to punish Intel for abusing its dominant position in the chip market has long outlived Intel’s dominant position in the chip market, and we’re nowhere near done with the litigation. Intel won a big decision from the European general court, Maury tells us. We agree that it’s only the European courts that stand between Silicon Valley and a whole lot more European regulatory swagger.

Finally, Dave brings us up to date on a New York Times story about how Israel used NSO’s hacking capabilities in a campaign to break out of years of diplomatic isolation.

                                                                                                                    

Download the 392nd Episode (mp3)

 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Just one week of antitrust litigation news shows how much turbulence Facebook and Google are encountering. Michael Weiner gives us a remarkably compact summary of the many issues, from deeply historical (Facebook’s purchase of Instagram) to cutting edge tech (complaints about Oculus self-preferencing). In all, he brings us current on two state AG case, two FTC cases, and one DOJ case against the twin giants of surveillance advertising.

Speaking of litigation, no major new technology has been greeted with more litigation in its infancy than face recognition. So this week we interview Hoan Ton-That, CEO of what must be the most controversial tech startup in decades – Clearview AI. We probe deeply into face recognition’s reputation for bias, and what the company is doing about it. Hoan is clearly taking the controversy in stride and confident that the technology will overcome efforts to turn it toxic. Meanwhile, I note, the debate is clearing out what would have been formidable competition from the likes of Microsoft, Amazon, and IBM. If you think face recognition should be banned as racist, sexist, and inaccurate, this interview will make you think.

Meanwhile, David Kris notes, rumors of war are rampant on the Russian-Ukrainian border – and in cyberspace. So far, it’s a bit of a phony cyberwar, featuring web defacing and dormant file wipers. But it could blow up at any time, and we may be surprised how much damage can be done with a keyboard.

Speaking of damage done with a keyboard, open source software is showing how much damage can be done without even trying (although some developers are in fact trying pretty hard). Nick Weaver and I dig into the Log4j and other messes, and the White House effort to head off future open source debacles.

David is in charge of good news this week. It looks as though Russia has arrested a bunch of REvil coconspirators, including one person that the White House holds responsible for the Colonial Pipeline attack. It’s surely not a coincidence that this hint of cooperation from Vladimir Putin comes when he’d very much like to have leverage on the Biden administration over Ukraine.

The EU is now firmly committed to cutting off the continent from a host of technologies offered, often free, by Silicon Valley. Google Analytics is out, according to Austrian authorities, even if this means accusing the European Parliament of violating European law. Nick reminds us that this isn’t all the services that could be cut off. Google Translate also depends on transatlantic data flows and could become unavailable in Europe. I offer an incendiary solution to that problem.

Secure messaging is still under attack, but this week its European governments taking the shots. The UK government is planning an ad campaign against end-to-end encryption, and Germany is growling about shutting down Telegram for allowing hate speech. Nick issues a heartfelt complaint about the disingenuity of both sides in the crypto debate.

Speaking of Germans who can’t live up to their reputation on protecting privacy, Nick notes that German police did exactly what Gapple feared, using a coronavirus contact-tracing app to find potential witnesses. Meanwhile, in good news, let’s not forget Twitter, whose woke colonialism led it to suspend Nigeria’s president for threatening secessionists with war. Turns out it was easier to go to war with Twitter, which has now unconditionally surrendered to the Nigerian government.

Finally, I claim kinship with Joe Rogan as one of the podcasters that bien pensant NGOs and academics hope to censor. My plan is to create a joint defense fund to which Joe and I will each contribute 1% of our podcasting revenues.

                                                                                                           

Download the 390th Episode (mp3)

 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

The Federal Trade Commission’s (FTC) other foot, I argue, is lodged firmly in its mouth. Tatyana Bolton defends the agency, which released what can only be described as a regulatory blog post in response to the log4j vulnerability, invoking the $700 million in fines imposed on Equifax to threatening “to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j.” She stresses that this is the best way to get companies to patch quickly and notes that only “reasonable steps” are required. I think we’ll hear that a lot from the FTC, now that it turns out that fixing the Log4j mess is going to require a lot more that regulatory flexing. Especially, since the FTC’s blog post seems to pull back from its tough-guy pose when talking about the open source maintainers who actually have to do much of the patch generation; unlike the companies it threatened with wrath, the FTC understands that open source coders “don’t always have adequate resources and personnel,” something the FTC “will consider as we work to address the root issues that endanger user security.”

Speaking of fallible regulators, Glenn Gerstell gives us a tour of China’s tech regulatory landscape, and the remarkable decline in the fortunes of consumer tech firms in that country, as the New York Times covered in detail last week. Is that good news for Silicon Valley or U.S. competitiveness? Sadly, probably not, I conclude.

Mark MacCarthy explains why the proposal to marry cryptocurrency to Signal is causing angst among Signal’s supporters about the end-to-end encrypted service’s “regulatory attack surface.”

Glenn covers the latest story about security risks and telecom gear from China.

Mark and I dig into the growing enthusiasm for regulating big Silicon Valley companies as gatekeepers. The Germans are about to apply that approach to Google. And the South Koreans are doing the same to Apple and its app store payment policies.

Tatyana notes the press coverage about possible tensions between two talented and strong cybersecurity officials in the White House: Anne Neuberger and Chris Inglis. I put Glenn on the spot about claims that Anne has “a particular tendency to clash with lawyers.” That would only make me love her more, but Glenn (who, as the National Security Agency’s top lawyer, worked with her for years) absolves her of the charge.

Mark and I handicap the probability that the plaintiff will succeed in a highly charged lawsuit against Facebook/Meta Platforms for bringing together the boogaloo conspirators who killed a federal protective officer. It’s a long shot, but if “negligent design” turns out to create liability for software and algorithms, Signal will have an even greater attack surface than its fans are worried about.

Glenn explains the charges brought in China against Walmart for breaches of cybersecurity laws (hint: it’s mostly not breaches of cybersecurity laws).

Speaking of surprises that aren’t surprises, Glenn also covers the announcement by Lloyd’s of London that cyber insurance won’t cover cyber-attacks attributable to nation-states.

Finally, I devote a few minutes to rant about the Justice Department’s decision to expand charges against Joe Sullivan, Uber’s former chief information security officer, for his role in payment of “bug bounties” to hackers who looked more like crooks than bounty hunters. More than a year after charging Sullivan with obstruction of justice, Justice piled on new charges of wire fraud for failing to tell Uber’s drivers about the breach. Glenn and I both question the decision to do this without any new facts to base the charges on. And I point out that the result of exposing breach response into a wire fraud charges will (or should be) fatal to the FBI’s desire to be called in while companies are dealing with breaches. If the company delays notice to the public for longer than the government thinks proper, wire fraud charges start to hang heavy in the air. If so, why would any General Counsel want to have an FBI agent sitting in the room for the debate about when notice to customers is required?

                                                                                                                                               

Download the 389th Episode (mp3)

 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

 

 

 

One of the good things about coming back from Christmas break are all the deep analyses that news outlets save up to publish over the holidays – especially those they can report from countries where celebrating Christmas isn’t that big a deal. At least that’s how I account for the flood of deep media dives on China technology issues. Megan Stifel takes us through a couple. The first is a Washington Post article on China using its tools for measuring internal dissent online and focusing them on the rest of the world. The second is an New York Times article that tells us what tools the Chinese government can use when the rest of the world says things it doesn’t like. Utterly unsurprising, to me at least, is that social media companies like Twitter have become hapless enablers of China’s speech police. Later in the podcast, Megan covers another story in the same vein – the growing global unease about China’s success in building Logink, a global logistics and shipping database.

Scott Shapiro and Nick Weaver walk us through the conviction of a Harvard professor for lying about his China ties. It may be too cynical to say that the Justice Department wanted Professor Charles Lieber especially badly because he’s not Asian, but there’s no doubt he’ll be Exhibit A when it defends the China Initiative against claims of ethnic profiling.

Megan takes us through another great story of hack-enabled great story of hack-enabled insider trading, helicopters to Zermatt, dueling extraditions, and as the piece de resistance, hints we may learn more about Russian interference with the 2016 presidential election.

Scott explains how Apple AirTags are being used to track people. Nick gives us a feel for just how hard it is to separate good from bad in designing Air Tags. I suggest that this is a problem we could leave to the plaintiffs’ lawyers.

Nick lays out the economics of hacking as a service and introduces us to yet another company in that business – Cytrox. No one seems to last long in the business without changing their name. Nick and I explore the reasons for that, and the possibility that soon the teams that work for these companies will move on every year or two.

Nick also explains why bitcoin isn’t always a cybercriminal’s best friend. It turns out that cryptography isn’t proof against rubber hose cryptanalysis, or maybe even plea bargaining.

Drawing from research I’m doing for an article about why bias in face recognition has been overblown, I note that Canada, France, and the entire Western world is imposing sanctions on Clearview AI for privacy violations, but Clearview AI is the only U.S. company doing as good or better at face recognition than Chinese and Russian suppliers. I argue that’s because a dubious bias narrative has forced IBM, Amazon, Microsoft, and Meta to retreat from the market, leaving us at the mercy of Russian and Chinese tech.

Megan explains why financial regulators and not the FBI turn out to be the biggest enemies of end-to-end encryption, as they fine JPMorgan Chase a cool $200 million for using WhatsApp and other unbreakable encrypted messaging systems.

Finally, in quick hits,

                                                                                                       

Download the 388th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

All the cyberlitigation that didn’t get filed, or decided, over Thanksgiving finally hit the fan last week, and we’re still cleaning up. But first, I have to ask Dave Aitel for sanity check a on Log4Shell.

Does it really deserve a 10 out of 10 for impact? And what does it mean for all the open source components buried in all our enterprise software? Dave’s only piece of good news is that some big projects were far enough behind in updates that they hadn’t built the flaw into their products.

In the first of several cyberlawsuits covered in this episode, Jamil Jaffer and I praise Google for a particularly comprehensive and creative approach to suing cybercriminals. RICO plus a boatload of computer privacy violations are at the heart of Google’s complaint against two criminals behind the Glupteba botnet. We note that the defendants deserve credit for their own creativity in using the blockchain to reconstitute their C2 infrastructure. If more criminals did that, Microsoft’s trademark approach – using trademark violations to seize botnet infrastructure – would be less effective. We note that this week Microsoft used litigation to take down a Chinese government network. Is it wrong to complain that Microsoft has been using this approach for long enough that botnets are only inconvenienced, not destroyed, by the tactic?

Maury Shenk digs into the remarkable report that Apple CEO Tim Cook promised $275 billion of investment to China. Five years ago. And we’re only finding out about it now. In secret. When Congress finally gets around to the cyber incident reporting bill that it bumped from the defense authorization act, maybe it will want to classify multibillion dollar deals with China as the kind of cyber incident that ought to be reported to anyone on the receiving end of corporate lobbying campaigns.

The Tenth Circuit finished its Thanksgiving by releasing a massive opinion upholding the constitutionality of Section 702 of FISA. Jamil Jaffer, who played a key role in the adoption of Section 702 walks us through the decision. The decision was 2-1, but not on the main ruling. Instead, the debate was over Article III and the “advisory” nature of FISA court opinions reviewing executive procedures under that section. I confess to some sympathy for the dissent but wonder how it would help the defendant to strike down that procedure.

Dave explains why Tor might not be a secure as we think. A mysterious and likely state sponsored actor. is running hundreds of malicious Tor relays. And to add insult to injury, the actor is openly lobbying against measures to cut down on malicious Tor relays.

But wait, there’s more cyberlitigation, and again Jamil talks us through it. A Saudi women’s rights activist has brought a CFAA lawsuit against DarkMatter and its expat American employees for an iPhone hack that she says got her arrested. I’m a little skeptical that the lawsuit will survive a Foreign Sovereign Immunities Act motion.

Maury and I question the wisdom of a recent Italian fine penalizing Amazon over a billion euros, mainly for preferencing sellers who sign up for Prime logistics

Dave tells the sad story of Ilya Sachkov, a Russian cybersecurity whiz kid and CEO who may have believed too much that everyone sees cybersecurity as a white hat enterprise. Word is that he may have been too helpful in unraveling the DNC attackers identities in 2016 and is now paying for it with a Russian treason charge.

Maury notes that the U.S. decision to blacklist the Chinese AI company SenseTime was carefully timed to guarantee disruption of SenseTime’s IPO. Whether the U.S. action will be more than a delaying tactic remains to be seen, but Maury is skeptical.

Maury notes that Wikileaks founder Julian Assange has lost an important battle as he fights extradition to the U.S., British court rules – The Washington Post. Jamil notes that the cyber incident reporting bill didn’t make it into the defense authorization act, as mentioned earlier. He is one of the few cybersecurity buffs who isn’t especially disappointed.

Maury and I disagree about a much-ballyhooed group of companies claiming to combat A.I. bias in hiring I’ll believe it when they actually expose their recommendations to public scrutiny.

For those who think bias in content moderation is not a thing, try spending ten minutes with this right-wing French candidate’s very effective campaign ad. Then ask yourself why exactly YouTube thought it wasn’t fit for children. My guess is that it was the ad’s effectiveness that YouTube really disapproved of.

Dave and I puzzle over the Biden administration’s unsatisfying `Initiative for Democratic Renewal’ – a big international get-together that got only cursory attention in the US, perhaps because its theme is still a little hard to find. And, finally, just to give me an excuse to publicize my latest Cybertoonz comic, Jamil asks for Western militaries what it means to “impose a cost” on ransomware gangs.

With that, the Cyberlaw Podcast bids farewell to 2021. We will return in January.

                                                                                                           

Download the 387th Episode (mp3).

 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

 

Federal district judge Robert Pitman has enjoined enforcement of Texas’s law regulating social media censorship.  The ruling sparks a fight between me and Nate Jones that ranges from how much weight should be given to the speech rights of social media to the Kyle Rittenhouse verdict imposed by Facebook when it decided he was guilty and wouldn’t let anyone disagree. On the merits, as before, we agreed that the Obama appointee was on solid ground (for now) in applying the Tornillo line of cases saying that government should not directly regulate the editorial judgments of publishers. But the judge’s ruling on the transparency and due process requirements of the law suggests that he wasn’t prepared to give the law a fair shake. So, look for a competitive appeal on the topic and quite possibly a certiorari grant as well. By the time we stop beating this horse, he’s long past any possible right of self-defense.

Megan Stifel has an easier task: Explaining cybersecurity recommendations for rail and other surface transportation companies. The advice is mostly something that could have been offered in the 90s, so we both puzzle over the fierce resistance from industry. Maybe it’s the 24-hour requirement to notify TSA of cyber incidents.

Nate and I explore proposals from the Biden administration to muster a group of like-minded countries to curb sales of surveillance gear to authoritarian regimes. No doubt the initiative was reinforced by news that S. State Department phones were recently hacked exported spyware from Israel. But I think the whole project fails for a simple reason: authoritarian governments can buy all the surveillance gear they need from China, which is happy to sell it. In the absence of credible enforcement, condemning such sales is empty virtue signaling.

I mock an eminently mockable story from the Markup, claiming that the PredPol crime prediction software is racist because it urges the police to patrol more poor black neighborhoods than rich white ones. Then, when the authors finally notice that that’s where arrests are concentrated, they switch arguments and say that the prediction software must be useless because the same results could be reached without the software.

Speaking of stupid, Megan explains how a “smart contract” turned out to be anything but, allowing hackers to steal $31 million in digital coin.

I ask exactly how the hacker’s feat differs from really good lawyering.

Nate and I look at how well Russia is doing in bringing Twitter to heel with a mobile slowdown. Twitter hasn’t broken yet, but it’s clear that the authoritarians of the world are slowly winning their battle with Silicon Valley.

Megan tells us how a cybersecurity professional at Ubiquiti decided to stop riding with the hounds and to ride instead with the fox. Of course we all know how most fox hunts end for the fox, and this story is no exception.

In updates, I remind listeners of the elaborate gas-lighting effort put on by Jeff Bezos in trying to blame the Saudis and the National Enquirer for his brother-in-law’s leak of Bezos’s deeply embarrassing text messages. All the investigations that Bezos managed to get started are done now, and the verdict is in: the Saudis didn’t do it.

Megan and I note a Wall Street Journal article on how tough it is to be a spy in a world of smartphones, biometrics, and universal surveillance cameras. Our reaction: Yup.

And More!

                                                                                                           

Download the 386th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.