Just one week of antitrust litigation news shows how much turbulence Facebook and Google are encountering. Michael Weiner gives us a remarkably compact summary of the many issues, from deeply historical (Facebook’s purchase of Instagram) to cutting edge tech (complaints about Oculus self-preferencing). In all, he brings us current on two state AG case, two FTC cases, and one DOJ case against the twin giants of surveillance advertising.

Speaking of litigation, no major new technology has been greeted with more litigation in its infancy than face recognition. So this week we interview Hoan Ton-That, CEO of what must be the most controversial tech startup in decades – Clearview AI. We probe deeply into face recognition’s reputation for bias, and what the company is doing about it. Hoan is clearly taking the controversy in stride and confident that the technology will overcome efforts to turn it toxic. Meanwhile, I note, the debate is clearing out what would have been formidable competition from the likes of Microsoft, Amazon, and IBM. If you think face recognition should be banned as racist, sexist, and inaccurate, this interview will make you think.

Meanwhile, David Kris notes, rumors of war are rampant on the Russian-Ukrainian border – and in cyberspace. So far, it’s a bit of a phony cyberwar, featuring web defacing and dormant file wipers. But it could blow up at any time, and we may be surprised how much damage can be done with a keyboard.

Speaking of damage done with a keyboard, open source software is showing how much damage can be done without even trying (although some developers are in fact trying pretty hard). Nick Weaver and I dig into the Log4j and other messes, and the White House effort to head off future open source debacles.

David is in charge of good news this week. It looks as though Russia has arrested a bunch of REvil coconspirators, including one person that the White House holds responsible for the Colonial Pipeline attack. It’s surely not a coincidence that this hint of cooperation from Vladimir Putin comes when he’d very much like to have leverage on the Biden administration over Ukraine.

The EU is now firmly committed to cutting off the continent from a host of technologies offered, often free, by Silicon Valley. Google Analytics is out, according to Austrian authorities, even if this means accusing the European Parliament of violating European law. Nick reminds us that this isn’t all the services that could be cut off. Google Translate also depends on transatlantic data flows and could become unavailable in Europe. I offer an incendiary solution to that problem.

Secure messaging is still under attack, but this week its European governments taking the shots. The UK government is planning an ad campaign against end-to-end encryption, and Germany is growling about shutting down Telegram for allowing hate speech. Nick issues a heartfelt complaint about the disingenuity of both sides in the crypto debate.

Speaking of Germans who can’t live up to their reputation on protecting privacy, Nick notes that German police did exactly what Gapple feared, using a coronavirus contact-tracing app to find potential witnesses. Meanwhile, in good news, let’s not forget Twitter, whose woke colonialism led it to suspend Nigeria’s president for threatening secessionists with war. Turns out it was easier to go to war with Twitter, which has now unconditionally surrendered to the Nigerian government.

Finally, I claim kinship with Joe Rogan as one of the podcasters that bien pensant NGOs and academics hope to censor. My plan is to create a joint defense fund to which Joe and I will each contribute 1% of our podcasting revenues.

                                                                                                           

Download the 390th Episode (mp3)

 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

The Federal Trade Commission’s (FTC) other foot, I argue, is lodged firmly in its mouth. Tatyana Bolton defends the agency, which released what can only be described as a regulatory blog post in response to the log4j vulnerability, invoking the $700 million in fines imposed on Equifax to threatening “to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j.” She stresses that this is the best way to get companies to patch quickly and notes that only “reasonable steps” are required. I think we’ll hear that a lot from the FTC, now that it turns out that fixing the Log4j mess is going to require a lot more that regulatory flexing. Especially, since the FTC’s blog post seems to pull back from its tough-guy pose when talking about the open source maintainers who actually have to do much of the patch generation; unlike the companies it threatened with wrath, the FTC understands that open source coders “don’t always have adequate resources and personnel,” something the FTC “will consider as we work to address the root issues that endanger user security.”

Speaking of fallible regulators, Glenn Gerstell gives us a tour of China’s tech regulatory landscape, and the remarkable decline in the fortunes of consumer tech firms in that country, as the New York Times covered in detail last week. Is that good news for Silicon Valley or U.S. competitiveness? Sadly, probably not, I conclude.

Mark MacCarthy explains why the proposal to marry cryptocurrency to Signal is causing angst among Signal’s supporters about the end-to-end encrypted service’s “regulatory attack surface.”

Glenn covers the latest story about security risks and telecom gear from China.

Mark and I dig into the growing enthusiasm for regulating big Silicon Valley companies as gatekeepers. The Germans are about to apply that approach to Google. And the South Koreans are doing the same to Apple and its app store payment policies.

Tatyana notes the press coverage about possible tensions between two talented and strong cybersecurity officials in the White House: Anne Neuberger and Chris Inglis. I put Glenn on the spot about claims that Anne has “a particular tendency to clash with lawyers.” That would only make me love her more, but Glenn (who, as the National Security Agency’s top lawyer, worked with her for years) absolves her of the charge.

Mark and I handicap the probability that the plaintiff will succeed in a highly charged lawsuit against Facebook/Meta Platforms for bringing together the boogaloo conspirators who killed a federal protective officer. It’s a long shot, but if “negligent design” turns out to create liability for software and algorithms, Signal will have an even greater attack surface than its fans are worried about.

Glenn explains the charges brought in China against Walmart for breaches of cybersecurity laws (hint: it’s mostly not breaches of cybersecurity laws).

Speaking of surprises that aren’t surprises, Glenn also covers the announcement by Lloyd’s of London that cyber insurance won’t cover cyber-attacks attributable to nation-states.

Finally, I devote a few minutes to rant about the Justice Department’s decision to expand charges against Joe Sullivan, Uber’s former chief information security officer, for his role in payment of “bug bounties” to hackers who looked more like crooks than bounty hunters. More than a year after charging Sullivan with obstruction of justice, Justice piled on new charges of wire fraud for failing to tell Uber’s drivers about the breach. Glenn and I both question the decision to do this without any new facts to base the charges on. And I point out that the result of exposing breach response into a wire fraud charges will (or should be) fatal to the FBI’s desire to be called in while companies are dealing with breaches. If the company delays notice to the public for longer than the government thinks proper, wire fraud charges start to hang heavy in the air. If so, why would any General Counsel want to have an FBI agent sitting in the room for the debate about when notice to customers is required?

                                                                                                                                               

Download the 389th Episode (mp3)

 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

 

 

 

One of the good things about coming back from Christmas break are all the deep analyses that news outlets save up to publish over the holidays – especially those they can report from countries where celebrating Christmas isn’t that big a deal. At least that’s how I account for the flood of deep media dives on China technology issues. Megan Stifel takes us through a couple. The first is a Washington Post article on China using its tools for measuring internal dissent online and focusing them on the rest of the world. The second is an New York Times article that tells us what tools the Chinese government can use when the rest of the world says things it doesn’t like. Utterly unsurprising, to me at least, is that social media companies like Twitter have become hapless enablers of China’s speech police. Later in the podcast, Megan covers another story in the same vein – the growing global unease about China’s success in building Logink, a global logistics and shipping database.

Scott Shapiro and Nick Weaver walk us through the conviction of a Harvard professor for lying about his China ties. It may be too cynical to say that the Justice Department wanted Professor Charles Lieber especially badly because he’s not Asian, but there’s no doubt he’ll be Exhibit A when it defends the China Initiative against claims of ethnic profiling.

Megan takes us through another great story of hack-enabled great story of hack-enabled insider trading, helicopters to Zermatt, dueling extraditions, and as the piece de resistance, hints we may learn more about Russian interference with the 2016 presidential election.

Scott explains how Apple AirTags are being used to track people. Nick gives us a feel for just how hard it is to separate good from bad in designing Air Tags. I suggest that this is a problem we could leave to the plaintiffs’ lawyers.

Nick lays out the economics of hacking as a service and introduces us to yet another company in that business – Cytrox. No one seems to last long in the business without changing their name. Nick and I explore the reasons for that, and the possibility that soon the teams that work for these companies will move on every year or two.

Nick also explains why bitcoin isn’t always a cybercriminal’s best friend. It turns out that cryptography isn’t proof against rubber hose cryptanalysis, or maybe even plea bargaining.

Drawing from research I’m doing for an article about why bias in face recognition has been overblown, I note that Canada, France, and the entire Western world is imposing sanctions on Clearview AI for privacy violations, but Clearview AI is the only U.S. company doing as good or better at face recognition than Chinese and Russian suppliers. I argue that’s because a dubious bias narrative has forced IBM, Amazon, Microsoft, and Meta to retreat from the market, leaving us at the mercy of Russian and Chinese tech.

Megan explains why financial regulators and not the FBI turn out to be the biggest enemies of end-to-end encryption, as they fine JPMorgan Chase a cool $200 million for using WhatsApp and other unbreakable encrypted messaging systems.

Finally, in quick hits,

                                                                                                       

Download the 388th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

All the cyberlitigation that didn’t get filed, or decided, over Thanksgiving finally hit the fan last week, and we’re still cleaning up. But first, I have to ask Dave Aitel for sanity check a on Log4Shell.

Does it really deserve a 10 out of 10 for impact? And what does it mean for all the open source components buried in all our enterprise software? Dave’s only piece of good news is that some big projects were far enough behind in updates that they hadn’t built the flaw into their products.

In the first of several cyberlawsuits covered in this episode, Jamil Jaffer and I praise Google for a particularly comprehensive and creative approach to suing cybercriminals. RICO plus a boatload of computer privacy violations are at the heart of Google’s complaint against two criminals behind the Glupteba botnet. We note that the defendants deserve credit for their own creativity in using the blockchain to reconstitute their C2 infrastructure. If more criminals did that, Microsoft’s trademark approach – using trademark violations to seize botnet infrastructure – would be less effective. We note that this week Microsoft used litigation to take down a Chinese government network. Is it wrong to complain that Microsoft has been using this approach for long enough that botnets are only inconvenienced, not destroyed, by the tactic?

Maury Shenk digs into the remarkable report that Apple CEO Tim Cook promised $275 billion of investment to China. Five years ago. And we’re only finding out about it now. In secret. When Congress finally gets around to the cyber incident reporting bill that it bumped from the defense authorization act, maybe it will want to classify multibillion dollar deals with China as the kind of cyber incident that ought to be reported to anyone on the receiving end of corporate lobbying campaigns.

The Tenth Circuit finished its Thanksgiving by releasing a massive opinion upholding the constitutionality of Section 702 of FISA. Jamil Jaffer, who played a key role in the adoption of Section 702 walks us through the decision. The decision was 2-1, but not on the main ruling. Instead, the debate was over Article III and the “advisory” nature of FISA court opinions reviewing executive procedures under that section. I confess to some sympathy for the dissent but wonder how it would help the defendant to strike down that procedure.

Dave explains why Tor might not be a secure as we think. A mysterious and likely state sponsored actor. is running hundreds of malicious Tor relays. And to add insult to injury, the actor is openly lobbying against measures to cut down on malicious Tor relays.

But wait, there’s more cyberlitigation, and again Jamil talks us through it. A Saudi women’s rights activist has brought a CFAA lawsuit against DarkMatter and its expat American employees for an iPhone hack that she says got her arrested. I’m a little skeptical that the lawsuit will survive a Foreign Sovereign Immunities Act motion.

Maury and I question the wisdom of a recent Italian fine penalizing Amazon over a billion euros, mainly for preferencing sellers who sign up for Prime logistics

Dave tells the sad story of Ilya Sachkov, a Russian cybersecurity whiz kid and CEO who may have believed too much that everyone sees cybersecurity as a white hat enterprise. Word is that he may have been too helpful in unraveling the DNC attackers identities in 2016 and is now paying for it with a Russian treason charge.

Maury notes that the U.S. decision to blacklist the Chinese AI company SenseTime was carefully timed to guarantee disruption of SenseTime’s IPO. Whether the U.S. action will be more than a delaying tactic remains to be seen, but Maury is skeptical.

Maury notes that Wikileaks founder Julian Assange has lost an important battle as he fights extradition to the U.S., British court rules – The Washington Post. Jamil notes that the cyber incident reporting bill didn’t make it into the defense authorization act, as mentioned earlier. He is one of the few cybersecurity buffs who isn’t especially disappointed.

Maury and I disagree about a much-ballyhooed group of companies claiming to combat A.I. bias in hiring I’ll believe it when they actually expose their recommendations to public scrutiny.

For those who think bias in content moderation is not a thing, try spending ten minutes with this right-wing French candidate’s very effective campaign ad. Then ask yourself why exactly YouTube thought it wasn’t fit for children. My guess is that it was the ad’s effectiveness that YouTube really disapproved of.

Dave and I puzzle over the Biden administration’s unsatisfying `Initiative for Democratic Renewal’ – a big international get-together that got only cursory attention in the US, perhaps because its theme is still a little hard to find. And, finally, just to give me an excuse to publicize my latest Cybertoonz comic, Jamil asks for Western militaries what it means to “impose a cost” on ransomware gangs.

With that, the Cyberlaw Podcast bids farewell to 2021. We will return in January.

                                                                                                           

Download the 387th Episode (mp3).

 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

 

Federal district judge Robert Pitman has enjoined enforcement of Texas’s law regulating social media censorship.  The ruling sparks a fight between me and Nate Jones that ranges from how much weight should be given to the speech rights of social media to the Kyle Rittenhouse verdict imposed by Facebook when it decided he was guilty and wouldn’t let anyone disagree. On the merits, as before, we agreed that the Obama appointee was on solid ground (for now) in applying the Tornillo line of cases saying that government should not directly regulate the editorial judgments of publishers. But the judge’s ruling on the transparency and due process requirements of the law suggests that he wasn’t prepared to give the law a fair shake. So, look for a competitive appeal on the topic and quite possibly a certiorari grant as well. By the time we stop beating this horse, he’s long past any possible right of self-defense.

Megan Stifel has an easier task: Explaining cybersecurity recommendations for rail and other surface transportation companies. The advice is mostly something that could have been offered in the 90s, so we both puzzle over the fierce resistance from industry. Maybe it’s the 24-hour requirement to notify TSA of cyber incidents.

Nate and I explore proposals from the Biden administration to muster a group of like-minded countries to curb sales of surveillance gear to authoritarian regimes. No doubt the initiative was reinforced by news that S. State Department phones were recently hacked exported spyware from Israel. But I think the whole project fails for a simple reason: authoritarian governments can buy all the surveillance gear they need from China, which is happy to sell it. In the absence of credible enforcement, condemning such sales is empty virtue signaling.

I mock an eminently mockable story from the Markup, claiming that the PredPol crime prediction software is racist because it urges the police to patrol more poor black neighborhoods than rich white ones. Then, when the authors finally notice that that’s where arrests are concentrated, they switch arguments and say that the prediction software must be useless because the same results could be reached without the software.

Speaking of stupid, Megan explains how a “smart contract” turned out to be anything but, allowing hackers to steal $31 million in digital coin.

I ask exactly how the hacker’s feat differs from really good lawyering.

Nate and I look at how well Russia is doing in bringing Twitter to heel with a mobile slowdown. Twitter hasn’t broken yet, but it’s clear that the authoritarians of the world are slowly winning their battle with Silicon Valley.

Megan tells us how a cybersecurity professional at Ubiquiti decided to stop riding with the hounds and to ride instead with the fox. Of course we all know how most fox hunts end for the fox, and this story is no exception.

In updates, I remind listeners of the elaborate gas-lighting effort put on by Jeff Bezos in trying to blame the Saudis and the National Enquirer for his brother-in-law’s leak of Bezos’s deeply embarrassing text messages. All the investigations that Bezos managed to get started are done now, and the verdict is in: the Saudis didn’t do it.

Megan and I note a Wall Street Journal article on how tough it is to be a spy in a world of smartphones, biometrics, and universal surveillance cameras. Our reaction: Yup.

And More!

                                                                                                           

Download the 386th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

 

This week we celebrated International Tech Policy Week, which happens every year around this time, when the American policymakers, the American execs who follow them, and the U.S. journalists who report on them all go home to eat turkey with their families and leave tech policy to the rest of the world.

Leading off a review of China’s contribution to the week, Paul Rosenzweig and Jordan Schneider cover Beijing’s pressure on Didi to delist from a S. stock exchange. If you believe it is about data security, I have a Chinese unicorn tech stock, soon to be half a unicorn, to sell you.

Jordan explains why China is also taking Tencent to the woodshed for not quite getting the message about who make the rules. In case you’re not getting the message, he also covers China’s decision to impose fines on tech firms for a decade’s worth of M&A deals.

David Kris turns what could have been a U.S. story – Insurers’ running for cover ransomware losses—international by focusing on a proposal from Lloyds of London.

Paul and I dig into a story that starts in the U.S. but soon moves abroad, Apple’s slightly weird computer fraud and abuse lawsuit against the international exploit firm, NSO Group. I point to other stories that seem to me to signal that tech hubris on this issue is out of control. Facebook is trying to stop undercover cops from using fake accounts to collect quasipublic information. And Apple is telling its customers when it discovers that they are the targets of state-sponsored malware. This is wholesale interference with law enforcement activity that in other contexts would simply be unexceptionable undercover work or lawful interception of communications. In Apple’s case, it’s egregious, since the company has not explained how it will manage to avoid blowing up legitimate counterterrorism and criminal investigations that are using malware because Apple has already foreclosed less dramatic options.

Meanwhile, in Israel, the demonization of NSO Group has led authorities to dramatically cut the number of countries to which spyware can be exported. Iran may not be on the list, but Israel seems to have exported plenty to that country, which is now returning the favor, as cyberconflict begins hitting ordinary citizens in both countries.

David, Paul, and I reveal our history-based prejudices as we examine the latest miniflap that briefly detained Congress’s proposed cyber incident reporting mandate – its failure to require simultaneous reporting to the FBI. That is a dumb idea, and the Senate seems to have treated it with exactly the amount of deference it deserved. At least that’s my view from inside the locker.

Jordan touches briefly on a Chinese province’s plan to construct a surveillance system for foreigners. He thinks there’s more (or maybe less) to the story than it appears. He also covers the U.S. decision to blacklist Chinese quantum computing companies, giving me a chance to divert him to coverage of the Endless Frontier Act and China’s peculiar decision to turn it into a BFD.

David and I dig into a proposed (and likely to pass) new UK law on IOT security that looks a lot like California’s law on the same topic.

In quick hits and updates, I note that Meta will have trouble delivering end-to-end encryption on Facebook and Instagram before 2023. And despite efforts to toxify the entire field and this company in particular, Clearview AI’s face recognition tool is performing very well against international competition. I also note that my research suggests that the whole “AI bias” narrative about face recognition, has been stuck in 2016 and has ignored the remarkable accuracy (and debiasing) strides the industry has made in recent years.

And More!

                                                                                                           

Download the 385th Episode (mp3)

 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Among the many problems with the current social media enthusiasm for deplatforming is this question: What do you do with all the data generated by people you deplatformed?

Facebook’s answer, as you’d expect, is that Facebook can do what it wants with the data, which mostly means deleting it. Even if it’s evidence of a crime?  Yes, says the platform, unless law enforcement asks us to save it. The legal fight over a deplatformed group that defended historical statues (and may have shot someone in the process) will tell us something about the – law of deplatformed data as will the fight over The Gambia’s effort to recover evidence of deplatformed human rights evidence. In the end, though, we need a law on this question. Because, given their track record in content moderation, leaving the question to the discretion of social media will translate into platforms’ preserving only evidence that hurts people they hate.

Tired: Data breach reporting. Wired: Cyber incident reporting. The unanimous view of our news panelists, Paul Rosenzweig and Dmitri Alperovitch, is that cyber policy has turned from reporting personal data breaches to reporting serious cyber intrusions no matter what data is compromised.  The latest example is the financial regulators’ adoption of a rule requiring banks and similar institutions to report major cyber incidents within 36 hours of determination that one has occurred.

But who will make that determination and with what certainty? Dmitri’s money is on the lawyers. I think there’s a great ER-style drama in the process: “OK, I’m going to call it. No point in trying to keep this alive any longer. Time of determination is 2:07 pm.”

Back after a long absence, we add an interview to the news roundup. David “moose” Wolpoff and Dan MacDonnell of Randori explain the consternation over their startup’s use of a serious vulnerability to conduct realistic penetration tests of buttoned-up networks instead of reporting it right away to the software provider. They argue that the value of zero days for pentesting is great and the risk of harm low, if handled responsibly. In fact, the debate sounds a lot like the arguments around the table at a government Vulnerability Equities Process (“VEP”) meeting.  And that makes me wonder whether the people pushing for a stricter VEP have any idea at all what they’re talking about.

Dmitri lays out the surprising complexity and sophistication of the Iranian attempt to influence the 2020 election. I’m less convinced. The Iranian effort failed, after all, and it resulted in the hackers’ indictment.

I dig into a recent brief by Hikvision claiming that the FCC lacks authority to bar sales of its products in the US. I’m only half convinced by the legal claim, but I am sure of this: The Hikvision argument has created an opportunity for some enterprising politician to sponsor quick, uncontroversial legislation giving the FCC the authority that Hikvision says it doesn’t have.

Dmitri explains the latest advance of the hardware hack known as  It may not be deployed routinely even now, he says, but the exploit makes clear that we will never entirely secure our cyber infrastructure.

Paul and I agree that it’s perfectly legal for government to buy advertising data that shows citizens’ locations. We more or less agree that some restraint on sales of location data – at least to the Russian and Chinese governments and maybe to anybody – are in order.

Paul and I offer muted and squeamish criticism of a Big Report claiming that child sexual abuse is exploding online. There’s no doubt that it’s a problem that deserves more legal and platform effort, but the authors did their cause no favors by mixing kids exchanging nude selfies with truly loathsome material.

Dmitri and I perform a public service announcement about a scam that takes advantage of security habits that the banks have encouraged us to get used to. Zelle fraud is going to make us all regret those habits.

And hopefully it will finally get banks to use hardware tokens instead of text messages to verify our transactions.

Germany and Mandiant are at odds in attributing the government sponsor of the Ghostwriter hacking gang. Germany, backed by the EU, says it’s Russia. Mandiant says it’s Belarus.

Dmitri says “Never bet against Mandiant on attribution.” I can’t disagree.

Finally, Dmitri joins me in an appreciation of Alan Paller, who died last week. He was a major influence in cybersecurity, and a role model for successful entrepreneurs who want to give back using their institution-creating skills.

And More!

                                                                                                           

Download the 384th Episode (mp3)

 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

 

 

 

 

 

Two major Senate committees have reached agreement on a cyber incident reporting mandate. And it looks like the big winner are the business lobbyists who got concessions from both committees. At least that’s my take. Dmitri Alperovitch says the bill may still be in trouble because of Justice Department opposition. And Tatyana Bolton not unfairly credits the Cyber Solarium Commission for incident reporting getting this close to passage.

Meanwhile, another piece of legislation, the Secure Equipment Act of 2021, has already been passed and signed by the President. It will lock a boatload of Chinese equipment out of U.S. markets. Dmitri explains why the FCC needed this additional authority.

Mark MacCarthy explicates the EU court ruling that upheld a $2.8 billion award against Google for “self-preferencing” in shopping searches.

If you’re surprised by the Kyle Rittenhouse trial, and the strength of the defense case, you can blame Facebook and Twitter, with astonishingly suppressed posts arguing that Rittenhouse had acted lawfully in self-defense. In a reverse John Adams moment, Twitter even suspended Rittenhouse’s defense counsel for defending him. And Facebook declared him guilty of a mass shooting and blocked searches for his name. If you want more content mob-eration like that in your podcast feed, well, no worries: the NYT is on it; the gray old lady is demanding to know why woke censorship hasn’t yet come to podcasts.

This has turned out to be a pretty good week for catching bad guys, Dmitri reports. REvil affiliates have been, arrested, indicted, and had some of their ill-gotten gains

Mark unpacks yet another bipartisan tech regulation-cum-competition bill. This one aiming to reduce platforms’ ability to foist “opaque algorithms” on their users. Tatyana notes that a lot of the bills trying to improve portability and competition are likely to raise cybersecurity concerns.

Dmitri and I aren’t impressed by the hoax email sent out in the FBI’s name from a poorly designed FBI website. It’s one step up from defacing the FBI’s website. I argue the bureau ought to give the hacker a low four-figure bug bounty and call it a day, but Dmitri thinks the hacker will be on the FBI’s most wanted list for a while. I tend to agree; there is, after all, no greater crime than Embarrassing the Bureau.

In quick hits:

  • Mark gives us a quick overview of the states’ recently updated antitrust complaint against Alphabet’s Google.
  • Tatyana and Dmitri talk about the implications of the Commerce Department sending information requests to the world’s top chipmakers.
  • Tatyana explains (as much as anyone can) Elon Musk’s decision to sell a bunch of Tesla stock because that’s what Elon Twitter wanted. We note that Elon promised to show his tweets to a lawyer in advance if they could move the market and wonder whether he actually found a lawyer who thought that tweet was a good idea.
  • I do a quick victory lap for having suspected that Frances Haugen’s incoherent retreat from criticizing Facebook’s end-to-end encryption was forced on her by the Silicon Valley version of the Deep State. Thanks to Politico, we now know her European tour was run by a batch of lefty digerati who hate Facebook, but not as much as they hate the FBI.
  • And I mourn the fact that this week the U.S. government finally surrendered to Microsoft and joined the Paris Call for Trust and Security in Cyberspace.

And More!

                                                                                                           

Download the 383rd Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

 

 

We’re joined for this episode by Scott Shapiro, long-time listener and first-time panelist, not to mention our first philosopher. He breaks down the Biden administration sanctions on four offensive cyber firms, most notable the Israeli company, NSO. Imposing Commerce Department “entity list” sanctions on companies from friendly countries for human rights abuses is a departure from historical practice, and exactly how it will work out remains uncertain. The sanctions are not a death penalty for companies like NSO, we conclude, since U.S. companies can still buy their services even if they can’t sell NSO anything more sophisticated than toilet paper.

The Pentagon is a bastion of top-down cybersecurity In theory, that’s what the Cybersecurity Maturity Model Certification program was all about – comprehensive and mandatory cybersecurity regulation for defense contractors. But as Nate Jones describes it, the Department of Defense’s effort to actually put the regulations in place are a cautionary tale. The Pentagon has revamped and delayed its standards again. The new proposal may well be more workable and less bureaucratic than the last, but it also pushes the day of reckoning for contractors years into the future.

Jamil Jaffer thinks the good guys may have won another battle with ransomware gangs, but it’s probably too soon to tell. On the heels of REvil claiming to be out of business, similar noises. DarkMatter is making But we won’t know for sure until the gangs have gone quiet for more than a couple of months.

Decoupling is still proceeding apace, as Yahoo surprises us all by announcing that it’s pulling out of China. (I’d forgotten they were still in.)

Jamil and Nate note that GitHub is the last big Western web company left in China. And even for GitHub, the ice appears to be cracking under its feet.

Scott takes us deep into jurisprudential philosophy in covering the ACLU’s threepeated loss as it argued a first amendment right to read classified FISA court opinions. It may be a first for our podcast to reference Marbury v. Madison, and it’s certainly a first to raise questions about whether it was correctly decided! Jamil also gives us a quick assessment of what Justice Gorsuch’s willingness to take the case tells us about his future role in national security cases.

Nate and I give the backs of our hand to legislative proposals to expand from “Five Eyes” to ‘Nine. I make the argument that we’re really down to Three.

Clearview AI took a beating down under for breaching Australians’ privacy law. Nate is short on sympathy. He thinks a more responsible set of actors might have prevented the toxification of face recognition. I argue that the toxification came first, and the dearth of big respectable face recognition firms came later. As witness Facebook being driven from the market by a $650m award under the Illinois Biometric Information Privacy Act.

In quick hits:

  • For old time’s sake, Nate and I clash over lefty efforts to define a lack of enthusiasm for climate-based regulation as “digital hate”
  • Jamil and I offer qualified endorsements of the State Department’s new cyber bureau
  • I namecheck podcast regular Paul Rosenzweig and others for a thoughtful thoughtful report on Chinese platforms in the United States:
  • I see some good news for cybersecurity in CISA’s (Cybersecurity and Infrastructure Security Agency) latest Binding Operational Directive mandating that federal agencies that we know are being exploited right now. I note that the directive is addressed to federal agencies quickly patch vulnerabilities but aimed quite deliberately at private owners of critical infrastructure. Don’t say you weren’t warned!

And More!

                                                                                                                                     

Download the 382nd Episode (mp3)

 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

In this episode, Dave Aitel and I dig into the new criminal law the House intelligence committee has proposed for workers at intelligence agencies. The proposal is driven by the bad decisions of three intel agency alumni who worked for the UAE, doing phone hacking and other intrusions under the sobriquet of Project Raven. Dave criticizes the broad language, the assumption that hacking for the government teaches things you can’t learn in the private sector, and the use of criminal penalties where reporting obligations would suffice. I plug a podcast on the topic released by the Association of Former Intelligence Officers.

Maury Shenk and I dig into the FCC’s decision to kick China Telecom off the U.S. telecommunications network. My view: this decision was overdetermined, a perfect storm of bad politics, poor decisions by China Telecom, and the fact that no American company has ever been licensed to do in China what China Telecom has spent 20 years doing in the United States.

We also dig into the proposal of a global regulatory alliance, Financial Action Task Force (“FATF”), to impose some fairly strict requirements on cryptocurrency transactions.  A lot of companies are criticizing the proposal, but unlike five years ago, they’re weighed down by the existence of an entire ransomware industry that depends on cryptocurrency.

The EU, meanwhile, is struggling to implement sanctions for cyber-attacks. As usual, Europe is its own worst enemy, tied down by excessive politicization, weak intelligence collection made weaker by a lack of sharing, and aggressive judicial oversight.

Maury and I track down a tip about France trying to turn cloud security standards into a weapon for excluding U.S.-owned providers. The big cloud companies are deemed insecure because they aren’t immune to U.S. legal process. But neither are the “big” European champions, since they almost certainly are subject to U.S. jurisdiction. So not only will EU buyers of cloud services be stuck with Deutsche Telekom and its 2% market share, they still won’t be safe from the long arm of U.S. discovery. European data protection policy at its finest!

We briefly explore Facebook whistleblower Frances Haugen’s flirtation with criticizing Facebook for adopting end-to-end encryption (“e2e”). Once she discovered that criticizing e2e is beyond the pale, however, she retreated into a cloud of incomprehensibility.  I capture the moment in my latest effort to turn cyber policy into cartoons.

And More!

                                                                                                                                                     

Download the 381st Episode (mp3)

 

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

 

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.