This week’s episode is a news roundup without an interview. We lead with the Senate’s overwhelming adoption of unexpectedly tough Russia sanctions along with the Iran sanctions bill. The mainstream press has emphasized that the bill will lock the Obama sanctions into legislation, but Anthony Rapa explains that the bigger story is just how tough the bill will be on investors in Russia’s energy sector, including European and other third-country firms. This is going to put heavy pressure on the House and its Republican majority, where enthusiasm for punishing Russia has been more tepid.
In other legislative news, the Freedom Caucus has announced that it doesn’t know what it wants from 702 renewal, but it wants something. At least that’s how I read the Caucus’s two-sentence press release on section 702 renewal. In its entirety, the release says, “Government surveillance activities under the FISA Amendments Act have violated Americans’ constitutionally protected rights. We oppose any reauthorization of the FISA Amendments Act that does not include substantial reforms to the government’s collection and use of Americans’ data.” In a rare show of Cyberlaw podcast consensus, Michael Vatis agrees.
Meanwhile, NSA and GCHQ are now linking WannaCry to North Korea. The bad news is that North Korea is bringing the same spirit to cyberattacks that it has brought to nukes and missiles. The good news is that the North Koreans are still bad at cyberattacks. But they were bad at nukes and missiles once as well.
And we circle back to put the boot in on Reality Winner – the self-proclaimed “pretty, white, and cute” dingbat who leaked an NSA memo on Russia’s election hacking to the Intercept, which then managed to match her opsec cluelessness with its own.
The export of exploits for internal security purposes is getting plenty of press, as the BBC goes after exports from Denmark to the Arab world while the New York Times exposes misuse of exploits to compromise critics of the Mexican government.
As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785.
In the news roundup, Benjamin Wittes makes a cameo appearance, defending Jim Comey (but not the FBI) from my suggestion that leaking has a long and unattractive history at the Bureau. Brian Egan takes us deep on federal records law.
Next, Ben actually finds himself to my right as we try to negotiate a quick resolution to the growing impasse over section 702. I will never live it down. Nor will Ben.
Maury Shenk explains what the UK election means for tech. Who knew? The Unionists actually have a tech platform.
Maury and Brian muse on what the Qatar crisis tells us about cyberattacks – they may turn out to be much more effective as short-term one-offs than as sustained campaigns.
China has found a way to use its new cybersecurity law — to investigate Apple, naturally. A better target would be the Chinese company Rafotech, which has installed something that looks a lot like spyware on 250 million machines worldwide. I’ll be at the Irish government’s Data Protection Summit later this week, and I’ll be asking why the EU is wasting its data export capital on fights with the US instead of China.
Finally, we cover Ukraine’s unusual new sanctions aimed at Russian social media companies, which are also Ukraine’s main social media companies. No doubt there are censorship issues lurking in that program, but I can’t help wondering why human rights groups are riding the first amendment to the rescue of companies that dance to Vladimir Putin’s tune.
To close the episode, I interview Ben Buchanan, Fellow of the Cyber Security Project at the Harvard Kennedy School of Government. I challenge the thesis of his book, The Cyber Security Dilemma: Hacking, Trust and Fear, and he holds up under the challenge pretty well.
Episode 168 features the Tinkers-to-Evers-to-Chance of global censorship, as Filipino contractors earning minimum wage delete posts in order to satisfy US tech companies who are in turn trying to satisfy European governments. Really, what could go wrong?
In addition to Maury Shenk, our panel of interlocutors includes David Sanger, Chief Washington Correspondent for the New York Times, and Karen Eltis, Professor of Law at the University of Ottawa. Even if you think that reducing Islamic extremist proselytizing online is a good idea, I argue, that’s not likely to be where the debate over online content ends up. Indeed, even today, controls on hate speech are aimed more at tweets that sound like President Trump than at extremist recruiting. Bottom line: no matter how you slice it, the first amendment is in deep trouble.
In other news, I criticize the right half of the blogosphere for not reading the FISA court decision they claim shows that President Obama was spying illegally at the end of his term. Glenn Reynolds, I’m talking about you!
The EU, in a bow to diplomatic reality, will not bother trying to improve the Safe Harbor deal it got from President Obama. Instead, it will try to get President Trump to honor President Obama’s privacy promises. Good luck with that, guys.
Wikimedia’s lawsuit over NSA surveillance has been revived by the court of appeals, and I find myself unable to criticize the ruling. If standing means anything, it seems as though Wikimedia ought to have standing to sue over surveillance; whether Wikimedia should be wasting our contributions on such a misconceived cause is a different question.
China’s cybersecurity law has mostly taken effect. Maury explains how little we know about what it means.
Finally, David Sanger, in his characteristic broad-gauge fashion, is able to illuminate a host of cyber statecraft topics: whether the North Koreans are getting better at stopping cyberattacks on their rocket program; how good a job Macron really did in responding to the Russian doxing attempt; and what North Korean hackers are up to in Thailand.
Episode 167 sees blockchain take over the podcast again. With Stewart traveling, Alan Cohn hosts another of the podcast’s periodic deep dives into all things blockchain and digital currency. Our guest is Meltem Demirors, Director of Development at Digital Currency Group. Podcast regular Maury Shenk joins members of Steptoe’s Blockchain and Digital Currency Practice, including financial regulation practitioner Matt Kulkin, tax guru Cameron Arterton, and author of several recent smart contracts blog posts Jared Butcher, in breaking down the current state of affairs in the blockchain world.
Our episode begins by looking at the brewing controversy in the tax world. Cameron skillfully takes us through IRS Notice 2014-21, which provided initial guidance for how virtual currencies would be treated for tax purposes, as well as the charmingly named TIGTA Virtual Currency Report, released in September 2016, which told the IRS that it hadn’t done much beyond issuing this guidance to flesh out what it actually meant to consumers and businesses. The IRS responded with the notorious Coinbase Summons, a John Doe summons that requested records of over 500,000 Coinbase subscribers. Needless to say, this led to Coinbase users challenging the summons in court and moving to quash, while Congressional leaders question the wisdom of the IRS summons. Cameron and Alan consider this an opportune moment for the IRS to work with the industry to develop additional guidance.
We then take on the emerging phenomenon of token sales, nicknamed Initial Coin Offerings or ICOs. Matt and Alan tell us what in the world this is, how token sales work, and some of the legal challenges, including whether ICOs constitute sales of securities under the Howey test and the question of fiduciary duties. Matt and Alan conclude that ICOs can vary significantly from each other and that ultimately virtual currencies and tokens may simply be a new asset class.
Steptoe has done a lot of writing lately on smart contracts, and Jared takes us through several recent Steptoe Blockchain Blog posts on reasons to put an arbitration clause in your company’s smart contracts, tips for drafting arbitration clauses in smart contracts, and best practices for limiting liability arising from smart contract vulnerabilities. Jared and Alan discuss the new approach companies need to take in considering issues like dispute resolution and liability limitations in the context of smart contracts.
We then go across the pond to Europe, where Maury gives us the status of the delayed EU proposal to extend AML regulation to virtual currencies. Maury predicts that the legislation will pass this year forcing companies that provide virtual currency related services, such as exchanges and wallets, to comply with very burdensome requirements.
Finally, in the lightning round, Alan tells us about the recent surge in the price of bitcoin and other cryptocurrencies; Matt tells us about the future of leadership at the Commodity Futures Trading Commission and gives us an update on the Office of the Comptroller of the Currency’s proposed Fintech Charter, including a lawsuit by state regulators to head off this initiative.
In our interview, Meltem takes us through the current landscape of virtual currencies, including DCG’s recent launch of blockchain accelerator DCG Connect. Meltem tells us about the current state of play for blockchain use cases and blockchain companies, and gives her thoughts on the ICO craze. Meltem shares her thoughts on what she thinks are the most interesting things that she sees coming in the future, and she tells us what we should be looking for as signals that we’ve moved to the next stage of technical adoption of blockchain technology.
In episode 166, we interview Kevin Mandia, the CEO and Board Director of FireEye, an intelligence-led security company. FireEye recently outed a new cyberespionage actor associated with the Vietnamese government. Kevin tells us how FireEye does attribution and just how good the Vietnamese are (short answer: surprisingly good but apparently small in scale). Along the way, we also cover questions such as whether China has its own set of forensic cybersecurity firms, how confident we should be about the attribution of WannaCry to North Korea, and whether PLA Unit 61398 should treat its designation as APT1 as a prestige designation, sort of like having “bob@microsoft” as your email address.
Episode 166 is the interview that goes with episode 165’s news roundup, released separately to ensure the timeliness of the news.
Episode 165 is a WannaCry Festivus celebration, as The Airing of Grievances overtakes The Patching of Old Machines. Michael Vatis joins me in identifying all the entities who’ve been blamed for WannaCry, starting with Microsoft for not patching Windows XP until after the damage was done. (We exonerate Microsoft on that count.)
Another candidate for WannaCry Goat of the Year is (of course) NSA for allegedly letting a powerful hacking tool fall into the hands of the Shadow Brokers, who released it in time for WannaCry’s authors to drop it into their worm. Private industry’s finger-pointing at NSA has led to introduction of the PATCH Act, which tries to institutionalize (and tilt) the vulnerability equities process. I raise a caution flag about trying to prevent harmful vulnerability leaks by spreading information about the vulnerabilities to a new batch of civilian agencies. I also ask whether a rational equities process should require that companies get the benefit of the process only if they agree to patch their products promptly and if they cooperate to the extent possible with law enforcement rather than forcing agencies to hack their products just to carry out lawful searches. Somehow I’m guessing that will cool Silicon Valley’s enthusiasm for the whole idea.
Meanwhile, Shadow Brokers, widely thought to be Russian intelligence, may be having an equally awkward Festivus celebration with their masters, since the exploit they released seems to be causing more widespread discomfort in Russia than in the West, probably because of Russia’s high usage of unpatched pirate software.
The North Koreans should be on the carpet as well, since there is increasing reason to believe that WannaCry was a mostly failed effort by Kim Jong Un to raise money through cybercrime. The worm seems to have collected only $100 thousand in bitcoin for its authors, and the worst of its impact was likely felt in China, the world capital of pirated unpatched software. Since North Korea seems to rely on China’s internet infrastructure to launch and control its cyberattacks, launching one that mainly hurts its host is typically shortsighted.
Finally, the victims don’t escape blame. The SEC unveiled its latest criticism of private sector security practices in the financial industry as the WannaCry publicity reached a peak.
Meanwhile, our own Jon Sallet joins the Oliver-Pai debate on net neutrality, and through the magic of radio, he is able to coffee-cup-shame both of them. (Sound effects credit to www.zapsplat.com.) As an encore, Jon explains why the European Commission fined Facebook $122 million over its acquisition of WhatsApp – without undoing the deal.
Episode 164 features Stewart Baker’s startling change of heart on the question of cyberspace norms. Credit goes to our interview guest, Tim Maurer, Fellow and co-director of the Cyber Policy Initiative at the Carnegie Endowment for International Peace. And perhaps as well to Brian Egan, former Legal Adviser to the State Department and now a partner at Steptoe. Tim and Brian talk about Tim’s view and that of his colleagues, George Perkovich and Ariel Levite, at Carnegie that the world is ripe for an enforceable norm against hacking to corrupt financial data in the banking system. Remarkably, I agree with them, though not before casting aspersions on the United Nations and the State Department.
In the news roundup, we’re joined by Paul Rosenzweig of Red Branch Consulting and the DHS Policy office. He critiques the cyber EO, which has finally been released – just in time for wCry ransomware. I note with satisfaction that the Russian government itself was burned by the worm, which it almost certainly released under the Shadow Brokers nom de guerre. Naturally, others prefer to blame the National Security Agency. Brad Smith of Microsoft is happy to blame NSA, and to claim that the crisis shows that we need a digital Geneva accord – which conveniently serves Silicon Valley’s corporate interests while conveniently distracting attention from Microsoft’s decisions about who would get a security patch and who would not.
Paul and I dive deep into NSA’s latest problems with compliance and the FISA court. I argue that we are busily recreating a risk-averse intelligence community. It’s beginning to look as though Groundhog Day falls on September 10.
Abbott Labs has proposed to gag MedSec, I note, by making a settlement offer that would hide security flaws in Abbott’s implants. According to press reports MedSec would be prohibited by the settlement from talking about Abbott’s security flaws without giving prior notice to Abbott.
Finally, if President Trump taped Jim Comey at dinner, does it matter where they ate? Absolutely, says Paul. Dinner at the White House or Trump Tower is fine, but taping a dinner at Mar-a-Lago could be a felony.
With our sound system back on line, episode 163 is already a big step up from Lost Episode 162. (Transcripts of 162 are available for those who wish by sending email to CyberlawPodcast@steptoe.com.)
Our interview is with Susan Munro, of Steptoe’s Beijing office. Susan unwinds the complex spool of cyberlaw measures promulgated by the Chinese government.
In the news, Maury Shenk and I note that Putin reran his US playbook in the French election, but the French were ready for him. Indeed, what we originally thought to be crude Russian forgeries may actually be Macron “honey docs” meant to look like crude Russian forgeries. If so, my hat is off to Macron’s IT team.
Meanwhile, Jennifer Quinn-Barabanov spots a new trend in cybersecurity litigation. It’s nuts, but that’s not the new part.
The intelligence community’s latest transparency report reveals a shocking stat about “backdoor” FBI searches of 702 for criminal cases. The bureau did that all of … one time. Those who want to clog our security services with ever more burdensome processes are going to have to find a bigger scandal.
The Republicans complaining about Susan Rice and “unmasking” can find more to work with in the report. Turns out that Americans were identified in masked or unmasked form in about 4000 reports last year, but by the time the report writers and the intelligence consumers were done, about 3000 reports had seen their Americans unmasked. With numbers like that, if the issue hadn’t been raised first by Republicans, every newspaper in America would be calling for an investigation of unmasking standards.
Okay, this is getting embarrassing. The White House has now spent more time drafting a cyber EO calling for urgent reports from the departments than it’s giving the departments to write the urgent reports. And so far, as Alan Cohn points out, all we have to show for it is … another leaked draft.
Jennifer explains why the latest Home Depot settlement is both good and bad for the plaintiffs’ bar.
Alan dives deep for substance in the White House’s EO creating an American Tech Council. He comes up empty. The EO is purely procedural.
Maury explains the UK’s draft surveillance obligations, concluding there’s not much new in them. And Germany’s intelligence service is complaining both about Russian hacking and about its lack of authority to, uh, hack back to destroy third party servers. Chris Painter, call your office!
Alan tells us that DHS cybersecurity did pretty well in the budget deal, but only if your point of comparison is EPA’s budget.
At least DHS is making the right enemies. Jennifer explains DHS backpedaling on the privacy rights of non-Americans. And Alan and I flag the ABA’s interest in border searches of lawyers’ electronics.
Finally, in cybersecurity news, the Guardian plays the world’s smallest violin for billionaire superyacht owners, and the recent defeat of a common form of two factor authentication will put new cybersecurity pressure on SS7.
In this episode, Alan Cohn and Maury Shenk look at questions in Europe and elsewhere in Stewart’s absence. Maury delves into why Google was ordered to turn over foreign data accessible from the US, a decision that seems at odds with the Microsoft Ireland case. Alan considers claims made by David Sanger and William Broad in The New York Times that the US blew up North Korea’s most recent missile test, and Jeffrey Lewis’s rebuttal in Foreign Policy. Alan and Maury both remain skeptical.
Leaving the Korean peninsula, Maury discusses the current effort by EU data protection regulators to enact e-privacy regulations that would, among other things, put in place detailed standards for location tracking and content associated with metadata. No surprises, but potentially more headaches for US industry. And back on US soil, Alan comments on the US Justice Department’s apparent decision to reconsider criminal charges against Wikileaks for the CIA cyber-tools leak. Maury provides some color on the Trump Administration’s (lack of) views on Privacy Shield.
Finally, Alan reviews the bidding on dual-use export controls and cyber technologies, explaining both the most recent negotiations under the Wassenaar Arrangement and the EU’s efforts to amend its dual-use export controls to include cyber-surveillance technologies.
We talk about the latest, mostly overhyped, Shadowbrokers dump, and whether Google Translate can be taught to render plain text into Shadowbrokerese as well as Klingon.
Stephanie Roy kicks off speculation about the future of net neutrality in the Pai FCC. The future looks bright for litigators.
Abbott Labs takes a short but brutal session in the woodshed from the FDA. Looks like Abbott’s now-subsidiary, St. Jude Medical, knew for years that its backdoor could be found by outsiders, but it stuck to the view that hardcoded access was a feature not a bug. Too bad Uber has already trademarked the name, because if ever there were a feature that deserved to be called “God mode,” this is it.
Burger King triggers a technical battle with Google and an editing war with Wikipedia with a commercial that begins, “Okay, Google, what’s a Whopper burger?” But, law nerds that we are, all we can talk about is whether Burger King is liable under the Computer Fraud and Abuse Act.
Our guest interview is with Nick Weaver, of Berkeley’s International Computer Science Institute. It covers the latest dumps of hacker tools, the vulnerability equities process, the so-bad-you-want-to-cover-your-eyes story of Juniper and the Dual_EC hacks, and ends with a tour of recent computer security disasters, from the capture of a bank’s entire online presence, to the pwning of Dallas’s emergency sirens and a successful campaign to compromise the outsourcing firms that supply IT to small and medium-sized businesses.
In the news roundup, Maury Shenk and Jamil Jaffer, of George Mason’s National Security Law & Policy Program, talk with me about the likely outcome of the European movement to regulate encryption. The bad news for Silicon Valley is that the US isn’t likely to play much of a moderating role when the Europeans tighten the screws.
In other news, Jennifer Quinn-Barabanov explains the two-front battle that Wendy’s is facing (and mostly losing) over data breach liability.
I acknowledge the latest Silicon Valley fad: filing lawsuits on behalf of their customers’ privacy. So far, Twitter has chalked up a win, and Facebook a loss.
LabMD has also chalked up another win, this time in a Bivens action to hold FTC officials personally liable for aggressively enforcing the law against the company as punishment for its outspoken critique of the Commission. The case has mostly survived a motion to dismiss.
Meanwhile in Massachusetts, outmoded privacy laws continue to burden would-be undercover journalists, and Jennifer reports that the prospects for invalidating a law banning recordings of oral conversations on first amendment grounds took a hit last week, at least as it relates to public officials.
Finally, in other computer security news around the globe, Germany’s security services are claiming a lack of authority to take needed action in response to cyber threats. In India, in contrast, enthusiasts for better attribution of India’s populace are forcing everyone to register in a detailed identity database – despite the efforts of India’s top court to ensure that the system remains voluntary. The death of anonymity will be a prolonged affair, but the outcome seems inevitable.
Episode 158 is a bonus episode – the Triple Entente Beer Summit, where members of the Steptoe Cyberlaw Podcast, the Lawfare Podcast, and the Rational Security Podcast assemble over beer to comment on the events of the week – or in this case, the day, since it was among the most news-filled days of President Trump’s young presidency. We cover the (then pending) attack on Assad’s forces in Syria, the future of the Russia election/surveillance investigation, and the meaning of changes to the National Security Council. It’s also the time each year when our audience gets to ask us questions, and that turns out to be among the most entertaining parts of the program.
Episode 157 digs into the security of the medical internet of things. Which, we discover, could be described more often than we’d like as an internet of things that want to kill us. Joshua Corman of the Atlantic Council and Justine Bone, CEO of MedSec, talk about the culture clash that has made medical cybersecurity such a treacherous landscape for security researchers, manufacturers, regulators, and, unfortunately, a lot of patients who remain in the dark about the security of devices they carry around inside them.
In the news roundup, Phil Khinda takes us through the likely trend in SEC cybersecurity enforcement in the new administration. Stephen Heifetz does the same for the Committee on Foreign Investment in the United States, or CFIUS.
I claim that Eli Lake’s Bloomberg story finally explains why Republicans think that Obama administration surveillance and unmasking of Trump team members needs to be investigated. Stephen calls it a distraction.
In other news, Buzzfeed gets taken down by a lawyer with a sense of humor, big claims are made for the impact of the third Wikileaks Vault7 document dump, and Donald Trump may have forgiven Apple. Finally, Jim Comey’s twitter account seems to have been outed; that’s the story, because the tweets themselves are anodyne in the extreme.
For those wanting to dig deeper into medical device cybersecurity, Joshua Corman recommends the following links, all referenced in the interview:
Our interview is with Michael Daniel, former Special Assistant to the President and Cybersecurity Coordinator at the White House and current President of the Cyber Threat Alliance. We ask Michael how the new guys are doing in his job, what he most regrets not getting done, why we didn’t float thumb drives filled with “The Interview” into North Korea on balloons, and any number of other politically incorrect questions. His answers are considerably more nuanced.
In the news roundup, we note that the second Wikileaks release is a damp squib, full of outmoded Apple exploits.
Michael Vatis and I unpack the Third Circuit ruling upholding imposition of contempt penalties on a defendant who has “forgotten” the password to his child porn trove. It turns out that the case offers a road map for prosecutors and police who want to make sure no one ever forgets a password in their jurisdiction.
Stephanie Roy notes that Congress has begun the process of repealing the ISP privacy and security regulations adopted under Chairman Wheeler. What, if anything, will replace them, and when, is a matter for lengthy speculation.
I note that the privacy zealots of Silicon Valley have fatally miscalculated the kind of support they’ll get in Europe for end-to-end encryption. Face it, guys, Europe hates you no matter what you do, and they’ll happily impose massive fines both for violating user privacy and for protecting it too well.
Does GCHQ spy on Americans for NSA? Nope. The real question is whether Rick Ledgett, number 2 at NSA, has already stopped sounding like a government employee when he talks to the press.
Having trouble understanding what President Trump and Rep. Nunes are banging on about? Try putting the shoe on the other foot…
It’s 2020. Kamala Harris finishes a close second in New Hampshire, beating expectations that Elizabeth Warren would sweep her neighboring state (and its shared media market). Harris roars into South Carolina, where she suddenly leads in the polls with a message of repudiating what she calls the Trump administration’s dangerous foreign brinksmanship.
Whatever you call it, you can’t call it dull. President Trump has forced Iran to renegotiate the nuclear deal by the simple expedient of expanding US sanctions to include the seizure and impoundment of any tanker carrying Iranian oil. The oil market remains stable, buoyed by record US oil and gas production. But the move prompts a diplomatic rupture and some tense maritime confrontations with India and China. Undeterred, the President says North Korea is next in line for what he calls, “Sanctions that work. Unlike the last guy’s. Not a leader!”
But it will only take one foreign mishap to make Harris tough to beat. She’s fresh and virtually untouched by Warren’s surprised oppo research team. The Trump team vows that it won’t be caught similarly flat-footed.
In July, the intelligence community picks up rumors that intelligence services from Iran, North Korea, and China are working together to ensure a Harris victory in November.
The President erupts at an NSC meeting. “This is intolerable! I want to know everything about foreign interference in our election – and whether any Americans are colluding with Iran. This is a top priority for all of our counterintelligence agencies.”
Attorney General Sessions approves FISA wiretap applications for every known or suspected Iranian foreign agent, with special focus on anyone known to have contacted the Harris campaign. The surveillance reveals that Harris campaign officials talked regularly to Iranian agents and even asked for help in formulating her famous “I will prosecute the President as a war criminal” speech.
The FBI circulates the transcripts to the National Security Council and high-ranking White House officials. The identities of Harris campaign staff are initially “masked”, but many officials, including Steve Bannon, insist on knowing the names “to determine how deeply Iran’s influence operation has penetrated the Harris organization.”
Within weeks, there is a swirl of public speculation about Harris and Iran, but she successfully rejects it as a “diehard Warren delusion.” With more passion than grammar, her top foreign policy adviser denies the rumors “categorically and irrefutably.”
The nominating convention is a love fest. Three weeks later, transcripts of the Harris foreign policy guru’s conversations with Iranian operatives are leaked by government sources. Within a day, bumper stickers appear, saying, “Was it treason? Categorically and irrefutably!”
With that as her introduction to the American public, Harris’s campaign sputters and collapses.
Faced with that scenario, who thinks the press would be mocking Harris’s claim that her campaign was wiretapped by its enemies? So why are reporters mocking Trump’s?
Fact is, there’s a very real problem at the bottom of President Trump’s complaints. The Obama administration decided to conduct what was bound to be one-sided surveillance. Any evidence the investigators turned up would hurt the President’s adversary, not his side. The same would be true of any leaks. And widespread distribution of intelligence from the investigation would dramatically increase the risk that his adversary will be hurt by leaks. If you’re the President, or anyone in his administration, what’s not to like?
Who made the decision to expose the Trump campaign to this scrutiny and the risks that came with it? Thanks to FISA, national security surveillance decisions must be made mainly by political appointees. This is meant to be a protection for civil liberties but it’s the reverse in a partisan context. I’m sure that the Trump campaign would rather have had the decision to launch a FISA tap made by the first two names in the DOJ phone book than by Loretta Lynch and Sally Yates. (I realize that Team Trump is now focusing more on surveillance of what might be called “institutional foreign agents” – people who don’t hide their allegiance to foreign nations. The Mike Flynn transcript may have come from such surveillance, as may much of the other “incidental” collection of Trump campaign contacts that Rep. Nunes briefed the President on. Such surveillance goes on with or without an investigation, but distribution of the product would likely be wider once an investigation is opened.)
All that said, appreciating the force of President Trump’s concerns does not mean we shouldn’t have done the investigation. In my view, we have no choice but to investigate and respond aggressively when other countries interfere with our elections. But we also ought to recognize and take action to limit the partisan temptations that such investigations will inevitably offer. Because if anything is utterly predictable about the 2020 election, it’s that foreign governments will try to influence it and that partisan passions will be high. So the surveillance shoe is going to be on someone’s foot in 2020. Ditto for 2024 and 2028 and 2032…
So we might as well try to draw some lessons from the Trump team’s unhappiness instead of pretending that their grievances are entirely illegitimate. Without being able to offer a grand solution, I can think of things that would ameliorate the risk. Maybe the government should be required to identify in advance national security investigations likely to have an impact on political officials or candidates and take special steps to depoliticize them. Perhaps political appointees should recuse themselves from the decision to launch such investigations. And the anonymity of US persons who are also surveilled in such investigations could be protected by special limits on distribution of the masked intelligence and by requiring special assurances from those who want to unmask US persons.
I can’t pretend that these are the only or the best ways to address the problem I see. Turning these decisions over to career people does nothing for those who buy the Deep State meme – or the presumption that civil servants mostly vote Democratic. And after all is said and done, these are minor tweaks, not strong protections against abuse. But at least they’d reduce the risk that Americans will end up in a circular surveillance firing squad every four years.
Episode 155 of the podcast offers something new: equal time for opposing views. Well, sort of, anyway. In place of our usual interview, we’re running a debate over hacking back that CSIS sponsored last week. I argue that US companies should be allowed to hack back; I’m opposed by Greg Nojeim, Senior Counsel at the Center for Democracy & Technology and Jamil Jaffer, Vice President for Strategy & Business Development of IronNet Cybersecurity. (Jeremy Rabkin, who was supposed to join me in arguing the affirmative, was trapped in Boston by a snowstorm.)
In the news, we can’t avoid the unedifying – and cynical on both sides – spat between press and White House over wiretapping. We then turn to legal news, where I note the DC Circuit’s adoption of a cursory and unpersuasive reading of the Foreign Sovereign Immunities Act in the context of state-sponsored hacking of activists in the United States.
Maury Shenk next unpacks the latest ECJ opinion refusing to apply the “right to be forgotten” across the board to government databases. So far, the only clear application is to American tech giants. That’s also true of the latest German proposal to make the internet safe for censors, government and nongovernment alike. As Maury explains, the German Justice Minister is proposing fines up to $50 million for tech giants that don’t censor online speech fast enough or hire enough European private censors to keep up with the workload.
The Justice Department’s indictments in the Yahoo! hack show just how remarkably intertwined Russian intelligence and Russian cybercrime have become.
Alan Cohn and I chew over the latest developments in the new administration’s approach to cybersecurity – a determination to cripple botnets more effectively, and a willingness to exempt DHS cyber programs from what looks like a drastic set of budget cuts for nondefense agencies. Whether the administration can make progress on botnets while sticking to voluntary measures is uncertain; equally uncertain is whether the plus-ups for DHS cyber reflect real satisfaction with the agency’s performance of that mission in recent years.
Finally, Maury and I ask whether the German government is surrendering to reality in pursuing more effective video surveillance of possible criminals and terrorists.
In this week’s episode, we ask two former NSA cybersecurity experts, Curtis Dukes and Tony Sager, both now from the Center for Internet Security, what advice they give family members about how to keep computers, phones, and doorbells safe from hackers.
Joining us for the news round-up is Carrie Cordero, a Washington lawyer and adjunct professor of Law at Georgetown University who focuses on national security law, homeland security law, cybersecurity and data protection issues.
Topping the news is the Wikileaks Vault7 release, including Assange’s mischievous offer to work with Silicon Valley to fix vulnerabilities before they’re disclosed. Carrie, Markham Erickson, and I comment.
Stephanie Roy reports that the FCC is investigating a 911 outage at AT&T; so far the agency has been tight-lipped about the details.
Home Depot is nearing the finish line in its data breach ordeal, Jennifer Quinn-Barabanov reports. The banks that had to reissue credit cards were among the last holdouts; they’re getting $25 million, which sounds like a lot until you do the math and realize it’s two bucks a card.
Jennifer tells us that another defense effort to moot a TCPA class action by picking off a named plaintiff has been thwarted – this time by the Second Circuit.
Tom Graves (R-GA) has introduced a hackback defense to CFAA liability. Markham and I trade barbs over the wisdom of allowing hackback defenses, but we reach agreement on the depth of Uber’s greyballing problems – and the risk that more companies will use big data to disfavor some customers without telling them.
Carrie reports on developments in the FBI-Geek Squad imbroglio, and I mock the reporters who bought the deeply unappealing defendant’s claim to be a civil liberties victim.
Last, and well worth the wait, Jennifer and I update our listeners on the latest in CyberSexToy privacy. Turns out the records of your, er, interactions with your internet-enabled vibrator can be compromised for a surprisingly low settlement price. Maybe today is the day we really ought to call time of death for internet privacy.
In this episode, Matt Tait, aka @PwnAllTheThings, takes us on a tour of Russia’s cyberoperations. Ever wonder why there are three big Russian intel agencies but only two that have nicknames in cybersecurity research? Matt has the answer to this and all your other Russian cyberespionage questions.
In the news, we mourn the loss of Howard Schmidt, the first cyber czar and one of the most decent men in government. Then we descend into the depths of the Trump wiretap story. I reprise some of my views from Lawfare. Michael Vatis is not persuaded.
After Microsoft’s refusal to provide data stored in the cloud outside the US was upheld in the Second Circuit, things looked rosy for its position. But now two magistrates in a row have rejected it. Michael and I discuss the latest ruling.
Maury Shenk is now our official commentator on the legal consequences of Internet-enabled toys. This time it’s teddy bears, whose interactions with children and parents were exposed by hackers.
More seriously, Maury praises an impressive new analysis of China’s 50c army of tweeters. It turns out that everything we thought we knew about the 50c army is wrong.
Just in time for an early spring, we have harbingers of the coming fight over reauthorization of the 702 intercept program. Director of National Intelligence candidate Coats promises to put a number on the US persons whose communications are caught up in the program; the Electronic Frontier Foundation (EFF) and other NGOs turn on both the US government and Silicon Valley to urge that Privacy Shield be held hostage to changes in the program. And the incoming Commerce Secretary, Wilbur Ross, endorses Privacy Shield, a move that may validate EFF’s tactics.
As always, the Cyberlaw Podcast welcomes feedback. Send an email to CyberlawPodcast@steptoe.com or leave a message at +1 202 862 5785
Download the 153rd episode (mp3).
Our guest for episode 152 is Paul Rosenzweig. In the news roundup, Stephanie Roy outlines the deregulatory tangle around ISPs, privacy, security, and the FCC. Maury Shenk briefs us on the European legislation authorizing the quashing of terrorist advocacy on line. Jennifer Quinn-Barabanov explains when standing is a defense against privacy claims and when it isn’t. Together, we remark on the latest example of formerly stodgy banks embracing their inner plaintiffness.
Maury explains why the Germans have banned Cayla the talking (and listening!) doll. I ask whether the Germans next plan to ban speakerphones. (Likely answer: only if they come from America.)
Paul and I dig into the Amazon claim that the first amendment prevents enforcement of a criminal discovery order seeking Amazon Echo recordings. Hey, the suspect might have been ordering books, and that’s a first amendment activity, says Amazon, and anyway, what Alexa said back to the suspect was an exercise of Amazon’s first amendment rights. These arguments cry out for the command most frequently heard by my music-playing Echo: “Alexa, that’s enough.”
Almost as unpersuasive to Paul and me is magistrate judge David Weisman’s refusal to issue an order allowing the police to search a home and make anyone on the premises put their fingers on their iPhones to unlock them. That act is testimonial in Weisman’s opinion because, well, because he says it is. (His fourth amendment analysis is better, but hardly compelling.)
Paul explains the dramatic clash of cultures hidden in the otherwise esoteric battle between the GSA’s inspector general and “18F,” an Obama-meets-Silicon-Valley effort to streamline government IT development. Like any good tragedy, you knew from the start that this trainwreck was coming, but you still can’t look away.
The draft cyber executive order still isn’t out, despite what looks like a much more disciplined vetting process than other EOs went through. What’s the reward for running a good interagency process in a White House not noted for such discipline? The Homeland Security Council may get folded under the National Security Council.
No one has heard of the National Association of Secretaries of State in 50 years. And if you want to know why, we say, look no further than NASS’s foolish resolution objecting to the designation of electoral systems as "critical infrastructure."
Finally, Paul and I noodle over DHS’s request that Chinese visitors to the US voluntarily disclose their social media handles. I predict that this puts the frog in the pot and the stove on simmer. Meanwhile, Paul finds one border security measure that even I wouldn’t adopt.
In this episode, Stewart Baker goes to RSA and interviews the people that everyone at RSA is hoping to sell to – CISOs. In particular, John “Four” Flynn of Uber, Heather Adkins of Google, and Troels Oerting of Barclays Bank. We ask them what trends at RSA give them hope for the future, which make them weep, what’s truly new in cybersecurity, and what kind of help they would like from government.
While Stewart’s traveling, Alan Cohn takes over the news roundup. We start with some news from the RSA Conference keynotes. Brad Smith, President of Microsoft, called for a cyber “Geneva Convention” on behalf of the sovereign nation of Microsoft. And Rep. Michael McCaul (R-TX), chair of the House Committee on Homeland Security, announced his opposition to backdoors in encryption, lining up with former Secretary of Homeland Security Michael Chertoff and former NSA and CIA Director Michael Hayden but against current Attorney General Jeff Sessions and current FBI Director Jim Comey.
In news from across the pond, Maury walks us through the EU’s efforts to take on robots. We coin the term #EURobotHammer in the process (it’s complicated). Maury also tells us whether the Russians are hacking the French elections (it’s complicated).
Back stateside, Alan asks what the cyber implications are of "out like Flynn, in with McMaster" at the National Security Council. Alan also confides in us about White House staffers’ use of confidential messaging apps like Confide (see what we did there?).
Our interview features a classic buzzkill headline: “Worthwhile Canadian Initiatives.” We explore multiple worthwhile Canadian initiatives with Dominic Rochon, deputy chief of policy and communications for CSE, Canada’s version of the NSA and with Patricia Kosseim, general counsel and director general for policy at the Office of Canada’s Privacy Commissioner. Among other things, we take a close look at Canada’s oversight regime for intelligence, in which a retired judge gets to exercise executive authority over the CSE – in contrast to the US system where active judges do the same but pretend they’re carrying out a judicial function.
In the news roundup, Judge Robart is doing his best to hog the judicial headlines, not only blocking the Trump administration’s immigration policy but giving support to Microsoft’s suit to overturn discovery gag orders en masse. His opinion allows Microsoft to proceed with a lawsuit claiming that gag orders violated the First Amendment.
The Trump Administration could soon begin asking foreigners coming to the United States — particularly from some Muslim-majority countries — to turn over their social media accounts and passwords. This is a policy begun under the Obama administration and supported by bipartisan homeland security groups. I predict that it will nonetheless soon be trashed by the press as an Evil Trump Initiative.
Tallinn 2.0 is out. It applies international law to cyber activity at and below the threshold of armed conflict. Color me skeptical.
The cybersecurity Executive Order that’s been hanging fire for weeks is still hanging fire. A new draft has been leaked, though, and it’s better.
Hal Martin is indicted for stealing massive amounts of data from NSA and perhaps others. According to a Washington Post report, US officials think Martin may have stolen 75% of the NSA’s hacking tools. Ouch.
In other news, Rick Ledgett, the No. 2 official at the NSA, is leaving, but not because of Trump. And Google has told several prominent journalists that state-sponsored hackers are trying to break into their inboxes.
Our guest for episode 149 of the podcast is Jason Healey, whose Atlantic Council paper, “A Nonstate Strategy for Saving Cyberspace,” advocates for an explicit bias toward cyber defense and the private sector. He responds well to my skeptical questioning, and even my suggestion that his vision of “defense dominance” would be more marketable if paired with thigh-high leather boots and a bull whip. #50ShadesofCyber.
In the news roundup, we experiment with, uh, actual legal discussion. The Microsoft Ireland case has company; Google recently lost a similar argument before a magistrate judge – maybe because it couldn’t say where the data it wanted to protect from disclosure actually was. Michael Vatis explains.
Meredith Rathbone and I take a victory lap over CNN and its reporters, noting that if they’d listened to the podcast, they’d have known a month early that US sanctions had unexpectedly prevented US companies from filing license applications with Russian intelligence agencies – and that allowing companies to make such filings wasn’t an opportunity for hyperventilating about President Trump’s bromance with Putin.
Michael and I also deconstruct Supreme Court nominee Neil Gorsuch’s opinion in US v. Ackerman. The opinion calmly and clearly puts a hole below the waterline in a longstanding approach to collecting evidence in child porn cases. If this case gives a clue to his jurisprudence, it seems unlikely that a Justice Gorsuch will be a pushover for government arguments.
Can American companies sue governments that hack them in the US? I hope so, but that depends on whether the Foreign Sovereign Immunities Act provides protection for malware sent from abroad that does its damage here. In an unlikely-bedfellows moment, I’m depending on EFF to make that argument to the DC Circuit.
And, to follow up on two stories we covered earlier, Brexit authority slips quickly through the House of Commons, while Google’s penny-pinching settlement of a massive “wiretapping” class action is approved over objections to the cy pres payments to the usual NGOs.
Our guest for episode 148 of the podcast is Corin Stone, the Executive Director of the National Security Agency. Corin handles some tough questions – should the new team dump PPD-28, how is morale at the agency after the Snowden and Shadowbroker leaks, and will fully separating Cyber Command from NSA mean new turf fights? I give Corin plenty of free advice and, more usefully, our first in-person award of the coveted Steptoe Cyberlaw Podcast coffee mug.
In the news, Alan Cohn and I cover the Second Circuit’s much-ado-about-nothing package of opinions on rehearing the Microsoft-Ireland case.
Maury and I discuss what the new White House executive order on the privacy rights of foreigners means – as well as Donald Trump’s meeting with Theresa May (including whether they talked about Russia sanctions). Also on the agenda: Has Donald Trump already surpassed Barack Obama’s lifetime record for holding hands with prominent White House visitors?
Speaking of Peter Thiel, Jennifer Quinn-Barabanov and I speculate about whether FTC commissioner Maureen Ohlhausen will pull the FTC back from the ledge on suing companies for security flaws that don’t cause demonstrable consumer harm. And whether Peter Thiel is looking for someone else to chair the FTC.
Our guest interview is with Jack Goldsmith, Shattuck Professor of Law at Harvard and co-founder of Lawfare. We explore his contrarian view of how to deal with Russian hacking, which leads to me praising (or defaming, take your pick) him as a Herman Kahn for cyberconflict. Except what’s unthinkable in this case are his ideas for negotiating, not fighting, with the Russians.
In the news roundup, I ask Michael Vatis whether the wheels are coming off the FTC’s business model, as yet another company refuses to succumb to the commission’s genteel extortion.
The Obama Administration came to an end last week, and its officials left behind a lot of paper to remind us why we’ll miss them — and why we won’t. A basically sympathetic review of the administration’s cyber policies ends with a harsh judgment on President Obama: “He did almost everything right and it still turned out wrong.”
Among the leftovers served up last week: a farewell statement on privacy that seems unlikely to prove relevant in the new administration, a workman-like report on cyber incident response, a wistful FCC public safety bureau report on the commission’s cybersecurity initiatives, and a zombie notice that showed up in the Federal Register three days into the Trump administration, implementing the Umbrella Agreement on data protection with the EU. Maury Shenk evaluates the agreement and its prospects.
And just to make sure we haven’t forgotten the new team’s rather different approach, it posted a policy statement on how good its cyber policy will be. It reads, in its entirety, “Cyberwarfare is an emerging battlefield, and we must take every measure to safeguard our national security secrets and systems. We will make it a priority to develop defensive and offensive cyber capabilities at our U.S. Cyber Command, and recruit the best and brightest Americans to serve in this crucial area.”
I try a quick explanation of the flap between security researchers and the Guardian over an alleged “back door” in WhatsApp messaging. Somehow, the Iran-Iraq war makes an appearance.
And, in a first for the Steptoe Cyberlaw Podcast, Alan Cohn reports as our roving foreign correspondent from -- where else? -- Davos. Want to know what the global 1% are worried about – other than you? Alan has the answers.