Podcast appearances and mentions of David Kris

  • 11 podcasts
  • 108 episodes
  • 56m average duration
  • Infrequent episodes
  • Latest episode: Oct 29, 2024

Latest podcast episodes about David Kris

The Lawfare Podcast
Lawfare Daily: David Kris on Data Proxies for Clients of Cloud Service Providers

Oct 29, 2024 · 47:42


Alan Rozenshtein, Associate Professor at the University of Minnesota Law School and Senior Editor at Lawfare, sits down with David Kris, founder of Culper Partners and the former Assistant Attorney General for National Security in the Obama administration, to talk about a new paper that David has published as part of Lawfare's ongoing Digital Social Contract series, entitled "A Data Proxy for Clients of Cloud Service Providers."

Kris argues that cloud storage offers significant benefits for security and efficiency, but many organizations may be hesitant to adopt it due to the risk of secret disclosure: the practice by which law enforcement can compel cloud service providers to turn over customer data while legally prohibiting them from notifying the customer. To address this concern, Kris proposes the appointment of a "data proxy," a highly trusted individual (like a retired federal judge) who would be contractually authorized to represent the organization's interests when it cannot represent itself due to a nondisclosure order.

To receive ad-free podcasts, become a Lawfare Material Supporter at www.patreon.com/lawfare. You can also support Lawfare by making a one-time donation at https://givebutter.com/c/trumptrials. Support this show http://supporter.acast.com/lawfare. Hosted on Acast. See acast.com/privacy for more information.

The Cyberlaw Podcast
Taking AI Existential Risk Seriously

Apr 2, 2024 · 61:45


This episode is notable not just for cyberlaw commentary, but for its imminent disappearance from these pages and from podcast playlists everywhere. Having promised to take stock of the podcast when it reached episode 500, I've decided that I, the podcast, and the listeners all deserve a break. So I'll be taking one after the next episode. No final decisions have been made, so don't delete your subscription, but don't expect a new episode any time soon. It's been a great run, from the dawn of the podcast age, through the ad-fueled podcast boom, which I manfully resisted, to the market correction that's still under way. It was a pleasure to engage with listeners from all over the world. Yes, even the EU!

As they say, in the podcast age, everyone is famous for fifteen people. That's certainly been true for me, and I'll always be grateful for your support – not to mention for all the great contributors who've joined the podcast over the years.

Back to cyberlaw, there are a surprising number of people arguing that there's no reason to worry about existential and catastrophic risks from proliferating or runaway AI risks. Some of that is people seeking clever takes; a lot of it is ideological, driven by fear that worrying about the end of the world will distract attention from the dire but unidentified dangers of face recognition. One useful antidote is the Gladstone Report, written for the State Department's export control agency. David Kris gives an overview of the report for this episode of the Cyberlaw Podcast. The report explains the dynamic, and some of the evidence, behind all the doom-saying, a discussion that is more persuasive than its prescriptions for regulation.

Speaking of the dire but unidentified dangers of face recognition, Paul Stephan and I unpack a New York Times piece saying that Israel is using face recognition in its Gaza conflict. Actually, we don't so much unpack it as turn it over and shake it, only to discover it's largely empty. Apparently the editors of the NYT thought that tying face recognition to Israel and Gaza was all we needed to understand that the technology is evil.

More interesting is the story arguing that the National Security Agency, traditionally at the forefront of computers and national security, may have to sit out the AI revolution. The reason, David tells us, is that NSA's access to mass quantities of data for training is complicated by rules and traditions against intelligence agencies accessing data about Americans. And there are few training databases not contaminated with data about and by Americans.

While we're feeling sorry for the intelligence community as it struggles with new technology, Paul notes that Yahoo News has assembled a long analysis of all the ways that personalized technology is making undercover operations impossible for CIA and FBI alike.

Michael Ellis weighs in with a review of a report by the Foundation for the Defence of Democracies on the need for a US Cyber Force to man, train, and equip fighting nerds for Cyber Command. It's a bit of an inside baseball solution, heavy on organizational boxology, but we're both persuaded that the current system for attracting and retaining cyberwarriors is not working. In the spirit of “Yes, Minister,” we must do something, and this is something.

In that same spirit, it's fair to say that the latest Senate Judiciary proposal for a “compromise” 702 renewal bill is nothing much – a largely phony compromise chock full of ideological baggage. David Kris and I are unimpressed, and surprised at how muted the Biden administration has been in trying to wrangle the Democratic Senate into producing a workable bill.

Paul and Michael review the latest trouble for TikTok – a likely FTC lawsuit over privacy. Michael and I puzzle over the stories claiming that Meta may have “wiretapped” Snapchat analytic data. It comes from a trial lawyer suing Meta, and there are a lot of unanswered questions, such as whether users consented to the collection of the data. In the end, we can't help thinking that if Meta had 41 of its lawyers review the project, they found a way to avoid wiretapping liability.

The most intriguing story of the week is the complex and surprising three- or four-cornered fight in northern Myanmar over hundreds of thousands of women trapped in call centers to run romance and pig-butchering scams. Angry that many of the women and many victims are Chinese, China fostered a warlord's attack on the call centers that freed many women, and deeply embarrassed the current Myanmar ruling junta and its warlord allies, who'd been running the scams. And we thought our southern border was a mess!

And in quick hits:

  • Elon Musk's X Corp has lost its lawsuit against the left-wing smear artists at CCDH
  • AT&T has lost millions of customer records in a data breach
  • Utah has passed an AI regulation bill
  • The US is still in the cyber sanctions business, tagging several Russian fintech firms and a collection of Chinese state hackers.
  • The SEC isn't done investigating SolarWinds; now it's investigating companies harmed by the supply chain attack.
  • Apple's reluctant compliance with EU law has attracted the expected EU investigation of its app store policies (App Store changes rejected: Apple could be fined 10% of global turnover)
  • And in a story that will send chills through large parts of the financial and tech elite, it turns out that Jeffrey Epstein's visitor records didn't die with him. Thanks to geolocation adtech, they can be reconstructed.

The Lawfare Podcast
A Conversation with Bryan Vorndran, Assistant Director of the FBI Cyber Division

Dec 19, 2023 · 61:05


Bryan Vorndran is Assistant Director of the FBI's Cyber Division, a position he's held since around March 2021. Prior to that, he was the special agent in charge in New Orleans, and he's worked in Afghanistan and on the Joint Terrorism Task Force at the Washington Field Office.

David Kris, Lawfare contributor and former Assistant Attorney General for the National Security Division, and Bryan Cunningham, Lawfare contributor and Executive Director of the University of California, Irvine's Cybersecurity Policy & Research Institute, sat down with Bryan to talk about his career trajectory, the FBI's top cyber challenges, the Bureau's relationships with other agencies and private sector entities, and the challenges posed by the People's Republic of China.

The Cyberlaw Podcast
Do AI Trust and Safety Measures Deserve to Fail?

Dec 12, 2023 · 77:35


It's the last and probably longest Cyberlaw Podcast episode of 2023. To lead off, Megan Stifel takes us through a batch of stories about ways that AI, and especially AI trust and safety, manage to look remarkably fallible. Anthropic released a paper showing that race, gender, and age discrimination by AI models was real but could be dramatically reduced by instructing the model to “really, really, really” avoid such discrimination. (Buried in the paper was the fact that the original, severe AI bias disfavored older white men, as did the residual bias that asking nicely didn't eliminate.) Bottom line from Anthropic seems to be, “Our technology is a really cool toy, but don't use it for anything that matters.” In keeping with that theme, Google's highly touted OpenAI competitor Gemini was released to mixed reviews when the model couldn't correctly identify recent Oscar winners or a French word with six letters (it offered “amour”). The good news was for people who hate AI's ham-handed political correctness; it turns out you can ask another AI model how to jailbreak your model, a request that can make the task go 25 times faster.

This could be the week that determines the fate of FISA section 702, David Kris reports. It looks as though two bills will go to the House floor, and only one will survive. Judiciary's bill is a grudging renewal of 702 for a mere three years, full of procedures designed to cripple the program. The intelligence committee's bill beats the FBI around the head and shoulders but preserves the core of 702. David and I explore the “queen of the hill” procedure that will allow members to vote for either bill, both, or none, and will send to the Senate the version that gets the most votes.

Gus Hurwitz looks at the FTC's last-ditch appeal to stop the Microsoft-Activision merger. The best case, he suspects, is that the appeal will be rejected without actually repudiating the pet theories of the FTC's hipster antitrust lawyers.

Megan and I examine the latest HHS proposal to impose new cybersecurity requirements on hospitals. David, meanwhile, looks for possible motivations behind the FBI's procedures for companies who want help in delaying SEC cyber incident disclosures. Then Megan and I consider the tough new UK rules for establishing the age of online porn consumers. I think they'll hurt Pornhub's litigation campaign against states trying to regulate children's access to porn sites.

The race to 5G is over, Gus notes, and it looks like even the winners lost. Faced with the threat of Chinese 5G domination and an industry sure that 5G was the key to the future, many companies and countries devoted massive investments to the technology, but it's now widely deployed and no one sees much benefit. There is more than one lesson here for industrial policy and the unpredictable way technologies disseminate.

23andme gets some time in the barrel, with Megan and I both dissing its “lawyerly” response to a history of data breaches – namely changing its terms of service to make it harder for customers to sue for data breaches.

Gus reminds us that the Biden FCC only took office in the last month or two, and it is determined to catch up with the FTC in advancing foolish and doomed regulatory initiatives. This week's example, remarkably, isn't net neutrality. It's worse. The Commission is building a sweeping regulatory structure on an obscure section of the 2021 infrastructure act that calls for the FCC to “facilitate equal access to broadband internet access service...” Think we're hyperventilating? Read Commissioner Brendan Carr's eloquent takedown of the whole initiative.

Senator Ron Wyden (D-OR) has a bee in his bonnet over government access to smartphone notifications. Megan and I do our best to understand his concern and how seriously to take it.

Wrapping up, Gus offers a quick take on Meta's broadening attack on the constitutionality of the FTC's current structure. David takes satisfaction from the Justice Department's patient and successful pursuit of Russian hacker Vladimir Dunaev for his role in creating TrickBot. Gus notes that South Korea's law imposing internet costs on content providers is no match for the law of supply and demand.

Finally, in quick hits we cover:

  • The guilty plea of the founder of a cryptocurrency exchange accused of money laundering.
  • Rumors that the ALPHV ransomware site has been taken down by law enforcement
  • IBM's long-term quantum computing research milestones
  • The UK's antitrust throat-clearing about the OpenAI-Microsoft tie-up
  • And Europe's low-on-details announcement of a deal on the world's first comprehensive AI rules

Download 485th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@gmail.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

The Cyberlaw Podcast
Putting the SEC in Infosec

Nov 7, 2023 · 51:27


In a law-packed Cyberlaw Podcast episode, Chris Conte walks us through the long, detailed, and justifiably controversial SEC enforcement action against SolarWinds and its top infosec officer, Tim Brown. It sounds to me as though the SEC's explanation for its action will (1) force companies to examine and update all of their public security documents, (2) transmit a lot more of their security engineers' concerns to top management, and (3) quite possibly lead to disclosures beyond those required by the SEC's new cyber disclosure rules that would alert network attackers to what security officials know about the attack in something close to real time.

Jim Dempsey does a deep dive into the administration's executive order on AI, adding details not available last week when we went live. It's surprisingly regulatory, while still trying to milk jawboning and public-private partnership for all they're worth. The order more or less guarantees a flood of detailed regulatory and quasiregulatory initiatives for the rest of the President's first term. Jim resists our efforts to mock the even more in-the-weeds OMB guidance, saying it will drive federal AI contracting in significant ways. He's a little more willing, though, to diss the Bletchley Park announcement on AI principles that was released by a large group of countries. It doesn't say all that much, and what it does say isn't binding.

David Kris covers the Supreme Court's foray into cyberlaw this week – oral argument in two cases about when politicians can curate the audience that interacts with their social media sites. This started as a Trump issue, David reminds us, but it has lost its predictable partisan valence, so now it's just a surprisingly hard constitutional controversy that, as Justice Elena Kagan almost said, left the Supreme Court building littered with first amendment rights.

Finally, I drop in on Europe to see how that Brussels Effect is doing. Turns out that, after years of huffing and puffing, the privacy bureaucrats are dropping the hammer on Facebook's data-fueled advertising model. In a move that raises doubts about how far from Brussels the Brussels Effect can reach, Facebook is changing its business model, but just for Europe, where kids won't get ads and grownups will have the dubious option of paying about ten bucks a month for Facebook and Insta. Another straw in the wind: Ordered by the French government to drop Russian government news channels, YouTube competitor Rumble has decided to drop France instead.

Download 480th Episode (mp3)

The Cyberlaw Podcast
The U.K. Adopts an Online Safety Bill That Allows Regulation of Encrypted Messaging

Sep 26, 2023 · 49:40


Our headline story for this episode of the Cyberlaw Podcast is the U.K.'s sweeping new Online Safety Act, which regulates social media in a host of ways. Mark MacCarthy spells some of them out, but the big surprise is encryption. U.S. encrypted messaging companies used up all the oxygen in the room hyperventilating about the risk that end-to-end encryption would be regulated. Journalists paid little attention in the past year or two to all the other regulatory provisions. And even then, they got it wrong, gleefully claiming that the U.K. backed down and took the authority to regulate encrypted apps out of the bill. Mark and I explain just how wrong they are. It was the messaging companies who blinked and are now pretending they won.

In cybersecurity news, David Kris and I have kind words for the Department of Homeland Security's report on how to coordinate cyber incident reporting. Unfortunately, there is a vast gulf between writing a report on coordinating incident reporting and actually coordinating incident reporting. David also offers a generous view of the conservative catfight between former Congressman Bob Goodlatte on one side and Michael Ellis and me on the other. The latest installment in that conflict is here.

If you need to catch up on the raft of antitrust litigation launched by the Biden administration, Gus Hurwitz has you covered. First, he explains what's at stake in the Justice Department's case against Google – and why we don't know more about it. Then he previews the imminent Federal Trade Commission (FTC) case against Amazon. Followed by his criticism of Lina Khan's decision to name three Amazon execs as targets in the FTC's other big Amazon case – over Prime membership. Amazon is clearly Lina Khan's White Whale, but that doesn't mean that everyone who works there is sushi.

Mark picks up the competition law theme, explaining the U.K. competition watchdog's principles for AI regulation. Along the way, he shows that whether AI is regulated by one entity or several could have a profound impact on what kind of regulation AI gets.

I update listeners on the litigation over the Biden administration's pressure on social media companies to ban misinformation and use it to plug the latest Cybertoonz commentary on the case. I also note the Commerce Department claim that its controls on chip technology have not failed, arguing that there's no evidence that China can make advanced chips “at scale.” But the Commerce Department would say that, wouldn't they?

Finally, for This Week in Anticlimactic Privacy News, I note that the U.K. has decided, following the EU ruling, that U.S. law is “adequate” for transatlantic data transfers.

Download 473rd Episode (mp3)

The Lawfare Podcast
The National Intelligence Strategy with Michael Collins of the National Intelligence Council

Sep 1, 2023 48:50


The National Intelligence Strategy is out, and David Kris, a founder of Culper Partners, sat down to talk about it with Michael Collins, the acting head of the National Intelligence Council. They discussed many aspects of U.S. national security, defense, cyber, and intelligence strategy, including the increasing geopolitical significance of non-state entities, and even the meaning of the word intelligence itself. They also cover Mike's long and illustrious career inside the U.S. intelligence community and his thoughts about the future of U.S. intelligence.

The Lawfare Podcast
Eric Goldstein of DHS on All Matters Cyber

Jul 10, 2023 44:40


Eric Goldstein is the Executive Assistant Director for Cybersecurity of the U.S. Cybersecurity and Infrastructure Security Agency, having served previously as Global Head of Cybersecurity Policy Strategy and Regulation at Goldman Sachs, where he led development of the firm's cybersecurity risk management program, and in cybersecurity positions in DHS, as well as practicing cybersecurity law in the private sector. David Kris, Lawfare Contributor and former Assistant Attorney General for the National Security Division, and Bryan Cunningham, Lawfare Contributor and Executive Director of the University of California, Irvine's Cybersecurity Policy & Research Institute, sat down with Eric to talk about all things cybersecurity, including the U.S. National Cybersecurity Strategy and U.S. government cyber lanes in the road. Eric also discusses ransomware and what it's like for a lawyer to serve in an operational position.

The Cyberlaw Podcast
Cryptopocalypse

Jun 13, 2023 48:42


It was a disastrous week for cryptocurrency in the United States, as the Securities and Exchange Commission (SEC) filed suit against the two biggest exchanges, Binance and Coinbase, on a theory that makes it nearly impossible to run a cryptocurrency exchange that is competitive with overseas exchanges. Nick Weaver lays out the differences between “process crimes” and “crime crimes,” and how they help distinguish the two lawsuits. The SEC action marks the end of an uneasy truce, but not the end of the debate. Both exchanges have the funds for a hundred-million-dollar defense and lobbying campaign. So you can expect to hear more about this issue for years (and years) to come. I touch on two AI regulation stories. First, I found Marc Andreessen's post trying to head off AI regulation pretty persuasive until the end, where he said that the risk of bad people using AI for bad things can be addressed by using AI to stop them. Sorry, Marc, it doesn't work that way. We aren't stopping the crimes that modern encryption makes possible by throwing more crypto at the culprits. My nominee for the AI Regulation Hall of Fame, though, goes to Japan, which has decided to address the phony issue of AI copyright infringement by declaring that it's a phony issue and there'll be no copyright liability for their AI industry when they train models on copyrighted content. This is the right answer, but it's also a brilliant way of borrowing and subverting the EU's GDPR model (“We regulate the world, and help EU industry too”). If Japan applies this policy to models built and trained in Japan, it will give Japanese AI companies at least an arguable immunity from copyright claims around the world. Companies will flock to Japan to train their models and build their datasets in relative regulatory certainty. The rest of the world can follow suit or watch their industries set up shop in Japan.
It helps, of course, that copyright claims against AI are mostly rent-seeking by Big Content, but this has to be the smartest piece of international AI regulation any jurisdiction has come up with so far. Kurt Sanger, just back from a NATO cyber conference in Estonia, explains why military cyber defenders are stressing their need for access to the private networks they'll be defending. Whether they'll get it, we agree, is another kettle of fish entirely. David Kris turns to public-private cooperation issues in another context. The Cyberspace Solarium Commission has another report out. It calls on the government to refresh and rethink the aging orders that regulate how the government deals with the private sector on cyber matters. Kurt and I consider whether Russia is committing war crimes by DDOSing emergency services in Ukraine at the same time as its bombing of Ukrainian cities. We agree that the evidence isn't there yet. Nick and I dig into two recent exploits that stand out from the crowd. It turns out that Barracuda's security appliance has been so badly compromised that the only remedial measure involves a woodchipper. Nick is confident that the tradecraft here suggests a nation-state attacker. I wonder if it's also a way to move Barracuda's customers to the cloud. The other compromise is an attack on MOVEit Transfer. The attack on the secure file transfer system has allowed ransomware gang Clop to download so much proprietary data that they have resorted to telling their victims to self-identify and pay the ransom rather than wait for Clop to figure out who they've pawned. Kurt, David, and I talk about the White House effort to sell section 702 of FISA for its cybersecurity value and my effort, with Michael Ellis, to sell 702 (packaged with intelligence reform) to a conservative caucus that is newly skeptical of the intelligence community. David finds himself uncomfortably close to endorsing our efforts.
Finally, in quick updates: Nick talks about Tesla's Full Self Driving, and the accidents it has been involved in. I warn listeners that Virginia has joined the ranks of states that require an ID proving age to access Pornhub. I predict that twenty states will adopt such a requirement in the next year.

The Lawfare Podcast
Cyber in the CIA with CIA Deputy Director David Cohen

May 1, 2023 51:47


David Cohen is the Deputy Director of the Central Intelligence Agency, a position he held also during the Obama administration. He's also been Under Secretary for Terrorism and Financial Intelligence in the Department of the Treasury and a partner at the WilmerHale law firm. David Kris, Lawfare contributor and former Assistant Attorney General for the National Security Division, and Bryan Cunningham, Lawfare contributor and Executive Director of the University of California, Irvine's Cybersecurity Policy & Research Institute, sat down with David to talk about his career, including taking the same job twice; the coming debate about the FISA Amendments Act reauthorization; relationships between CIA and other U.S. government elements, particularly in cyber; the new CIA Transnational and Technology Mission Center; and the strategic competition between the United States and the People's Republic of China.

The Lawfare Podcast
Cyber Leadership at ODNI with Chris Fonzone and Laura Galante

Apr 18, 2023 50:41


Chris Fonzone is the General Counsel of ODNI and has worked in senior legal roles at the Defense Department, the National Security Council, and the Department of Justice, and in the private sector as a partner at the Sidley Austin law firm. Laura Galante is the Intelligence Community's Cyber Executive and Director of ODNI's Cyber Threat Intelligence Integration Center (CTIIC). She worked previously in a position that involves supporting Ukrainian government agencies on cyber defense in the Defense Intelligence Agency and in the private sector at Mandiant. David Kris, Lawfare contributor and former Assistant Attorney General for the National Security Division, and Bryan Cunningham, Lawfare contributor and Executive Director of the University of California, Irvine's Cybersecurity Policy & Research Institute, sat down with Chris and Laura to talk about their careers, the intra- and interagency issues in cyber policy and operations, the new National Cyber Strategy, and more.

The Lawfare Podcast
Rob Joyce, NSA Director of Cybersecurity

Apr 7, 2023 57:18


Rob Joyce is the Director of the Cybersecurity Directorate at the National Security Agency. He's been NSA's top cryptologic representative in the United Kingdom and has also worked in the U.S. National Security Council. David Kris, Lawfare contributor and former Assistant Attorney General for the National Security Division, and Bryan Cunningham, Lawfare contributor and Executive Director of the University of California, Irvine's Cybersecurity Policy & Research Institute, sat down with Rob to talk about his career trajectory, the quantum decryption threat, strategic competition in cyber with the People's Republic of China, and cooperation between the private sector and the government in cyberspace.

The Lawfare Podcast
Jen Easterly

Mar 15, 2023 47:41


As Director of the United States Cybersecurity and Infrastructure Security Agency, Jen Easterly is one of several women at the very top of the cybersecurity pyramid in the United States. A graduate of West Point, decorated U.S. Army officer, and a Rhodes Scholar, Jen has served her country in a plethora of senior cybersecurity and counterterrorism roles, and most recently before her return to government, was the head of Firm Resilience at Morgan Stanley. David Kris, Lawfare contributor and former Assistant Attorney General for the National Security Division, and Bryan Cunningham, Lawfare contributor and Executive Director of the University of California, Irvine's Cybersecurity Policy & Research Institute, sat down with Jen to talk about everything cybersecurity, about the need for revolutionary new approaches to emerging threats to our cyber and national security, the recent U.S. National Cyber Strategy, the cyber offense/defense flywheel, and even where her avatar got her cape. Jen also talks about CISA's priorities for the coming years, new cyber incident reporting requirements, and new cybersecurity help coming to a city near you.

The Lawfare Podcast
Kemba Walden

Mar 10, 2023 36:33


Kemba Walden recently took over from Chris Inglis as Acting National Cyber Director in the White House. She had been Principal Deputy Assistant National Cyber Director after serving in multiple cybersecurity positions in government and in the private sector. David Kris, Lawfare contributor and former Assistant Attorney General for the National Security Division, and Bryan Cunningham, Lawfare contributor and Executive Director of the University of California, Irvine's Cybersecurity Policy & Research Institute, sat down with Kemba to talk about the challenges and opportunities of her new role, the recently released U.S. National Cyber Strategy and the significant policy changes it announces, threats to our national and economic security from China, and a fairly long discussion of music theory.

The Lawfare Podcast
Chris Inglis

Feb 21, 2023 61:58


Chris Inglis has had an illustrious career in the defense of this country, serving as an Air Force general, deputy director of the National Security Agency, and most recently as the first National Cyber Director in the White House. Chris stepped down from his position last week, and he sat down for his first interview as a private citizen with David Kris, Lawfare contributor and former assistant attorney general for the National Security Division, and Bryan Cunningham, Lawfare contributor and executive director of the University of California, Irvine's Cybersecurity Policy & Research Institute. They talked about a wide range of cyber topics, including the newly minted National Cyber Strategy, protection of critical infrastructure, cyber insurance, competition in the international front, and more.

The Cyberlaw Podcast
Phony Cybersecurity Regulation

Feb 7, 2023 45:52


This episode of the Cyberlaw Podcast is dominated by stories about possible cybersecurity regulation. David Kris points us first to an article by the leadership of the Cybersecurity and Infrastructure Security Administration in Foreign Affairs. Jen Easterly and Eric Goldstein seem to take a tough line on “Why Companies Must Build Safety Into Tech Products.” But for all the tough language, one word, “regulation,” is entirely missing from the piece. Meanwhile, the cybersecurity strategy that the White House has been reportedly drafting for months seems to be hung up over how enthusiastically to demand regulation. All of which seems just a little weird in a world where Republicans hold the House. Regulation is not likely to be high on the GOP to-do list, so calls for tougher regulation are almost certainly more symbolic than real. Still, this is a week for symbolic calls for regulation. David also takes us through a National Telecommunications and Information Administration (NTIA) report on the anticompetitive impact of Apple's and Google's control of their mobile app markets. The report points to many problems and opportunities for abuse inherent in their headlock on what apps can be sold to phone users. But, as Google and Apple are quick to point out, they do play a role in regulating app security, so breaking the headlock could be bad for cybersecurity. In any event, practically every recommendation for action in the report is a call for Congress to step in—almost certainly a nonstarter for reasons already given. Not to be outdone on the phony regulation beat, Jordan Schneider and Sultan Meghji explore some of the policy and regulatory proposals for AI that have been inspired by the success of ChatGPT. The EU's AI Act is coming in for lots of attention, mainly from parts of the industry that want to be regulation-free. Sultan and I trade observations about who'll be hollowed out first by ChatGPT, law firms or investment firms.
Sultan also tells us why the ION ransomware hack matters. Jordan and Sultan find a cybersecurity angle to The Great Chinese Balloon Scandal of 2023. And I offer an assessment of Matt Taibbi's story about the Hamilton 68 “Russian influence” reports. If you have wondered what the fuss was about, do not expect mainstream media to tell you; the media does not come out looking good in this story. Unfortunately for Matt Taibbi, he does not look much better than the reporters his story criticizes. David thinks it is a balanced and moderate take, for which I offer an apology and a promise to do better next time.

The Cyberlaw Podcast
The Sun Also Sets, on Section 702

Jan 18, 2023 57:00


The Cyberlaw Podcast kicks off 2023 by staring directly into the sun(set) of Section 702 authorization. The entire panel, including guest host Brian Fleming and guests Michael Ellis and David Kris, debates where things could be headed this year as the clock is officially ticking on FISA Section 702 reauthorization. Although there is agreement that a straight reauthorization is unlikely in today's political environment, the ultimate landing spot for Section 702 is very much in doubt and a “game of chicken” will likely precede any potential deal. Everything seems to be in play, as this reauthorization battle could result in meaningful reform or a complete car crash come this time next year. Sticking with Congress, Michael also reacts to President Biden's recent bipartisan call to action regarding “Big Tech” and ponders where Republicans and Democrats could potentially find agreement on an issue everyone seems to agree on (for very different reasons). The panel also discusses the timing of President Biden's OpEd in the Wall Street Journal and debates whether it is intended as a challenge to the Republican-controlled House to act rather than simply increase oversight on the tech industry. David then introduces a fascinating story about the bold recent action by the Securities and Exchange Commission (SEC) to bring suit against Covington & Burling LLP to enforce an administrative subpoena seeking disclosure of the firm's clients implicated in a 2020 cyberattack by Chinese state-sponsored group, Hafnium. David posits that the SEC knows exactly what it is doing by taking such aggressive action in the face of strong resistance, and the panel discusses whether the SEC may have already won by attempting to protect its burgeoning piece of turf in the U.S. government cybersecurity enforcement landscape. Brian then turns to the crypto regulatory and enforcement space to discuss Coinbase's recent settlement with New York's Department of Financial Services.
Rather than signal another crack in the foundation of the once high-flying crypto industry, Brian offers that this may just be routine growing pains for a maturing industry that is more like the traditional banking sector, from a regulatory and compliance standpoint, than it may have wanted to believe. Then, in the China portion of the episode, Michael discusses the latest news on the establishment of a reverse Committee on Foreign Investment in the United States (CFIUS), and suggests it may still be some time before this tool gets finalized (even as the substantive scope appears to be shrinking). Next, Brian discusses a recent D.C. Circuit decision which upheld the Federal Communications Commission's decision to rescind the license of China Telecom at the recommendation of the executive branch agencies known as Team Telecom (Department of Justice, Department of Defense, and Department of Homeland Security). This important, first-of-its-kind decision reinforces the role of Team Telecom as an important national security gatekeeper for U.S. telecommunications infrastructure. Finally, David highlights an interesting recent story about an FBI search of an apparent Chinese police outpost in New York and ponders what it would mean to negotiate with and be educated by undeclared Chinese law enforcement agents in a foreign country. In a few updates and quick hits: Brian updates listeners on the U.S. government's continuing efforts to win multilateral support from key allies for tough new semiconductor export controls targeting China. Michael picks up the thread on the Twitter Files release and offers his quick take on what it says about ReleaseTheMemo. And, last but not least, Brian discusses the unsurprising (according to Stewart) decision by the Supreme Court of the United States to allow WhatsApp's spyware suit against NSO Group to continue.

The Cyberlaw Podcast
Toxified Tech

Nov 29, 2022, 40:52


We spend much of this episode of the Cyberlaw Podcast talking about toxified technology – new tech that is being demonized for a variety of reasons. Exhibit One, of course, is “spyware,” essentially hacking tools that allow governments to access phones or computers otherwise closed to them, usually by end-to-end encryption. The Washington Post and the New York Times have led a campaign to turn NSO's Pegasus tool for hacking phones into radioactive waste. Jim Dempsey, though, reminds us that not too long ago, in defending end-to-end encryption, tech policy advocates insisted that the government did not need mandated access to encrypted phones because they could engage in self-help in the form of hacking. David Kris points out that, used with a warrant, there's nothing uniquely dangerous about hacking tools of this kind. I offer an explanation for why the public policy community and its Silicon Valley funders have changed their tune on the issue: having won the end-to-end encryption debate, they feel free to move on to the next anti-law-enforcement campaign. That campaign includes private lawsuits against NSO by companies like WhatsApp, whose lawsuit was briefly delayed by NSO's claim of sovereign immunity on behalf of the (unnamed) countries it builds its products for. That claim made it to the Supreme Court, David reports, where the U.S. government recently filed a brief that will almost certainly send NSO back to court without any sovereign immunity protection. Meanwhile, in France, Amesys and its executives are being prosecuted for facilitating the torture of Libyan citizens at the hands of the Muammar Qaddafi regime. Amesys evidently sold an earlier and less completely toxified technology—packet inspection tools—to Libya. The criminal case is pending. And in the U.S., a whole set of tech toxification campaigns are under way, aimed at Chinese products. 
This week, Jim notes, the Federal Communications Commission came to the end of a long road that began with jawboning in the 2000s and culminated in a flat ban on installing Chinese telecom gear in U.S. networks. On deck for China are DJI's drones, which several Senators see as a comparable national security threat that should be handled with a similar ban. Maury Shenk tells us that the British government is taking the first steps on a similar path, this time with a ban on some government uses of Chinese surveillance camera systems. Those measures do not always work, Maury tells us, pointing to a story that hints at trouble ahead for U.S. efforts to decouple Chinese from American artificial intelligence research and development. Maury and I take a moment to debunk efforts to persuade readers that artificial intelligence (AI) is toxic because Silicon Valley will use it to take our jobs. AI code writing is not likely to graduate from facilitating coding any time soon, we agree. Whether AI can do more in human resources (HR) may be limited by a different toxification campaign—the largely phony claim that AI is full of bias. Amazon's effort to use AI in HR, I predict, will be sabotaged by this claim. The effort to avoid bias will almost certainly lead Amazon to build race and gender quotas into its engine. And in a few quick hits: I express doubt that Australia's “unleash the hounds” approach to ransomware actually has anything to do with one notorious ransomware actor's extortion site going down. Maury praises an MIT Technology Review piece that argues persuasively that China's social credit system is not quite as dystopian as it's been portrayed. I point out that, with Airbnb practicing guilt by association and PayPal taking your money for saying things PayPal doesn't like, Silicon Valley can brag that it's going to reach Full-Bore Dystopia well before China. I cover the fourth review in three administrations of the dual-hat leadership of NSA and Cyber Command.
No change is likely. And we close with a downbeat assessment of Elon Musk's chances of withstanding the combined hostility of European and U.S. regulators, the press, and the left-wing tech-toxifiers in civil society. He is a talented guy, I argue, and with a three-year runway, he could succeed, but he does not have three years.

The Cyberlaw Podcast
AI-splaining

Nov 8, 2022, 49:18


The war that began with the Russian invasion of Ukraine grinds on. Cybersecurity experts have spent much of 2022 trying to draw lessons about cyberwar strategies from the conflict. Dmitri Alperovitch takes us through the latest lessons, cautioning that all of them could look different in a few months, as both sides adapt to the other's actions. David Kris joins Dmitri to evaluate a Microsoft report hinting that China may be abusing its recent edict requiring that software vulnerabilities be reported first to the Chinese government. The temptation to turn such reports into zero-day exploits may be irresistible, and Microsoft notes with suspicion a recent rise in Chinese zero-day exploits. Dmitri worried about just such a development while serving on the Cyber Safety Review Board, but he is not yet convinced that we have the evidence to prove the case against the Chinese mandatory disclosure law. Sultan Meghji keeps us in Redmond, digging through a deep Protocol story on how Microsoft has helped build Artificial Intelligence (AI) in China. The amount of money invested, and the deep bench of AI researchers from China, raises real questions about how the United States can decouple from China—and whether China may eventually decide to do the decoupling. I express skepticism about the White House's latest initiative on ransomware, a 30-plus nation summit that produced a modest set of concrete agreements. But Sultan and Dmitri have been on the receiving end of deputy national security adviser Anne Neuberger's forceful personality, and they think we will see results. We'd better. Banks reported that ransomware payments doubled last year, to $1.2 billion. David introduces the high-stakes struggle over when cyberattacks can be excluded from insurance coverage as acts of war. A recent settlement between Mondelez and Zurich has left the law in limbo. Sultan tells me why AI is so bad at explaining the results it reaches. He sees light at the end of the tunnel.
I see more stealthy imposition of woke academic values. But we find common ground in trashing the Facial Recognition Act, a lefty Democrat bill that throws together every bad proposal to regulate facial recognition ever put forward and adds a few more. A red wave will be worth it just to make sure this bill stays dead. Finally, Sultan reviews the National Security Agency's report on supply chain security. And I introduce the elephant in the room, or at least the mastodon: Elon Musk's takeover at Twitter and the reaction to it. I downplay the probability of CFIUS reviewing the deal. And I mock the Elon-haters who fear that scrimping on content moderation will turn Twitter into a hellhole that includes *gasp!* Republican speech. Turns out that they are fleeing Twitter for Mastodon, which pretty much invented scrimping on content moderation.

The Cyberlaw Podcast
Chip Wars

Oct 18, 2022, 49:22


David Kris opens this episode of the Cyberlaw Podcast by laying out some of the massive disruption that the Biden Administration has kicked off in China's semiconductor industry—and its Western suppliers. The reverberations of the administration's new measures will be felt for years, and the Chinese government's response, not to mention the ultimate consequences, remains uncertain. Richard Stiennon, our industry analyst, gives us an overview of the cybersecurity market, where tech and cyber companies have taken a beating but cybersecurity startups continue to gain funding. Mark MacCarthy reviews the industry from the viewpoint of the trustbusters. Google is facing what looks like a serious AdTech platform challenge from several directions—the EU, the Justice Department, and several states. Facebook, meanwhile, is lucky to be a target of the Federal Trade Commission, which rather embarrassingly had to withdraw claims that the acquisition of Within would remove an actual (as opposed to hypothetical) competitor from the market. No one seems to have challenged Google's acquisition of Mandiant, meanwhile. Richard suspects that is because Google is not likely to do anything with the company. David walks us through the new White House national security strategy—and puts it in historical context. Mark and I cross swords over PayPal's determination to take my money for saying things PayPal doesn't like. Visa and Mastercard are less upfront about their ability to boycott businesses they consider beyond the pale, but all money transfer companies have rules of this kind, he says. We end up agreeing that transparency, the measure usually recommended for platform speech suppression, makes sense for PayPal and its ilk, especially since they're already subject to extensive government regulation. Richard and I dive into the market for identity security. It's hot, thanks to zero trust computing. Thoma Bravo is leading a rollup of identity companies.
I predict security troubles ahead for the merged portfolio. In updates and quick hits: The Texas social media law is on hold again, but do not get excited. It is a voluntary deal designed to speed Supreme Court consideration of a review petition. Now Ukraine knows how Twitter feels: Elon Musk has changed his mind again. He will not be demanding that the Department of Defense pay for the Starlink service Elon rolled out at the start of the war with Russia. After catching Google red-handed in what looks like ideological use of a spam filter, the GOP now appears to be overplaying its hand. And I predict much more coverage, not to mention prosecutorial attention, will result from accusations that a powerful partner at the establishment law firm, Dechert, engaged in hack-and-dox attacks on adversaries of his clients.

The Cyberlaw Podcast
The Cyberlaw Podcast: A Small Door and Too Many Fat Men: Congress's Tech Agenda

Jun 28, 2022, 53:35


It's that time again on the Congressional calendar. All the big, bipartisan tech initiatives that looked so good a few months ago are beginning to compete for time on the floor like fat men desperate to get through a small door. And tech lobbyists are doing their best to hinder the bills they hate while advancing those they like. We open the Cyberlaw Podcast by reviewing a few of the top contenders. Justin (Gus) Hurwitz tells us that the big bipartisan compromise on privacy is probably dead for this Congress, killed by Senator Maria Cantwell (D-WA) and the new politics of abortion. The big subsidy for domestic chip fabs is still alive, Jamil Jaffer tells us, but beset by House and Senate differences, plus a proposal to regulate outward investment by U.S. firms that would benefit China and Russia. And Senator Amy Klobuchar's (D-MN) platform anti-self-preferencing bill is being picked to pieces by lobbyists trying to cleave away Republican votes over content moderation and national security. David Kris unpacks the First Circuit decision on telephone pole cameras and the Fourth Amendment. Technology and Fourth Amendment law is increasingly agoraphobic, I argue, as aging boomers find themselves on a vast featureless constitutional plain, with no precedents to guide them and forced to fall back on their sense of what was creepy in their day. Speaking of creepy, the Australian Strategic Policy Institute (ASPI) has a detailed report on just how creepy content moderation and privacy protections are at TikTok and WeChat. Jamil gives the highlights. Not that Silicon Valley has anything to brag about. I sum up This Week in Big Tech Censorship with two newly emerging rules for conservatives online: First, obeying Big Tech's rules is no defense; it just takes a little longer before your business revenue is cut off. Second, having science on your side is no defense.
As a Brown University doctor discovered, citing a study that undermines Centers for Disease Control and Prevention (CDC) orthodoxy will get you suspended. Who knew we were supposed to follow the science with enough needle and thread to sew its mouth shut? If Sen. Klobuchar fails, all eyes will turn to Lina Khan's Federal Trade Commission, Gus tells us, and its defense of the “right to repair” may give a clue to how it will regulate.  David flags a Google study of zero-days sold to governments in 2021. He finds it a little depressing, but I note that at least some of the zero-days probably require court orders to implement. Jamil also reviews a corporate report on security, Microsoft's analysis of how Microsoft saved the world from Russian cyber espionage—or would have if you ignoramuses would just buy more cloud services. OK, it's not quite that bad, but the marketing motivations behind the report show a little too often in what is otherwise a useful review of Russian tactics.  In quick hits: Gus tells us about a billboard that can pick your pocket: In NYC, naturally.  Jamil thinks we may have finally found Putin's billions, through the magic of shared email addresses.  I offer a preview of the next U.S.-E.U. privacy spat, over sharing biometrics at the border.  And David and I talk marijuana and security clearances. If you listen to the podcast for career advice, it's a long wait, but David delivers Security Agency Counsel after a long series of acting General Counsels.

The Cyberlaw Podcast
Scarlett Johannsson Appears on the Cyberlaw Podcast

Mar 17, 2022, 59:06


A special reminder that we will be doing episode 400 live on video and with audience participation on March 28, 2022 at noon Eastern daylight time. So mark your calendar and when the time comes, use this link to join the audience: https://riverside.fm/studio/the-cyberlaw-podcast-400 See you there!  For the third week in a row, we lead with cyber and Russia's invasion of Ukraine. Paul Rosenzweig comments on the most surprising thing about social media's decoupling from Russia—how enthusiastically the industry is pursuing the separation. Facebook is allowing Ukrainians to threaten violence against Russian leadership and removing or fact checking Russian government and media posts. Not satisfied with this, the EU wants Google to remove Russia Today and Sputnik from search results. I ask why the U.S. can't take over Facebook and Twitter infrastructure to deliver the Voice of America to Facebook and Twitter users who've been cut off by their departure. Nobody likes that idea but me. Meanwhile, Paul notes that The Great Cyberwar that Wasn't could still make an appearance, citing Ciaran Martin's sober Lawfare piece.   David Kris tells us that Congress has, after a few false starts, finally passed a cyber incident reporting bill, notwithstanding the Justice Department's over-the-top histrionics in opposition. I wonder if the bill, passed in haste due to the Ukraine conflict, should have had another round of edits, since it seems to lock in a leisurely reg-writing process that the Cybersecurity and Infrastructure Security Agency (CISA) can't cut short.   Jane Bambauer and David unpack the first district court opinion considering the legal status of “geofence” warrants—where Google gradually releases more data about people whose phones were found near a crime scene when the crime was committed. It's a long opinion by Judge M. Hannah Lauck, but none of us finds it satisfying. As is often true, Orin Kerr's take is more persuasive than the court's. 
Next, Paul Rosenzweig digs into Biden's cryptocurrency executive order. It's not a nothingburger, he opines, but it is a process-burger, meaning that nothing will happen in the field for many months, but the interagency mill will begin to grind, and sooner or later will likely grind exceeding fine.  Jane and I draw lessons from WIRED's “expose” on three wrongful arrests based on face recognition software, but not the “face recognition is Evil” lesson WIRED wanted us to draw. The arrests do reflect less than perfect policing, and are a wrenching view of what it's like for an innocent man to face charges that aren't true. But it's unpersuasive to blame face recognition for mistakes that could have been avoided with a little more care by the cops. David and I highly recommend Brian Krebs's great series on what we can learn from leaked chat logs belonging to the Conti ransomware gang. What we learned from the Conti leaks. My favorite insight was the Conti member who said, when a company resisted paying to keep its files from being published, that “There is a journalist who will help intimidate them for 5 percent of the payout.” I suggest that our listeners crowdsource an effort to find journalists who might fit this description. It might not be hard; after all, how many journalists these days are breaking stories that dive deep into doxxed databases?  Paul and I spend a little more time than it deserves on an ICANN paper about ways to block Russia from the network. But I am inspired to suggest that the country code .su—presumably all that's left of the Soviet Union—be permanently retired. I mean, really, does anyone respectable want it back?  Jane gives a lick and a promise to the Open App Markets bill coming out of the Senate Judiciary Committee. I alert the American Civil Liberties Union to a shocking porcine privacy invasion.  
I discover that none of the other panelists is surprised that 15 percent of people have already had sex with a robot but all of them find the idea of falling in love with a robot preposterous.      Download the 398th Episode (mp3)   You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families or pets.

The Cyberlaw Podcast
Cringe-Casting Since 2016

The Cyberlaw Podcast

Feb 16, 2022 57:51


The Cyberlaw Podcast has decided to take a leaf from the (alleged) Bitcoin Bandits' embrace of cringe rap. No more apologies. We're proud to have been cringe-casting for the last six years. Scott Shapiro, however, shows that there's a lot more meat to the bitcoin story than embarrassing social media posts. In fact, the government's filing after the arrest of Ilya Lichtenstein and Heather Morgan paints a forbidding picture of how hard it is to actually cash $4.5 billion in bitcoin. That's what the government wants us to think, but it's persuasive nonetheless, and both Scott and David Kris recommend it as a read. Like the Rolling Stones performing their greatest hits from 1965 on tour this year, U.S. Senator Ron Wyden of Oregon is replaying his favorite schtick from 2013 or so—complaining that the government has an intelligence program that collects some U.S. person data under a legal theory that would surprise most Americans. Based on the Privacy and Civil Liberties Oversight Board staff recommendations, Dave Aitel and David Kris conclude that this doesn't sound like much of a scandal, but it may lead to new popup boxes on intel analysts' desktops as they search the resulting databases. In an entirely predictable but still discouraging development, Dave Aitel points to persuasive reports from two forensics firms that an Indian government body has compromised the computers of a group of Indian activists and then used its access not just to spy on the activists but to load fake and incriminating documents onto their computers.  In the EU, meanwhile, crisis is drawing nearer over the EU General Data Protection Regulation (GDPR) and the European Court of Justice decision in the Schrems cases. David Kris covers one surprising trend. The court may have been aiming at the United States, but its ruling is starting to hit European companies who are discovering that they may have to choose between Silicon Valley services and serious liability. 
That's the message in the latest French ruling that websites using Google Analytics are in breach of GDPR. Next to face the choice may be European publishers who depend on data-dependent advertising whose legality the Belgian data protection authority has gravely undercut. Scott and I dig into the IRS's travails in trying to implement facial recognition for taxpayer access to records. I reprise my defense of face recognition in Lawfare. Nobody is going to come out of this looking good, Scott and I agree, but I predict that abandoning facial recognition technology is going to mean more fraud as well as more costly and lousier service for taxpayers. I point to the only place Silicon Valley seems to be innovating—new ways to show conservatives that their views are not welcome. Airbnb has embraced the Southern Poverty Law Center (SPLC), whose business model is labeling mainstream conservative groups as “hate” mongers. It told Michelle Malkin that her speech at an SPLC “hate” conference meant that she was forever barred from using Airbnb—and so was her husband. By my count that's guilt by association three times removed. Equally remarkable, Facebook is now telling Bjorn Lomborg that he cannot repeat true facts if he's using them to support the Wrong Narrative. We're not in content moderation land any more if truth is not a defense, and tech firms that supply real things for real life can deny them to people whose views they don't like. Scott and I unpack the EARN IT Act (Eliminating Abusive and Rampant Neglect of Interactive Technologies Act), again reported out of committee with a chorus of boos from privacy NGOs. We also note that supporters of getting tough on the platforms over child sex abuse material aren't waiting for EARN IT. A sex trafficking lawsuit against Pornhub has survived a Section 230 challenge. Download the 394th Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed.
As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!   The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

The Cyberlaw Podcast
Have Facebook and Google Cornered The Market On Antitrust Troubles?

The Cyberlaw Podcast

Jan 19, 2022 79:12


Just one week of antitrust litigation news shows how much turbulence Facebook and Google are encountering. Michael Weiner gives us a remarkably compact summary of the many issues, from deeply historical (Facebook's purchase of Instagram) to cutting edge tech (complaints about Oculus self-preferencing). In all, he brings us current on two state attorney general cases, two Federal Trade Commission cases and one Department of Justice case against the twin giants of surveillance advertising.  Speaking of litigation, no major new technology has been greeted with more litigation in its infancy than face recognition. So this week we interview Hoan Ton-That, CEO of what must be the most controversial tech startup in decades—Clearview AI. We probe deeply into face recognition's reputation for bias, and what the company is doing about it. Hoan is clearly taking the controversy in stride and confident that the technology will overcome efforts to turn it toxic. Meanwhile, I note, the debate is clearing out what would have been formidable competition from the likes of Microsoft, Amazon and IBM.  If you think face recognition should be banned as racist, sexist and inaccurate, this interview will make you think. Meanwhile, David Kris notes, rumors of war are rampant on the Russian-Ukrainian border—and in cyberspace. So far, it's a bit of a phony cyberwar, featuring web defacing and dormant file wipers. But it could blow up at any time, and we may be surprised how much damage can be done with a keyboard.  Speaking of damage done with a keyboard, open source software is showing how much damage can be done without even trying (although some developers are in fact trying pretty hard). Nick Weaver and I dig into the Log4j and other messes, and the White House effort to head off future open source debacles.  David is in charge of good news this week. 
It looks as though Russia has arrested a bunch of REvil co-conspirators, including one person that the White House holds responsible for the Colonial Pipeline attack. It's surely not a coincidence that this hint of cooperation from Vladimir Putin comes when he'd very much like to have leverage on the Biden administration over Ukraine. The EU is now firmly committed to cutting off the continent from a host of technologies offered, often free, by Silicon Valley. Google Analytics is out, according to Austrian authorities, even if this means accusing the European Parliament of violating European law. Nick reminds us that this isn't all the services that could be cut off. Google Translate also depends on transatlantic data flows and could become unavailable in Europe. I offer an incendiary solution to that problem.  Secure messaging is still under attack, but this week it's European governments taking the shots. The UK government is planning an ad campaign against end-to-end encryption, and Germany is growling about shutting down Telegram for allowing hate speech. Nick issues a heartfelt complaint about the disingenuity of both sides in the crypto debate. Speaking of Germans who can't live up to their reputation on protecting privacy, Nick notes that German police did exactly what Gapple feared, using a coronavirus contact-tracing app to find potential witnesses. Meanwhile, in good news, let's not forget Twitter, whose woke colonialism led it to suspend Nigeria's president for threatening secessionists with war. Turns out it was easier to go to war with Twitter, which has now unconditionally surrendered to the Nigerian government.  Finally, I claim kinship with Joe Rogan as one of the podcasters that bien pensant NGOs and academics hope to censor. My plan is to create a joint defense fund to which Joe and I will each contribute one percent of our podcasting revenues. 
Download the 390th Episode (mp3)  You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

The Cyberlaw Podcast
International Tech Policy Week

The Cyberlaw Podcast

Nov 30, 2021 52:37


This week we celebrated International Tech Policy Week, which happens every year around this time, when the American policymakers, the American execs who follow them, and the U.S. journalists who report on them all go home to eat turkey with their families and leave tech policy to the rest of the world.   Leading off a review of China's contribution to the week, Paul Rosenzweig and Jordan Schneider cover Beijing's pressure on Didi to delist from a U.S. stock exchange. If you believe it is about data security, I have a Chinese unicorn tech stock, soon to be half a unicorn, to sell you. Jordan explains why China is also taking Tencent to the woodshed for not quite getting the message about who makes the rules. In case you're not getting the message, he also covers China's decision to impose fines on tech firms for a decade's worth of M&A deals. David Kris turns what could have been a U.S. story—insurers' running for cover with regards to ransomware losses—into an international story by focusing on a proposal from Lloyds of London. Paul and I dig into a story that starts in the U.S. but soon moves abroad,  Apple's slightly weird computer fraud and abuse lawsuit against the international exploit firm, NSO Group. I point to other stories that seem to me to signal that tech hubris on this issue is out of control. Facebook is trying to stop undercover cops from using fake accounts to collect quasi-public information. And Apple is telling its customers when it discovers that they are the targets of state-sponsored malware. This is wholesale interference with law enforcement activity that in other contexts would simply be unexceptionable undercover work or lawful interception of communications. In Apple's case, it's egregious, since the company has not explained how it will manage to avoid blowing up legitimate counterterrorism and criminal investigations that are using malware because Apple has already foreclosed less dramatic options. 
Meanwhile, in Israel, the demonization of NSO Group has led authorities to dramatically cut the number of countries to which spyware can be exported. Iran may not be on the list, but Israel seems to have exported plenty to that country, which is now returning the favor, as cyberconflict begins hitting ordinary citizens in both countries. David, Paul and I reveal our history-based prejudices as we examine the latest mini flap that briefly detained Congress's proposed cyber incident reporting mandate—its failure to require simultaneous reporting to the FBI. That is a dumb idea, and the Senate seems to have treated it with exactly the amount of deference it deserved. At least that's my view from inside the locker. Jordan touches briefly on a Chinese province's plan to construct a surveillance system for foreigners. He thinks there's more (or maybe less) to the story than it appears. He also covers the U.S. decision to blacklist Chinese quantum computing companies, giving me a chance to divert him to coverage of the Endless Frontier Act and China's peculiar decision to turn it into a BFD. David and I dig into a proposed (and likely to pass) new UK law on IoT security that looks a lot like California's law on the same topic. In quick hits and updates, I note that Meta will have trouble delivering end-to-end encryption on Facebook and Instagram before 2023. And despite efforts to toxify the entire field and this company in particular, Clearview AI's face recognition tool is performing very well against international competition. I also note that my research suggests that the whole “AI bias” narrative about face recognition has been stuck in 2016 and has ignored the remarkable accuracy (and debiasing) strides the industry has made in recent years. Download the 385th Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback.
Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!   The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

The Cyberlaw Podcast
The FBI Laughs Last

The Cyberlaw Podcast

Oct 26, 2021 48:57


We begin the episode with Michael Ellis taking a close look at the takedown of the ransomware gang. It's a good story for the good guys, as REvil seems to have been brought down by the same tactic it used against so many of its victims—malware that lingered in the backups it used to restore its network. I note that this seems to be a continuation of efforts that were interrupted in the early summer—and led to a lot of criticism that the FBI had prioritized its intrusion and takedown over giving victims the decryption key. Looks like the FBI is getting the last laugh. The U.S. is trying to hold Putin responsible for stopping Russian ransomware gangs. Michael thinks that effort is not advanced by recent statements from the Pentagon raising doubts about whether Putin actually has the ability to stop the attacks. One technology where Russia's capabilities have grown stronger is, naturally, the ability to censor and suppress criticism both on domestic and Western platforms. David Kris discusses the kinds of hostages Russia has learned to take, and their success in bringing Western social media to heel. The U.S. Commerce Department has released a complex new rule for the export of network intrusion tools. Meredith Rathbone, from Steptoe's trade regulation practice, boils the rule down to a few soundbites. The short version? Commerce has done a pretty good job of protecting legitimate distributors of intrusion software, but even the good guys are going to have to save a lot more receipts. Michael and Paul Rosenzweig reprise the latest news about content moderation, particularly Twitter's own study showing that its algorithms offer up a bit more conservative than left-wing content. That raises the question whether right-leaning commentary and news is more popular because more people want it. If so, the employees at Facebook are determined to keep it from them, as recent leaks show aggressive internal efforts to squash Breitbart's reach on the platform. 
David and I unpack Ian Bremmer's Foreign Affairs article on “How Big Tech Will Reshape the Global Order.” David sees more in the piece than I do. Paul and Michael kick off a discussion of our negotiations with the EU over transatlantic data flows. But in no time, all four of us are sounding off. We offer some solutions, and plenty of criticism for the EU (“The continent that invented hypocrisy”). David notes that NSA is pursuing more collaboration with the private sector. How well that will work out is TBD, we agree. In quick hits and updates: I note with irony that Frances Haugen has discovered the limits of criticizing Facebook. Whatever you do, you can't criticize WhatsApp's growing use of end2end encryption, even if it does allow the service to ignore foreign cyberespionage. Trump and TRUTH are together at last, and Paul has the details. Bottom line: it feels like a typical Donald Trump production: great hype, plenty of controversy, and weak execution. Hackback isn't dead, it turns out, yet. I discuss the political and business advocates for a kinder, gentler version of private hackback, modeled on private investigators. Download the 380th Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

The Cyberlaw Podcast
What's the Opposite of Facial Recognition? Ask Your “Smart Toilet.”

The Cyberlaw Podcast

Play Episode Listen Later Sep 14, 2021 47:35


The district court has ruled in the lawsuit between Epic and Apple over access to the Apple app store. Apple is claiming victory and Epic is appealing. But Apple's victory is not complete, and may have a worm at its core. Jamil Jaffer explains. Surprised that ransomware gangs REvil and Groove are back—and thumbing their noses at President Biden? Dmitri Alperovitch isn't. He explains why U.S. ransomware policy has failed so far. WhatsApp has finally figured out how to let users encrypt their chat backups in the cloud, to the surprise of many users who didn't realize their backups weren't encrypted. Speaking of the encryption debate, Dmitri notes that Proton Mail joined the scrum this week, in a way it no doubt regrets. After all its bragging that mail users' privacy is “protected by Swiss law,” Proton Mail disclosed that Swiss law can be surprisingly law enforcement friendly. Responding to a French request through Europol, Swiss authorities ordered the service to collect metadata on a particular account and overrode what had been seen as a Swiss legal requirement that users be notified promptly of such actions. Is China suffering from Russia's Main Intelligence Directorate (GRU) envy? I ask and David Kris answers: It sure looks that way, as China has begun trying to rally Chinese in America to support Chinese government positions on things like the origin of COVID. So far, China's record of success is as dismal as the GRU's but I argue that it poses a bigger problem for the body politic and Chinese American interest groups. Who'd have guessed? Turns out that the EU's always-flakey General Data Protection Regulation (GDPR) provision against allowing automated decision making that affects people isn't just a charming nostalgia act; it's yet another reason for Europe to be left behind in the technology race. Jamil reports on a high-powered UK task force recommendation that the Brits dump the provision in order to allow for the growth of an AI industry.
David and I debate the meaning of Brazilian President Jair Bolsonaro banning social networks from removing political posts. And in a few quick hits: I praise the Biden administration (faintly) for finally kicking off serious negotiations with the EU about transatlantic data transfer. Dmitri dissects the undiplomatic speech of China's ambassador to the U.S. David downloads the inside poop on smart toilets. Among other things, they'll be identifying us with, uh, let's just call it the opposite of facial recognition. And Dmitri offers a solution for the dual European Community encryption story. And more! Download the 374th Episode (mp3)

The Lawfare Podcast
The FBI, Part Deux

The Lawfare Podcast

Play Episode Listen Later Jun 28, 2021 37:19


In this second half of David Kris's two-part discussion with FBI historian John Fox, David and John continue their whirlwind tour of the Bureau, focused on its use of wiretap evidence, SIGINT and other intelligence. In the last episode, they worked their way from the FBI's founding through the era of prohibition and gangsters, World War II and part of the Cold War, including the prosecution of DOJ official Judith Coplon based on information from NSA's Project VENONA. In this episode, they move forward through the FBI's more recent history to cover abuses revealed in the 1970s, the terrorist attacks of 9/11, as well as some present-day issues. See acast.com/privacy for privacy and opt-out information.

The Lawfare Podcast
The FBI, Part 1

The Lawfare Podcast

Play Episode Listen Later Jun 23, 2021 49:58


This is the latest installment in our ongoing series of historical inquiries with U.S. and Five Eyes intelligence agencies. Earlier episodes have featured CIA, NSA and GCHQ, and today, it's the first of a two-part discussion of FBI, featuring FBI historian John Fox. David Kris sat down with John for a whirlwind tour of the Bureau, from its founding through the era of prohibition and gangsters, World War II, the Cold War, abuses revealed in the 1970s, 9/11 and right up to the present, focusing on the use of wiretap evidence and intelligence.

The Cyberlaw Podcast
Cybersecurity Issues on the Congressional Agenda

The Cyberlaw Podcast

Play Episode Listen Later Apr 20, 2021 73:55


Our interview is with Mark Montgomery and John Costello, both staff to the Cyberspace Solarium Commission. The commission, which issued its main report more than a year ago, is swinging through the pitch, following up with new white papers, draft legislative language and enthusiastic advocacy for its recommendations in Congress, many of which were adopted last year. That makes it the most successful of the many cybersecurity commissions that have come and gone in Washington. And it's not done yet. Mark and John review several of the most important legislative proposals the commission will be following this year. I don't agree with all of them, but they are all serious ideas and it's a good bet that a dozen or more could be adopted in this Congress. In the news roundup, David Kris and I cover the FBI's use of a single search warrant to remove a large number of web shells from computers infected by China's irresponsible use of its access to Microsoft Exchange. The use of a search (or, more accurately, a seizure warrant)  is a surprisingly far-reaching interpretation of Federal Criminal Rule 41. But despite valiant efforts, David is unable to disagree with my earlier expressed view that the tactic is lawful. Brian Egan outlines what's new in the Biden administration's sanctions on Russia for its SolarWinds exploits. The short version: While some of the sanctions break new ground, as with Russian bonds, they do so cautiously. Paul Rosenzweig, back from Costa Rica, unpacks a hacking story that has everything—terrorism, the FBI, Apple, private sector hacking and litigation. Short version: we now know the private firm that saved Apple from the possibility of an order to hack its own phone. It's an Australian firm named Azimuth that apparently only works for democratic governments but that is nonetheless caught up in Apple's bully-the-cybersecurity-researchers litigation campaign. 
Gus Hurwitz talks to us about the seamy side of content moderation (or at least one seamy side) – the fight against “coordinated inauthentic behaviour.” In quicker takes, Paul gives us a master class in how to read the intel community's Annual Threat Assessment. David highlights what may be the next Chinese telecom manufacturing target, at least for the GOP, after Huawei and ZTE. I highlight the groundbreaking financial industry breach notification rule that has finished and is moving toward adoption. And Gus summarizes the state of Silicon Valley antitrust legislation—everyone has a bill—so no one is likely to get a bill. Download the 358th Episode (mp3)

The Cyberlaw Podcast
Conservative Catfight

The Cyberlaw Podcast

Play Episode Listen Later Apr 16, 2021 52:27


They used to say that a conservative was a liberal who'd been mugged. Today's version is that a conservative who's comfortable with business regulation is a conservative who's been muzzled by Silicon Valley. David Kris kicks off this topic by introducing Justice Thomas's opinion in a case over Trump's authority to block users he didn't like. The case was made thoroughly moot by both the election and Twitter's blocking of Trump, but Justice Thomas wrote separately to muse on the ways in which Twitter's authority to block users could be regulated by treating the company as a common carrier or public accommodation. David sees a trend among conservative jurists to embrace limits on Big Social's authority to suppress speech. I recount my experience being muzzled by LinkedIn, which would not let me link to a new Daily Mail story about the Hunter Biden laptop and say, “The social media giants that won't let you say the 2020 election was rigged are the people who did their best to rig it: The Hunter Biden laptop was genuine and scandalous according to the Daily Mail.” To my mind, this is Big Social protecting its own business interests by suppressing a story that could convince people that the industry has too much power over our national dialogue and our elections. (I mocked LinkedIn by posting 5 variants of my original post, all making the same point in slightly different ways. You can see this on my LinkedIn account result.) But my view that we should not let five or six Silicon Valley owners take over our national dialogue is challenged by Jamil Jaffer, a friend and conservative who is appalled at my deviation from Republican antiregulatory orthodoxy and first amendment doctrine. It's a great conservative catfight that mirrors the much greater catfight now under way in the Republican party. 
Elsewhere in the news roundup, Jordan Schneider and David dig into the claims that China has built advanced weapons systems with the help of American chip designers and Taiwanese fabs. The accusation has led the Biden administration to slap export controls on several Chinese firms. Whether this will work without more aggressive U.S. controls on, say, foreign fabs serving those firms is open to question. More to the point, it raises questions about long term U.S. industrial policy. David notes that one answer, the bipartisan “Endless Frontier Act,” is gaining some momentum. (I understand the motivation but question the execution.) We also touch on the sad story of Intel's recent missteps, and the opportunity that industrial policy has created for GlobalFoundries' IPO. Meanwhile Jamil takes on AdTech espionage, while U.S. senators ask Digital-Ad auctioneers to name foreign clients amid national-security concerns. We all weigh in on the administration's cyber picks, announced over the weekend. The unanimous judgment is that Chris Inglis, Jen Easterly and Rob Silvers are good picks—and, remarkably, ended up in the right jobs. In shorter hits, David and I ponder Twitch's unusual decision to start punishing people on line for misdeeds offline—misdeeds that Twitch will investigate itself. Neither of us is comfortable with the decision, including the effort to do privately what we pay cops and courts to do publicly, but there is more justification for the policy in some cases (think child sexual abuse) than might be apparent at first glance. I tell the story of the Italian authorities identifying and arresting someone trying to hire a hitman using cryptocurrency and the dark web.
As far as I know, successful cryptocurrency hitmen remain as rare as unicorns. David suggests that I should be glad not to live in Singapore, where the penalty for information the establishment doesn't like is a criminal libel judgment that I'd be forced to crowdfund like Singapore's government critics. I note that American sites like GoFundMe and Patreon have already imposed ideological screens that mean I wouldn't be able to crowdfund my defense against Big Social. And, for This Week in Data Breaches, I note the new tactic of ransomware gangs trying to pressure their victims to pay by threatening the victims' customers with doxxing plus the remarkable phenomenon of half-billion-user data troves that the source companies say are not really the result of network breaches and so not disclosable.

The Cyberlaw Podcast
The Xi-Hawley Global Consensus on Tech Platforms

The Cyberlaw Podcast

Play Episode Listen Later Mar 23, 2021 63:25


Our news roundup for this episode is heavy on China and tech policy. And most of the news is bad for tech companies. Jordan Schneider tells us that China is telling certain agencies not to purchase Teslas or allow them on the premises, for fear that Elon Musk's famously intrusive record-keeping systems will give U.S. agencies insight into Chinese facilities and personnel. Pete Jeydel says the Biden administration is prepping to make the same determination about Chinese communications and information technology, sending subpoenas to a number of Chinese tech suppliers. Meanwhile, Apple's effort to protect its consumers from apps that collect personal data is coming under pressure from what Jordan sees as a remarkable alliance of normally warring companies, including Baidu, Tencent and Bytedance. In addition to their commercial heft, all these companies likely have more juice in Beijing than Apple, so look for Tim Cook to climb down from his privacy high horse in China. (And Russia, where Apple has already agreed to let the Russian government specify the apps that must come preinstalled on iPhones sold in Russia.) Still, you can expect that Apple will continue to bravely refuse to cooperate with the FBI on terrorism and serious crime because that might set a precedent for cooperating with government demands in places like Russia and China (like them, I guess, but, you know, smaller). But the episode gets its title from our discovery that President Xi's critique of social media platforms sounds exactly like Sen. Josh Hawley's. It is, in fact, the global bien pensant consensus, which has no dissenters to speak of now that the Chinese go to Davos. Jordan offers insights into why the Chinese government's concerns about Big Tech might have its origins in something other than factional strife in Beijing. David Kris and I dive into the final word from the intelligence community on foreign governments' interference (via hacking or influence ops) in our 2020 election.
The short answer is that the Russians and the Chinese didn't hack our election machinery, in fact they didn't even try. So, chest-beating over our 2020 cyber defenses may be a little like doing a victory lap after the other team forfeits. David and I manage to disagree about a few things, including the Hunter Biden laptop story, which I contend is now the principal disinformation campaign of 2020, as the media and Big Tech combined to throttle the story on spurious suspicions of a Russian hand in its provenance; David disagrees. Pete Jeydel and Ishan Sharma, our interview guest, weigh in on the latest cyber conflict paper from the United Nations. We all agree that it could be worse, and that getting the General Assembly to accept it was an achievement at a time of lowered expectations for the UN. The Cyber Space Solarium Commission is not going away, Pete and I agree, as witness the most recent report card issued to the Biden administration by a Solarium staffer. In principle, that's a good thing; commissions need to stick around and fight for their recommendations. But I can't help complaining that some of the things the commission is fighting for—Senate confirmation of a White House cyber director, and cutting the Department of Homeland Security out of supply chain governance—are bad ideas.  We close with a recognition of the rafts of material supplied over the years to the podcast by the data protection authorities of Europe. They've mostly always been an example of what Texans call “all hat and no cattle” – better talkers than doers. But now their lack of serious implementation skills is catching up to them, as the companies they have penalized begin to  pursue, and win, judicial appeals. That's a trend likely to continue, and a good thing too. 
Our interview is with Ishan Sharma, from the Federation of American Scientists, and author of “A More Responsible Digital Surveillance Future Multi-stakeholder Perspectives and Cohesive State & Local, Federal, and International Actions.” If you like the episodes where I disagree profoundly with my guests, this one's for you. I don't think Ishan gets more than two minutes in before the critiquing begins. Still, he holds his own, defending a vision of surveillance technology that serves democratic ends and is for that reason supported and even subsidized in a global competition with the less democratic alternatives from China. I suspect that he'll lose friends on both the left and the right as he tries to walk this line, but he's clearly put a lot of thought into finding an alternative to technopessimism, and he defends it ably. And more! Download the 354th Episode (mp3)

The Lawfare Podcast
Covert Action

The Lawfare Podcast

Play Episode Listen Later Mar 17, 2021 62:17


David Kris sat down with David Robarge, the chief historian at the Central Intelligence Agency, to discuss covert action. All together, around 50 covert actions have been declassified over the years, and Kris and Robarge discuss several of them, involving the Middle East, Western Europe, Africa and Central America. They also talked about the legal and policy rules governing covert action, the process by which covert action is reviewed and approved and the famous "Washington Post test."

@BEERISAC: CPS/ICS Security Podcast Playlist
Episode 351: When will Cyberattacks on the Grid Become the New Normal?

@BEERISAC: CPS/ICS Security Podcast Playlist

Play Episode Listen Later Mar 4, 2021 72:13


Podcast: The Cyberlaw Podcast
Episode: Episode 351: When will Cyberattacks on the Grid Become the New Normal?
Pub date: 2021-03-01

In the news roundup, David Kris digs into rumors that Chinese malware attacks may have caused a blackout in India at a time when military conflict was flaring on the two nations' Himalayan border. This leads us to Russia's targeting of the US grid and to uneasy speculation on how well our regulatory regime is adapted to preventing successful grid attacks. The Biden administration is starting to get its legs under it on cybersecurity. In its first major initiative, Maury Shenk and Nick Weaver tell us, it has called for a set of studies on how to secure the supply chain in several critical products, from rare earths to semiconductors. As a reflection of the rare bipartisanship of the issue, the President's order is weirdly similar to Sen. Tom Cotton's to "beat China" economically. Nick explains the most recent story on how China repurposed an NSA attack tool to use against US targets. Bottom line: It's embarrassing for sure, but it's also business as usual for attack teams. This leads us to a surprisingly favorable review of the Cyber Threat Alliance's recent paper on how to run a Vulnerability Equities Process. Maury explains the new rules that Facebook, WhatsApp and Twitter will face in India. Among other things, the rules will require India-based "grievance officers" to handle complaints. I am unable to resist snarking that if ever there were a title that the wokeforce at these companies should aspire to, it's Chief Grievance Officer. Nick and I make short work of two purported scandals – ICE investigators using a private utility database to enforce immigration law and the IRS purchasing cellphone location data. I argue that the first is the work of ideologues who would loudly protest ICE access to the White Pages. And the second is a nonstory largely manufactured by Sen. Wyden. In a story that isn't manufactured, David and I predict that the Supremes will agree to decide the scope of cellphone border searches. More than that, we conclude, the Ninth Circuit will lose. The hard question is how broadly the Court decides to rule once it has kicked the Ninth Circuit rule to the curb. Maury reports that Facebook and Google have pushed the Aussie government into a compromise on paying Aussie media fees for links. Facebook gets the credit for being willing to shoot the family members the government was holding hostage (although in Facebook's case, the hostage was probably a second cousin once removed). Maury predicts that the negotiations will be tougher once the European Union starts rounding up its hostages. In Quick Hits, I claim credit for pointing out years ago that sooner or later the crybullies would come for "quantum supremacy." And they have. Maury and I note the rise of audits for AI. He's mildly favorable; I am not. And I close by noting the surprisingly difficult choices illustrated by Pro Publica's story on how the content moderation sausage was made at Facebook when the Turkish government demanded that a Kurdish group's postings be taken down. And more! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets. The podcast and artwork embedded on this page are from Steptoe & Johnson LLP, which is the property of its owner and not affiliated with or endorsed by Listen Notes, Inc.

The Cyberlaw Podcast
When Will Cyberattacks on the Grid Become the New Normal?

The Cyberlaw Podcast

Play Episode Listen Later Mar 2, 2021 72:14


In the news roundup, David Kris digs into rumors that Chinese malware attacks may have caused a blackout in India at a time when military conflict was flaring on the two nations' Himalayan border. This leads us to Russia's targeting of the U.S. grid and to uneasy speculation on how well our regulatory regime is adapted to preventing successful grid attacks. The Biden administration is starting to get its legs under it on cybersecurity. In its first major initiative, Maury Shenk and Nick Weaver tell us, it has called for a set of studies on how to secure the supply chain in several critical products, from rare earths to semiconductors. As a reflection of the rare bipartisanship of the issue, the president's order is weirdly similar to Sen. Tom Cotton's to “beat China” economically. Nick explains the most recent story on how China repurposed an NSA attack tool to use against U.S. targets. Bottom line: It's embarrassing for sure, but it's also business as usual for attack teams. This leads us to a surprisingly favorable review of the Cyber Threat Alliance's recent paper on how to run a Vulnerability Equities Process. Maury explains the new rules that Facebook, WhatsApp and Twitter will face in India. Among other things, the rules will require India-based “grievance officers” to handle complaints. I am unable to resist snarking that if ever there were a title that the wokeforce at these companies should aspire to, it's Chief Grievance Officer. Nick and I make short work of two purported scandals—ICE investigators using a private utility database to enforce immigration law and the IRS purchasing cellphone location data. I argue that the first is the work of ideologues who would loudly protest ICE access to the White Pages. And the second is a nonstory largely manufactured by Sen. Wyden. In a story that isn't manufactured, David and I predict that the Supremes will agree to decide the scope of cellphone border searches.
More than that, we conclude, the Ninth Circuit will lose. The hard question is how broadly the Court decides to rule once it has kicked the Ninth Circuit rule to the curb. Maury reports that Facebook and Google have pushed the Aussie government into a compromise on paying Aussie media fees for links. Facebook gets the credit for being willing to shoot the family members the government was holding hostage (although in Facebook's case, the hostage was probably a second cousin once removed). Maury predicts that the negotiations will be tougher once the European Union starts rounding up its hostages. In quick hits, I claim credit for pointing out years ago that sooner or later the crybullies would come for “quantum supremacy.” And they have. Maury and I note the rise of audits for AI bias. He's mildly favorable; I am not. And I close by noting the surprisingly difficult choices illustrated by Pro Publica's story on how the content moderation sausage was made at Facebook when the Turkish government demanded that a Kurdish group's postings be taken down. And more! Download the 351st Episode (mp3)

The Right Opinion
The Right Opinion: Dem-ja Vu

The Right Opinion

Play Episode Listen Later Jan 19, 2020 46:19


The Right Opinion: Dem-ja Vu

This Week:

Parnas is the new Michael Cohen
Parnas Says He Warned Top Ukraine Aide on Potential Cutoff of Funds
https://www.wsj.com/articles/house-impeachment-panels-release-documents-on-contacts-of-lev-parnas-11579141413

Sidebar on Christiane Amanpour
Former Rep. Bob Livingston on OAN: https://t.co/ZKJAbhlXyb?amp=1

Yovanovitch is the new Christine Blasey Ford, Stormy Daniels and Hillary Clinton all rolled into one.

David Kris is the new Mueller:
Is the FBI Really Addressing the FISA Abuse? Trump Weighs In, People Ask Where Is Joe Pientka?
https://www.redstate.com/nick-arama/2020/01/12/764485/
Nunes Memo: https://www.vox.com/2018/2/2/16957588/nunes-memo-released-full-text-read-pdf-declassified

The Right Opinion Merch Store: https://www.teepublic.com/t-shirts/therightopinion

Subscribe: TheRightOpinion.podbean.com or search “The Right Opinion” on iTunes or Google Play (for your monthly episodes and all exclusive bonus episodes)

Twitter and Instagram: @RightOpinionPod

Email Harrison: TheRightOpinionPod@gmail.com

We will also be available on a 24-48 hour delay on HackerHamin.podbean.com, or search “HackerHamin” on Spotify, iTunes, Stitcher, Google Play and more.

And Rat Salad Review: RatSaladReview.com, available on YouTube, iTunes, Google Play, iHeart Radio and Stitcher

This is a public episode. If you would like to discuss this with other subscribers or get access to bonus episodes, visit rightopinionpod.substack.com