The Cyberlaw Podcast

The Capitol Hill hearings featuring TikTok's CEO lead off episode 450 of the Cyberlaw Podcast. The CEO handled the endless stream of Congressional accusations and suspicion about as well as could have been expected. And it did him as little good as a cynic would have expected. Jim Dempsey and Mark MacCarthy think Congress is moving toward action on Chinese IT products—probably in the form of the bipartisan Restricting the Emergence of Security Threats that Risk Information and Communications Technology (RESTRICT) Act. But passing legislation and actually doing something about China's IT successes are two very different things. The FTC is jumping into the arena on cloud services, Mark tells us, and it can't escape its DNA—dwelling on possible industry concentration and lock-in and not asking much about the national security implications of knocking off a bunch of American cloud providers when the alternatives are largely Chinese cloud providers. The FTC's myopia means that the administration won't get as much help as it could from the FTC on cloud security measures. I reissue my standard objection to the FTC's refusal to follow the FCC's lead in deferring on national security to executive branch concerns. Mark and I disagree about whether the FTC Act forces the Commission to limit itself to consumer protection. Jim Dempsey reviews the latest AI releases, including Google's Bard, which seems to have many of the same hallucination problems as OpenAI's engines. Jim and I debate what I consider the wacky and unjustified fascination in the press with catching AI engaging in wrong think. I believe it's just a mechanism for justifying the imposition of left-wing values on AI's output —which already scores left/libertarian on 14 of 15 standard tests for identifying ideological affiliation. Similarly, I question the effort to stop AI from hallucinating footnotes in support of its erroneous facts. If ever there were a case for generative AI correction of AI errors, the fake citation problem seems like a natural. Speaking of Silicon Valley's lying problem, Mark reminds us that social media is absolutely immune for user speech, even after it gets notice that the speech is harmful and false. He reminds us of his thoughtful argument in favor of tweaking section 230 to more closely resemble the notice and action obligations found in the Digital Millennium Copyright Act (DMCA). I argue that the DMCA has not so much solved the incentives for overcensoring speech as it has surrendered to them. Jim introduces us to an emerging trend in state privacy law: bills that industry supports. Iowa's new law is the exemplar; Jim questions whether it will satisfy users in the long run. I summarize Hachette v. Internet Archive, in which Judge John G. Koeltl delivers a harsh rebuke to internet hippies everywhere, ruling that the Internet Archive violated copyright in its effort to create a digital equivalent to public library lending. The judge's lesson for the rest of us: You might think fair use is a thing, but it's not. Get over it. In quick hits, I note that the Cyberlaw Podcast scooped WIRED in covering the GSA's lies about the security of login.gov and its later effort to justify those lies by invoking "equity"—currently replacing patriotism as the last resort of scoundrels. And I offer a brief, nostalgic requiem for Toshiba, which is being broken up for scrap by what's left of Japan Inc. Thirty years ago, Toshiba was treated on the Hill like Huawei is today – a scary and unstoppable competitor who threatened the American way of life. Now, not so much. Download 450th Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

GPT-4's rapid and tangible improvement over ChatGPT has more or less guaranteed that it or a competitor will be built into most new and legacy information and technology (IT) products. Some applications will be pointless; but some will change users' world. In this episode, Sultan Meghji, Jordan Schneider, and Siobhan Gorman explore the likely impact of GPT4 from Silicon Valley to China. Kurt Sanger joins us to explain why Ukraine's IT Army of volunteer hackers creates political, legal, and maybe even physical risks for the hackers and for Ukraine. This may explain why Ukraine is looking for ways to "regularize" their international supporters, with a view to steering them toward defending Ukrainian infrastructure. Siobhan and I dig into the Biden administration's latest target for cybersecurity regulation: cloud providers. I wonder if there is not a bit of bait and switch in operation here. The administration seems at least as intent on regulating cloud providers to catch hackers as to improve defenses. Say this for China – it never lets a bit of leverage go to waste, even when it should. To further buttress its seven-dashed-line claim to the South China Sea, China is demanding that companies get Chinese licenses to lay submarine cable within the contested territory. That, of course, incentivizes the laying of cables much further from China, out where they're harder for the Chinese to deal with in a conflict. But some Beijing bureaucrat will no doubt claim it as a win for the wolf warriors. Ditto for the Chinese ambassador's statement about the Netherlands joining the U.S. in restricting chip-making equipment sales to China, which boiled down to "We will make you pay for that. We just do not know how yet." The U.S. is not always good at dealing with its companies and other countries, but it is nice to be competing with a country that is demonstrably worse at it. The Security and Exchange Commission has gone from catatonic to hyperactive on cybersecurity. Siobhan notes its latest 48-hour incident reporting requirement and the difficulty of reporting anything useful in that time frame. Kurt and Siobhan bring their expertise as parents of teens and aspiring teens to the TikTok debate. I linger over the extraordinary and undercovered mess created by "18F"—the General Service Administration's effort to bring Silicon Valley to the government's IT infrastructure. It looks like they brought Silicon Valley's arrogance, its political correctness, and its penchant for breaking things but forgot to bring either competence or honesty. 18F lied to its federal customers about how or whether it was checking the identities of people logging in through login.gov. When it finally admitted the lie, it brazenly claimed it was not checking because the technology was biased, contrary to the only available evidence. Oh, and it refused to give back the $10 million it charged because the work it did cost more than that. This breakdown in the middle of coronavirus handouts undoubtedly juiced fraud, but no one has figured out how much. Among the victims: Sen. Ron Wyden (D.-Ore.), who used login.gov and its phony biometric checks as the "good" alternative that would let the Internal Revenue Service (IRS) cancel its politically inconvenient contract with ID.me. Really, guys, it's time to start scrubbing 18F from your LinkedIn profiles. The Knicks have won some games. Blind pigs have found some acorns. But Madison Square Garden (and Knicks) owner, Jimmy Dolan is still investing good money in his unwinnable fight to use facial recognition to keep lawyers he does not like out of the Garden. Kurt offers commentary, thereby saving himself the cost of Knicks tickets for future playoff games. Finally, I read Simson Garfinkel's explanation of a question I asked (and should have known the answer to) in episode 448.

This episode of the Cyberlaw Podcast kicks off with the sudden emergence of a serious bipartisan effort to impose new national security regulations on what companies can be part of the U.S. Information Technology and content supply chain. Spurred by a stalled Committee on Foreign Investment in the United States negotiation with TikTok, Michael Ellis tells us, a dozen well-regarded Democrat and Republican senators have joined to endorse the Restricting the Emergence of Security Threats that Risk Information and Communications Technology Act, which authorizes the exclusion of companies based in hostile countries from the U.S. economy. The administration has also jumped on the bandwagon, making the adoption of some legislation more likely than in the past. Jane Bambauer takes us through the district court decision upholding the use of a "geofence warrant" to identify January 6th rioters. We end up agreeing that this decision (and the context) turned out to be the best possible result for the Justice Department, silencing the usual left-leaning doubters about law enforcement technological adaptation. Just a few days after issuing a cybersecurity strategy that calls for more regulation, the administration is delivering what it called for. Transportation Security Administration (TSA) has issued emergency cybersecurity orders for airports and aircraft operators that, I argue, take the regulatory framework from a few baby steps to a plausible set of minimum requirements. Things look a little different in the water and sewage sector, where the regulator is the Environmental Protection Agency (EPA)—not known for its cybersecurity expertise—and the authority to regulate is grounded if at all in very general legislative language. To make the task even harder, EPA is planning to impose its cybersecurity standards using an interpretive rule against a background in which Congress has done just enough cybersecurity legislating to undermine the case for a broad interpretation. Jane explores the story that Google was deterred from releasing its impressive AI technology by fear of bad press. That leads us to a meditation on politics inside companies with a guaranteed source of revenue. I offer hope that Google's fears about politically incorrect AI will infect Chinese tech firms. Jane and I reprise the debate over the United Kingdom's Online Safety Act and end-to-end encryption, which leads to a poli-sci tour of European policymaking institutions. The other cyber and national security news in Congress is the ongoing debate over renewal of section 702 of the Foreign Intelligence Surveillance Act (FISA), where it appears that the FBI scored an own-goal. Michael reports that an FBI analyst did unauthorized searches of the 702 database for intelligence on one of the House intelligence committee's moderates, Rep. Darin LaHood, R-Ill. Details are sketchy, Michael notes, but the search was disclosed by Rep. LaHood, and it is bound to have led to harsh questioning during the FBI director's classified testimony, Meanwhile, at least one member of the President's Civil Liberties and Oversight Board is calling for what could be a crippling "reform" of 702 database searches. Jane and I unpack the controversy surrounding the Federal Trade Commission's investigation of Twitter's compliance with its consent decree. On the law, Elon Musk's Twitter is in trouble. On the political front, however, they are more evenly matched. Chances are, both parties are overestimating their own strengths, which could foretell a real donnybrook. Michael assesses the stories saying that the Biden administration is preparing new rules to govern outbound investment in China. He is skeptical that we'll see heavy regulation in this space. In quick hits, Jane explains the 9th Circuit decision saying that Twitter can be prohibited from publishing a full report on how many FBI probes it answered Jane and I puzzle over reports that a Colorado Catholic group bought app data to track gay priests. Download 448th Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

As promised, the Cyberlaw Podcast devoted half of this episode to an autopsy of Gonzalez v. Google LLC , the Supreme Court's first opportunity in a quarter century to construe section 230 of the Communications Decency Act. And an autopsy is what our panel—Adam Candeub, Gus Hurwitz, Michael Ellis and Mark MacCarthy—came to perform. I had already laid out my analysis and predictions in a separate article for the Volokh Conspiracy, contending that both Gonzalez and Google would lose. All our panelists agreed that Gonzalez was unlikely to prevail, but no one followed me in predicting that Google's broad immunity claim would fall, at least not in this case. The general view was that Gonzalez's lawyer had hurt his case with shifting and opaque theories of liability, that Google's arguments raised concerns among the Justices but not enough to induce them to write an opinion in such a muddled case. Evaluating the Justices' performance, Justice Neil Gorsuch's search for a textual answer drew little praise and some derision while Justice Ketanji Jackson won admiration even from the more conservative panelists. More broadly, there was a consensus that, whatever the fate of this particular case, the court will find a way to push the lower courts away from a sweeping immunity for platforms and toward a more nuanced protection. But because returning to the original intent of section 230 is not likely after 25 years of investment based on a lack of liability, this more nuanced protection will not have much grounding in the actual statutory language. Call it a return to the Rule of Reason. In other news, Michael summed up recent developments in cyber war between Russia and Ukraine, including imaginative attacks on Russia's communications system. I wonder whether these attacks—which are sexy but limited in impact—make cyber the modern equivalent of using motorcycles as a weapon in 1939. Gus brings us up to date on recent developments in competition law, including a likely Department of Justice's challenge to Adobe's $20 Billion Figma deal, new airline merger challenge, the beginnings of opposition to the Federal Trade Commission's (FTC) proposed ban on noncompete clauses, and the third and final nail in the coffin of the FTC's challenge to the Meta-Within merger. In European cyber news, the European Union is launching a consultation designed to make U.S. platforms pay more of European telecom networks' costs. Adam and Gus note the rent-seeking involved but point out that rent-seeking in U.S. network construction is just as bad, but seems to be extracting rents from taxpayers instead of Silicon Valley. The EU is also getting ready to fix the General Data Protection Regulation (GDPR), in the sense that gamblers fix a prize fight. The new fix will make sure Ireland never again wins a fight with the rest of Europe over how aggressively to extract privacy rents from U.S. technology companies. I am excited about Apple's progress in devising a blood glucose monitor that could go into a watch. Adam and Gus tell me not to get too excited until we know how many roadblocks The Food and Drug Administration (FDA) will erect to the use and analysis of the monitors' data. In quick hits, Gus confirms our suspicion that generative AI Is coming for the lawyers' jobs And that Illinois' biometric privacy law has gone from a really bad idea to a social, economic, and litigation catastrophe. The Illinois Supreme Court could have staved this one off and didn't. Download 445th Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

This episode of the Cyberlaw Podcast opens with a look at some genuinely weird behavior by the Bing AI chatbot – dark fantasies, professions of love, and lies on top of lies – plus the factual error that wrecked the rollout of Google's AI search bot. Chinny Sharma and Nick Weaver explain how we ended up with AI that is better at BS'ing than at accurately conveying facts. This leads me to propose a scheme to ensure that China's autocracy never gets its AI capabilities off the ground. One thing that AI is creepily good at is faking people's voices. I try out ElevenLabs' technology in the first advertisement ever to run on the Cyberlaw Podcast. The upcoming fight over renewing section 702 of FISA has focused Congressional attention on FBI searches of 702 data, Jim Dempsey reports. That leads us to the latest compliance assessment on agencies' handling of 702 data. Chinny wonders whether the only way to save 702 will be to cut off the FBI's access – at great cost to our unified approach to terrorism intelligence, I complain that the compliance data is older than dirt. Jim and I come together around the need to provide more safeguards against political bias in the intelligence community. Nick brings us up to date on cyber issues in Ukraine, as summarized in a good Google report. He puzzles over Starlink's effort to keep providing service to Ukraine without assisting offensive military operations. Chinny does a victory lap over reports that the (still not released) national cyber strategy will recommend imposing liability on the companies that distribute tech products – a recommendation she made in a paper released last year. I cannot quite understand why Google thinks this is good for Google. Nick introduces us to modern reputation management. It involves a lot of fake news and bogus legal complaints. The Digital Millennium Copyright Act and European Union (EU) and California privacy law are the censor's favorite tools. What is remarkable to my mind is that a business taking so much legal risk charges so little. Jim and Chinny bring us up to date on the charm offensive being waged in Washington by TikTok's CEO and the broader debate over China's access to the personal data of Americans, including health data. Jim cites a recent Duke study, which I complain is not clear about when the data being sold is individual and when it is aggregated. Nick reminds us all that aggregate data is often easy to individualize. Finally, we make quick work of a few more stories: This week's oral argument in Gonzalez v. Google is a big deal, but we will cover it in detail once the Justices have chewed it over. If you want to know why conservatives think the whole "disinformation" scare is a scam to suppress conservative speech, look no further than the scandal over the State Department's funding of an non-governmental organization (NGO) devoted to cutting off ad revenue for "risky" purveyors of "disinformation" like Reason (presumably including the Volokh Conspiracy), Real Clear Politics, the N.Y. Post, and the Washington Examiner – all outlets that can only look like disinformation to the most biased judge. The National Endowment for Democracy has already cut off funding, but Microsoft's ad agency still seems to be boycotting these conservative outlets. EU Lawmakers are refusing to endorse the latest EU-U.S. data deal. But it is all virtue signaling. Leaving Twitter over Elon Musk's ownership turns out to be about as popular as leaving the U.S. over Trump's presidency. Chris Inglis has finished his tour of duty as national cyber director. And the Federal Trade Commission's humiliation over its effort to block Meta's acquisition of Within is complete. Meta closed the deal last week. Download 443rd Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

The latest episode of The Cyberlaw Podcast gets a bit carried away with the China spy balloon saga. Guest host Brian Fleming, along with guests Gus Hurwitz, Nate Jones, and Paul Rosenzweig, share insights (and bad puns) about the latest reporting on the electronic surveillance capabilities of the first downed balloon, the Biden administration's "shoot first, ask questions later" response to the latest "flying objects," and whether we should all spend more time worrying about China's hackers and satellites. Gus then shares a few thoughts on the State of the Union address and the brief but pointed calls for antitrust and data privacy reform. Sticking with big tech and antitrust, Gus recaps a significant recent loss for the Federal Trade Commission (FTC) and discusses what may be on the horizon for FTC enforcement later this year. Pivoting back to China, Nate and Paul discuss the latest reporting on a forthcoming (at some point) executive order intended to limit and track U.S. outbound investment in certain key aspects of China's tech sector. They also ponder how industry may continue its efforts to narrow the scope of the restrictions and whether Congress will get involved. Sticking with Congress, Paul takes the opportunity to explain the key takeaways from the not-so-bombshell House Oversight Committee hearing featuring former Twitter executives. Gus next describes his favorite ChatGPT jailbreaks and a costly mistake for an artificial intelligence (AI) chatbot competitor during a demo. Paul recommends a fascinating interview with Sinbad.io, the new Bitcoin mixer of choice for North Korean hackers, and reflects on the substantial portion of the Democratic People's Republic of Korea's gross domestic product attributable to ransomware attacks. Finally, Gus questions whether AI-generated "Nothing, Forever" will need to change its name after becoming sentient and channeling Dave Chapelle. To wrap things up in the week's quick hits, Gus briefly highlights where things stand with Chip Wars: Japan edition and Brian covers coordinated U.S./UK sanctions against the Trickbot cybercrime group, confirmation that Twitter's sale will not be investigated by the Committee on Foreign Investment in the United States (CFIUS), and the latest on Security and Exchange Commission (SEC) v. Covington. Download 442nd Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

This episode of the Cyberlaw Podcast is dominated by stories about possible cybersecurity regulation. David Kris points us first to an article by the leadership of the Cybersecurity and Infrastructure Security Administration in Foreign Affairs. Jen Easterly and Eric Goldstein seem to take a tough line on "Why Companies Must Build Safety Into Tech Products." But for all the tough language, one word, "regulation," is entirely missing from the piece. Meanwhile, the cybersecurity strategy that the White House has been reportedly drafting for months seems to be hung up over how enthusiastically to demand regulation. All of which seems just a little weird in a world where Republicans hold the House. Regulation is not likely to be high on the GOP to-do list, so calls for tougher regulation are almost certainly more symbolic than real. Still, this is a week for symbolic calls for regulation. David also takes us through an National Telecommunications and Information Administration (NTIA) report on the anticompetitive impact of Apple's and Google's control of their mobile app markets. The report points to many problems and opportunities for abuse inherent in their headlock on what apps can be sold to phone users. But, as Google and Apple are quick to point out, they do play a role in regulating app security, so breaking the headlock could be bad for cybersecurity. In any event, practically every recommendation for action in the report is a call for Congress to step in—almost certainly a nonstarter for reasons already given. Not to be outdone on the phony regulation beat, Jordan Schneider and Sultan Meghji explore some of the policy and regulatory proposals for AI that have been inspired by the success of ChatGPT. The EU's AI Act is coming in for lots of attention, mainly from parts of the industry that want to be regulation-free. Sultan and I trade observations about who'll be hollowed out first by ChatGPT, law firms or investment firms. Sultan also tells us why the ION ransomware hack matters. Jordan and Sultan find a cybersecurity angle to The Great Chinese Balloon Scandal of 2023. And I offer an assessment of Matt Taibbi's story about the Hamilton 68 "Russian influence" reports. If you have wondered what the fuss was about, do not expect mainstream media to tell you; the media does not come out looking good in this story. Unfortunately for Matt Taibbi, he does not look much better than the reporters his story criticizes. David thinks it is a balanced and moderate take, for which I offer an apology and a promise to do better next time.

The big cyberlaw story of the week is the Justice Department's antitrust lawsuit against Google and the many hats it wears in the online ad ecosystem. Lee Berger explains the Justice Department's theory, which is not dissimilar to the Texas attorney general's two-year-old claims. When you have lost both the Biden administration and the Texas attorney general, I suggest, you cannot look too many places for friends—and certainly not to Brussels, which is also pursuing similar claims of its own. So what is the Justice Department's late-to-the-party contribution? At least two things, Lee suggests: a jury demand that will put all those complex Borkian consumer-welfare doctrines in front of a northern Virginia jury and a "rocket docket" that will allow Justice to catch up with and maybe lap the other lawsuits against the company. This case looks as though it will be long and ugly for Google, unless it turns out to be short and ugly. Mark reminds us that, for the Justice Department, finding an effective remedy may be harder than proving anticompetitive conduct. Nathan Simington assesses the administration's announced deal with Japan and the Netherlands to enforce a tougher decoupling policy against China's semiconductor makers. Details are still a little sparse, but some kind of deal was essential for the United States. But for Japan and the Netherlands, the details are critical, and any arrangement will require flexibility and sophistication on the part of the Commerce Department. Megan Stifel and I chew over the Justice Department/FBI victory lap after putting a stick in the spokes of The Hive ransomware infrastructure. We agree that the lap was warranted. Among other things, the FBI handled its access to decryption keys with more care than in the past, providing them to many victims before taking down a big chunk of the ransomware gang's tools. The bad news? Nobody was arrested, and the infrastructure can probably be reconstituted in the near term. Here is an evergreen headline: "Facebook is going to reinstate Donald Trump's account." That could be the opening line of any story in the last few months, and that is probably Facebook's strategy—a long, teasing dance of seven veils so that by the time Trump starts posting, it will be old news. If that is Facebook's PR strategy, it is working, Mark MacCarthy reports. Nobody much cares, and they certainly do not seem to be mad at Facebook. So the company is out of the woods, and they have left the ex-president on the receiving end of a blow to the ego that is bound to sting. Megan has more good news on the cybercrime front: The FBI identified the North Korean hacking group that stole $100 million in crypto last year—and may have kept the regime from getting its hands on any of the funds. Nathan unpacks two competing news stories. First, "OMG, ChatGPT will help bad guys write malware." Second: "OMG, ChatGPT will help good guys find and fix security holes." He thinks they are both a bit overwrought, but maybe a glimpse of the future. Mark and Megan explain TikTok's new offer to Washington. Megan also covers Congress's "TayTay v. Ticketmaster" hearing after disclosing her personal conflict of interest. Nathan answers my question: how can the FAA be so good a preventing airliners from crashing and so bad at preventing its systems from crashing? The ensuing discussion turns up more on-point bathroom humor than anyone would have expected. In quick hits, I cover three stories: First, my complaint about Gen. Milley's egregious and self-admitted overclassification of January 6th records. And the prospect that he may be investigated for it. Next, the delightful Iran-Iraq War pity-they-cannot-both-lose fight between James Dolan, the owner of Madison Square Garden, and the lawyers he his's barred from the Garden. In a tactic that reminds me of Donald Trump, Dolan is doubling down on confrontation despite the mounting legal troubles it's created. My explanation? I am betting both men have Daddy issues. Finally, Google has won at least one victory in Washington this week: It outmaneuvered the Republican effort to score points against Google in the scandal over Gmail's partisan spam filtering Download 440th Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

We kick off a jam-packed episode of the Cyberlaw Podcast by flagging the news that ransomware revenue fell substantially in 2022. There is lots of room for error in that Chainalysis finding, Nick Weaver notes, but the effect is large. Among the reasons to think it might also be real is resistance to paying ransoms on the part of companies and their insurers, who are especially concerned about liability for payments to sanctioned ransomware gangs. I also note that a fascinating additional insight from Jon DiMaggio, who infiltrated the Lockbit ransomware gang. He says that Entrust was hit by Lockbit, which threatened to release its internal files, and that the company responded with days of Distributed Denial of Service (DDoS) attacks on Lockbit's infrastructure – and never did pay up. That would be a heartening display of courage. It would also be a felony, at least according to the conventional wisdom that condemns hacking back. So I cannot help thinking there is more to the story. Like, maybe Canadian Security Intelligence Service is joining Australian Signals Directorate in releasing the hounds on ransomware gangs. I look forward to more stories on this undercovered disclosure. Gus Hurwitz offers two explanations for the Federal Aviation Administration system outage, which grounded planes across the country. There's the official version and the conspiracy theory, as with everything else these days. Nick breaks down the latest cryptocurrency failure; this time it's Genesis. Nick's not a fan of this prepackaged bankruptcy. And Gus and I puzzle over the Federal Trade Commission's determination to write regulations to outlaw most non-compete clauses. Justin Sherman, a first-timer on the podcast, covers recent research showing that alleged Russian social media interference had no meaningful effect on the 2016 election. That spurs an outburst from me about the cynical scam that was the "Russia, Russia, Russia" narrative—a kind of 2016 election denial for which the press and the left have never apologized. Nick explains the looming impact of Twitter's interest payment obligation. We're going to learn a lot more about Elon Musk's business plans from how he deals with that crisis than from anything he's tweeted in recent months. It does not get more cyberlawyerly than a case the Supreme Court will be taking up this term—Gonzalez v. Google. This case will put Section 230 squarely on the Court's docket, and the amicus briefs can be measured by the shovelful. The issue is whether YouTube's recommendation of terrorist videos can ever lead to liability—or whether any judgment is barred by Section 230. Gus and I are on different sides of that question, but we agree that this is going to be a hot case, a divided Court, and a big deal. And, just to show that our foray into cyberlaw was no fluke, Gus and I also predict that the United States Court of Appeals for the District of Columbia Circuit is going to strike down the Allow States and Victims to Fight Online Sex Trafficking Act, also known as FOSTA-SESTA—the legislative exception to Section 230 that civil society loves to hate. Its prohibition on promotion of prostitution may fall to first amendment fears on the court, but the practical impact of the law may remain. Next, Justin gives us a quick primer on the national security reasons for regulation of submarine cables. Nick covers the leak of the terror watchlist thanks to an commuter airline's sloppy security. Justin explains TikTok's latest charm offensive in Washington. Finally, I provide an update on the UK's online safety bill, which just keeps getting tougher, from criminal penalties, to "ten percent of revenue" fines, to mandating age checks that may fail technically or drive away users, or both. And I review the latest theatrical offering from Madison Square Garden—"The Revenge of the Lawyers." You may root for the snake or for the scorpions, but you will not want to miss it.

In this bonus episode of the Cyberlaw Podcast, I interview Andy Greenberg, long-time WIRED reporter, about his new book, "Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency." This is Andy's second author interview on the Cyberlaw Podcast. He also came on to discuss an earlier book, Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers. They are both excellent cybersecurity stories. "Tracers in the Dark", I suggest, is a kind of sequel to the Silk Road story, which ends with Ross Ulbricht, the Dread Pirate Roberts, pinioned in a San Francisco library with his laptop open to an administrator's page on the Silk Road digital black market. At that time, cryptocurrency backers believed that Ulbricht's arrest was a fluke, and that properly implemented, bitcoin was anonymous and untraceable. Greenberg's book explains, story by story, how that illusion was trashed by smart cops and techies (including our own Nick Weaver!) who showed that the blockchain's "forever" records make it almost impossible to avoid attribution over time. Among those who fall victim to the illusion of anonymity are two federal officers who helped pursue Ulbricht—and to rip him off; the administrator of AlphaBay, Silk Road's successor dark market, an alleged Russian hacker who made so much money hacking Mt. Gox that he had to create his own exchange to launder it all, and hundreds of child sex abuse consumers and producers. It is a great story, and Andy brings it up to date in the interview as we dig into two massive, multi-billion seizures made possible by transaction tracing. In fact, for all the colorful characters in the book, the protagonist is really Chainalysis and its competitors, who have turned tracing into a kind of science. We close the talk by exploring Andy's deeply mixed feelings about both the world envisioned by cryptocurrency's evangelists and the way Chainalysis is saving us from that world.

The Cyberlaw Podcast kicks off 2023 by staring directly into the sun(set) of Section 702 authorization. The entire panel, including guest host Brian Fleming and guests Michael Ellis and David Kris, debates where things could be headed this year as the clock is officially ticking on FISA Section 702 reauthorization. Although there is agreement that a straight reauthorization is unlikely in today's political environment, the ultimate landing spot for Section 702 is very much in doubt and a "game of chicken" will likely precede any potential deal. Everything seems to be in play, as this reauthorization battle could result in meaningful reform or a complete car crash come this time next year. Sticking with Congress, Michael also reacts to President Biden's recent bipartisan call to action regarding "Big Tech" and ponders where Republicans and Democrats could potentially find agreement on an issue everyone seems to agree on (for very different reasons). The panel also discusses the timing of President Biden's OpEd in the Wall Street Journal and debates whether it is intended as a challenge to the Republican-controlled House to act rather than simply increase oversight on the tech industry. David then introduces a fascinating story about the bold recent action by the Security and Exchange Commission (SEC) to bring suit against Covington & Burling LLP to enforce an administrative subpoena seeking disclosure of the firm's clients implicated in a 2020 cyberattack by Chinese state-sponsored group, Hafnium. David posits that the SEC knows exactly what it is doing by taking such aggressive action in the face of strong resistance, and the panel discusses whether the SEC may have already won by attempting to protect its burgeoning piece of turf in the U.S. government cybersecurity enforcement landscape. Brian then turns to the crypto regulatory and enforcement space to discuss Coinbase's recent settlement with New York's Department of Financial Services. Rather than signal another crack in the foundation of the once high-flying crypto industry, Brian offers that this may just be routine growing pains for a maturing industry that is more like the traditional banking sector, from a regulatory and compliance standpoint, than it may have wanted to believe. Then, in the China portion of the episode, Michael discusses the latest news on the establishment of reverse Committee on Foreign Investment in the United States (CFIUS), and suggests it may still be some time before this tool gets finalized (even as the substantive scope appears to be shrinking). Next, Brian discusses a recent D.C. Circuit decision which upheld the Federal Communication Commission's decision to rescind the license of China Telecom at the recommendation of the executive branch agencies known as Team Telecom (Department of Justice, Department of Defense, and Department of Homeland Security). This important, first-of-its-kind decision reinforces the role of Team Telecom as an important national security gatekeeper for U.S. telecommunications infrastructure. Finally, David highlights an interesting recent story about an FBI search of an apparent Chinese police outpost in New York and ponders what it would mean to negotiate with and be educated by undeclared Chinese law enforcement agents in a foreign country. In a few updates and quick hits: Brian updates listeners on the U.S. government's continuing efforts to win multilateral support from key allies for tough new semiconductor export controls targeting China. Michael picks up the thread on the Twitter Files release and offers his quick take on what it says about ReleaseTheMemo. And, last but not least, Brian discusses the unsurprising (according the Stewart) decision by the Supreme Court of the United States to allow WhatsApp's spyware suit against NSO Group to continue.

Our first episode for 2023 features Dmitri Alperovitch, Paul Rosenzweig, and Jim Dempsey trying to cover a months' worth of cyberlaw news. Dmitri and I open with an effort to summarize the state of the tech struggle between the U.S. and China. I think recent developments show the U.S. doing better than expected. U.S. companies like Facebook and Dell are engaged in voluntary decoupling as they imagine what their supply chain will look like if the conflict gets worse. China, after pouring billions into an effort to take a lead in high-end chip production, may be pulling back on the throttle. Dmitri is less sanguine, noting that Chinese companies like Huawei have shown that there is life after sanctions, and there may be room for a fast-follower model in which China dominates production of slightly less sophisticated chips, where much of the market volume is concentrated. Meanwhile, any Chinese retreat is likely tactical; where it has a dominant market position, as in rare earths, it remains eager to hobble U.S. companies. Jim lays out the recent medical device security requirements adopted in the omnibus appropriations bill. It is a watershed for cybersecurity regulation of the private sector and overdue for increasingly digitized devices that in some cases can only be updated with another open-heart surgery. How much of a watershed may become clear when the White House cyber strategy, which has been widely leaked, is finally released. Paul explains what it's likely to say, most notably its likely enthusiasm not just for regulation but for liability as a check on bad cybersecurity. Dmitri points out that all of that will be hard to achieve legislatively now that Republicans control the House. We all weigh in on LastPass's problems with hackers, and with candid, timely disclosures. For reasons fair and unfair, two-thirds of the LastPass users on the show have abandoned the service. I blame LastPass's acquisition by private equity; Dmitri tells me that's sweeping with too broad a brush. I offer an overview of the Twitter Files stories by Bari Weiss, Matt Taibbi, and others. When I say that the most disturbing revelations concern the massive government campaigns to enforce orthodoxy on COVID-19, all hell breaks loose. Paul in particular thinks I'm egregiously wrong to worry about any of this. No chairs are thrown, mainly because I'm in Virginia and Paul's in Costa Rica. But it's an entertaining and maybe even illuminating debate. In shorter and less contentious segments: Dmitri unpacks the latest effort by Russian hackers to subvert the security of a Ukrainian web-based military information site. He thinks the Ukrainian ability to use the site despite Russian attacks may have lessons for NATO. Dmitri also sheds light (and not a little shade) on Chinese claims to have broken RSA with a quantum computer. Jim updates us on TikTok's travails and the ongoing debate over restricting its use in the United States. I point out that another black man has been arrested because of a facial recognition error—bringing the total of mistaken face-recognition arrests in the entire country over the past decade to four. All of which could have been avoided by police department policy. On the other hand, I also identify a shocking abuse of facial recognition to oppress some of the most loathed people in America: Lawyers. Madison Square Garden, in what must be the dumbest corporate policy of the year, uses facial recognition to identify lawyers working for law firms that have ongoing lawsuits against the company. The apparent purpose, or at least the result, is to prevent lawyers from those firms from bringing Girl Scout troops to see the Rockettes. No problem; I am sure everyone would rather watch the ensuing litigation. I remind listeners that Trump's return to Facebook and Instagram could happen very soon. The EU has advanced Its transatlantic data deal with the US, though more thrashing about should be expected.

This bonus episode is an interview with Josephine Wolff and Dan Schwarcz, who along with Daniel Woods have written an article with the same title as this post. Their thesis is that breach lawyers have lost perspective in their no-holds-barred pursuit of attorney-client privilege to protect the confidentiality of forensic reports that diagnose the breach. Remarkably for a law review article, it contains actual field research. The authors interviewed all the players in breach response, from the company information security teams, the breach lawyers, the forensics investigators, the insurers and insurance brokers, and more. I remind them of Tracy Kidder's astute observation that, in building a house, there are three main players—owner, architect, and builder—and that if you get any two of them in the room alone, they will spend all their time bad-mouthing the third. Wolff, Schwarcz, and Woods seem to have done that with the breach response players, and the bad-mouthing falls hardest on the lawyers. The main problem is that using attorney-client privilege to keep a breach forensics process confidential is a reach. So, the courts have been unsympathetic. Which forces lawyers to impose more and more restrictions on the forensic investigator and its communications in the hope of maintaining confidentiality. The upshot is that no forensics report at all is written for many breaches (up to 95 percent, Josephine estimates). How does the breached company find out what it did wrong and what it should do to avoid the next breach? Simple. Their lawyer translates the forensic firm's advice into a PowerPoint and briefs management. Really, what could go wrong? In closing, Dan and Josephine offer some ideas for how to get out of this dysfunctional mess. I push back. All in all, it's the most fun I've ever had talking about insurance law.

It's been a news-heavy week, but we have the most fun in this episode with ChatGPT. Jane Bambauer, Richard Stiennon, and I pick over the astonishing number of use cases and misuse cases disclosed by the release of ChatGPT for public access. It is talented—writing dozens of term papers in seconds. It is sociopathic—the term papers are full of falsehoods, down to the made-up citations to plausible but nonexistent New York Times stories. And it has too many lawyers—Richard's request that it provide his bio (or even Einstein's) was refused on what are almost certainly data protection grounds. Luckily, either ChatGPT or its lawyers are also bone stupid, since reframing the question fools the machine into subverting the legal and PC limits it labors under. I speculate that it beat Google to a public relations triumph precisely because Google had even more lawyers telling their artificial intelligence what not to say. In a surprisingly under covered story, Apple has gone all in on child pornography. Its phone encryption already makes the iPhone a safe place to record child sexual abuse material (CSAM); now Apple will encrypt users' cloud storage with keys it cannot access, allowing customers to upload CSAM without fear of law enforcement. And it has abandoned its effort to identify such material by doing phone-based screening. All that's left of its effort is a weak option that allows parents to force their kids to activate an option that prevents them from sending or receiving nude photos. Jane and I dig into the story, as well as Apple's questionable claim to be offering the same encryption to its Chinese customers. Nate Jones brings us up to date on the National Defense Authorization Act, or NDAA. Lots of second-tier cyber provisions made it into the bill, but not the provision requiring that critical infrastructure companies report security breaches. A contested provision on spyware purchases by the U.S. government was compromised into a useful requirement that the intelligence community identify spyware that poses risks to the government. Jane updates us on what European data protectionists have in store for Meta, and it's not pretty. The EU data protection supervisory board intends to tell the Meta companies that they cannot give people a free social media network in exchange for watching what they do on the network and serving ads based on their behavior. If so, it's a one-two punch. Apple delivered the first blow by curtailing Meta's access to third-party behavioral data. Now even first-party data could be off limits in Europe. That's a big revenue hit, and it raises questions whether Facebook will want to keep giving away its services in Europe. Mike Masnick is Glenn Greenwald with a tech bent—often wrong but never in doubt, and contemptuous of anyone who disagrees. But when he is right, he is right. Jane and I discuss his article recognizing that data protection is becoming a tool that the rich and powerful can use to squash annoying journalist-investigators. I have been saying this for decades. But still, welcome to the party, Mike! Nate points to a plea for more controls on the export of personal data from the U.S. It comes not from the usual privacy enthusiasts but from the U.S. Naval Institute, and it makes sense. It was a bad week for Europe on the Cyberlaw Podcast. Jane and I take time to marvel at the story of France's Mr. Privacy and the endless appetite of Europe's bureaucrats for his serial grifting. Nate and I cover what could be a good resolution to the snake-bitten cloud contract process at the Department of Defense. The Pentagon is going to let four cloud companies—Google, Amazon, Oracle And Microsoft—share the prize. You did not think we would forget Twitter, did you? Jane, Richard, and I all comment on the Twitter Files. Consensus: the journalists claiming these stories are nothingburgers are more driven by ideology than news. Especially newsworthy are the remarkable proliferation of shadowbanning tools Twitter developed for suppressing speech it didn't like, and some considerable though anecdotal evidence that the many speech rules at the company were twisted to suppress speech from the right, even when the rules did not quite fit, as with LibsofTikTok, while similar behavior on the left went unpunished. Richard tells us what it feels like to be on the receiving end of a Twitter shadowban. The podcast introduces a new feature: "We Read It So You Don't Have To," and Nate provides the tl;dr on an New York Times story: How the Global Spyware Industry Spiraled Out of Control. And in quick hits and updates: Jane covers the San Francisco city council's reversion to the mean. On second thought, it will not be letting killer police robots out on San Francisco's streets. Nate tells us that the Netherlands (and Japan, I might add) is likely to align with the U.S. and impose new curbs on chip-making equipment sales to China.

This episode of the Cyberlaw Podcast delves into the use of location technology in two big events—the surprisingly outspoken lockdown protests in China and the Jan. 6 riot at the U.S. Capitol. Both were seen as big threats to the government, and both produced aggressive police responses that relied heavily on government access to phone location data. Jamil Jaffer and Mark MacCarthy walk us through both stories and respond to the provocative question, what's the difference? Jamil's answer (and mine, for what it's worth) is that the U.S. government gained access to location information from Google only after a multi-stage process meant to protect innocent users' information, and that there is now a court case that will determine whether the government actually did protect users whose privacy should not have been invaded. Whether we should be relying on Google's made-up and self-protective rules for access to location data is a separate question. It becomes more pointed as Silicon Valley has started making up a set of self-protective penalties on companies that assist law enforcement in gaining access to phones that Silicon Valley has made inaccessible. The movement to punish law enforcement access providers has moved from trashing companies like NSO, whose technology has been widely misused, to punishing companies on a lot less evidence. This week, TrustCor lost its certificate authority status mostly for looking suspiciously close to the National Security Agency and Google outed Variston of Spain for ties to a vulnerability exploitation system. Nick Weaver is there to hose me down. The U.K. is working on an online safety bill, likely to be finalized in January, Mark reports, but this week the government agreed to drop its direct regulation of "lawful but awful" speech on social media. The step was a symbolic victory for free speech advocates, but the details of the bill before and after the change suggest it was more modest than the brouhaha suggests. The Department of Homeland Security's Cyber Security and Infrastructure Security Agency (CISA) has finished taking comments on its proposed cyber incident reporting regulation. Jamil summarizes industry's complaints, which focus on the risk of having to file multiple reports with multiple agencies. Industry has a point, I suggest, and CISA should take the other agencies in hand to agree on a report format that doesn't resemble the State of the Union address. It turns out that the collapse of FTX is going to curtail a lot of artificial intelligence (AI) safety research. Nick explains why, and offers reasons to be skeptical of the "effective altruism" movement that has made AI safety one of its priorities. Today, Jamil notes, the U.S. and EU are getting together for a divisive discussion of the U.S. subsidies for electric vehicles (EV) made in North America but not Germany. That's very likely a World Trade Organziation (WTO) violation, I offer, but one that pales in comparison to thirty years of WTO-violating threats to constrain European data exports to the U.S. When you think of it as retaliation for the use of General Data Protection Regulation (GDPR) to attack U.S. intelligence programs, the EV subsidy is easy to defend. I ask Nick what we learned this week from Twitter coverage. His answer—that Elon Musk doesn't understand how hard content moderation is—doesn't exactly come as news. Nor, really, does most of what we learned from Matt Taibbi's review of Twitter's internal discussion of the Hunter Biden laptop story and whether to suppress it. Twitter doesn't come out of that review looking better. It just looks bad in ways we already suspected were true. One person who does come out of the mess looking good is Rep. Ro Khanna (D.-Calif.), who vigorously advocated that Twitter reverse its ban, on both prudential and principled grounds. Good for him. Speaking of San Francisco Dems who surprised us this week, Nick notes that the city council in San Francisco approved the use of remote-controlled bomb "robots" to kill suspects. He does not think the robots are fit for that purpose. Finally, in quick hits: Meta was fined $275 million for allowing data scraping for personal data. Nick and Jamil tell us that Snowden has at last shown his true colors. Jamil has unwonted praise for Apple, which persuaded TSMC to make more advanced chips in Arizona than it originally planned. And I try to explain why the decision of the DHS cyber safety board to look into the Lapsus$ hacks seems to drawing fire.

We spend much of this episode of the Cyberlaw Podcast talking about toxified technology – new tech that is being demonized for a variety of reasons. Exhibit One, of course, is "spyware," essentially hacking tools that allow governments to access phones or computers otherwise closed to them, usually by end-to-end encryption. The Washington Post and the New York Times have led a campaign to turn NSO's Pegasus tool for hacking phones into radioactive waste. Jim Dempsey, though, reminds us that not too long ago, in defending end-to-end encryption, tech policy advocates insisted that the government did not need mandated access to encrypted phones because they could engage in self-help in the form of hacking. David Kris points out that, used with a warrant, there's nothing uniquely dangerous about hacking tools of this kind. I offer an explanation for why the public policy community and its Silicon Valley funders have changed their tune on the issue: having won the end-to-end encryption debate, they feel free to move on to the next anti-law-enforcement campaign. That campaign includes private lawsuits against NSO by companies like WhatsApp, whose lawsuit was briefly delayed by NSO's claim of sovereign immunity on behalf of the (unnamed) countries it builds its products for. That claim made it to the Supreme Court, David reports, where the U.S. government recently filed a brief that will almost certainly send NSO back to court without any sovereign immunity protection. Meanwhile, in France, Amesys and its executives are being prosecuted for facilitating the torture of Libyan citizens at the hands of the Muammar Qaddafi regime. Amesys evidently sold an earlier and less completely toxified technology—packet inspection tools—to Libya. The criminal case is pending. And in the U.S., a whole set of tech toxification campaigns are under way, aimed at Chinese products. This week, Jim notes, the Federal Communications Commission came to the end of a long road that began with jawboning in the 2000s and culminated in a flat ban on installing Chinese telecom gear in U.S. networks. On deck for China are DJI's drones, which several Senators see as a comparable national security threat that should be handled with a similar ban. Maury Shenk tells us that the British government is taking the first steps on a similar path, this time with a ban on some government uses of Chinese surveillance camera systems. Those measures do not always work, Maury tells us, pointing to a story that hints at trouble ahead for U.S. efforts to decouple Chinese from American artificial intelligence research and development. Maury and I take a moment to debunk efforts to persuade readers that artificial intelligence (AI) is toxic because Silicon Valley will use it to take our jobs. AI code writing is not likely to graduate from facilitating coding any time soon, we agree. Whether AI can do more in human resources (HR) may be limited by a different toxification campaign—the largely phony claim that AI is full of bias. Amazon's effort to use AI in HR, I predict, will be sabotaged by this claim. The effort to avoid bias will almost certainly lead Amazon to build race and gender quotas into its engine. And in a few quick hits: I express doubt that Australia's "unleash the hounds" approach to ransomware actually has anything to do with one notorious ransomware actor's extortion site going down Maury praises an MIT Technology Review piece that argues persuasively that China's social credit system is not quite as dystopian as it's been portrayed. I point out that, with Airbnb practicing guilt by association and PayPal taking your money for saying things PayPal doesn't like, Silicon Valley can brag that it's going to reach Full-Bore Dystopia well before China. I cover the fourth review in three administrations of the dual-hat leadership of NSA and Cyber Command. No change is likely. And we close with a downbeat assessment of Elon Musk's chances of withstanding the combined hostility of European and U.S. regulators, the press, and the left-wing tech-toxifiers in civil society. He is a talented guy, I argue, and with a three-year runway, he could succeed, but he does not have three years.

The Cyberlaw Podcast leads with the legal cost of Elon Musk's anti-authoritarian takeover of Twitter. Turns out that authority figures have a lot of weapons, many grounded in law, and Twitter is at risk of being on the receiving end of those weapons. Brian Fleming explores the apparently unkillable notion that the Committee on Foreign Investment in the U.S. (CFIUS) should review Musk's Twitter deal because of a relatively small share that went to investors with Chinese and Persian Gulf ties. It appears that CFIUS may still be seeking information on what Twitter data those investors will have access to, but I am skeptical that CFIUS will be moved to act on what it learns. More dangerous for Twitter and Musk, says Charles-Albert Helleputte, is the possibility that the company will lose its one-stop-shop privacy regulator for failure to meet the elaborate compliance machinery set up by European privacy bureaucrats. At a quick calculation, that could expose Twitter to fines up to 120% of annual turnover. Finally, I reprise my skeptical take on all the people leaving Twitter for Mastodon as a protest against Musk allowing the Babylon Bee and President Trump back on the platform. If the protestors really think Mastodon's system is better, I recommend that Twitter adopt it, or at least the version that Francis Fukuyama and Roberta Katz have described. If you are looking for the far edge of the Establishment's Overton Window on China policy, you will not do better than the U.S.-China Economic and Security Review Commission, a consistently China-skeptical but mainstream body. Brian reprises the Commission's latest report. The headline, we conclude, is about Chinese hacking, but the recommendations does not offer much hope of a solution to that problem, other than more decoupling. Chalk up one more victory for Trump-Biden continuity, and one more loss for the State Department. Michael Ellis reminds us that the Trump administration took much of Cyber Command's cyber offense decision making out of the National Security Council and put it back in the Pentagon. This made it much harder for the State Department to stall cyber offense operations. When it turned out that this made Cyber Command more effective and no more irresponsible, the Biden Administration prepared to ratify Trump's order, with tweaks. I unpack Google's expensive (nearly $400 million) settlement with 40 States over location history. Google's promise to stop storing location history if the feature was turned off was poorly and misleadingly drafted, but I doubt there is anyone who actually wanted to keep Google from using location for most of the apps where it remained operative, so the settlement is a good deal for the states, and a reminder of how unpopular Silicon Valley has become in red and blue states. Michael tells the doubly embarrassing story of an Iranian hack of the U.S. Merit Systems Protection Board. It is embarrassing to be hacked with a log4j exploit that should have been patched. But it is worse when an Iranian government hacker gets access to a U.S. government network—and decided that the access is only good for mining cryptocurrency. Brian tells us that the U.S. goal of reshoring chip production is making progress, with Apple planning to use TSMC chips from a new fab in Arizona. In a few updates and quick hits: I remind listeners that a lot of tech companies are laying employees off, but that overall Silicon Valley employment is still way up over the past couple of years. I give a lick and a promise to the mess at cryptocurrency exchange FTX, which just keeps getting worse. Charles updates us on the next U.S.-E.U. adequacy negotiations, and the prospects for Schrems 3 (and 4, and 5) litigation. And I sound a note of both admiration and caution about Australia's plan to "unleash the hounds" – in the form of its own Cyber Command equivalent – on ransomware gangs. As U.S. experience reveals, it makes for a great speech, but actual impact can be hard to achieve.

We open this episode of the Cyberlaw Podcast by considering the (still evolving) results of the 2022 midterm election. Adam Klein and I trade thoughts on what Congress will do. Adam sees two years in which the Senate does nominations, the House does investigations, and neither does much legislation—which could leave renewal of the critically important intelligence authority, Section 702 of the Foreign Intelligence Surveillance Act (FISA), out in the cold. As supporters of renewal, we conclude that the best hope for the provision is to package it with trust-building measures to restore Republicans' willingness to give national security agencies broad surveillance authorities. I also note that foreign government cyberattacks on our election, which have been much anticipated in election after election, failed once again to make an appearance. At this point, election interference is somewhere between Y2K and Bigfoot on the "things we should have worried about" scale. In other news, cryptocurrency conglomerate FTX has collapsed into bankruptcy, stolen funds, and criminal investigations. Nick Weaver lays out the gory details. A new panelist on the podcast, Chinny Sharma, explains to a disbelieving U.S. audience the U.K. government's plan to scan all the country's internet-connected devices for vulnerabilities. Adam and I agree that it could never happen here. Nick wonders why the U.K. government does not use a private service for the task. Nick also covers This Week in the Twitter Dogpile. He recognizes that this whole story is turning into a tragedy for all concerned, but he is determined to linger on the comic relief. Dunning-Krueger makes an appearance. Chinny and I speculate on what may emerge from the Biden administration's plan to reconsider the relationship between the Cybersecurity and Infrastructure Security Agency (CISA) and the Sector Risk Management Agencies that otherwise regulate important sectors. I predict turf wars and new authorities for CISA in response. The Obama administration's egregious exemption of Silicon Valley from regulation as critical infrastructure should also be on the chopping block. Finally, if the next two Supreme Court decisions go the way I hope, the Federal Trade Commission will finally have to coordinate its privacy enforcement efforts with CISA's cybersecurity standards and priorities. Adam reviews the European Parliament's report on Europe's spyware problems. He's impressed (as am I) by the report's willingness to acknowledge that this is not a privacy problem made in America. Governments in at least four European countries by our count have recently used spyware to surveil members of the opposition, a problem that was unthinkable for fifty years in the United States. This, we agree, is another reason that Congress needs to put guardrails against such abuse in place quickly. Nick notes the U.S. government's seizure of what was $3 billion in bitcoin. Shrinkflation has brought that value down to around $800 million. But it is still worth noting that an immutable blockchain brought James Zhong to justice ten years after he took the money. Disinformation—or the appalling acronym MDM (for mis-, dis-, and mal-information)—has been in the news lately. A recent paper counted the staggering cost of "disinformation" suppression during coronavirus times. And Adam published a recent piece in City Journal explaining just how dangerous the concept has become. We end up agreeing that national security agencies need to focus on foreign government dezinformatsiya—falsehoods and propaganda from abroad – and not get in the business of policing domestic speech, even when it sounds a lot like foreign leaders we do not like. Chinny takes us into a new and fascinating dispute between the copyleft movement, GitHub, and Artificial Intelligence (AI) that writes code. The short version is that GitHub has been training an AI engine on all the open source code on the site so that it can "autosuggest" lines of new code as you are writing the boring parts of your program. The upshot is that open source code that the AI strips off the license conditions, such as copyleft, that are part of some open source code. Not surprisingly, copyleft advocates are suing on the ground that important information has been left off their code, particularly the provision that turns all code that uses the open source into open source itself. I remind listeners that this is why Microsoft famously likened open source code to cancer. Nick tells me that it is really more like herpes, thus demonstrating that he has a lot more fun coding than I ever had. In updates and quick hits: I note that the peanut butter sandwich nuclear spies have been sentenced. Adam celebrates TSMC's decision to build a 3 nanometer semiconductor fab in Arizona. We cross sword about whether the fab capital of the U.S. will be Phoenix or Austin. I celebrate the Russian government's acknowledgment of the Cyberlaw Podcast's reach when it designated long-tim

The war that began with the Russian invasion of Ukraine grinds on. Cybersecurity experts have spent much of 2022 trying to draw lessons about cyberwar strategies from the conflict. Dmitri Alperovitch takes us through the latest lessons, cautioning that all of them could look different in a few months, as both sides adapt to the others' actions. David Kris joins Dmitri to evaluate a Microsoft report hinting that China may be abusing its recent edict requiring that software vulnerabilities be reported first to the Chinese government. The temptation to turn such reports into zero-day exploits may be irresistible, and Microsoft notes with suspicion a recent rise in Chinese zero-day exploits. Dmitri worried about just such a development while serving on the Cyber Safety Review Board, but he is not yet convinced that we have the evidence to prove the case against the Chinese mandatory disclosure law. Sultan Meghji keeps us in Redmond, digging through a deep Protocol story on how Microsoft has helped build Artificial Intelligence (AI) in China. The amount of money invested, and the deep bench of AI researchers from China, raises real questions about how the United States can decouple from China—and whether China may eventually decide to do the decoupling. I express skepticism about the White House's latest initiative on ransomware, a 30-plus nation summit that produced a modest set of concrete agreements. But Sultan and Dmitri have been on the receiving end of deputy national security adviser Anne Neuberger's forceful personality, and they think we will see results. We'd better. Baks reported that ransomware payments doubled last year, to $1.2 billion. David introduces the high-stakes struggle over when cyberattacks can be excluded from insurance coverage as acts of war. A recent settlement between Mondelez and Zurich has left the law in limbo. Sultan tells me why AI is so bad at explaining the results it reaches. He sees light at the end of the tunnel. I see more stealthy imposition of woke academic values. But we find common ground in trashing the Facial Recognition Act, a lefty Democrat bill that throws together every bad proposal to regulate facial recognition ever put forward and adds a few more. A red wave will be worth it just to make sure this bill stays dead. Finally, Sultan reviews the National Security Agency's report on supply chain security. And I introduce the elephant in the room, or at least the mastodon: Elon Musk's takeover at Twitter and the reaction to it. I downplay the probability of CFIUS reviewing the deal. And I mock the Elon-haters who fear that scrimping on content moderation will turn Twitter into a hellhole that includes *gasp!* Republican speech. Turns out that they are fleeing Twitter for Mastodon, which pretty much invented scrimping on content moderation.

You heard it on the Cyberlaw Podcast first, as we mash up the week's top stories: Nate Jones commenting on Elon Musk's expected troubles running Twitter at a profit and Jordan Schneider noting the U.S. government's creeping, halting moves to constrain TikTok's sway in the U.S. market. Since Twitter has never made a lot of money, even before it was carrying loads of new debt, and since pushing TikTok out of the U.S. market is going to be an option on the table for years, why doesn't Elon Musk position Twitter to take its place? It's another big week for China news, as Nate and Jordan cover the administration's difficulties in finding a way to thwart China's rise in quantum computing and artificial intelligence (AI). Jordan has a good post about the tech decoupling bombshell. But the most intriguing discussion concerns China's remarkably limited options for striking back at the Biden administration for its harsh sanctions. Meanwhile, under the heading, When It Rains, It Pours, Elon Musk's Tesla faces a criminal investigation over its self-driving claims. Nate and I are skeptical that the probe will lead to charges, as Tesla's message about Full Self-Driving has been a mix of manic hype and lawyerly caution. Jamil Jaffer introduces us to the Guacamaya "hacktivist" group whose data dumps have embarrassed governments all over Latin America—most recently with reports of Mexican arms sales to narco-terrorists. On the hard question—hacktivists or government agents?—Jamil and I lean ever so slightly toward hacktivists. Nate covers the remarkable indictment of two Chinese spies for recruiting a U.S. law enforcement officer in an effort to get inside information about the prosecution of a Chinese company believed to be Huawei. Plenty of great color from the indictment, and Nate notes the awkward spot that the defense team now finds itself in, since the point of the operation seems to have been, er, trial preparation. To balance the scales a bit, Nate also covers suggestions that Google's former CEO Eric Schmidt, who headed an AI advisory committee, had a conflict of interest because he also invested in AI startups. There's no suggestion of illegality, though, and it is not clear how the government will get cutting edge advice on AI if it does not get it from investors like Schmidt. Jamil and I have mildly divergent takes on the Transportation Security Administration's new railroad cybersecurity directive. He worries that it will produce more box-checking than security. I have a similar concern that it mostly reinforces current practice rather than raising the bar. And in quick updates: The Federal Trade Commission has made good on its promise to impose consent decree obligations on CEOs as well as companies. The first victim is the CEO of Drizly. France has fined Clearview AI the maximum possible fine for not defending a General Data Protection Regulation (GDPR) case – unsurprisingly, because Clearview AI does no business in France. I offer this public service announcement: Given the risk that your Prime Minister's phone could be compromised, it's important to change them every 45 days.

This episode features Nick Weaver, Dave Aitel and I covering a Pro Publica story (and forthcoming book) on the difficulties the FBI has encountered in becoming the nation's principal resource on cybercrime and cybersecurity. We end up concluding that, for all its successes, the bureau's structural weaknesses in addressing cybersecurity are going to haunt it for years to come. Speaking of haunting us for years, the effort to decouple U.S. and Chinese tech sectors continues to generate news. Nick and Dave weigh in on the latest (rumored) initiative: cutting off China's access to U.S. quantum computing and AI technology, and what that could mean for the U.S. semiconductor companies, among others. We could not stay away from the Elon Musk-Twitter story, which briefly had a national security dimension, due to news that the Biden Administration was considering a Committee on Foreign Investment in the United States review of the deal. That's not a crazy idea, but in the end, we are skeptical that this will happen. Dave and I exchange views on whether it is logical for the administration to pursue cybersecurity labels for cheap Internet of things devices. He thinks it makes less sense than I do, but we agree that the end result will be to crowd the cheapest competitors from the market. Nick and I discuss the news that Kanye West is buying Parler. Neither of us thinks much of the deal as an investment. And in updates and quick takes: I see a real risk for Google in the Texas attorney general's lawsuit over the company's us of facial recognition. Nick unpacks the dispute between Facebook and The Wire, India's answer to Pro Publica, over The Wire's claim of bias in favor of incumbent Indian politicians. If you had the impression that Facebook has the better of that argument, you're right. And in another platform v. press, story, TikTok's parent ByteDance has been accused by Forbes of planning to use TikTok to monitor the location of specific Americans. TikTok has denied the story. I predict that neither the story nor the denial is enough to bring closure. We'll be hearing more.

David Kris opens this episode of the Cyberlaw Podcast by laying out some of the massive disruption that the Biden Administration has kicked off in China's semiconductor industry—and its Western suppliers. The reverberations of the administration's new measures will be felt for years, and the Chinese government's response, not to mention the ultimate consequences, remains uncertain. Richard Stiennon, our industry analyst, gives us an overview of the cybersecurity market, where tech and cyber companies have taken a beating but cybersecurity startups continue to gain funding. Mark MacCarthy reviews the industry from the viewpoint of the trustbusters. Google is facing what looks like a serious AdTech platform challenge from several directions—the EU, the Justice Department, and several states. Facebook, meanwhile, is lucky to be a target of the Federal Trade Commission, which rather embarrassingly had to withdraw claims that the acquisition of Within would remove an actual (as opposed to hypothetical) competitor from the market. No one seems to have challenged Google's acquisition of Mandiant, meanwhile. Richard suspects that is because Google is not likely to do anything with the company. David walks us through the new White House national security strategy—and puts it in historical context. Mark and I cross swords over PayPal's determination to take my money for saying things Paypal doesn't like. Visa and Mastercard are less upfront about their ability to boycott businesses they consider beyond the pale, but all money transfer companies have rules of this kind, he says. We end up agreeing that transparency, the measure usually recommended for platform speech suppression, makes sense for Paypal and its ilk, especially since they're already subject to extensive government regulation. Richard and I dive into the market for identity security. It's hot, thanks to zero trust computing. Thoma Bravo is leading a rollup of identity companies. I predict security troubles ahead for the merged portfolio. In updates and quick hits: The Texas social media law is on hold again, but do not get excited. It is a voluntary deal designed to speed Supreme Court consideration of a review petition. Now Ukraine knows how Twitter feels: Elon Musk has changed his mind again. He will not be demanding that Department of Defense pay for the Starlink service Elon rolled out at the start of the war with Russia. After catching Google red-handed in what looks like ideological use of a spam filter, the GOP now appears to be overplaying its hand. And I predict much more coverage, not to mention prosecutorial attention, will result from accusations that a powerful partner at the establishment law firm, Dechert, engaged in hack-and-dox attacks on adversaries of his clients.

It's been a jam-packed week of cyberlaw news, but the big debate of the episode is triggered by the White House blueprint for an AI Bill of Rights. I've just released a long post about the campaign to end "AI bias" in general, and the blueprint in particular. In my view, the bill of rights will end up imposing racial and gender (and intersex!) quotas on a vast swath of American life. Nick Weaver argues that AI is in fact a source of secondhand racism and sexism, something that will not be fixed until we do a better job of forcing the algorithm to explain how it arrives at the outcomes it produces. We do not agree on much, but we do agree that lack of explainability is a big problem for the new technology. President Biden has issued an executive order meant to resolve the U.S.-EU spat over transatlantic data flows. At least for a few years, until the anti-American EU Court of Justice finds it wanting again. Nick and I explore some of the mechanics. I think it's bad for the privacy of U.S. persons and for the comprehensibility of U.S. intelligence reports, but the judicial system the order creates is cleverly designed to discourage litigant grandstanding. Matthew Heiman covers the biggest CISO, or chief information security officer, news of the week, the month, and the year—the criminal conviction of Uber's CSO, Joe Sullivan, for failure to disclose a data breach to the Federal Trade Commission. He is less surprised by the verdict than others, but we agree that it will change the way CISO's do their job and relate to their fellow corporate officers. Brian Fleming joins us to cover an earthquake in U.S.-China tech trade—the sweeping new export restrictions on U.S. chips and technology. This will be a big deal for all U.S. tech companies, we agree, and probably a disaster for them in the long run if U.S. allies don't join the party. I go back to dig a little deeper on two cases we covered with just a couple of hours' notice last week—the Supreme Court's grant of review in two cases touching on Big Tech's liability for hosting the content of terror groups. It turns out that only one of the cases is likely to turn on Section 230. That's Google's almost laughable claim that holding YouTube liable for recommending terrorist videos is holding it liable as a publisher. The other case will almost certainly turn on when distribution of terrorist content can be punished as "material assistance" to terror groups. Brian walks us through the endless negotiations between TikTok and the U.S. over a security deal. We are both puzzled over the partisanization of TikTok security, although I suggest a reason why that might be happening. Matthew catches us up on a little-covered Russian hack and leak operation aimed at former MI6 boss Richard Dearlove and British Prime Minister Boris Johnson. Matthew gives Dearlove's security awareness a low grade. Finally, two updates: Nick catches us up on the Elon Musk-Twitter fight. Nick's gloating now, but he is sure he'll be booted off the platform when Musk takes over. And I pass on some very unhappy feedback from a friend at the Election Integrity Partnership (EIP), who feels we were too credulous in commenting on a JustTheNews story that left a strong impression of unseemly cooperation in suppressing election integrity misinformation. The EIP's response makes several good points in its own defense, but I remain concerned that the project as a whole raises real concerns about how tightly Silicon Valley embraced the suppression of speech "delegitimizing" election results.

We open today's episode by teasing the Supreme Court's decision to review whether section 230 protects big platforms from liability for materially assisting terror groups whose speech they distribute (or even recommend). I predict that this is the beginning of the end of the house of cards that aggressive lawyering and good press have built on the back of section 230. Why? Because Big Tech stayed out of the Supreme Court too long. Now, just when section 230 gets to the Court, everyone hates Silicon Valley and its entitled content moderators. Jane Bambauer, Gus Hurwitz, and Mark MacCarthy weigh in, despite the unfairness of having to comment on a cert grant that is two hours old. Just to remind us why everyone hates Big Tech's content practices, we do a quick review of the week's news in content suppression. A couple of conservative provocateurs prepared a video consisting of Democrats being "election deniers." The purpose was to show the hypocrisy of those who criticize the GOP for a meme that belonged mainly to Dems until two years ago. And it worked. YouTube did a manual review before it was even released and demonetized the video because, well, who knows? An outcry led to reinstatement, too late for YouTube's reputation. Jane has the story. YouTube also steps in the same mess by first suppressing then restoring a video by Giorgia Meloni, the biggest winner of Italy's recent election. She's on the right, but you already knew that from how YouTube dealt with her. Mark covers an even more troubling story, in which government officials point to online posts about election security that they don't like, NGOs that the government will soon be funding take those complaints to Silicon Valley, and the platforms take a lot of the posts down. Really, what could possibly go wrong? Jane asks why Facebook is "moderating" private messages by the wife of an FBI whistleblower. I suspect that this is related to the government and big tech's hyperaggressive joint pursuit of anything related to January 6. But it definitely requires investigation. Across the Atlantic, Jane notes, the Brits are hating Facebook for the content it let 14-year-old Molly Russell read before her suicide. Exactly what was wrong with the content is a little obscure, but we agree that the material served to minors is ripe for more regulation, especially outside the United States. For a change of pace, Mark has some largely unalloyed good news. The International Telecommunication Union will not be run by a Russian; instead it elected an American, Doreen Bodan-Martin to lead it. Mark tells us that all the Sturm und Drang over tougher antitrust laws for Silicon Valley has wound down to a few modestly tougher provisions that have now passed the House. That may be all that can get passed this year, and perhaps in this Administration. Gus gives us a few highlights from FTCland: The FTC is likely to strengthen enforcement tools for its consent decrees, mainly by tagging individuals with potential fines for violations. Gus doubts this will work out well in practice. The FTC is also end-running a recent Supreme Court decision that denied it the authority to impose certain financial penalties. Now the Commission will bring cases jointly with state agencies who have that authority. Jane unpacks a California law prohibiting cooperation with subpoenas from other states without an assurance that the subpoenas aren't investigating abortions that would be legal in California. I again nominate California as playing the role in federalism for the twenty-first century that South Carolina played in the nineteenth and twentieth centuries and predict that some enterprising red state attorney general is likely to enjoy litigating the validity of California's law – and likely winning. Gus notes that private antitrust cases remain hard to win, especially without evidence, as Amazon and major book publishers gain the dismissal of antitrust lawsuits over book pricing. Finally, in quick hits and updates: Gus previews an upcoming executive order to cool off the fight over data transfers across the Atlantic I cover two U.S. espionage arrests, one of which is best summarized by the Babylon Bee I also note a large privacy flap Down Under, as the exposure of lots of personal data from a telco database seems likely to cost the carrier, and its parent dearly. Russian botmasters have suddenly discovered that extradition to the U.S. may be better than going home and facing mobilization.

This episode features a much deeper, and more diverse, examination of the Fifth Circuit decision upholding Texas's social media law. We devote the last half of the episode to a structured dialogue about the opinion between Adam Candeub and Alan Rozenshtein. Both have written about it already, Alan critically and Adam supportively. I lead off, arguing that, contrary to legal Twitter's dismissive reaction, the opinion is a brilliant and effective piece of Supreme Court advocacy. Alan thinks that is exactly the problem; he objects to the opinion's grating self-certainty and refusal to acknowledge the less convenient parts of past case law. Adam is closer to my view. We all seem to agree that the opinion succeeds as an audition for Judge Andrew Oldham to become Justice Oldham in the DeSantis Administration. We walk through the opinion and what its critics don't like, touching on the competing free expression interests of social media users and of the platforms themselves, whether there's any basis for an injunction today, given the relative weakness of the overbreadth argument and the fundamental disagreement over whether "exercising editorial discretion" is a fundamental right under the first amendment or just an artifact of older technologies. Most intriguing, we find unexpected consensus that Judge Oldham's (and Clarence Thomas's) common carrier argument may turn out to be the most powerful point in the opinion and when the case reaches the Court. In the news roundup, we focus on the Congressional sprint to pass additional legislation before the end of the Congress. Michael Ellis explains the debate between the Cyberspace Solarium Commission alumni and business lobbyists over enacting a statutory set of obligations for systemically critical infrastructure companies. Adam outlines a strange-bedfellows bill that has united Sens. Amy Klobuchar (D-Minn.) and Ted Cruz (R-Texas) in an effort to give small media companies and broadcasters an antitrust immunity to bargain with the big social media platforms over the use of their content. Adam is a skeptic, Alan less so. The Pentagon, reliably braver when facing bullets than a bad Washington Post story, is performing to type in the flap over fake social media accounts. Michael tells us that the accounts pushed pro-U.S. stories but met with little success before Meta and Twitter caught on and kicked them off their platforms. Now the Department of Defense is conducting a broad review of military information operations. I predict fewer such efforts and don't mourn their loss. Adam and I touch on a decision of Meta's Oversight Board criticizing Facebook's automated image takedowns. I offer a new touchstone for understanding content regulation at the Big Platforms: They just don't care, so they've turned to whole project over to second-rate AI and second-rate employees. Michael walks us through the Department of the Treasury's new flexibility on sending communications software and services to Iran. And, in quick hits, I note that: The Justice Department's China Initiative continues to suffer from pushback. We should all expect bad things from the emergence of violence as a service Russian botmasters have suddenly discovered that extradition to the U.S. may be better than going home and facing mobilization.

The big news of the week was a Fifth Circuit decision upholding Texas social media regulation law. It was poorly received by the usual supporters of social media censorship but I found it both remarkably well written and surprisingly persuasive. That does not mean it will survive the almost inevitable Supreme Court review but Judge AndyOldham wrote an opinion that could be a model for a Supreme Court decision upholding Texas law. The big hacking story of the week was a brutal takedown of Uber, probably by the dreaded Advanced Persistent Teenager. Dave Aitel explains what happened and why no other large corporation should feel smug or certain that it cannot happen to them. Nick Weaver piles on. Maury Shenk explains the recent European court decision upholding sanctions on Google for its restriction of Android phone implementations. Dave points to some of the less well publicized aspects of the Twitter whistleblower's testimony before Congress. We agree on the bottom line—that Twitter is utterly incapable of protecting either U.S. national security or even the security of its users' messages. If there were any doubt about that, it would be laid to rest by Twitter's dependence on Chinese government advertising revenue. Maury and Nick tutor me on The Merge, which moves Ethereum from "proof of work' to "proof of stake," massively reducing the climate footprint of the cryptocurrency. They are both surprisingly upbeat about it. Maury also lays out a new European proposal for regulating the internet of things—and, I point out—for massively increasing the cost of all those things. China is getting into the attribution game. It has issued a report blaming the National Security Agency for intruding on Chinese educational institution networks. Dave is not impressed. The Department of Homeland security, in breaking news from 2003, has been keeping the contents of phones it seizes on the border. Dave predicts that the Department of Homeland Security will have to further pull back on its current practices. I'm less sure. Now that China is regulating vulnerability disclosures, are Chinese companies reluctant to disclose vulnerabilities outside China? The Atlantic Council has a report on the subject, but Dave thinks the results are ambiguous at best. In quick hits: The Senate has confirmed Nate Fick as the first U.S. cyber ambassador I offer data confirming my cynical view that Apple is not so much concerned about your privacy as it is eager to take over the role of Google and Facebook in the advertising market Nick lays out the latest Treasury Department guidance on sanctions and tornado cash Maury explains how the Indian government persuaded 50 million Indians to geotag their homes And I explain why it is in fact possible that the FBI and Silicon Valley are working together to identify conservatives for potential criminal investigation.

This is our return-from-hiatus episode. Jordan Schneider kicks things off by recapping passage of a major U.S. semiconductor-building subsidy bill, while new contributor Brian Fleming talks with Nick Weaver about new regulatory investment restrictions and new export controls on (artificial Intelligence (AI) chips going to China. Jordan also covers a big corruption scandal arising from China's big chip-building subsidy program, leading me to wonder when we'll have our version. Brian and Nick cover the month's biggest cryptocurrency policy story, the imposition of OFAC sanctions on Tornado Cash. They agree that, while the outer limits of sanctions aren't entirely clear, they are likely to show that sometimes the U.S. Code actually does trump the digital version. Nick points listeners to his bracing essay, OFAC Around and Find Out. Paul Rosenzweig reprises his role as the voice of reason in the debate over location tracking and Dobbs. (Literally. Paul and I did an hour-long panel on the topic last week. It's available here.) I reprise my role as Chief Privacy Skeptic, calling the Dobb/location fuss an overrated tempest in a teapot. Brian takes on one aspect of the Mudge whistleblower complaint about Twitter security: Twitter's poor record at keeping foreign spies from infiltrating its workforce and getting unaudited access to its customer records. In a coincidence, he notes, a former Twitter employee was just convicted of "spying lite", proves it's as good at national security as it is at content moderation. Meanwhile, returning to U.S.-China economic relations, Jordan notes the survival of high-level government concerns about TikTok. I note that, since these concerns first surfaced in the Trump era, TikTok's lobbying efforts have only grown more sophisticated. Speaking of which, Klon Kitchen has done a good job of highlighting DJI's increasingly sophisticated lobbying in Washington D.C. The Cloudflare decision to deplatform Kiwi Farms kicks off a donnybrook, with Paul and Nick on one side and me on the other. It's a classic Cyberlaw Podcast debate. In quick hits and updates: Nick and I cover the sad story of the Dad who photographed his baby's private parts at a doctor's request and, thanks to Google's lack of human appellate review, lost his email, his phone number, and all of the accounts that used the phone for 2FA. Paul brings us up to speed on the U.S.-EU data fight: and teases tomorrow's webinar on the topic. Nick explains the big changes likely to come to the pornography world because of a lawsuit against Visa. And why Twitter narrowly averted its own child sex scandal. I note that Google's bias against GOP fundraising emails has led to an unlikely result: less spam filtering for all such emails. And, after waiting too long, Brian Krebs retracts the post about a Ubiquity "breach" that led the company to sue him.

Just when you thought you had a month free of the Cyberlaw Podcast, it turns out that we are persisting, at least a little. This month we offer a bonus episode, in which Dave Aitel and I interview Michael Fischerkeller, one of three authors of "Cyber Persistence Theory: Redefining National Security in Cyberspace." The book is a detailed analysis of how cyberattacks and espionage work in the real world—and a sharp critique of military strategists who have substituted their models and theories for the reality of cyber conflict. We go deep on the authors' view that conflict in the cyber realm is all about persistent contact and faits accomplis rather than compulsion and escalation risk. Dave pulls these threads with enthusiasm. I recommend the book and interview in part because of how closely the current thinking at United States Cyber Command is mirrored in both.

As Congress barrels toward an election that could see at least one house change hands, efforts to squeeze big bills into law are mounting. The one with the best chance (and better than I expected) would drop $52 billion in cash and a boatload of tax breaks on the semiconductor industry. Michael Ellis points out that this is industrial policy without apology, and a throwback to the 1980s, when the government organized SEMATECH, a name derived from "Semiconductor Manufacturing Technology" to shore up U.S. chipmaking. Thanks to a bipartisan consensus on the need to fight a Chinese challenge, and a trimming of provisions that tried to hitch a ride on the bill, there now looks to be a clear path to enactment for this bill. And if there were doubt about how serious the Chinese challenge in chips will be, an under-covered story revealed that China's chipmaking champion, SMIC, has been making 7-nanometer chips for months without an announcement. That's a diameter that Intel and GlobalFoundries, the main U.S. producers, have yet to reach in commercial production. The national security implications are plain. If commercial products from China are cheap enough to sweep the market, even security-minded agencies will be forced to buy them, as it turns out the FBI and Department of Homeland Security have both been doing with Chinese drones. Nick Weaver points to his Lawfare piece showing just how cheaply the United States (and Ukraine) could be making drones. Responding to the growing political concern about Chinese products, TikTok's owner ByteDance, has increased its U.S. lobbying spending to more than $8 million a year, Christina Ayiotis tells us—about what Google spends on lobbying. In the same vein, Nick and Michael question why the government hasn't come up with the extra $3 billion to fund "rip and replace" for Chinese telecom gear. That effort will certainly get a boost from reports that Chinese telecom sales were offered on especially favorable terms to carriers who service America's nuclear missile locations. I offer an answer: The Obama administration actually paid these same rural carriers to install Chinese equipment as part of the 2009 stimulus law. I cannot help thinking that the rural carriers ought to bear some of the cost of their imprudent investments and not ask U.S. taxpayers to pay them both for installing and ripping out the same gear. In news not tied to China, Nick tells us about the House Energy and Commerce Committee's serious progress on a compromise federal data privacy bill. It is still a doomed bill, given resistance from Dems and GOP in the Senate. I argue that that's a good thing, given the effort to impose "disparate impact" quotas for race, color, religion, national origin, sex, and disability on every algorithm that processes even a little personal data. This is a transformative social engineering project that just one section (208) of the "privacy" bill will impose without any serious debate. Christina grades Russian information warfare based on its latest exploit: hacking a Ukrainian radio broadcaster to spread fake news about Ukrainian President Volodymyr Zelenskyy's health. As a hack, it gets a passing grade, but as a believable bit of information warfare, it is a bust. Tina, Michael and I evaluate YouTube's new policy on removing "misinformation" related to abortion, and the risk that this policy, like so many Silicon Valley speech suppression schemes, will start out sounding plausible and end in political correctness. Nick and I celebrate the Department of Justice's increasing success in sometimes seizing cryptocurrency from hackers and ransomware gangs. It may just be Darwin at work, but it's nice to see. Nick offers the recommended long read of the week—Brian Krebs's takedown of the VPN malware supplier, 911. And in updates and quick hits: That Twitter worker arrested for spying on behalf of Saudi Arabia is going to trial. the United Kingdom's Government Communications Headquarters's cryptoskeptics have returned to ask how we can square end-to-end encryption with child safety. I think the answer is "Not well." The General Data Protection Regulation has consequences: Turns out that schoolkids in Denmark won't be able to use Chromebooks or Google Workspace. And Nick takes a moment to dunk on the Three Arrows founders, whose cryptocurrency company went under in the bust and who are now giving interviews from an undisclosed location. *An obscure Rhode Island tribute to the Industrial Trust Building that was known to a generation of children as the 'Dusty Old Trust" building until a new generation christened it the "Superman Building."

Kicking off a packed episode, the Cyberlaw Podcast calls on Megan Stifel to cover the first Cyber Safety Review Board (CSRB) Report. The CSRB does exactly what those of us who supported the idea hoped it would do—provide an authoritative view of how the Log4J incident unfolded along with some practical advice for cybersecurity executives and government officials. Jamil Jaffer tees up the second blockbuster report of the week, a Council on Foreign Relations study called "Confronting Reality in Cyberspace Foreign Policy for a Fragmented Internet." I think the study's best contribution is its demolition of the industry-led claim that we must have a single global internet. That has not been true for a decade, and pursuing that vision means that the U.S. is not defending its own interests in cyberspace. I call out the report for the utterly wrong claim that the United States can resolve its transatlantic dispute with Europe by adopting a European-style privacy law. Europe's beef with us on privacy reregulation of private industry is over (we surrendered); now the fight is over Europe's demand that we rewrite our intelligence and counterterrorism laws. Jamil Jaffer and I debate both propositions. Megan discloses the top cybersecurity provisions added to the House defense authorization bill—notably the five year term for the head of Cybersecurity and Infrastructure Security Agency (CISA) and a cybersecurity regulatory regime for systemically critical industry. The Senate hasn't weighed in yet, but both provisions now look more likely than not to become law. Regulatory cybersecurity measures look like the flavor of the month. The Biden White House is developing a cybersecurity strategy that is expected to encourage more regulation. Jamil reports on the development but is clearly hoping that the prediction of more regulation does not come true. Speaking of cybersecurity regulation, Megan kicks off a discussion of Department of Homeland Security's CISA weighing in to encourage new regulation from the Federal Communication Commission (FCC) to incentivize a shoring up of the Border Gateway Protocol's security. Jamil thinks the FCC will do better looking for incentives than punishments. Tatyana Bolton and I try to unpack a recent smart contract hack and the confused debate about whether "Code is Law" in web3. Answer: it is not, and never was, but that does not turn the hacking of a smart contract into a violation of the Computer Fraud and Abuse Act. Megan covers North Korea's tactic for earning dollars while trying to infiltrate U.S. crypto firms—getting remote work employment at the firms as coders. I wonder why LinkedIn is not doing more to stop scammers like this, given the company's much richer trove of data about job applicants using the site. Not to be outdone, other ransomware gangs are now adding to the threat of doxing their victims by making it easier to search their stolen data. Jamil and I debate the best way to counter the tactic. Tatyana reports on Sen. Mark Warner's, effort to strongarm the intelligence community into supporting Sen. Amy Klobuchar's antitrust law aimed at the biggest tech platforms— despite its inadequate protections for national security. Jamil discounts as old news the Uber leak. We didn't learn much from the coverage that we didn't already know about Uber's highhanded approach in the teens to taxi monopolies and government. Jamil and I endorse the efforts of a Utah startup devoted to following China's IP theft using China's surprisingly open information. Why Utah, you ask? We've got the answer. In quick hits and updates: Josh Schulte has finally been convicted for one of the most damaging intelligence leaks in history. Google gets grudging respect from me for its political jiu-jitsu. Faced with a smoking gun of political bias after spam-blocking GOP but not Dem fundraising messages, Google managed to kick off outrage by saying it wanted to fix the problem by forcing political spam on all its users. Now the GOP will have to explain that it's not trying to send us more spam; it just wants Gmail to stop favoring lefty spam. And, finally, we all get to enjoy the story of the bored Chinese housewife who created a complete universe of fake Russian history on China's Wikipedia. She's promised to stop, but I suspect she's just been hired to work for the world's most active producer of fake history—China's Ministry of State Security.

Dave Aitel introduces a deliciously shocking story about lawyers as victims and—maybe—co-conspirators in the hacking of adversaries' counsel to win legal disputes. The trick, it turns out, is figuring out how to benefit from hacked documents without actually dirtying one's hands with the hacking. And here too, a Shakespearean Henry (II this time) has the answer: hire a private investigator and ask "Will no one rid me of this meddlesome litigant?" Before you know it, there's a doxing site full of useful evidence on the internet. But first Dave digs into an intriguing but flawed story of how and why the White House ended up bigfooting a possible acquisition of NSO by L3Harris. Dave spots what looks like a simple error, and we are both convinced that the New York Times got only half the story. I suspect the White House was surprised by the leak, popped off about how bad an idea the deal was, and then was surprised to discover that the intelligence community had signaled interest. That leads us to the reason why NSO has continuing value – its ability to break Apple's phone security. Apple is now trying to reinforce its security with the new, more secure and less convenient, lockdown mode. Dave gives it high marks and challenges Google to match Apple's move. Next, we dive into the U.S. effort to keep Dutch firm ASML from selling chip-making machines to China. Dmitri Alperovich makes a special appearance to urge more effective use of export controls; he and Dave both caution, however, that the U.S. must impose the same burdens on its own firms as on its allies'. Jane Bambauer introduces the latest government proposal to take a bite out of crime by taking a bite out of end-to-end encryption ("e2e"). The U.K. has introduce an amendment to its pending online safety bill that would require regulated user-to-user services to identify and swiftly take down terrorism and child sex abuse material. The identifying isn't easy in an e2e environment, Jane notes, so this bill could force adoption of the now-abandoned Apple proposal to do local scanning on your phone. I'm usually a cheap date for crypto-skeptical laws, but I can't help noticing that this proposal will stir up 90 percent as much opposition as requiring companies to be able to intercept communications when they get a court order while it probably addresses only 10 percent of the crimes that occur on e2e networks. Jane and I take turns pouring cold water on journalists, NGOs, and even Congress for their feverish effort to turn the Supreme Court's abortion ruling into a reason to talk about privacy. Dumbest of all, in my view, is the claim that location services will be used to gather evidence and prosecute women who visit out of state abortion clinics. As I point out, such prosecutions won't even muster five votes on this Court. Dave spots another doubtful story about Russian government misuse of a red team hacking tool. He thinks it's a case of a red team hacking tool being used by … a red team. Jane notes that Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has announced a surprisingly anodyne (and arguably unnecessary) post-quantum cryptography initiative. I'm a little less hard on DHS, but only a little. Finally, in updates and quick hits: I point out that the U.S.-EU transatlantic data deal is looking a lot like vaporware. That's a worry now that Ireland is on the verge of ordering Facebook to stop moving data across the Atlantic. Jane and I take a whack at predicting Elon Musk's Twitter bid. I argue that Musk may escape with less than $1 billion in penalties but for years he will be to mergers what Google is to new digital products. And, finally, some modest good news on Silicon Valley's campaign to suppress politically "incorrect" speech. Twitter suspended former NYT reporter Alex Berenson for saying several true but inconvenient things about the coronavirus vaccine (it doesn't stop infection or transmission, and it has side effects, all of which raises real doubts about the wisdom of mandating vaccinations). Berenson sued and Twitter has now settled, unsuspending his account. The lawsuit had narrowed down the point where Twitter probably felt it could settle without creating a precedent, but any chink in Big Social's armor is worth celebrating.

It's that time again on the Congressional calendar. All the big, bipartisan tech initiatives that looked so good a few months ago are beginning to compete for time on the floor like fat men desperate to get through a small door. And tech lobbyists are doing their best to hinder the bills they hate while advancing those they like. We open the Cyberlaw Podcast by reviewing a few of the top contenders. Justin (Gus) Hurwitz tells us that the big bipartisan compromise on privacy is probably dead for this Congress, killed by Senator Maria Cantwell (D-WA) and the new politics of abortion. The big subsidy for domestic chip fabs is still alive, Jamil Jaffer but beset by House and Senate differences, plus a proposal to regulate outward investment by U.S. firms that would benefit China and Russia. And Senator Amy Klobuchar's (D-MIN) platform anti-self-preferencing bill is being picked to pieces by lobbyists trying to cleave away Republican votes over content moderation and national security. David Kris unpacks the First Circuit decision on telephone pole cameras and the fourth amendment. Technology and Fourth Amendment law is increasingly agoraphobic, I argue, as aging boomers find themselves on a vast featureless constitutional plain, with no precedents to guide them and forced to fall back on their sense of what was creepy in their day. Speaking of creepy, the Australian Strategic Policy Institute (ASPI) has a detailed report on just how creepy content moderation and privacy protections are at TikTok and WeChat. Jamil gives the highlights. Not that Silicon Valley has anything to brag about. I sum up This Week in Big Tech Censorship with two newly emerging rules for conservatives on line: First, obeying Big Tech's rules is no defense; it just takes a little longer before your business revenue is cut off. Second, having science on your side is no defense. As a Brown University doctor discovered, citing a study that undermines Centers for Disease Control and Prevention (CDC) orthodoxy will get you suspended. Who knew we were supposed to follow the science with enough needle and thread to sew its mouth shut? If Sen. Klobuchar fails, all eyes will turn to Lina Khan's Federal Trade Commission, Gus tells us, and its defense of the "right to repair" may give a clue to how it will regulate. David flags a Google study of zero-days sold to governments in 2021. He finds it a little depressing, but I note that at least some of the zero-days probably require court orders to implement. Jamil also reviews a corporate report on security, Microsoft's analysis of how Microsoft saved the world from Russian cyber espionage—or would have if you ignoramuses would just buy more cloud services. OK, it's not quite that bad, but the marketing motivations behind the report show a little too often in what is otherwise a useful review of Russian tactics. In quick hits: Gus tells us about a billboard that can pick your pocket: In NYC, naturally. Jamil thinks we may have finally found Putin's billions, through the magic of shared email addresses. I offer a preview of the next U.S.-E.U. privacy spat, over sharing biometrics at the border. And David and I talk marijuana and security clearances. If you listen to the podcast for career advice, it's a long wait, but David delivers Security Agency Counsel after a long series of acting General Counsels.

This episode of the Cyberlaw Podcast begins by digging into a bill more likely to transform tech regulation than most of the proposals you've actually heard of—a bipartisan effort to repeat U.S. Senator John Cornyn's bipartisan success in transforming the Committee on Foreign Investment in the United States (CFIUS) four years ago. The new bill holds a mirror up to CFIUS, Matthew Heiman reports. Where CFIUS regulates inward investment from adversary nation, the new proposal will regulate outward investment—from the U.S. to adversary nations. The goal is to slow the transfer of technical expertise (and capital) from the U.S. to China. It is opposed by the Chinese government and the same U.S. business alliance that angered Senator Cornyn in 2018. If it passes, I predict, it will be as part of must-pass legislation and will be a big surprise to most technology observers. The cryptocurrency world might as well make Leslie Gore its official chanteuse, because everyone is crying at the end of the crypto party. Well, except for Nick Weaver, who does a Grand Tour of all the overleveraged cryptocurrency firms on or over the verge of collapse as bitcoin values drop to $20 thousand and below. Scott Shapiro and I trade views on the spate of claims that Microsoft is downgrading security in its products. It would unfortunately make sense for Microsoft to strip-mine value from its standalone proprietary software by stinting on security, we think, but we can't explain why it would neglect cloud security as it is increasingly accused of doing. That brings us to NickTalk about TikTok, and a behind-the-scenes look at what has happened to the TikTok-CFIUS case in the years since former President Donald Trump left the stage. Turns out that CFIUS has been doggedly pursuing pieces of the deal that were still on the table in 2020: localization in the U.S. for U.S. user data and no Chinese access to the data. The first is moving forward, Nick tells us; the second is turning out to be a morass. Speaking of localization, India's determination to localize credit card data has been rewarded. Matthew reports that cutting off new credit card customers did the trick: Mastercard has localized its data, and India has lifted the ban. Scott reports on Japan's latest contribution to the techlash: a law that makes 'online insults' a crime. Scott also reports on a modest bright spot in NSO Group 's litigation with Facebook: The Supreme Court answered the company's plea, calling on the U.S. government to comment on whether NSO could claim sovereign immunity for the hacking tools it sells to government. Nick puts his grave dancing shoes back on to report the bad news for NSO: the Biden administration is trashing a rumored acquisition by U.S. - based L3Harris Technologies. Scott makes short work of the idea that a Google AI chatbot has achieved sentience. Of course, as a trained philosopher, Scott seems a little reluctant to concede that I've achieved sentience. We do agree that it's a hell of a good chatbot. And in quick hits, I note the appointment of April Doss as General Counsel for the National Security Agency Counsel after a long series of acting General Counsels.

This bonus episode of the Cyberlaw Podcast is an interview with Amy Gajda, author of "Seek and Hide: The Tangled History of the Right to Privacy." Her book is an accessible history of the often obscure and sometimes "curlicued" interaction between the individual right to privacy and the public's (or at least the press's) right to know. Gajda, a former journalist, turns what could have been a dry exegesis on two centuries of legal precedent into a lively series of stories behind the case law. All the familiar legal titans of press and privacy—Louis Brandeis, Samuel Warren, Oliver Wendell Holmes—are there, but Gajda's research shows that they weren't always on the side they're most famous for defending. This interview is just a taste of what Gajda's book offers, but lawyers who are used to a summary of argument at the start of everything they read should listen to this episode first if they want to know up front where all the book's stories are taking them.

Francisco last week at the Rivest-Shamir-Adleman (RSA) conference. We summarize what they said and offer our views of why they said it. Bobby Chesney, returning to the podcast after a long absence, helps us assess Russian warnings that the U.S. should expect a "military clash" if it conducts cyberattacks against Russian critical infrastructure. Bobby, joined by Michael Ellis sees this as a routine Russian PR response to U.S. Cyber Command and Director, Paul M. Nakasone's talk about doing offensive operations in support of Ukraine. Bobby also notes the FBI analysis of the NetWalker ransomware gang, an analysis made possible by seizure of the gang's back office computer system in Bulgaria. The unfortunate headline summary of the FBI's work was a claim that "just one fourth of all NetWalker ransomware victims reported incidents to law enforcement." Since many of the victims were outside the United States and would have had little reason to report to the Bureau, this statistic undercounts private-public cooperation. But it may, I suggest, reflect the Bureau's increasing sensitivity about its long-term role in cybersecurity. Michael notes that complaints about a dearth of private sector incident reporting is one of the themes from the government's RSA appearances. A Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) executive also complained about a lack of ransomware incident reporting, a strange complaint considering that CISA can solve much of the problem by publishing the reporting rule that Congress authorized last year. In a more promising vein, two intelligence officials underlined the need for intel agencies to share security data more effectively with the private sector. Michael sees that as the one positive note in an otherwise downbeat cybersecurity report from Avril Haines, Director of National Intelligence. And David Kris points to a similar theme offered by National Security Agency official Rob Joyce who believes that sharing of (lightly laundered) classified data is increasing, made easier by the sophistication and cooperation of the cybersecurity industry. Michael and I are taking with a grain of salt the New York Times' claim that Russia's use of U.S. technology in its weapons has become a vulnerability due to U.S. export controls. We think it may take months to know whether those controls are really hurting Russia's weapons production. Bobby explains why the Department of Justice (DOJ) was much happier to offer a "policy" of not prosecuting good-faith security research under the Computer Fraud and Abuse Act instead of trying to draft a statutory exemption. Of course, the DOJ policy doesn't protect researchers from civil lawsuits, so Leonard Bailey of DOJ may yet find himself forced to look for a statutory fix. (If it were me, I'd be tempted to dump the civil remedy altogether.) Michael, Bobby, and I dig into the ways in which smartphones have transformed both the war and, perhaps, the law of war in Ukraine. I end up with a little more understanding of why Russian troops who've been flagged as artillery targets in a special Ukrainian government phone app might view every bicyclist who rides by as a legitimate target. Finally, David, Bobby and I dig into a Forbes story, clearly meant to be an expose, about the United States government's use of the All Writs Act to monitor years of travel reservations made by an indicted Russian hacker until he finally headed to a country from which he could be extradited.

If you've been worrying about how a leaky U.S. government can possibly compete with China's combination of economic might and autocratic government, this episode of the Cyberlaw Podcast has a few scraps of good news. The funniest, supplied by Dave Aitel, is the tale of the Chinese gamer who was so upset at the online performance of China's tanks that he demanded an upgrade. When it didn't happen, he bolstered his argument by leaking apparently classified details of Chinese tank performance. I suggest that U.S. intelligence should be subtly degrading the online game performance of other Chinese weapons systems we need more information about. There may be similar comfort in the story of Gitee, a well-regarded Chinese competitor to Github that ran into a widespread freeze on open source projects. Jane Bambauer and I speculate that the source of the freeze was government objections to something in the code or the comments in several projects. But guessing at what it takes to avoid a government freeze will handicap China's software industry and make western companies more competitive than one would expect. In other news, Dave unpacks the widely reported and largely overhyped story of Cyber Command conducting "hunt forward" operations in support of Ukraine. Mark MacCarthy digs into Justice Samuel A. Alito Jr.'s opinion explaining why he would not have reinstated the district court injunction against Texas's social media regulation. Jane and I weigh in. The short version is that the Alito opinion offers a plausible justification for upholding the law. It may not be the law now, but it could be the law if Justice Alito can find two more votes. And getting those votes may not be all that hard for a decision imposing more transparency requirements on social media companies. Mark and Jane also dig deep on the substance and politics of national privacy legislation. Short version: House Democrats have made substantial concessions in the hopes of getting a privacy bill enacted before they must face what's expected to be a hostile electorate. But Senate Democrats may not be willing to swallow those concessions, and Republican members may think they will do better to wait until after November. Impressed by the concessions, Jane and Mark hold out hope for a deal this year. I don't. Meanwhile, Jane notes, California is driving forward with regulations under its privacy law that are persuading Republicans that preemption has lots of value for business. Finally, revisiting two stories from earlier weeks, Dave notes The devastating consequences and obscure motivations of Conti's ransomware attacks on the Costa Rican government, and The deep tension between the U.S. government and Microsoft over export controls on intrusion tools. Download the 410th Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

At least that's the lesson that Paul Rosenzweig and I distill from the recent 11th Circuit decision mostly striking down Florida's law regulating social media platforms' content "moderation" rules. We disagree flamboyantly on pretty much everything else—including whether the court will intervene before judgment in a pending 5th Circuit case where the appeals court stayed a district court's injunction and allowed Texas's similar law to remain in effect. When it comes to content moderation, Silicon Valley is a lot tougher on the Libs of TikTok than the Chinese Communist Party (CCP). Instagram just suspended the Libs of Tiktok account, I report, while a recent Brookings study shows that the Chinese government's narratives are polluting Google and Bing search results on a regular basis. Google News and YouTube do the worst job of keeping the party line out of searches. Both Google News and YouTube return CCP-influenced links on the first page about a quarter of the time. I ask Sultan Meghji to shed some light on the remarkable TerraUSD cryptocurrency crash. Which leads us, not surprisingly, from massive investor losses to whether financial regulators have jurisdiction over cryptocurrency. The short answer: Whether they have jurisdiction or not, all the incentives favor an assertion of jurisdiction. Nick Weaver is with us in spirit as we flag his rip-roaring attack on the whole fiel—a don't-miss interview for readers who can't get enough of Nick. It's a big episode for artificial intelligence (AI) news too. Matthew Heiman contrasts the different approaches to AI regulation in three big jurisdictions. China's is pretty focused, Europe's is ambitious and all-pervading, and the United States isn't ready to do anything. Paul thinks DuckDuckGo should be DuckDuckGone after the search engine allowed Microsoft trackers to follow users of its browser. Sultan and I explore ways of biasing AI algorithms. It turns out that saving money on datasets makes the algorithm especially sensitive to the order in which the data is presented. Debiasing with synthetic data has its own risks, Sultan avers. But if you're looking for good news, here's some: Self-driving car companies who are late to the party are likely to catch up fast, because they can build on a lot of data that's already been collected as well as new training techniques. Matthew breaks down the $150 million fine paid by Twitter for allowing ad targeting of the phone numbers its users supplied for two-factor authentication (2FA) security purposes. Finally, in quick hits: Matthew recommends that we all get popcorn for: Spain's planned investigation of its intelligence services following a phone hacking scandal. Sultan and I call time of death for the Klobuchar bill regulating Silicon Valley self-preferencing. It was the most likely of all the Silicon Valley competition bills to pass, but election year tensions and massive lobbying campaigns by industry have made its path to enactment too steep. And Sultan notes that the Commerce Department has published with relatively little change its rule restricting exports of hacking tools. Download the 409th Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families or pets.

This week's Cyberlaw Podcast covers efforts to pull the Supreme Court into litigation over the Texas law treating social media platforms like common carriers and prohibiting them from discriminating based on viewpoint when they take posts down. I predict that the court won't overturn the appellate decision staying an unpersuasive district court opinion. Mark MacCarthy and I both think that the transparency requirements in the Texas law are defensible, but Mark questions whether viewpoint neutrality is sufficiently precise for a law that trenches on the platforms' free speech rights. I talk about a story that probably tells us more about content moderation in real life than ten Supreme Court amicus briefs—the tale of an OnlyFans performer who got her Instagram account restored by using alternative dispute resolution on Instagram staff: "We met up and like I f***ed a couple of them and I was able to get my account back like two or three times," she said. Meanwhile, Jane Bambauer unpacks the Justice Department's new policy for charging cases under the Computer Fraud and Abuse Act. It's a generally sensible extension of some positions the department has taken in the Supreme Court, including refusing to prosecute good faith security research or to allow companies to create felonies by writing use restrictions into their terms of service. Unless they also write those restrictions into cease and desist letters, I point out. Weirdly, the Justice Department will treat violations of such letters as potential felonies. Mark gives a rundown of the new, Democrat-dominated Federal Trade Commission's first policy announcement—a surprisingly uncontroversial warning that the commission will pursue educational tech companies for violations of the Children's' Online Privacy Protection Act. Maury Shenk explains the recent United Kingdom Attorney General speech on international law and cyber conflict. Mark celebrates the demise of Department of Homeland Security's widely unlamented Disinformation Governance Board. Should we be shocked when law enforcement officials create fake accounts to investigate crime on social media? The Intercept is, of course. Perhaps equally predictably, I'm not. Jane offers some reasons to be cautious—and remarks on the irony that the same people who don't want the police on social media probably resonate to the New York Attorney General's claim that she'll investigate social media companies, apparently for not responding like cops to the Buffalo shooting. Is it "game over" for humans worried about artificial intelligence (AI) competition? Maury explains how Google Deep Mind's new generalist AI works and why we may have a few years left. Jane and I manage to disagree about whether federal safety regulators should be investigating Tesla's fatal autopilot accidents. Jane has logic and statistics on her side, so I resort to emotion and name-calling. Finally, Maury and I puzzle over why Western readers should be shocked (as we're clearly meant to be) by China's requiring that social media posts include the poster's location or by India's insistence on a "know your customer" rule for cloud service providers and VPN operators. Download the 408th Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Is the European Union (EU) about to rescue the FBI from Going Dark? Jamil Jaffer and Nate Jones tell us that a new directive aimed at preventing child sex abuse might just do the trick, a position backed by people who've been fighting the bureau on encryption for years. The Biden administration is prepping to impose some of the toughest sanctions ever on Chinese camera maker Hikvision, Jordan Schneider reports. No one is defending Hikvision's role in China's Uyghur policy, but I'm skeptical that we should spend all that ammo on a company that probably isn't the greatest national security threat we face. Jamil is more comfortable with the measure, and Jordan reminds me that China's economy is shaky enough that it may not pick a fight to save Hikvision. Speaking of which, Jordan schools me on the likelihood that Xi Jinping's hold on power will be loosened by the plight of Chinese tech platforms, harsh pandemic lockdowns or the grim lesson provided by Putin's ability to move without check from tactical error to strategic blunder and on to historic disaster. Speaking of products of more serious national security than Hikvision, Nate and I try to figure out why the effort to get Kaspersky software out of U.S. infrastructure is still stalled. I think the Commerce Department should take the fall. In a triumph of common sense and science, the wave of laws attacking face recognition may be receding as lawmakers finally notice what's been obvious for five years: The claim that face recognition is "racist" is false. Virginia, fresh off GOP electoral gains, has revamped its law on face recognition so it more or less makes sense. In related news, I puzzle over why Clearview AI accepted a settlement of the ACLU's lawsuit under Illinois's biometric law. Nate and I debate how much authority Cyber Command should have to launch actions and intrude on third country machines without going through the interagency process. A Biden White House review of that question seems to have split the difference between the Trump and Obama administrations. Quelle surprise! Jamil concludes that the EU's regulation of cybersecurity is an overambitious and questionable expansion of the U.S. approach. He's more comfortable with the Defense Department's effort to keep small businesses who take its money from decamping to China once they start to succeed. Jordan and I fear that the cure may be worse than the disease. I get to say I told you so about the unpersuasive and cursory opinion by United States District Judge Robert Pitman, striking down Texas' social media law. The Fifth Circuit has overturned his injunction, so the bill will take effect, at least for a while. In my view some of the provisions are constitutional and others are a stretch; Judge Pitman's refusal to do a serious severability analysis means that all of them will get a try-out over the next few weeks. Jamil and I debate geofenced search warrants and the reasons why companies like Google, Microsoft and Yahoo want them restricted. In quick hits, Jamil and I trade views on whether the Biden White House has effectively managed the lagging implementation of its landmark cybersecurity executive order. I note the important new protocol for implementing the Budapest Convention. On the principle that you can judge a policy by its enemies, this protocol is looking pretty good. Jamil highlights a study—by Europeans, no less—that suggests that General Data Protection Regulation (GDPR) is killing innovation in the Android app market. Jamil also flags a new study of the Chinese Offensive Cyber Landscape. And I suggest that the event with the biggest tech policy impact last week may have been none of these things; the real impact may be the meltdown in tech stocks generally and in cryptocurrency values in particular. Download the 407th Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Retraction: An earlier episode of the Cyberlaw Podcast may have left the impression that I think Google hates mothers. I regret the error. It appears that, in reality, Google only hates Republican mothers who are running for office. But to all appearances, Google really, really hates them. A remarkable, and apparently damning study disclosed that during the most recent federal election campaign, Google's Gmail sent roughly two-thirds of GOP campaign emails to users' spam inboxes while downgrading less than ten percent of the Dems' messages. Jane Bambauer lays out the details, which refute most of the excuses Google might offer for the discriminatory treatment. Notably, neither Outlook nor Yahoo! mail showed a similar pattern. Tatyana thinks we should blame Google's algorithm, not its personnel, but we're all eager to hear Google's explanation, whether it's offered in the press, Federal Election Commission (FEC), in court, or in front of Congressional investigators after the next election. Jordan Schneider helps us revisit China's cyber policies after a long hiatus. Things have NOT gotten better for the Chinese government, Jordan reports. Stringent lockdowns in Shanghai are tanking the economy and producing a surprising amount of online dissent, but with Hong Kong's death toll in mind, letting omicron spread unchecked is a scary prospect, especially for a leader who has staked his reputation on dealing with the virus better than the rest of the world. The result is hesitation over what had been a strong techlash regulatory campaign. Tatyana Bolton pulls us back to the Russian-Ukrainian war. She notes that Russia Is not used to being hacked at anything like the current scale, even if most of the online attacks are pinpricks. She also notes Microsoft's report on Russia's extensive use of cyberattacks in Ukraine. All that said, cyber operations remain a minor factor in the war. Michael Ellis and I dig into the ODNI's intelligence transparency report, which inspired several differed takes over the weekend. The biggest story was that the FBI had conducted "up to" 3.4 million searches for U.S. person data in the pool of data collected under section 702 of the Foreign Intelligence Surveillance Act (FSA). Sharing a brief kumbaya moment with Sen. Ron Wyden, Michael finds the number "alarming or meaningless," probably the latter. Meanwhile, FISA Classic wiretaps dropped again in the face of the coronavirus. And the FBI conducted four searches without going to the FISA court when it should have, probably by mistake. We can't stay away from the pileup that is Elon Musk's Twitter bid. Jordan offers views on how much leverage China will have over Twitter by virtue of Tesla's dependence on the Chinese market. Tatyana and I debate whether Musk should have criticized Twitter's content moderators for their call on the Biden laptop story. Jane Bambauer questions whether Musk will do half the things that he seems to be hinting. I agree, if only because European law will force Twitter to treat European sensibilities as the arbiter of what can be said in the public square. Jane outlines recent developments showing, in my view, that Europe isn't exactly running low on crazy. A new court decision opens the door to what amounts to class actions to enforce European privacy law without regard for the jurisdictional limits that have made life easier for big U.S. companies. I predict that such lawsuits will also mean trouble for big Chinese platforms. And that's not half of it. Europe's Digital Services Act, now nearly locked down, is the mother lode of crazy. Jane spells out a few of the wilder provisions – only some of which have made it into legal commentary. Orin Kerr, the normally restrained and professorial expert on cyber law, is up in arms over a recent 9th Circuit decision holding that a preservation order is not a seizure requiring a warrant. Michael, Jane, and I dig into Orin's agita, but we have trouble sharing it. In quick hits: Jane looks at a report expressing shock that Amazon uses data from Alexa smart speakers pretty much exactly the way you'd expect it to. Michael and I unpack the latest move in the prosecution of Uber's former Chief Security Officer, Joe Sullivan. Jane lays out what's different in Colorado's new privacy law. Spoiler: Just enough to make the likelihood of a federal privacy law with preemption look good to business. Michael and I wish the Biden administration well in its effort to get much-needed new authorities to address the risks of drone attacks here at home. Download the 405th Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw

Whatever else the pundits are saying about the use of cyberattacks in the Ukraine war, Dave Aitel notes, they all believe it confirms their past predictions about cyberwar. Not much has been surprising about the cyber weapons the parties have deployed, Scott Shapiro agrees. The Ukrainians have been doxxing Russia's soldiers in Bucha and its spies around the world. The Russians have been attacking Ukraine's grid. What's surprising is that the grid attacks have not seriously degraded civilian life, and how hard the Russians have had to work to have any effect at all. Cyberwar isn't a bust, exactly, but it is looking a little overhyped. In fact, Scott suggests, it's looking more like a confession of weakness than of strength: "My military attack isn't up to the job, so I'll throw in some fancy cyberweapons to impress The Boss." Would it have more impact here? We can't know until the Russians (or someone else) gives it a try. But we should certainly have a plan for responding, and Dmitri Alperovitch and Sam Charap have offered theirs: Shut down Russia's internet for a few hours just to show we can. It's better than no plan, but we're not ready to say it's the right plan, given the limited impact and the high cost in terms of exploits exposed. Much more surprising, and therefore interesting, is the way Ukrainian mobile phone networks have become an essential part of Ukrainian defense. As discussed in a very good blog post, Ukraine has made it easy for civilians to keep using their phones without paying no matter where they travel in the country and no matter which network they find there. At the same time, Russian soldiers are finding the network to be a dangerous honeypot. Dave and I think there are lessons there for emergency administration of phone networks in other countries. Gus Hurwitz draws the short straw and sums up the second installment of the Elon Musk v. Twitter story. We agree that Twitter's poison pill probably kills Musk's chances of a successful takeover. So what else is there to talk about? In keeping with the confirmation bias story, I take a short victory lap for having predicted that Musk would try to become the Rupert Murdoch of the social oligarchs. And Gus helps us enjoy the festschrift of hypocrisy from the Usual Sources, all declaring that the preservation of democracy depends on internet censorship, administered by their friends. Scott takes us deep on pipeline security, citing a colleague's article for Lawfare on the topic. He thinks responsibility for pipeline security should be moved from Transportation Security Administration (TSA) to (FERC), because, well, TSA. The Biden administration is similarly inclined, but I'm not enthusiastic; TSA may not have shown much regulatory gumption until recently, but neither has FERC, and TSA can borrow all the cyber expertise it needs from its sister agency, CISA. An option that's also open to FERC, Scott points out. You can't talk pipeline cyber security without talking industrial control security, so Scott and Gus unpack a recently discovered ICS malware package that is a kind of Metasploit for attacking operational tech systems. It's got a boatload of features, but Gus is skeptical that it's the best tool for causing major havoc in electric grids or pipelines. Also, remarkable: it seems to have been disclosed before the nation state that developed it could actually use it against an adversary. Now that's Defending Forward! As a palate cleanser, we ask Gus to take us through the latest in EU cloud protectionism. It sounds like a measure that will hurt U.S. intelligence but do nothing for Europe's effort to build its own cloud industry. I recount the broader story, from subpoena litigation to the CLOUD Act to this latest counter-CLOUD attack. The whole thing feels to me like Microsoft playing both sides against the middle. Finally, Dave takes us on a tour of the many proposals being launched around the world to regulate the use of Artificial Intelligence (AI) systems. I note that Congressional Dems have their knives out for face recognition vendor id.me. And I return briefly to the problem of biased content moderation. I look at research showing that Republican Twitter accounts were four times more likely to be suspended than Democrats after the 2020 election. But I find myself at least tentatively persuaded by further research showing that the Republican accounts were four times as likely to tweet links to sites that a balanced cross section of voters considers unreliable. Where is confirmation bias when you need it? Download the 403rd Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly cove

The theme of this episode of the Cyberlaw Podcast is, "Be careful what you wish for." Techlash regulation is burgeoning around the world. Mark MacCarthy takes us through a week's worth of regulatory enthusiasm. Canada is planning to force Google and Facebook to pay Canadian news media for links. It sounds simple, but arriving at the right price—and the right recipients—will require a hefty dose of discretionary government intervention. Meanwhile, South Korea's effort to regulate Google's Android app store policies, which also sounds simple, is quickly devolving into such detail that the government might as well call it price regulation—because that's what it is. And, Mark notes, even in China, which seemed to be moderating its hostility to tech platforms, just announced algorithm compliance audits for TenCent and ByteDance. Nobody is weeping for Big Tech, but anybody who thinks this kind of thing will hurt Big Tech has never studied the history of AT&T—or Rupert Murdoch. Incumbent tech companies have the resources to protect themselves from regulatory harm—and to make sure their competitors will be crushed by the burdens they bear. The one missing chapter in the mutual accommodation of Big Tech and Big Government, I argue, is a Rupert Murdoch figure—someone who will use his platform unabashedly to curry favor not from the left but from the right. It's an unfilled niche, but a moderately conservative Big Tech company is likely to find all the close regulatory calls being made in its favor if (or, more likely, when) the GOP takes power. If you think that's not possible, you missed the last week of tech news. Elon Musk, whose entire business empire is built on government spending, is already toying with occupying a Silicon Valley version of the Rupert Murdoch niche. His acquisition of nearly 10 percent of Twitter is an opening gambit that is likely to make him the man that conservatives hail as the antidote to Silicon Valley's political monoculture. Axios's complaint that the internet is becoming politically splintered is wildly off the mark today, but it may yet come true. Nick Weaver brings us back to earth with a review of the FBI's successful (for now) takedown of the Cyclops Blink botnet—a Russian cyber weapon that was disabled before it could be fired. Nick reminds us that the operation was only made possible by a change in search and seizure procedures that the Electronic Frontier Foundation (EFF) and friends condemned as outrageous just a decade ago. Last week, he reports, Western law enforcement also broke the Hydra dark market. In more good news, Nick takes us through the ways in which bitcoin's traceability has enabled authorities to bust child sex rings around the globe. Nick also brings us This Week in Bad News for Surveillance Software: FinFisher is bankrupt. Israeli surveillance software smuggled onto EU ministers' phones is being investigated; and Google has banned apps that use particularly intrusive data collection tools, outed by Nick's colleagues at the International Computer Science Institute. Finally, Europe is building a vast network to do face recognition across the continent. I celebrate the likely defeat of ideologues who've been trying to toxify face recognition for years. And I note that one of my last campaigns at the Department of Homeland Security (DHS) was a series of international agreements that lock European law enforcement into sharing of such data with the United States. Defending those agreements, of course, should be a high priority for the State Department's on-again off-again new cyber bureau. Download the 402nd Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Spurred by a Cyberspace Solarium op-ed, Nate Jones gives an overview of cybersecurity worries in the maritime sector, where there is plenty to worry about. I critique the U.S. government's December 2020 National Maritime Cybersecurity Strategy, a 36-page tome that, when the intro and summary and appendices and blank pages are subtracted, offers only eight pages of substance. Luckily, the Atlantic Council has filled the void with its own report on the topic. Of course, the maritime sector isn't the only one we should be concerned about. Sultan Meghji points to the deeply troubling state of industrial control security, as illustrated by at "10 out of 10" vulnerability recently identified in a Rockwell Automation ICS system. Still, sometimes software rot serves a good purpose. Maury Shenk tells us about decay in Russia's SORM—a site-blocking system that may be buckling under the weight of the Ukraine invasion. Talking about SORM allows me to trash a nothingburger story perpetrated by three New York Times reporters who ought to know better. Adam Satariano, Paul Mozur and Aaron Krolik should be ashamed of themselves for writing a long story suggesting that Nokia did something wrong by selling Russia telecom gear that enables wiretaps. Since the same wiretap features are required by Western governments as a matter of law, Nokia could hardly do anything else. SORM and its abuses were all carried out by Russian companies. I suspect that, after wading through a boatload of leaked documents, these three (three!) reporters just couldn't admit there was no there, there. Nate and I note the emergence of a new set of secondary sanctions targets as the Treasury Department begins sanctioning companies that it concludes are part of a sanctions evasion network. We also puzzle over the surprising pushback on proposals to impose sanctions on Kaspersky. If the Wall Street Journal is correct, and the reason is fear of cyberattacks if the Russian firm is sanctioned, isn't that a reason to sanction them out of Western networks? Sultan and Maury remind us that regulating cryptocurrency is wildly popular with some, including Sen. Elizabeth Warren and the EU Parliament. Sultan remains skeptical that sweeping regulation is in the cards. He is much more bullish on Apple's ability to upend the entire fintech field by plunging into financial services with enthusiasm. I point out that it's almost impossible for a financial services company to maintain a standoffish relationship with the government, so Apple may have to change the tune it's been playing in the U.S. for the last decade. Maury and I explore fears that the DMA will break WhatsApp encryption, while Nate and I plumb some of the complexities of a story Brian Krebs broke about hackers exploiting the system by which online services provide subscriber information to law enforcement in an emergency. Speaking of Krebs, we dig into Ubiquiti's defamation suit against him. The gist of the complaint is that Krebs relied on a "whistleblower" who turned out to be the perp, and that Krebs didn't quickly correct his scoop when that became apparent. My sympathies are with Krebs on this one, at least until Ubiquiti fills in a serious gap in its complaint—the lack of any allegation that the company told Krebs that he'd been misled and asked for a retraction. Without that, it's hard to say that Krebs was negligent (let alone malicious) in reporting allegations by an apparently well-informed insider. Maury brings us up to speed on the (still half-formed) U.K. online harms bill and explains why the U.K. government was willing to let the subsidiary of a Chinese company buy the U.K.'s biggest chip foundry. Sultan finds several insights in an excellent CNN story about the Great Conti Leak. And, finally, I express my personal qualms about the indictment (for disclosing classified information) of Mark Unkenholz, a highly competent man whom I know from my time in government. To my mind the prosecutors are going to have to establish that Unkenholz was doing something different from the kind of disclosures that are an essential part of working with tech companies that have no security clearances but plenty of tools needed by the intelligence community. This is going to be a story to watch. Download the 401st Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

With the U.S. and Europe united in opposing Russia's attack on Ukraine, a few tough transatlantic disputes are being swept away—or at least under the rug. Most prominently, the data protection crisis touched off by Schrems 2 has been resolved in principle by a new framework agreement between the U.S. and the EU. Michael Ellis and Paul Rosenzweig trade insights on the deal and its prospects before the European Court of Justice. The most controversial aspect of the agreement is the lack of any change in U.S. legislation. That's simple vote-counting if you're in Washington, but the Court of Justice of the European Union (CJEU) clearly expected that it was dictating legislation for the U.S. Congress to adopt, so Europe's acquiescence may simply kick the can down the road a bit. The lack of legislation will be felt in particular, Michael and Paul aver, when it comes to providing remedies to European citizens who feel their rights have been trampled. Instead of going to court, they'll be going to an administrative body with executive branch guarantees of independence and impartiality. We congratulate several old friends of the podcast who patched this solution together. The Russian invasion of Ukraine, meanwhile, continues to throw off new tech stories. Nick Weaver updates us on the single most likely example of Russia using its cyber weapons effectively for military purposes—the bricking of Ukraine's (and a bunch of other European) Viasat terminals. Alex Stamos and I talk about whether the social media companies recently evicted from Russia, especially Instagram, should be induced or required to provide information about their former subscribers' interests to allow microtargeting of news to break Putin's information management barriers; along the way we examine why it is that tech's response to Chinese aggression has been less vigorous. Speaking of microtargeting, Paul gives kudos to the FBI for its microtargeted "talk to us" ads, only visible to Russian speakers within 100 yards of the Russian embassy in Washington. Finally, Nick Weaver and Mike mull the significance of Israel's determination not to sell sophisticated cell phone surveillance malware to Ukraine. Returning to Europe-U.S. tension, Alex and I unpack the European Digital Markets Act, which regulates a handful of U.S. companies because they are "digital gatekeepers." I think it's a plausible response to network effect monopolization, ruined by anti-Americanism and the persistent illusion that the EU can regulate its way to a viable tech industry. Alex has a similar take, noting that the adoption of end-to-end encryption was a big privacy victory, thanks to WhatsApp, an achievement that the Digital Markets Act will undo in attempting to force standardized interoperable messaging on gatekeepers. Nick walks us through the surprising achievements of the gang of juvenile delinquents known as Lapsus$. Their breach of Okta is the occasion for speculation about how lawyers skew cyber incident response in directions that turn out to be very bad for the breach victim. Alex vividly captures the lawyerly dynamics that hamper effective response. While we're talking ransomware, Michael cites a detailed report on corporate responses to REvil breaches, authored by the minority staff of the Senate Homeland security committee. Neither the FBI nor CISA comes out of it looking good. But the bureau comes in for more criticism, which may help explain why no one paid much attention when the FBI demanded changes to the cyber incident reporting bill. Finally, Nick and Michael debate whether the musician and Elon Musk sweetheart Grimes could be prosecuted for computer crimes after confessing to having DDOSed an online publication for an embarrassing photo of her. Just to be on the safe side, we conclude, maybe she shouldn't go back to Canada. And Paul and I praise a brilliant WIRED op-ed proposing that Putin's Soviet empire nostalgia deserves a wakeup call; the authors (Rosenzweig and Baker, as it happens) suggest that the least ICANN can do is kill off the Soviet Union's out-of-date .su country code. Download the 400th Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

A special reminder that we will be doing episode 400 live on video and with audience participation on March 28, 2022 at noon Eastern daylight time. So, mark your calendar and when the time comes, use this link to join the audience: https://riverside.fm/studio/the-cyberlaw-podcast-400 See you there! There's nothing like a serious shooting war to bring on paranoia and mistrust, and the Russian invasion of Ukraine is generating mistrust on all sides. Everyone expected a much more damaging cyberattack from the Russians, and no one knows why it hasn't happened yet. Dave Aitel walks us through some possibilities. Cyberattacks take planning, and Russia's planners may have believed they wouldn't need to use large-scale cyberattacks—apart from what appears to be a pretty impressive bricking of Viasat terminals used extensively by Ukrainian forces. Now that the Russians could use some cyber weapons in Ukraine, the pace of the war may be making it hard to build them. None of that is much comfort to Western countries that have imposed sanctions, since their infrastructure makes a nice fat sitting-duck target, and may draw fire soon if American intelligence warnings prove true. Meanwhile, Matthew Heiman reports, the effort to shore up defenses is leading to a cavalcade of paranoia. Has the UK defense ministry banned the use of WhatsApp due to fears that it's been compromised by Russia? Maybe. But WhatsApp has long had known security limitations that might justify downgrading its use on the battlefield. Speaking of ambiguity and mistrust, Telegram use is booming in Russia, Dave says, either because the Russians know how to control it or because they can't. Take your pick. Speaking of mistrust, the German security agency has suddenly discovered that it can't trust Kaspersky products. Good luck finding them, Dave offers, since many have been whitelabeled into other company's software. He has limited sympathy for an agency that resolutely ignored U.S. warnings about Kaspersky for years. Even in the absence of a government with an interest in subverting software, the war is producing products that can't be trusted. One open-source maintainer of a popular open-source tool turned it into a data wiper for anyone whose computer looks Belarussian or Russian. What could possibly go wrong with that plan? Meanwhile, people who've advocated tougher cybersecurity regulation (including me) are doing a victory lap in the press about how it will bolster our defenses. It'll help, I argue, but only some, and at a cost of new failures. The best example being TSA's effort to regulate pipeline security, which has struggled to avoid unintended consequences while being critiqued by an industry that has been hostile to the whole effort from the start. The most interesting impact of the war is in China. Jordan Schneider explores how China and Chinese companies are responding to sanctions on Russia. Jordan thinks that Chinese companies will follow their economic interests and adhere to sanctions—at least where it's clear they're being watched—despite online hostility to sanctions among Chinese digerati. Matthew and I think more attention needs to be paid to Chinese government efforts to police and intimidate ethnic Chinese, including Chinese Americans, in the United States. The Justice Department for one is paying attention; it has arrested several alleged Chinese government agents engaged in such efforts. Jordan unpacks China's new guidance on AI algorithms. I offer grudging respect to the breadth and value of the topics covered by China's AI regulatory endeavors. Dave and I are disappointed by a surprise package in the FY 22 omnibus appropriations act. Buried on page 2334 is an entire smorgasbord of regulation for intelligence agency employees who go looking for jobs after leaving the intelligence community. This version is better than the original draft, but mainly for the intelligence agencies; intelligence professionals seem to have been left out in the cold when revisions were proposed. Matthew does an update on the peanut butter sandwich spies who tried to sell nuclear sub secrets to a foreign power that the Justice Department did not name at the time of their arrest. Now that country has been revealed. It's Brazil, apparently chosen because the spies couldn't bring themselves to help an actual enemy of their country. And finally, I float my own proposal for the nerdiest possible sanctions on Putin. He's a big fan of the old Soviet empire, so it would be fitting to finally wipe out the last traces of the Soviet Union, which have lingered for thirty years too long in the Internet domain system. Check WIRED magazine for my upcoming op-ed on the topic. Download the 399th Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for t

A special reminder that we will be doing episode 400 live on video and with audience participation on March 28, 2022 at noon Eastern daylight time. So mark your calendar and when the time comes, use this link to join the audience: https://riverside.fm/studio/the-cyberlaw-podcast-400 See you there! For the third week in a row, we lead with cyber and Russia's invasion of Ukraine. Paul Rosenzweig comments on the most surprising thing about social media's decoupling from Russia—how enthusiastically the industry is pursuing the separation. Facebook is allowing Ukrainians to threaten violence against Russian leadership and removing or fact checking Russian government and media posts. Not satisfied with this, the EU wants Google to remove Russia Today and Sputnik from search results. I ask why the U.S. can't take over Facebook and Twitter infrastructure to deliver the Voice of America to Facebook and Twitter users who've been cut off by their departure. Nobody likes that idea but me. Meanwhile, Paul notes that The Great Cyberwar that Wasn't could still make an appearance, citing Ciaran Martin's sober Lawfare piece. David Kris tells us that Congress has, after a few false starts, finally passed a cyber incident reporting bill, notwithstanding the Justice Department's over-the-top histrionics in opposition. I wonder if the bill, passed in haste due to the Ukraine conflict, should have had another round of edits, since it seems to lock in a leisurely reg-writing process that the Cybersecurity and Infrastructure Security Agency (CISA) can't cut short. Jane Bambauer and David unpack the first district court opinion considering the legal status of "geofence" warrants—where Google gradually releases more data about people whose phones were found near a crime scene when the crime was committed. It's a long opinion by Judge M. Hannah Lauck, but none of us finds it satisfying. As is often true, Orin Kerr's take is more persuasive than the court's. Next, Paul Rosenzweig digs into Biden's cryptocurrency executive order. It's not a nothingburger, he opines, but it is a process-burger, meaning that nothing will happen in the field for many months, but the interagency mill will begin to grind, and sooner or later will likely grind exceeding fine. Jane and I draw lessons from WIRED's "expose" on three wrongful arrests based on face recognition software, but not the "face recognition is Evil" lesson WIRED wanted us to draw. The arrests do reflect less than perfect policing, and are a wrenching view of what it's like for an innocent man to face charges that aren't true. But it's unpersuasive to blame face recognition for mistakes that could have been avoided with a little more care by the cops. David and I highly recommend Brian Krebs's great series on what we can learn from leaked chat logs belonging to the Conti ransomware gang. What we learned from the Conti leaks. My favorite insight was the Conti member who said, when a company resisted paying to keep its files from being published, that "There is a journalist who will help intimidate them for 5 percent of the payout." I suggest that our listeners crowdsource an effort to find journalists who might fit this description. It might not be hard; after all, how many journalists these days are breaking stories that dive deep into doxxed databases? Paul and I spend a little more time than it deserves on an ICANN paper about ways to block Russia from the network. But I am inspired to suggest that the country code .su—presumably all that's left of the Soviet Union—be permanently retired. I mean, really, does anyone respectable want it back? Jane gives a lick and a promise to the Open App Markets bill coming out of the Senate Judiciary Committee. I alert the American Civil Liberties Union to a shocking porcine privacy invasion. I discover that none of the other panelists is surprised that 15 percent of people have already had sex with a robot but all of them find the idea of falling in love with a robot preposterous. Download the 398th Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families or pets.

Much of this episode is devoted to new digital curtain falling across Europe. Gus Horwitz and Mark-MacCarthy review the tech boycott that has seen companies like Apple, Samsung, Microsoft and Adobe pull their service from Russia. Nick Weaver describes how Russia cracked down on independent Russian media outlets and blocked access to the websites of foreign media including the BBC and Facebook. Gus reports on an apparent Russian decision to require all servers and domains to transfer Russian zone, thereby disconnecting itself from the global internet. Mark describes how private companies in the U.S. have excluded Russian media from their systems, including how DirecTV's decision to drop RT America led the Russian 24-hour news channel to shutter its operations. In contrast, the EU officially shut down all RT and Sputnik operations, including their apps and websites. Nick wonders if the enforcement mechanism is up to the task of taking down the websites. Gus, Dave and Mark discuss the myth making in social media about the Ukrainian war such as the Ghost of Kyiv, and wonder if fiction might do some good to keep up the morale of the besieged country. Dave Aitel reminds us that despite the apparent lack of cyberattacks in the war, more might be going on under the surface. He also he tells us more about the internal attack that affected the Conti Ransomware gang when they voiced support for Russia. Nick opines that cryptocurrencies do not have the volume to serve as an effective way around the financial sanctions against Russia. Sultan Meghji agrees that the financial sanctions will accelerate the move away from the dollar as the world's reserve currency and is skeptical that a principles-based constraint will do much good to halt that trend. A few things happened other than the war in Ukraine, including President Biden's first state of the union address. Gus notices that much of the speech was devoted to tech. He notes that the presence in the audience of Frances Haugen, the Facebook whistleblower, highlighted Biden's embrace of stronger online children's privacy laws and that the presence of Intel CEO Patrick Gelsinger gave the president the opportunity to pitch his plan to support domestic chip production. Sultan and Dave discuss the cybersecurity bill that passed out of the Senate unanimously. It would require companies in critical sectors to report cyberattacks and ransomware to the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA). They also analyze the concerns that companies have about providing information to the FBI. Dave thinks the bills that were discussed in this week's House Commerce hearing to hold Big Tech accountable, respond to wide-spread public concerns about tech's surveillance business model, but still he thinks they are unlikely to make it through the process to become law. Gus says that Amazon's certification that it has responded to the Federal Trade Commission's inquiries about its proposed $6.5 billion MGM merger triggers a statutory deadline for the agency to act. It is not the company's fault, he says, that the agency has a 2-2 between Democrats and Republicans that will likely prevent them opposing the merger in time. I take the opportunity to note that the Senate Commerce committee sent the nominations of Alvaro Bedoya for the Federal Trade Commission and Gigi Sohn for the Federal Communications Commission to the Senate floor, but that it would likely be several months before the full Senate would act on the nominations. Finally, Nick argues that certain measures in the European Commission's proposed digital identity framework, aiming to improve authentication on the web, would in practice have the opposite effect of dramatically weakening web security. Download the 397th Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Much of this episode is devoted to how modern networks and media are influencing what has become a major shooting war between Russia and Ukraine. Dmitri Alperovitch gives a sweeping overview. Ukraine and its president, Volodymyr Zelenskyy, clearly won the initial stages of the war in cyberspace, turning broad Western sympathy into a deeper commitment with short videos from downtown Kyiv at a time when Zelenskyy was expected to be racing for the border. The narrative of determined Ukrainian resistance and hapless Russian arrogance was set in cement by the end of the week, and Zelenskyy's ability to casually dial in to EU ministers' meetings (and just as casually say that this might be the last time the ministers saw him alive) changed official Europe's view of the conflict permanently. Putin's failure to seize Ukraine's capital and telecom facilities in the first day of the fight may mean a long, grinding conflict. Russia is doing its best to control the narrative on Russian networks by throttling Facebook, Twitter and other Western media. And it's essentially telling those companies that they need to distribute pro-Russian media in the West if they want a future in Russia. Dmitri believes that that's not a price Silicon Valley will pay for access to a country where every other bank and company is already off-limits due to Western sanctions. Jane Bambauer weighs in with the details of Russia's narrative-control efforts—and their failure. And what about the cyberattacks that press coverage led us to expect in this conflict between two technically capable adversaries? Nate Jones and Dmitri agree that, while network wiping and ransomware have occurred, their impact on the battle has not been obvious. Russia seems not to have sent its A-team to take down any of Ukraine's critical infrastructure. Meanwhile, as Western nations pledge more weapons and more sanctions, Russian cyber reprisals have been scarce, perhaps because Western counter-reprisals are clearly being held in reserve. All that said, and despite unprecedented financial sanctions and export control measures, initiative in the conflict remains with Putin, and none of the panel is looking forward to finding out how Putin will react to Russia's early humiliations in cyberspace and on the battlefield. In other tech news, the EU has not exactly turned over a new leaf when it comes to milking national security for competitive advantage over U.S. industry. Nate and Jane unpack the proposed European Data Act, best described as an effort to write a General Data Protection Regulation (GDPR) for non-personal data. And, as always, as a European effort to regulate a European tech industry into existence. Nate and I dig into a Foreign Affairs op-ed by Chris Inglis, the Biden administration's National Cyber Director. It calls for a new Cyber Social Contract between government and industry. I CTRL-F for "regulation" and don't find the word, likely thanks to White House copy editors, but the op-ed clearly thinks that more regulation is the key to ensuring public-private cooperation. Jane reprises a story from the estimable "Rest of World" tech site. It turns out that corrupt and abusive companies and governments have better tools for controlling their image than Vladimir Putin—all thanks to the European Parliament and the U.S. Congress, which approved GDPR and the Digital Millennium Copyright Act respectively. These turn out to be great tools for suppressing stories that make third-world big shots uncomfortable. I remind the audience once again that Privacy mainly Protects the Privileged and the Powerful. In closing, Jane and I catch up on the IRS's latest position on face recognition—and the wrongheadedness of the NGOs campaigning against the technology. Download the 396th Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Troops and sanctions and accusations are coming thick and fast in Ukraine as we record the podcast. Michael Ellis draws on his past experience at the National Security Council (NSC) to guess how things are going at the White House, and we both speculate on whether the conflict will turn into a cyberwar that draws the United States in. Neither of us thinks so, though for different reasons. Meanwhile, Nick Weaver reports, the Justice Department is gearing up for a fight with cryptocurrency criminals. Nick thinks it couldn't happen to a nicer industry. Michael and I contrast the launching of this initiative with the slow death of the China initiative at the hands of a few botched prosecutions. Michael and I do a roundup of news (all bad) about face recognition. District Judge Sharon Johnson Coleman (ND IL) gets our prize for least persuasive first amendment analysis of the year in an opinion holding that collecting and disclosing public data about people (what their faces look like) can be punished with massive civil liability even if no damages have been shown. After all, the judge declares in an analysis that covers a full page and a half (double-spaced), the Illinois law imposing liability "does not restrict a particular viewpoint nor target public discussion of an entire topic." But not to worry; the first amendment is bound to get a heavy workout in the next big face recognition lawsuit—the Texas Attorney General's effort to extract hundreds of billions of dollars from Facebook for similarly collecting the face of their users. My bet? This one will make it to the Supreme Court. Next, we review the IRS's travails in trying to use face recognition to verify taxpayers who want access to their returns. I urge everyone to read my latest op-ed in the Washington Post criticizing the Congressional critics of the effort. Finally, I mock the staff at Amnesty International who think that people who live in high-crime New York neighborhoods should be freed from the burden of being able to identify and jail street criminals using facial recognition. After all, if facial recognition were more equitably allocated, think of the opportunity to identify scofflaws who let their dogs poop on the sidewalk. Nick and I dig into the pending collision between European law enforcement agencies and privacy zealots in Brussels who want to ban EU use of NSO's Pegasus surveillance tech. Meanwhile, in a rare bit of good news for Pegasus's creator, an Israeli investigation is now casting doubt on press reports of Pegasus abuse. Finally, Michael and I mull over the surprisingly belated but still troubling disclosures about just how opaque TikTok has made its methods of operation. Two administrations in a row have started out to do something about this sus app, and neither has delivered – for reasons that demonstrate the deepest flaws of both. Download the 395th Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to [email protected]. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.