Steptoe Cyberlaw Podcast

The Cyberlaw Podcast kicks off 2023 by staring directly into the sun(set) of Section 702 authorization. The entire panel, including guest host Brian Fleming and guests Michael Ellis  and David Kris, debates where things could be headed this year as the clock is officially ticking on FISA Section 702 reauthorization. Although there is agreement that a straight reauthorization is unlikely in today’s political environment, the ultimate landing spot for Section 702 is very much in doubt and a “game of chicken” will likely precede any potential deal. Everything seems to be in play, as this reauthorization battle could result in meaningful reform or a complete car crash come this time next year. Sticking with Congress, Michael also reacts to President Biden’s recent bipartisan call to action regarding “Big Tech” and ponders where Republicans and Democrats could potentially find agreement on an issue everyone seems to agree on (for very different reasons). The panel also discusses the timing of President Biden’

Our first episode for 2023 features Dmitri Alperovitch, Paul Rosenzweig, and Jim Dempsey trying to cover a months’ worth of cyberlaw news. Dmitri and I open with an effort to summarize the state of the tech struggle between the U.S. and China. I think recent developments show the U.S. doing better than expected. U.S. companies like Facebook and Dell are engaged in voluntary decoupling as they imagine what their supply chain will look like if the conflict gets worse. China, after pouring billions into an effort to take a lead in high-end chip production, may be pulling back on the throttle. Dmitri is less sanguine, noting that Chinese companies like Huawei have shown that there is life after sanctions, and there may be room for a fast-follower model in which China dominates production of slightly less sophisticated chips, where much of the market volume is concentrated. Meanwhile, any Chinese retreat is likely tactical; where it has a dominant market position, as in rare earths, it remains eager to hobble

This bonus episode is an interview with Josephine Wolff and Dan Schwarcz, who along with Daniel Woods have written an article with the same title as this post. Their thesis is that breach lawyers have lost perspective in their no-holds-barred pursuit of attorney-client privilege to protect the confidentiality of forensic reports that diagnose the breach. Remarkably for a law review article, it contains actual field research. The authors interviewed all the players in breach response, from the company information security teams, the breach lawyers, the forensics investigators, the insurers and insurance brokers, and more. I remind them of Tracy Kidder’s astute observation that, in building a house, there are three main players—owner, architect, and builder—and that if you get any two of them in the room alone, they will spend all their time bad-mouthing the third. Wolff, Schwarcz, and Woods seem to have done that with the breach response players, and the bad-mouthing falls hardest on the lawyers.  The main

It’s been a news-heavy week, but we have the most fun in this episode with ChatGPT. Jane Bambauer, Richard Stiennon, and I pick over the astonishing number of use cases and misuse cases disclosed by the release of ChatGPT for public access. It is talented—writing dozens of term papers in seconds. It is sociopathic—the term papers are full of falsehoods, down to the made-up citations to plausible but nonexistent New York Times stories. And it has too many lawyers—Richard’s request that it provide his bio (or even Einstein’s) was refused on what are almost certainly data protection grounds. Luckily, either ChatGPT or its lawyers are also bone stupid, since reframing the question fools the machine into subverting the legal and PC limits it labors under. I speculate that it beat Google to a public relations triumph precisely because Google had even more lawyers telling their artificial intelligence what not to say. In a surprisingly under covered story, Apple has gone all in on child pornography. Its phone en

This episode of the Cyberlaw Podcast delves into the use of location technology in two big events—the surprisingly outspoken lockdown protests in China and the Jan. 6 riot at the U.S. Capitol. Both were seen as big threats to the government, and both produced aggressive police responses that relied heavily on government access to phone location data. Jamil Jaffer and Mark MacCarthy walk us through both stories and respond to the provocative question, what’s the difference? Jamil’s answer (and mine, for what it’s worth) is that the U.S. government gained access to location information from Google only after a multi-stage process meant to protect innocent users’ information, and that there is now a court case that will determine whether the government actually did protect users whose privacy should not have been invaded.  Whether we should be relying on Google’s made-up and self-protective rules for access to location data is a separate question. It becomes more pointed as Silicon Valley has started making

We spend much of this episode of the Cyberlaw Podcast talking about toxified technology – new tech that is being demonized for a variety of reasons. Exhibit One, of course, is “spyware,” essentially hacking tools that allow governments to access phones or computers otherwise closed to them, usually by end-to-end encryption. The Washington Post and the New York Times have led a campaign to turn NSO’s Pegasus tool for hacking phones into radioactive waste. Jim Dempsey, though, reminds us that not too long ago, in defending end-to-end encryption, tech policy advocates insisted that the government did not need mandated access to encrypted phones because they could engage in self-help in the form of hacking. David Kris points out that, used with a warrant, there’s nothing uniquely dangerous about hacking tools of this kind. I offer an explanation for why the public policy community and its Silicon Valley funders have changed their tune on the issue: having won the end-to-end encryption debate, they feel free to

The Cyberlaw Podcast leads with the legal cost of Elon Musk’s anti-authoritarian takeover of Twitter. Turns out that authority figures have a lot of weapons, many grounded in law, and Twitter is at risk of being on the receiving end of those weapons. Brian Fleming explores the apparently unkillable notion that the Committee on Foreign Investment in the U.S. (CFIUS) should review Musk’s Twitter deal because of a relatively small share that went to investors with Chinese and Persian Gulf ties. It appears that CFIUS may still be seeking information on what Twitter data those investors will have access to, but I am skeptical that CFIUS will be moved to act on what it learns. More dangerous for Twitter and Musk, says Charles-Albert Helleputte, is the possibility that the company will lose its one-stop-shop privacy regulator for failure to meet the elaborate compliance machinery set up by European privacy bureaucrats. At a quick calculation, that could expose Twitter to fines up to 120% of annual turnover. Final

We open this episode of the Cyberlaw Podcast by considering the (still evolving) results of the 2022 midterm election. Adam Klein and I trade thoughts on what Congress will do. Adam sees two years in which the Senate does nominations, the House does investigations, and neither does much legislation—which could leave renewal of the critically important intelligence authority, Section 702 of the Foreign Intelligence Surveillance Act (FISA), out in the cold. As supporters of renewal, we conclude that the best hope for the provision is to package it with trust-building measures to restore Republicans’ willingness to give national security agencies broad surveillance authorities. I also note that foreign government cyberattacks on our election, which have been much anticipated in election after election, failed once again to make an appearance. At this point, election interference is somewhere between Y2K and Bigfoot on the “things we should have worried about” scale. In other news, cryptocurrency conglomerate F

The war that began with the Russian invasion of Ukraine grinds on. Cybersecurity experts have spent much of 2022 trying to draw lessons about cyberwar strategies from the conflict. Dmitri Alperovitch takes us through the latest lessons, cautioning that all of them could look different in a few months, as both sides adapt to the others’ actions.  David Kris joins Dmitri to evaluate a Microsoft report hinting that China may be abusing its recent edict requiring that software vulnerabilities be reported first to the Chinese government. The temptation to turn such reports into zero-day exploits may be irresistible, and Microsoft notes with suspicion a recent rise in Chinese zero-day exploits. Dmitri worried about just such a development while serving on the Cyber Safety Review Board, but he is not yet convinced that we have the evidence to prove the case against the Chinese mandatory disclosure law.  Sultan Meghji keeps us in Redmond, digging through a deep Protocol story on how Microsoft has helped build A

You heard it on the Cyberlaw Podcast first, as we mash up the week’s top stories: Nate Jones commenting on Elon Musk’s expected troubles running Twitter at a profit and Jordan Schneider noting the U.S. government’s creeping, halting moves to constrain TikTok’s sway in the U.S. market. Since Twitter has never made a lot of money, even before it was carrying loads of new debt, and since pushing TikTok out of the U.S. market is going to be an option on the table for years, why doesn’t Elon Musk position Twitter to take its place?  It’s another big week for China news, as Nate and Jordan cover the administration’s difficulties in finding a way to thwart China’s rise in quantum computing and artificial intelligence (AI). Jordan has a good post about the tech decoupling bombshell. But the most intriguing discussion concerns China’s remarkably limited options for striking back at the Biden administration for its harsh sanctions. Meanwhile, under the heading, When It Rains, It Pours, Elon Musk’s Tesla faces a c

This episode features Nick Weaver, Dave Aitel and I covering a Pro Publica story (and forthcoming book) on the difficulties the FBI has encountered in becoming the nation’s principal resource on cybercrime and cybersecurity. We end up concluding that, for all its successes, the bureau’s structural weaknesses in addressing cybersecurity are going to haunt it for years to come. Speaking of haunting us for years, the effort to decouple U.S. and Chinese tech sectors continues to generate news. Nick and Dave weigh in on the latest (rumored) initiative: cutting off China’s access to U.S. quantum computing and AI technology, and what that could mean for the U.S. semiconductor companies, among others. We could not stay away from the Elon Musk-Twitter story, which briefly had a national security dimension, due to news that the Biden Administration was considering a Committee on Foreign Investment in the United States review of the deal. That’s not a crazy idea, but in the end, we are skeptical that this will happen

David Kris opens this episode of the Cyberlaw Podcast by laying out some of the massive disruption that the Biden Administration has kicked off in China’s semiconductor industry—and its Western suppliers. The reverberations of the administration’s new measures will be felt for years, and the Chinese government’s response, not to mention the ultimate consequences, remains uncertain. Richard Stiennon, our industry analyst, gives us an overview of the cybersecurity market, where tech and cyber companies have taken a beating but cybersecurity startups continue to gain funding.  Mark MacCarthy reviews the industry from the viewpoint of the trustbusters. Google is facing what looks like a serious AdTech platform challenge from several directions—the EU, the Justice Department, and several states. Facebook, meanwhile, is lucky to be a target of the Federal Trade Commission, which rather embarrassingly had to withdraw claims that the acquisition of Within would remove an actual (as opposed to hypothetical) competi

It’s been a jam-packed week of cyberlaw news, but the big debate of the episode is triggered by the White House blueprint for an AI Bill of Rights. I’ve just released a long post about the campaign to end “AI bias” in general, and the blueprint in particular. In my view, the bill of rights will end up imposing racial and gender (and intersex!) quotas on a vast swath of American life. Nick Weaver argues that AI is in fact a source of secondhand racism and sexism, something that will not be fixed until we do a better job of forcing the algorithm to explain how it arrives at the outcomes it produces. We do not agree on much, but we do agree that lack of explainability is a big problem for the new technology. President Biden has issued an executive order meant to resolve the U.S.-EU spat over transatlantic data flows. At least for a few years, until the anti-American EU Court of Justice finds it wanting again. Nick and I explore some of the mechanics. I think it’s bad for the privacy of U.S. persons and for the

We open today’s episode by teasing the Supreme Court’s decision to review whether section 230 protects big platforms from liability for materially assisting terror groups whose speech they distribute (or even recommend). I predict that this is the beginning of the end of the house of cards that aggressive lawyering and good press have built on the back of section 230. Why? Because Big Tech stayed out of the Supreme Court too long. Now, just when section 230 gets to the Court, everyone hates Silicon Valley and its entitled content moderators. Jane Bambauer, Gus Hurwitz, and Mark MacCarthy weigh in, despite the unfairness of having to comment on a cert grant that is two hours old. Just to remind us why everyone hates Big Tech’s content practices, we do a quick review of the week’s news in content suppression.  A couple of conservative provocateurs prepared a video consisting of Democrats being “election deniers.” The purpose was to show the hypocrisy of those who criticize the GOP for a meme that belonged mai

This episode features a much deeper, and more diverse, examination of the Fifth Circuit decision upholding Texas’s social media law. We devote the last half of the episode to a structured dialogue about the opinion between Adam Candeub and Alan Rozenshtein. Both have written about it already, Alan critically and Adam supportively. I lead off, arguing that, contrary to legal Twitter’s dismissive reaction, the opinion is a brilliant and effective piece of Supreme Court advocacy. Alan thinks that is exactly the problem; he objects to the opinion’s grating self-certainty and refusal to acknowledge the less convenient parts of past case law. Adam is closer to my view. We all seem to agree that the opinion succeeds as an audition for Judge Andrew Oldham to become Justice Oldham in the DeSantis Administration.   We walk through the opinion and what its critics don’t like, touching on the competing free expression interests of social media users and of the platforms themselves, whether there’s any basis for an i

The big news of the week was a Fifth Circuit decision upholding Texas social media regulation law. It was poorly received by the usual supporters of social media censorship but I found it both remarkably well written and surprisingly persuasive. That does not mean it will survive the almost inevitable Supreme Court review but Judge AndyOldham wrote an opinion that could be a model for a Supreme Court decision upholding Texas law.  The big hacking story of the week was a brutal takedown of Uber, probably by the dreaded Advanced Persistent Teenager. Dave Aitel explains what happened and why no other large corporation should feel smug or certain that it cannot happen to them. Nick Weaver piles on. Maury Shenk explains the recent European court decision upholding sanctions on Google for its restriction of Android phone implementations. Dave points to some of the less well publicized aspects of the Twitter whistleblower’s testimony before Congress. We agree on the bottom line—that Twitter is utterly incapable

This is our return-from-hiatus episode. Jordan Schneider kicks things off by recapping passage of a major U.S. semiconductor-building subsidy bill, while new contributor Brian Fleming talks with Nick Weaver about new regulatory investment restrictions and new export controls on (artificial Intelligence (AI) chips going to China. Jordan also covers a big corruption scandal arising from China’s big chip-building subsidy program, leading me to wonder when we’ll have our version. Brian and Nick cover the month’s biggest cryptocurrency policy story, the imposition of OFAC sanctions on Tornado Cash. They agree that, while the outer limits of sanctions aren’t entirely clear, they are likely to show that sometimes the U.S. Code actually does trump the digital version. Nick points listeners to his bracing essay, OFAC Around and Find Out. Paul Rosenzweig reprises his role as the voice of reason in the debate over location tracking and Dobbs. (Literally. Paul and I did an hour-long panel on the topic last week.

Just when you thought you had a month free of the Cyberlaw Podcast, it turns out that we are persisting, at least a little. This month we offer a bonus episode, in which Dave Aitel and I interview Michael Fischerkeller, one of three authors of "Cyber Persistence Theory: Redefining National Security in Cyberspace."  The book is a detailed analysis of how cyberattacks and espionage work in the real world—and a sharp critique of military strategists who have substituted their models and theories for the reality of cyber conflict. We go deep on the authors’ view that conflict in the cyber realm is all about persistent contact and faits accomplis rather than compulsion and escalation risk. Dave pulls these threads with enthusiasm.  I recommend the book and interview in part because of how closely the current thinking at United States Cyber Command is mirrored in both.

As Congress barrels toward an election that could see at least one house change hands, efforts to squeeze big bills into law are mounting. The one with the best chance (and better than I expected) would drop $52 billion in cash and a boatload of tax breaks on the semiconductor industry. Michael Ellis points out that this is industrial policy without apology, and a throwback to the 1980s, when the government organized SEMATECH, a name derived from “Semiconductor Manufacturing Technology” to shore up U.S. chipmaking. Thanks to a bipartisan consensus on the need to fight a Chinese challenge, and a trimming of provisions that tried to hitch a ride on the bill, there now looks to be a clear path to enactment for this bill.  And if there were doubt about how serious the Chinese challenge in chips will be, an under-covered story revealed that China’s chipmaking champion, SMIC, has been making 7-nanometer chips for months without an announcement. That’s a diameter that Intel and GlobalFoundries, the main U.S. produ

Kicking off a packed episode, the Cyberlaw Podcast calls on Megan Stifel to cover the first Cyber Safety Review Board (CSRB) Report. The CSRB does exactly what those of us who supported the idea hoped it would do—provide an authoritative view of how the Log4J incident unfolded along with some practical advice for cybersecurity executives and government officials. Jamil Jaffer tees up the second blockbuster report of the week, a Council on Foreign Relations study called “Confronting Reality in Cyberspace Foreign Policy for a Fragmented Internet.” I think the study’s best contribution is its demolition of the industry-led claim that we must have a single global internet. That has not been true for a decade, and pursuing that vision means that the U.S. is not defending its own interests in cyberspace. I call out the report for the utterly wrong claim that the United States can resolve its transatlantic dispute with Europe by adopting a European-style privacy law. Europe’s beef with us on privacy reregulation