
The Cyberlaw Podcast
The Cyberlaw Podcast is a weekly interview series and discussion offering an opinionated roundup of the latest events in technology, security, privacy, and government. It features in-depth interviews of a wide variety of guests, including academics, politicians, authors, reporters, and other technology and policy newsmakers. Hosted by cybersecurity attorney Stewart Baker, whose views expressed are his own.
Latest episodes

Sep 6, 2023 • 1h 1min
TechnoColonialism – In Reverse
The Cyberlaw Podcast is back from August hiatus, and the theme of the episode seems to be the way other countries are using the global success of U.S. technology to impose their priorities on the U.S. Exhibit 1 is the EU’s Digital Services Act, which took effect last month. Michael Ellis spells out a few of the act’s sweeping changes in how U.S. tech companies must operate – nominally in Europe but as a practical matter in the U.S. as well. The largest platforms will be heavily regulated, with restrictions on their content curation algorithms and a requirement that they promote government content when governments declare a crisis. Other social media will also be subject to heavy content regulation, such as transparency in their decisions to demote or ban content and a requirement that they respond promptly to takedown requests from “trusted flaggers” of Bad Speech. In search of a silver lining, I point out that many of the transparency and due process requirements are things that Texas and Florida have advocated over the objections of Silicon Valley companies. Compliance with the EU Act will undercut those claims in the Supreme Court arguments we’re likely to hear this term, claiming that it can’t be done. Cristin Flynn Goodwin and I note that China’s on-again off-again regulatory enthusiasm is off again. Chinese officials are doing their best to ease Western firms’ concerns about China’s new data security law requirements. Even more remarkable, China’s AI regulatory framework was watered down in August, moving away from the EU model and toward a U.S./U.K. ethical/voluntary approach. For now. Cristin also brings us up to speed on the SEC’s rule on breach notification. The short version: The rule will make sense to anyone who’s ever stopped putting out a kitchen fire to call their insurer to let them know a claim may be coming. Nick Weaver brings us up to date on cryptocurrency and the law. Short version: Cryptocurrency had one victory, which it probably deserved, in the Grayscale case, and a series of devastating losses over Tornado Cash, as a court rejected Tornado Cash’s claim that its coders and lawyers had found a hole in Treasury’s Office of Foreign Assets Control ("OFAC") regime, and the Justice Department indicted the prime movers in Tornado Cash for conspiracy to launder North Korea’s stolen loot. Here’s Nick’s view in print. Just to show that the EU isn’t the only jurisdiction that can use U.S. legal models to hurt U.S. policy, China managed to kill Intel’s acquisition of Tower Semiconductor by stalling its competition authority’s review of the deal. I see an eerie parallel between the Chinese aspirations of federal antitrust enforcers and those of the Christian missionaries we sent to China in the 1920s. Michael and I discuss the belated leak of the national security negotiations between CFIUS and TikTok. After a nod to substance (no real surprises in the draft), we turn to the question of who leaked it, and whether the effort to curb TikTok is dead. Nick and I explore the remarkable impact of the war in Ukraine on drone technology. It may change the course of war in Ukraine (or, indeed, a war over Taiwan), Nick thinks, but it also means that Joe Biden may be the last President to see the sky while in office. (And if you’ve got space in D.C. and want to hear Nick’s provocative thoughts on the topic, he will be in town next week, and eager to give his academic talk: "Dr. Strangedrone, or How I Learned to Stop Worrying and Love the Slaughterbots".) Cristin, Michael and I dig into another August policy initiative, the “outbound Committee on Foreign Investment in the United States (CFIUS)” order. Given the long delays and halting rollout, I suggest that the Treasury’s Advance Notice of Proposed Rulemaking (ANPRM) on the topic really stands for Ambivalent Notice of Proposed Rulemaking.” Finally, I suggest that autonomous vehicles may finally have turned the corner to success and rollout, now that they’re being used as rolling hookup locations and (perhaps not coincidentally) being approved to offer 24/7 robotaxi service in San Francisco. Nick’s not ready to agree, but we do find common ground in criticizing a study. Download 470th Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@gmail.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Jul 26, 2023 • 55min
AI Leaders Bring Washington a Bag of Promises
In our last episode before the August break, the Cyberlaw Podcast drills down on the AI industry leaders’ trip to Washington, where they dutifully signed up to what Gus Hurwitz calls “a bag of promises.” Gus and I parse the promises, some of which are empty, others of which have substance. Along the way, we examine the EU’s struggling campaign to lobby other countries to adopt its AI regulation framework. Really, guys, if you don’t want to be called regulatory neocolonialists, maybe you shouldn’t go around telling former European colonies to change their laws to match Europe’s. Jeffery Atik picks up the AI baton, unpacking Senate Majority Leader Chuck Schumer’s (D-N.Y.) overhyped set of AI amendments to the National Defense Authorization Act (NDAA), and panning authors’ claim that AI models have been “stealing” their works. Also this week, another endless and unjustified claim of high-tech infringement came to a likely close with appellate rejection of the argument that linking to a site violates the site’s copyright. We also cover the industry’s unfortunately well-founded fear of enabling face recognition and Meta’s unusual open-source AI strategy. Richard Stiennon pulls the podcast back to the National Cybersecurity Implementation Plan, which I praised last episode for its disciplined format. Richard introduces us to an Atlantic Council report allowing several domain experts to mark up the text. This exposes flaws not apparent on first read; it turns out that the implementation plan took a few remarkable dives, even omitting all mention of one of the strategy’s more ambitious goals. Gus gives us a regulatory lawyer’s take on the FCC’s new cybersecurity label for IoT devices and the EPA’s beleaguered regulations for water system cybersecurity. He doubts that either program can be grounded in a grant of regulatory jurisdiction. Richard points out that CISA managed to get new cybersecurity concessions from Microsoft without even a pretense of regulatory jurisdiction. Gus gives us a quick assessment of the latest DOJ/FTC draft merger review guidelines. He thinks it’s an overreach that will tarnish the prestige and persuasiveness of the guidelines. In quick hits: Richard updates us on the latest U.S. sanctions on European spyware firms. I offer a dissent from the whole campaign. Jeffery covers the brain drain in semiconductors from Europe to China, and we ask when it will hit the U.S. Gus covers the latest technopanic and media handwringing over the use of technology to catch serial killers and drug dealers. Speaking of technopanics, I question the latest narrative expressing shock that an FBI agent searched the 702 database Download 469th Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@gmail.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Jul 18, 2023 • 55min
The FTC Doubles Down, Down, Down
This episode of the Cyberlaw Podcast kicks off with a stinging defeat for the Federal Trade Commission (FTC), which could not persuade the courts to suspend the Microsoft-Activision Blizzard acquisition. Mark MacCarthy says that the FTC’s loss will pave the way for a complete victory for Microsoft, as other jurisdictions trim their sails. We congratulate Brad Smith, Microsoft’s President, whose policy smarts likely helped to construct this win. Meanwhile, the FTC is still doubling down on its determination to pursue aggressive legal theories. Maury Shenk explains the agency’s investigation of OpenAI, which raises issues not usually associated with consumer protection. Mark and Maury argue that this is just a variation of the tactic that made the FTC the de facto privacy regulator in the U.S. I ask why policing ChatGPT’s hallucinatory libel problem constitutes consumer protection, and they answer, plausibly, that libel is a kind of deception, which the FTC does have authority to police. Mark then helps us drill down on the Associated Press deal licensing its archives to OpenAI, a deal that may turn out to be good for both companies. Nick Weaver and I try to make sense of the district court ruling that Ripple’s XRP is a regulated investment contract when provided to sophisticated buyers but not when sold to retail customers in the market. It is hard to say that it makes policy sense, since the securities laws are there to protect the retail customers more than sophisticated buyers. But it does seem to be at least temporary good news for the cryptocurrency exchanges, who now have a basis for offering what the SEC has been calling an unregistered security. And it’s clearly bad news for the SEC, which may not be able to litigate its way to the Cryptopocalypse it has been pursuing. Andy Greenberg makes a guest appearance to discuss his WIRED story about the still mysterious mechanism by which Chinese cyberspies acquired the ability to forge Microsoft authentication tokens. Maury tells us why Meta’s Twitter-killer, Threads, won’t be available soon in Europe. That leads me to reflect on just how disastrously Brussels has managed the EU’s economy. Fifteen years ago, the U.S. and EU had roughly similar GDPs, at about $15 trillion each. Now the EU GDP has scarcely grown, while U.S. GCP is close to $25 trillion. It’s hard to believe that EU tech policy hasn’t contributed to this continental impoverishment, which Maury points out is even making Brexit look good. Maury also explains the French police drive to get explicit authority to conduct surveillance through cell phones. Nick offers his take on FISA section 702 reform. Stories. And Maury evaluates Amazon’s challenge to new EU content rules, which he thinks have more policy than legal appeal. Not content with his takedown of the Ripple decision, Nick reviews all the criminal cases in which cryptocurrency enthusiasts are embroiled. These include a Chinese bust of Multichain, the sentencing of Variety Jones for his role in the Silk Road crime market, and the arrest of Alex Mashinsky, CEO of the cryptocurrency exchange Celsius. Finally, in quick hits, Mark and I duel over the lawsuit claiming that Texas’s TikTok Ban on government phones will threaten academic freedom. I praise the surprisingly good National Cybersecurity-Strategy Implementation Plan and puzzle over the decision not to nominate the acting head of that office to head the office permanently. And I note that the Allow States and Victims to Fight Online Sex Trafficking Act, also known as FOSTA-SESTA, reviled by the left, has withstood a constitutional challenge in the DC Circuit. Download 468th Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@gmail.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Jul 11, 2023 • 51min
District Judge’s Injunction Sets Off Fireworks
It’s surely fitting that a decision released on July 4 would set off fireworks on the Cyberlaw Podcast. The source of the drama was U.S. District Court Judge Terry Doughty’s injunction prohibiting multiple federal agencies from leaning on social media platforms to suppress speech the agencies don’t like. Megan Stifel, Paul Rosenzweig, and I could not disagree more about the decision, which seems quite justified to me, given the aggressive White House communications telling the platforms whose speech the government wanted suppressed. Paul and Megan argue that it’s not censorship, that the judge got standing law wrong, and that I ought to invite a few content moderation aficionados on for a full hour episode on the topic. That all comes after a much less lively review of recent stories on artificial intelligence. Sultan Meghji downplays OpenAI’s claim that they’ve taken a step forward in preventing the emergence of a “misaligned”—in other words evil—superintelligence. We note what may be the first real-life “liar’s dividend” from deep faked voice. Even more interesting is the prospect that large language models will end up poisoning themselves by consuming their own waste—that is, by being trained on recent internet discourse that includes large volumes of text created by earlier models. That might stall progress in AI, Sultan suggests. But not, I predict before government regulation tries to do the same; as witness, New York City’s law requiring companies that use AI in hiring to disclose all the evidence needed to sue them for discrimination. Also vying to load large language models with rent-seeking demands are Big Content lawyers. Sultan and I try to separate the few legitimate intellectual property claims against AI from the many bogus ones. I channel a recent New York gubernatorial candidate in opining that the rent-seeking is too damn high. Paul dissects China’s most recent and self-defeating effort to deter the West from decoupling from Chinese supply chains. It looks as though China was so eager to punish the West that it rolled out supply chain penalties before it had the leverage to make the punishment stick. Speaking of self-defeating Chinese government policies, it looks as though the government’s two-minute hate directed at China’s fintech giants is coming to an end. Sultan walks us through the wreckage of the American cryptocurrency industry, pausing to note the executive exodus from Binance and the end of the view that cryptocurrency could be squared with U.S. regulatory authorities. Not in this administration, and maybe not in any, and outcome that will delay financial modernization here for years. I renew my promise to get Gus Coldebella on the podcast to see if he can turn the tide of negativism. In quick hits and updates: There’s an effort afoot to amend the National Defense Authorization Act to prevent American government agencies, and only American government agencies, from buying data available to everyone else. We are skeptical that it will pass. The EU and the U.S. have reached a (third) transatlantic data transfer deal, and just in time for Meta, which was facing a new set of competition attacks on its data protection compliance. And Canada, which already looks ineffectual for passing a link tax that led Facebook and Google to simply drop links to Canadian media, now looks ineffectual and petty, announcing it has pulled its paltry advertising budget from Facebook. Oh, and last year’s social media villain is this year’s social media hero, at least on the left, as Meta launches Threads and threatens Twitter’s hopes for a recovery. Download 467th Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@gmail.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Jul 5, 2023 • 53min
The Geopolitics of Extraditing Hackers
Geopolitics has always played a role in prosecuting hackers. But it’s getting a lot more complicated, as Kurt Sanger reports. Responding to a U.S. request, a Russian cybersecurity executive has been arrested in Kazakhstan, accused of having hacked Dropbox and Linkedin more than ten years ago. The executive, Nikita Kislitsin, has been hammered by geopolitics in that time. The firm he joined after the alleged hacking, Group IB, has seen its CEO arrested by Russia for treason—probably for getting too close to U.S. investigators. Group IB sold off all its Russian assets and moved to Singapore, while Kislitsin stayed behind, but showed up in Kazakhstan recently, perhaps as a result of the Ukraine war. Now both Russia and the U.S. have dueling extradition requests before the Kazakh authorities; Paul Stephan points out that Kazakhstan’s tenuous independence from Russia will be tested by the tug of war. In more hacker geopolitics, Kurt and Justin Sherman examine the hacking of a Russian satellite communication system that served military and civilian users. It’s reminiscent of the Viasat hack that complicated Ukrainian communications, and a bunch of unrelated commercial services, when Russia invaded. Kurt explores the law of war issues raised by an attack with multiple impacts. Justin and I consider the claim that the Wagner group carried it out as part of their aborted protest march on Moscow. We end up thinking that this makes more sense as the Ukrainians serving up revenge for Viasat at a time when it might complicate Russian’s response to the Wagner group. But when it’s hacking and geopolitics, who really knows? Paul outlines the legal theory—and antitrust nostalgia—behind the FTC’s planned lawsuit targeting Amazon’s exploitation of its sales platform. We also ask whether the FTC will file the case in court or before the FTC’s own administrative law judge. The latter may smooth the lawsuit’s early steps, but it will also bring to the fore arguments that Lina Khan should recuse herself because she’s already expressed a view on the issues to be raised by the lawsuit. I’m not Chairman Khan’s biggest fan, but I don’t see why her policy views should lead to recusal; they are, after all, why she was appointed in the first place. Justin and I cover the latest Chinese law raising the risk of doing business in that country by adopting a vague and sweeping view of espionage. Paul and I try to straighten out the EU’s apparently endless series of laws governing data, from General Data Protection Regulation (GDPR) and the AI Act to the Data Act (not to be confused with the Data Governance Act). This week, Paul summarizes the Data Act, which sets the terms for access and control over nonpersonal data. It’s based on a plausible idea—that government can unleash the value of data by clarifying and making fair the rules for who can use data in new businesses. Of course, the EU is unable to resist imposing its own views of fairness, thus upsetting existing commercial arrangements without really providing any certainty about what will replace them. The outcome is likely to reduce, not improve, the certainty that new data businesses want. Speaking of which, that’s the critique of the AI Act now being offered by dozens of European business executives, whose open letter slams the way the AI Act kludged the regulation of generative AI into a framework where it didn’t really fit. They accuse the European Parliament of “wanting to anchor the regulation of generative AI in law and proceeding with a rigid compliance logic [that] is as bureaucratic … as it is ineffective in fulfilling its purpose.” And you thought I was the EU-basher. Justin recaps an Indian court’s rejection of Twitter’s lawsuit challenging the Indian government’s orders to block users who’ve earned the government’s ire. Kurt covers a matching story about whether Facebook should suspend Hun Sen’s Facebook account for threatening users with violence. I take us to Nigeria and question why social media thinks governments can be punished for threatening violence. Finally, in two updates, I note that Google has joined Facebook in calling Canada’s bluff by refusing to link to Canadian news media in order to avoid the Canadian link tax. And I do a victory lap for the Cyberlaw Podcast’s Amber Alert feature. One week after we nominated the Commerce Department’s IT supply chain security program for an Amber Alert, the Department answered the call by posting the supply chain czar position in USAJOBS. Download 466th Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@gmail.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Jul 3, 2023 • 58min
Stewart Baker and Max Schrems Debate the Privacy Framework
Max Schrems is the lawyer and activist behind two (and, probably soon, a third) legal challenge to the adequacy of U.S. law to protect European personal data. Thanks to the Federalist Society’s Regulatory Transparency Project, Max and I were able to spend an hour debating the law and policy behind Europe’s generation-long fight with the United States over transatlantic data flows. It’s civil, pointed, occasionally raucous, and wide-ranging – a fun, detailed introduction to the issues that will almost certainly feature in the next round of litigation over the latest agreement between Europe and the U.S. Don’t miss it! Download 465th Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@gmail.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Jun 28, 2023 • 46min
Sen. Schumer Tackles AI Regulation
Sen. Schumer (D-N.Y.) has announced an ambitious plan to produce a bipartisan AI regulation program in a matter of months. Jordan Schneider admires the project; I’m more skeptical. The rest of our commentators, Chessie Lockhart and Michael Ellis, also weigh in on AI issues. Chessie lays out the case against panicking over existential AI threats, this week canvassed in the MIT Technology Review. I suggest that anyone complaining that the EU or China is getting ahead of the U.S. in AI regulation (lookin’ at you, Sen. Warner!) doesn’t quite understand the race we’re running. Jordan explains the difficulty the U.S. faces in trying to keep China from surprising us in AI. Michael catches us up on Canada’s ill-advised effort to force Google and Meta to pay Canadian media whenever a user links to a Canadian story. Meta has already said it would rather end such links. The end result could be that even more Canadian news gets filtered through American media, hardly a popular outcome north of the border. Speaking of ill-advised regulatory initiatives, Michael and I comment on Australia’s threatening Twitter with a fine for allowing too much hate speech on the platform post-Elon. Chessie gives an overview of the Data Elimination and Limiting Extensive Tracking and Exchange Act or the DELETE Act, a relatively modest bipartisan effort to regulate data brokers’ control of personal data. Michael and I talk about the growing tension between EU member states with real national security tasks to complete and the Brussels establishment, which has enjoyed a 70-year holiday from national security history and expects the next 70 to be more of the same. The latest conflict is over how much leeway to give member states when they feel the need to plant spyware on journalists’ phones. Remarkably, both sides think the government should have such leeway; the fight is over how much. Michael and I are surprised that the BBC feels obliged to ask, “Why is it so rare to hear about Western cyber-attacks?” Because, BBC, the agencies carrying out those attacks are on our side and mostly respect rules we support. In updates and quick hits: I bring listeners up to date on how things turned out for the lawyers who filed a ChatGPT-hallucinated brief in federal court: Not well. Chessie flags the creation of a new Justice Department section in the National Security Division: Natsec Cyber Chessie also welcomes the growing recognition, some of it in cold, hard cash, for cyber security clinics. Download 464th Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@gmail.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Jun 21, 2023 • 59min
Yet Another Synthetic Moral Panic Over Privacy
Senator Ron Wyden (D-Ore.) is to moral panics over privacy what Andreessen Horowitz is to cryptocurrency startups. He’s constantly trying to blow life into them, hoping to justify new restrictions on government or private uses of data. His latest crusade is against the intelligence community’s purchase of behavioral data, which is generally available to everyone from Amazon to the GRU. He has launched his campaign several times, introducing legislation, holding up Avril Haines’s confirmation over the issue, and extracting a Director of National Intelligence report on the topic that has now been declassified. It was a sober and reasonable explanation of why commercial data is valuable for intelligence purposes, so naturally WIRED magazine’s headline summary was, “The U.S. Is Openly Stockpiling Dirt on All Its Citizens.” Matthew Heiman takes us through the story, sparking a debate that pulls in Michael Karanicolas and Cristin Flynn Goodwin. Next, Michael explains IBM’s announcement that it has made a big step forward in quantum computing. Meanwhile, Cristin tells us, the EU has taken another incremental step forward in producing its AI Act—mainly by piling even more demands on artificial intelligence companies. We debate whether Europe can be a leader in AI regulation if it has no AI industry. (I think it makes the whole effort easier, pointing to a Stanford study suggesting that every AI model we’ve seen is already in violation of the AI Act’s requirements.) Michael and I discuss a story claiming persuasively that an Amazon driver’s allegation of racism led to an Amazon customer being booted out of his own “smart” home system for days. This leads us to the question of how Silicon Valley’s many “local” monopolies enable its unaccountable power to dish out punishment to customers it doesn’t approve of. Matthew recaps the administration’s effort to turn the debate over renewal of section 702 of FISA. This week, it rolled out some impressive claims about the cyber value of 702, including identifying the Colonial Pipeline attackers (and getting back some of the ransom). It also introduced yet another set of FBI reforms designed to ensure that agents face career consequences for breaking the rules on accessing 702 data. Cristin and I award North Korea the “Most Improved Nation State Hacker” prize for the decade, as the country triples its cryptocurrency thefts and shows real talent for social engineering and supply chain exploits. Meanwhile, the Russians who are likely behind Anonymous Sudan decided to embarrass Microsoft with a DDOS attack on its application level. The real puzzle is what Russia gains from the stunt. Finally, in updates and quick hits, we give deputy national cyber director Rob Knake a fond sendoff, as he moves to the private sector, we anticipate an important competition decision in a couple of months as the FTC tries to stop the Microsoft-Activision Blizzard merger in court, and I speculate on what could be a Very Big Deal – the possible breakup of Google’s adtech business. Download 463rd Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@gmail.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Jun 13, 2023 • 49min
Cryptopocalypse
It was a disastrous week for cryptocurrency in the United States, as the Securities Exchange Commission (SEC) filed suit against the two biggest exchanges, Binance and Coinbase, on a theory that makes it nearly impossible to run a cryptocurrency exchange that is competitive with overseas exchanges. Nick Weaver lays out the differences between “process crimes” and “crime crimes,” and how they help distinguish the two lawsuits. The SEC action marks the end of an uneasy truce, but not the end of the debate. Both exchanges have the funds for a hundred-million-dollar defense and lobbying campaign. So you can expect to hear more about this issue for years (and years) to come. I touch on two AI regulation stories. First, I found Mark Andreessen’s post trying to head off AI regulation pretty persuasive until the end, where he said that the risk of bad people using AI for bad things can be addressed by using AI to stop them. Sorry, Mark, it doesn’t work that way. We aren’t stopping the crimes that modern encryption makes possible by throwing more crypto at the culprits. My nominee for the AI Regulation Hall of Fame, though, goes to Japan, which has decided to address the phony issue of AI copyright infringement by declaring that it’s a phony issue and there’ll be no copyright liability for their AI industry when they train models on copyrighted content. This is the right answer, but it’s also a brilliant way of borrowing and subverting the EU’s GDPR model (“We regulate the world, and help EU industry too”). If Japan applies this policy to models built and trained in Japan, it will give Japanese AI companies at least an arguable immunity from copyright claims around the world. Companies will flock to Japan to train their models and build their datasets in relative regulatory certainty. The rest of the world can follow suit or watch their industries set up shop in Japan. It helps, of course, that copyright claims against AI are mostly rent-seeking by Big Content, but this has to be the smartest piece of international AI regulation any jurisdiction has come up with so far. Kurt Sanger, just back from a NATO cyber conference in Estonia, explains why military cyber defenders are stressing their need for access to the private networks they’ll be defending. Whether they’ll get it, we agree, is another kettle of fish entirely. David Kris turns to public-private cooperation issues in another context. The Cyberspace Solarium Commission has another report out. It calls on the government to refresh and rethink the aging orders that regulate how the government deals with the private sector on cyber matters. Kurt and I consider whether Russia is committing war crimes by DDOSing emergency services in Ukraine at the same time as its bombing of Ukrainian cities. We agree that the evidence isn’t there yet. Nick and I dig into two recent exploits that stand out from the crowd. It turns out that Barracuda’s security appliance has been so badly compromised that the only remedial measure involve a woodchipper. Nick is confident that the tradecraft here suggests a nation-state attacker. I wonder if it’s also a way to move Barracuda’s customers to the cloud. The other compromise is an attack on MOVEit Transfer. The attack on the secure file transfer system has allowed ransomware gang Clop to download so much proprietary data that they have resorted to telling their victims to self-identify and pay the ransom rather than wait for Clop to figure out who they’ve pawned. Kurt, David, and I talk about the White House effort to sell section 702 of FISA for its cybersecurity value and my effort, with Michael Ellis, to sell 702 (packaged with intelligence reform) to a conservative caucus that is newly skeptical of the intelligence community. David finds himself uncomfortably close to endorsing our efforts. Finally, in quick updates: Nick talks about Tesla’s Full Self Driving, and the accidents it has been involved in I warn listeners that Virginia has joined the ranks of states that require an ID proving age to access Pornhub. I predict that twenty states will adopt such a requirement in the next year Download 462nd Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@gmail.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.

Jun 6, 2023 • 60min
Debating AI Regulation
This episode of the Cyberlaw Podcast kicks off with a spirited debate over AI regulation. Mark MacCarthy dismisses AI researchers’ recent call for attention to the existential risks posed by AI; he thinks it’s a sci-fi distraction from the real issues that need regulation—copyright, privacy, fraud, and competition. I’m utterly flummoxed by the determination on the left to insist that existential threats are not worth discussing, at least while other, more immediate regulatory proposals have not been addressed. Mark and I cross swords about whether anything on his list really needs new, AI-specific regulation when Big Content is already pursuing copyright claims in court, the FTC is already primed to look at AI-enabled fraud and monopolization, and privacy harms are still speculative. Paul Rosenzweig reminds us that we are apparently recapitulating a debate being held behind closed doors in the Biden administration. Paul also points to potentially promising research from OpenAI on reducing AI hallucination. Gus Hurwitz breaks down the week in FTC news. Amazon settled an FTC claim over children’s privacy and another over security failings at Amazon’s Ring doorbell operation. The bigger story is the FTC’s effort to issue a commercial death sentence on Meta’s children’s business for what looks to Gus and me more like a misdemeanor. Meta thinks, with some justice, that the FTC is looking for an excuse to rewrite the 2019 consent decree, something Meta says only a court can do. Paul flags a batch of China stories: China’s version of Bloomberg has begun quietly limiting the information about China’s economy that is available to overseas users. TikTok is accused of storing influencers’ sensitive financial information In China, contrary to its promises. Malaysia won’t ban Huawei from it 5G network. The former Harvard chair convicted of lying about taking Chinese money has been sentenced to just two days in prison. And another professor charged and then exonerated of commercial espionage has won the right to sue the FBI for his arrest. Gus tells us that Microsoft has effectively lost a data protection case in Ireland and will face a fine of more than $400 million. I seize the opportunity to plug my upcoming debate with Max Schrems over the Privacy Framework. Paul is surprised to find even the State Department rising to the defense of section 702 of Foreign Intelligence Surveillance Act (“FISA"). Gus asks whether automated tip suggestions should be condemned as “dark patterns” and whether the FTC needs to investigate the New York Times’s stubborn refusal to let him cancel his subscription. He also previews California’s impending Journalism Preservation Act. Download 461st Episode (mp3) You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@gmail.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.