"Pay no attention to the guns, the flashbang, and the handcuffs. You're free to go at any time."
Episode 245 of the Cyberlaw Podcast
Nate Jones, David Kris, and I kick off 2019 with a roundup of the month of news since we took our Christmas break. First, we break down the utterly predictable but undismissable Silicon Valley claim that the administration's new export control strategy will hurt the emerging AI industry.
Then we draw on our guests' expertise in counterintelligence prosecutions to review the APT10 indictment – and the claim by Jack Goldsmith and Robert Williams that the strategy is a failure. We conclude that it isn't a magic bullet, but that's not quite the same as a failure. I tease my plan to propose two dozen more or less unthinkable retaliatory responses the US could deploy if and when it decides to get serious about deterring adversarial cyber operations.
We quickly cover three new hacks that once looked as though they might be government sponsored. Now we suspect that two were less strategic than that. The denial of service attack on newspaper printing may have been a profit-motivated ransomware attack, and the guy who doxxed the German political establishment may have been a lone hacker (hopefully not one weighing 400 pounds or we'll never hear the end of it).
We quickly review the bidding on the US-China "quantum arms race," which may be a bit less critical than the press suggests.
David and Nate also review the mixed bag of rulings on three motions to suppress in Hal Martin's NSA theft case, which just gets weirder and weirder. David and I are in surprising agreement (along with the judge) that the FBI overreached in using handcuffs, a flashbang, and a SWAT team to conduct "noncustodial" questioning of Martin.
Today's forecast: Windy with a high probability of litigation as Los Angeles sues The Weather Company for collecting and sharing location information in its apps. We suspect that, in claiming a lack of adequate disclosure about location collection, Los Angeles is relying on the ancient legal maxim, "Damned if you do and damned if you don't."
In other litigation news, Illinois's biometric privacy law continues to encounter judicial skepticism. But the Illinois state courts, unburdened by federal standing law, may yet give teeth to this seriously dumb law as Rosenbach v. Six Flags rolls on in the Illinois Supreme Court.
In Quick Hits, I am examine the claim that a clever generative adversarial AI "cheated" at a mapping task. In fact, the lesson is both less exciting and more troubling: If you don't understand how your AI is accomplishing the task you've set for it, you are in for some rude surprises.
Despite all the talk of stasis and crisis in Washington, Congress is still passing modestly useful legislation on cyber issues. Nate describes the SECURE Technology Act, which sets vulnerability disclosure policy and calls for bug bounties at DHS.
And, finally, I recommend a fascinating and deeply ambivalating (okay, that's not a word, but it should be) report on the many ways third-party sellers game Amazon's Marketplace rules.
As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!