The Volokh Conspiracy

Mostly law professors | Sometimes contrarian | Often libertarian | Always independent

Ransomware – Death and Diplomacy

Episode 377 of the Cyberlaw Podcast


  • This is the meatiest episode in a long time, as Dmitri Alperovitch, Dave Aitel, and Mark MacCarthy go deep on the substance of a dozen stories or more. 

    First up, Dmitri and I speculate on possible outcomes from the newly announced administration plan to convene 30 countries to crack down on ransomware. We also report on what may be the first confirmed death resulting from the equipment failures caused by ransomware – a newborn strangled by its umbilical cord because the hospital's usual electronic warnings weren't operating. 

    Dmitri also explains a new cryptocurrency regulatory topic unrelated to its use in ransomware schemes – the move to ensure the financial stability of stablecoins. 

    Dave weighs in on two surprising provisions of the House intel authorization bill. The first would respond to the Project Raven incident by imposing new controls on ex-spies working for foreign governments. No one is against the idea, but no one thinks that the problem is limited to alumni of a few intelligence agencies. And the bill's sweep is far broader than cases like Project Raven. I fear that as written it may criminalize ex-spies giving security advice to Airbus, or perhaps even the Atlantic Council.

    The second provision imposes requires reports on U.S. government purchases of computer vulnerabilities from foreign vendors. This leads to a discussion of which nation has the best offensive talent. Dave thinks the old champ has been decisively dethroned. 

    In other legislative news, Dmitri covers the three committee drafts on cyber incident reporting, with special emphasis on the recently leaked bill from Senate Intel. It's a very tough bill, perhaps designed to stake out negotiating room with the Homeland committees. I ask, "What's the difference between Europe's staggering fines for General Data Protection Regulation (GDPR) violations and this bill's fines for violating cyber reporting obligations?" The answer: "about two weeks," at which point the maximum fine due to the U.S. will exceed the top European fine.

    Mark gives an overview and some prognostication about Google's effort to overturn the EU's $5 billion antitrust fine for its handling of Android. 

    Dmitri and I find ourselves forced to face up to the growing soft power of Russia and China, now increasingly forcing Silicon Valley companies to project Russian and Chinese power into the West. Russia, having forced Apple and Google to send it hostages in the form of local employees, is trying to use its leverage to control what those companies do in countries like Germany. And Linkedin, the last Western social media company still standing in China, is trying to keep that status by asking Americans to self-censor their accounts.

    At Dave's request, we visit a story we missed last week and explore all the complex equities at work when the FBI decides whether to use ransomware keys for remediation or disruption.

    Mark gives an overview of the new Federal Trade Commission, where regulatory ambition is high but practical authority weak, at least until the Senate confirms a third Democratic commissioner. Waiting in the wings for that event is a even more antitrust action, possible new online privacy rules and Commissioner Slaughter's enthusiasm for imposing racial equity quotas under the guise of algorithmic fairness.

    Dmitri offers his best guess about the recent Russian arrest of a cybersecurity executive for treason (that's the second in five years if you're counting) and the US decision to send a Russian scammer back to Russia after bitterly fighting to extradite him from Israel.

     In quick hits:

    • Dmitri makes a public service announcement about the ways that Two-Factor Authentication (2FA) can be subverted. 
    • I celebrate some good news for the U.S.: China is planning to encourage provincial controls on the design and use of social media algorithms. That's bound to give US companies a new competitive advantage in a field where TikTok has surpassed them.
    • Dave and I dissect the guilty plea of former Ethereum developer Virgil Griffith, accused of violating U.S. sanctions by giving a bland speech on cryptocurrency in North Korea.
    • I give the highlights of two new and eminently contestable cyberlaw rulings:
      • In U.S. v Wilson, the Ninth Circuit decided that law enforcement needs a warrant to open files that it knows from hashes are 99.9% certain to be child porn. The decision would be unfortunate if it weren't meaningless; the hash itself provides probable cause, so warrants will be quickly and routinely issued. Thanks for the make-work, EFF!
      • And a magistrate judge clearly gunning for promotion has written a Stored Communications Act opinion that empowers Silicon Valley's Trust and Safety operatives to de-platform people and then turn their posts over to law enforcement without the subpoena they usually demand. I would worry more about those consequences if I thought the opinion would survive.  
    • And, finally, Dmitri is pleased to find one field where AI is succeeding without controversy, as machine learning declares a famous Peter Paul Rubens painting, Samson and Delilah, to be a fake. But how long, I wonder, before this AI is forced by the FTC to correct its notorious anti-Flemish bias?

    And More!

    Download the 377th Episode (mp3)

    You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

    The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.