What to do about deplatformed data?
Episode 384 of the Cyberlaw Podcast
Among the many problems surfaced by the current social media enthusiasm for deplatforming is this question: What do you do with all the data generated by people you deplatformed? Facebook's answer, as you'd expect, is that Facebook can do what it wants with the data, which mostly means deleting it. Even if it's evidence of a crime? Yes, says the platform, unless law enforcement asks us to save it. The legal fight over a deplatformed group that defended historical statues (and may have shot someone in the process) will tell us something about the law of deplatformed data—as will the fight over The Gambia's effort to recover evidence of deplatformed human rights abuses. In the end, though, we need a law on this question. Because, given their track record in content moderation, leaving the question to the discretion of social media will translate into the platforms' only preserving evidence that hurts people they hate.
Tired: Data breach reporting. Wired: Cyber incident reporting. The unanimous view of our panelists, Paul Rosenzweig and Dmitri Alperovitch, is that cyber policy has shifted from mandatory reporting of personal data breaches to mandatory reporting of serious cyber intrusions no matter what data is compromised. The latest example is the financial regulators' adoption of a rule requiring banks and similar institutions to report major cyber incidents within 36 hours of determination that one has occurred. But who will make that determination and with what certainty? Dmitri's money is on the lawyers. I don't disagree, but I think there's a great ER-style drama in the process: "OK, I'm going to call it. No point in trying to keep this alive any longer. Time of determination is 2:07 pm."
Our interview segment is back after a long absence. David "moose" Wolpoff and Dan MacDonnell of Randori explain the consternation over their startup's use of a serious vulnerability to conduct realistic penetration tests of buttoned-up networks instead of reporting the vuln right away to the software provider. They argue that the value of zero-days for pentesting is great and the risk of harm from holding them is low, if they're handled responsibly. In fact, the debate sounds a lot like the arguments around the table at a government Vulnerability Equities Process ("VEP") meeting. And that makes me wonder whether the people pushing for a stricter VEP have any idea at all what they're talking about.
Dmitri lays out the surprising complexity and sophistication of the Iranian attempt to influence the 2020 election. I'm less convinced. The Iranian effort failed, after all, and it resulted in the hackers' indictment. Hard to be impressed by failure.
I dig into a recent brief by Hikvision claiming that the FCC lacks authority to bar sales of its products in the US. I'm only half convinced by the legal claim, but I am sure of this: The Hikvision argument has created an opportunity for some enterprising politician to sponsor quick, uncontroversial legislation clearly giving the FCC the authority that Hikvision says it doesn't have.
Dmitri explains the latest advance of the hardware hack known as Rowhammer. It may not be deployed routinely even now, he says, but the exploit makes clear that we will never entirely secure our cyber infrastructure.
Paul and I agree that it's perfectly legal for government to buy advertising data that shows citizens' locations. And we more or less agree that some restraint on sales of location data – at least to the Russian and Chinese governments and maybe to anybody – are in order.
I offer muted and squeamish criticism of a Big Report claiming that child sexual abuse is exploding online. There's no doubt that it's a problem that deserves more legal and platform effort, but the authors did their cause no favors by combining kids exchanging nude selfies with truly loathsome material.
Dmitri and I perform a public service announcement about a scam that takes advantage of security habits that the banks have encouraged us to adopt. Zelle fraud is going to make us all regret those habits. Let's hope it also induces banks to use hardware tokens instead of text messages to verify our transactions.
Germany and Mandiant are at odds over attribution of the government that sponsored the Ghostwriter hacking gang. Germany, backed by the EU, says it's Russia. Mandiant says it's Belarus. Dmitri says "Never bet against Mandiant on attribution." I can't disagree.
Finally, Dmitri joins me in an appreciation of Alan Paller, who died last week. He was a major influence in cybersecurity, and a role model for successful entrepreneurs who want to give back using their institution-creating skills.
You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!
The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.