The Volokh Conspiracy

Mostly law professors | Sometimes contrarian | Often libertarian | Always independent

Ten pounds of cyberlaw in a five pound sack

Episode 387 of the Cyberlaw Podcast


All the cyberlawsuits that didn't get filed, or decided, over Thanksgiving finally hit the fan last week, and we're still cleaning up. But before that, I have to ask Dave Aitel for a sanity check on Log4Shell. Does it really deserve a 10 out of 10 for impact? And what does it mean for all the open source components buried in all our enterprise software? Dave's only piece of good news is that some big projects were far enough behind in updates that they haven't yet built the flaw into their products.

Turning to the first of several lawsuits covered in this episode, Jamil Jaffer and I praise Google for a particularly comprehensive and creative approach to suing cybercriminals. RICO plus a boatload of computer privacy violations are at the heart of Google's complaint against two criminals who created the Glupteba botnet. The defendants deserve credit of their own for creativity in using the blockchain to reconstitute their C2 infrastructure. If more criminals did that, Microsoft's trademark approach – using trademark violations to seize botnet infrastructure – would be less effective. Speaking of which, this week Microsoft used trademark litigation to take down a Chinese government network. Is it wrong to complain that Microsoft has been using this approach for so long that botnets are only inconvenienced, not destroyed, by the tactic?

Maury Shenk digs into the remarkable report that Apple CEO Tim Cook promised $275 billion of investment to China. Five years ago. In secret. And we're only finding out about it now, after he apparently delivered. When Congress finally gets around to the cyber incident reporting bill that it just bumped from the defense authorization act, maybe it will want to classify multibillion dollar deals with Communist China as the kind of cyber incident that ought to be reported to the U.S. government, if only so it knows how to evaluate the motives of the companies that are lobbying it.

The Tenth Circuit finished its Thanksgiving by releasing a massive opinion upholding the constitutionality of Section 702 of FISA. Jamil Jaffer, who played a role in adoption of Section 702, walks us through the decision, which was 2-1, but not on the main question. Instead, the debate was over Article III and the "advisory" nature of FISA court opinions that review intelligence agency procedures under 702. I confess to some sympathy for the dissent but wonder how it would help the defendant to strike down that structure.

Dave explains why Tor might not be as secure as we think. A mysterious and likely state-sponsored actor. is running hundreds of malicious Tor relays. And to add insult to injury, the actor is openly participating in Tor community debates, lobbying against proposals to reduce malicious Tor relays.

But wait, there's more cyberlitigation, and again Jamil talks us through it. A Saudi women's rights activist has brought a CFAA lawsuit against DarkMatter and its expat American employees for an iPhone hack that she says got her arrested. I'm a little skeptical that the lawsuit will survive a Foreign Sovereign Immunities Act motion.

Maury and I question the wisdom of a recent Italian fine penalizing Amazon over a billion euros, mainly for preferencing sellers who sign up for Prime logistics.

Dave tells the sad story of Ilya Sachkov, a Russian cybersecurity whiz kid and CEO who may have believed too much that everyone sees cybersecurity as a white hat enterprise. Word is that he may have been too eager to help unravel the identities of the 2016 DNC attackers and is now paying for it with a Russian treason charge.

Maury notes that the U.S. decision to blacklist SenseTime, the Chinese AI company, was carefully timed to guarantee disruption of SenseTime's IPO. Whether the U.S. action will be more than a delaying tactic remains to be seen, but Maury thinks not.

Maury notes that Wikileaks founder Julian Assange has lost an important battle as he fights extradition to the U.S. And Jamil notes that the cyber incident reporting bill didn't make it into the defense authorization act, as mentioned earlier. He is one of the few cybersecurity buffs who isn't especially disappointed.

Maury and I disagree about a much-ballyhooed group of companies claiming to combat A.I. bias in hiring. I'll believe it when they actually expose their recommendations to public scrutiny.

For those who think left-wing bias in content moderation is not a thing, try this: Spend ten minutes with this right-wing French candidate's very effective campaign ad. Then ask yourself why exactly YouTube thought it wasn't fit for children. My guess: it was really the ad's effectiveness that YouTube disapproved of.

Dave and I puzzle over the Biden administration's unsatisfying "Initiative for Democratic Renewal" – a big international get-together that got only cursory attention in the US, perhaps because its theme is still a little hard to find.

And, finally, just to give me an excuse to publicize my latest Cybertoonz comic, Jamil asks what it means for Western militaries to "impose a cost" on ransomware gangs.

And with that, the Cyberlaw Podcast bids farewell to 2021. We will return in January.

Download the 387th Episode (mp3).

You can subscribe to The Cyberlaw Podcast using iTunesGoogle PlaySpotifyPocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.