For the third week in a row, we lead with the cyber impact of Russia's invasion of Ukraine. Paul Rosenzweig comments on the most surprising thing about social media's decoupling from Russia – how enthusiastically industry is pursuing the separation. Facebook is allowing Ukrainians to threaten violence against Russian leadership and removing or factchecking Russian government and media posts. Not satisfied with this, the EU wants Google to remove Russia Today and Sputnik from search results. I ask why the U.S. can't take over Facebook and Twitter infrastructure to deliver the Voice of America to Facebook and Twitter users in Russia who've been cut off by the social giants' departure. Nobody likes that idea but me. Meanwhile, Paul notes that The Great Cyberwar that Wasn't may yet make an appearance, citing Ciaran Martin's sober Lawfare piece.
David Kris tells us that Congress has, after a few false starts, finally passed a cyber incident reporting bill, notwithstanding the Justice Department's over-the-top tantrum in opposition. I wonder if the bill, passed in haste due to the Ukraine conflict, should have had another round of edits, since it seems to lock in a leisurely 3 1/2 year reg-writing process that the Cybersecurity and Infrastructure Security Agency (CISA) can't easily cut short.
Jane Bambauer and David unpack the first federal district court opinion to consider the legal status of "geofence" warrants. With such warrants, where Google releases data in stages to the police about people whose phones were near a crime scene when the crime was committed. It's a long opinion by Judge M. Hannah Lauck, and she was clearly trying to write something precedential, but none of us finds it satisfying. As is often true, Orin Kerr's take is more persuasive than the court's.
Next, Paul Rosenzweig digs into Biden's cryptocurrency executive order. It's not exactly a nothingburger, he opines; it's more of a processburger: Nothing will happen in the field for many months, but the interagency mill will begin to grind, and sooner or later it will likely grind exceeding fine.
Jane and I draw lessons from WIRED's "expose" on three wrongful arrests based on face recognition software --but not the lesson WIRED wanted us to draw. The arrests do reflect less than perfect policing, and they are a wrenching view of what it's like for an innocent man to face charges. But WIRED is unpersuasive when it blames face recognition for police mistakes that could have been avoided with a little more care on the part of the cops.
David and I highly recommend Brian Krebs's great series on what we can learn from leaked chat logs stolen from the Conti ransomware gang. My favorite insight was the Conti member who said, apparently when a company didn't want to pay to keep its files from being published, "There is a journalist who will help intimidate them for 5 percent of the payout." I suggest that our listeners could feasibly crowdsource an effort to find journalists who might fit this description. After all, how many journalists these days are breaking stories that dive deep into doxxed databases?
Paul and I spend a little more time than it deserves on a proposal for the Internet community about ways to block Russia from the network. But I am inspired to suggest that the country code .su — presumably all that's left of the Soviet Union – be permanently retired. I mean, really, does anyone respectable want it back?
In quick hits: