Threepeat for transatlantic privacy
Episode 400 of the Cyberlaw Podcast
With the U.S. and Europe united in opposing Russia's attack on Ukraine, a few tough transatlantic disputes are being swept away – or at least under the rug. Most prominently, the data protection crisis touched off by the Court of Justice of the EU in Schrems 2 has been resolved in principle by a new framework agreement between the U.S. and the EU. Michael Ellis and Paul Rosenzweig trade insights on the deal and its prospects before the CJEU. The most controversial aspect of the agreement is the lack of any change in U.S. legislation. That solution is the result of simple vote-counting if you're from Washington, but the CJEU clearly expected that it was dictating legislation for the U.S. Congress to adopt, so Europe's acquiescence in a no-legislation solution may simply kick the can down the road until the next CJEU ruling. The lack of legislation will be felt in particular, Michael and Paul aver, when it comes to providing remedies to European citizens who feel their rights have been trampled. Instead of going to court, they'll be going to an administrative body with executive branch guarantees of independence and impartiality. Well, it's worth a try. We congratulate several old friends of the podcast who patched this solution together.
The Russian invasion of Ukraine, meanwhile, continues to throw off new tech stories. Nick Weaver updates us on the single most likely example of Russia using its cyber weapons effectively for military purposes – the bricking of Ukraine's (and a bunch of other European) Viasat terminals. Alex Stamos and I consider whether the social media companies recently evicted from Russia, especially Instagram, should be induced or required to provide information about their former subscribers' interests to allow microtargeting of news that might break through Putin's information management barriers; along the way we examine why it is that tech's response to Chinese aggression has been so less vigorous. Speaking of microtargeting, Paul gives kudos to the FBI for its microtargeted "talk to us" Russian language ads, only visible within 100 yards of the Russian embassy in Washington. Finally, Nick Weaver and Mike mull the significance of Israel's determination not to sell sophisticated cell phone surveillance malware to Ukraine.
Returning to Europe-U.S. tension, Alex and I unpack the European Digital Markets Act, which regulates a handful of U.S. companies as "digital gatekeepers." I think it's a plausible response to network-effect monopolization, but ruined by anti-Americanism and the persistent illusion that the EU can regulate its way to a viable tech industry. Alex has a similar take, noting that the adoption of end-to-end encryption was a big privacy victory, thanks to WhatsApp, an achievement that the Digital Markets Act may undo in its attempt to force standardized interoperable messaging on gatekeepers.
Nick walks us through the surprising achievements of the gang of juvenile delinquents known as Lapsus$. Their breach of Okta offers an occasion for speculation about how lawyers skew cyber incident response in directions that turn out to be very bad for the breach victim. Alex vividly captures the lawyerly dynamics that hamper effective response. While we're talking ransomware, Michael cites to a detailed report on corporate responses to REvil breaches, authored by the minority staff of the Senate Homeland security committee. Neither the FBI nor CISA comes out of it looking good. But the bureau earns more criticism, which may explain why no one paid much attention when the FBI demanded changes to the cyber incident reporting bill.
Finally, Nick and Michael debate whether dream pop musician (and Elon Musk sweetheart) Grimes could be prosecuted for computer crimes after confessing to having DDOSed an online publication for an embarrassing photo of her. Just to be on the safe side, we conclude, maybe she shouldn't go back to Canada. And Paul and I praise a brilliant WIRED op-ed proposing that Putin's Soviet empire nostalgia deserves a wakeup call; according to the authors (Rosenzweig and Baker, as it happens), least ICANN should kill off the Soviet Union's out-of-date .su country code.
And many thanks to the loyal listeners who turned up on line today to watch us record this episode live and with video. It was fun, and we'll do it again some time soon.
Download the 400th Episode (mp3)
You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!
The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.