Cryptopocalypse

It was a disastrous week for cryptocurrency in the United States, as the SEC filed suit against the two biggest exchanges, Binance and Coinbase, on a theory that makes it nearly impossible to run a cryptocurrency exchange in the US that is competitive with overseas exchanges. Nick Weaver lays out the difference between securities "process crimes" and "crime crimes," and how it helps to distinguish the two lawsuits. The SEC action marks the end of an uneasy truce between regulators and the cryptocurrency industry, but not the end of the debate. Both exchanges have the funds for a hundred-million-dollar criminal defense and lobbying campaign. So you can expect to hear more about this issue for years (and years) to come.

I bring up two AI regulation stories. First is Mark Andreessen's post trying to head off AI regulation, which is pretty persuasive until the end, where he says that the risk of bad people using AI for bad things can be addressed by using AI to stop them.  Sorry, Mark, it doesn't work that way. We aren't, for example, stopping the crimes that modern encryption makes possible by throwing more crypto at the culprits.

My nominee for the AI Regulation Hall of Fame, though, goes to Japan, which has decided to address the phony issue of AI copyright infringement by declaring that it's a phony issue and there'll be no copyright liability for their AI industry if it trains its models on copyrighted content.  That's the right answer, in my view, but it's also a brilliant way of borrowing and subverting the EU's GDPR model, in which aggressively regulating global data transfers turns out to be a pretty good trade barrier. Now Japan proposes to write the global copyright rules for AI, at least as a practical matter. Why? Because Japan's policy effectively gives immunity from copyright claims to any AI company that builds a dataset or trains its models in Japan. The rest of the world can follow suit or watch their industries flock to Japan to train their models in relative regulatory certainty. This has to be the smartest piece of international AI regulation any jurisdiction has come up with so far. (It helps, of course, that copyright claims against AI are mostly rent-seeking by Big Content.)

Kurt Sanger, just back from a NATO cyber conference in Estonia, explains why military cyber defenders are stressing their need for access to the private networks they'll be defending. Whether they'll get it, we agree, is another kettle of fish entirely.

David Kris turns to public-private cooperation issues in another context. The Cyberspace Solarium Commission has another report out. It calls on the government to refresh and rethink the aging orders that regulate how the government deals with the private sector on cyber matters.

Kurt and I consider whether Russia is committing war crimes by DDOSing emergency services in Ukraine at the same time as it's bombing Ukrainian cities. We agree that the evidence isn't there yet.

Nick and I dig into two recent exploits that stand out from the crowd. Barracuda's security appliance has been so badly compromised that the only remedial measure involves a woodchipper. Nick is confident that the tradecraft here suggests a nation-state attacker. I wonder if the remedy is also a way to move Barracuda's customers to the cloud.

The other compromise is an attack on MOVEit Transfer. Flaws in the secure file transfer system have allowed ransomware gang Clop to download so much proprietary data that they have resorted to telling their victims to self-identify and pay the ransom rather than wait for Clop to figure out who they've pwned.

Kurt, David, and I talk about the White House effort to sell section 702 of FISA for its cybersecurity value—and my effort, with Michael Ellis, to sell 702 (packaged with intelligence reform) to a conservative caucus that is newly skeptical of the intelligence community. David finds himself uncomfortably close to endorsing our efforts.

Finally, in quick updates:

• Nick talks about Tesla's Full Self Driving, and the accidents it's been involved in.
• I warn listeners that Virginia has joined the ranks of states that require users to produce ID proving their age to access Pornhub. I predict that twenty states will adopt such a requirement in the next year

Download 462nd Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@gmail.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families, or pets.