100 episodes

The Cyberlaw Podcast is a weekly interview series and discussion offering an opinionated roundup of the latest events in technology, security, privacy, and government. It features in-depth interviews of a wide variety of guests, including academics, politicians, authors, reporters, and other technology and policy newsmakers. Hosted by cybersecurity attorney Stewart Baker, whose views expressed are his own.

The Cyberlaw Podcast Stewart Baker

    • News
    • 4.6 • 204 Ratings

The Cyberlaw Podcast is a weekly interview series and discussion offering an opinionated roundup of the latest events in technology, security, privacy, and government. It features in-depth interviews of a wide variety of guests, including academics, politicians, authors, reporters, and other technology and policy newsmakers. Hosted by cybersecurity attorney Stewart Baker, whose views expressed are his own.

    The Fourth Antitrust Shoe Drops, on Apple This Time

    The Fourth Antitrust Shoe Drops, on Apple This Time

    The Biden administration has been aggressively pursuing antitrust cases against Silicon Valley giants like Amazon, Google, and Facebook. This week it was Apple’s turn. The Justice Department (joined by several state AGs)  filed a gracefully written complaint accusing Apple of improperly monopolizing the market for “performance smartphones.” The market definition will be a weakness for the government throughout the case, but the complaint does a good job of identifying ways in which Apple has built a moat around its business without an obvious benefit for its customers.  The complaint focuses on Apple’s discouraging of multipurpose apps and cloud streaming games, its lack of message interoperability, the tying of Apple watches to the iPhone to make switching to Android expensive, and its insistence on restricting digital wallets on its platform.  This lawsuit will continue well into the next presidential administration, so much depends on the outcome of the election this fall.
     
    Volt Typhoon is still in the news, Andrew Adams tells us, as the government continues to sound the alarm about Chinese intent to ravage American critical infrastructure in the event of a conflict.  Water systems are getting most of the attention this week.  I can’t help wondering how we expect the understaffed and underresourced water and sewage companies in this country to defeat sophisticated state-sponsored attackers. This leads Cristin and i to a discussion of how the SEC’s pursuit of CISO Tim Brown and demands for more security disclosures will improve the country’s cybersecurity.  Short answer: It won’t.
     
    Cristin covers the legislative effort to force a divestiture of Tiktok. The bill has gone to the Senate, where it is moving slowly, if at all. Speaking as a parent of teenagers and voters, Cristin is not surprised. Meanwhile, the House has sent a second bill to the Senate by a unanimous vote. This one would block data brokers from selling American’s data to foreign adversaries. Andrew notes that the House bill covers data brokers.  Other data holders, like Google and Apple, would face a similar restriction, under executive order, so the Senate will have plenty of opportunity to deal with Chinese access to American personal data.
     
    In the wake of the Murthy argument over administration jawboning in favor of censorship of mostly right-wing posts,  Andrew reports that the FBI has resumed outreach to social media companies, at least where it identifies foreign influence campaigns. And the FDA, which piled on to criticize ivermectin advocates, has withdrawn its dubious and condescending tweets.
     
     Cristin reports on the spyware agreement sponsored by the United States. It has collected several new supporters. Whether this will reduce spyware installations or simply change the countries that supply the spyware remains to be seen.

    • 46 min
    Social Speech and the Supreme Court

    Social Speech and the Supreme Court

    The Supreme Court is getting a heavy serving of first amendment social media cases. Gus Hurwitz covers two that made the news last week. In the first, Justice Barrett spoke for a unanimous court in spelling out the very factbound rules that determine when a public official may use a platform’s tools to suppress critics posting on his or her social media page.  Gus and I agree that this might mean a lot of litigation, unless public officials wise up and simply follow the Court’s broad hint: If you don’t want your page to be treated as official, simply say up top that it isn’t official.
    The second social media case making news was being argued as we recorded. Murthy v. Missouri appealed a broad injunction against the US government pressuring social media companies to take down posts the government disagrees with.  The Court was plainly struggling with a host of justiciability issues and a factual record that the government challenged vigorously. If the Court reaches the merits, it will likely address the question of when encouraging the suppression of particular speech slides into coerced censorship. 
    Gus and Jeffrey Atik review the week’s biggest news – the House has passed a bill to force the divestment of TikTok, despite the outcry of millions of influencers.  Whether the Senate will be quick to follow suit is deeply uncertain.
    Melanie Teplinsky covers the news that data about Americans’ driving habits is increasingly being sent to insurance companies to help them adjust their rates.
    Melanie also describes the FCC’s new Cyber Trust Mark for IOT devices.  Like the Commission, our commentators think this is a good idea.
    Gus takes us back to more contest territory: What should be done about the use of technology to generate fake pictures, especially nude fake pictures. We also touch on a UK debate about a snippet of audio that many believe is a fake meant to embarrass a British Labour politician.  
     Gus tells us the latest news from the SVR’s compromise of a Microsoft network. This leads us to a meditation on the unintended consequences of the SEC’s new cyber incident reporting requirements.
    Jeffrey explains the bitter conflict over app store sales between  Apple and Epic games.
    Melanie outlines a possible solution to the lack of cybersecurity standards (not to mention a lack of cybersecurity) in water systems. It’s interesting but it’s too early to judge its chances of being adopted.
    Melanie also tells us why  JetBrains and Rapid7 have been fighting over “silent patching.”
    Finally, Gus and I dig into Meta’s high-stakes fight with the FTC, and the rough reception it got from a DC district court.
     

    • 1 hr
    Preventing Sales of Personal Data to Adversary Nations

    Preventing Sales of Personal Data to Adversary Nations

    This bonus episode of the Cyberlaw Podcast focuses on the national security implications of sensitive personal information. Sales of personal data have been largely unregulated as the growth of adtech has turned personal data into a widely traded commodity. This, in turn, has produced a variety of policy proposals – comprehensive privacy regulation, a weird proposal from Sen. Wyden (D-OR) to ensure that the US governments cannot buy such data while China and Russia can, and most recently an Executive Order to prohibit or restrict commercial transactions affording China, Russia, and other adversary nations with access to Americans’ bulk sensitive personal data and government related data. 
    To get a deeper understanding of the executive order, and the Justice Department’s plans for implementing it, Stewart interviews Lee Licata, Deputy Section Chief for National Security Data Risk.

    • 31 min
    The National Cybersecurity Strategy – How Does it Look After a Year?

    The National Cybersecurity Strategy – How Does it Look After a Year?

    Kemba Walden and Stewart revisit the National Cybersecurity Strategy a year later. Sultan Meghji examines the ransomware attack on Change Healthcare and its consequences. Brandon Pugh reminds us that even large companies like Google are not immune to having their intellectual property stolen. The group conducts a thorough analysis of a "public option" model for AI development. Brandon discusses the latest developments in personal data and child online protection. Lastly, Stewart inquires about Kemba's new position at Paladin Global Institute, following her departure from the role of Acting National Cyber Director.

    • 56 min
    Regulating personal data for national security

    Regulating personal data for national security

    The United States is in the process of rolling out a sweeping regulation for personal data transfers. But the rulemaking is getting limited attention because it targets transfers to our rivals in the new Cold War – China, Russia, and their allies. Adam Hickey, whose old office is drafting the rules, explains the history of the initiative, which stems from endless Committee on Foreign Investment in the United States efforts to impose such controls on a company-by-company basis. Now, with an executive order as the foundation, the Department of Justice has published an advance notice of proposed rulemaking that promises what could be years of slow-motion regulation. Faced with a similar issue—the national security risk posed by connected vehicles, particularly those sourced in China—the Commerce Department issues a laconic notice whose telegraphic style contrasts sharply with the highly detailed Justice draft.
    I take a stab at the riskiest of ventures—predicting the results in two Supreme Court cases about social media regulations adopted by Florida and Texas. Four hours of strong appellate advocacy and a highly engaged Court make predictions risky, but here goes. I divide the Court into two camps—the Justices (Thomas, Alito, probably Gorsuch) who think that the censorship we should worry about comes from powerful speech-monopolizing platforms and the Justices (Kavanagh, the Chief) who see the cases through a lens that values corporate free speech. Many of the remainder (Kagan, Sotomayor, Jackson) see social media content moderation as understandable and justified, but they’re uneasy about the power of large platforms and reluctant to grant a sweeping immunity to those companies. To my mind, this foretells a decision striking down the laws insofar as they restrict content moderation. But that decision won’t resolve all the issues raised by the two laws, and industry’s effort to overturn them entirely on the current record is also likely to fail. There are too many provisions in those laws that some of the justices considered reasonable for Netchoice to win a sweeping victory. So I look for an opinion that rejects the “private censorship” framing but expressly leaves open or even approves other, narrower measures disciplining platform power, leaving the lower courts to deal with them on remand.
    Kurt Sanger and I dig into the Securities Exchange Commission's amended complaint against Tim Brown and SolarWinds, alleging material misrepresentation with respect to company cybersecurity. The amended complaint tries to bolster the case against the company and its CISO, but at the end of the day it’s less than fully persuasive. SolarWinds didn’t have the best security, and it was slow to recognize how much harm its compromised software was causing its customers. But the SEC’s case for disclosure feels like 20-20 hindsight. Unfortunately, CISOs are likely to spend the next five years trying to guess which intrusions will look bad in hindsight. 
    I cover the National Institute of Standards and Technology’s (NIST) release of version 2.0 of the Cybersecurity Framework, particularly its new governance and supply chain features.
    Adam reviews the latest update on section 702 of FISA, which likely means the program will stumble into 2025, thanks to a certification expected in April. We agree that Silicon Valley is likely to seize on the opportunity to engage in virtue-signaling litigation over the final certification.
    Kurt explains the remarkable power of adtech data for intelligence purposes, and Senator Ron Wyden’s (D-OR) effort to make sure such data is denied to U.S. agencies but not to the rest of the world. He also pulls Adam and me into the debate over whether we need a federal backup for cyber insurance. Bruce Schneier thinks we do, but none of us is persuaded.
    Finally, Adam and I consider the divide between CISA and GOP election officials. We agree that it has its roots in CISA’s impruden

    • 53 min
    Are AI models learning to generalize?

    Are AI models learning to generalize?

    We begin this episode with Paul Rosenzweig describing major progress in teaching AI models to do text-to-speech conversions. Amazon flagged its new model as having “emergent” capabilities in handling what had been serious problems – things like speaking with emotion, or conveying foreign phrases. The key is the size of the training set, but Amazon was able to spot the point at which more data led to unexpected skills. This leads Paul and me to speculate that training AI models to perform certain tasks eventually leads the model to learn “generalization” of its skills. If so, the more we train AI on a variety of tasks – chat, text to speech, text to video, and the like – the better AI will get at learning new tasks, as generalization becomes part of its core skill set. It’s lawyers holding forth on the frontiers of technology, so take it with a grain of salt.
    Cristin Flynn Goodwin and Paul Stephan join Paul Rosenzweig to provide an update on Volt Typhoon, the Chinese APT that is littering Western networks with the equivalent of logical land mines. Actually, it’s not so much an update on Volt Typhoon, which seems to be aggressively pursuing its strategy, as on the hyperventilating Western reaction to Volt Typhoon. There’s no doubt that China is playing with fire, and that the United States and other cyber powers should be liberally sowing similar weapons in Chinese networks. But the public measures adopted by the West do not seem likely to effectively defeat or deter China’s strategy. 
    The group is less impressed by the New York Times’ claim that China is pursuing a dangerous electoral influence campaign on U.S. social media platforms. The Russians do it better, Paul Stephan says, and even they don’t do it well, I argue. 
    Paul Rosenzweig reviews the House China Committee report alleging a link between U.S. venture capital firms and Chinese human rights abuses. We agree that Silicon Valley VCs have paid too little attention to how their investments could undermine the system on which their billions rest, a state of affairs not likely to last much longer. 
    Paul Stephan and Cristin bring us up to date on U.S. efforts to disrupt Chinese and Russian hacking operations.
    We will be eagerly waiting for resolution of the European fight over Facebook’s subscription fee and the move by websites to “Pay or Consent” privacy terms fight. I predict that Eurocrats’ hypocrisy will be tested by an effort to rule for elite European media sites, which already embrace “Pay or Consent” while ruling against Facebook. Paul Rosenzweig is confident that European hypocrisy is up to the task. 
    Cristin and I explore the latest White House enthusiasm for software security liability. Paul Stephan explains the flap over a UN cybercrime treaty, which is and should be stalled in Turtle Bay for the next decade or more.  
    Cristin also covers a detailed new Google TAG report on commercial spyware. 
    And in quick hits, 
    House Republicans tried and failed to find common ground on renewal of FISA Section 702
    I recommend Goody-2, the ‘World’s ‘Most Responsible’ AI Chatbot
    Dechert has settled a wealthy businessman’s lawsuit claiming that the law firm hacked his computer
    Imran Khan is using AI to make impressively realistic speeches about his performance in Pakistani elections
    The Kids Online Safety Act secured sixty votes in the U.S. Senate, but whether the House will act on the bill remains to be seen
    Download 492nd Episode (mp3)
    You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@gmail.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug! The views expresse

    • 49 min

Customer Reviews

4.6 out of 5
204 Ratings

204 Ratings

Trimosier ,

Stewart is a treasure

Informative, always relevant, and engaging—even humorous occasionally! Substitute hosts pale in comparison.

PauloAcadia ,

Nice

Podcast about cyber issues & law

Bobo the circus clown ,

Love this!

Great for cybersecurity professionals.

Top Podcasts In News

The Daily
The New York Times
Up First
NPR
The Ben Shapiro Show
The Daily Wire
Pod Save America
Crooked Media
The Megyn Kelly Show
SiriusXM
The Dan Bongino Show
Cumulus Podcast Network | Dan Bongino

You Might Also Like

Rational Security
The Lawfare Institute
The Lawfare Podcast
The Lawfare Institute
Chatter
Lawfare
The Realignment
The Realignment
ChinaTalk
Jordan Schneider
Divided Argument
Will Baude, Dan Epps