Our interview is with Alex Joel, former Chief of the Office of Civil Liberties, Privacy, and Transparency at the Office of the Director of National Intelligence. Alex is now at the American University law school’s Tech, Law, and Security Program. We share stories about the difficulties of government startups and how the ODNI carved out a role for itself in the Intelligence Community (hint: It involved good lawyering). We dive pretty deep on recent FISA court opinions and the changes they have forced in FBI procedures. In the course of that discussion, I posit that every “reform” of intelligence dreamed up by Congress in the last decade has turned out to be a self-licking compliance trap, and I take back some of my praise for the DNI’s lawyering.
In the News Roundup, we’re inundated by serious new reports of cyberattacks. Dave Aitel admits that the hacking group he envies most is Turla, which was recently discovered to have totally pwned the entire attack infrastructure of an Iranian government team. Dave notes that Avast has succumbed to a second far-reaching intrusion into its network, reminiscent of the last attack, which led to the company sending out a compromised CCleaner application. We may never know whether Avast got the intruder out, Dave suggests, but his hat is off to the company’s PR team. In still more pwnage news, Dave praises two new detailed reports from security companies: FireEye’s report on APT41’s combination of espionage and cybercrime and CrowdStrike’s report on amazingly successful Chinese efforts to steal aircraft intellectual property. And one more: Cyber Command has leaked the bare minimum of information to show that Iran’s strike against Saudi oil facilities did not go unpunished. Dave and I both take our hats off to Iran’s PR team, which responded to the vague leak by claiming that Cyber Command “must have dreamt it.”
In other news, Gus Hurwitz breaks down a recent Ninth Circuit decision construing the Section 230 immunity that Congress has given to companies that filter content on the Internet. Remarkably, two judges thought that the immunity for preventing access to “objectionable” content would allow a company to filter out its competitor’s products. It’s easy to see how competition might be objectionable to the company, but harder to see why Congress would have shared that view. Luckily, the two judges who got it wrong were a district court judge and the Ninth Circuit dissenter. But the close call shows how broadly the “objectionable” immunity sweeps. Which raises the question why US trade agreements should broaden the immunity and turn it into international law that can’t be amended easily, or at all. That was a point of rare bipartisan agreement at a recent House hearing. But there’s no sign yet that Congress is going to reject the trade deals that do this. Gus and I also touch on the latest flaps over social media content monitoring.
Poor Equifax: Just when they were hoping the worst had passed, the plaintiff’s bar doxxed even more embarrassing security failings. Dave offers this cold comfort: All the mistakes that embarrassed Equifax could be found in pretty much any network in the country. More cold than comfort, Dave!
And, finally, we close with This Week in Puerile Jokes: All inspired, of course, by the UK Government’s decision to drop its plan to require ID to watch sex videos online.
As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!
The views expressed in this podcast are those of the speakers and do not reflect the opinions of the firm.