The current enthusiasm on social media for deplatforming poses many challenges. One example is the question, “What do you do about all the data that was generated by those you deplatformed?” Facebook’s answer, a common one, is that it can do whatever it likes with that data. What if the data is evidence of a crime? The platform’s answer is still yes, except when law enforcement asks it to preserve the data. The legal battle over deplatformed data tied to the toppling of historical statues (and possibly a shooting) will give us some insight into the law on deplatformed information. The same will be true for The Gambia’s efforts to recover deplatformed evidence of human rights abuses. This question needs to be addressed by law. Given the platforms’ history in content moderation, and their likely inclination to preserve only evidence that harms people they consider hateful, it is not a good idea to leave the decision up to them.
Tired: Data breach reporting. Wired: Cyber-incident reporting. The unanimous view of our panelists, Paul Rosenzweig and Dmitri Alperovitch, is that cyber policy has shifted from mandatory reporting of personal data breaches to mandatory reporting of serious cyber intrusions, no matter what data is compromised. Financial regulators have adopted a rule requiring banks and similar institutions to report cyber-related incidents within 36 hours after determining that one has occurred. But who, and what, will make that determination? Dmitri is putting his money on the attorneys. Although I disagree with his assessment, I think there’s a wonderful ER-style drama to the proceedings. “OK, let’s call it. There’s no point trying to make this last. Time of determination: 2:07 PM.”
After a lengthy absence, our interview segment has returned. Randori’s David “moose” Wolpoff and Dan MacDonnell discuss the frustration over their startup’s use of a serious zero-day vulnerability to perform realistic penetration tests on buttoned-up networks, instead of immediately reporting the vuln to the software provider. If they are handled properly, zero-days for pentesting have great value and pose little risk of harm. This debate sounds very much like the ones at Vulnerability Equities Process (VEP) meetings. I wonder what the VEP’s advocates make of it.
Dmitri lays out the complexity and sophistication of the Iranian effort to influence the 2020 elections. I am less convinced, given that the Iranian attempt failed and led to the hackers being indicted. Failure is difficult to accept.
Hikvision claims that the FCC does not have the authority to ban sales of its products in the US. I review the brief. Although I don’t agree with its legal claims, I do know this: Hikvision’s argument creates an avenue for an enterprising politician to quickly and uncontroversially pass legislation giving the FCC the authority that Hikvision says it lacks.
Dmitri explains the latest advance in the hardware hack known as Rowhammer. Although it is not yet routinely exploited, Dmitri says the technique shows us that cybersecurity will never be perfect.
Paul and I agree that the government can buy data that reveals the location of citizens. And we more or less agree that some restraints on sales of location data – at least to the Russian and Chinese governments and maybe to anybody – are in order.
The Big Report claims that online child sexual abuse has exploded. I offer a muted, squeamish critique. It’s clear that this is a serious problem and that more legal and platform efforts are needed. However, the authors undermined their case by lumping nude selfies of children together with truly disgusting material.
Dmitri and I issue a public service announcement about a Zelle fraud scheme that exploits the very security practices banks want us to adopt. We will all regret our old habits when we fall for it. We hope this will also encourage banks to use hardware tokens rather than text messages to verify transactions.
Mandiant and Germany are fighting over the attribution of the Ghostwriter hacking group. Germany supports the EU’s assertion that it is Russia. Mandiant says it is Belarus. Dmitri said, “Never put your money against Mandiant when it comes to attribution.” It’s hard to disagree.
Dmitri and I join in a tribute to Alan Paller, who passed away last week. He was a major influence in cybersecurity and a role model for successful entrepreneurs who want to give back using their institution-building skills.
Listen to Episode 384 (mp3)
Subscribe to The Cyberlaw Podcast via iTunes, Google Play, Spotify, Pocket Casts or RSS Feed. The Cyberlaw Podcast invites your feedback. Follow us on Twitter at @stewartbaker. Send your questions, comments, and suggestions for topics or interviewees to CyberlawPodcast@steptoe.com. You will receive a Cyberlaw Podcast mug if you suggest a guest!
These podcasts are the views of the speaker and not those of their clients, institutions, friends, family, pets, or colleagues.