Steptoe Cyberlaw Podcast: An Interview with Angelos Keromytis

Episode 118 digs deep into DARPA’s cybersecurity research program with our guest, Angelos Keromytis, associate professor at Columbia and Program Manager for the Information Innovation Office at DARPA. Angelos paints a rich picture of a future in which we automate attribution across networks and international boundaries and then fuse bits of attribution data as though they were globules of the Terminator reassembling into human form.

In the news roundup, a district court judge takes NIT-picking to an extreme, quietly deep-sixing child porn evidence because the FBI would not disclose its Network Investigative Technique. Michael Vatis and I wonder why such an important call would not be dignified by a written opinion. Michael and I also trade assessments of Twitter’s latest effort to revive its faltering lawsuit to reveal how many national security discovery orders it has received. Michael is more bullish than I am on Twitter’s prospects.

The EU has officially given up on competing with the rest of the world on internet technology, and it has gone back to its roots – using regulation to at least force successful companies to pay a toll of hassle and forelock-tugging in Brussels. Maury Shenk has the facts (if not quite the attitude): In recent days, the EU has announced that it is trying halfheartedly to erase national boundaries in online sales, imposing its egregious European content regulations for companies like Netflix, litigating over the lawfulness of US companies relying on standard data protection contract terms, moving forward with bitcoin and blockchain regulation, and fighting over which European institution can pretend the loudest that it could have won a better deal from the US in the Privacy Shield talks. Whew! That’s what passes for A Job Well Done in Brussels.

The US Senate, in contrast, really is doing a good job, at least so far I explain, by requiring that fans of ECPA reform agree to correct a drafting error that has kept the FBI from getting electronic communications transactional records with a national security letter. The Silicon Valley U-turn ‒ from providing to refusing such data for an NSL ‒ has driven the FISA 215 workload through the roof as the FBI seeks an alternative mechanism. Remarkably, the data is already available with an NSL in ordinary criminal investigations, but swamping the FBI’s resources in terrorism cases apparently passes for civil liberties campaigning these days.

Luckily, both the intelligence committee and the judiciary committee think the time is now to fix the oversight; if that means attaching it to ECPA reform, they’d only be using a legislative hostage-taking tactic that privacy campaigners honed to perfection in decades past.

Alan Cohn, finally, brings us up to date on SWIFT and its travails. I channel Paul Rosenzweig, asking how serious an institution can be about cybersecurity if it’s just getting around to recommending two-factor authentication.