The Cyberlaw Podcast: What To Do About Deplatformed Data?

Stewart Baker
Wednesday, November 24, 2021, 9:06 AM

Published by The Lawfare Institute
in Cooperation With

Among the many problems with the current social media enthusiasm for deplatforming is this question: What do you do with all the data generated by people you deplatformed?

Facebook’s answer, as you’d expect, is that Facebook can do what it wants with the data, which mostly means deleting it. Even if it’s evidence of a crime? Yes, says the platform, unless law enforcement asks us to save it. The legal fight over a deplatformed group that defended historical statues (and may have shot someone in the process) will tell us something about the law of deplatformed data, as will the fight over Gambia’s effort to recover evidence of deplatformed human rights evidence. In the end, though, we need a law on this question. Because, given their track record in content moderation, leaving the question to the discretion of social media will translate into platforms’ preserving only evidence that hurts people they hate.

Tired: Data breach reporting. Wired: Cyber incident reporting. The unanimous view of our news panelists, Paul Rosenzweig and Dmitri Alperovitch, is that cyber policy has turned from reporting personal data breaches to reporting serious cyber intrusions no matter what data is compromised. The latest example is the financial regulators’ adoption of a rule requiring banks and similar institutions to report major cyber incidents within 36 hours of determination that one has occurred.

But who will make that determination and with what certainty? Dmitri’s money is on the lawyers. I think there’s a great ER-style drama in the process: “OK, I’m going to call it. No point in trying to keep this alive any longer. Time of determination is 2:07 pm.”

Back after a long absence, we add an interview to the news roundup. David “moose” Wolpoff and Dan MacDonnell of Randori explain the consternation over their startup’s use of a serious vulnerability to conduct realistic penetration tests of buttoned-up networks instead of reporting it right away to the software provider. They argue that the value of zero days for pentesting is great and the risk of harm low, if handled responsibly. In fact, the debate sounds a lot like the arguments around the table at a government Vulnerability Equities Process (VEP) meeting. And that makes me wonder whether the people pushing for a stricter VEP have any idea at all what they’re talking about.

Dmitri lays out the surprising complexity and sophistication of the Iranian attempt to influence the 2020 election. I’m less convinced. The Iranian effort failed, after all, and it resulted in the hackers’ indictment.

I dig into a recent brief by Hikvision claiming that the FCC lacks authority to bar sales of its products in the U.S. I’m only half convinced by the legal claim, but I am sure of this: The Hikvision argument has created an opportunity for some enterprising politician to sponsor quick, uncontroversial legislation giving the FCC the authority that Hikvision says it doesn’t have.

Dmitri explains the latest advance of the hardware hack known as Rowhammer. It may not be deployed routinely even now, he says, but the exploit makes clear that we will never entirely secure our cyber infrastructure.

Paul and I agree that it’s perfectly legal for the government to buy advertising data that shows citizens’ locations. We more or less agree that some restraint on sales of location data—at least to the Russian and Chinese governments and maybe to anybody—is in order.

Paul and I offer muted and squeamish criticism of a Big Report claiming that child sexual abuse is exploding online. There’s no doubt that it’s a problem that deserves more legal and platform effort, but the authors did their cause no favors by mixing kids exchanging nude selfies with truly loathsome material.

Dmitri and I perform a public service announcement about a scam that takes advantage of security habits that the banks have encouraged us to get used to. Zelle fraud is going to make us all regret those habits.

And hopefully it will finally get banks to use hardware tokens instead of text messages to verify our transactions.

Germany and Mandiant are at odds in attributing the government sponsor of the Ghostwriter hacking gang. Germany, backed by the EU, says it’s Russia. Mandiant says it’s Belarus.

Dmitri says “Never bet against Mandiant on attribution.” I can’t disagree.

Finally, Dmitri joins me in an appreciation of Alan Paller, who died last week. He was a major influence in cybersecurity, and a role model for successful entrepreneurs who want to give back using their institution-creating skills.

Download the 384th Episode (mp3)

You can subscribe to The Cyberlaw Podcast using iTunes, Google Play, Spotify, Pocket Casts, or our RSS feed. As always, The Cyberlaw Podcast is open to feedback. Be sure to engage with @stewartbaker on Twitter. Send your questions, comments, and suggestions for topics or interviewees to Remember: If your suggested guest appears on the show, we will send you a highly coveted Cyberlaw Podcast mug!

The views expressed in this podcast are those of the speakers and do not reflect the opinions of their institutions, clients, friends, families or pets.

Stewart A. Baker is a partner in the Washington office of Steptoe & Johnson LLP. He returned to the firm following 3½ years at the Department of Homeland Security as its first Assistant Secretary for Policy. He earlier served as general counsel of the National Security Agency.
