Hey everyone, I'm James Wilson and welcome to Seriously Risky Business. This is our podcast all about cybersecurity policy and intelligence. In a moment, I'm going to bring in Tom Yuren. Tom is our policy and intelligence editor and we are going to have a chat about this week's Seriously Risky Biz newsletter that Tom has produced. And if you haven't already subscribed to that, head on over to our website at risky.biz where You can find his newsletter, have a read of it, and also subscribe. But first, I would also like to thank our sponsor for this week. Our sponsor is Nebulok, and you can find them at nebulok.io. Tom, how are you? Good, James. Welcome to Seriously Risky Business. Thank you, Matt. It is a privilege to step in for Enverly and host this one with you. Tom, I've read through your newsletter this week. It's super interesting, two quite different topics. But let's first start with Musk and his snubbing of the French authorities. and you draw some interesting parallels to the, I guess, habit that the French now have of going after CEOs of companies when they want to apply pressure. So take us through this story. Yeah, so what happened is that at the beginning of this year, Grok went wild and was producing a whole lot of sexually explicit deep fakes, including some of children. and this was shortly after a French lawmaker, a French centrist lawmaker complained to authorities that the platform was being politically biased and was being used to influence, I don't think he explicitly said it, but I think the assumption is it was being used to influence French politics. And so the French cybercrime group, There's a very aggressive unit in Paris They launched an investigation They raided X's offices And at the same time They summoned Elon Musk And the former CEO of X Linda Iaccarino To turn up for Air quotes Voluntary interviews With the police And those voluntary interviews Were to have been on Monday Musk didn't turn up Shocking Now, this very strongly reminded me of Pavel Durov, who is the CEO and one of the founders of Telegram. The backstory there is that Telegram was notorious for not responding to law enforcement queries, not helping child abuse organizations and, you know, talk to the hand. We're not interested in helping. And these same French prosecutors arrested Durov when he flew into Paris. Yeah, that was not a you're invited to come and talk to us. That was a we've got you. We picked you up, right? Yeah, that's right. Yeah. And that felt like to me we've exhausted all other avenues. We now have a law that will allow us to do this. And it really applied a lot of pressure to Durov personally. And surprise, surprise, telegrams, moderation practices improved a lot. Right. At least while Durov was held in France. Um, now the, you know, that's a clear example of applying pressure directly to the individuals in charge, like surprise, surprise, that works. And it feels like this is the same tactic and it's, you know, putting the spotlight on a key individual and trying to get some change. The, um, I think the Musk is never going to get arrested in France. I mean, the key distinction here is that, uh, you know, Durov was a French citizen, right? So you're obviously playing on very different rules there. And I think you've drawn the interesting connection here to the fact that not only is Musk quite willing to snub this, but he's got some pretty strong backing from the government that shares his ideology, shall we say, in the US. Yeah, that's right. So the US Department of Justice, well, the French asked for US cooperation. They make a number of claims. One of them I think is a bit weird. I don't really talk about it in the newsletter at all, but they say that part of the controversy, the intent around the sexually explicit deepfakes was to actually bolster X ahead of a potential IPO. That seems like it's stretching a bit, but, you know, the French did raid X's offices. So maybe they have some correspondence. I don't know. Yeah. But the US Department of Justice said, no, we're not going to help. And they actually have a really strong statement that was, surprise, surprise, the Wall Street Journal has seen. And it talks about the investigation seeks to use the criminal legal system in France to regulate a public square for the free expression of ideas and opinions in a manner contrary to the First Amendment of the United States Constitution. Of course. Of course. It talks about it being a politically charged criminal proceeding. And so I think there's, you know, no one came to Durov's help. Right, right. The Russian government, because he's a Russian citizen as well, did not, you know, speak up strongly. And if they had, well, who would care? I think this is a very different situation I also think that the types of alleged wrongdoing is very different like so rock it looked like to me that it was producing a whole lot of sexually explicit deepfakes yeah well that what i mean they make these claims of like oh it was all baseless it's like but it was it was there now now in their defense they did tighten up on that right so i still haven't looked but i don't see any talk of it being um i think it's not perfect but i don't think it's the same massive problem so they can take they have taken steps they do have policies they enforce them like very imperfectly to be sure um and one of the main complaints that they're a platform for bias and you know foreign influence like i think that's probably right but that's not the same thing as say telegram hosting uh cyber crime marketplace where billions of dollars billions of transactions and it's it's a clear um there's there's a clear you know i guess criminal activity going on there and no oversight of it but so when like what's the so what of this where does this go at the moment it's just with this aggressive french cyber um investigation but but like so so what what what What happens for you? So I think actually because the problems are kind of subjective, like influence, it's hard to prove. I think it will be hard to prove to a sort of criminal standard. Criminal standards are usually quite high. But I think what the cybercrime investigator is doing is just symptomatic of the problems European – it's not even European governments. European people have with the kind of ideology that Musk espouses. and they have lots of other tools. Regulators in general have lots of other tools where it's not to the same standard. So Europe has this thing called the Digital Services Act. One of the things it requires, which is actually pretty reasonable, platforms must assess the risks such as disinformation and election manipulation. So I actually link to a whole lot of studies that say that, yes, it turns out that X promotes right-wing ideologies, I think it's even hard to define what a neutral platform is when you step back and kind of think about what does it mean to be truly neutral. I don't think there's an easy answer, but I think it will be very hard for X to say we are that neutral platform when you have all these studies saying, no, people are pretty much influenced by X to be more right-wing. And so I think that a whole lot of European countries and the European Commission will be looking to that regulation and will be, you know, investigating X, probably finding it. It's already been fined for part of it was that you could just buy the verified checkmark. Right. Yes. So, you know, it went from being some sort of symbol of veracity to some sort of symbol that or proof that you had like $7 to spare. per month. And so they, X, got quite a big fine, 120 million euros. My understanding is that they're contesting that fine. Nobody's said that they've paid it. So I'm assuming that they're contesting it. Yeah. Yeah. And I think, as you said in the article here, that the fines are just going to mount up. And I think one thing that Musk is certainly a student of is how to drag things out in court and make things just last forever. But let's pivot now from Musk and speaking of regulators, 702, of course, back in the headlines once again, and I loved your headline here, if they've got 702 problems and the FBI has won. So what's the FBI done here and how does this sort of play into the current state of this 702 renewal? Yeah, okay. So for people who are unaware, Section 702 is a part of the Foreign Intelligence Surveillance Act. And it empowers authorities to ask domestic telcos and service providers to assist with intelligence collection. And it's a foreign intelligence act, but the collection occurs within U.S. firms. and it's being controversial because it occurs on American soil and inevitably Americans get caught up in this because, I mean, first of all, there's so many of them and they talk to people outside the world, I mean, in the rest of the world and so inevitably you'll have American communications caught up in there. Yeah. Is it fair to say it's virtually impossible to have a clean data set like this? Is that even a practical thing? From a foreign intelligence point of view, there's all the time you're coming across your own citizens because, you know, Australians, UK, US people, New Zealanders even, they're great travelers. So it's inevitable that they're going to be in your collection data set, even if you're collecting overseas. So from a foreign intelligence agency perspective, you accept that that's going to happen, but you have procedures to deal with that. Yeah. And so in the US they're called minimization procedures. You protect their identity and there certain exemptions threat to life stuff that actually makes sense where you protect their identities they kept anonymous unless it needed to save a life or something like that Yeah, yeah. And so it's an incredibly important data set for many reasons. But why does it even have this like renewal sort of thing? Like for someone that's not as familiar with this, it just feels like, oh, you know, this must be time for this whole thing. Yeah. So it's always been controversial. It was instituted after September 11. And so the incentives, I guess, or the drivers for lawmakers changed depending upon recent circumstances. And so after September 11, it obviously makes sense that you would do this and you would do it pretty much on the down low. But over time, the immediate threat of terrorism has receded and people have become more concerned about oversight, civil liberties. And so part of the provision has been the sunset clauses. So it's never been just implemented, off you go. Now, I actually think that's a good thing, having sunset provisions. what I've really noticed is that each time it comes up for reauthorization the intelligence community goes on the front foot to justify its existence by saying this is what it's really good for yeah so some a former DNI I believe called it director of national intelligence called it the crown jewel of American intelligence collection and each time it's come up there've been these examples of how it's been useful so last time it was yeah there's a whole lot of cyber security threats that are detected because of this. And we're able to tip off companies and let them know that there's potentially a ransomware problem. But I guess part of the challenge here is even those examples you just said, they sound like good uses of the data in terms of the outcome. Not to say the means justifies the end or the ends justifies the means, but what you just mentioned there, that's a far cry from September 11 terrorist attacks, right? Yeah, yeah. So this particular one, they talk about stopping a mass casualty event at a Taylor Swift concert. That actually seemed pretty impactful to me. They also talk about providing support to a raid that ended up killing the El Mencho, who was a Mexican drug cartel boss. They also talk about the disruption of a lot of fentanyl production and importation. So these are like big, impactful things. and there's also a whole lot of stuff that I'm sure they're not talking about, which is, you know, I don't know, theoretically, we were able to intercept the intelligence of, you know, such and such or such and such. You don't mention that stuff because clearly they could change their patterns of behaviour. El Mencho can't be killed twice, so it's pretty safe to mention that one. So the stories keep on coming. Like I believe that it's important and valuable. Like the, I don't think intelligence agencies usually lie about that sort of stuff. Yeah. But the sticking point here is the FBI, right? They are the bad actor, so to speak, that went a little bit nuts with this data set a little while ago. So it's interesting that before the last renewal, which was in 2024, there was this report from the Foreign Intelligence Surveillance Court. That's one of the oversight mechanisms. And it dove into the FBI and it was like the FBI was just querying it willy-nilly. Like every query will include that data set. They actually had criteria, which they were basically just not following. So it was, I imagine it was like a web portal, tick all the databases that you want to query. yeah um in theory you should only tick this one if you have a i think it was you know it had to be related to foreign intelligence you had to have a reasonable suspicion something something they were they made sense and they were just like by default everything was ticked all the time yeah and so i guess it's hard to know whether that was uh somewhere between willful ignorance or just uh misguided used you do you have any sense there yeah there was a lot of i paid attention to a lot of talk about it at the time and there was a fbi a pretty senior fbi official and he was asked directly why were you querying it and his answer was yeah i really don't know so my as in my interpretation of that is that it was just that it was always ticked yeah um and so it was on by default there wasn't any willful intent um to be uh what i would call abusive like the intent wasn't to sidestep protections. But they were doing it. But it was happening nevertheless. Yeah. Now, despite that being known, the FBI said, we'll do better after the last reauthorization. They did do better. Like their compliance rate improved a lot. There's still, I think it was described as 99% in a report. Yeah. But despite their improvements, Republicans in particular, are unhappy with the law as it stands. So it feels like there been well there has been a 10 extension that expires I think thursday next week yeah it not a long not a long time to extend this and to me it like this is we want something we want some sort of deal to make things tighter well and this is the part i wanted to try to understand better is that you know okay so if we recap here it's a very important data set it's it's known as the crown jewels there's been some sketchy uses of it in the past but it's getting better sunset clauses i can see why you you like them and would think they're important but if something's truly the crown jewels and it is repeatably uh showing its benefit it's hard to imagine it's ever going to be truly sunset but nevertheless when these renewals come up it feels like this is a point in time when you know various tweaks happen and etc so are we at this do you think we're at a sticking point on something really, really major, or is it literally just coming down to a couple of little red lines and little bits of tweaks? And do you have a sense of what those tweaks actually are that people are sort of horse trading about, to use your term? It's always framed as a warrantless way to get to Americans' communications. Right. So that's the key point, right? The warrantless thing surfaces those concerns of Yeah, yeah, yeah. So I am kind of maybe on board with maybe the FBI requiring a warrant to get to communications. Like at a stepping back, if the FBI wants to get Americans communications domestically, it needs to get a warrant. So I don't really see why it should be different because the data source is 702. I think it makes sense that they'd be able to query 702 when they've got the right justifications without needing a warrant? Like, is there even anything that's worth getting there? Yeah. But I don't think that makes sense for other agencies like NSA that are focused overseas because they're always coming across communications that are Americans. Like, it doesn't matter where the communication is occurring. That's the nature of the telecommunication system. and they've got procedures in place to deal with that already. They also don't have coercive domestic powers. Like the NSA doesn't come knocking on your door and arresting you. And so I think the risks are lower. Yeah. No, I think that makes sense, right? Domestic use should follow the domestic procedures, warrants, etc. I can see how that aligns well. But yes, I take your point that no sense in following a domestic or less sense in following a domestic policy for an international use. But the other thing that's been on my mind here is regardless of what's agreed to and what oversight is present and what rules might be tweaked or amended, we don't exactly have a US administration at the moment that seems particularly interested in following rules or, I don't know, being trustworthy. Yeah, so that's one of the interesting things is that people knew about the FBI at the last renewal 2024 and that was fine i think that the trump administration has removed a lot of oversight it's pretty clear they're not keen on oversight and now i think their interpretation is we should have free reign to do what we like and oversight is an impediment my view is that oversight is an enabler because if you've got strong oversight people have confidence that you're doing the right thing and they may even be willing to give you more powers. Yeah, but Tom, that seems like both far too sensible and also slightly too much of a long-term strategy for the folks in charge at the moment. Yeah, so I think that is seriously part of the problem. So there's Republicans there who, so for example, I quote in here Thomas Massey, who's a Republican from Kentucky. he's got serious concerns about the fbi implementation of fisa 702 this is in a tweet and he mentions a letter by senator wyden describing a secret government interpretation of fisa law so both of those things a senator should be able to say there's an oversight body that has looked at that and here is the truth here's a documented what the problem really is Yeah. And those are both. Well, I mean, the Pfizer document is that it raises serious concerns. But the letter by Senator Wyden is, is it kind of like hearsay? And so, you know, if you're trusting a letter from a senator more than oversight, I think that's a problem. You should be able to look at the oversight bodies and say, this is what the situation really is. You should be able to ask questions and get straight answers from the people implementing that. yeah well yeah i mean the clock is ticking so we will shortly see exactly where this uh where this lands and what happens but uh tom we might wrap it up there thanks so much this was a lot of fun to hang out and uh if you're not already subscribed to tom's newsletter do head over to our website risky top is where you can read and subscribe to tom's seriously risky biz newsletter and tom you'll be back again next week certainly well james all right see you then bye Thank you.
