The impact of the new UK online security bill on encrypted messaging apps. The FTC publishes a guide for AI companies. Cloud regulation.

Take a look

  • The impact of the new UK online security bill on encrypted messaging apps.
  • The FTC publishes a guide for AI companies.
  • A regulatory storm could be brewing for cloud companies.

The impact of the new UK online security bill on encrypted messaging apps.

WhatsApp is not happy about the UK government’s new online security legislation. Will Cathcart, head of the Meta-owned messaging platform, traveled to London to tell lawmakers exactly how he feels about the UK’s proposed new online safety bill, which he says is one of the most alarming things he has seen in a Western democracy. “It’s hard to imagine that we’re having this conversation about a liberal democracy that could revolve around people’s ability to communicate in private,” Cathcart said. His main concern is that the new law could make it more difficult for WhatsApp to provide end-to-end encryption, one of the platform’s main security features. As Wired explains, the intent of the measure is to hold tech giants accountable for content shared on their platforms, but Cathcart is concerned about a call for the use of “reputable technology” to identify child sexual abuse material (CSAM). Cathcart says that such technology doesn’t exist, and even if it did, it would likely force WhatsApp to crack its encryption. Some digital rights experts agree. Barbora Bukovská, senior director of law and policy at Article 19, a digital rights group, says: “No one is defending CSAM. But the bill has the potential to violate privacy and legislate savage surveillance of private communication. How can that lead to democracy?” Proponents of the bill say that encrypted platforms like WhatsApp are not as effective at detecting CSAM as unencrypted platforms, and that the new bill will focus on scanning for illicit content. Michael Tunks, head of policy and public affairs at UK non-profit Internet Watch Foundation, says: “The bill is not intended to undermine end-to-end encryption in any way. The Online Security Bill is very clear that scanning is specifically about CSAM and also about terrorism. The government has been quite clear that they are not looking to reuse this for anything else.”

The FTC publishes a guide for AI companies.

The Advertising Practices Division of the US Federal Trade Commission (FTC) published new guidance on its business blog, warning artificial intelligence companies against making marketing claims that could mislead the public into believing that their products do more than they really can. The publication says the “magic and science themes” could convince consumers that AI technology is more powerful than it actually is. To make sure they aren’t making unsubstantiated claims about their products’ capabilities, the post urges AI marketers to ask themselves if they might be exaggerating what their products can do, or even if they might be using the term “artificial intelligence” too loosely. The FTC also encourages AI companies to conduct risk assessments to identify potential negative impacts an AI product could have, such as biased or unfair results. Cooley’s Cybersecurity/Data/Privacy Information warns that staff guidance like this is often followed by FTC investigations and enforcement actions, so you should take the blog post as a sign to bolster your claims about the product.

A regulatory storm could be brewing for cloud companies.

The lure of the cloud, with its unlimited storage capacity, sophisticated software, and seemingly strong security, has led businesses and government agencies to place some of their most sensitive data in the hands of cloud providers like Amazon, Microsoft, Google, and Oracle. However, recent data breaches have made it clear that the cloud is not as secure as it might seem, and the Biden administration is laying out a plan to regulate the security practices of this booming industry. Kemba Walden, acting national cyber director, told POLITICO: “If [the cloud is] disrupted, it could create large, potentially catastrophic disruptions to our economy and our government.” The sheer volume of important data stored in the cloud makes it an attractive target for cybercriminals. Also, because each cloud provider serves multiple customers, an attack on one provider could affect everyone from small businesses to critical infrastructure operators to powerful government bodies like the Central Intelligence Agency. Marc Rogers, director of security at security company Q-Net and former head of information security at Cloudflare, summed it up: “The failure of a single cloud provider could wipe out the Internet like a stack of dominoes.” In the long-awaited National Cybersecurity Strategy released last week, the Biden administration warned that increased scrutiny of the cloud industry is ahead and that regulations could follow. The goal is to motivate cloud providers to take the security burden off their customers, many of whom don’t have the knowledge or resources to keep up with the ever-evolving threat landscape. John Costello, the recently deceased chief of staff for the Office of the National Cyber Director, says: “The market has not provided all the necessary measures to ensure that it is not used inappropriately, that it is resilient, and that it is being a good caretaker of small and medium-sized companies under its umbrella.”

Chris Dorman, CTO of Cado Security, has doubts about the usefulness of government regulation of cloud providers:

“The major cloud service providers are the best in the world at managing and protecting cloud infrastructure. It would be misleading to question their capabilities and infer that the US government would “know better” in terms of regulation and security guidance to cloud providers means well, but risks pushing attackers to use services that are further out of law enforcement’s reach.

“The biggest threat right now to cloud infrastructure is more physical disasters, rather than technology failures. The financial services industry is a great example of an industry diversifying activity across multiple cloud providers, to avoid any point of failure. Critical infrastructure entities modernizing to the cloud need to think about disaster recovery plans. Most critical infrastructure entities are not in a position to go fully multi-cloud, which limits points of failure exposure.”

James D. Brown