TechLetters #166 ICRC calls for new rules of cyberwarfare protecting civilians and objects. Political influence by digital platforms. DMA.
Security
New rules protecting against the consequences of cyber attacks are needed. A strong statement from the ICRC: "Interpretations of International Humanitarian Law that focus solely on the protection of civilian objects against physical damage [due to cyberattacks] are insufficient in the ICT environment". I’ve got a feeling that the ICRC is on the right track. Where does this lead? Why is this important? The ICRC traditionally does not accept the existence of grey zones where no rules would apply. This is sensible: it should not be accepted that civilians are left without protection in hypothetical 'grey zones' where (allegedly) 'no rules apply'. Now, for the first time, the ICRC underlines the potential necessity of new rules, signalling a potential vacuum. While the point is raised in the modest setting of the UN Open-Ended Working Group, there are two aspects here. Concretely: ambiguous or bogus readings and interpretations of existing law by States. In other words, precision about what rules such as the ‘distinction between combatant and civilian [person/object]’ even mean. One may express an “interpretation” in one sentence, but it will carry no meaning.
Responsible uses of spyware. Australia, Canada, Costa Rica, Denmark, France, New Zealand, Norway, Sweden, Switzerland, the UK and the US have signed an agreement to use software surveillance systems (spyware) in a way that respects human rights. Many more states signed a similar Pall Mall Process text. The Pall Mall Process concerns the responsible development and use of spyware systems. Such systems will be used; the question is how. Transparency here is about understanding "supply chains".
Post-quantum cryptography migration. "Two percent of all TLS 1.3 connections established with Cloudflare are secured with post-quantum cryptography". The end goal year is unclear.
How to provoke opposition, exert influence for political change, riots perhaps? Use notifications! Send a notification to millions of people and it immediately pops up on everyone's screen. Some applications are trusted, so the chance of influencing the user increases. By the way, TikTok used its notification infrastructure recently.
Cyber threat actor accessed Microsoft's internal systems. Including those hosting source code.
Privacy
The text of the ruling about the IAB Transparency & Consent Framework explains the rationale. It's short and clear. User preferences are private data, especially when additional identifiers (like IP address or cookie) are in use. This may challenge some privacy engineering configurations and technical setups. The mere potential to access private information (like IP, but also others), even if it is technically isolated or perhaps encrypted, may suffice to count as processing of personal data.
Meta claims that its pay-or-ads choice is compliant with the Digital Markets Act and GDPR. "People can choose to continue to use Facebook and Instagram with ads, or they could choose to pay a monthly fee" (€9.99 per month). They say that it is fine with #GDPR, and argue that this is supported by (yes, an actual) EU Court.
Technology Policy
Apple and the Digital Markets Act. Apple lets EU users install apps from other marketplaces, to comply with the Digital Markets Act. However, once a user leaves the EU, this option may stop working, including the ability to install security updates. “If you leave the European Union for short-term travel, you'll continue to have access to alternative app marketplaces for a grace period. If you're gone for too long, you'll lose access to some features, including installing new alternative app marketplaces. Apps you installed from alternative app marketplaces will continue to function, but they can't be updated by the marketplace you downloaded it from.”
Amazon AWS and Digital Markets Act? :-) "we’re waiving data transfer out to the internet (DTO) charges when you want to move outside of AWS".
TikTok and the DMA. Again, portability: easier to move data out.
U.S. Congress proposal to ban TikTok unless ByteDance divests. The bill (Foreign Adversary Controlled Applications Act) would force App Stores (Google, Facebook) to remove TikTok or pay fines of $5,000 * number of users (a lot). Progressive Web Apps may bypass this.
Detection and labelling of generative-AI-made content. Generative-AI-manufactured images will have to be labelled (a legal requirement). Here's some input from Meta.