New EU rules would require chat apps to scan private messages for child abuse

The European Commission has proposed controversial new regulation that would require chat apps like WhatsApp and Facebook Messenger to selectively scan users’ private messages for child sexual abuse material (CSAM) and “grooming” behavior. The proposal is similar to plans mooted by Apple last year but, say critics, much more invasive.

After a draft of the regulation leaked earlier this week, privacy experts condemned it in the strongest terms. “This document is the most terrifying thing I’ve ever seen,” tweeted cryptography professor Matthew Green. “It describes the most sophisticated mass surveillance machinery ever deployed outside of China and the USSR. Not an exaggeration.”

Jan Penfrat of digital advocacy group European Digital Rights (EDRi) echoed the concern, saying, “This looks like a shameful general #surveillance law entirely unfitting for any free democracy.” (A comparison of the PDFs shows differences between the leaked draft and final proposal are cosmetic only.)

The regulation would establish a number of new obligations for “online service providers” — a broad category that includes app stores, hosting companies, and any provider of “interpersonal communications service.”

The most extreme obligations would apply to communications services like WhatsApp, Signal, and Facebook Messenger. If a company in this group receives a “detection order” from the EU, it would be required to scan selected users’ messages to look for known child sexual abuse material as well as previously unseen CSAM and any messages that may constitute “grooming” or the “solicitation of children.” These last two categories of content would require the use of machine vision tools and AI systems to analyze the context of pictures and text messages.

[…]

“The proposal creates the possibility for [the orders] to be targeted but doesn’t require it,” Ella Jakubowska, a policy advisor at EDRi, told The Verge. “It completely leaves the door open for much more generalized surveillance.”

[…]

Source: New EU rules would require chat apps to scan private messages for child abuse – The Verge

US secretly issued subpoena to access Guardian reporter’s phone records

The US justice department secretly issued a subpoena to gain access to details of the phone account of a Guardian reporter as part of an aggressive leak investigation into media stories about an official inquiry into the Trump administration’s child separation policy at the southern border.

Leak investigators issued the subpoena to obtain the phone number of Stephanie Kirchgaessner, the Guardian’s investigations correspondent in Washington. The move was carried out without notifying the newspaper or its reporter, as part of an attempt to ferret out the source of media articles about a review into family separation conducted by the Department of Justice’s inspector general, Michael Horowitz.

It is highly unusual for US government officials to obtain a journalist’s phone details in this way, especially when no national security or classified information is involved. The move was all the more surprising in that it came from the DoJ’s inspector general’s office – the watchdog responsible for ethical oversight and whistleblower protections.

Katharine Viner, the Guardian’s editor-in-chief, decried the action as “an egregious example of infringement on press freedom and public interest journalism by the US Department of Justice”.

[…]

Source: US secretly issued subpoena to access Guardian reporter’s phone records | US news | The Guardian

A colony of blue-green algae can power a computer for six months

Researchers from the University of Cambridge have managed to run a computer for six months, using blue-green algae as a power source.

A cyanobacterium called Synechocystis sp. PCC 6803, commonly known as “blue-green algae,” which produces oxygen through photosynthesis when exposed to sunlight, was sealed in a small container about the size of an AA battery, made of aluminum and clear plastic.

The research was published in the journal Energy & Environmental Science.

Christopher Howe from the University of Cambridge and colleagues claim that similar photosynthetic power generators could be the source of power for a range of small devices in the future, without the need for the rare and unsustainable materials used in batteries.

The computer was placed on a windowsill at one of the researchers’ houses during the lockdown period due to COVID-19 in 2021, and stayed there for six months, from February to August.

The blue-green algae battery provided a continuous current across its anode and cathode that ran a microprocessor.

The computer ran in repeating cycles: 45 minutes of calculating sums of consecutive integers, a stand-in for a real computational workload that drew 0.3 microwatts, followed by 15 minutes of standby that drew 0.24 microwatts.

The microcontroller measured the device’s current output and stored this data in the cloud for researchers to analyze.

Howe suggests two possible explanations for the power source. Either the bacteria themselves produce electrons, which creates a current, or they create conditions in which the aluminum anode in the container corrodes in a chemical reaction that produces electrons.

The anode did not degrade significantly over the course of the experiment, so the researchers believe the bacteria produce the bulk of the current.

[…]

Source: A colony of blue-green algae can power a computer for six months

EU governments, lawmakers agree on tougher cybersecurity rules for key sectors

EU countries and lawmakers agreed on Friday to tougher cybersecurity rules for large energy, transport and financial firms, digital providers and medical device makers amid concerns about cyber attacks by state actors and other malicious players.

The European Commission two years ago proposed rules on the cybersecurity of network and information systems, called the NIS 2 Directive, expanding the scope of the current rule known as the NIS Directive.

The new rules cover all medium and large companies in essential sectors – energy, transport, banking, financial market infrastructure, health, vaccines and medical devices, drinking water, waste water, digital infrastructure, public administration and space.

All medium and large firms in postal and courier services, waste management, chemicals, food manufacturing, medical devices, computers and electronics, machinery equipment, motor vehicles, and digital providers such as online market places, online search engines, and social networking service platforms will also fall under the rules.

The companies are required to assess their cybersecurity risk, notify authorities and take technical and organisational measures to counter the risks, with fines up to 2% of global turnover for non-compliance.

EU countries and EU cybersecurity agency ENISA could also assess the risks of critical supply chains under the rules.

[…]

Source: EU governments, lawmakers agree on tougher cybersecurity rules for key sectors | Reuters

Web ad firms scrape email addresses before you press the submit button

Tracking, marketing, and analytics firms have been exfiltrating the email addresses of internet users from web forms prior to submission and without user consent, according to security researchers.

Some of these firms are said to have also inadvertently grabbed passwords from these forms.

In a research paper scheduled to appear at the Usenix ’22 security conference later this year, authors Asuman Senol (imec-COSIC, KU Leuven), Gunes Acar (Radboud University), Mathias Humbert (University of Lausanne) and Frederik Zuiderveen Borgesius (Radboud University) describe how they measured data handling in web forms on the top 100,000 websites, as ranked by research site Tranco.

The boffins created their own software to measure email and password data gathering from web forms – structured web input boxes through which site visitors can enter data and submit it to a local or remote application.

Providing information through a web form by pressing the submit button generally indicates the user has consented to provide that information for a specific purpose. But web pages, because they run JavaScript code, can be programmed to respond to events prior to a user pressing a form’s submit button.

And many companies involved in data gathering and advertising appear to believe that they’re entitled to grab the information website visitors enter into forms with scripts before the submit button has been pressed.

[…]

“Furthermore, we find incidental password collection on 52 websites by third-party session replay scripts,” the researchers say.

Replay scripts are designed to record keystrokes, mouse movements, scrolling behavior, other forms of interaction, and webpage contents in order to send that data to marketing firms for analysis. In an adversarial context, they’d be called keyloggers or malware; but in the context of advertising, somehow it’s just session-replay scripts.
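As an added example that is not part of the Register article or of the researchers’ measurement tooling, the script below simulates the two behaviours described above: an email harvester that fires on a field’s blur event, before any submit event exists, and a session-replay recorder that logs every keystroke and, unless it filters on the input type, incidentally records the password as well. It runs under Node and uses the built-in EventTarget as a stand-in for DOM inputs; the FakeInput and FakeForm classes, the user “alice@example.com” and the password value are constructed for the demonstration and are not real page data.

```javascript
// Added example (not from the article or the paper): simulates pre-submit
// form scraping with Node's built-in EventTarget standing in for DOM nodes.
// Assumption: a field object carries `type`, `name` and `value` like an
// <input>; no real browser or third-party script is involved.

// Minimal stand-in for an <input> element (constructed, not a real DOM node).
class FakeInput extends EventTarget {
  constructor(type, name) {
    super();
    this.type = type;
    this.name = name;
    this.value = '';
  }
  // Mimics a user typing: each character fires an 'input' event,
  // and leaving the field fires 'blur'. Neither is a submit.
  typeText(text) {
    for (const ch of text) {
      this.value += ch;
      this.dispatchEvent(new Event('input'));
    }
    this.dispatchEvent(new Event('blur'));
  }
}

// Minimal stand-in for a <form>: submit is a separate, later event.
class FakeForm extends EventTarget {
  constructor(inputs) {
    super();
    this.inputs = inputs;
  }
  submit() {
    this.dispatchEvent(new Event('submit'));
  }
}

// Tracker pattern from the article: harvest anything email-shaped on blur,
// i.e. before the user has consented by pressing submit.
function attachEmailHarvester(form, sink) {
  for (const input of form.inputs) {
    input.addEventListener('blur', (ev) => {
      const v = ev.target.value;
      if (ev.target.type === 'email' || /^[^@\s]+@[^@\s]+$/.test(v)) {
        sink.push({ field: ev.target.name, value: v });
      }
    });
  }
}

// Session-replay pattern: record every keystroke in every field.
// With maskPasswords=false this incidentally records the password too.
function attachReplayRecorder(form, sink, { maskPasswords }) {
  for (const input of form.inputs) {
    input.addEventListener('input', (ev) => {
      const t = ev.target;
      const masked = maskPasswords && t.type === 'password';
      sink.push({
        field: t.name,
        value: masked ? '*'.repeat(t.value.length) : t.value,
      });
    });
  }
}

// Runs one sign-up interaction and returns what each sink had collected
// at the moment just before the user pressed submit.
function runScenario({ maskPasswords }) {
  const email = new FakeInput('email', 'email');
  const pw = new FakeInput('password', 'password');
  const form = new FakeForm([email, pw]);
  const emailSink = [];
  const replaySink = [];
  let submitted = false;
  form.addEventListener('submit', () => { submitted = true; });
  attachEmailHarvester(form, emailSink);
  attachReplayRecorder(form, replaySink, { maskPasswords });

  // Constructed sample input for the demonstration.
  email.typeText('alice@example.com');
  pw.typeText('hunter2');

  const pwRecords = replaySink.filter((r) => r.field === 'password');
  const beforeSubmit = {
    submitted,                                   // still false here
    emails: emailSink.map((e) => e.value),       // already exfiltrated
    lastPasswordKeystroke: pwRecords[pwRecords.length - 1].value,
  };
  form.submit(); // only now does the user actually consent
  return beforeSubmit;
}

console.log(JSON.stringify(runScenario({ maskPasswords: false })));
```

The only signal a replay script has for “do not record this” is the input’s type attribute; the maskPasswords switch models that check, and the 52 sites the researchers found are what it looks like when the check is missing or the field is not declared as a password field.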

[…]

Source: Web ad firms scrape email addresses before you know it • The Register