At a glance.
- The impact of the UK’s new Online Safety Bill on encrypted messaging apps.
- FTC publishes guidance for AI companies.
- A regulatory storm could be brewing for cloud companies.
The impact of the UK’s new Online Safety Bill on encrypted messaging apps.
WhatsApp is unhappy with the UK government’s new online safety legislation. Will Cathcart, head of the Meta-owned messaging platform, traveled to London to tell legislators exactly how he feels about the UK’s proposed new Online Safety Bill, which he says is one of the most alarming regulations he’s seen from a Western democracy. “It’s hard to imagine we're having this conversation about a liberal democracy that might go around people's ability to communicate privately,” Cathcart stated. His main concern is that the new law could make it difficult for WhatsApp to provide end-to-end encryption, one of the platform’s main security features. As Wired explains, the measure’s intent is to hold tech giants accountable for the content shared on their platforms, but Cathcart is worried about a call for the use of “accredited technology” to identify child sexual abuse material (CSAM). Cathcart says such technology doesn’t exist, and even if it did, it would likely force WhatsApp to break its encryption. Some digital rights experts agree. Barbora Bukovská, senior director for law and policy at Article 19, a digital rights group, says, “Nobody’s defending CSAM. But the bill has the chance to violate privacy and legislate wild surveillance of private communication. How can that be conducive to democracy?” Proponents of the bill say encrypted platforms like WhatsApp aren’t as effective at detecting CSAM as unencrypted platforms, and that the new bill will focus on scanning for illicit content. Michael Tunks, head of policy and public affairs at the British nonprofit Internet Watch Foundation, states, “The bill does not seek to undermine end-to-end encryption in any way. The online safety bill is very clear that scanning is specifically about CSAM and also terrorism. The government has been pretty clear they are not seeking to repurpose this for anything else.”
FTC publishes guidance for AI companies.
The US Federal Trade Commission’s (FTC) Division of Advertising Practices released new guidance on its Business Blog warning artificial intelligence companies against making marketing claims that might trick the public into believing their products do more than they actually can. The post says “themes of magic and science” might convince consumers that AI tech is more powerful than it actually is. In order to ensure they’re not making unsupported claims about their products’ abilities, the post urges AI marketers to ask themselves whether they might be exaggerating what their products can do, or even whether they might be using the term “artificial intelligence” too loosely. The FTC also urges AI companies to perform risk evaluations to identify the possible negative impacts an AI product could have, such as biased results or unfair outcomes. Cooley’s cyber/data/privacy insights blog warns that staff guidance like this is often followed by FTC investigations and enforcement actions, so AI companies should take the blog post as a signal to tighten up their product claims.
A regulatory storm could be brewing for cloud companies.
The appeal of the cloud, with its unlimited storage capacity, sophisticated software, and seemingly strong security, has led businesses and government agencies to place some of their most sensitive data in the hands of cloud providers like Amazon, Microsoft, Google, and Oracle. However, recent data breaches have made it clear that the cloud is not as safe as it might seem, and the Biden administration is devising a plan to regulate the security practices of this booming industry. Kemba Walden, acting national cyber director, told POLITICO, “If [the cloud is] disrupted, it could create large potentially catastrophic disruptions to our economy and to our government.” The sheer volume of important data stored on the cloud makes it an enticing target for cybercriminals. What’s more, because each cloud provider provides services to multiple clients, an attack on one provider could impact everyone from tiny companies to critical infrastructure operators to powerful government bodies like the Central Intelligence Agency. Marc Rogers, chief security officer at security firm Q-Net and former head of information security at Cloudflare, summed it up, “A single cloud provider going down could take down the internet like a stack of dominos.” In the long-awaited National Cybersecurity Strategy released just last week, the Biden administration warned that further scrutiny of the cloud industry is coming, and regulations could follow. The goal is to motivate cloud providers to take the burden of security off of their clients, many of whom do not have the know-how or the resources to keep up with the ever-evolving threat landscape. John Costello, the recently departed chief of staff in the Office of the National Cyber Director, says, “The market has not provided for all the measures necessary to ensure that it’s not being inappropriately used, that it’s resilient, and that it’s being good caretakers of the small and medium-sized business under its umbrella.”
Chris Dorman, CTO of Cado Security, is dubious about the usefulness of government regulation of cloud providers:
"The major cloud service providers are the best in the world at managing and securing cloud infrastructure. To question their abilities and infer that the U.S. government would 'know better' in terms of regulation and security guidance would be misleading. Adding know your customer requirements to cloud providers is well intentioned, but risks pushing attackers to use services that are further from the reach of law enforcement.
"The biggest threat right now to cloud infrastructure is more physical disasters, rather than technology failures. The financial services industry is a great example of how a sector diversifies activity across multiple cloud providers, to avoid any points of failure. Critical infrastructure entities modernizing towards the cloud need to think about disaster recovery plans. Most critical infrastructure entities are not in a position to go fully multi-cloud, limiting points of exposure."