Here is the free preview of yesterday's edition of The Wavelength.
The European Commission (EC) has put forward a new regulation that would require online platforms to search proactively for and take down “child abuse material,” and to do so as well in response to “detection orders” issued by member states. This proposed regulation follows the enactment of last year’s temporary departure from the ePrivacy Directive “for the purpose of combating online child sexual abuse.” The EC claims this new proposal will interfere neither with the Digital Services Act (DSA), which will remake how the European Union polices the online world, nor with the General Data Protection Regulation, which governs the processing and sharing of personal data. EU member states would need to designate agencies to enforce the new regime, and a new EU entity would be established to help with enforcement and compliance.
The EC contended in its press release that “[t]he current system based on voluntary detection and reporting by companies has proven to be insufficient to adequately protect children and, in any case, will no longer be possible once the interim solution currently in place expires.” The EC added:
To effectively address the misuse of online services for the purposes of child sexual abuse, clear rules are needed, with robust conditions and safeguards. The proposed rules will oblige providers to detect, report and remove child sexual abuse material on their services. Providers will need to assess and mitigate the risk of misuse of their services and the measures taken must be proportionate to that risk and subject to robust conditions and safeguards.
In concert with the proposed regulation, the EC published a European strategy for a Better Internet for Kids (BIK+) “to improve age-appropriate digital services and to ensure that every child is protected, empowered and respected online.” The EC claimed that the new strategy “sets out the vision for a Digital Decade for children and youth, based on three key pillars:
• Safe digital experiences, protecting children from harmful and illegal online content, conduct, and risks and improving their well-being through a safe, age-appropriate digital environment.
• Digital empowerment so that children acquire the necessary skills and competences to make informed choices and express themselves in the online environment safely and responsibly.
• Active participation, respecting children by giving them a say in the digital environment, with more child-led activities to foster innovative and creative safe digital experiences.”
Here are developments and articles from last month.
The United Kingdom’s House of Commons started on the second reading of the “Online Safety Bill,” and the Public Bill Committee is asking for “written evidence” to help it scrutinize the bill line by line. The committee stated its first sitting “is expected to be on Tuesday 24 May” and it “is scheduled to report by Thursday 30 June.” The government published supporting documentation, too: Online Safety Bill: impact assessment; Online Safety Bill: Regulatory Policy Committee opinion; Online Safety Bill: European Convention on Human Rights Memorandum; and Online Safety Bill: communications offences factsheet.
The California Assembly’s Privacy & Consumer Protection Committee passed “The California Age-Appropriate Design Code Act” (AB 2273), as amended, that is based on the United Kingdom's Information Commissioner's Office's (ICO) Age Appropriate Design Code (aka the Children’s Code) that arose from the “Data Protection Act 2018.”
Before leaving Washington for the Easter/Passover break, the United States (U.S.) Senate confirmed Laurie Locascio by voice vote as the Under Secretary of Commerce for Standards and Technology and the director of the National Institute of Standards and Technology (NIST).
The United States (U.S.) Federal Bureau of Investigation (FBI) published a private industry notification “informing Food and Agriculture (FA) sector partners that ransomware actors may be more likely to attack agricultural cooperatives during critical planting and harvest seasons, disrupting operations, causing financial loss, and negatively impacting the food supply chain.”
The European Council expanded a European Commission proposal on automated information sharing to fight crime to include “vehicle registration data, facial images and police records.”
Colorado’s Attorney General is asking for pre-rulemaking input on the “Colorado Privacy Act” (CPA) (Senate Bill 21-190) and has issued pre-rulemaking considerations. Attorney General Phil Weiser is looking to start notice and comment rulemaking this fall. In the considerations document, the Attorney General stated the CPA “gives the Colorado Attorney General three distinct categories of rulemaking authority: (1) specific, required authority to draft technical specifications for one or more universal opt-out mechanisms; (2) specific, discretionary authority to create rules governing a process of issuing opinion letters and interpretive guidance; and (3) broader discretionary authority to create rules for the purpose of carrying out the CPA.”
The University of Toronto’s Citizen Lab claimed that the UAE, India, Cyprus, and Jordan used Pegasus spyware to infect devices in the British Prime Minister’s Office and the Foreign and Commonwealth Office (FCO) (now the Foreign, Commonwealth and Development Office – FCDO).
The United States (U.S.) Cybersecurity and Infrastructure Security Agency (CISA) “recently launched the Secure Cloud Business Applications (SCuBA) project that was funded through the American Rescue Plan Act of 2021…established to develop consistent, effective, modern, and manageable security configurations that will help secure agency information assets stored within cloud environments.” CISA is asking for comments on two documents: the SCuBA Technical Reference Architecture (TRA), a security guide that agencies can use to adopt technology for cloud deployment, adaptable solutions, secure architecture, and zero trust frameworks; and the Extensible Visibility Reference Framework (eVRF) Guidebook, which provides an overview of the eVRF framework, which enables organizations to identify visibility data that can be used to mitigate threats, understand the extent to which specific products and services provide that visibility data, and identify potential visibility gaps.
The European Union Agency for Cybersecurity (ENISA) “published a map of national Coordinated Vulnerability Disclosure (CVD) policies in the EU Member States and made recommendations.”
The United States (U.S.) Food and Drug Administration (“FDA”) issued a draft guidance document “Cybersecurity in Medical Devices: Quality System Considerations and Content of Premarket Submissions” and is asking for comment.
The Australian Competition and Consumer Commission (ACCC) “is urging businesses who supply button batteries, or products that are powered by them, to ensure they are complying with the new button battery safety standards ahead of the laws becoming mandatory on 22 June.”
The United States (U.S.) Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. Treasury Department (Treasury) issued a joint Cybersecurity Advisory (CSA) “to highlight the cyber threat associated with cryptocurrency thefts and tactics used by a North Korean state-sponsored advanced persistent threat (APT) group since at least 2020.”
The National Institute of Standards and Technology’s (NIST) National Initiative for Cybersecurity Education (NICE) is asking for comments on the Knowledge and Skill statements of the Workforce Framework for Cybersecurity (NICE Framework).
The University of Toronto’s Citizen Lab has found that “IATA Travel Pass (ITP), a global, opt-in app to receive, store, and share digital COVID-19 test certificates for flights, has a critical flaw in its registration process which allows an attacker to impersonate another user, needing only to know the user’s passport details but not possess the passport itself.”
“Lithium costs a lot of money—so why aren’t we recycling lithium batteries?” By Shel Evergreen — Ars Technica
“A Twitter takeover would be a global headache for Elon Musk” By Andrew Deck and Michael Zelenko — Rest of the World
“Elon Musk’s talks of a Twitter takeover mask Tesla’s troubles in China” By Faiz Siddiqui — Washington Post
“Why Latin America doesn’t have its own version of TikTok or YouTube” By Alex González Ormerod — Rest of the World
“What is ‘Web3’? Here’s the vision for the future of the internet from the man who coined the phrase” By Arjun Kharpal — CNBC
“Chuck Schumer ‘Working Closely with Senator Klobuchar’ to Whip Votes for Antitrust Bills” By Sara Sirota and Ryan Grim — Intercept
“From YouTube to Rutube. Inside Russia’s Influence Campaign.” By Sarah E. Needleman and Evan Gershkovich — Wall Street Journal
“Amazon engaged anti-union consultants at a weekly rate of up to $20,000 each to work in its Staten Island warehouses, documents suggest” By Isobel Asher Hamilton — Business Insider
“Apple’s Zipped Lips on Chips” By Shira Ovide — New York Times
“South Africa’s private surveillance machine is fueling a digital apartheid” By Karen Hao and Heidi Swart — MIT Technology Review
“Russia's cyberattacks in Ukraine have been tame so far, but experts warn things may escalate and target the US” By Connor Perrett — Business Insider
“Ukraine Forms ‘Internet Army’ to Pressure Western Firms in Russia” By Patience Haggin and Suzanne Vranica — Wall Street Journal
“U.S. officials link North Korean hackers to $615 million cryptocurrency heist” By Ryan Browne — CNBC
“Secret Service seizes more than $102 million in crypto assets” By Scott Zamost and Eamon Javers — CNBC