Post Office scandal data leak interim compensation offers made

The Post Office has made interim compensation offers to a number of former subpostmasters affected by a major data breach that was revealed last year.

There is still work to be done on cases, but according to a source, some subpostmasters affected by the breach have been offered interim compensation payments by the Post Office.

The payments are for damages caused by the personal details of members of the Justice for Subpostmasters Alliance (JFSA) campaign group being accidentally published on the Post Office’s website in a document titled Confidential Settlement Deed.

The Post Office would not comment on the interim payments, but a spokesperson said: “We would like to express our sincere apologies to those that were impacted by a human error which saw an unredacted document mistakenly published on Post Office’s website. Once we were made aware of the error, the document was immediately removed. We remain in contact with the Information Commissioner’s Office and the representatives of those who were affected.”

The security breach was first revealed in June 2024, but the data had been exposed for a number of years. It made the personal details of hundreds of former subpostmasters easily available. During a public inquiry hearing in November, it was revealed that this was caused by a botched website upgrade.

Jasvinder Barang, a former subpostmistress and member of the group of affected subpostmasters, said she has not yet heard anything about compensation, “apart from dribs and drabs”.

She questioned the Post Office’s attitude towards the damage the data leak has caused. “I don’t think they’re taking that seriously. We are finding it very, very stressful and very serious, but they don’t seem to think that it’s that serious,” she added.

Barang said the data breach was just another thing on top of all the stress related to the scandal. “I am absolutely stressed. Not knowing who knows where we live and all the rest of it. And of course it’s not just my safety I am worried about, but my family as well.”

During the November public inquiry hearing, Simon Recaldin, who heads up the Post Office’s Horizon scandal financial redress schemes, said: “The link to the [document], which was on the website, had broken. They were refreshing the link, and to do this they had to get the original document to put in there, but they put the unredacted document rather than the redacted document in there.”

The subpostmasters, victims of the Horizon scandal, took part in the 2018/19 High Court case that proved bugs in the Post Office’s IT system were responsible for accounting losses for which the victims had been blamed and prosecuted.

The data breach was reported in June last year, and at that time, a Google search suggested it had been online since 2019.

Following the breach being exposed, then Post Office CEO Nick Read said: “This is a truly terrible error, and one for which at this stage I can only apologise.” The Post Office notified the Information Commissioner’s Office (ICO) of the incident.

Although the breach was revealed in June 2024, no action has so far been taken by the ICO. It said: “The Post Office have made us aware of an incident and we are investigating the information provided.”

The Post Office scandal was first exposed by Computer Weekly in 2009, revealing the stories of seven subpostmasters – including Alan Bates – and the problems they suffered due to accounting software. It is one of the biggest miscarriages of justice in British history (see below for timeline of Computer Weekly articles about the scandal, since 2009).

Musk claims of Ukraine DDoS attack derided by cyber community

Tech oligarch Elon Musk has drawn criticism from cyber security experts following unsubstantiated claims that Ukraine was behind an apparent distributed denial of service (DDoS) attack on his social media platform, X, formerly known as Twitter.

Musk, who currently heads the US government’s Department of Government Efficiency (Doge) that has fired thousands of federal workers, accused the Ukrainian government of being behind the incident that brought down X services for many users on Monday 10 March. Speaking to the Fox Business news channel, he claimed a “massive cyber attack” targeting X appeared to have originated from IP addresses located in Ukraine.

The incident came amid a serious deterioration in relations between Ukraine and the US, and just days after US Cyber Command, the country’s military offensive and defensive cyber unit, suspended offensive operations against Russia in a significant climbdown.

Ukrainian officials were quick to refute the suggestion Kyiv was behind the cyber attack, and in conversation with the BBC, former National Cyber Security Centre head Ciaran Martin described Musk’s accusations as unconvincing and “pretty much garbage”.

Martin told the BBC he would be hard-pressed to think of an organisation of X’s scale that has been so badly impacted by such an incident in recent years and suggested the incident did not paint a good picture of the platform’s wider cyber resilience.

In a DDoS attack, malicious actors bombard a server with junk web traffic to overwhelm it, forcing it offline and leaving legitimate users unable to access it.

Such crude forms of cyber attack are well-known and relatively common – they frequently form a key element in hacktivist actions thanks to their accessibility, which at first glance lends a certain element of credibility to Musk’s claims.

However, DDoS attacks are launched via geographically dispersed networks of computers and other devices that have been co-opted into botnets without their owners’ knowledge or consent. This makes it very hard to accurately locate the individuals responsible for them.

Tom Parker, cyber security author and chief technology officer (CTO) at NetSPI, said the magnitude of the attack did strongly suggest the involvement of a sophisticated threat actor but it was important to understand that accurately attributing DDoS incidents is “notoriously difficult”.

“Such adversaries are highly adept at concealing their tracks. We must be extremely cautious about pointing fingers and sabre rattling without clear and compelling evidence to demonstrate capability, motive, and likely benefit for the party involved,” Parker told Computer Weekly.

“Despite recent events, I do believe Ukraine is still seeking to foster a more positive relationship with the US, which would make it unlikely that the claims of Ukrainian involvement are well-grounded. Rather, the scenario appears to align more with a ‘false flag’ operation deliberately crafted to implicate Ukraine.

“As we often see in these complex situations, the most straightforward explanation isn’t always correct, and drawing conclusions prematurely can lead us astray,” he said.

Pro-Palestine group

Lending more weight to arguments against Musk, a pro-Palestinian hacktivist group known as Dark Storm Team subsequently claimed via Telegram that it had been behind the incident.

An account on the Bluesky social media platform claiming to be associated with this group, and appearing to have links to the Anonymous collective, described the DDoS attack as a peaceful protest and said attacks would continue.

Jake Moore, global cyber security advisor at ESET, said: “Cyber criminals attack from all angles and are incredibly fearless in their attempts. Whether they are directed by geopolitical groups or financially motivated gangs, DDoS attacks are a clever way of targeting a website without having to hack into the mainframe, and therefore the perpetrators can remain largely anonymous and difficult to point a finger at.

“This also makes it that much more difficult to protect from when the landscape is completely unknown apart from having generic DDoS protection. However, even with such protection, each year, threat actors become better equipped and use even more IP addresses such as home IoT devices to flood systems, making it increasingly more difficult to protect from.”

Added Moore: “Unfortunately, X remains one of the most talked about platforms, making it a typical target for hackers marking their own territory. All that can be done to future-proof their networks is to continue to expect the unexpected and build even more robust DDoS protection layers.”

iPhone, iPad update fixes critical WebKit flaw

Apple has released updated versions of its iOS and iPadOS mobile operating system (OS) that address a potentially dangerous vulnerability that appears to have been exploited in the wild.

The two releases, iOS 18.3.2 and iPadOS 18.3.2, are available for iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 3rd generation and later, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 7th generation and later, and iPad mini 5th generation and later.

Collectively, the update addresses a single vulnerability tracked as CVE-2025-24201. Apple customarily releases very sparse details of the vulnerabilities it addresses to avoid giving too much away to threat actors, and the flaw in question is no exception.

Apple revealed that the flaw is an out-of-bounds write issue affecting the WebKit open source web browser engine that powers Safari, Mail, App Store and many other Apple and Linux ecosystem applications.

Cupertino said: “Maliciously crafted web content may be able to break out of Web Content sandbox. This is a supplementary fix for an attack that was blocked in iOS 17.2.”

Version 17.2 of the two OSes dates back just over a year to December 2023, and besides security fixes brought a large number of new features to Apple’s mobile estate, including the launch of a diary feature called Journal, and enhancements to its Weather app, among other things.

Nation-state adversary?

In its update notes, Apple indicated that it took steps to address the issue after it became aware of exploitation of CVE-2025-24201 in the wild. The firm said: “Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on versions of iOS before iOS 17.2.”

The fact that this attack is being described as sophisticated and targeted likely indicates that the vulnerability was used by a nation-state threat actor, possibly against individuals of interest to the intelligence services in that country. To Western ears, this could indicate exploitation by actors linked to China, Iran, North Korea or Russia.

However, given Apple mobile devices are so widely used, other countries and even private companies are known to seek out and leverage vulnerabilities in its device estate for similar purposes.

Notably, disgraced Israeli spyware manufacturer NSO Group – the organisation behind the Pegasus malware that was famously used by the Saudi Arabian regime against murdered journalist Jamal Khashoggi – exploited multiple Apple vulnerabilities in the service of its mercenary activities.

Even though this might indicate the risk to everyday members of the public might be limited, Sylvain Cortes, vice-president of strategy at Hackuity, told Computer Weekly that all users should take steps to protect themselves.

“The flaw poses a significant risk to users of older versions of the operating system, particularly those released before iOS 17.2,” said Cortes. “We highly encourage users to update their devices to iOS 18.3.2 as soon as possible to maintain the security and privacy of their data.”

Besides the fix, the update also brings new customisation options for Apple users, a redesigned Photos application, “new ways to express yourself” in Messages, a hiking feature in Maps, and updates to Wallet.

Major strike by Fujitsu staff at ‘cash cow’ HMRC

Fujitsu staff supporting IT services contracts at HM Revenue & Customs (HMRC) will strike for 22 days in protest after in-house colleagues in similar roles received significantly higher pay rises.

Members of the Public and Commercial Services (PCS) Union at the scandal-stained supplier will down tools at HMRC on 21 March and not return until 23 April.

Fujitsu staff working on HMRC contracts were offered a 1.5% pay rise – compared with the 5% received by in-house colleagues in similar roles.

The union said: “The new round of action is expected to affect time-sensitive work, putting Fujitsu at risk of financial penalties for missing targets.”

A Fujitsu spokesperson said: “We are disappointed by PCS’s decision to proceed with industrial action following extensive negotiations around pay. We have worked with our clients to ensure all services are maintained.”

Following a two-day strike by the workers in January, the union did not rule out further action in the coming weeks because “members are angry that Fujitsu reports large profits from the HMRC account while offering them below-inflation pay rises”.

HMRC has become a UK cash cow for Fujitsu, which has continued to win major deals despite its pledge to pause bidding on government contracts after public anger over its role in the Post Office Horizon scandal.

As revealed by Computer Weekly, despite reports suggesting Fujitsu will be replaced on HMRC’s Traders Support Service, an internal meeting revealed Fujitsu is, in fact, bidding for the new £370m contract and is confident of a renewal of its contract, which was worth £240m when it was signed in 2020.

Computer Weekly also revealed a direct deal between HMRC and Fujitsu for hardware and cloud procurement, worth over £200m and known as North Star, where there is no competitive tender. Meanwhile, the department is also extending its Computer Environment for Self-Assessment (CESA) contract worth just shy of £60m, where Fujitsu is the incumbent.

In regard to the latest strike, an HMRC spokesperson said: “We have robust plans in place to ensure we continue delivering critical services for our customers during any industrial action.”

Fujitsu told its UK staff in September 2024 that there would be no UK-wide pay rise this year as it prioritised a limited budget, fuelling anger among a workforce with low morale.

One Fujitsu worker not involved in this action showed support for the striking staff, saying: “Good luck to them for standing up for their rights at a company that dodges accountability.”

Fran Heathcote, general secretary at the PCS, said: “Fujitsu continues to report large profits from the HMRC account, but never offers staff anything close to inflation, devaluing our members’ salaries over many years, despite their skills and knowledge being vital in ensuring HMRC’s tax systems remain working.

“This is a classic example of all that’s wrong with outsourcing – colleagues working side by side being paid different rates for doing similar jobs.”

Fujitsu also faces pressure from politicians to pay an interim contribution to the huge cost to taxpayers of the Post Office scandal. Last month, peer Kevan Jones demanded that Fujitsu make an interim payment of £300m.

Since then, the government and Fujitsu have initiated talks about Fujitsu’s contribution to the scandal bill, which will run into billions of pounds. The announcement of talks made no mention of an interim payment.

Computer Weekly first exposed the scandal in 2009, revealing the stories of seven subpostmasters and the problems they suffered due to Horizon accounting software, which led to the most widespread miscarriage of justice in British history.

IR35 reforms: HMRC’s assessment of private sector impacts called into question

The news that HM Revenue & Customs (HMRC) has collected £1bn more in tax than expected from the 2021 private sector roll-out of the IR35 reforms should not be considered a sign of the initiative’s success, IT contractor market stakeholders claim.

The government tax collection agency published figures in late February 2025 about the impact caused by extending the IR35 reforms to the private sector in April 2021, in terms of how many workers were affected by the changes and how much additional tax HMRC raised by introducing them.

The reforms, introduced as part of HMRC’s ongoing clampdown on disguised employment, were originally rolled out to the public sector from April 2017, and saw contractors cede responsibility to the end-client organisations engaging them for determining whether their work means they should be taxed like an employee (inside IR35) or in the same way as an off-payroll worker (outside IR35).

Several years later, the government announced plans to extend the reforms to medium to large private sector businesses, which – following a 12-month delay due to the Covid-19 coronavirus pandemic – occurred in April 2021.

According to HMRC’s figures, around 120,000 individuals who were providing services through their own limited companies or personal service companies (PSCs) were “likely to have been affected” by extending the reforms to the private sector in April 2021.

This includes contractors who may have had their engagements classified as inside IR35 as a result of the changes, and individuals who may have opted to provide their services through an umbrella company since April 2021, confirmed HMRC.

It is worth noting that HMRC originally forecast that the reforms would affect 170,000 individuals, according to a document published on 3 April 2020 that outlined the government’s rationale for rolling out the reforms and the projected benefits the move would generate.

That same 2020 document also predicted the reforms would generate an additional £2.395bn in unpaid tax, generated over the course of three tax years spanning 2020/21 to 2022/23.

However, HMRC’s February 2025 impact assessment data shows the reforms generated £1.8bn more than projected across the three tax years spanning 2021-2023, despite 50,000 people fewer than expected finding themselves in-scope of the private sector reforms.

The discrepancies in the figures have raised eyebrows among contracting market stakeholders, including Dave Chaplin, CEO of contracting authority ContractorCalculator, who told Computer Weekly that HMRC’s calculations simply do not add up.

“It’s implausible that 50,000 fewer people could generate 75% more tax revenue. The 120,000 figure seems significantly underestimated,” he said.

“If the original projection of £2.4bn was based on 170,000 people, that equals £14,088 per person. Using this same rate, achieving the new projection of £4.2bn would require 298,121 people – not 120,000.”

Chaplin continued: “The only reasonable conclusion is that HMRC’s figure of 120,000 affected individuals is incorrect. Our calculations indicate 58% of the original PSC population (510,000) was affected – not the claimed 23%, which is more than double HMRC’s estimate.”

Speaking to Computer Weekly, Andy Chamberlain, director of policy at the Association of Independent Professionals and the Self-Employed (IPSE), said there were a couple of different ways that HMRC’s figures could be interpreted.

For one, the fact that the reforms have raised £1bn more than expected suggests that, in HMRC’s quest to improve the private sector’s IR35 compliance, what the department has actually achieved appears to be a sizeable “overcompliance” with the rules.

“[This is] where individuals were forced onto payroll even though they were genuinely in-business and in ‘outside IR35’ roles,” he said.

In the lead-up to both the public and private sector IR35 reforms being rolled out, Computer Weekly reported on numerous instances whereby organisations tried to fast-track their compliance with the reforms in several ways.

Some sought to reduce the additional administrative burden the reforms put on them by declaring all the contractors they engaged as working inside IR35.

Other organisations side-stepped the reforms by issuing blanket hiring bans on off-payroll workers. This led to many insisting the contractors they engaged could only continue to provide services to them if they did so through an umbrella company, as the IR35 rules do not apply to umbrella employees.

“Some that were forced into umbrellas were able to put their rates up, so the gross pay, and therefore the tax take, was higher,” continued Chamberlain.

Computer Weekly contacted HMRC to ask if it could give an account as to why more tax has been generated than expected from fewer than anticipated affected individuals, but the government department did not directly answer the question.

It is an issue, however, that HMRC appears to address in its February 2025 impact report with the acknowledgment that there has been a “small change” in its “initial estimates of the numbers of workers affected and the additional tax revenues generated” due to “newer data becoming available” and “improvements in [HMRC’s] methodology”.

Either way, Chaplin described the HMRC data discrepancies as “concerning” because it shows its data is “unreliable” and yet these numbers are what the department is holding up as proof the reforms have had the desired result.

“[This data] further undermines confidence in the official narrative and suggests policy decisions were based on flawed information rather than accurate assessments of the freelance market’s reality,” he said.

HMRC further revealed in its private sector IR35 impact assessment that the reforms may have partly contributed to a downturn in the number of new PSCs being created, which suggests the reforms may have put some people off becoming self-employed.

“We estimate around 45,000 fewer new PSCs formed around the time of the reform, up until the end of March 2022, compared to what we might have expected to happen based on historical trends,” said HMRC.

“These workers may have instead chosen to work in a different way, and we expect they will have remained, or started, working as employees.”

The way Chaplin sees it, HMRC’s data suggests the reforms have “stripped a quarter of legitimate freelancers of their self-employment status” and have “unnecessarily restricted the flexible workforce precisely when economic growth demands their contributions most”.

He added: “I think we can rightfully conclude that HMRC’s models and research should be taken with the annual output of a salt refinery – that is, with extreme scepticism.”

Driving licence data could be used for police facial recognition

Human rights group Liberty has said the UK government’s proposed Crime and Policing Bill will transform the country’s driving licence database into a de-facto facial recognition database, enabling police to access the biometric information of millions of people who have never committed a crime.

Introduced to Parliament on 25 February 2025, the Home Office-sponsored bill will introduce a range of measures to extend police powers in the UK, including bans on wearing face coverings or using pyrotechnics during protests, and the introduction of “respect orders” to address so-called “anti-social behaviour”.

The Crime and Policing Bill will also enable police to access driving licence information from the Driver and Vehicle Licensing Agency (DVLA), which holds more than 52 million driver records. Access to driving licence information will be controlled by as-yet unspecified regulations to be created by the secretary of state, who will also draft a code of practice about how the information can be made available and used.

The secretary of state will also be obliged to publish an annual report on how driving licence information is being used by police.

While the bill makes no explicit reference to facial recognition technology in the text or supporting documents, the measures are substantively similar to those contained in the previous Conservative government’s Criminal Justice Bill, which then-policing minister Chris Philp said could “allow police and law enforcement, including the NCA [National Crime Agency], to access driving licence records to do a facial recognition search”.

Human rights group Liberty said that although the current Labour government has denied the regulation-making powers contained in the bill’s driving licence information provisions would be used for facial recognition purposes, the proposals – which closely mirror those put forward by the last government – could still enable this invasive use of the technology.

“This would represent a huge step in broadening the use of facial recognition technology away from police databases to everyone with a driving licence,” it said. “Every photo on the DVLA database could be accessed by the police and essentially form a digital police line-up. If this is the intention, then the government should be transparent and invite proper scrutiny rather than sneaking through rights-restricting legislation.”

A Home Office spokesperson told Computer Weekly it was “categorically untrue” that the DVLA database would be accessed by police for facial recognition purposes, stating: “These provisions will have no impact on facial recognition.”

In a written submission to Parliament about the previous government’s attempts to link the DVLA database to facial recognition systems, privacy group Big Brother Watch said it represented “a huge, disproportionate expansion of police surveillance powers that would place the majority of Britons in a digital police line-up, without their consent”.

It added that setting a precedent where police are able to access a non-police database to sift through millions of people’s biometric data “would be deeply concerning” for privacy rights. “In a rights-respecting country, the public would no less expect police forces to access their facial biometrics from the DVLA database than they would expect them to access their DNA biometric from NHS databases,” it said.

Commenting on the proposal in the Crime and Policing Bill, Liberty added that police should never be allowed access to a database containing millions of biometric records of people who are not on a wanted list, have never committed a crime, and have not otherwise consented to the use of their information in this way.

Liberty further added that the proposed code of practice should not be accepted as a safeguard. “There should be primary legislation governing the overall police use of facial recognition. It should not be piecemeal in this way,” it said.

As it stands, the UK has no legislation explicitly covering the police use of facial recognition technologies, although successive governments have repeatedly affirmed it is covered by a “comprehensive legal framework”, which consists of a patchwork of existing legislation.

While there has been limited Parliamentary scrutiny of facial recognition in the form of written questions and answers over the years, there has only been one formal debate on how police are using the technology in Parliament, which was held in November 2024.

This marked the first time MPs openly discussed police use of the tech in the eight years since live facial recognition (LFR) was first deployed by the Metropolitan Police at Notting Hill Carnival in August 2016.

Since that initial deployment, there have been repeated calls from Parliament and civil society for new legal frameworks to govern law enforcement’s use of LFR technology. These include three separate inquiries by the Lords Justice and Home Affairs Committee (JHAC) into shoplifting, police algorithms and police facial recognition; two of the UK’s former biometrics commissioners, Paul Wiles and Fraser Sampson; an independent legal review by Matthew Ryder QC; the UK’s Equalities and Human Rights Commission; and the House of Commons Science and Technology Committee, which called for a moratorium on LFR as far back as July 2019.

Attempts to link facial recognition systems with UK databases created for other purposes have been ongoing for a number of years.

In October 2023, Philp outlined his intention to give police forces access to the UK’s passport database, claiming it would enhance their facial recognition capabilities to help catch shoplifters and other criminals.

While Philp’s proposals were blasted by human rights and privacy groups, UK regulators also took issue. For example, the then-biometrics and surveillance commissioner of England and Wales, Fraser Sampson, told the BBC it was important for police to avoid giving people the impression they’re on a “digital line-up”.

“The state has large collections of good-quality photographs of a significant proportion of the population – drivers and passport holders being good examples – which were originally required and given as a condition of, say, driving and international travel,” he said.

“If the state routinely runs every photograph against every picture of every suspected incident of crime simply because it can, there is a significant risk of disproportionality and of damaging public trust,” added Sampson.

Scottish biometrics commissioner Brian Plastow also said it would be “egregious” to link the UK’s passport database with facial recognition systems, arguing it would be “unethical and potentially unlawful”.

“The suggestion that images given voluntarily to UK government agencies for a specific purpose by law-abiding citizens to obtain a UK passport or UK driving licence should then be capable of being routinely accessed by the police and ‘bulk washed’ against images from low-level crime scenes is neither proportionate nor strictly necessary and would significantly damage public trust,” he said at the time.

US Congress demands UK lifts gag on Apple encryption order

US lawmakers have hit out at the Home Office for “attempting to gag” US companies by preventing them from telling Congress whether they have been subject to secret UK orders requiring them to hand over their users’ data.

In an unprecedented intervention, five lawmakers from both sides of the US political divide, led by senator Ron Wyden, have written to the UK’s Investigatory Powers Tribunal (IPT) accusing the British government of undermining Congressional oversight and restricting the free speech of US companies.

Their letter comes as the IPT is preparing to hear closed-door arguments from Apple, which is challenging a notice requiring it to extend UK law enforcement’s existing access to encrypted data stored by customers on the Apple iCloud service anywhere in the world to users of Apple’s Advanced Data Protection (ADP) who choose to hold encryption keys privately on their own devices.

British media organisations, including the BBC, The Times, Financial Times, Reuters, The Guardian, The Telegraph and Computer Weekly, have also filed legal submissions with the IPT today, arguing that there is an important public interest in hearing arguments over the UK’s demands against Apple in a public court.

In the Congressional letter, five US senators and congressmen complained to the Investigatory Powers Tribunal that the secrecy surrounding the orders – known as Technical Capability Notices (TCNs) – are impairing Congress’s power and duty to conduct oversight on matters of national security.

The letter disclosed that Apple and Google have informed Congress that, were they to have received Technical Capability Notices, they would be barred by UK law from disclosing them to US lawmakers. The UK embassy has also failed to respond to US requests about potential demands by the UK to other US companies.

“By attempting to gag US companies and prohibit them from answering questions from Congress, the UK is both violating the free speech rights of US companies and impairing Congress’s power and duty to conduct oversight on matters of national security,” the lawmakers wrote.

“The UK’s attempted gag has already restricted US companies from engaging in speech that is constitutionally protected under US law and necessary for ongoing Congressional oversight,” they added.

The letter has been signed by Democrats senator Ron Wyden from Oregon, who has campaigned for healthcare and the environment; Alex Padilla from California, who is chairman of the Senate Judiciary Subcommittee on Immigration; and Zoe Lofgren, an advocate for digital rights from California.

Republicans Andy Biggs from Arizona, chair of the House Judiciary Subcommittee on Crime and Federal Government Surveillance and a vocal Trump supporter; and Warren Davidson from Ohio, a member of the House Financial Services Committee and a former US soldier, have also signed.

Their unified complaint calls on the IPT to apply principles of open justice to the hearing scheduled for Friday, and for all subsequent proceedings in Apple’s appeal against the Technical Capability Notice. 

The lawmakers note that the existence of the TCN has been widely reported and commented on, which makes any argument for closed hearings to keep the existence of the notice secret “unsustainable”.

The existence of the notice has also been confirmed by Apple’s public decision to withdraw its advanced encryption option, known as Advanced Data Protection, for all UK users. Apple would not have done this “unless it felt compelled to do so by a request to insert a backdoor”.

Holding public hearings would allow lawmakers to hear expert evidence from cyber security specialists, civil society representatives and experts on US-UK data flows, enabling the IPT to reach a well-informed decision over the lawfulness of the notice, they said.

Serious concerns over national security 

The lawmakers argue that the UK’s demands against Apple raise “serious concerns which directly impact national security” and therefore warrant public debate. 

As Computer Weekly previously reported, Tulsi Gabbard, the director of national intelligence, stated in a letter to Congress that the UK’s demands would be “a clear and egregious violation of Americans’ privacy and civil liberties, and open up a serious vulnerability for cyber exploitation by adversarial actors”.

President Donald Trump confirmed in an interview with The Spectator that he had raised the Apple TCN with prime minister Keir Starmer during his visit to Washington, comparing the UK’s actions to the conduct of China.

China exploited US ‘lawful access’

The lawmakers point out that the security of US technology products against surveillance by foreign governments is an important topic for ongoing Congressional oversight following a spate of hacks against the communications of senior US government officials.

China exploited US lawful interception systems in 2023 to reportedly tap the phone calls of Trump and vice-president JD Vance, and to steal millions of phone records after gaining access to major US carriers in the “Salt Typhoon” attack.

In April 2024, hackers stole phone records of “nearly all” AT&T customers, including records of members of the president’s family, the then vice-president, Kamala Harris, and the wife of the now secretary of state, Marco Rubio, in the “Snowflake” incident.

And in 2003, China stole more than 60,000 emails from the Department of State and compromised the email accounts of US officials and politicians after hacking into Microsoft-hosted US government email accounts.

“The common link between these incidents is that sensitive government data held by third-party companies was not properly secured and subsequently accessed by hackers … most importantly, the Salt Typhoon incident reportedly involved compromising ‘lawful intercept’ systems of the kind that it appears Apple has been ordered to build,” the letter states.

“Given the significant technical complexity of this issue, as well as the important national security harms that will result from weakening cyber security defences, it is imperative that the UK’s technical demands of Apple – and of any other US companies – be subjected to robust, public analysis and debate by cyber security,” the lawmakers wrote.

Vital for US cyber security experts to comment

“Secret court hearings featuring intelligence agencies and a handful of individuals approved by them do not enable robust challenges on highly technical matters. Moreover, given the potential impact on US national security, it is vital that American cyber security experts be permitted to analyse and comment on the security of what is proposed.”

The lawmakers invited the tribunal to permit US companies to discuss the technical demands they have received under the UK’s Investigatory Powers Act with Congress. The IPT should “invite robust public debate by independent cyber security experts before deciding the merits of the reported challenge that Apple has brought”, they said.

Separately, civil society groups Big Brother Watch, Index on Censorship and Open Rights Group have written to the president of the Investigatory Powers Tribunal, the Rt Hon Lord Justice Singh, calling for the case to be made public.

They argue that the case implicates the privacy rights of millions of British citizens who use Apple’s technology, and those of its overseas customers.

There is a “significant public interest in knowing when and on what basis the UK government believes that it can compel a private company to undermine the privacy and security of its customers”, according to the letter.

Big Brother Watch interim director Rebecca Vincent said the tribunal hearing must not take place in secret. “The Home Office’s shocking order to Apple to break encryption represents a huge attack on privacy rights and is unprecedented in any democracy,” she said.

Index on Censorship CEO Jemimah Steinfeld said breaking encryption would do away with our rights to privacy, make us far less safe and secure online, and challenge the very notion of the UK as a democracy. “With such high stakes, we demand to know what could possibly justify this. We need answers, not more secrecy,” she said.

Open Rights Group executive director Jim Killock said: “If the UK wants to claim the right to make all of Apple’s users more likely to be hacked and blackmailed, then they should argue for that in an open court.”

Source

Posted on

‘Times are hard’ for fintech but latest report reveals glimmer of recovery

Fintech investment has been on a downward spiral since 2012, but the second half of this year could see the first shoots of recovery.

Investment in UK fintechs fell by over a quarter last year, but there are signs that a recovery could be on its way, according to KPMG.

In its latest report into EMEA fintech investment trends, KPMG revealed that 2024 saw UK firms receive $9.9bn (£7.8bn). Meanwhile, total investment in 2024 was $20.3bn compared with $27.6bn the previous year.

Total UK fintech investment dropped to $9.9bn in 2024, down 27% from $13.6bn in 2023, according to KPMG’s Pulse of Fintech report.

Hannah Dobson, partner and UK head of fintech at KPMG, said UK investment is expected to remain “relatively soft” in the first half of this year, but added that “it will likely begin to pick up as interest rates reduce further, with common consensus that this will be in the third and fourth quarters”.

Fintech industry expert Chris Skinner, CEO at The Finanser, told Computer Weekly that “times are hard in the fintech space”. “Fintechs had an amazing ride in the 2010s, but in the 2020s, it seems not,” he said. “Fintech took a hammering in 2023, with investing down 48% compared with 2022, which was also a bad year, and now we move into 2025 and reflect on 2024, where it went down even more.”

In its report, KPMG said geopolitical uncertainty, high levels of inflation and the higher interest rates all contributed to “more subdued levels of UK fintech investment”.

Dobson at KPMG added: “2024 was another tough year for fintech investment, which inevitably has led to some business failure and some consolidation. It has also sharpened the focus on a path to profit and cost control which positively leads to more sustainable saleable businesses in the longer term.”

In EMEA, and particularly the UK, there are signs of a slow recovery in deals as the reduction in interest rates and greater political stability lead to better certainty. The impact of regulation is an ongoing challenge for fintechs across EMEA as they face new EU and UK regimes in areas such as AI and BNPL.

The largest fintech deal in Europe in 2024 was the $560.6m sale of online bank Knab to Austrian financial firm Bawag Group. The largest deal in the UK was the $267m venture funding round by money transfer provider Zepz.

It’s not just Europe that saw a fall in investment. Globally, fintech hit a seven-year low last year, with $95bn invested compared with $113.7bn in 2023.

Karim Haji, global and UK head of financial services at KPMG, said there are some “bright spots”.

“Payments continued to be the rockstar of the fintech subsectors, driven by late-stage deals and an increasing focus on consolidation, and regtech gained a lot of traction,” said Haji.

Global investment

Global investment in the payments space hit $31bn in 2024, up from $17.2bn in 2023.

Haji added that while more deals are beginning to come through because of interest rate cuts in different jurisdictions and the lower cost of funding, the impacts of changing world trading conditions on inflation, interest rates and the market change are yet to be known.

KPMG’s figures mirror those published by Innovate Finance last month, which reported a 37% fall in investment in 2024 compared with 2023.

Innovate Finance, the industry body for fintech in the UK, blamed tough market conditions that included “rising interest rates, geopolitical instability, as well as a recalibration in venture capital fundraising”.

Source

Posted on

AI Action Summit calls for a rethink of regulation

18 February 2025

In this week’s Computer Weekly, we report from the AI Action Summit in Paris on how easing red tape is overtaking safety as a priority. We examine the AI regulations that IT leaders need to understand. And we talk to the UK government’s AI minister about the country’s artificial intelligence opportunities. Read the issue now.

Source

Posted on

Collaboration vital for making DEI progress

February 2025

At the Computer Weekly diversity in tech event, in partnership with Harvey Nash, attendees agreed wholeheartedly that only by working together can we create a truly diverse and inclusive industry. Download the full report here.

Table Of Contents

  • When it comes to increasing the representation of people from all walks of life in the technology sector, complacency is the enemy.
  • It is important to actively create opportunities for underrepresented groups to join the tech sector if we are to make the industry a more diverse place.
  • People working in the IT sector need to be proactive in ensuring the tech workforce reflects tech users.
  • To ensure AI works for us as individuals and as a collective, collaboration is the way forward.
  • There is an imbalance between the number of women using AI and the number of women developing AI, which is contributing towards AI bias and tech that isn’t suitable for all of its users.
  • In some cases, development of AI and machine learning has been biased against women and other underrepresented groups.

Source