Posted on

German court finds hacked EncroChat phone evidence inadmissible

A Berlin court has raised questions over whether data from 120 million messages obtained by police hacking an encrypted phone service can continue to be lawfully used as evidence in prosecutions in Germany and other European countries.

The Landgericht Berlin Regional Court has ruled that text messages intercepted by French police from the EncroChat encrypted phone network cannot be used to prosecute a suspect for alleged drugs trafficking offences in Germany.

The decision, by Germany’s largest criminal court, calls into question previous assumptions that under Europe’s mutual recognition principle, intercept evidence obtained by one member state can automatically be used as evidence in other European states.

The court ruling is likely to have implications for the use of evidence obtained from future law enforcement hacking operations into encrypted communications systems, defence lawyer Christian Lödden told Computer Weekly.

Law enforcement operations

EncroChat is one of a series of encrypted phone and messaging services to be infiltrated by collaborating law enforcement agencies across Europe since 2020, sparking prosecutions of organised crime groups for drug trafficking and money laundering in multiple countries.

French and Dutch police harvested messages from 4,600 EncroChat phone users in Germany and tens of thousands of phone users in other countries after infiltrating EncroChat servers hosted at the OVH datacentre in Roubaix, France, in a novel hacking operation in 2020.

A three-year investigation by police into organised crime and drug groups using EncroChat phones led to 6,500 arrests worldwide and the seizure of nearly €900m in cash and assets.

The lawfulness of the use of hacked data from EncroChat and other encrypted phone networks has now been called into question following a ruling by the Berlin Regional Court.

Berlin Regional Court decision raises questions

The months-long trial heard evidence from German investigators and prosecutors, and reviewed translations of evidence disclosed by the UK’s National Crime Agency during criminal trials involving EncroChat in the UK.

A grand chamber of the Berlin Regional Court, made up of five judges, found in an oral decision in December that, contrary to arguments by European prosecutors, French investigators had not intercepted EncroChat data from a central server in France, but had harvested it from the handsets of EncroChat users in German territory.

Under German law, that meant prosecutors were obliged to seek approval from the German courts to use the French-supplied data in Germany.

However, the presiding judge found that prosecutors had failed to seek judicial approval and that German courts would not have authorised the hacking operation against EncroChat under German law.

Questions to European Court of Justice

The decision came after the Berlin Regional Court submitted questions to the Court of Justice of the European Union (CJEU) asking whether France’s sharing of hacked EncroChat messages with Germany was permitted under European law.

The European court found that, under the European Investigation Order (EIO) Directive, France should have formally notified Germany of the interception of EncroChat phones on German soil, and given German authorities the opportunity to object to the operation within 96 hours, if they wished.

The court of justice found, contrary to previous German court decisions, that the protections offered by Article 31 of the EIO Directive were designed to protect the rights not only of the country receiving evidence from another EU state but also the individual users of telecoms services intercepted by law enforcement.

That contradicted earlier findings of the German supreme court that found Article 31 exists only to support the sovereignty of member states, and cannot be claimed by German citizens as a measure to protect their rights.

German courts would not have approved EncroChat hacking

Following the CJEU’s decision, the Berlin Regional Court found in its latest ruling that the principle of mutual confidence in actions of other member states during judicial cooperation only meant Germany should recognise that France’s actions were legal under French law.

The presiding judge, Kristin Klimke, found that the German court still had a duty to examine whether the French operation against EncroChat would be legal under German law. And in this case, a German court would not have approved the operation under German law because the evidence of suspicion did not meet the threshold to justify an equivalent hacking operation in Germany.

The judge also found that prosecutors had not established that evidence of serious crimes could not have been obtained in a less obtrusive way than by intercepting the data of all EncroChat phone users in Germany.

The principle of European cooperation is not intended to require each national law authority to adopt the same criteria for conducting state hacking operations, but is intended to enable cooperation between countries with different laws to protect the privacy and other rights of their citizens, the judge found.

Although the Court of Justice of the European Union allowed German prosecutors to request EncroChat data from France, the CJEU did not go on to say that prosecutors could use the data without approval from a German court.

In another legally significant decision, the judge found that the hacking operation against EncroChat was not simply a French police operation but was a joint European operation involving a number of other EU member states.

France went beyond surveilling the 300 French users of EncroChat, gathering data from all EncroChat users in Europe, the judge found. France had notified its partner countries in advance of the hacking operation.

However, French prosecutors failed to comply with European law by failing to follow the correct procedures under EU law to inform Germany of its plans to obtain the phone data of German citizens.

France’s notification should have contained details of the targets identified by phone number, IP address or email, the identity of individuals targeted, including their address, date of birth and social security numbers, as well as a description of the offence committed.

The Berlin Regional Court also found that the French authorities had not disclosed their communications with German police and that no information had been supplied to the court on how the data had been intercepted – raising questions over whether defendants had adequate information to challenge the validity of the data.

German defence lawyer Christian Lödden, who is a member of an international group of lawyers collaborating on EncroChat and similar cases, said the court was the first to try to understand what happened before and during the EncroChat operation. The judge found that Germany, rather than simply taking data France had already obtained from EncroChat, had been informed about the hacking operation in advance and had therefore participated in the operation.

“At the end of the day, she said that under German and European law, the evidence is not allowed to be used in court,” he added.

Lödden said the decision would set a precedent for other cases heard in Germany, though courts elsewhere would make their own decisions on the admissibility of EncroChat evidence. The case is also likely to impact the use of intercept evidence in other cases in Europe, he said.

Dutch defence lawyer Justus Reisinger said the Berlin court’s decision could have “massive” implications for cases in Holland.

“This decision basically confirms our defence arguments in the Netherlands from the recent year. Previously, the Supreme Court rejected my arguments on this point, but along with the Berlin court, even academics are saying that an interpretation like that from the Dutch Supreme Court can’t stand. So a legal landslide is quite possible and justified,” he said.

Bojana Franović, a lawyer in Montenegro dealing with evidence from police hacking of Sky ECC and the FBI-run Anom encrypted phone network, said the decision was likely to influence judicial decisions in her country.

“Everyone in the judiciary, at least in Montenegro, is very keen on what the other countries are doing and how they are dealing with those cases,” she said.

Italian lawyer Daniel Fiorino described the Berlin court decision as an “excellent result” but described the legal situation in Italy as “very complex”.

“We have numerous trials still underway,” he said.

A final written version of the decision has yet to be published.

Prosecutors are expected to appeal the decision to the Supreme Court in Germany.

Main points of decision by Berlin Regional Court

  • The Berlin Regional Court ruled that EncroChat data cannot be used in evidence in a criminal trial.
  • Although data from EncroChat phones was obtained lawfully under French law, a German court is still required to decide whether the interception measures taken by France were permissible under German law.
  • Under German law, the suspicion that users of EncroChat were committing crimes did not reach the threshold to justify intercepting all EncroChat communications.
  • The principle of mutual cooperation between European member states must recognise national measures to protect citizens’ fundamental rights in cooperating countries.
  • Although the European Court of Justice concluded that German prosecutors were permitted to request EncroChat data from France, that does not in itself mean prosecutors could also use the data in prosecutions.
  • It was not established that evidence against suspects could not have been gathered by less draconian means than intercepting their communications.

Source: EKSK legal, Joint Defence Team


Top 10 cyber security stories of 2024

The year 2024 threw up another diverse crop of stories in the world of cyber security, with much to pay attention to, particularly in the realm of artificial intelligence (AI), which continued to dominate the headlines.

This year, we steer away from AI fear, uncertainty and doubt to focus on some of the other big issues, such as data privacy and protection, large scale breaches, and the tricky issues surrounding the security of widely used open source components.

There was also trouble at the mill for cyber security companies themselves, which often found themselves in the headlines, often after the privileged access afforded by their products and services was abused to attack their customers. Ivanti, Microsoft and Okta all make our top 10 this year – and we would be remiss not to mention CrowdStrike.

Here are Computer Weekly’s top 10 cyber security stories of 2024.

1. Leak of 26 billion records may prove to be ‘mother of all breaches’

At the end of January 2024, a data dump comprising 26 billion records and totalling more than 25GB in size was discovered by researchers. Dubbed the largest leak in history, and the “mother of all breaches”, the majority of the data related to Chinese social media platforms, but the likes of Adobe, Dropbox, LinkedIn, MyFitnessPal, Telegram and X were also included.

Much of the data appeared to have been compiled from various smaller leaks, likely by a broker who intended to sell it on to others for use in identity theft, phishing attacks and account takeovers.

2. Okta doubles down on cyber in wake of high-profile breaches

In February, identity and access management (IAM) provider Okta announced plans to double its investment in security over the next 12 months and launched a Secure Identity Commitment. This came in the wake of the exploitation of its products and services during a series of cyber attacks during 2023, and earlier.

The company’s leadership said that as a security leader it recognised it needed to work a lot harder to stop ne’er-do-wells from taking advantage of the identity data its customers entrust to it.

3. Widespread Ivanti vulnerabilities make waves

Another cyber company was in the news at the start of 2024: Ivanti, a specialist in asset, identity and supply chain management, saw a series of vulnerabilities in its Policy Secure network access control (NAC), Ivanti Connect Secure secure socket layer virtual private network (SSL VPN), and Ivanti Neurons for zero-trust access (ZTA) products cause concern at organisations worldwide after they were exploited by a threat actor.

The three vulnerabilities in question enabled attackers to access privileged data and obtain elevated access rights on their victims’ systems.

4. Open source alert over intentionally placed backdoor

In April, users of the open source XZ Utils data compression library narrowly avoided falling victim to a major supply chain attack, after evidence of an apparently intentionally placed backdoor in the code was revealed. The malicious code, embedded in versions 5.6.0 and 5.6.1 of the library, enabled unauthorised access to affected Linux distributions.

It later emerged that the dodgy code was placed there by a malicious actor who intentionally worked hard over a long period to gain the trust of the project’s developers. The security of widely used open source components was to be one of the big themes of the year.

5. Microsoft beefs up cyber initiative after hard-hitting US report

In May, Microsoft doubled down on its Secure Future Initiative (SFI), expanding the programme – which set out to address the software and vulnerability issues frequently exploited by threat actors – in the wake of a damning US government Cyber Safety Review Board (CSRB) report.

Redmond said the rapid evolution of the threat landscape underscored the severity of the threats that face both its own operations and those of its customers, and admitted that given its central role in the world’s IT ecosystem, it had a “critical responsibility” to earn and maintain trust.

6. CrowdStrike update causes worldwide chaos

The biggest IT story of 2024 – arguably – was not strictly speaking a security incident, but appears here since it originated at a security company. On 19 July, IT pros all over the UK and beyond awoke to a fast-spreading IT outage downing key systems, originating at cyber firm CrowdStrike after it pushed a flawed rapid response update to key threat detection sensors that caused Windows computers to enter a so-called boot loop.

The extensive disruption caused no major security incidents at the time, but the ramifications continue to this day, with CrowdStrike execs facing legal repercussions and even being called to account for the incident in front of politicians. As with the XZ Utils scare a couple of months previously, the CrowdStrike incident shows again the importance of paying close attention to one’s code.

7. Campaigners call for evidence to reform UK cyber laws

Those who have been following the CyberUp campaign for legal reform over the past few years will know well the difficulties the group has had in convincing Britain’s politicians that the time has come to reform the outdated Computer Misuse Act of 1990, which – thanks to archaic wording in regard to the offence of “unauthorised” access to a computer – puts security professionals in the UK at risk of prosecution simply for doing their jobs.

With Keir Starmer moving into 10 Downing Street, the campaign team seized the opportunity to launch a fresh call for evidence and views during the summer, saying that about a third of UK security firms had experienced monetary losses due to the law, putting at risk £3bn of the sector’s £10.5bn annual contribution to the economy.

8. NCSC celebrates eight years as Horne blows in

In eighth place on the Computer Weekly list, the National Cyber Security Centre celebrated its eighth birthday this year, although its new leader, Richard Horne, who took up the post in October, is only the organisation’s third official CEO.

Eight years may not be a particularly long time – the Brexit referendum was eight years ago – but the cyber security landscape has changed radically in that time. Looking ahead, as the interdependency between security and intelligence becomes more critical, and the risks and opportunities of new technologies and more sophisticated threats increase, the NCSC’s work to get better at addressing the security of those technologies, and at using them to the UK’s advantage, continues.

9. Zero-day exploits increasingly sought out by attackers

In November, the NCSC and its US equivalent, CISA, published new annual data revealing that of the 15 most exploited vulnerabilities of 2023, the majority were zero-days compared with less than half in 2022. The trend has continued through 2024, and the NCSC warned that defenders need to dramatically up their game when it comes to vulnerability management and patching.

Among some of the most heavily exploited CVEs were some that are now widely known, including infamous issues in Progress Software’s MOVEit Transfer, Log4Shell and Citrix, many of them dating back years.

10. US TikTok ban imminent after appeal fails

At the end of 2024 came the news that TikTok is likely to be banned in the US in mere weeks after a Washington DC appeal court rejected representations from the China-owned social media platform, which claimed its First Amendment rights were being violated.

Legitimate concerns about the firm’s data protection and privacy practices – and the possibility that the data TikTok holds may be exploited by the Chinese government – lie at the core of the potential ban which would have global ramifications and impact millions of users, influencers and businesses alike.

Somewhat ironically, given he once tried to ban it himself, the platform’s best hope for a reprieve may now lie with president-elect Donald Trump, who will undoubtedly be an impactful force in the cyber security world in 2025.


The Security Interviews: Martin Lee, Cisco Talos

The first thing worth knowing about the first ever ransomware locker is that its use was apparently motivated by revenge rather than outright criminality. The second thing worth knowing is that there was not a Russian speaker in sight.

In fact, its author, Joseph Popp, grew up in Ohio and was educated at Harvard University. He was an anthropologist and biologist and an expert on HIV/AIDS, who worked closely with the World Health Organisation (WHO) in Africa – and was passed over for a job there, something that may have led to the apparent mental breakdown that resulted in the creation of the concept of ransomware.

The AIDS Trojan that Popp “unleashed” on the world in December 1989 was a simple piece of software by any standard. Technically, it was really a denial of service (DOS) scrambler, which replaced the AUTOEXEC.bat file used to execute commands when the computer system started up.

It then counted the number of boot cycles the system went through until it hit 90, at which point it hid directories and encrypted the names of the C drive files on the system. Victims, or targets, then saw a message informing them that their systems were infected by a virus.

“Remember, there is NO cure for AIDS,” the message chillingly read.

How were they infected? Popp posted 20,000 floppy disks to fellow attendees of a WHO AIDS conference, and created what we would now know as a phishing lure by labelling them “AIDS Information – Introductory Diskettes”.

Victims were told to send $189 (about $480, or £378 adjusted to 2024) to a PO Box number belonging to the PC Cyborg Corporation in Panama. The software also included an end user licence agreement (EULA) informing “users” that they would be liable for the cost of “leasing” it.

Popp, who was arrested in the US and extradited to the UK, never stood trial after a British judge ruled him mentally unfit to do so – he had developed a habit of wearing condoms on his nose, hair curlers in his beard, and cardboard boxes on his head, according to media reports at the time. Whether or not this was a deliberate ploy rather than an expression of insanity remains unclear. Back in the States, Popp went on to open an eponymously named butterfly sanctuary and tropical garden in upstate New York, and died in 2007.

Reflecting on the weird story behind the AIDS Trojan, Martin Lee, technical lead for security research at Cisco’s Talos intelligence and research unit, describes the malware as the creation of “an insane criminal genius”.

“It really was something completely new, a new dimension that hadn’t been mentioned before,” Lee tells Computer Weekly. “If we think back to the year 1989, the internet was still basically a dozen computers in universities and the military. The internet, as we know it, had not taken off, the World Wide Web had not taken off. Most computers were not networked at all, even hard disk drives were very much a luxury optional extra.

“All of these things that we now take for granted – distribution over a network, payment by cryptocurrency – none of this existed. It was a fairly limited attack… It is not known, but it is not believed, that anybody paid the ransom.”

Moreover, the cyber security profession simply did not exist in its current form in 1989. “It was nowhere near what it is today. It was a different world,” says Lee, who characterises the IT of the day as “prehistoric”.

“The term cyber security didn’t exist and the industry didn’t exist. There were individuals we would recognise as practicing information security, but they tended to be in the types of environments that required security clearance, like the military or governments. It would have been a tight community where everyone knew each other.

“Certainly at the time, the first ransomware did not make a big splash in the news,” he adds.

Ahead of his time

That Popp was somewhat ahead of his time is clear in that the idea of ransomware didn’t really rear its head again until the mid-90s, when academics and computer scientists first started playing around with the idea of combining computer virus – or malware – functionality with cryptography.

But even then, the world spent another decade in blissful ignorance before the first attempt was made at a criminal ransomware attack of the type we would recognise in the 2020s.

Gpcode, as it was termed, first popped up in Russia in December 2004, 20 years ago, when reports started to emerge that individual people’s files were being encrypted by some strange new form of cyber attack.

“Ultimately, it turned out that an individual was, if I remember correctly, harvesting information from Russian job sites and emailing jobseekers saying, ‘Hey, we would like you to apply for this job’,” says Lee.

“The lure document purported to be a job application form, but in fact it was ransomware which encrypted the files, and the ransom was to be paid by money transfer. This is really the first modern criminal ransomware where the objective – to make money – is clear.”

Gpcode was “incredibly rudimentary” as ransomware goes – it used a 600-bit RSA public key to encrypt its victim’s files, and Lee says that demanding the ransom be paid by money transfer (Bitcoin was still a few years off) was a dangerous gamble for the cyber criminals behind Gpcode, because it left them open to being tracked by law enforcement.

Gpcode was not a runaway success – in that it did not net millions for its creators as ransomware does today – but it was notable in that it meant ransomware was starting to cut through, both in the still-emerging cyber security community and among laypeople.

Gpcode also helped to establish some of the popular tropes around ransomware phishing lures – today, phantom job offers are frequently used against victim organisations, particularly when executed as part of a targeted attack via a highly placed executive, for example.

Continuous innovation

Over the decade that followed, the story of ransomware became one of almost continuous innovation, as cyber criminals became more motivated to extort money and to avoid capture and prosecution.

Anonymity during the payment process was a particularly thorny problem that the criminal underground needed to overcome, says Lee.

“In 2004, Gpcode had a single software engineer slash operator conducting the attacks, and they had this problem of how are they going to get the ransom paid to them in a way that’s easy for the victim, but provides anonymity for the criminal,” he says.

“Initially, we have the rise of digital currencies, E-Gold and Liberty [Reserve] to name but two, which were mechanisms outside of the traditionally regulated banking industry for transferring value between individuals,” says Lee. “They were – how should we put this – abused.”

The big disadvantage of these digital currencies is that they both had a single point of failure from the cyber criminals’ perspective, in that law enforcement agencies and regulators could act to disrupt the flow of illicit payments traversing them, which of course is exactly what happened.

“This then coincides with the rise of cryptocurrencies, giving an alternative way for criminals to collect their ransom through crypto,” says Lee.

“The other big innovation addressed the weak point of early ransomware – that it was one developer and operator – so we did see in the mid-2000s the development of the first ransomware as a service.

“Malicious software engineers who were very good at writing code but maybe not so good at distributing ransomware or coming up with social engineering lures could focus on the code and then develop a partner portal so that less technically sophisticated cyber criminals could participate in attacks – they could be hired, or enter into a partnership,” says Lee. “If they divide up the tasks, it makes it more efficient.”

Though it may surprise some to learn that the concept of ransomware as a service, or RaaS, is well over 10 years old, it emerged at a very different time, and the ransomware ecosystem had to go through a few more evolutions to reach its present, devastating form.

Up to date

Lee explains: “The next big change comes in 2016 with the gang using SamSam. Prior to that, ransomware was a mass-market attack, distributing as much ransomware as possible to as many end-users as possible, getting it onto PCs, and demanding a few hundred dollars for the victim to get what’s on their endpoints back.

“The big innovation was the gang distributing SamSam chose their victims in a different way. Instead of going for sheer numbers, they would identify businesses, get inside their networks, and combine traditional hacking techniques – infiltrating the network, finding key servers that businesses relied on, and getting the ransomware on those key servers.

“In encrypting the files and stopping the functionality of those key servers,” says Lee, “SamSam brought the entire business to a halt, and at that point the gang could ask for a much, much larger ransom.”

This is not to say that mass-market, end-user focused ransomware has gone away; it is very much still a threat, and in many ways it is more devastating for the average person to be hit with ransomware than it is for a well-insured, regulated corporation.

“I’ve had people reach out to me with an elderly parent whose laptop has been hit with ransomware and it had the last photos of their deceased spouse on it, is there a way of getting it back?” says Lee.

“It’s heartbreaking, and nine times out of 10 the answer is no. So, this has not gone away and it’s not going to. Businesses may have more to lose than an end-user, but that’s not to say that end-users can’t suffer significant pain.

“But the big money for the bad guys is in businesses, getting inside businesses, causing high-value disruption and destroying large amounts of value, because the profits are so much higher.”

This brings us neatly to the developments we have seen since 2020, when the scourge of ransomware really took off, and cyber security broke out of its niche and started to make national headlines. These have all been well-documented, including the rise of double extortion attacks and the emergence of an extensive underground economy of affiliates and brokers. We are even seeing what looks like collaboration between financially motivated cyber criminal gangs and politically motivated cyber espionage operators.

This year, we have seen the beginnings of a new trend in which ransomware gangs actually forego the ransomware locker entirely. Just last month, the Australian and American authorities released new intelligence on the work of the BianLian ransomware gang, which has shifted solely to extortion without encryption.

Could it be that ransomware, in its traditional form, is starting to reach the end of the line?

Looking ahead

Probably not, says Lee, looking ahead, although it will look different: “You know IT brings enormous positives to our lives and enables so much – but anywhere where IT is creating value, criminals are looking for ways to piggyback and steal that value. Ransomware has proved to be a very profitable way for them to do it.

“I think that for any new ways in which we use IT in the near- and medium-term future, we can expect there will be criminals looking to make money off that, and one of the ways that they’re going to do it, for certain, is going to be through ransomware.”

From ransomware’s birth pangs as the howl of the frustrated and aggrieved Joseph Popp, we can chart a clear line to the big bucks ransomware hits of the 2020s, and this continuity of criminality and innovation leads Lee to a simple conclusion.

“We need to be much more aware that for anything IT touches, we need to think about cyber security, we need to think about how the bad guys might disrupt it, because for certain, they’re going to be thinking too and someone’s going to try it.

“The history of ransomware has been one of constant innovation, and we can expect that to continue into the future,” he says.


Top 10 women in tech and diversity in tech stories of 2024

This year signalled a worrying time for diversity, equity and inclusion in the technology sector as many firms began rolling back their initiatives and efforts.

This lack of commitment led many notable diversity organisations to dial back their own efforts, not wanting to contribute to allowing firms to pretend to be making a difference rather than actually turning the dial.

As the year bows out, many questions still remain about how the diversity landscape will look next year in the UK’s tech sector.

At the beginning of the year, women in the technology and finance sectors mobilised to reverse a government decision which threatened to cause a diversity rift for startup funding.

Following a consultation, HM Treasury decided to change the criteria for what defines a “high-net-worth individual”, making it more difficult for women to become angel investors.

MP Caroline Dinenage backed the investHER campaign, which called for a change in the new law, and eventually the decision was reversed.

Research from BCS, expanding on the organisation’s study from before the pandemic, found that growth of diversity in the UK’s tech sector has been slow in the past five years.

Using women in tech as an example, the research found the number of women who make up UK tech professionals was 20% in 2022, only a 4% increase since 2018.

There is lots of debate about what exactly prevents people from underrepresented groups choosing a tech sector career.

The Institute of Coding claimed in some research that people aren’t fully sure what a role in the technology sector involves, and this misunderstanding, alongside the lack of representation of the UK’s general population among those in tech roles, is a huge barrier for those considering a career in tech.

In the summer of 2024, network for women in business, Everywoman, announced the winners of this year’s technology awards, in partnership with Bupa.

‘Empower. Transform. Thrive’ was the theme this year, with much of the conversation surrounding the importance of increasing the visibility and accessibility of female role models in the tech sector to encourage others into tech.

Each year, Computer Weekly, alongside its partner Harvey Nash, hosts a diversity in technology event to discuss subjects relating to the topic and to announce its list of the most influential women in UK technology.

The writeup from the 2023 event was released this year, including advice from tech experts on how to promote diversity and inclusion in tech businesses and why everyone needs to play a part in diversity, equity and inclusion efforts.

As part of ServiceNow’s Knowledge24 event, actress Viola Davis spoke on her career, on women in tech, and on the importance of supporting those around you both in your career and in your life.

Stating that you “can’t go it alone” in life, Davis explained how mentorship and help from others massively helped her through her career, mirroring the conversation in the technology sector surrounding the importance of role models for encouraging others to pursue a tech role.

Artificial intelligence (AI) is becoming increasingly important in both life and business, leaving many concerned about the diversity of the teams who are developing it.

Research from IBM found that business leaders in the UK believe that making sure women are in decision-making positions in the technology sector will be vital for ensuring AI and other technologies are developed with everyone in mind.

After its annual report found that the tech industry is dialling back on diversity initiatives, the Tech Talent Charter announced it would be disbanding after nearly 10 years in operation.

As it closed its doors, it issued a call to action to the industry not to go backwards in its efforts to improve the industry, giving advice on what to do next.

The industry’s concern that not having women involved in the development of technologies such as AI would have a detrimental effect on some user groups was confirmed by research from Code First Girls and Tech Talent Charter.

Job automation is 40% more likely to affect women than men, according to the joint research, though this could be improved with ongoing training.

In 2024, Sheridan Ash, co-CEO of technology education charity Tech She Can, became the 13th person to be named Computer Weekly’s most influential woman in UK tech.

The announcement was made alongside the rest of the top 50, as well as Computer Weekly’s 2024 Rising Stars, and the list of women in tech Hall of Famers.


CCS cloud hosting deal with AWS under scrutiny as contract value soars by 89% after 15 months

The Crown Commercial Service’s (CCS) decision to increase its cloud hosting spend with Amazon Web Services (AWS) mid-contract by 89% is under scrutiny from procurement professionals.

The government’s procurement arm is overseeing the migration of workloads from the Government Digital Service’s now defunct Gov.uk platform-as-a-service (PaaS) offering to the AWS cloud.

This piece of work is covered by a £1.3m, 36-month contract CCS arranged with the public cloud giant in February 2023 through the G-Cloud 13 framework.

It has since emerged that CCS issued a Change Control Notice (CCN) that confirms the contract value increased by 89% to £2.5m in May 2024, despite deal value increases of that size not being strictly permitted under procurement rules.

“Following the migration…to AWS, there is a need to increase the contract value of the CCS Hosting contract to date for the increased costs incurred for these migrated services,” the CCN notice stated.

Under the terms of Regulation 72 of the Public Contracts Regulations 2015 (PCR15), contracts “may be modified without a new procurement procedure…provided that any increase in price does not exceed 50% of the value of the original contract”.

On this basis, CCS is now being called on to explain why this contract was not retendered or subject to further competition, once it realised the original AWS contract would not cover the total cost of the work involved.

“The contract was awarded under G-Cloud 13, and is obviously governed by PCR15. There’s no argument with that,” said one public sector IT procurement expert, who spoke to Computer Weekly on condition of anonymity.

“But the CCS has not provided a plausible explanation for the uplift in contract value following the CCN, which clearly puts it in the threshold that requires further competition.”

Public procurement adviser Martin Medforth told Computer Weekly that Regulation 72 of PCR15 does permit public sector IT buyers to increase the original value of their contracts by more than 50% – just not all in one go.

“Regulation 72 is a funny one, in that it can be applied multiple times,” he said. “So, you can apply the 50% and then, if [the buyer] realises they still have a bit of work to do, they can apply the 50% again.”

It is not clear from the CCN notice if CCS did exercise its right to increase the size of its AWS deal multiple times, or if the 89% increase was pushed through regardless.

Computer Weekly contacted CCS to query the change in deal size and what its response would be to claims the contract change is misaligned with the contents of PCR15.

In response to the request, a CCS spokesperson stated: “Crown Commercial Service follows procurement legislation, under the Public Contracts Regulations 2015, which ensures that all government contracts are awarded fairly and transparently. This contract was awarded using the G-Cloud 13 framework agreement.”

Nicky Stewart, senior adviser to the Open Cloud Coalition (OCC), which champions competition within the public cloud market, told Computer Weekly that it is important that high-profile, public sector organisations such as CCS demonstrate good practice when procuring cloud services.

“The OCC fully supports open and transparent procurement principles when it comes to cloud,” said Stewart. “This includes making legitimate opportunity available to all, including challenger cloud providers, and we hope that high-profile buying authorities such as the CCS will show leadership in this respect.”

Questioning the original deal size

The fact the deal size has required such a sizeable uplift after 15 months or so of work suggests CCS underestimated how much the migration would cost, continued Medforth. “Had I personally done this deal, I would have probably let this for ‘up to £5m’, to be on the safe side,” he said.

That is a sentiment shared by Owen Sayers, an enterprise architect with more than 20 years’ experience in delivering national policing systems, who told Computer Weekly that questions need to be asked about how CCS got its “sums so wrong” in the first instance where this contract is concerned.

“Having to almost double a £1.3m, three-year contract just over a third of the way into its lifecycle suggests that the original due diligence and understanding of the requirement was somewhat lacking,” he said.

Computer Weekly also contacted AWS for comment on this story, but the company declined.


AWS offers Hackney Council ‘minimum 22%’ discount on cloud services through OGVA 2.0

Hackney Council has committed to growing its annual usage of Amazon Web Services’ (AWS) cloud platform by 8% a year over the next three years to secure a “minimum 22%” discount on the public cloud giant’s services, Computer Weekly understands.

The local authority’s latest cloud hosting deal with AWS went live on 1 November 2024, after Hackney Council secured permission from the Cabinet Procurement and Insourcing Committee (CPIC) to re-sign the public cloud giant to host its core cloud services for another 36 months. The contract award notice for the deal confirms it has a maximum value of £3m.

Computer Weekly has received a copy of a 15-page document, created in July 2024, which details the reasons why the CPIC should recommend green-lighting a council proposal to award the three-year contract to AWS with a total value of £2.95m.

As detailed in the document, the council has been an AWS user since 2019, but use of its technology has accelerated at a “faster pace than was anticipated” in the wake of the ransomware attack Hackney Council suffered in October 2020.

“The cyber attack of 2020 demonstrated the importance of [moving to the cloud] as the services that had already migrated to the cloud were protected from the attack,” the document stated.

“Our investments in recovery [from the ransomware attack] have brought forward migration to the cloud… [with] almost all of the council’s systems now provided through the cloud.”

The council’s “accelerated transition to the cloud” has seen the value of its cloud contracts increase from just over £1m to approximately £2.85m, which included “one-off costs related to data recovery work” as a direct result of the 2020 cyber attack.

However, as detailed in the document, the council has been working to streamline its cloud estate by decommissioning services that are no longer being used, and ensuring the resources that remain in use are “right-sized”.

The document continued: “We have seen our cloud usage stabilise over the past year and are continuing to actively look for opportunities to cut the costs of running the estate, including reducing consumption-based usage costs and paying for known product usage in advance to secure discounts.”

On this point, the document states the council is set to benefit from the committed spend discount scheme the UK government has in place with AWS, known as the One Government Value Agreement (OGVA) 2.0, through this proposed deal.

“[This] gives the council access to discounted pricing subject to agreeing to contractual commitment value based on our spend over the previous 12-month period,” the document stated.

“This value has been calculated and the annual commitment for the contract will be £909,800 in the first year, £982,600 in the second and £1,061,100 in the third … the total contract value over the three-year term will be £2,953,500.”

Additionally, the OGVA 2.0 agreement will also allow the council to “further offset the value of the contract” with a minimum of 22% discount on AWS’s standard pricing model, which should bring the estimated “actual spend” for the three-year contract down to £2.3m.

“These costs and savings figures are based on our current projected spend and growth as required by the One Government Value Agreement stipulations,” the document stated.

“As part of the agreement we will be committed to an annual usage growth of 8% but we will in turn benefit from a minimum of 22% savings year-on-year on the standard pricing model for the resources we use.”

Computer Weekly asked Hackney Council to confirm if it was benefiting from the discount terms set out in the document now the contract has gone live, but a spokesperson for the local authority said: “The council is not in a position to confirm the terms of the agreement.”

Computer Weekly also contacted AWS to clarify if the 22% minimum discount and 8% usage commitment outlined in the document are typical of the discounts available to public sector buyers through OGVA 2.0. AWS, however, declined to comment.

The OGVA 2.0 agreement was quietly launched by AWS in December 2023, with government procurement chiefs at the Crown Commercial Service (CCS) claiming the agreement will deliver sizeable financial benefits to public sector IT buyers through the discounts it offers.

However, no details about the exact level of discount users will benefit from have previously been made public, as contract award notices for OGVA G-Cloud deals are typically heavily redacted.

On this point, details about an 18% baseline discount offered through the first iteration of the OGVA agreement only emerged after an unredacted contract award notice was published in error on the government’s Contract Finder website.

Incidentally, preferential pricing schemes like OGVA are one of several areas the UK Competition and Markets Authority is looking into as part of its ongoing antitrust investigation focused on the UK cloud infrastructure market as it seeks to determine if the use of committed spend discounts could be harming the sector’s competitiveness.


The Data Bill: It’s time to cyber up

In the latest deliberations on the Data Use and Access Bill in the House of Lords, I set out two amendments to offer well overdue updating to the Computer Misuse Act (CMA) of 1990. In preparing for committee stage of the bill I remain incredibly grateful to everyone involved with the CyberUp campaign, their analysis and commentary always so perfectly on point.

I hardly think I need to rehearse the backdrop to the CMA; many people will be well aware of the act and its shortcomings. Curiously, in the intervening thirty-four and a half years, despite seismic changes in our society and technologies – crucially, including the rise of cyber security threats – the act remains unamended.

Having said that though, I’ve tempted myself a little, as it is the case that the act was originally drafted to protect telephone exchanges in 1990, when only 0.5% of the population had access to the internet.

The CMA was the UK’s first computer crime law and came about following an attack on Prestel in the mid-1980s. Anyone under the age of 40 is probably wondering what Prestel was – a forerunner of internet-based online services launched by the Post Office in 1979 – which only serves to make the point.

Significant change

My amendments to the new Data Bill seek to achieve a very clear and materially significant change, to enable cyber security professionals to do what we have asked of them without the legislation tying at least one hand behind their back.

Thirty-four years on, the CMA still governs how we tackle cyber criminals. As it is currently written, the act inadvertently criminalises legitimate cyber security research. This includes a large proportion of vulnerability research and threat intelligence activities which are critical in protecting the UK from increasingly sophisticated cyber attacks.

Fundamentally, it restricts cyber security researchers from conducting essential work to protect the UK, including critical national infrastructure. While improving data access is a positive move, it is equally crucial to modernise cyber security laws to protect not just the data but also the systems that underpin it.

The wording of my amendments in full is:

Data use: definition of unauthorised access to computer programs or data

In section 17 of the Computer Misuse Act 1990, at the end of subsection (5) insert—

“(c) they do not reasonably believe that the person entitled to control access of the kind in question to the program or data would have consented to that access if they had known about the access and the circumstances of it, including the reasons for seeking it, and

(d) they are not empowered by an enactment, by a rule of law, or by order of a court or tribunal to access of the kind in question to the program or data.”

Data use: defences to charges under the Computer Misuse Act 1990

(1) The Computer Misuse Act 1990 is amended as follows.

(2) In section 1, after subsection (3) insert—

(4) It is a defence to a charge under subsection (1) to prove that—

(a) the person’s actions were necessary for the detection or prevention of crime, or

(b) the person’s actions were justified as being in the public interest.

(3) In section 3, after subsection (6) insert—

(7) It is a defence to a charge under subsection (1) in relation to an act carried out for the intention in subsection (2)(b) or (c) to prove that—

(a) the person’s actions were necessary for the detection or prevention of crime, or

(b) the person’s actions were justified as being in the public interest.

As I said in the debate, don’t take my word for it, the National Cyber Security Centre acknowledged the widening gap between the risks facing the UK and its ability to mitigate them in its 2024 annual review, clearly stating that “updating this out-of-date legislation is a crucial step in closing this gap”.

Statutory defence

Introducing a statutory defence would provide legal clarity and protection for ethical cyber security professionals undertaking legitimate vulnerability research and threat intelligence activities. Such a defence would align the UK with best practices internationally, ensuring that we keep pace with nations like the US and EU, which are moving to safeguard ethical cyber security work.

To put some numbers to this, there have been nine million instances of cyber crime against UK businesses and charities since May 2021, according to the Department for Science, Innovation and Technology’s 2024 cyber breaches survey, published April 2024. Half of businesses and 32% of charities suffered a cyber breach or attack last year, and the sector’s revenue potential is estimated to increase by £2.4bn once the act is updated.

Analysis based on CyberUp’s recent industry report suggests that 60% of respondents said the CMA is a barrier to their work in threat intelligence and vulnerability research, and 80% believed the UK was at a competitive disadvantage due to the CMA.

Concluding my remarks, I asked whether the minister would be able to provide an update on the work to reform the Computer Misuse Act. I also asked her whether she believed that my amendments as drafted would provide the legal protection that we seek and, if so, why the government would not bring them into force via the means of the Data Bill.

The minister’s answers to both questions were largely the same: we must wait; the amendments are “premature”; there was not consensus among those who responded to last year’s consultation on the matter, so the path forward must continue with no timeline or sense of when this most pressing of issues will be resolved.

If the government needs some public support to increase its pace on this project, how about the fact that two-thirds of UK adults are inclined to support a change in the law to allow cyber security professionals to carry out research to prevent cyber attacks?

There is also support for such a statutory change from the excellent report of the then chief scientific advisor, Patrick Vallance, earlier this year which concluded that, “Amending the CMA to include a statutory public interest defence that would provide stronger legal protections for cyber security researchers and professionals”.

Other nations have already led in this area, not least France and the Netherlands. Belgium, Germany and Malta are currently amending their legal frameworks to this end. As I stated in the debate, it’s time to pass these amendments; it’s time to afford our cyber security professionals the safety they need to do the self-same thing for us, all of us. As has been the case for far too long – it’s time to CyberUp.

Latest attempt to override UK’s outdated hacking law stalls

Two amendments to the Data (Access and Use) Bill that would have established a statutory legal defence for security professionals and ethical hackers to protect them from prosecution under the 1990 Computer Misuse Act (CMA) have failed to make it beyond a House of Lords committee hearing after being withdrawn.

The 34-year-old CMA broadly defines the offence of “unauthorised access to a computer” that is frequently relied upon in the UK when prosecuting cyber criminals, but given it became law when Margaret Thatcher was prime minister, it has not been updated to reflect the emergence, and practices, of the legitimate cyber security profession.

Campaigners say this is putting the UK at a competitive disadvantage because security pros fear they may be prosecuted simply for doing their jobs – for example, by accessing a system during the course of an incident investigation – while their employers lose out to companies located in more permissive jurisdictions.

Introduced by Lord Chris Holmes and Lord Tim Clement-Jones, the changes would have introduced two amendments into the Data Bill to amend the CMA such that security professionals could prove their actions were “necessary for the detection or prevention of crime” or “justified as being in the public interest”.

Speaking in support of the amendment on 18 December 2024, Holmes spoke about how the CMA was introduced to defend telephony exchanges in an era when 0.5% of the population was online, and if that was the act’s sole purpose, that alone would indicate it needs updating given the profound advances in technology made in the past three-and-a-half decades.

“The Computer Misuse Act 1990 is not only out of date but inadvertently criminalising the cyber security professionals we charge with the job of keeping us all safe. They oftentimes work, understandably, under the radar, behind not just closed but locked doors, doing such important work. Yet, for want of these amendments, they are doing that work, all too often, with at least one hand tied behind their back,” said Holmes.


“Let us take just two examples: vulnerability research and threat intelligence assessment and analysis. Both could find that cyber security professional falling foul of the provisions of the CMA 1990. Do not take my word for it: look to the 2024 annual report of the National Cyber Security Centre, which rightly and understandably highlights the increasing gap between the threats we face and its ability, and the ability of the cyber security professionals community, to meet those threats.

“These amendments, in essence, perform one simple but critical task: to afford a legal defence for legitimate cyber security activities,” he said. “That is all, but it would have such a profound impact for those whom we have asked to keep us safe and for the safety they can thus deliver to every citizen in our society.

“It’s not time, it’s well over time that these amendments become part of our law. If not now, then when? If not these amendments, what amendment? And if not these amendments, what will the government say to all those people who will continue to be put in harm’s way for want of these protective provisions?” added Holmes.

Government responds

During the hearing in Westminster, other parliamentarians, including the amendment’s co-sponsor Lord Clement-Jones and Lord James Arbuthnot, better known for his campaigning work in the Post Office Horizon scandal, spoke in favour of reform, but to no avail.

Lord Timothy Kirkhope said: “This just demonstrates, yet again, that unless we pull ourselves together, with better smart legislation that moves faster, we will never ever catch up with developments in technology and AI [artificial intelligence]. This has been demonstrated dramatically by these amendments. I express concerns that the government move at a pace that government always moves at, but in this particular field it is not going to work.”

Responding to the meeting, under-secretary of state at the Department for Science, Innovation and Technology (DSIT) Baroness Margaret Jones said the government agreed the UK needed a revised legislative framework to enable the authorities to tackle the harms posed by cyber criminals, and that it was committed to ensuring the CMA remains up to date and is effective in this regard.

However, said Jones, reform is a “complex and ongoing” issue that is being considered as part of a Home Office review of the CMA itself.

“We are considering improved defences by engaging extensively with the cyber security industry, law enforcement agencies, prosecutors and system owners. However, engagement to date has not produced a consensus on the issue, even within the industry, and that is holding us back at this moment – but we are absolutely determined to move forward with this and to reach a consensus on the way forward,” she said.

“The specific amendments … are premature, because we need a stronger consensus on the way forward, notwithstanding all the good reasons … given for why it is important that we have updated legislation. With these concerns and reasons in mind, I hope that the noble Lord [Holmes] will feel able to withdraw his amendment,” said Jones.

Katharina Sommer, group head of government affairs at cyber firm NCC Group, said she was thrilled to see such passionate calls for reform, and that the session had rightly highlighted the outdated nature of the CMA and how it holds back cyber security professionals.

“We need a statutory defence, like that proposed by Lord Holmes’ welcome amendment, to allow this vital work to proceed unimpeded, at a time where the cyber threat is rising unabatedly. Reforming the CMA would unlock huge opportunities, strengthen our defences, and help the UK compete on the world stage,” she said.

“It is heartening to see the minister recognise the need to provide legal protections for legitimate cyber security activities, and hear about her determination to reach consensus on the way forward, particularly as this follows her colleague the security minister’s recent commitment to reviewing the CMA,” said Sommer.

“We do hope sincerely that all those involved in keeping the UK safe in cyberspace are prepared to work together, and find compromise rather than risk deadlock. We look forward to working with the government and all partners to ensure the UK’s cyber laws reflect 21st century threats.”

Disappointment

Andrew Jones, strategy director at The Cyber Scheme, a supporter of the CyberUp Campaign for legal reform, said: “Whilst we are slightly disappointed by the government’s decision not to seize this opportunity to bring the Computer Misuse Act into the 21st century, we are encouraged by their recent comments suggesting a review of the act is being considered. Until then, the CMA will remain an outdated piece of legislation, preventing our cyber security professionals from defending organisations effectively and leaving us lagging behind peer nations, as the US and EU move to safeguard ethical cyber security work as a cornerstone of national resilience.

“With the CEO of the National Cyber Security Centre recently acknowledging that hostile activity in UK cyberspace has increased in ‘frequency, sophistication and intensity’, it is vital that the UK takes measures to upgrade its cyber resilience.”

He added: “The statutory defence we propose – drafted in consultation with industry and legal experts – would protect legitimate cyber security professionals, strengthen UK cyber defences, and reinforce its place as a cyber security leader. We are fully prepared to work with the government to help implement this necessary change in the future, as soon as it is ready to act.”


LockBit ransomware gang teases February 2025 return

Despite being taken down and humiliated in February 2024 by Operation Cronos, the law enforcement action coordinated by the National Crime Agency (NCA), an unknown individual or group associated with, or claiming to represent, the LockBit ransomware gang has broken cover to announce the impending release of a new locker malware, LockBit 4.0.

In screengrabs taken from the dark web that have been widely circulated on social media in the past day, the supposed cyber criminal invited interested parties to “sign up and start your pentester billionaire journey in 5 minutes with us”, promising them access to supercars and women. At the time of writing, none of the links in the post direct anywhere, while a countdown timer points to a ‘launch’ date of 3 February 2025.

Robert Fitzsimons, lead threat intelligence engineer at Searchlight Cyber, said it was hard to say at this stage what LockBit 4.0 entailed – whether the gang was launching a new leak site, its old one having been seized, or whether it has made changes to its ransomware.

“It is worth noting that LockBit has already been through many iterations; its current branding is LockBit 3.0. It’s therefore not surprising that LockBit is updating once again and – given the brand damage inflicted by the law enforcement action Operation Cronos earlier this year – there is clearly a motivation for LockBit to shake things up and re-establish its credentials, keeping in mind that the LockBit 3.0 site was hijacked and defaced by law enforcement,” said Fitzsimons.

“There has been a decrease in LockBit’s victim output since Operation Cronos but this post shows that it is still trying to attract affiliates and continue its operations.”

The gang’s sudden announcement comes just days after it emerged that the United States government is seeking the extradition from Israel of an alleged LockBit operative named as Rostislav Panev to face trial for wire fraud and cyber crime.

Panev was arrested in Haifa, Israel, in August. According to Israeli news site Ynet, which was first to report the extradition request, news of his arrest has been restricted up to now in order to avoid tipping off other LockBit associates who may be located outside Russia and giving them a chance to escape to the relative safety afforded them there.

Panev is accused of working as a software developer for LockBit and may have created the mechanism by which the gang was able to print ransom notes on printers connected to the compromised systems. Panev’s lawyer told Ynet that he was a computer technician and was never aware of nor involved in any fraud, extortion or money laundering.

Computer Weekly understands an extradition hearing in this case is scheduled for January 2025.

LockBit down but not out?

Since Operation Cronos unfolded in early 2024, the NCA and other agencies that participated in the takedown have been drip-feeding more information about the infamous cyber criminal operation.

In May, the NCA unmasked its leader, LockBitSupp, naming him as Russian national Dmitry Khoroshev and targeting him with asset freezes and travel bans, concurrent with an indictment in the US that has seen him charged with a total of 26 counts of fraud, damage to protected computers and extortion. Khoroshev remains at large despite a multimillion-dollar reward, and LockBitSupp has denied that this is their true identity.

Later in the year, the NCA named and shamed a high-profile LockBit affiliate, Aleksandr Ryzhenkov, aka Beverley, who was also a key player in the Evil Corp operation and served as a henchman to its leader Maksim Yakubets.

Despite the apparent success of Operation Cronos, recent history has shown that even when law enforcement operations can be effective at disrupting their activities, cyber criminals are remarkably resilient and often able to stand up their operations again with relative ease.

Although it is not currently possible to ascertain what the person behind LockBit’s announcement is actually planning, defenders should be alert to the possibility of attack in the coming weeks and take appropriate anti-ransomware measures wherever possible.


Top 10 data and ethics stories of 2024

In 2024, Computer Weekly’s data and ethics coverage continued to focus on the various ethical issues associated with the development and deployment of data-driven systems, particularly artificial intelligence (AI).

This included reports on the copyright issues associated with generative AI (GenAI) tools, the environmental impacts of AI, the invasive tracking tools in place across the internet, and the ways in which autonomous weapons undermine human moral agency.

Other stories focused on the wider social implications of data-driven technologies, including the ways they are used to inflict violence on migrants, and how our use of technology prefigures certain political or social outcomes.

In an analysis published 14 January 2024, the IMF examined the potential impact of AI on the global labour market, noting that while it has the potential to “jumpstart productivity, boost global growth and raise incomes around the world”, it could just as easily “replace jobs and deepen inequality”; and will “likely worsen overall inequality” if policymakers do not proactively work to prevent the technology from stoking social tensions.

The IMF said that, unlike labour income inequality, which can decrease in certain scenarios where AI’s displacing effect lowers everyone’s incomes, capital income and wealth inequality “always increase” with greater AI adoption, both nationally and globally.

“The main reason for the increase in capital income and wealth inequality is that AI leads to labour displacement and an increase in the demand for AI capital, increasing capital returns and asset holdings’ value,” it said.

“Since in the model, as in the data, high income workers hold a large share of assets, they benefit more from the rise in capital returns. As a result, in all scenarios, independent of the impact on labour income, the total income of top earners increases because of capital income gains.”

In January, GenAI company Anthropic claimed to a US court that using copyrighted content in large language model (LLM) training data counts as “fair use”, and that “today’s general-purpose AI tools simply could not exist” if AI companies had to pay licences for the material.

Anthropic made the claim after a host of music publishers, including Concord, Universal Music Group and ABKCO, initiated legal action against the Amazon- and Google-backed firm in October 2023, demanding potentially millions in damages for the allegedly “systematic and widespread infringement of their copyrighted song lyrics”.

However, in a submission to the US Copyright Office on 30 October (which was entirely separate from the case), Anthropic said that the training of its AI model Claude “qualifies as a quintessentially lawful use of materials”, arguing that, “to the extent copyrighted works are used in training data, it is for analysis (of statistical relationships between words and concepts) that is unrelated to any expressive purpose of the work”.

On the potential of a licensing regime for LLMs’ ingestion of copyrighted content, Anthropic argued that always requiring licences would be inappropriate, as it would lock up access to the vast majority of works and benefit “only the most highly resourced entities” that are able to pay their way into compliance.

In a 40-page document submitted to the court on 16 January 2024 (responding specifically to a “preliminary injunction request” filed by the music publishers), Anthropic took the same argument further, claiming “it would not be possible to amass sufficient content to train an LLM like Claude in arm’s-length licensing transactions, at any price”.

It added that Anthropic is not alone in using data “broadly assembled from the publicly available internet”, and that “in practice, there is no other way to amass a training corpus with the scale and diversity necessary to train a complex LLM with a broad understanding of human language and the world in general”.

Anthropic further claimed that the scale of the datasets required to train LLMs is simply too large for an effective licensing regime to operate: “One could not enter licensing transactions with enough rights owners to cover the billions of texts necessary to yield the trillions of tokens that general-purpose LLMs require for proper training. If licences were required to train LLMs on copyrighted content, today’s general-purpose AI tools simply could not exist.”

Computer Weekly spoke to members of the Migrants Rights Network (MRN) and Anti-Raids Network (ARN) about how the data sharing between public and private bodies for the purposes of carrying out immigration raids helps to prop up the UK’s hostile environment by instilling an atmosphere of fear and deterring migrants from accessing public services.

Published in the wake of the new Labour government announcing a “major surge in immigration enforcement and returns activity”, including increased detentions and deportations, a report by the MRN details how UK Immigration Enforcement uses data from the public, police, government departments, local authorities and others to facilitate raids.

Julia Tinsley-Kent, head of policy and communications at the MRN and one of the report’s authors, said the data sharing in place – coupled with government rhetoric about strong enforcement – essentially leads to people “self-policing because they’re so scared of all the ways that you can get tripped up” within the hostile environment.

She added this is particularly “insidious” in the context of data sharing from institutions that are supposedly there to help people, such as education or healthcare bodies.

The MRN, the ARN and others have long argued that, as part of the hostile environment policies, the function of raids goes much deeper than mere social exclusion: they also work to disrupt the lives of migrants, their families, businesses and communities, and to impose a form of terror that produces heightened fear, insecurity and isolation.

At the very end of April, military technology experts gathered in Vienna for a conference on the development and use of autonomous weapons systems (AWS), where they warned about the detrimental psychological effects of AI-powered weapons.

Specific concerns raised by experts throughout the conference included the potential for dehumanisation when people on the receiving end of lethal force are reduced to data points and numbers on a screen; the risk of discrimination during target selection due to biases in the programming or criteria used; as well as the emotional and psychological detachment of operators from the human consequences of their actions.

Speakers also touched on whether there can ever be meaningful human control over AWS, due to the combination of automation bias and how such weapons increase the velocity of warfare beyond human cognition.

The second global AI summit, in Seoul, South Korea, saw dozens of governments and companies double down on their commitments to safely and inclusively develop the technology, but questions remained about who exactly is being included and which risks are given priority.

The attendees and experts Computer Weekly spoke with said while the summit ended with some concrete outcomes that can be taken forward before the AI Action Summit due to take place in France in early 2025, there are still a number of areas where further movement is urgently needed.

In particular, they stressed the need for mandatory AI safety commitments from companies; socio-technical evaluations of systems that take into account how they interact with people and institutions in real-world situations; and wider participation from the public, workers and others affected by AI-powered systems.

However, they also said it is “early days yet” and highlighted the importance of the AI Safety Summit events in creating open dialogue between countries and setting the foundation for catalysing future action.

Over the course of the two-day AI Seoul Summit, a number of agreements and pledges were signed by the governments and companies in attendance.

For governments, this includes the European Union (EU) and a group of 10 countries signing the Seoul Declaration, which builds on the Bletchley Declaration signed six months earlier by 28 governments and the EU at the UK’s inaugural AI Safety Summit. It also includes the Seoul Statement of Intent Toward International Cooperation on AI Safety Science, which will see publicly backed research institutes come together to ensure “complementarity and interoperability” between their technical work and general approaches to AI safety.

The Seoul Declaration in particular affirmed “the importance of active multi-stakeholder collaboration” in this area and committed the governments involved to “actively” include a wide range of stakeholders in AI-related discussions.

A larger group of more than two dozen governments also committed to developing shared risk thresholds for frontier AI models to limit their harmful impacts in the Seoul Ministerial Statement, which highlighted the need for effective safeguards and interoperable AI safety testing regimes between countries.

The agreements and pledges made by companies include 16 global AI firms signing the Frontier AI Safety Commitments, a specific voluntary set of measures for how they will safely develop the technology, and 14 firms signing the Seoul AI Business Pledge, a similar set of commitments made by a mixture of South Korean and international tech firms to approach AI development responsibly.

One of the key voluntary commitments made by the AI companies was not to develop or deploy AI systems if the risks cannot be sufficiently mitigated. However, in the wake of the summit, a group of current and former workers from OpenAI, Anthropic and DeepMind – the first two of which signed the safety commitments in Seoul – said these firms cannot be trusted to voluntarily share information about their systems’ capabilities and risks with governments or civil society.

Dozens of university, charity and policing websites designed to help people get support for serious issues such as sexual abuse, addiction or mental health are inadvertently collecting and sharing site visitors’ sensitive data with advertisers.

A variety of tracking tools embedded on these sites – including Meta Pixel and Google Analytics – mean that when a person visits them seeking help, their sensitive data is collected and shared with companies like Google and Meta, which may become aware that a person is looking to use support services before those services can even offer help.

According to privacy experts attempting to raise awareness of the issue, the use of such tracking tools means people’s information is being shared inadvertently with these advertisers, in many cases as soon as they enter the sites, because analytics tags begin collecting personal data before users have interacted with the cookie banner.

Depending on the configuration of the analytics in place, the data collected could include information about the site visitor’s age, location, browser, device, operating system and behaviours online.

While even more data is shared with advertisers if users consent to cookies, experts told Computer Weekly the sites do not provide an adequate explanation of how their information will be stored and used by programmatic advertisers.

They further warned the issue is “endemic” due to a widespread lack of awareness about how tracking technologies like cookies work, as well as the potential harms associated with allowing advertisers inadvertent access to such sensitive information.
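The failure mode described above is, at bottom, a load-ordering bug: the tag fires on page load, so the visited URL reaches the vendor before the banner is answered. The following is an added example, not code from the article or from any of the sites it describes, that contrasts the unconditional loader with a consent-gated one. The tag names, consent categories, the constructed page path and the `inject` callback (standing in for the script tag a real tag manager would insert) are illustrative assumptions.

```javascript
// Each third-party tag declares the consent category it needs before it may load.
// (Assumed categories; a real consent platform defines its own.)
const TAGS = [
  { name: "google-analytics", requires: "analytics" },
  { name: "meta-pixel", requires: "marketing" },
];

// Constructed page path. On a support site the path alone reveals why the
// visitor is there, which is exactly what should not reach an advertiser.
const PAGE_PATH = "/get-help/sexual-abuse-support";

// What a loaded tag transmits to its vendor, reduced to the fields that matter here.
function beacon(tag) {
  return { tag: tag.name, path: PAGE_PATH };
}

// Weak pattern: every tag fires as soon as the page loads, regardless of consent.
function loadTagsUnconditionally(inject) {
  for (const tag of TAGS) inject(beacon(tag));
}

// Hardened pattern: all categories start denied. A tag loads only after an
// explicit opt-in for its category, and a tag that has fired is never re-fired.
class ConsentGate {
  constructor(inject) {
    this.inject = inject;
    this.consent = { analytics: false, marketing: false };
    this.fired = new Set();
  }

  // Called when the visitor interacts with the banner. Anything that is not
  // literally `true` stays denied, so a partial or malformed choice never grants consent.
  update(choices) {
    for (const [category, granted] of Object.entries(choices)) {
      if (!(category in this.consent)) {
        throw new Error(`unknown consent category: ${category}`);
      }
      this.consent[category] = granted === true;
    }
    this.flush();
  }

  flush() {
    for (const tag of TAGS) {
      if (this.consent[tag.requires] && !this.fired.has(tag.name)) {
        this.fired.add(tag.name);
        this.inject(beacon(tag));
      }
    }
  }
}

// Simulate one visit under both patterns. `choices` is what the visitor picks on
// the banner, or null if they never interact. Returns the beacons each pattern sent
// and how many the gated pattern had sent before the banner was answered.
function simulateVisit(choices) {
  const weak = [];
  loadTagsUnconditionally((b) => weak.push(b));

  const gated = [];
  const gate = new ConsentGate((b) => gated.push(b));
  const sentBeforeBanner = gated.length; // page load has happened; nothing should have fired
  if (choices !== null) gate.update(choices);

  return { weak, gated, sentBeforeBanner };
}

// Usage: a visitor who never touches the banner, and one who opts in to analytics only.
console.log(simulateVisit(null));
console.log(simulateVisit({ analytics: true }));
```

The point to check on a live site is the first return value: with the weak loader, both beacons carry the support-page path whether or not the visitor ever answers the banner. The gated version sends nothing at page load and, for the analytics-only opt-in, loads only the analytics tag. Verifying this in practice means watching the browser's network requests on first load, before clicking anything, rather than trusting the banner's wording.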

Computer Weekly spoke to author and documentary director Thomas Dekeyser about Clodo, a clandestine group of French IT workers who spent the early 1980s sabotaging technological infrastructure, which was used as the jumping-off point for a wider conversation about the politics of techno-refusal.

Dekeyser says a major motivation for writing his upcoming book on the subject is that people refusing technology – whether that be the Luddites, Clodo or any other radical formation – are “all too often reduced to the figure of the primitivist, the romantic, or the person who wants to go back in time, and it’s seen as a kind of anti-modernist position to take”.

Noting that ‘technophobe’ or ‘Luddite’ have long been used as pejorative insults for those who oppose the use and control of technology by narrow capitalist interests, Dekeyser outlined the diverse range of historical subjects and their heterogenous motivations for refusal: “I want to push against these terms and what they imply.”

For Dekeyser, the history of technology is necessarily the history of its refusal. From the Ancient Greek inventor Archimedes – who Dekeyser says can be described as the first “machine breaker” due to his tendency to destroy his own inventions – to the early mercantilist states of Europe backing their guild members’ acts of sabotage against new labour devices, the socio-technical nature of technology means it has always been a terrain of political struggle.

Hundreds of workers on Amazon’s Mechanical Turk (MTurk) platform were left unable to work after mass account suspensions caused by a suspected glitch in the e-commerce giant’s payments system.

Beginning on 16 May 2024, a number of US-based Mechanical Turk workers began receiving account suspension forms from Amazon, locking them out of their accounts and preventing them from completing more work on the crowdsourcing platform.

Owned and operated by Amazon, Mechanical Turk allows businesses, or “requesters”, to outsource various processes to a “distributed workforce”, who then complete tasks virtually from wherever they are based in the world, including data annotation, surveys, content moderation and AI training.

According to those Computer Weekly spoke with, the suspensions were purportedly tied to issues with the workers’ Amazon Payment accounts, an online payments processing service that allows them to both receive wages and make purchases from Amazon. The issue affected hundreds of workers.

MTurk workers from advocacy organisation Turkopticon outlined how such situations are an ongoing issue that workers have to deal with, and detailed Amazon’s poor track record on the issue.

Refugee lawyer and author Petra Molnar spoke to Computer Weekly about the extreme violence people on the move face at borders across the world, and how increasingly hostile anti-immigrant politics is being enabled and reinforced by a ‘lucrative panopticon’ of surveillance technologies.

She noted how – because of the vast array of surveillance technologies now deployed against people on the move – entire border-crossing regions have been transformed into literal graveyards, while people are resorting to burning off their fingertips to avoid invasive biometric surveillance; hiding in dangerous terrain to evade pushbacks or being placed in refugee camps with dire living conditions; and living homeless because algorithms shielded from public scrutiny are refusing them immigration status in the countries they’ve sought safety in.

Molnar described how lethal border situations are enabled by a mixture of increasingly hostile anti-immigrant politics and sophisticated surveillance technologies, which combine to create a deadly feedback loop for those simply seeking a better life.

She also discussed the “inherently racist and discriminatory” nature of borders, and how the technologies deployed in border spaces are extremely difficult, if not impossible, to divorce from the underlying logic of exclusion that defines them.

The potential of AI to help companies measure and optimise their sustainability efforts could be outweighed by the huge environmental impacts of the technology itself.

On the positive side, speakers at the AI Summit London outlined, for example, how the data analysis capabilities of AI can assist companies with decarbonisation and other environmental initiatives by capturing, connecting and mapping currently disparate data sets; automatically pinpointing harmful emissions at specific sites in supply chains; and predicting and managing the demand and supply of energy in specific areas.

They also said it could help companies better manage their Scope 3 emissions (which refers to indirect greenhouse gas emissions that occur outside of a company’s operations, but that are still a result of their activities) by linking up data sources and making them more legible.

However, despite the potential sustainability benefits of AI, speakers were clear that the technology itself is having huge environmental impacts around the world, and that AI itself will come to be a major part of many organisations’ Scope 3 emissions.

One speaker noted that if the rate of AI usage continues on its current trajectory without any form of intervention, then half of the world’s total energy supply will be used on AI by 2040; while another pointed out that, at a time when billions of people are struggling with access to water, AI-providing companies are using huge amounts of water to cool their datacentres.

They added that AI in this context could help build circularity into operations, and that it was also key for people in the tech sector to “internalise” thinking about the socio-economic and environmental impacts of AI, so that it is considered from a much earlier stage in a system’s lifecycle.
