Microsoft restates commitment to OpenAI amid analyst note about datacentre expansion rollbacks

Microsoft has pushed back against claims its decision to cancel and defer at least 2GW of datacentre projects in the US and Europe is indicative of its “fraying relationship” with OpenAI.

US analyst TD Cowen published a research note on 26 March 2025 that suggested the public cloud giant had cancelled and deferred datacentre lease agreements in the US and Europe that would have increased its compute capacity by at least 2GW.

According to TD Cowen, the rollback of these plans was due to Microsoft’s decision not to support OpenAI’s incremental training workloads.

TD Cowen had previously said the two companies were involved in a “fraying relationship”, after Microsoft confirmed in January 2025 that the exclusivity cloud hosting deal between the two firms had been rejigged.

A Microsoft blog post, dated 21 January 2025, confirmed OpenAI had made a “large Azure commitment” that included “changes to the exclusivity on new capacity, moving to a model where Microsoft has a right of first refusal”.

This means Microsoft gets first refusal on whether or not it wants to host OpenAI workloads, but OpenAI also reserves the right to build its own capacity with other partners if Microsoft cannot meet its needs.

Microsoft has now issued a statement to Computer Weekly, pushing back on TD Cowen’s take on the situation, while also restating the strength of the working relationship between the company and OpenAI.

In reference to its decision to scale back its datacentre expansion plans, Microsoft said it’s “well-positioned” to meet the current and increasing customer demand it’s seeing for its services thanks to the “significant investments” it’s made in its infrastructure to this point.

“Last year alone, we added more capacity than any prior year in history,” said a Microsoft spokesperson. “While we may strategically pace or adjust our infrastructure in some areas, we will continue to grow strongly in all regions.

“This allows us to invest and allocate resources to growth areas for our future. Our plans to spend over $80bn on infrastructure this financial year remain on track as we continue to grow at a record pace to meet customer demand.”

Microsoft has been a partner in OpenAI since 2019, with the two firms previously stating that they were working towards a shared goal to “responsibly advance artificial intelligence research” while democratising the technology and making it accessible to all.

Around the same time that Microsoft released details of its reworked cloud hosting arrangement with OpenAI, the latter released details of its $500bn effort to expand the infrastructure underpinning its services through the launch of the Stargate Project.

SoftBank, Oracle, MGX and OpenAI are the equity funders for the initiative, while Microsoft is listed as a technology partner.

In reference to its ongoing partnership with OpenAI, the Microsoft spokesperson said: “OpenAI continues to be a great partner. We remain committed to pushing the frontier of AI forward, driving innovation, and making cutting-edge models accessible to our customers and partners.”

Reassessing UK law enforcement data adequacy

The UK government says reforms to police data protection rules will help simplify law enforcement data processing, but critics argue the changes will lower protection to the point where the UK risks losing its European data adequacy.

Currently going through the committee stage of Parliamentary scrutiny, the Data Use and Access Bill (DUAB) will amend the UK’s implementation of the European Union (EU) Law Enforcement Directive (LED), which is transposed into UK law via the Data Protection Act (DPA) 2018 and represented in Part Three of the act specifically.

In combination with the current data handling practices of UK law enforcement bodies, the bill’s proposed amendments to Part Three could present a challenge for UK data adequacy.

The DUAB changes the law to allow routine transfer of data to offshore cloud providers, remove the need for police to log justifications when accessing data, and enable police and intelligence services to share data outside of the LED rules.

In June 2021, the European Commission granted “data adequacy” to the UK following its exit from the EU, allowing the free flow of personal data to and from the bloc to continue, but warned the decision may yet be revoked if future data protection laws diverge significantly from those in Europe.

While the government argues that its reforms will simplify police data processing, critics say the proposals represent enough of a divergence from EU law that it will likely undermine the UK’s LED adequacy.

They add that many of the government’s changes to police data protection rules are a response to a widespread lack of compliance with key provisions in the DPA 2018, such as the need to log justifications when accessing data or implement controls that limit the offshoring of sensitive law enforcement data to non-law enforcement bodies, including cloud providers.

Computer Weekly contacted the Home Office about every concern raised, and the threat to the UK’s LED adequacy created by the government’s proposed changes to the law enforcement data protection regime.

“We have introduced some targeted amendments in the Data Use and Access Bill to improve public trust and to drive up law enforcement efficiency by simplifying the legislation. We are committed to data adequacy and had the UK’s adequacy decisions in mind when producing this bill,” said a spokesperson.

“Any changes to our data protection regime must not come at the expense of security, and high standards of protection will continue to be applied.”

The adequacy process

In exiting the EU, the UK became a “third country” under the bloc’s rules, which means the European Commission (EC) will have to periodically assess whether the country’s data protection framework and practices provide an essentially equivalent level of protection for EU citizens’ data.

The EC will therefore have to make two separate adequacy determinations under both the General Data Protection Regulation (GDPR) and LED by the end of June 2025.

Data protection experts previously claimed to Computer Weekly in February 2021 that any adequacy decision made under the LED would be principally political in nature if it fails to directly address how the data practices of the UK’s criminal justice sector and intelligence services undermine the data and fundamental rights of EU citizens. If this is not addressed, they said a positive adequacy decision could be open to legal challenges in the European courts.

In October 2024, the UK Parliament’s European Affairs Committee (EAC) – in a warning about the risks of the UK losing its data adequacy – highlighted many of the same issues as the experts Computer Weekly spoke to, noting these would be of “interest and potential concern” to both the EC and European Court of Justice (CJEU) as they consider the UK’s adequacy statuses.

This includes potential divergence on data protection standards that would make it harder for people to exercise their data rights; the possibility that the UK government undermines end-to-end encryption; the independence and effectiveness of the Information Commissioner’s Office (ICO); aspects of the UK’s national security regime under the Investigatory Powers Act 2016, including data collection and retention, surveillance powers and practices, and the role of the Investigatory Powers Tribunal; and any legal cases which provide grounds for concern about UK data protection standards.

The EAC also highlighted potential risks posed by onward transfers of data from the UK to other third countries, including under the UK-US Cloud Agreement.

However, the EAC’s findings were published a day before the DUAB was announced, and two days before the text was published online, meaning its inquiry focused on the previous government’s Data Protection and Digital Information (DPDI) Bill – which was dropped from the legislative agenda during the UK’s pre-general election “wash up” period.

While the EC’s adequacy decision will rest on the exact contents of DUAB – for which there is still no official Keeling Schedule – it will be looking to assess whether the framework provides an essentially equivalent level of data protection for EU citizens’ data.

While some of the more controversial measures contained in the previous DPDI Bill – including removing the need for data protection impact assessments and abolishing the dual biometrics and surveillance camera commissioner role – have been dropped in the DUAB, many aspects of it have been carried over.

There are also a number of new measures that may create fresh adequacy-related problems, particularly changes to the international data transfer regime for police.

While an amendment to the DUAB was tabled by Liberal Democrat peer Lord Clement-Jones that would have required the secretary of state to carry out a formal impact assessment of the bill concerning the UK’s data adequacy, government ministers argued against it during the Lords first committee stage on 16 December 2024.

Responding to Clement-Jones during that debate, Baroness Jones, parliamentary under-secretary of state at the Department for Science, Innovation and Technology (DSIT), said maintaining adequacy was a priority for the government, noting that the free flow of personal data with the EU is vital to research, innovation and safety.

“For that reason, the government is doing all that it can to support its swift renewal. I reassure noble Lords that the bill has been designed with EU adequacy in mind,” she said.

“The government has incorporated robust safeguards and changed proposals that did not serve our priorities and were of concern to the EU. It is, though, for the EU to undertake its review of the UK, which we are entering into now. On that basis, I suggest to noble Lords that we should respect that process and provide discretion and not interfere while it is underway.”

A similar position has been adopted by information commissioner John Edwards, who in response to the DUAB said: “Whilst ultimately a decision for others, in my view the proposed changes in the bill strike a positive balance and should not present a risk to the UK’s adequacy status.”

However, the position of the UK government and ICO differs significantly from the views of a number of specialists familiar with both the EU LED and the UK DPA Part Three. Computer Weekly contacted the Home Office about what robust safeguards have been put in place, and which DUAB proposals have been changed that were of concern to the EU, but received no response on this point.

National security or law enforcement?

Chris Pounder – director of data protection training firm Amberhawk – wrote in a blog post that the DUAB would allow the secretary of state to designate that certain police datasets can become subject to Part Four national security rules, rather than Part Three law enforcement rules, over which the ICO has limited enforcement powers.

“The proposal has the effect of taking large volumes of personal data out of the UK’s data protection regime,” he wrote.

Part Four processing is also completely separate from the LED or GDPR and has no equivalent in EU law, effectively lifting police data out of the scope of EU law in instances where the secretary of state decides police and intelligence bodies can share the data.

Computer Weekly contacted the Home Office about the removal of policing data from the data protection regime, but received no on-the-record response on this point.

Pounder further noted that while the ICO is being abolished in favour of the “Information Commission”, the problem remains in the DUAB that the secretary of state will be able to appoint the most important members of the Commission, which has the potential to give them undue influence over the new body’s decision-making processes.

“The Commission still has to have regard for: the desirability of promoting innovation and competition; the importance of the prevention, investigation, detection and prosecution of criminal offences; and the need to safeguard national security,” he wrote. “In other words, these ‘regards’ could fetter decisions to protect the privacy of data subjects.”

Pounder added the DUAB will also permit the secretary of state to apply a “data protection test” when considering whether a country, part of a country, or a controller located in a country offers an adequate level of protection.

He said the provisions will increase the risk of divergence from EU transfer standards if the EC and UK government have differing views on what “adequate” means here. “Also I don’t understand how a country is not deemed adequate, but a controller, processor, or recipient located in that country is,” Pounder added.

While the UK has already taken steps to award its own law enforcement adequacy to countries not recognised by the EU – including the Isle of Man, Jersey and Guernsey – the EU has not yet reacted to these changes.

Thomas Barrett, a partner at CyXcel who leads the organisation’s data protection and privacy practice, and has previously advised the Home Office and Ministry of Justice on compliance with the DPA 2018, said there are certain scenarios where specialist police units within forces may have to collaborate with intelligence services for particular operations – for example, in terrorism cases where intelligence services have information but no power of arrest as police do – adding that while “it raises red flags … I would be surprised how many of these are made”.

He added that in cases where this power is used, it has the potential to be “more targeted, more proportionate, and safer,” because only one set of data protection requirements would apply to this processing, rather than potentially three currently.

As a result, Barrett said the changes being made to UK law via the DUAB are very unlikely to materially affect the country’s LED adequacy.

“It would be counter-productive to remove adequacy over such small changes … there’s so much [law enforcement] cooperation. … Looking at the detail, I struggle to see how you really make hay of a lot of it.”

He said the real risk to LED adequacy therefore lies at “the political level”, which will be decided between the EC and the UK government.

Law enforcement transfers

Independent privacy consultant Owen Sayers, a long-term commentator on DPA Part Three compliance issues with more than 25 years of experience in delivering secure solutions to policing and the wider criminal justice sector, said for the first time UK legislation would place individual data processors – such as cloud providers – on the same broad footing as overseas law enforcement organisations, exempting them from the list of mandatory transfer conditions outlined in Article 39 of the LED.

This includes that the transfers be strictly necessary, that no data subject rights override the public interest of the transfer, that transferring to another policing body – or “competent authority” in LED parlance – would be ineffective, and that the controller provides specific instructions of how to process the data in that particular case.

Under the UK’s current law enforcement-specific data protection rules, police data controllers are bound by the DPA 2018’s stringent transfer requirements, which fully mirror EU law.

This means that, as it stands, each individual law enforcement data controller must ensure that a contract in writing exists between itself and the data processor, which sets out details of the processing, including its duration, nature, and the type and categories of personal data involved. To be valid, the contract or terms of service must be explicit in how they meet the DPA requirements.

Police data controllers are also required to ensure the processor seeks and receives permission before transferring data to a third country, for each particular transfer made. This means each transfer must be assessed on a case-by-case basis.

Police data controllers are further required to perform a case-by-case analysis and justification for all personal data offshored to such processors, and to report this to the ICO. Although police forces have used services from Microsoft and Amazon Web Services for the past six years – meaning millions of these transfers will have taken place – the ICO revealed in a Freedom of Information (FoI) response to Sayers that only 148 such notifications had been received up to June 2023.

As previously reported by Computer Weekly, the use of hyperscalers under current UK law presents a number of data protection concerns, including US government access via the country’s invasive surveillance laws, and an inability to comply with the strict transfer requirements contained within the DPA 2018.

In June 2024, Computer Weekly reported details of discussions between Microsoft and Scottish policing bodies – obtained via FoI rules – in which the tech giant admitted it could not guarantee the sovereignty of UK policing data hosted on its hyperscale public cloud infrastructure.

As a result of these FoI responses, Sayers said the law is breached far more often than it is adhered to: “The evidence to show that multiple parts of the Part Three legislation are consistently breached or simply ignored by policing and their justice partners is overwhelming. In truth, the number of organisations who do apply the law as it’s currently written is less than a handful, though those that do so do it very well.”

Mariano delli Santi, legal and policy officer at the Open Rights Group (ORG), said these issues mean it is an open question whether cloud providers can adhere to Part Three requirements in practice. “Given the issues around sovereignty, is a cloud provider able to enforce the contractual agreements entered into with the police? I think that’s an issue that would cause concern,” he said.

delli Santi pointed out that, since the re-election of Donald Trump, the US government has broken several adequacy-related commitments made to the EU around enhancing scrutiny and ensuring the proportionality of its intelligence services’ operations.

“The Trump Administration fired members of the Privacy and Civil Liberties Oversight Board, and then doubled down with the Federal Trade Commission. Both bodies were fundamental pieces of the EU-US Data Protection Framework [DPF] which, at this point, is quite certain to be struck down by the CJEU,” he said, adding the UK-US Data Bridge, which acts as an extension of the DPF, will also go down if the EU invalidates the framework.

“It has now become obvious that the EU-US DPF will not last for long, and it has just as obviously become unfeasible to rely on US cloud providers for storing personal data unless you are willing to compromise the security and sovereignty of the data you transfer. Indeed, European lawmakers have already started to discuss this.

“Based on all the above, it is now a fact that relying on US cloud services constitutes a threat to the sovereignty, security and autonomy of the UK. Until now, this has been treated as a risk-mitigation issue at best, or something to be swept under the carpet at worst.”

Highlighting the lack of clarity from the UK data regulator around cloud data sovereignty and the applicability of standard contractual clauses in this context, delli Santi said this has created a grey area in which transfers have been allowed to continue.

“The UK government, on their side, have tried to formalise this approach with the DUAB, which introduces a new data transfer regime specifically designed to accommodate the ICO’s ‘tolerant approach’ toward data transfers that lack effective safeguards, and allow data transfers to countries such as the United States by sidestepping human rights and data security concerns.”

He added that “the UK needs an exit plan to progressively cut reliance on US digital infrastructure and services – and we need this plan fast”, which includes contingencies to move away from holding companies or subsidiaries of US firms geographically based in Europe, which still fall under US jurisdiction.

“Any of these companies are under an obligation to cooperate with law enforcement and international security authorities in the United States, which can be ordered to hand over data without necessarily having to tell the contracting party,” said delli Santi.

According to the government’s explanatory notes published for the DUAB in October 2024 (paragraph 1022), Schedule 8 of the bill seeks to widen the transfer conditions “by expanding the list of intended recipients to specifically include processors acting on behalf of, and in accordance with a contract with, a controller”.

It added that while transfers to processors in third countries are currently permissible, “this amendment clarifies the existing law and provides legal certainty to UK controllers that they can transfer personal data to their processors operating outside of the UK”.

The explanatory notes also specify that the DUAB will no longer require “controllers to notify the commissioner on each occasion data is transferred; it simply requires notification of the categories of information” that will be transferred.

However, Sayers argued that whether or not the US government utilises its various surveillance laws to gain access to UK data, the transfers would be unlawful anyway, as UK law lays down a series of specific steps that must be followed for each and every transfer of a specific piece of personal data under Part Three.

“These steps are not being followed, and Microsoft has made clear that they cannot be followed – actually, they’ve said ‘impossible to operationalise’. Because the steps laid down in the DPA 2018 Part Three are not and cannot be followed, that is one of the main reasons why the processing being done on these clouds is in breach of UK law,” he said.

“It makes zero difference if the US government bogeyman tries to use the Cloud Act to look at the data or not, as the data was illegally transferred regardless of the Cloud Act.”

He added: “The intention [of the new DUAB] is to put non-UK processors – principally hyperscalers – on the same broad legal footing as overseas law enforcement organisations.”

He pointed out that the bill would enable UK policing bodies to send data overseas to offshore processors with minimal restrictions. “The bill actually puts overseas processors above overseas law enforcement processors, in the respect that it completely removes obligations to record what data is transferred to them, inform the ICO or make any assessments as to whether a particular transfer is safe and consider the data subject’s rights in advance of sending the data.”

Sayers added that these and other changes to Part Three would be directly contradictory to EU law, and that the most likely outcome would be the CJEU finding that the UK regime falls far below EU standards and moving to block UK data transfers.

He further added that individual member states may also deem UK laws to be too divergent from their domestic laws to continue to send data, noting the chance of this is high given there are 27 member states, each with their own implementation of the LED.

“You can 100% use cloud for law enforcement data, but it needs to be sovereign and fully conformant with the law. If you need to change the law to accommodate a specific provider, then you’ve picked the wrong supplier.”

Computer Weekly contacted the Home Office about the changes to the law enforcement data transfer regime, and UK policing’s track record of non-compliance with existing data rules via its use of hyperscalers.

A Home Office source told Computer Weekly that the use of cloud providers, in particular, has caused some confusion, and that measures contained within the bill are intended to give law enforcement the confidence to use cloud processors. However, they said the use of cloud services must not come at the expense of security, and high standards of protection will continue to be applied.

‘Systemic’ transfer issues

Clement-Jones highlighted how cloud service providers routinely process data outside the UK and are unable to provide necessary contractual guarantees to policing bodies, as required by Part Three. “As a result, their use for law enforcement data processing is, on the face of it, not lawful,” he told the House of Lords.

He added that this non-compliance creates significant financial exposure for the UK, including potential compensation claims from data subjects for distress or loss, something that is exacerbated by the sheer volume of data processed by law enforcement bodies: “If only a small percentage of cases result in claims, the compensation burden could reach hundreds of millions of pounds annually.”

Clement-Jones concluded that the government’s attempts to change the law suggest that past processing on cloud service providers has not been compliant with the relevant data protection laws.

As a result, he proposed an amendment “to bring attention to the fact that there are systemic issues with UK law enforcement’s new use of hyperscaler cloud service providers to process personal data”, which would strictly limit overseas transfers to law enforcement bodies with “a legitimate operating need” – that is, not cloud service providers.

While the Lords were not invited to take a decision on Clement-Jones’s hyperscaler amendment, government minister Baroness Jones said the DUAB’s “bespoke path for personal data transfers from UK controllers to international processors is crucial … [as] we need to ensure that law enforcement can make effective use of them to tackle crime and keep citizens safe”.

She added the aim of the DUAB’s reform around international law enforcement transfers “is to provide legal clarity in the bill to law enforcement agencies in the UK so that they can embrace the technology they need and make use of international processors with confidence”.

She added: “Such transfers are already permissible under the legislation, but we know that there is some ambiguity in how the law can be applied in practice. This reform intends to remove those obstacles. The noble Lord would like to refrain from divergence from EU law. I believe that in this bill we have drafted the provisions, including this one, with retaining adequacy in mind.”

Barrett said the DUAB will clarify the law in ways that make it easier to put in place contractual provisions and other measures that adequately protect the data: “One of the biggest problems in data protection generally, but particularly here, is a lack of understanding and a lack of clarity … anything that can make it clearer and easier to follow for individuals that have to apply this stuff can only be a good fit.”

Sayers made a similar argument, noting that while many data protection practitioners believe the EU or UK GDPR to be the gold standard of legislation, they “simply fail to recognise that GDPR has a sister piece of legislation in the LED that is sufficiently different that you cannot apply GDPR thinking to it”.

He added: “This is a problem I see day in, day out, where a GDPR hammer is used to try to fix an LED nail, and even the ICO is not immune to confusing the two different sets of laws.”

According to delli Santi, the approach to transfers under the DUAB as it stands is “formalising an approach that has already been changed”. He added that given the deep commercial, governmental and cultural ties between the UK and EU, “the impact of divergence is amplified significantly”.

Police data logging requirements

The DUAB as introduced will also seek to remove the statutory logging requirements of Part Three, which would allow police to access personal data from various police databases during investigations, without having to manually record the “justification” for the search.

The removal of police logging requirements, however, could represent a further divergence from the EU’s LED, which requires logs to be kept detailing how data is accessed and used.

“The logs of consultation and disclosure shall make it possible to establish the justification, date and time of such operations and, as far as possible, the identification of the person who consulted or disclosed personal data, and the identity of the recipients of such personal data,” says the LED.

Clement-Jones told Computer Weekly that if the law changes to allow police data transfers to, and processing in, infrastructure not owned or controlled by UK bodies, it could “absolutely” be a problem for the UK’s LED adequacy retention. He added that given these clear access and control issues, the potential removal of police logging requirements is “egregious”.

Computer Weekly contacted DSIT about the removal of the logging requirements and whether it believes this measure represents a risk to the UK being able to renew its LED adequacy decision in April 2025, but DSIT declined to comment on the record.

Speaking during the 16 December Lords debate on the bill against the removal of justification logging requirements, Clement-Jones said: “The public needs more, not less, transparency and accountability over how, why and when police staff and officers access and use records about them.”

He added that while policing systems typically capture when, how and by whom data has been accessed, they “very rarely” capture the justification. This is despite the fact that Article 63 of the LED provided a grace period from May 2018 to May 2023 for member states to implement justification recording mechanisms to bring their legacy systems into compliance with the directive – new systems procured from May 2016 onward were required to comply from the start.

To alleviate the issue, Clement-Jones tabled a further amendment to ensure the logging requirements remain, which would “prevent material divergence from the EU Law Enforcement Directive”, although this was also withdrawn.

He also highlighted that “many commodity IT solutions” procured by policing organisations do not capture justifications by default, noting that while a “transitional relief” period was put in place with the introduction of DPA 2018 to modify legacy systems installed before May 2016 – later extended to May 2023 – UK law enforcement bodies did not in general make the required changes.

“Nor, it seems, did it ensure that all IT systems procured after 6 May 2016 included a strict requirement for LED-aligned logging. By adopting and using commodity and hyperscaler cloud services, it has exacerbated this problem,” he said, noting the government now wishes to strike the justification requirements completely.

“This is a serious legislative issue on two counts: it removes important evidence that may identify whether a person was acting with malicious intent when accessing data, as well as removing any deterrent effect of them having to do so; and it directly deviates from a core part of the law enforcement directive and will clearly have an impact on UK data adequacy.”

DSIT claims that removing the logging obligation will save 1.5 million police officer hours a year and save £42.5m for the public purse, but Sayers pointed out that the published impact assessments don’t so far evidence these claims.

“The reality is that most police IT systems don’t have the means to capture the required data,” said Sayers, who was previously involved in the design and delivery of many UK national police systems.

“The factsheets identify this technology problem, which exists on cloud as well as legacy systems like the PNC [Police National Computer], but instead of addressing the issue the government simply want to strike the difficult bits out of the act.”

He added: “The real reason they don’t want to capture the information is they’ve failed to invest any money in upgrading the legacy IT, and the new systems they’ve adopted don’t capture that information by default – and can’t be made to do so.”

DSIT claims that capturing “justification is likely to be of little use in a misconduct investigation”, but Sayers poured cold water on this.

“Public trust, the safety of vulnerable people, as well as the protection of police staff from claims of improper conduct, all rest on being able to prove that access to data was legitimate,” he said.

Home Office figures show police staff misuse of data to be a significant issue, with 1,630 recorded cases investigated in the year to March 2023, the last figures available.

However, Barrett said the removal of justification logging is not a problem, adding it’s more important to have the ability to track who accessed data and when, “because if you’re a bad actor you’re not going to put down the real reason … if you’ve already got access to these kinds of systems, you’re not an idiot, and so you’re going to put something like ‘routine checks’ or some other bland, uninteresting, non-determinative thing”.

He further added that inputting justifications only increases the administrative burden on police, and that while it is very common, even in much older computer systems, to be able to log time and dates, many systems are simply not architected to record justification.

He added: “We’d be much better off making sure that all the systems are really good at recording time and access, because the reality is, in your investigation, that’s going to be the thing that you’re looking at. Not whatever fanciful thing a bad actor has decided to enter as the fake justification for the access.”

During the DUAB debate, Baroness Jones insisted the removal of logging requirements “is not a watering down of provisions. We are just making sure that the safeguards are more appropriate for the sort of abuse that we think might happen in future from police misusing their records.”

While the DUAB has since progressed to readings in the House of Commons, the police data issues were not addressed – outside of vague references to reducing the administrative burden on police officers. It is currently in the committee stage, which will be followed by the report stage and a third reading.

So far, the police data issues have not been discussed during the committee stage.


UK law enforcement data adequacy at risk

The UK government has introduced its Data Use and Access Bill (DUAB) to Parliament, but proposed reforms to police data protection rules could undermine law enforcement data adequacy with the European Union (EU).

Currently going through the committee stage of Parliamentary scrutiny, the DUAB will amend the UK’s implementation of the EU Law Enforcement Directive (LED), which is transposed into UK law via the current Data Protection Act (DPA) 2018 and represented in Part Three of the DPA, specifically.

In combination with the current data handling practices of UK law enforcement bodies, the bill’s proposed amendments to Part Three – which include allowing routine transfer of data to offshore cloud providers, removing the need for police to log justifications when accessing data, and enabling police and intelligence services to share data outside of the LED rules – could present a challenge for UK data adequacy.

In June 2021, the European Commission granted “data adequacy” to the UK following its exit from the EU, allowing the free flow of personal data to and from the bloc to continue, but warned the decision may yet be revoked if future data protection laws diverge significantly from those in Europe.

While Computer Weekly’s previous reporting on police hyperscale cloud use has identified major problems with the ability of these services to comply with Part Three, the government’s DUAB changes are seeking to solve the issue by simply removing the requirements that are not being complied with.

For example, while the DPA 2018 does allow for overseas transfers to “non-law enforcement recipients” – that is, cloud providers – this is only permissible if the data controller can show it is strictly necessary to do so. This means information can only be sent on a case-by-case basis for specific, limited purposes when there is no other, less intrusive means of achieving the same goal.

However, in June 2024, Computer Weekly confirmed that UK policing data uploaded to Microsoft services is routinely sent offshore for some forms of processing, while IT support is provided on a global “follow-the-sun” model.

To circumvent the lack of compliance with these transfer requirements, the government has simply dropped them from the DUAB, meaning policing bodies will no longer be required to assess the suitability of the transfer or report it to the data regulator.

Commenting on the transfer issue during a DUAB debate in the House of Lords, Liberal Democrat peer Tim Clement-Jones highlighted how, as it stands, cloud service providers routinely process data outside the UK, and are unable to provide necessary contractual guarantees to policing bodies as required by Part Three: “As a result, their use for law enforcement data processing is, on the face of it, not lawful.”

He added: “The government’s attempts to change the law highlight the issue and suggest that past processing on cloud service providers has not been in conformity with the UK GDPR [General Data Protection Regulation] and the DPA.”

Through the DUAB, the government has also expanded the list of lawful recipients to now include “a processor whose processing … is governed by, or authorised in accordance with, a contract with the controller that complies with section 59”, which outlines key elements that must be contained in any contract between a law enforcement controller and processor. 

This includes specific details of the exact types of data, the categories of data subjects and the specific purpose of the processing, as well as explicit guarantees from the processor about how it will comply with all the requirements of Part Three.

However, given the international nature of the data sharing that takes place on commodity hyperscale architecture, cloud providers are either unable or unwilling to make contractual guarantees that satisfy all aspects of Part Three.

As Microsoft told the Scottish Police Authority (SPA), in relation to its Azure-hosted Digital Evidence Sharing Capability, the company “cannot accept specific consent [to transfer data internationally] on a case-by-case basis as this would be impossible to operationalise”.

All of this effectively means that under the DUAB, the data can be routinely offshored to jurisdictions with lower data protection standards, without adherence to LED conditions around strict necessity.

Similarly, while the LED provided a five-year grace period to ensure all legacy police systems could record justification logs for why a particular piece of information has been accessed – with systems procured after May 2016 required to have this capability from the start – most policing systems in the UK still do not have this capability.

Instead, the UK government has simply removed the requirement to record these justifications, arguing that the change will save police time and that the data has little evidentiary value because people are unlikely to record an honest justification anyway.

According to Owen Sayers – a long-term commentator on DPA Part Three compliance issues with more than 25 years of experience in delivering secure solutions to policing and the wider criminal justice sector – changing the law in this way will permanently diverge UK law from the LED requirements.

He added that while UK police have been breaking the law in practice since the DPA came into effect in May 2018, the law they were breaking was at least aligned to those in the European Union.

“Even though in practical terms the UK hasn’t actually been protecting personal data as they’re required to under the LED, their law did at least give recourse to a data subject to take action about this processing (even if no one actually did so),” he said.

“Once DUAB comes into force, however, the landscape has totally changed. Not only will UK law enforcement bodies be sending massive amounts of personal data (including a lot of data about EU citizens) offshore to a range of countries not deemed adequate by the EU, but UK law will have changed to make it legal for them to do so.

“By making these changes under DUAB, the government have thrown into sharp relief that law enforcement bodies are breaching the law today – they’ve literally confirmed it by modifying the law to give Microsoft and AWS this special status.”

Computer Weekly contacted the Home Office about the threat to the UK’s LED adequacy created by the government’s proposed changes to the law enforcement data protection regime.

“We have introduced some targeted amendments in the Data Use and Access Bill to improve public trust and to drive up law enforcement efficiency by simplifying the legislation. We are committed to data adequacy and had the UK’s adequacy decisions in mind when producing this bill,” said a spokesperson. “Any changes to our data protection regime must not come at the expense of security, and high standards of protection will continue to be applied.”

A Home Office source told Computer Weekly that the use of cloud providers in particular has caused some confusion, and that measures contained within the bill are intended to give law enforcement the confidence to use cloud processors. However, they said the use of cloud services must not come at the expense of security and high standards of protection will continue to be applied.


Perimeter security appliances source of most ransomware hits

Compromised or vulnerable perimeter security appliances and devices – especially virtual private networks (VPNs) – formed the initial access vector in over half of observed ransomware attacks during 2024, according to data released this week by cyber security insurance provider Coalition in its latest annual threat report, covering 2024.

US-based Coalition, which began offering its so-called Active Insurance policies in the UK back in 2022, said that cyber criminals compromised such appliances in 58% of claims with which it dealt during 2024, with the second most widespread access point being remote desktop products, blamed in 18% of claims.

“While ransomware is a serious concern for all businesses, these insights demonstrate that threat actors’ ransomware playbook hasn’t evolved all that much – they’re still going after the same tried and true technologies with many of the same methods,” said Alok Ojha, head of security products at Coalition.

“This means that businesses can have a reliable playbook too, and should focus on mitigating the riskiest security issues first to reduce the likelihood of ransomware or another cyber attack. Continuous attack surface monitoring to detect these technologies and mitigate possible vulnerabilities could mean the difference between a threat and an incident.”

Unsurprisingly, the most commonly compromised products were all built by ‘household’ names in the industry, including the likes of Cisco, Fortinet, Microsoft, Palo Alto Networks and SonicWall. The most common initial access vectors (IAVs) were stolen credentials, used in 47% of such intrusions, and software exploits, seen in 29% of cases.

Coalition’s analysts warned that exposed logins were fast-emerging as an underappreciated and acute driver of ransomware risks. They claimed that the organisation detected more than five million remote management solutions and tens of thousands of login panels exposed on the public internet. It added that, according to its data, most applicants for cyber insurance (65%) had at least one internet-exposed web login panel, and securing these is a requirement for buying its products.

Out of these, the most commonly exposed admin login panels related to VPNs from Cisco and SonicWall, which between them accounted for over 19% of detected exposed panels, followed by Microsoft email services.

In 2024, Coalition also observed a significant number of exposed Citrix panels, which caused significant losses, including more than a billion dollars from the infamous Change Healthcare incident in the US, in which a ransomware gang used stolen Citrix credentials and exploited a lack of multifactor authentication to access the victim’s systems.

CVEs set to jump in 2025

As part of the set of services Coalition provides, it sends out zero-day alerts to its customers as and when new vulnerabilities are discovered, and constantly monitors for new vulnerabilities.

As such, its annual report also includes data on some of the more widespread common vulnerabilities and exposures (CVEs) it saw in 2024 – issues with Citrix, Fortinet, Ivanti and Palo Alto Networks prominent among them.

Looking ahead to 2025, Coalition’s analysts said the number of published vulnerabilities would likely increase to more than 45,000, a rate of nearly 4,000 every month, up 15% over the first 10 months of 2024.

This aligns closely with data released in February by the Forum of Incident Response and Security Teams (First), a non-profit, which suggested that CVE volumes may even top 50,000 this year.

A combination of new players in the CVE ecosystem, evolving disclosure compliance practices and a rapidly expanding attack surface are likely behind the growing number of vulnerabilities being reported on.

“This year’s report focuses on the most crucial security risks that under-resourced organisations should understand to better calibrate their defensive investments to bolster resilience,” said Daniel Woods, senior security researcher at Coalition.

“Calibration involves balancing security investment across vulnerabilities, misconfigurations and threat intelligence, while also responding to emerging threats, such as zero-day vulnerabilities exploited in the wild. That’s why Coalition issues Zero-Day Alerts to help businesses, especially SMEs with limited security resources, stay ahead of these vulnerabilities and reduce alert fatigue by prioritising those posing the greatest risk.”


Microsoft wants you to delete your password and no, it’s not a gimmick

Microsoft has officially declared war on the password. In a sweeping update affecting more than a billion users, the company is making it clear—it’s time to ditch your Microsoft account password for good. This is just the latest move in Microsoft’s passkey update, which aims to move all users away from the security ways of olden days.

Starting in April, Microsoft will begin rolling out a new sign-in and account creation experience that puts passkeys at the center. “Our ultimate goal is to remove passwords completely,” the company said in a security update posted in December.

Microsoft says it now blocks around 7,000 password-related attacks per second, nearly double the rate from last year. With AI-fueled phishing attempts and increasingly clever hacks, passwords—no matter how long or quirky—just aren’t holding up. Forcing a passkey on Microsoft users seems to be the easiest way to address the problem.

That’s where the passkey comes in. This credential is tied to your physical device and unlocked by something only you have—like a fingerprint, face scan, or device PIN. Unlike a password, a passkey can’t be phished, guessed, or intercepted. It’s stored securely on your device and never leaves it.
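A simplified model of the WebAuthn mechanism behind those claims, written here as an added example in Go rather than anything from Microsoft: the private key is created on the device and never exported, nothing is signed until the user unlocks, and every assertion is bound to the site's own origin, so a lookalike domain has no credential to sign with and a signature relayed to the wrong site fails verification. The origin-to-RP-ID rule and the signed digest are assumptions that stand in for the real protocol's client data and authenticator data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// ClientData is what the browser binds into every assertion: the server's
// one-time challenge and the origin the user is actually visiting.
type ClientData struct {
	Challenge []byte `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator models the device-side passkey store. Private keys are
// generated here and never leave this struct; callers only get signatures.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // one credential per relying-party ID
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// rpIDFromOrigin stands in for the browser rule that a credential is scoped
// to the domain of the page requesting it (assumption: https, no port).
func rpIDFromOrigin(origin string) string {
	return strings.TrimPrefix(origin, "https://")
}

// Register creates a passkey for the site and hands back only the public key.
func (a *Authenticator) Register(origin string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpIDFromOrigin(origin)] = priv
	return &priv.PublicKey, nil
}

// assertionDigest is the value actually signed: hash of the RP ID plus hash
// of the client data, so both the site identity and the origin are covered.
func assertionDigest(rpID string, clientJSON []byte) []byte {
	rp := sha256.Sum256([]byte(rpID))
	cd := sha256.Sum256(clientJSON)
	h := sha256.New()
	h.Write(rp[:])
	h.Write(cd[:])
	return h.Sum(nil)
}

// Assert signs a challenge for the origin the browser reports. userVerified
// stands in for the fingerprint, face or PIN unlock; without it nothing is
// signed. A lookalike domain has no credential, so a phishing page gets an
// error instead of something it could relay to the real site.
func (a *Authenticator) Assert(origin string, challenge []byte, userVerified bool) ([]byte, []byte, error) {
	if !userVerified {
		return nil, nil, errors.New("user verification required")
	}
	priv, ok := a.keys[rpIDFromOrigin(origin)]
	if !ok {
		return nil, nil, fmt.Errorf("no passkey registered for %s", origin)
	}
	clientJSON, err := json.Marshal(ClientData{Challenge: challenge, Origin: origin})
	if err != nil {
		return nil, nil, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, assertionDigest(rpIDFromOrigin(origin), clientJSON))
	return clientJSON, sig, err
}

// Verify is the relying party's side: the challenge must be the one it issued,
// the origin must be its own, and the signature must match the stored key.
func Verify(pub *ecdsa.PublicKey, expectedOrigin string, challenge, clientJSON, sig []byte) error {
	var cd ClientData
	if err := json.Unmarshal(clientJSON, &cd); err != nil {
		return err
	}
	if string(cd.Challenge) != string(challenge) {
		return errors.New("challenge mismatch (replay or wrong session)")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin %q does not match %q", cd.Origin, expectedOrigin)
	}
	if !ecdsa.VerifyASN1(pub, assertionDigest(rpIDFromOrigin(expectedOrigin), clientJSON), sig) {
		return errors.New("bad signature")
	}
	return nil
}
```

Register is called once per site; each login is one Assert on the device followed by one Verify on the server with the challenge it just issued.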

Image: Password managers like Proton Pass and 1Password will let you save passkeys for internet accounts. Image source: 1Password

More importantly, it’s fast. Microsoft says passkeys are not only more secure but three times faster than typing in a traditional password. And the transition is already underway.

When creating a new Microsoft account, you won’t be asked to set a password. Instead, you’ll verify your email once and then create a passkey. For existing accounts, the sign-in experience is being redesigned to push passkeys as the default to nudge users toward a truly passwordless future.

That’s because having a passkey isn’t enough if you’re still keeping the old password around “just in case.” According to Microsoft, that’s like locking your front door but leaving the window wide open for anyone to enter.

The presence of a password—even as a backup—leaves your account open to phishing, brute-force attacks, and social engineering scams. That’s why the company says this isn’t just a shift in preference. Microsoft’s passkey update is a massive security imperative.

Millions of users have already deleted their passwords, according to Microsoft. And this change is about scaling that momentum across its entire user base.

Microsoft’s bold move sets a new bar—but not everyone is sprinting toward it. Google, for instance, still supports passwords as fallback credentials, which keeps that potential vulnerability alive.

Security researchers and privacy advocates argue that consistency across platforms will be key to making passwordless systems mainstream. For now, Microsoft is leading the charge, both in tech and in messaging clarity.


March Patch Tuesday brings 57 fixes, multiple zero-days

Microsoft has dropped a grand total of 57 fixes to mark the third Patch Tuesday update of 2025 – rising to closer to 70 when third-party vulns are taken into account – including six zero-days and six critical flaws needing urgent attention.

The zero-days comprise a security feature bypass in Microsoft Management Console, two remote code execution (RCE) issues in Windows Fast FAT File System Driver and Windows NTFS, two information disclosure vulnerabilities in Windows NTFS, and a privilege escalation flaw in Windows Win32 Kernel Subsystem.

All are listed as exploited by Microsoft, but have not yet been made public, and all are considered to be important in their severity, carrying CVSS scores that range from 4.6 to 7.8.

A seventh vulnerability, an RCE issue in Windows Access, has been listed as public but does not appear to be actively exploited at the time of writing.

The six critical vulnerabilities, carrying CVSS scores of 7.8 through 8.8, are all RCE flaws. Two of them affect Windows Remote Desktop Services, and the four others relate to Microsoft Office, Windows Domain Name Service, Remote Desktop Client, and Windows Subsystem for Linux Kernel.

“All six of the vulnerabilities that Microsoft has labelled as exploit detected are resolved with the monthly cumulative update,” said Tyler Reguly, Fortra associate director of security research and development.

“This means a single update to roll out to fix all of these at once. Thankfully, none of them require post-patch configuration steps. The same is true for five of the six critical severity vulnerabilities. A lot of our important fixes come from the same patch.

“The remaining critical vulnerability, CVE-2025-24057, and the publicly disclosed vulnerability, CVE-2025-26630, both require Office updates. For those running click-to-run, there’s not a lot to do, but for those running Office 2016, there are two patches to install, one for Office and one for Access,” he added.

Reguly said that fortunately, this limited the amount of patching needed to resolve the attention-grabbing flaws. “However,” he said, “they are big ticket items and with headlines likely to state, Microsoft patches six zero-day vulnerabilities, admins will likely have a lot of questions to answer about the state of their patching.”

Big ticket items: big impacts

Assessing these big ticket items in a little more depth, Immersive senior director of threat research Kev Breen said the NTFS and FAT RCE flaws probably warrant the greatest attention. These flaws form part of a chain with the two NTFS information disclosure vulnerabilities.

“These four CVEs are all related to a remote code execution vulnerability that is associated with mounting Virtual Hard Disk (VHD) files. These are tracked separately as CVE-2025-24984, CVE-2025-24985, CVE-2025-24991, and CVE-2025-24993, so when it comes to patch management ensure all four are covered.”

Breen explained that the exploit chain relies on the attacker convincing a user to open or mount a virtual hard disk (VHD) file. These are typically used to store operating systems for virtual machines and while more usually associated with VMs, there have been cases down through the years where such files have been used to smuggle malware payloads onto target systems.

“Depending on the configuration of Windows systems, simply double-clicking on a VHD file could be enough to mount the container and, therefore, execute any payloads contained within the malicious file,” said Breen. “Organisations should check their security tools for any VHD files being sent via email or downloaded from the internet and look to add security rules or blocks for these file types where they are not required.”
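One way to act on Breen's advice is to identify disk images by content rather than by name, since an attachment renamed to a harmless-looking extension is still mounted as a VHD once it reaches a user. The Go check below is an added example, not code from Microsoft, Immersive or any vendor quoted here; it relies on the fixed signatures of the two formats (the "conectix" cookie in a VHD footer and the "vhdxfile" identifier at the start of a VHDX), and the sample files are constructed in the code.

```go
package main

import (
	"bytes"
	"fmt"
	"path/filepath"
	"strings"
)

// Fixed signatures of Microsoft's two virtual disk container formats.
// VHD: a 512-byte footer at the end of the file that starts with the cookie
// "conectix" (dynamic and differencing images also carry a copy at offset 0).
// VHDX: the 8-byte file type identifier "vhdxfile" at offset 0.
var (
	vhdCookie = []byte("conectix")
	vhdxMagic = []byte("vhdxfile")
)

// ClassifyDiskImage reports "vhd", "vhdx" or "" from file content alone,
// so a renamed disk image is still recognised.
func ClassifyDiskImage(data []byte) string {
	switch {
	case bytes.HasPrefix(data, vhdxMagic):
		return "vhdx"
	case bytes.HasPrefix(data, vhdCookie):
		return "vhd"
	case len(data) >= 512 && bytes.Contains(data[len(data)-512:], vhdCookie):
		return "vhd"
	}
	return ""
}

// Verdict is the result handed to the mail gateway or download scanner.
type Verdict struct {
	Block  bool
	Reason string
}

// CheckAttachment blocks a file when its extension or its content marks it as
// a virtual disk container, and calls out the case where the two disagree.
func CheckAttachment(name string, data []byte) Verdict {
	ext := strings.ToLower(strings.TrimPrefix(filepath.Ext(name), "."))
	byName := ext == "vhd" || ext == "vhdx"
	byContent := ClassifyDiskImage(data)
	switch {
	case byName && byContent != "":
		return Verdict{true, "virtual disk image (" + byContent + ")"}
	case byName:
		return Verdict{true, "virtual disk extension ." + ext}
	case byContent != "":
		return Verdict{true, byContent + " content behind ." + ext + " name"}
	}
	return Verdict{false, "not a virtual disk container"}
}

// MakeFixedVHD builds a constructed, minimal fixed-size VHD for testing:
// payload bytes followed by a 512-byte footer that begins with the cookie.
func MakeFixedVHD(payloadSize int) []byte {
	img := make([]byte, payloadSize+512)
	copy(img[payloadSize:], vhdCookie)
	return img
}

func main() {
	// Constructed samples: a disk image hiding behind a document name,
	// a genuine small document, and a plainly named VHDX.
	samples := map[string][]byte{
		"invoice.pdf": MakeFixedVHD(4096),
		"report.pdf":  []byte("%PDF-1.7 constructed sample"),
		"backup.vhdx": append([]byte("vhdxfile"), make([]byte, 1024)...),
	}
	for name, data := range samples {
		v := CheckAttachment(name, data)
		fmt.Printf("%-12s block=%-5t %s\n", name, v.Block, v.Reason)
	}
}
```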

Meanwhile, Alex Vovk, CEO and co-founder of Action1, considered some of the implications of the Windows Win32 Kernel EoP flaw, tracked as CVE-2025-24983.

“CVE-2025-24983 provides a direct path from low privileges to SYSTEM access, making it an attractive target for attackers with initial access via phishing, malware, compromised credentials or insider threats,” said Vovk.

“Although classified as high complexity, well-resourced attackers – including state-sponsored groups and cyber criminal organisations – have historically overcome such constraints through automation and repeated attempts. Race-condition vulnerabilities in kernel subsystems have proven to be reliably exploitable, given sufficient attacker persistence and environment predictability.

“Organisations heavily dependent on Windows infrastructure – including enterprises, governments, and critical infrastructure sectors – are at risk. Kernel-level privilege escalation vulnerabilities remain highly valuable to attackers, as they serve as a key pivot point in advanced cyber attacks, enabling deeper network infiltration and persistent access,” said Vovk.


The end is near for Windows 10 and Microsoft won’t let you forget it

If you’re still using Windows 10, Microsoft wants to make sure you know that time is running out. The company has officially started emailing users with a not-so-subtle reminder that support for Windows 10 will end on October 14, 2025. The message is clear: upgrade now or risk being left behind.

The email was recently spotted by Windows Latest and comes with a bold headline: “End of support for Windows 10 is approaching.” It then provides direct links for users to check their upgrade eligibility or buy a new PC—because, of course, Microsoft would rather you do the latter.

The reminder also includes a FAQ section to answer some burning questions. Microsoft confirms that after October 2025, Windows 10 devices will no longer receive updates, including critical security patches. While your PC will still work, it will gradually lose compatibility with apps and become more vulnerable to cyber threats.

What’s interesting is what Microsoft doesn’t mention. There’s no real discussion of the Extended Security Updates (ESU) program, which offers one extra year of security updates for Windows 10 for $30. While Enterprise users have additional options, Microsoft seems reluctant to promote any solution other than upgrading to Windows 11.

Image: Panos Panay at a Windows 11 event. Image source: Microsoft

The lack of emphasis on the ESU program in this latest Windows 10 end-of-support email might suggest that Microsoft doesn’t expect everyday users to pay for security patches—or that they simply want to push people toward a full upgrade instead.

Another not-so-subtle nudge in the email is a suggestion to back up files with OneDrive. While this is useful advice, it’s also an obvious attempt to promote Microsoft’s cloud storage service. But don’t worry; OneDrive isn’t going anywhere, and there’s no reason to believe it will stop working after Windows 10 reaches its expiration date.

For millions of users still clinging to Windows 10, the decision isn’t so simple, though. Many older PCs aren’t eligible for Windows 11, leaving users with limited options. Then there are the myriad of AI features Microsoft is pushing with Windows 11 that many aren’t huge fans of.

As the deadline gets closer, Microsoft’s messaging is only going to get louder. Whether you choose to upgrade, pay for extended security, or switch to another OS, Windows 10’s time is officially running out.


Salesforce execs at TDX 25: Agentforce a whole system AI play

At the TDX 2025 developer conference in San Francisco, Salesforce executives presented its Agentforce agentic AI technology as a “whole system” approach, where large language models (LLMs) are less significant than a “trinity” of data, applications and agents. Relatedly, they consistently disparage “DIY” artificial intelligence (AI) programmes.

Paula Goldman, the supplier’s chief ethical and humane use officer, said: “I think a lot of the public discourse about AI has been about [large language] models. But if you think about Agentforce, it’s a whole system. There’s a foundation model, and then there’s a series of smaller models that go into our Atlas system, and there are workflows that are automated that people can draw on. We’ve got used to talking about AI as models over the past few years, but I think we need to be talking about systems.”

David Schmaier, president and chief product officer at Salesforce, said the supplier’s entire technology stack, including Slack and Tableau, comes into play with Agentforce. He also pointed to its Data Cloud platform as central to its AI offer.

“You couldn’t have a computer without a microprocessor; you need storage and RAM and a display and an operating system around it. That’s what we’ve done. We have our data cloud, which harmonises hundreds of thousands of systems. It gives you the data, the metadata and the semantics. That’s why we can outperform an LLM by itself. LLMs have hallucinations, they have bias, toxicity. An LLM is necessary but insufficient. We add to the LLM. Our view is the data powers the AI and then the AI powers the customer experience of the future,” he said.


“We call it the ‘holy trinity’. We have the Data Cloud, then we have our Sales Cloud, Service Cloud and Marketing Cloud apps – which is how we got the name Salesforce – as well as Slack, Mulesoft and Tableau. And now we have Agentforce on top of all that. That’s how we can turn on 10,600 customers over three days with agents. It’s because we are using the same platform as we have for 25 years. So, with a healthcare company, for example, that has workflows it has built in its Salesforce deployment, it can make all those available for [virtual] agents,” Schmaier added.

He believes too many organisations are doing DIY AI. “Most people are just trying to take whatever apps they have, whether it’s Salesforce or SAP or Workday, and just buying ChatGPT and trying to plug it in. No other competitor has what we have, in terms of agents. We think we have a real lead in this agentic field. We’ve sold to 5,200 customers since launching at Dreamforce [in September 2024]. Now, we have 200,000 customers, and most don’t use Agentforce today,” he said.

Rahul Auradkar, executive vice-president and general manager of Unified Data Services and Einstein at Salesforce, made a similar argument about what the provider calls DIY AI.

“What we are doing with agents is an entire system. We’re not shipping a model, an app or a copilot. We’re shipping an AI system on a deeply unified platform. What that system allows our enterprise customers, who don’t want to do the DIY, to do is surface customer-centric analytics and workflows, and listen to the customers to feed back to the system so the agents get better. Copilots are a narrow sliver of what AI can be,” he said.

“The difference between a DIY AI and an enterprise using [our] system is that the enterprise can focus on things that they are good at, which is plenty of things. They have their data. They have their transactions. They have their engagement data. They have their AI policies, their workflows, their automations. We bring all that together within a deeply unified platform and drive value for our customers,” added Auradkar.

DIY AI programmes strongly in evidence among users

And yet, analyst research from Informa TechTarget’s Enterprise Strategy Group (ESG) offers a contrast with Salesforce’s disparagement of DIY AI – a complicating contrast rather than a confutation, but a contrast nevertheless.

Towards the end of 2024, ESG surveyed 832 professionals at organisations across the globe involved in the strategy, decision-making, selection, deployment and management of generative AI (GenAI) initiatives and projects at their organisations and familiar with their organisation’s use of third parties to support GenAI initiatives.

The resulting report, The state of the generative AI market: Widespread transformation continues – authored by Mark Beccue, principal analyst, Mike Leone, practice director and principal analyst, and Emily Marsh, associate research director – does find support for an agentic AI philosophy: “Respondents most often said that they see AI agents, virtual assistants, and intelligent chatbots powered by AI as valuable productivity tools, though they also often said they view them with cautious optimism (41%). Over two-thirds of organisations are planning for or considering AI agents, which represents a significant opportunity for AI vendors to target these requirements with capabilities and services.”

They also note, however: “The AI agent market is extremely nascent and loaded with challenges, including managing single-task agents, interoperability problems, the potential emergence of multitask agents and security.”

But the authors also remark, similarly to Salesforce’s Auradkar, that: “A wide majority (84%) of respondents agreed it is important to incorporate their own enterprise data into models that support generative AI. GenAI models themselves are not a competitive differentiator. Rather, effectively identifying, organising and vetting internal data for use with GenAI models is the key to creating unique and highly actionable insights.”

The research also found user organisations to be embracing a variety of LLMs – open source and proprietary. The largest percentage of respondent organisations (43%) use both proprietary and open source models.

Alongside this enthusiasm for using large language models, the study found that organisations are placing “their bets on internal resources, planning to reskill or upskill employees (58%) and provide education and awareness training to employees (43%)”. This suggests a growing cadre of employees who will want to do DIY AI.

The authors comment: “Employee enthusiasm for these technologies is likely at a high point as GenAI excitement pervades many facets of society, so this internal investment will likely be a win-win situation whereby personnel receive welcome development opportunities and the business gains valuable GenAI expertise.”

At Dreamforce in September 2024, Marc Benioff, co-founder, chairman and CEO of Salesforce, was in combative mood in respect of Agentforce, positioning it as a wholescale alternative to generative AI copilot usage, associated with Microsoft and Google, but with other vendors too.

“There’s a lot of narratives out there from vendors, and a lot of it is not true,” he said at the time. “You need to sit with those customers [at the Dreamforce event], look at the code and break the hypnosis coming from all the vendors. There’s plenty of real customers here who are really deploying real AI. But there are billions being invested in copilots, delivering how much productivity increase? Is there a better way to do it? And so, that’s our gambit.”

The game is still being played. The middle game lies ahead.


US Congress demands UK lifts gag on Apple encryption order

US lawmakers have hit out at the Home Office for “attempting to gag” US companies by preventing them from telling Congress whether they have been subject to secret UK orders requiring them to hand over their users’ data.

In an unprecedented intervention, five lawmakers from both sides of the US political divide, led by senator Ron Wyden, have written to the UK’s Investigatory Powers Tribunal (IPT) accusing the British government of undermining Congressional oversight and restricting the free speech of US companies.

Their letter comes as the IPT is preparing to hear closed-door arguments from Apple, which is challenging a notice requiring it to extend UK law enforcement’s existing access to encrypted data stored by customers on the Apple iCloud service anywhere in the world to users of Apple’s Advanced Data Protection (ADP) who choose to hold encryption keys privately on their own devices.

British media organisations, including the BBC, The Times, Financial Times, Reuters, The Guardian, The Telegraph and Computer Weekly, have also filed legal submissions with the IPT today, arguing that there is an important public interest in hearing arguments over the UK’s demands against Apple in a public court.

In the Congressional letter, five US senators and congressmen complained to the Investigatory Powers Tribunal that the secrecy surrounding the orders – known as Technical Capability Notices (TCNs) – is impairing Congress’s power and duty to conduct oversight on matters of national security.

The letter disclosed that Apple and Google have informed Congress that, were they to have received Technical Capability Notices, they would be barred by UK law from disclosing them to US lawmakers. The UK embassy has also failed to respond to US requests for information about potential demands made by the UK on other US companies.

“By attempting to gag US companies and prohibit them from answering questions from Congress, the UK is both violating the free speech rights of US companies and impairing Congress’s power and duty to conduct oversight on matters of national security,” the lawmakers wrote.

“The UK’s attempted gag has already restricted US companies from engaging in speech that is constitutionally protected under US law and necessary for ongoing Congressional oversight,” they added.

The letter has been signed by Democrats senator Ron Wyden from Oregon, who has campaigned on healthcare and the environment; Alex Padilla from California, who is chairman of the Senate Judiciary Subcommittee on Immigration; and Zoe Lofgren, an advocate for digital rights from California.

Republicans Andy Biggs from Arizona, chair of the House Judiciary Subcommittee on Crime and Federal Government Surveillance and a vocal Trump supporter, and Warren Davidson from Ohio, a member of the House Financial Services Committee and a former US soldier, have also signed.

Their unified complaint calls on the IPT to apply principles of open justice to the hearing scheduled for Friday, and to all subsequent proceedings in Apple’s appeal against the Technical Capability Notice.

The lawmakers note that the existence of the TCN has been widely reported and commented on, which makes any argument for closed hearings to keep the existence of the notice secret “unsustainable”.

The existence of the notice has also been confirmed by Apple’s public decision to withdraw its advanced encryption option, known as Advanced Data Protection, for all UK users. Apple would not have done this “unless it felt compelled to do so by a request to insert a backdoor”.

Holding public hearings would allow lawmakers to hear expert evidence from cyber security specialists, civil society representatives and experts on US-UK data flows, enabling the IPT to reach a well-informed decision over the lawfulness of the notice, they said.

Serious concerns over national security

The lawmakers argue that the UK’s demands against Apple raise “serious concerns which directly impact national security” and therefore warrant public debate.

As Computer Weekly previously reported, Tulsi Gabbard, the director of national intelligence, stated in a letter to Congress that the UK’s demands would be “a clear and egregious violation of Americans’ privacy and civil liberties, and open up a serious vulnerability for cyber exploitation by adversarial actors”.

President Donald Trump confirmed in an interview with The Spectator that he had raised the Apple TCN with prime minister Keir Starmer during his visit to Washington, comparing the UK’s actions to the conduct of China.

Chinese exploited US ‘lawful access’

The lawmakers point out that the security of US technology products against surveillance by foreign governments is an important topic for ongoing Congressional oversight following a spate of hacks against the communications of senior US government officials.

China exploited US lawful interception systems in 2023 to reportedly tap the phone calls of Trump and vice-president JD Vance, and to steal millions of phone records after gaining access to major US carriers in the “Salt Typhoon” attack.

In April 2024, hackers stole phone records of “nearly all” AT&T customers, including records of members of the president’s family, the then vice-president, Kamala Harris, and the wife of the now secretary of state, Marco Rubio, in the “Snowflake” incident.

And in 2003, China stole more than 60,000 emails from the department of state and compromised the email accounts of US officials and politicians after hacking into Microsoft-hosted US government email accounts.

“The common link between these incidents is that sensitive government data held by third-party companies was not properly secured and subsequently accessed by hackers … most importantly, the Salt Typhoon incident reportedly involved compromising ‘lawful intercept’ systems of the kind that it appears Apple has been ordered to build,” the letter states.

“Given the significant technical complexity of this issue, as well as the important national security harms that will result from weakening cyber security defences, it is imperative that the UK’s technical demands of Apple – and of any other US companies – be subjected to robust, public analysis and debate by cyber security,” the lawmakers wrote.

Vital for US cyber security experts to comment

“Secret court hearings featuring intelligence agencies and a handful of individuals approved by them do not enable robust challenges on highly technical matters. Moreover, given the potential impact on US national security, it is vital that American cyber security experts be permitted to analyse and comment on the security of what is proposed.”

The lawmakers invited the tribunal to permit US companies to discuss the technical demands they have received under the UK’s Investigatory Powers Act with Congress. The IPT should “invite robust public debate by independent cyber security experts before deciding the merits of the reported challenge that Apple has brought”, they said.

Separately, civil society groups Big Brother Watch, Index on Censorship and Open Rights Group have written to the president of the Investigatory Powers Tribunal, the Rt Hon Lord Justice Singh, calling for the case to be made public.

They argue that the case implicates the privacy rights of millions of British citizens who use Apple’s technology, and those of its overseas customers.

There is a “significant public interest in knowing when and on what basis the UK government believes that it can compel a private company to undermine the privacy and security of its customers”, according to the letter.

Big Brother Watch interim director Rebecca Vincent said the tribunal hearing must not take place in secret. “The Home Office’s shocking order to Apple to break encryption represents a huge attack on privacy rights and is unprecedented in any democracy,” she said.

Index on Censorship CEO Jemimah Steinfeld said breaking encryption would do away with our rights to privacy, make us far less safe and secure online, and challenge the very notion of the UK as a democracy. “With such high stakes, we demand to know what could possibly justify this. We need answers, not more secrecy,” she said.

Open Rights Group executive director Jim Killock said: “If the UK wants to claim the right to make all of Apple’s users more likely to be hacked and blackmailed, then they should argue for that in an open court.”


The Security Interviews: Yevgeny Dibrov, Armis

Over the past 20 to 30 years, the intelligence community has generated a stream of cyber security leaders – private cyber security companies are littered with former operatives of the American and British intelligence services.

But in Israel’s case, the intelligence-to-cyber pipeline has produced arguably the highest density of cyber security startups and organisations in the world. The likes of Check Point, CyberArk, Imperva, Palo Alto Networks and Radware can all claim links back to the Israel Defence Forces’ (IDF’s) technology units.

Among these units, which likely date back to before Israel’s founding in 1948, are the highly secretive cyber weapons and tech development shop Unit 81, and the more widely known signals intelligence Unit 8200.

Israel’s astonishing concentration of cyber security talent is largely attributable to both Unit 81 and Unit 8200, whose existence has only been fairly recently acknowledged. Mossad may get international attention, but it is Unit 8200 that gets the data to support it and Unit 81 that builds the tech.

Acting as incubators for cyber security and hacking talent, these units benefit from Israel’s compulsory military service laws and intensive screening processes, which divert individuals with potential from frontline armed service, although they also scout after-school computer clubs for likely-looking candidates.

That the IDF is the wellspring of Israel’s cyber talent is these days no secret, but Armis CEO, Yevgeny Dibrov – who is allowed to say little more about the time he served in Unit 81 beyond the fact that he was there – says there’s more to the growth of Israel’s cyber community than just the hothouse conditions at the IDF.

He compares the environment to that of a startup. “When you’re a startup, when you’re building something, you don’t have much budget, but with what you have you still need to do outstanding things that differentiate a lot, that achieve a lot, and that puts you in a great place.

“We don’t have the same budget as the CIA or the NSA, maybe point one of a percent, but we have no choice. There is no other way,” he explains. “We have a lot of enemies and we want to win.”

Make the impossible possible

At first, Dibrov’s pipeline into the IT industry does not seem all that different from most other people’s – stemming from an initial schoolboy interest in computers, maths and physics – but he became hooked when he was tapped for Unit 81 as a fresh-faced teen.

“In the years I spent there I became fascinated by different capabilities, fascinated by this world, fascinated also by working hard for my country,” he says. “Twice during my service I was part of the team that won the Israel Defence Prize, which is for outstanding achievements in the technology space.

“The slogan of our unit was ‘Make the Impossible Possible’,” says Dibrov. “It’s written over the door when you enter. You see it every day, and so you kind of live towards it. It’s not just a cliché.”

But the intelligence units serve not only as a hub for creative talent, but also as a hub for team-building. Indeed, of Armis’s first cohort of employees, about 50% served alongside Dibrov himself at Unit 81, and the others worked alongside his co-founder and chief technology officer (CTO), Nadir Izrael, at Unit 8200.

“People get to know each other, and during my time at Unit 81, we were always talking to alumni that actually started companies and did great things,” says Dibrov. “I remember my team leader in the army was [Wiz CEO] Assaf Rappaport, so we were always meeting some of the alumni from our unit and learning what they had done.

“It makes you excited,” he says. “It makes you think, ‘Okay, when I’m out, here is what I want to do’. I already knew that I wanted to start a company.”

At the end of his service, alongside studying at Technion, the Israel Institute of Technology, between 2010 and 2013, Dibrov helped set up Adallom, with which Rappaport was also involved. Adallom was a cloud access security broker (CASB) specialising in visibility, governance and protection across business applications such as Box, Google Apps, Microsoft Office 365 and Salesforce.

The firm’s Office 365 work clearly stood out, because in September 2015, Microsoft bought the company for over $300m. Just a couple of months later, Dibrov and Izrael started Armis, with the first employees coming on board in February 2016.

Google Maps, but for vulnerable assets

Asked to “explain like I’m five”, Dibrov describes Armis as a cyber exposure management platform that essentially provides its customers with a Google Map of their IT environment, with every single asset accounted for, from something run-of-the-mill like a laptop or smartphone to operational technology (OT) like industrial controllers, or even medical equipment.

On top of this basic map, Armis provides additional layers covering security risk discovery, monitoring and management, and ultimately, remediation.

“We want to not just allow you to see your risk, but reduce it, whether through patching devices or mitigating threats with different rules in your technology environment,” he says.

Armis was earlier than many to the OT and internet of things (IoT) side of security, mapping these devices early in its history, before the topic really started to hit mainstream security conversations about six or seven years ago. What was the spark that led Dibrov to make this bet?

“We really started from talking to a lot of customers, talking to a lot of CIOs, and we were hearing about the explosion of connected devices,” he explains. “We looked at the variety of different environments and we saw there was a gap.

“On the one hand, you have laptops and servers that are covered by your antivirus or next-gen antivirus, and then you have everything else. And then everything else changes in different industries. If you look at an airport, they have a big gap around a lot of operational technology stuff. They have different distribution centres, logistics centres and more. They have datacentres. They have buildings with building management systems.”

At about the same time, incidents such as NotPetya and WannaCry were exposing the precarious security of such environments – particularly in healthcare settings – and this helped push people towards a more holistic view of cyber security.

“It was a huge push across the board,” says Dibrov. “Everyone suddenly understood that they needed to have visibility into what they have in these environments – because imagine if I’m an attacker, why would I attack a laptop if the laptop has 50 agents on it? I attack the most vulnerable thing, and that’s usually devices that don’t run any agents or antivirus, devices that are mostly not updated or cannot be patched, and a bunch of old XP machines in those areas.

“These devices are often the most important in the organisation. Look at a hospital. How can you compare the importance of a laptop versus an MRI scanner?”

Customers took to this like ducks to water, and today Armis works with over 35% of the Fortune 100.

Day to day, there is no such thing as a typical customer, says Dibrov, but they tend to be larger, distributed organisations with highly complex environments and a lot of devices. Armis claims to currently have approximately 5.3 billion connected devices in harness.

What’s the weirdest ‘thing’ he ever found? “We have things like cars that connect to the company network, to wireless air fryers – we see those a lot. And the amount of types of cameras you would never believe,” says Dibrov. “Security teams have no idea what cameras they have, and they’re 90% Chinese, potentially exploited with backdoors, and often in the most critical environments.”

Like many of its peers, Armis has also been branching out into threat research and frequently publishes its own thought leadership on diverse topics – recent ones include breaking down CISA’s most exploited vulnerabilities and the emergence of DeepSeek.

“We have so much data now, and our customers can benefit from that,” says Dibrov. “We also acquired a company in the space, some super-talented guys who merge a lot of their own data with data we generated to provide early warning, which has been very significant.”

What’s next?

Keeping in touch with Armis’s buyers is a source of pride for Dibrov, who makes a point of frequently checking in with his user advisory board and speaking to six or seven individual customers every day, whether those are long-term existing ones, new ones, or those moving through their procurement or onboarding processes.

“What do they need? What do they think like? What do we need to do different?” says Dibrov. “This is something that is ongoing for us – always listening, always developing, always running fast, and always providing real solutions to real problems.”

Dibrov declares himself particularly paranoid when it comes to the competition, and likes to try to think about 18 months ahead in terms of innovation. “This is something that is always on my mind because that’s the biggest differentiator,” he says. “You need to have first of all the best product, and then to execute from there. That’s what keeps me up at night.”

Armis recently closed a large Series D funding round, raising $200m to take it to a total valuation of over $4bn. And having made two acquisitions in the past 12 months – Silk Security in April 2024 and CTCI in February 2025 – Dibrov is open to more, as well as exploring the possibility of an initial public offering (IPO).

Beyond these goals, Dibrov is, of course, keeping a close eye on the developing threat landscape. His views on where things are going tally with those of many other observers.

“We keep seeing a lot of state actors, from Russia, China, North Korea, Iran. We keep seeing them, and we keep seeing a lot of targeting of EMEA and US critical infrastructure and manufacturing,” he says. “We see them sometimes also leveraging AI [artificial intelligence]. My guess is we’ll see that more and more, and defenders really need to be prepared.”
