Feedback & Followups
- 🇪🇸 Spain implicated in Pegasus spyware attack on Catalan politicians — www.imore.com/…
- Social Media Updates:
  - Instagram will now rank based on originality & improve product and people tagging — www.imore.com/…
- You Can Now Ask Google to Remove Your Phone Number, Email or Address from Search Results — krebsonsecurity.com/…
- A leaked internal report warns that Facebook doesn’t actually know what it does with user data at the moment, so it can’t honestly make promises to regulators until it gets its house in order — www.vice.com/…
- Related: 🇪🇺 The EU were quick to remind Elon Musk that Twitter must follow the law in the EU — www.macobserver.com/…
- Apple have issued a firmware update for AirTags to tweak the sound AirTags make when they’re away from their owners, to make them easier to find — www.imore.com/…
Deep Dive — 🇪🇺 The European Parliament & Council have Reached Agreement on the Digital Services Act
About a month ago it was big news when the European Commission, European Parliament, and the European Council reached an agreement on the big-picture structure of the Digital Markets Act (DMA), and we dug into it in detail in Security Bits on 3 April 2022.
We mentioned then that the DMA was just the first of two major tech-related acts that were in the works in Europe, the second being the Digital Services Act or DSA. Last weekend, the DSA made it to a similar stage, having reached Provisional Political Agreement. The DSA arrived here via a slightly different process because it’s being led by a different commissioner, so there was no last-minute trialogue this time, just a two-way agreement between the parliament and the ministers, and the next step is not technical wording, but final approval by the parliament and council of ministers. I think the reason for the difference is that this bill is smaller, and a lot less prescriptive — it’s more about defining responsibilities than mandating specific actions.
While the scale may be smaller, and the technical details different, a lot of the philosophy sounds very similar to me — like the DMA, the DSA is aimed primarily at big companies. But, with the DSA, unlike the DMA, smaller companies aren’t completely exempted, they’re just subject to fewer rules and less stringent oversight.
What Companies are Primarily Targeted?
The DSA focuses mostly on what it calls very large online platforms (VLOPs) and very large online search engines (VLOSEs). The threshold for being considered very large is having at least 45 million monthly active users in the EU. Smaller platforms and search engines are “exempted from certain new obligations”.
The biggest difference between the big guys and the little guys is that the big guys will be centrally regulated by the European Commission, while the smaller companies will continue to be regulated by the appropriate national institutions within the member countries.
The Most Significant Rules for Everyone
The most significant change affecting all services IMO is a new responsibility to safeguard minors using online services and an outright ban on targeted advertising aimed at children.
Three other requirements for all online service providers stand out:
- All online marketplaces (regardless of size) will have a duty of care to ensure they display appropriate information on products and services being sold, regardless of the seller. The aim here is to protect consumers. It means online resellers can’t knowingly sell things like counterfeit chargers that could kill people without being liable.
- So-called dark patterns, i.e. intentionally misleading UIs, will be illegal for all online services.
- There will be transparency requirements for all recommendation engines.
The Most Significant Rules for the VLOPs & VLOSEs
The single biggest requirement is that large companies must implement annual systematic risk assessments and put in place measures to reduce the risks they find. This is where the controversy lies because addressing some of these risks will inevitably lead to limits on speech. These are the risks called out in the press release describing the agreed act:
- Dissemination of illegal content
- Adverse effects services may have on fundamental rights
- Adverse effects services may have on democratic processes and public safety
- Adverse effects on minors
- Increased gender-based violence
- Adverse effects on users’ physical or mental health
The big companies also have an extra responsibility to offer versions of their recommendation engines not based on user profiles.
Finally, there was a last-minute addition allowing the Commission to decide that a crisis has broken out, and then impose restrictions on VLOPs & VLOSEs. The examples they give in the press release are pandemics and wars (can’t imagine why those were on their minds). This hasty last-minute addition has some people nervous because the Commission seem to get all the power here — they get to both declare emergencies and decide what emergency rules to impose on the large services.
- The official press release: www.consilium.europa.eu/…
- EU strikes deal to force tech giants to tackle disinformation — www.euronews.com/…
- Remember “Unregulated” means you’ve got no safety net, and you can irrevocably lose everything you hold in crypto in seconds:
  - If you use a Cryptowallet that backs your private key up to iCloud, then an iCloud Phishing scam can cost you everything in your wallet: Investor lost $650k in crypto and NFTs through this iCloud scam — www.imore.com/… & Cryptowallet MetaMask Warns Apple Users to Beware of Phishing Attacks — www.macobserver.com/…
  - Beanstalk cryptocurrency heist: scammer votes himself all the money — nakedsecurity.sophos.com/… (Remember, DeFi is just a new buzzword for an even more dangerous version of crypto)
- Related: Glenn Fleishman outdoes himself with the single best article on crypto I’ve seen yet: Understand Cryptocurrency, but Don’t Invest in It — tidbits.com/…
- A timely reminder never to relay 2FA tokens to anyone ever – Vice have a report detailing how cybercriminals are using services like ApplePay to cash out with stolen credit cards by tricking people into relaying the needed 2FA codes to them — www.vice.com/…
- PSA: Fake WhatsApp Support accounts are out to steal your information — www.imore.com/… (On any service, if the verified badge is in someone’s avatar it’s fake!)
- A reminder to check your AirDrop settings, as it’s starting to be abused for spam 🙁: Apple Store Patrons in Select Cities Find AirDrop Surprise From Refurbishing Company — www.macobserver.com/…
- Time to buy your sysadmin friends another coffee – Oracle have released a patch to Java that fixes a catastrophic hole in one of the language’s core crypto libraries (a signature of all zeros is effectively a skeleton key!) — nakedsecurity.sophos.com/… (There’s nothing for regular folks to do, this is another one for corporate IT, like Log4Shell earlier in the year)
- 🇬🇧 Apple is bringing its Communication Safety in Messages parental control feature to the UK (this is the uncontroversial CSAM protection feature that is already active in the US, not the controversial feature that’s indefinitely postponed) — www.imore.com/…
- 2021 Top Routinely Exploited Vulnerabilities — us-cert.cisa.gov/…
- 🎧 A little over a year ago the Malicious Life podcast, sponsored by Cybereason, did an excellent 3-part series on Clearview AI and the complex questions facial recognition technology raises:
- 🎦 Bart: Duckin’ Autocorrect: The Inventor of iPhone’s Autocorrect Explains How It Works | WSJ – YouTube — m.youtube.com/…
- Bart: A recent Changelog podcast episode pointed me towards a very interesting new Terminal app that’s in public beta now called Warp — www.warp.dev/… (it’s cloud-integrated because the intention is to enable collaboration, so you have to sign in to the app with GitHub; they are clear that they absolutely do not send your commands or their outputs to the cloud)
  - 🎦 Demo video showing Warp in action — youtube.com/…
When the textual description of a link is part of the link, it is the title of the page being linked to; when the text describing a link is not part of the link, it is a description written by Bart.

| Icon | Meaning |
|---|---|
| 🎧 | A link to audio content, probably a podcast. |
| ❗ | A call to action. |
| flag | The story is particularly relevant to people living in a specific country, or, the organisation the story is about is affiliated with the government of a specific country. |
| 📊 | A link to graphical content, probably a chart, graph, or diagram. |
| 🧯 | A story that has been over-hyped in the media, or, “no need to light your hair on fire” 🙂 |
| 💵 | A link to an article behind a paywall. |
| 📌 | A pinned story, i.e. one to keep an eye on that’s likely to develop into something significant in the future. |
| 🎩 | A tip of the hat to thank a member of the community for bringing the story to our attention. |