The European Union is regulating disinformation. Well, sort of. While the issue is indeed discussed in regulations such as the Digital Services Act, it seems that the “executive” arm is the Code on Disinformation, as of now strengthened. It builds on the previous 2018 version whi … | Continue reading
France presented their military doctrine for information operations. They will be seriously active in this space. Let me recall that previously I looked at the: Highlights of the French cybersecurity strategy, developments in cyber - France - combattants cyber et l’arme cybernet … | Continue reading
Artificial Intelligence and AI Governance are hot topics in this decade. The European Union has a pretty ambitious attempt to regulate AI (project here). In this post, I have a look at the proposal through the technical lens, including paying attention to cybersecurity and privacy. T … | Continue reading
User tracking technologies are ubiquitous on the web. In recent times web browsers try to fight abuses. This led to an arms race where new tracking and anti-tracking measures are being developed. The use of one of such evasion techniques, the CNAME cloaking technique is recently … | Continue reading
After the success of the GDPR, Europe is doubling down on setting the standards in Artificial Intelligence. It should be clear to everyone, especially after a version of the “REGULATION ON A EUROPEAN APPROACH FOR ARTIFICIAL INTELLIGENCE” project leaked. While it contains interest … | Continue reading
Is Privacy Sandbox’s Federated Learning of Cohorts leaking information about web browsing history? Let's find out. Federated Learning of Cohorts is computing a SimHash on a user's web browsing history (the lists of visited websites) to obtain the cohort ID. In principle, it is a … | Continue reading
The last and final version of the ePrivacy Regulation was finally delivered by the Council of the European Union. The work will finally move forward. I tracked all relevant ePrivacy events since 2016. I also directly participated in the works as an expert and advisor. While this … | Continue reading
This post describes some of the technologies that are or may be used, as well as the ideas of improving the privacy stance of such a certificate/passports technology. Treat it as a standardisation and food-for-thoughts consideration, with a view towards privacy-preserving Covid19 … | Continue reading
I was hesitant to speak about contact tracing apps because so many people speak on the subject and the ratio of repeating the same cliches over and over is also high. Little insightful things are left to be said in this rather simple problem. But recently it emerged that a particula … | Continue reading
I wanted to steer clear from the topic of SARS-CoV-19 [https://en.wikipedia.org/wiki/Severe_acute_respiratory_syndrome_coronavirus_2]. But it is now clear that the global coronavirus epidemic/spread introduces an extraordinary situation, warranting special considerations for indivi … | Continue reading
Privacy vulnerabilities in mechanisms designed to improve privacy are not something expected. On the contrary, they are the last place where you’d expect a privacy bug. Intelligent Tracking Prevention [https://webkit.org/blog/7675/intelligent-tracking-prevention/] (ITP) is an impressi … | Continue reading
Ireland just released its cybersecurity strategy. It is a very interesting document because, considering the size of the country, Ireland is a crucial backbone of the EU digital economy. Ireland knows this and it mentioned in the strategy very prominently: around 30% of “data” are ba … | Continue reading
Software can officially and formally be munitions. Since December 2019 offensive software even more so. At least in the context of the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies [https://en.wikipedia.org/wiki/Wassenaar_Arrangem … | Continue reading
Chances are that you may have heard about General Data Protection Regulation (GDPR) by now. Even if not from expert circles, training or media reporting, then certainly you must have felt the remarkable experience from the reinforced cookie pop-ups (a fact not difficult to predict i … | Continue reading
Contrary to what you may read in the popular press, there are rules when it comes to cyberattacks. Today, probably all countries regulate cybercrime in domestic law. All countries agree also that international law rules apply to cyberspace, including cyberattacks and also cyberwarfa … | Continue reading
Many countries currently discuss cybersecurity on multiple levels. France is not an exception. The new REVUE STRATÉGIQUE DE CYBERDÉFENSE (Strategic Review of Cyberdefence) is a complex, coherent and strategic document listing the many actions that France has already taken, as well a … | Continue reading
Developments of the web introduce new ways of using technology. Sometimes the evolution brings positive changes that are not obvious initially. But some events highlight the significance. Like for example the periodic controversy about the removal of certain mobile apps from cert … | Continue reading
Do you know when Apple Messages send end-to-end encrypted messages? This note might look unusual but it was sparked by continuous questions I receive about communication confidentiality. If you’re well-versed in security and privacy technology - feel free to skip, most likely y … | Continue reading
You may have heard of the cliché “there are no rules in cyberwar”. It is false. There are rules. The trick is how those apply. Countries rarely speak clearly how they see or would see things. Most countries accept that international law applies to cyberspace, including to cyber o … | Continue reading
Interesting proposals of web standards amending the way some aspects of web architecture work emerged from Apple and Google. This marks a pretty unprecedented competition over web architecture. The grand battleground is web standardization. As such it will happen in the open and … | Continue reading
Organizations voluntarily creating big public data breaches are rare. Recently it became widely known that the Public Transport Victoria (PTV) published a dataset of possibly over 15 million users. It was “anonymized”, but PTV may now still face a $336,000 data protection fine. H … | Continue reading
The just-published report of International Committee of the Red Cross (ICRC) on humanitarian consequences of cyber operations brings the much-needed, currently lacking expert insight and context in the debate around cyber warfare. I am also happy because I had an opportunity to c … | Continue reading
Users of public transportation are mainly interested in one thing: getting to the right place conveniently and fast. So do I. Public transportation systems around the world struggle with maintaining their systems as efficient as possible. Transports for London (TfL) is perhaps in … | Continue reading
Real-Time Bidding is a technology enabling the targeting of content to mobile and web users. Real-Time Bidding has numerous problems. Security, including malvertising (abusing ads infrastructure to deliver malware); affecting hundreds of millions of user visits; delivering malwa … | Continue reading
Welcome to the privacy analysis of Progressive Web Applications. With new features in steady supply, the web is changing in exciting ways. One of the more interesting trends is the concept of Progressive Web Applications (PWA). PWAs use modern and powerful web features to further … | Continue reading
In this post we describe and demonstrate a neat trick to exfiltrate sensitive information from your browser using a surprising tool: your smartphone or laptop’s ambient light sensor. In short: We provide background about the light sensor API and current discussions to expose it … | Continue reading
Many countries are developing cyber capabilities, including for their military forces. Details are often secret. Public discussions are therefore always refreshing. There is a good opportunity. France just made public the elements of the offensive cyber operation doctrine. This … | Continue reading
Websites, mobile apps, IoT devices, smartphones and just about any other products, systems or processes might, in a majority of cases, soon need to redesign and re-engineer how user consent is being processed. Why? Because of the European General Data Protection Regulation. … | Continue reading
Today, disinformation is a broad problem touching national, international, and cyber security policies, as well as domains such as social sciences and technology, including technical cybersecurity and privacy. Different tactics are used by state and non-state actors, both interna … | Continue reading
Cybersecurity evolves rapidly both in technology and policy terms. Countries and organisations struggle with the pace of change. Analysing particular strategies is not only useful but also interesting, as it may often constitute a form of a litmus test. On the one hand, strategi … | Continue reading
Soon every website will be able to know if its visitors have a disability, or not. Well, not quite. That will relate to those who use assistive technologies (i.e. screen readers for vision-impaired), and who gave access for this feature. This thanks to Accessibility Object Model … | Continue reading
Did you encounter a web, Facebook or Twitter advertisement seemingly tailored to your interests or related with your recent actions on the web? Chances are this was delivered to you via Real-Time Bidding channels. I am involved in technical research and analysis of Real-Time Bi … | Continue reading
It is surprisingly difficult to find realistic, interesting and creative privacy case studies. It is perhaps even more difficult in the case of major software. There are no proper motivations for making this kind of work public (employees often paid to do some kind of work in-hou … | Continue reading
It is always good to observe how countries build their strategic capabilities within the cyber domain. It is truly a fascinating time for technology policy, privacy and cybersecurity, speaking here in all means: technically, strategically, diplomatically and militarily. Some co … | Continue reading
The world is rapidly upgrading data privacy regulations. In that regard, the European Union is admittedly at the forefront, with its General Data Protection Regulation. It somewhat permeates outside, spreading the good P-rays (privacy rays). India is a very important country, the larg … | Continue reading
Unsecured ways of web browsing are fading away at an accelerating pace. Technically this is done thanks to the increased deployment of HTTPS on the web. Data indicates that above 70% of websites are now accessed via this secured protocol, those numbers quickly increasing. This is … | Continue reading
The new Russian Information Security Doctrine (Doktrina informatsionnoy bezopasnosti Rossiyskoy Federatsii) might appear to be a rather general document. Upon first sight, it seems that it doesn’t contain much interesting information. This view is misguided - it’s worth to look … | Continue reading
Modern Web browsers are constantly getting new features. It makes for interesting challenges on the level of security and privacy reviews. This is how I usually look on this stuff. There are recently a lot of interesting new browser mechanisms. I previously analysed some in the p … | Continue reading
One of the most discussed and often introduced as controversial additions of the General Data Protection Regulations are the high fines. Maximum fines of €10.000.000 (or 2% annual worldwide turnover) or €20.000.000 (or 4%) are definitely significant. They could cripple an entire … | Continue reading