Uncategorized

Independent legal analysis of a controversial UK government proposal to regulate online speech under a safety-focused framework — aka the Online Safety Bill — says the draft bill contains some of the broadest mass surveillance powers over citizens every proposed in a Western democracy which it also warns pose a risk to the integrity of end-to-end encryption (E2EE).

The opinion, written by the barrister Matthew Ryder KC of Matrix Chambers, was commissioned by Index on Censorship, a group that campaigns for freedom of expression.

Ryder was asked to consider whether provisions in the bill are compatible with human rights law.

His conclusion is that — as is –– the bill lacks essential safeguards on surveillance powers that mean, without further amendment, it will likely breach the European Convention on Human Rights (ECHR).

The bill’s progress through parliament was paused over the summer — and again in October — following political turbulence in the governing Conservative Party. After the arrival of a new digital minister, and two changes of prime minister, the government has indicated it intends to make amendments to the draft — however these are focused on provisions related to so-called ‘legal but harmful’ speech, rather than the gaping human rights hole identified by Ryder.

We reached out to the Home Office for a response to the issues raised by his legal opinion.

A government spokesperson replied with an emailed statement, attributed to minister for security Tom Tugendhat, which dismisses any concerns:

“The Online Safety Bill has privacy at the heart of its proposals and ensures we’re able to protect ourselves from online crimes including child sexual exploitation. It‘s not a ban on any type of technology or service design.

“Where a company fails to tackle child sexual abuse on its platforms, it is right that Ofcom as the independent regulator has the power, as a last resort, to require these companies to take action.

“Strong encryption protects our privacy and our online economy but end-to-end encryption can be implemented in a way which is consistent with public safety. The Bill ensures that tech companies do not provide a safe space for the most dangerous predators online.”

Ryder’s analysis finds key legal checks are lacking in the bill which grants the state sweeping powers to compel digital providers to surveil users’ online communications “on a generalised and widespread basis” — yet fails to include any form of independent prior authorisation (or independent ex post facto oversight) for the issuing of content scanning notices.

In Ryder’s assessment this lack of rigorous oversight would likely breach Articles 8 (right to privacy) and 10 (right to freedom of expression) of the ECHR.

Existing very broad surveillance powers granted to UK security services, under the (also highly controversial) Investigatory Powers Act 2016 (IPA), do contain legal checks and balances for authorizing the most intrusive powers — involving the judiciary in signing off intercept warrants.

But the Online Safety Bill leaves it up to the designated Internet regulator to make decisions to issue the most intrusive content scanning orders — a public body that Ryder argues is not adequately independent for this function.

He also points out that given existing broad surveillance powers under the IPA, the “mass surveillance” of online comms proposed in the Online Safety Bill may not meet another key human rights test — of being “necessary in a democratic society”.

While bulk surveillance powers under the IPA must be linked to a national security concern — and cannot be used solely for the prevention and detection of serious crime between UK users — yet the Online Safety Bill, which his legal analysis argues grants similar “mass surveillance” powers to Ofcom, covers a much broader range of content than pure national security issues. So it looks far less bounded. 

Commenting on Ryder’s legal opinion in a statement, Index on Censorship’s chief executive, Ruth Smeeth, denounced the bill’s overreach — writing:

“This legal opinion makes clear the myriad issues surrounding the Online Safety Bill. The vague drafting of this legislation will necessitate Ofcom, a media regulator, unilaterally deciding how to deploy massive powers of surveillance across almost every aspect of digital day-to-day life in Britain. Surveillance by regulator is perhaps the most egregious instance of overreach in a Bill that is simply unfit for purpose.”

Impact on E2EE

While much of the controversy attached to the Online Safety Bill — which was published in draft last year but has continued being amended and expanded in scope by government — has focused on risks to freedom of expression, there are a range of other notable concerns. Including how content scanning provisions in the legislation could impact E2EE, with critics like the Open Rights Group warning the law will essentially strong-arm service providers into breaking strong encryption.

Concerns have stepped up since the bill was introduced after a government amendment this July — which proposed new powers for Ofcom to force messaging platforms to implement content-scanning technologies even if comms are strongly encrypted on their service. The amendment stipulated that a regulated service could be required to use “best endeavours” to develop or source technology for detecting and removing CSEA in private comms — and private comms puts it on a collision course with E2EE.

E2EE remains the ‘gold standard’ for encryption and online security — and is found on mainstream messaging platforms like WhatsApp, iMessage and Signal, to name a few — providing essential security and privacy for users’ online comms.

So any laws that threaten use of this standard — or open up new vulnerabilities for E2EE — could have a massive impact on web users’ security globally.

In the legal opinion, Ryder focuses most of his attention on the Online Safety Bill’s content scanning provisions — which are creating this existential risk for E2EE.

The bulk of his legal analysis centers on Clause 104 of the bill — which grants the designated Internet watchdog (existing media and comms regulator, Ofcom) a new power to issue notices to in-scope service providers requiring them to identify and take down terrorism content that’s communicated “publicly” by means of their services or Child Sex Exploitation and Abuse (CSEA) content being communicated “publicly or privately”. And, again, the inclusion of “private” comms is where things look really sticky for E2EE.

Ryder takes the view that the bill, rather than forcing messaging platforms to abandon E2EE altogether, will push them towards deploying a controversial technology called client side scanning (CSS) — as a way to comply with 104 Notices issued by Ofcom — predicting that’s “likely to be the primary technology whose use is mandated”.

“Clause 104 does not refer to CSS (or any technology) by name. It mentions only ‘accredited technology’. However, the practical implementation of 104 Notices requiring the identification, removal and/or blocking of content leads almost inevitably to the concern that this power will be used by Ofcom to mandate CSPs [communications service providers] using some form of CSS,” he writes, adding: “The Bill notes that the accredited technology referred to c.104 is a form of ‘content moderation technology’, meaning ‘technology, such as algorithms, keyword matching, image matching or image classification, which […] analyses relevant content’ (c.187(2)(11). This description corresponds with CSS.”

He also points to an article published by two senior GCHQ officials this summer — which he says “endorsed CSS as a potential solution to the problem of CSEA content being transmitted on encrypted platforms” — further noting that out their comments were made “against the backdrop of the ongoing debate about the OLSB [Online Safety Bill].”

“Any attempt to require CSPs to undermine their implementation of end-to-end encryption generally, would have far-reaching implications for the safety and security of all global on-line of communications. We are unable to envisage circumstances where such a destructive step in the security of global online communications for billions of users could be justified,” he goes on to warn.

Client side scanning risk

CSS refers to controversial scanning technology in which the content of encrypted communications is scanned with the goal of identifying objectionable content. The process entails a message being converted to a cryptographic digital fingerprint prior to it being encrypted and sent, with this fingerprint then compared with a database of fingerprints to check for any matches with known objectionable content (such as CSEA). The comparison of these cryptographic fingerprints can take place either on the user’s own device — or on a remote service.

Wherever the comparison takes place, privacy and security experts argue that CSS breaks the E2E trust model since it fundamentally defeats the ‘zero knowledge’ purpose of end-to-end encryption and generates new risks by opening up novel attack and/or censorship vectors.

For example they point to the prospect of embedded content-scanning infrastructure enabling ‘censorship creep’ as a state could mandate comms providers scan for an increasingly broad range of ‘objectionable’ content (from copyrighted material all the way up to expressions of political dissent that are displeasing to an autocratic regime, since tools developed within a democratic system aren’t likely to be applied in only one place in the world).

An attempt by Apple to deploy CSS last year on iOS users’ devices — when it announced it would begin scanning iCloud Photo uploads for known child abuse imagery — led to a huge backlash from privacy and security experts. Apple first paused — and then quietly dropped reference to the plan in December, so it appears to have abandoned the idea. However governments could revive such moves by mandating deployment of CSS via laws like the UK’s Online Safety Bill which relies on the same claimed child safety justification to embed and enforce content scanning on platforms.

Notably, the UK Home Office has been actively supporting development of content-scanning technologies which could be applied to E2EE services — announcing a “Tech Safety Challenge Fund” last year to splash taxpayer cash on the development of what it billed at the time as “innovative technology to keep children safe in environments such as online messaging platforms with end-to-end encryption”.

Last November, five winning projects were announced as part of that challenge. It’s not clear how ‘developed’ — and/or accurate — these prototypes are. But the government is moving ahead with Online Safety legislation that this legal expert suggests will, de facto, require E2EE platforms to carry out content scanning and drive uptake of CSS — regardless of the state of development of such tech.

Failure to comply with the Online Safety Bill will put service providers at risk of a range of severe penalties — so very large sticks are being assembled and put in place alongside sweeping surveillance powers to force compliance.

The draft legislation allowing for fines of up to 10% of global annual turnover (or £18M, whichever is higher). The bill would also enable Ofcom to be able to apply to court for “business disruption measures” — including blocking non-compliant services within the UK market. While senior execs at providers who fail to cooperate with the regulator could risk criminal prosecution.

For its part, the UK government has — so far — been dismissive of concerns about the impact of the legislation on E2EE.

In a section on “private messaging platforms”, a government fact-sheet claims content scanning technology would only be mandated by Ofcom “as a last resort”. The same text also suggests these scanning technologies will be “highly accurate” — without providing any evidence in support of the assertion. And it writes that “use of this power will be subject to strict safeguards to protect users’ privacy”, adding: “Highly accurate automated tools will ensure that legal content is not affected. To use this power, Ofcom must be certain that no other measures would be similarly effective and there is evidence of a widespread problem on a service.”

The notion that novel AI will be “highly accurate” for a wide-ranging content scanning purpose at scale is obviously questionable — and demands robust evidence to back it up.

You only need consider how blunt a tool AI has proven to be for content moderation on mainstream platforms, hence the thousands of human contractors still employed reviewing automated reports. So it seems highly fanciful that the Home Office has or will be able to foster development of a far more effective AI filter than tech giants like Google and Facebook have managed to devise over the past decades.

As for limits on use of content scanning notices, Ryder’s opinion touches on safeguards contained in Clause 105 of the bill — but he questions whether these are sufficient to address the full sweep of human rights concerns attached to such a potent power.

“Other safeguards exist in Clause 105 of the OLSB but whether those additional safeguards will be sufficient will depend on how they are applied in practice,” he suggests. “There is currently no indication as to how Ofcom will apply those safeguards and limit the scope of 104 Notices.

“For example, Clause 105(h) alludes to Article 10 of the ECHR, by requiring appropriate consideration to be given to interference with the right to freedom of expression. But there is no specific provision ensuring the adequate protection of journalistic sources, which will need to be provided in order to prevent a breach of Article 10.”

In further remarks responding to Ryder’s opinion, the Home Office emphasized that Section 104 Notice powers will only be used where there is no alternative, less intrusive measures capable of achieving the necessary reduction in illegal CSEA (and/or terrorism content) appearing on the service — adding that it will be up to the regulator to assess whether issuing a notice is necessary and proportionate, taking into account matters set out in the legislation including the risk of harm occurring on a service, as well as the prevalence of harm.

Surveillance powers in UK’s Online Safety Bill are risk to E2EE, warns legal expert by Natasha Lomas originally published on TechCrunch

An international police operation has dismantled an online spoofing service that allowed cybercriminals to impersonate trusted corporations to steal more than $120 million from victims.

iSpoof, which now displays a message stating that it has been seized by the FBI and the U.S. Secret Service, offered “spoofing” services that enabled paying users to mask their phone numbers with one belonging to a trusted organization, such as banks and tax offices, to carry out social engineering attacks.

“The services of the website allowed those who sign up and pay for the service to anonymously make spoofed calls, send recorded messages, and intercept one-time passwords,” Europol said in a statement on Thursday. “The users were able to impersonate an infinite number of entities for financial gain and substantial losses to victims.”

London’s Metropolitan Police, which began investigating iSpoof in June 2021 along with international law enforcement agencies, in the U.S., the Netherlands, and Ukraine, said it had arrested the website’s suspected administrator, named as Teejai Fletcher, 34, charged with fraud and offenses related to organized crime. Fletcher was remanded to custody and will appear at Southwark Crown Court in London on December 6.

iSpoof had around 59,000 users, which caused £48 million of losses to 200,000 identified victims in the U.K., according to the Met Police. One victim was scammed out of £3 million, while the average amount stolen was £10,000.

Europol says the service’s operators raked in estimated profits of $3.8 million in the last 16 months alone.

The Metropolitan Police said it also used bitcoin payment records found on the site’s server to identify and arrest a further 100 U.K.-based users of the iSpoof service. The site’s infrastructure, which was hosted in the Netherlands but moved to Kyiv earlier in 2022, was seized and taken offline in a joint Ukrainian-U.S. operation earlier this month.

Police have a list of phone numbers targeted by iSpoof fraudsters and will contact potential victims via text on Thursday and Friday. The text message will ask victims to visit the Met’s website to help it build more cases.

Helen Rance of the Metropolitan Police Cyber Crime Unit said: “Instead of just taking down the website and arresting the administrator, we have gone after the users of iSpoof. Our message to criminals who have used this website is: we have your details and are working hard to locate you, regardless of where you are.”

US authorities seize iSpoof, a call spoofing site that stole millions by Carly Page originally published on TechCrunch

LinkedIn is rolling out a new feature that allows users to schedule posts to send at a later time.

The Microsoft-owned social network has seemingly been testing the new feature for several months already, according to at least one online report dating back to August, but it seems that it’s now ramping up the rollout, according to a growing number of reports across social media.

Matt Navarra, a social media consultant and renowned tipster, confirmed yesterday that he was now seeing the post-scheduling feature inside the Android app and on the LinkedIn website itself. Internally at TechCrunch, it’s a bit of a mixed bag with some of us seeing the feature and others not, however it does seem to be limited to the web and Android for now.

Those that do have the feature will see a little clock icon beside the “post” button within the message compose box.

When the user clicks on the clock icon, they’re presented with an option to choose a specific date and half-hourly slot that they want to schedule their post for.

Marketers rejoice

While millions of marketers, influencers, and “thought leaders” the world over will no doubt rejoice at this new feature, it is worth noting that similar functionality has been available for a while already through third-party platforms such as Hootsuite and Buffer. However, not everyone is happy giving third-party platforms access to their LinkedIn accounts for data-privacy reasons — plus, native functionality is nearly always more convenient, particularly for those who only want to share a specific piece of content to their LinkedIn followers.

In truth, native post-scheduling has always been a fairly notable absence from such a widely-used social network as LinkedIn which claims some 875 million members globally. The likes of Twitter (via TweetDeck) and Facebook have offered scheduling for a while already, not to mention email clients such as Gmail which allow you to send messages while you’re fast asleep.

TechCrunch has reached out to LinkedIn for more information on the new post-scheduling feature, including when everyone can expect to have access. We’ll update here when, or if, we hear back.

LinkedIn’s rolling out a new feature that lets you schedule posts for later by Paul Sawers originally published on TechCrunch

Most small and medium enterprises (SMEs) in supply chains across different sectors in Africa execute orders in days but receive invoices after several weeks and sometimes months. It’s such an inefficient way of doing business that ultimately leads to cash-flow problems — and on top of that are fragmented payment collection and tracking processes.

Recently, startups have taken a top-down approach by singling out a particular sector and delivering solutions to SMEs within it. One such startup is Pivo, which helps freight carriers get paid faster by providing a bank account, a debit card and digital invoicing tools that track payments.

The startup, founded by Nkiru Amadi-Emina and Ijeoma Akwiwu in July 2021, is announcing today that it has closed a $2 million seed round. Pivo, in a statement, said it intends to use the financing to upgrade existing products, build new ones, hire talent and expand outside of Lagos, its first market and other African countries, particularly in East Africa.

Pivo provides financial services — credit, payments and expense management — to SME vendors within large manufacturing supply chains, an industry Amadi-Emina, the chief executive officer, plied her trade before starting the one-year-old startup, which has raised $2.55 million since launch.

In 2017, Amadi-Emina launched an on-demand delivery platform targeted at e-commerce brands in North and Central Africa, which subsequently got acquired by Kobo360, one of Africa’s most prominent e-logistics players. It was during her time at Kobo360 — first as an enterprise account manager and up until she left as head of port operations — that she witnessed the glaring liquidity problems that existed at both ends of the logistics supply chain. Truckers need cash advances from logistics companies such as Kobo360, Lori Systems and MVX to move cargo; meanwhile, these companies also require manufacturers to pay on time for distributing cargo to truckers.

“In most cases, we found out that managing cash flow was the primary issue for these businesses — it was either nonexistent or just paper-based,” Amadi-Emina told TechCrunch in an interview. “A lot of the payments made were made with cash and we thought to build a digital bank that provides financial services geared towards solving these various problems for SME vendors that operate within large manufacturing supply chains, starting first and foremost with the logistics providers, and then gradually moving to the supplier pockets and at the tail end of things.”

Pivo leverages manufacturing supply chain relationships and deploys financial services to the SMEs within them, mostly truckers in this instance. The credit play of its platform, Pivo Capital, serves as an early payment alternative for truckers and allows logistics companies to deal with any upfront costs — such as diesel and driver’s allowance — typically incurred during operations. Pivo Business, its payments reconciliation arm, helps these small businesses to facilitate payments via peer-to-peer transfers and track payments with debit cards with spend controls. Amadi-Emina explained that all these features will drive Pivo to capture a sizable portion of a $4 billion addressable market opportunity.

It’s a huge market where Pivo has the first-mover advantage. And though it doesn’t seem to have any noteworthy challengers in the freight sector, startups such as Duplo, another YC alum, whose customers are SMEs in the fast-moving consumer goods (FMCG) space, pose serious competition in the long run when the platforms seek out other sectors to replicate growth. That said, within its sector, there’s also some concern that e-logistics companies can construct a similar platform in-house (case in point, Kobo360’s Payfasta).

“As a plug-and-play and embedded solution, we’ve always been more complimentary than competitive,” the chief executive told TechCrunch when questioned about Pivo’s chances if e-logistics firms launch a competing product. “If you look at e-logistics firms, the goal for them is to move towards a platform approach and if at any point in time they want to unlock financial services, we tell them to come to PIVO for that instead of going to the traditional banks.”

The freight carrier–focused digital bank currently serves about 500 SMEs as direct customers and makes revenue by charging interest on capital and fees on payments processed. Amadi-Emina said Pivo Capital has disbursed over $3 million to SMEs and currently records a 98% repayment rate while transaction volume on Pivo Business grew over 400% between April and September this year. The startup has registered a total volume of $4.7 million from July to date.

What’s next for the female-led startup? More growth, according to its CEO. The company is working on Pivo+, a package of value-added services that will turn Pivo into a full-fledged financial services platform. Daniel Block, an investment principal at Mercy Corps, one of the investors in this round, thinks Pivo is designed to become such a platform because the startup’s “commitment to unattended supply chain SMEs would enable it to rapidly carve out a deep moat in the competitive fintech lending space.”

Other investors in the seed round include Precursor Ventures, Vested World, FoundersX, and Y Combinator, where Amadi-Emina and Ijeoma Akwiwu have accomplished an impressive feat of being the first all-female founded team the famed accelerator has backed in Nigeria — and the second in Africa after the defunct Ghanaian startup Tress.

“It is a great thing that we were able to break that barrier as a female-led start-up. Getting into YC gave us validation as founders and cemented the fact that women can be at the helm of affairs in the tech space,” said Amadi-Emina of the achievement. “Tech is a male-dominated space and all these man-made barriers exist that serve to keep women out. Getting into YC, with the news amplified not just locally but internationally means more people get to see strong female representation coming from Nigeria. We’re glad that a female founder somewhere looks at us and gains an awareness that it is possible that if you keep putting in the hard work, applying yourself and have the numbers to back it all up, you can achieve what you set out to.”

Pivo powers up Nigerian freight carriers with a bespoke digital bank, gets $2M seed funding by Tage Kene-Okafor originally published on TechCrunch

Tesla is extending its “full self-driving” (FSD) beta software “to anyone in North America who requests it from the car screen,” according to CEO Elon Musk who tweeted out the news late Wednesday evening. The rollout of FSD across the continent comes as Tesla is potentially facing a criminal investigation from the U.S. Department of Justice over false claims relating to the company’s advanced driver assistance system Autopilot.

Autopilot comes standard on Tesla vehicles and performs automated driving functions such as steering, accelerating and automatic braking. FSD, which costs North American drivers $15,000, is an extension of Autopilot that includes features like assisted steering on highways and city streets, smart vehicle summoning, automatic parking and recognizing and reacting to traffic lights and stop signs.

Autopilot, and by extension FSD, have come under regulator scrutiny in recent years following a series of Tesla crashes, many of which were fatal. The National Highway Traffic Safety Administration (NHTSA) has opened special investigations into 36 Tesla crashes involving Autopilot since 2016, five of which happened this year. Tesla has also come under fire from California’s Department of Motor Vehicles and drivers who claim the company falsely advertised the self-driving capabilities of Autopilot and FSD.

Some Tesla owners and enthusiasts predicted the company might allow FSD into all cars after Tesla appears to have dropped the requirement for 100 Autopilot miles and a safety score of at least 80 to receive the FSD update. This is a concerning lack of scrutiny considering fears that drivers using ADAS are less likely to watch the road and be alert in case the system malfunctions. Tesla’s website does encourage drivers to keep their hands on the wheel and eyes on the road.

Despite concerns, any driver who has already paid the steep price for Tesla’s FSD will be able to access the software in North America. Tesla had previously extended FSD access to 160,000 owners in the U.S. and Canada in September, and today’s widespread rollout makes good on previous promises from Musk to get FSD in every Tesla by the end of 2022.

Musk has claimed that Tesla could achieve full-self driving by the end of the year, but during the company’s third quarter earnings admitted that FSD wouldn’t gain regulatory approval to be driven without someone behind the wheel in 2022. The move to expand the number of users and possibly give Tesla’s supercomputer Dojo more data to work with might be one of the reasons Tesla has chosen now to expand.

It might also be a move to ease investor worries and accrue some more revenue. Tesla’s stock is at a two-year low and its market cap slashed from $1.2 trillion last November to $574 billion today following Musk’s buyout of Twitter and the ensuing dramas of the company overhaul.

The FSD scaling also follows news from Tesla engineers Romi Phadte and Gabe Gheorghian who spoke at BazelCon this week and shared that Tesla has increased the number of FSD simulations per week from around 250,000 in 2020 to 2 million today.

Tesla extends FSD access to “anyone in North America who requests it” by Rebecca Bellan originally published on TechCrunch