UK Home Office’s new vulnerability reporting policy creates legal risks for ethical researchers, experts warn

The UK Home Office has introduced a vulnerability reporting mechanism through the platform HackerOne, allowing cybersecurity researchers to report security issues in its systems. However, concerns have been raised that individuals who submit reports could still face legal risks under the UK’s Computer Misuse Act (CMA), even if they follow the department’s new guidance.

Unlike some private-sector initiatives, the Home Office program does not offer financial rewards for reporting vulnerabilities. The new guidelines prohibit researchers from disrupting systems or accessing and modifying data. However, they also caution that individuals must not ‘break any applicable law or regulations,’ a clause that some industry groups argue could discourage vulnerability disclosure due to the broad provisions of the CMA, which dates back to 1990.

The CyberUp Campaign, a coalition of industry professionals, academics, and cybersecurity experts, warns that the CMA’s definition of unauthorized access does not distinguish between malicious intent and ethical security research. While the Ministry of Defence has previously assured researchers they would not face prosecution, the Home Office provides no such assurances, leaving researchers uncertain about potential legal consequences.

A Home Office spokesperson declined to comment on the concerns.

The CyberUp Campaign acknowledged the growing adoption of vulnerability disclosure policies across the public and private sectors but highlighted the ongoing legal risks researchers face in the UK. The campaign noted that other countries, including Malta, Portugal, and Belgium, have updated their laws to provide legal protections for ethical security research, while the UK has yet to introduce similar reforms.

The Labour Party had previously proposed an amendment to the CMA that would introduce a public interest defense for cybersecurity researchers, but this was not passed. Last year, Labour’s security minister Dan Jarvis praised the contributions of cybersecurity professionals and stated that the government was considering CMA reforms, though no legislative changes have been introduced so far.

For more information on these topics, visit diplomacy.edu.

Sweden considers law requiring encrypted messaging backdoors, Signal threatens to exit

Swedish law enforcement and security agencies are advocating for legislation that would require encrypted messaging services such as Signal and WhatsApp to implement technical measures allowing authorities to access user communications, according to a report by SVT Nyheter.

If introduced, the bill would mandate that these platforms retain messages and provide law enforcement with access to the message history of criminal suspects. Minister of Justice Gunnar Strömmer stated that such measures are necessary for authorities to carry out investigations effectively.

Signal Foundation President Meredith Whittaker told SVT Nyheter that if the proposed legislation requires the company to introduce backdoors, Signal would withdraw from the Swedish market rather than comply. The Swedish Armed Forces have also expressed concerns, warning that implementing such access mechanisms could introduce security risks that might be exploited by unauthorised parties.

The bill could be considered by Sweden’s parliament, the Riksdag, next year if it moves forward in the legislative process.

Similar legislative efforts have been introduced in other countries. In the UK, Apple recently disabled end-to-end encryption for iCloud accounts in response to government demands for access to encrypted data.

EU Commission proposes enhanced cyber crisis management framework

The EU Commission introduced a proposal aimed at strengthening the EU’s response to large-scale cyber attacks. This recommendation to the Council of Ministers seeks to update the existing EU framework for crisis management in cybersecurity and outline the roles of relevant EU actors, including civilian and military entities as well as NATO.

Specifically, the proposal aims to establish coordination points with NATO to facilitate information sharing during cyber crises, including interconnections between systems. If Member States deploy defense initiatives during a cybersecurity incident, they must inform EU-CyCLONe and the EU Cyber Commanders Conference.

The High Representative, in collaboration with the Commission and relevant entities, should facilitate information flow with strategic partners during identified incidents and enhance coordination against malicious cyber activities using the cyber diplomacy toolbox. Joint exercises should be organized to test cooperation between civilian and military components during significant incidents, including those affecting NATO allies and candidate countries.

The Commission noted that a significant cybersecurity incident could overwhelm the response capabilities of individual Member States and impact multiple EU countries, potentially leading to a crisis that disrupts the internal market and poses risks to public safety. It encourages the establishment of voluntary collaborative clusters to foster cooperation and trust in cybersecurity. Member States can create these clusters based on existing information-sharing frameworks, focusing on common threats while adhering to the mandates of participating actors.

The document emphasizes the importance of a comprehensive and integrated approach to crisis management across all sectors and levels of government. It highlights that if cybersecurity incidents are part of a broader hybrid campaign, stakeholders should collaborate to develop a unified situational awareness across sectors.

Within twelve months of adopting the cybersecurity blueprint, Member States must develop a unified taxonomy for cyber crisis management and establish guidelines for the secure handling of cybersecurity information. The proposal emphasises avoiding over-classification to promote the sharing of non-classified information through established cooperation platforms.

To enhance preparedness for crises and improve organizational efficiency, Member States and relevant entities should conduct ongoing cyber exercises based on scenarios derived from EU-coordinated risk assessments, aligning with existing crisis response mechanisms. Smaller exercises should test interactions during escalating incidents, while the Commission, EEAS, and ENISA will organize an exercise within eighteen months to evaluate the cybersecurity blueprint, involving all relevant stakeholders, including the private sector.

The proposal also recommends that Member States and critical infrastructure operators integrate at least one Union-based DNS infrastructure, such as DNS4EU, to ensure reliable services during crises. ENISA and EU-CyCLONe are tasked with creating emergency failover guidelines for transitioning to Union-based DNS in case of service failures.

While the cybersecurity blueprint does not interfere with how entities define their internal procedures, each entity should clearly define the interfaces used for working with other entities. These interfaces should be jointly agreed upon between the entities concerned and documented.

National and cross-border cyber hubs should share threat information to bolster protection against Union-specific threats, and Member States are encouraged to engage in a multistakeholder forum to identify best practices and standards for securing critical Internet infrastructure. Public and private entities should implement threat-informed detection strategies to proactively identify potential disruptions. They must share information about covert operations with partners before crises escalate and report potential cyber crises to relevant networks, while the CSIRTs Network and EU-CyCLONe establish procedures for coordinating responses to large-scale incidents.

Australia bans Kaspersky software on government systems over security risks

The Australian government has issued a directive prohibiting the use of cybersecurity software and web services from Kaspersky on government systems, citing national security considerations. Under the new policy, government agencies are required to remove existing Kaspersky products by April 2025 and refrain from installing them on government devices in the future.

According to a statement from Stephanie Foster, Secretary of the Department of Home Affairs, the decision follows a threat and risk assessment that identified security concerns related to the use of Kaspersky products and web services. The directive cites ‘unacceptable security risks arising from threats of foreign interference, espionage and sabotage’. It does not detail the specific threats and risks that were recently identified and led to this decision.

In response to the decision, a Kaspersky spokesperson stated that the company was not given prior notice or an opportunity for engagement before the ban was issued. The company reiterated that the decision was influenced by geopolitical factors rather than technical assessments of its products. Despite the restriction on government use, Kaspersky confirmed that it will continue to provide services to other customers in Australia and remains open to discussions with authorities.

The move follows Australia’s earlier decision to prohibit the use of Chinese artificial intelligence firm DeepSeek’s technology in government systems, citing security risks.

Kaspersky has faced restrictions in multiple countries, with the US implementing a ban on its products in June 2024, followed by sanctions on several company executives. European nations, including Germany and the Netherlands, have also taken steps to limit the use of Kaspersky software in government infrastructure.

Google loses European court battle over Android Auto access

Europe’s top court has ruled that Google’s decision to block an Enel e-mobility app from Android Auto could be considered an abuse of market power. The judgment reinforces competition rules and may push major tech firms to allow easier access for rival apps.

The case stemmed from a €102 million fine imposed by Italy’s antitrust authority in 2021 for restricting access to Enel’s JuicePass app.

Google challenged the penalty, arguing security concerns and the absence of a specific app template. However, the Court of Justice of the European Union backed the Italian regulator, stating that dominant companies must ensure interoperability unless valid security risks exist.

The court clarified that companies should develop necessary templates within a reasonable timeframe.

Although Google has since introduced the requested feature, the ruling may set a precedent for similar cases. Legal experts see it as aligning with EU competition law, citing past decisions against IBM and Microsoft.

The ruling also supports the objectives of the Digital Markets Act, which aims to regulate dominant digital platforms.

The decision is final and unappealable, meaning the Italian Council of State must now rule on Google’s appeal in line with the court’s findings.

Italy demands 12.5 million euros from X over tax probe

Italy is demanding 12.5 million euros ($13 million) from Elon Musk’s social network X following a tax probe linked to a broader investigation into Meta. The case, which focuses on value-added tax (VAT) claims for the years 2016 to 2022, is significant as it raises questions about how social networks provide access to their services. Italian tax authorities argue that user registrations on platforms like X, Facebook, and Instagram should be considered taxable transactions, as they involve the exchange of personal data for a membership account.

This case could have major implications for the tech sector in Europe, potentially altering the way business models are structured in the 27-nation European Union, as VAT is a harmonised EU tax. Although the claim of 12.5 million euros is a small amount for X, the outcome of this case could influence future tax policies across the region. Both X and Meta must respond to the tax authority’s observations by late March or early April, with the option to either accept the charges or challenge them in court.

The investigation also comes at a sensitive time, as US President Donald Trump has criticised digital taxes in countries like Italy that target US tech firms. Musk, who has strong ties with Italian Prime Minister Giorgia Meloni, is also keen to expand his Starlink business in the country. If no agreement is reached, Italy’s Revenue Agency may pursue a lengthy judicial review, which could take up to 10 years to resolve.

Nvidia takes legal action against EU antitrust investigation

Nvidia has filed a lawsuit against the European Commission for accepting a referral from Italy to review its acquisition of AI startup Run:ai. The US chipmaker argues that the Commission violated a recent court ruling that restricts its powers over minor transactions. This case follows growing concerns over the Commission’s use of Article 22, which allows it to review smaller mergers that fall below EU merger thresholds, a move companies have criticised as overreach.

While the case will not affect the approval of the Run:ai deal, which was cleared in December, a ruling in favour of Nvidia could curb the European Commission’s ability to regulate similar transactions in the future. Nvidia argues that the decision breaches legal principles, including proportionality and equal treatment, and undermines legal certainty for businesses operating in the EU.

Indonesia and Apple close deal to end iPhone 16 ban

Indonesia and Apple have reportedly reached an agreement to lift the country’s ban on iPhone 16s, with a potential deal expected to be signed this week. The ban was imposed in October after Apple failed to meet the requirement that smartphones sold in Indonesia must include at least 35% locally-made parts.

As part of the agreement, Apple will invest $1 billion into a manufacturing plant in Indonesia, focused on producing components for smartphones and other products. Additionally, Apple will commit to training local workers in research and development, expanding beyond its existing Apple academies. However, Apple has no immediate plans to begin iPhone production in the country.

Neither Apple nor Indonesia’s Ministry for Industry has responded to requests for comment on the matter.

EU court sides with Italy in Google antitrust case

The European Court of Justice has backed Italy’s antitrust authority in a ruling against Google, stating that the tech giant’s refusal to allow Enel’s JuicePass app to work with its Android Auto platform could constitute an abuse of market power. This decision supports a 2021 fine of 102 million euros imposed by the Italian watchdog after Google blocked the e-mobility app. Google had argued that the refusal was due to security concerns and the absence of a specific template for compatibility, but the court disagreed, stating that dominant companies must ensure their platforms are interoperable with third-party apps unless doing so would harm security.

Although Google has since resolved the issue, the ruling sets a precedent for future cases involving platform dominance. The court acknowledged that companies could refuse interoperability if it compromises platform security, but if this is not the case, they must develop a compatible template in a reasonable timeframe. Google claimed the feature was only relevant to a small percentage of cars in Italy at the time, but the ruling now forces the company to comply with the antitrust decision. The case is final and cannot be appealed, and the Italian Council of State will follow the court’s guidance in its future ruling.

Musk’s X wins court motion to remove judge in German election data case

Elon Musk-owned social media platform X has succeeded in removing a judge from a German court case concerning demands for real-time election data.

The case, brought by activist groups Democracy Reporting International and the Society for Civil Rights, aimed to secure immediate access to data from the February 23 German election to monitor misinformation.

Although a Berlin court initially supported the activists’ request, X filed a motion arguing the judge had shown bias by interacting with the plaintiffs’ social media posts. The court approved the motion, though similar claims against two other judges were dismissed.

The ruling means that the activists will not receive the requested data within their critical timeframe. A hearing on the matter is set for February 27, but any ruling will come too late to influence their election monitoring efforts in Germany.

However, the decision could establish an important precedent for future transparency cases involving social media platforms. The activists had argued that while some election data is technically accessible, it is not realistically obtainable without direct access from X.

X has also announced plans to sue the German government over what it calls excessive user data requests, claiming these demands violate privacy and freedom of expression.

The German digital affairs ministry acknowledged X’s public statements but confirmed that no formal lawsuits had been filed yet. The escalating legal dispute highlights growing tensions between Musk and German authorities, particularly as the country prepares for key elections amid concerns over misinformation.