Privacy and data protection

Estonia proposes world-first digital IDs for AI agents

Estonia is moving forward with plans to create official digital identities for AI agents, a move that could make it the first country to establish a formal framework for AI systems acting on behalf of individuals and organisations. The proposal received backing from Prime Minister Kristen Michal following discussions within the Eesti.ai advisory board.

Under the proposed framework, AI agents would be granted limited and clearly defined permissions, enabling them to perform specific tasks such as preparing documents, handling administrative procedures and accessing designated information. Authorities say the framework would ensure that every action remains traceable, auditable and subject to clear human accountability.

Officials argue that digital identities for AI could prevent users from granting excessive access to personal data and services while supporting the growing use of AI across the economy. The initiative builds on Estonia’s long-established digital infrastructure, including digital identities, electronic signatures and secure data-sharing systems.

Alongside the AI identity project, Estonia is exploring a new testing environment for air and water drones in the Baltic Sea region and expanding programmes designed to improve AI literacy. Authorities are also working to strengthen Estonian-language AI models and support organisations in making informed decisions about AI adoption and deployment.

Why does it matter?

As AI agents become increasingly capable of performing administrative, professional and transactional tasks, questions about identity, authorisation and accountability are becoming central governance challenges. Estonia’s proposal seeks to create a formal mechanism for defining what an AI agent is allowed to do, who authorised those actions and who remains responsible for the outcomes.

The initiative also represents a potentially significant evolution of digital identity systems. If successful, Estonia could provide an early model for integrating AI agents into public services and the wider digital economy while preserving transparency, security and trust. The framework may influence future debates on AI governance, digital public infrastructure and the legal status of increasingly autonomous AI systems in other jurisdictions.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!

Five Eyes agencies urge action on AI cyber risk

Five Eyes cybersecurity agencies have urged business and technology leaders to act quickly as AI transforms the cyber landscape.

In a joint statement issued on 22 June, the leaders of the Five Eyes cybersecurity agencies said AI is already changing both offensive and defensive cyber capabilities. They said AI can strengthen cyber defence capabilities, but it is also increasing the speed, scale and sophistication of cyber threats.

The agencies said frontier AI models could surpass current industry expectations and fundamentally reshape cyber capabilities within months rather than years. They warned that AI is lowering barriers for malicious actors and shrinking the time between vulnerability discovery and exploitation.

The statement was signed by cybersecurity leaders from Australia, Canada, New Zealand, the United Kingdom, and the United States. Signatories included the heads of the Australian Cyber Security Centre, the Canadian Centre for Cyber Security, New Zealand’s National Cyber Security Centre, the UK’s National Cyber Security Centre, the US Cybersecurity and Infrastructure Security Agency, and the US National Security Agency’s Cyber Security Directorate.

The agencies said cyber resilience should be treated as a strategic business risk and leadership responsibility rather than solely a technical concern. Boards and executives should ensure that cyber controls are in place and can operate effectively under pressure during real incidents.

The statement urged leaders to assess organisational risk, preparedness and accountability while ensuring cybersecurity remains integrated into broader business decision-making. It also called on organisations to prioritise foundational cybersecurity practices, give cyber leaders sufficient authority and resources, and remain engaged as threats and guidance evolve.

The agencies said secure-by-design and secure-by-default must become standard practice rather than an aspiration. They also said resilience cannot depend on a single technology, making defence in depth essential as AI systems evolve.

The statement warned that new, previously unknown vulnerabilities, including zero-day exploits, will continue to emerge. It said breaches will occur, but preparedness can help organisations contain them quickly and prevent escalation into major operational and financial crises.

The Five Eyes agencies recommended five practical actions for leaders. Organisations should reduce their attack surface by limiting unnecessary access and external connectivity, and should question whether systems need to be exposed at all.

They should also accelerate patching processes because AI is shortening the time between vulnerability discovery and exploitation. Delays in patching can increase risk, especially for operational systems with long update cycles.

The statement also urged organisations to address legacy systems, describing unsupported systems as strategic liabilities rather than only technical debt. Leaders were also told to review and strengthen identity and access controls, enforce strong authentication, and regularly review permissions.

Incident preparation was another priority. The agencies said organisations should test response plans, train teams, and assume breaches will happen, with a focus on fast containment and recovery.

The agencies also encouraged organisations to deploy AI as a defensive tool, using it to identify vulnerabilities, strengthen monitoring and accelerate incident response. Organisations that integrate AI tools into security operations can detect vulnerabilities earlier, improve software quality, monitor unusual behaviour and respond faster to incidents.

The statement said success will not come from having the most tools. Instead, it said organisations should focus on getting the basics right, acting quickly and integrating cyber security into core business strategy.

The Five Eyes agencies said leaders who act now will reduce exposure, strengthen resilience, and build confidence with customers, partners, and investors. Those who delay, they said, will face growing, avoidable risks.

Why does it matter?

The statement reflects growing concern among major cybersecurity agencies that AI is changing the balance between attackers and defenders. By accelerating vulnerability discovery, automating reconnaissance and lowering technical barriers for malicious actors, AI could significantly reduce the time organisations have to identify, patch and mitigate emerging threats.

The warning also signals a broader shift in cybersecurity governance. Rather than treating cyber risk as a technical issue delegated to IT departments, governments increasingly expect boards and senior executives to view cyber resilience as a core organisational responsibility. As AI capabilities advance, secure-by-design systems, rapid patch management, strong identity controls and tested incident response plans are becoming central elements of national and corporate cyber resilience strategies.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

EU agrees tougher child protection rules against AI-generated abuse

The agreement between the European Parliament and the Council updates legislation first adopted in 2011, reflecting the growing role of digital technologies and AI in facilitating abuse.

Under the revised directive, designing, adapting or distributing AI systems intended to generate child sexual abuse material would become a criminal offence. The updated rules would also cover deepfake abuse material, livestreamed child sexual abuse, sexual extortion, and the possession or distribution of instructions on how to commit such crimes.

The agreement also strengthens rules on consent. It clarifies that consent must be given voluntarily, cannot be inferred from silence, lack of resistance or a previous relationship, and can be withdrawn at any time.

Grooming offences would be expanded to cover situations involving coercion, threats or deception, including cases where offenders falsely present themselves as peers of the child.

Victim protection would also be strengthened through access to healthcare, legal aid, helplines, accommodation support and compensation mechanisms. The agreement also extends limitation periods, recognising that many victims need years or decades before reporting abuse.

The revised directive still requires formal adoption by the European Parliament and the Council before entering into force.

Why does it matter?

The agreement shows how EU criminal law is being adapted to AI-enabled and online forms of child sexual abuse. Criminalising AI systems designed to generate abusive material is especially significant because it targets not only harmful content but also the tools used to produce it. The revised directive also strengthens victim support and prosecution timelines, addressing the reality that many survivors report abuse years after it occurred.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!  

IWF challenges misconceptions about child abuse detection technologies

The Internet Watch Foundation (IWF) has published a new analysis aimed at countering what it describes as persistent misconceptions about technologies used to detect child sexual abuse material (CSAM) online.

According to the organisation, public discussions increasingly focus on privacy and surveillance concerns while overlooking the role these technologies play in identifying and removing illegal content at scale.

The article argues that detection tools are not experimental technologies but rather adaptations of established cybersecurity methods already used throughout the digital ecosystem.

The IWF highlights hash matching technologies, which compare the mathematical signatures of files against databases of known illegal content, as a long-established and widely used approach to content detection.

The IWF stresses that these systems do not involve mass surveillance and do not require access to the contents of private communications.

The organisation also points to perceptual hashing technologies such as PhotoDNA, which can identify known abuse images even when files have been modified or resized. Similar approaches are commonly used in cybersecurity for malware detection, phishing prevention and file verification.

According to the IWF, the principles behind child protection technologies are therefore consistent with existing online security practices.

The article further argues that no single technology can effectively address the challenge of child sexual abuse material online. Instead, platforms require multiple layers of protection, including known-content detection, identification of previously unknown material, behavioural analysis, reporting mechanisms and human moderation.

The IWF warns that limiting detection capabilities would reduce the ability of platforms and law enforcement authorities to identify abuse and protect victims.

Why does it matter?

The publication contributes to an increasingly important policy debate over how to balance privacy, encryption and child protection online. As governments consider new online safety laws and content moderation requirements, questions about whether detection technologies constitute surveillance have become central to discussions involving regulators, technology companies and civil society groups.

The IWF’s intervention also highlights a broader governance challenge. While privacy advocates warn against measures that could weaken encryption or expand monitoring, child protection organisations argue that effective detection capabilities remain essential for identifying abuse, removing illegal content and supporting law enforcement investigations. The outcome of these debates could shape future approaches to online safety, platform accountability and digital rights worldwide.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

US sets post-quantum cryptography deadlines for federal systems

US President Donald Trump has signed an executive order setting deadlines for federal agencies to migrate high-priority systems to post-quantum cryptography.

Executive Order 14409 says large-scale quantum computers could threaten widely used cryptographic systems and create risks for sensitive government data, critical infrastructure and the digital economy. It also highlights ‘harvest now, decrypt later’ attacks, where adversaries collect encrypted information today and decrypt it once quantum capabilities become available.

The order makes it US policy to transition federal information systems to National Institute of Standards and Technology-approved Federal Information Processing Standards for post-quantum cryptography. It also directs the federal government to assist critical infrastructure owners and operators with their own migration planning.

Within 30 days, each federal agency must name a post-quantum cryptography migration lead responsible for cryptographic inventories, migration planning and cross-agency coordination.

The Office of Management and Budget must issue guidance within 90 days requiring agencies to review inventories of high-value assets and high-impact systems (excluding National Security Systems) and submit migration plans.

Federal high-value assets and high-impact systems must transition to post-quantum cryptography for key establishment by 31 December 2030 and for digital signatures by 31 December 2031.

The order also directs CISA, in coordination with NIST, to publish public guidance within 270 days on minimum elements for a cryptographic bill of materials, supporting automated assessment of cryptographic assets in hardware and software.

Procurement rules are also expected to change. The Federal Acquisition Regulatory Council must propose requirements for covered contractors to comply with NIST cryptographic standards, including applicable post-quantum standards, by 31 December 2030.

Why does it matter?

The order gives the US post-quantum transition concrete deadlines and turns cryptographic migration into an operational, procurement and critical infrastructure issue. Quantum-capable attacks remain a future risk, but encrypted data can be stolen now and decrypted later. By requiring inventories, migration leads, contractor obligations and cryptographic bills of materials, the EO pushes agencies and suppliers to understand where vulnerable cryptography is used before quantum threats become practical.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Oxford researchers develop AI tool to map hidden effects of high blood pressure

Researchers led by the University of Oxford have developed an AI tool called ‘HyperScore’ that could help doctors better understand how high blood pressure affects different organs and individuals in different ways. The approach could support more personalised treatment strategies in the future.

Using the AI tool, researchers identified six distinct patterns of hypertension-related disease by analysing hundreds of measurements, including cardiac imaging, brain MRI scans, blood tests and assessments of the kidneys, liver and vascular system.

The study found that individuals with higher HyperScores faced a greater risk of future cardiovascular events, even when conventional blood pressure measurements did not fully capture that risk. Changes detected through brain MRI imaging emerged as some of the strongest indicators of hypertension-related organ damage.

The researchers analysed data from more than 27,000 participants in the UK Biobank and validated their findings in an additional cohort of more than 5,500 individuals in the US. The researchers cautioned that the approach remains at an early stage and is not yet ready for routine clinical use in the UK.

Why does it matter?

High blood pressure is one of the world’s leading risk factors for heart disease, stroke and other chronic conditions, yet patients with similar blood pressure readings can experience very different health outcomes. The study suggests that AI may help identify hidden patterns of organ damage that are not captured by conventional measurements, potentially enabling more accurate risk assessment and personalised treatment strategies.

The research also highlights the growing role of AI in precision medicine. By combining imaging, laboratory data and clinical information, AI systems may help clinicians move beyond one-size-fits-all approaches to disease management. Although HyperScore remains at an early research stage, the findings demonstrate how AI could support earlier intervention and more targeted care for patients with complex cardiovascular risks.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

Spain reports higher removal of online hate speech content

Spain’s Observatory on Racism and Xenophobia identified 31,003 pieces of hate speech and discriminatory content on social media in May 2026, according to its monthly monitoring report.

The Observatory, known as OBERAXE, said digital platforms removed 65% of notified content, up from 56% in April. TikTok, X and Instagram recorded the highest removal rates, while the Trusted Flagger route continued to perform better than ordinary user reporting.

Trusted Flagger notifications accounted for 53% of removed content, compared with 48% in April. Content reported through ordinary user channels reached a removal rate of 12%, up from 8% the previous month.

The report found that 73% of detected content presented targeted groups as a threat, while dehumanising and severely degrading messages increased sharply compared with April. It also recorded frequent use of aggressive language and growing reliance on images, videos, memes and coded expressions.

People from North Africa remained the main target of online hate speech, followed by African and Afro-descendant people and Roma people. Narratives linked to citizen insecurity accounted for the largest share of detected content, followed by content related to social benefits and access to public resources.

OBERAXE said continued cooperation with digital platforms is essential to improve detection, removal procedures and policies aimed at combating discrimination online.

Why does it matter?

The report shows how hate speech monitoring is becoming part of platform governance and anti-discrimination policy. Spain’s data suggest that trusted reporting channels can improve removal rates, but the scale and persistence of hostile narratives show the limits of reactive moderation. The findings also raise wider questions about transparency, platform accountability and how governments can address online hate while protecting freedom of expression.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

Cybercriminals exploit World Cup hype with phishing schemes

Cybercriminals are exploiting World Cup interest through fake streaming platforms, phishing campaigns, counterfeit online stores and betting-related scams, according to Kaspersky researchers.

The security company said it had identified more than 336 fake websites designed to imitate official World Cup pages. Many scams target fans looking for cheaper tickets, free match streams or tournament merchandise.

Some fake streaming sites ask users to register and pay for access to matches, sometimes using cryptocurrency. Others collect personal data that can later be used in further phishing attacks.

Kaspersky also identified counterfeit merchandise shops, fraudulent betting schemes and phishing emails promoting fake offers or paid predictions. Some scams rely on urgency, limited-time claims and professional-looking websites to pressure users into sharing payment or personal information.

The company warned that AI-generated websites and more polished scam designs are making fraudulent pages harder to distinguish from legitimate services during high-demand events.

Kaspersky advised fans to use official sources, check website addresses carefully and avoid offers that promise free access, unrealistic discounts or guaranteed betting results.

Why does it matter?

Major sporting events create ideal conditions for online fraud because demand, urgency and emotion are all high. World Cup scams show how criminals combine phishing, fake e-commerce, streaming fraud and social engineering to steal money and personal data. The use of polished or AI-generated websites also reflects a wider challenge for consumer protection: scams are becoming easier to create at scale and harder for users to recognise.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!

Ofcom fines adult site over age check failures

Ofcom has imposed an £80,000 fine on pornography provider First Time Videos LLC after finding that the company failed to implement legally required age assurance measures under the Online Safety Act.

The regulator concluded that the provider failed to implement the ‘highly effective’ age assurance measures required to prevent children from accessing pornographic content. According to Ofcom, robust age assurance measures are a central requirement of the UK’s online safety framework and play a key role in protecting minors online.

Alongside the enforcement action, Ofcom announced its provisional view that xgroovy.com may also have failed to comply with age assurance obligations under the legislation. The regulator further expanded an existing investigation into Sun Social Media Inc. to cover an additional adult website operated by the company.

Ofcom said the penalty was determined with regard to the size and turnover of the service, ensuring that the sanction remained proportionate while reinforcing compliance expectations across the sector.

Why does it matter?

The decision marks an important milestone in the implementation of the UK’s Online Safety Act, demonstrating that age assurance requirements are moving beyond policy commitments into active regulatory enforcement. By imposing financial penalties on non-compliant providers, Ofcom is signalling that online platforms hosting adult content will be expected to adopt effective measures to prevent children’s access.

The case also reflects a broader international trend towards stronger child online safety regulation. Governments and regulators increasingly view age assurance technologies as a key tool for protecting minors in digital environments, while balancing concerns around privacy, proportionality and implementation. Future enforcement actions could shape how platforms design and deploy age verification systems both in the UK and beyond.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

Apple expands app distribution options in Brazil

Apple will introduce changes to iOS in Brazil following an agreement with the country’s competition regulator, Conselho Administrativo de Defesa Econômica.

The changes, beginning with iOS 26.5, will give developers new options to distribute apps through alternative app marketplaces, operate those marketplaces and process payments for digital goods and services outside Apple’s In-App Purchase system.

Apple said the changes reflect a recent agreement with CADE and are intended to create new options for developers in Brazil. The agreement follows competition scrutiny of Apple’s App Store rules in the country.

The company warned that alternative app distribution and payment options may create new risks, including malware, fraud, scams and privacy and security concerns. It said it has worked with CADE on measures designed to reduce those risks, including app notarisation, marketplace authorisation and protections for children.

Apple also said all current members of the Apple Developer Program must agree to updated licence terms by 6 July 2026 to access the new options in Brazil. The company has made online appointments available for developers seeking more information.

Why does it matter?

The changes show how competition enforcement is reshaping closed app ecosystems beyond the EU. Brazil’s intervention adds pressure on Apple to allow alternative distribution and payment models while preserving security and privacy safeguards. The case also highlights a recurring policy tension: regulators want more competition and developer choice, while Apple argues that opening iOS can increase risks for users.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

Diplo chatbot can make mistakes. Consider checking important information.