Snapchat introduces friends-only content sharing for users under 16

Snapchat has begun rolling out new content-sharing protections for users aged 13 to 15, limiting the visibility of their Stories and Spotlight videos to mutually accepted friends.

Under the new experience, younger teens will have a dedicated profile where they can create, save and showcase content, but it will not be visible to one-sided followers or the wider Snapchat community. Snap said users in this age group will no longer be able to post Spotlight content that is visible to non-friend audiences.

The company said the change is intended to create a more private sharing environment for younger teenagers. Snapchat users under 16 will also no longer have engagement metrics such as favourite counts.

Snap said users aged 16 to 17 will have an optional introduction to public sharing, with additional safeguards, limited distribution and parental visibility. Users aged 18 and over will continue to have full access to public profiles and broader distribution tools.

The update forms part of Snapchat’s wider teen safety approach, which includes stricter default privacy settings, limits on unwanted contact, moderated public content and parental tools through Family Center.

Why does it matter?

The update reflects a broader shift towards age-appropriate design and privacy-by-default settings for younger users. By limiting public distribution for users aged 13 to 15, Snapchat is reducing minors’ exposure to unknown audiences and public engagement metrics. The change is relevant to ongoing regulatory debates on children’s online safety, platform design, algorithmic distribution and the mental health effects of public social media engagement.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot!

ENISA finds Cyber Resilience Act driving SBOM adoption across industries

The European Union Agency for Cybersecurity (ENISA) has published a report on Software Bill of Materials (SBOM) adoption, finding that the Cyber Resilience Act (CRA) is accelerating investment in software supply chain transparency across organisations. The report, titled ‘SBOM Adoption State of Play – 2026’, analyses survey results gathered at the end of 2025.

The survey examined how organisations of different sizes and across multiple sectors are approaching SBOM adoption in response to the Cyber Resilience Act. ENISA said the regulation is transforming SBOMs from a voluntary software supply chain security practice into a mandatory requirement for products with digital elements placed on the EU market.

The report found that 78% of respondents had already begun implementing SBOMs, while 44% were in a pilot or limited deployment phase. ENISA also said 79% of organisations expect to reach the necessary SBOM maturity level by the time the Cyber Resilience Act becomes fully applicable in December 2027.

Organisations are investing in SBOM generation, automation, and integration into the software development lifecycle. Respondents cited benefits including risk reduction, cost avoidance, operational efficiency, regulatory compliance, contractual alignment and competitive advantage.

ENISA also identified barriers to the adoption of SBOMs at scale. Key challenges include achieving greater SBOM completeness, improving data quality, correlating vulnerabilities, obtaining SBOMs from suppliers and third parties, and developing the necessary internal expertise and staffing.

The report says further progress will depend on shared implementation practices, supplier transparency, workforce capabilities, and clearer integration of SBOMs into operational risk management. ENISA said organisations would also benefit from external support, including reference implementations, tool-selection guidance, conformance testing, standardised formats and clearer definitions of what constitutes a sufficiently complete SBOM.

Why does it matter?

Software supply chains have become a major cybersecurity concern as organisations increasingly rely on complex networks of open-source and third-party components. SBOMs provide visibility into the software components used within products, helping organisations identify vulnerabilities, assess risks and respond more effectively to security incidents.

The report highlights how the Cyber Resilience Act is driving a shift from voluntary software transparency practices to formal compliance requirements. The findings also illustrate that while adoption is progressing, organisations continue to face technical, organisational and supply-chain challenges that could influence the effectiveness of future software security efforts.


Ofcom confirms platform crisis protocols under UK Online Safety Act

UK communications regulator Ofcom has set out new crisis response measures aimed at helping online platforms respond when illegal content and content harmful to children spreads rapidly during emergencies.

The measures will be added to Ofcom’s Illegal Content Codes of Practice and Protection of Children Codes of Practice under the UK’s Online Safety Act. However, they must still complete the parliamentary process before taking effect.

Ofcom said ordinary content moderation systems may not be sufficient during exceptional events, such as public disorder, terrorist attacks, or other crises that lead to a sudden increase in harmful or illegal online activity. The regulator pointed to the violent riots that followed the 2024 Southport murders and the risk of terrorist attacks being livestreamed as examples of crises where online content can threaten public safety.

Under the measures, service providers should prepare and apply crisis protocols to manage significant increases in relevant illegal content or content harmful to children. Ofcom expects providers to deploy temporary response teams as soon as possible during a crisis, record key decisions and conduct post-crisis reviews to assess whether their response was effective.

Large platforms should also maintain dedicated communication channels for law enforcement agencies to share crisis-related information. Ofcom said the measures are intended to support faster and more coordinated public safety efforts during exceptional events.

The regulator consulted on crisis response protocols in 2025 and said further decisions on additional online safety measures are expected in autumn 2026.

Why does it matter?

The measures show how online safety regulation is moving from general content moderation duties towards operational crisis governance. In emergencies, platforms may face sudden spikes in illegal content, livestreamed harm or coordinated activity that ordinary moderation systems cannot manage quickly enough. Ofcom’s approach also formalises closer crisis-time coordination between large platforms and law enforcement, raising important questions about public safety, platform accountability, due process and safeguards under the UK Online Safety Act.


Google highlights rising online scam threats

Google has warned that online scams remain a major global challenge, citing estimates that fraud losses could reach nearly $580 billion in 2025.

In its latest fraud and scams advisory, the company said phishing attacks are becoming more sophisticated, with criminals using adversary-in-the-middle techniques and QR code phishing, also known as quishing, to steal credentials and bypass security measures.

The advisory also highlighted risks linked to cryptocurrency investment scams, malicious finance applications and police impersonation schemes. According to Google, scammers are using AI, social engineering and trusted digital services to deceive users, obtain money and collect sensitive information.

Google said its Trust & Safety teams are using AI tools, predictive analytics and policy enforcement to detect and disrupt fraudulent activity across its services. The company also pointed to measures such as stronger protections for session cookies, enforcement against deceptive crypto ads, monitoring of post-installation app behaviour and developer identity verification for apps installed on certified Android devices.

The company urged users to be cautious of unsolicited communications, unrealistic investment promises, unexpected QR codes and requests for personal or financial information.

Why does it matter?

The advisory shows how online fraud is becoming a cross-platform governance problem rather than a narrow cybersecurity issue. Scams now rely on trusted cloud services, mobile apps, messaging platforms, crypto infrastructure and impersonation of public authorities. That creates pressure on major technology companies to strengthen detection, app accountability and policy enforcement, while raising broader questions about consumer protection, platform responsibility and digital trust.


Ofcom warns platforms over online abuse ahead of FIFA World Cup 2026

Ofcom has urged online platforms to strengthen protections against illegal hate speech, abuse, threats and harassment ahead of the FIFA World Cup 2026. The UK regulator reminded technology companies that they have legal responsibilities under the Online Safety Act to reduce the risk of users encountering criminal content on their services.

The intervention follows concerns about abuse directed at players, coaches, officials and commentators during previous international tournaments. According to Ofcom, online attacks have frequently targeted individuals based on race, ethnicity, perceived sexual orientation and disability, causing significant personal and professional harm.

Under the UK’s Online Safety Act, platforms are required to operate effective reporting systems, maintain adequately resourced moderation teams and remove illegal content without undue delay. Ofcom stated that evidence of failures to meet these obligations during the tournament could be considered as part of its ongoing compliance assessments.

The regulator also highlighted a partnership established earlier this year with the UK Football Policing Unit, the Football Association, the Premier League, the English Football League, the Women’s Super League, the Professional Footballers’ Association and anti-discrimination organisation Kick It Out.

The initiative aims to strengthen information sharing and support preventative measures against online abuse targeting individuals across the football ecosystem.

Why does it matter?

Major sporting events often lead to spikes in online abuse, particularly against athletes, officials and other high-profile figures. The scale and visibility of these events can amplify harmful behaviour and place additional pressure on platforms to enforce their content moderation policies effectively.

Ofcom’s intervention highlights how online safety regulation is increasingly being tested during major public events. The regulator’s warning also signals that compliance with the Online Safety Act will be assessed not only through policies on paper but through how platforms respond to real-world surges in harmful content.


EY Malta expands AI in audit services

EY Malta has introduced enterprise-scale agentic AI across its Assurance services, integrating the technology into EY Canvas, the firm’s global audit platform.

The rollout forms part of EY’s wider global strategy to embed AI into audit workflows and support audit quality, risk assessment, and client insights.

EY said the AI-enabled framework helps auditors analyse large volumes of data, assess risks, and access updated auditing and accounting guidance in real time. The firm said the technology is designed to support, not replace, auditors, with professional judgement and human oversight remaining central to the audit process.

The system is integrated with Microsoft Azure, Microsoft Foundry, and Microsoft Fabric, reflecting EY’s broader global partnership with Microsoft on the secure and scalable deployment of AI.

EY said the rollout follows global testing and is part of its long-term investment in audit quality, technology, and workforce development. The firm added that further AI enhancements are planned over the coming years as audit teams use the tools across more stages of the audit process.

EY Malta also highlighted related assurance and advisory services linked to AI readiness, governance, and risk management. The firm said the technology would allow teams in Malta to focus more on risk and audit quality while reducing administrative work.

Why does it matter?

The rollout shows how agentic AI is moving into regulated professional services, including audit, where accuracy, accountability, and human judgement remain central. AI could help auditors analyse larger datasets and focus on higher-risk areas, but it also raises questions about oversight, explainability, skills, liability, and how regulators assess AI-supported audit work.


WhatsApp seeks contempt order against NSO over spyware targeting

WhatsApp has asked a US court to hold NSO Group in contempt, alleging that the spyware company violated a permanent injunction barring it from targeting WhatsApp and its users.

The company said it disrupted spear-phishing attempts linked to NSO after investigating user reports. According to WhatsApp, the activity involved malicious links that sought to redirect users to external websites outside the messaging platform.

WhatsApp also said it identified and removed test accounts and groups created on its service as part of the suspected NSO-linked activity. The company is sharing threat indicators to help users and researchers check whether targeting attempts may have occurred across WhatsApp, text messages, email, or other channels.

The latest filing follows WhatsApp’s earlier legal victory against NSO. The company said a court found that NSO violated federal and state anti-hacking laws and issued a permanent injunction barring NSO from targeting WhatsApp and its users.

WhatsApp described commercial spyware as a national security threat, arguing that surveillance-for-hire firms target not only messaging services but also browsers, operating systems, and other applications. The company said the targets reported for such tools include journalists, government officials, military personnel, and humanitarian organisations. It also warned against easing US restrictions on NSO, which remains on the US government’s Entity List.

WhatsApp said it is contributing to the Spyware Accountability Initiative, which supports organisations working on forensic research, user support, and advocacy against spyware.

Why does it matter?

The case shows how legal orders against spyware companies may still require active technical monitoring and enforcement. WhatsApp’s contempt request also keeps pressure on the commercial spyware industry, where surveillance tools can move across platforms, devices, browsers, and operating systems. The story matters for encrypted communications because it shows that protecting users depends not only on encryption, but also on legal accountability, threat intelligence, vulnerability research, and support for civil society targets.


UK’s IWF backs on-device nudity detection to protect children online

The Internet Watch Foundation (IWF) has welcomed a UK government proposal that would require technology companies to introduce on-device nudity detection and blocking features for internet-connected devices used by children. The charity argues that preventing explicit images from being created or shared could significantly reduce the circulation of child sexual abuse material online.

The proposal follows growing concern over the increasing volume of so-called ‘self-generated’ child sexual abuse material, in which children are manipulated or coerced into creating explicit content.

According to IWF data, 311,610 reports containing child sexual abuse material were actioned during 2025, the highest number recorded by the organisation. Of those reports, 266,397 contained at least one self-generated image or video, underscoring the scale of the issue.

According to the IWF, children are frequently groomed, manipulated or coerced into producing sexual images that are subsequently distributed online. During 2025, analysts assessed more than 111,000 criminal images and almost 29,000 videos involving self-generated abuse material. More than 25,000 of those files were classified as Category A, the most severe category under UK law.

While supporting device-level protections, the organisation emphasised that no single intervention can address the problem on its own. It argues that effective child protection requires a combination of device safeguards, platform responsibility, law enforcement action and broader online safety policies.

Why does it matter?

The proposal reflects a growing shift towards preventative online safety measures that seek to stop harmful content from being created and shared, rather than relying solely on detection and removal after distribution.

The debate also highlights increasing concern about self-generated child sexual abuse material, which has become one of the fastest-growing categories of online abuse. If implemented effectively, device-level safeguards could become an important component of broader child protection strategies that also include platform responsibility, education initiatives and law enforcement action.


EDPS debate to examine EU Omnibus data protection proposals

The European Data Protection Supervisor (EDPS), Germany’s Federal Commissioner for Data Protection and Freedom of Information, and the Bavarian Data Protection Commissioner will host a high-level debate on the European Commission’s Omnibus proposals. The event, titled ‘From Omnibus to Opportunity: Driving Data Protection and Innovation’, will take place in Brussels on 8 June.

The debate will examine the Omnibus proposals and their potential implications for the GDPR and the wider EU digital regulatory framework. The event is hosted by the Representation of the Free State of Bavaria to the European Union.

According to the EDPS, the proposals introduce targeted adjustments affecting elements of the EU digital acquis, including aspects of the GDPR and the AI Act. Their stated objective is to simplify compliance requirements and reduce administrative burdens while maintaining a high level of protection for fundamental rights.

Discussions will focus on legal certainty, regulatory coherence, preserving the GDPR’s level of protection, and identifying ways to strengthen fundamental rights, innovation and competitiveness across the EU.

Participants are expected to include representatives from the European Parliament, the Council of the European Union, the European Commission, data protection authorities, academia, civil society and the private sector.

Why does it matter?

The Omnibus proposals have become a focal point in wider debates about how the European Union can strengthen competitiveness and innovation while preserving high standards of data protection and fundamental rights.

The discussion highlights growing efforts to balance regulatory simplification with legal certainty and effective safeguards, particularly as the EU seeks to implement complex frameworks such as the GDPR and AI Act while supporting digital innovation and economic growth.


India targets dark patterns with fines for PhysicsWallah and McAfee

India’s Central Consumer Protection Authority has fined PhysicsWallah and McAfee Software India for using dark patterns that the regulator said misled consumers and influenced their choices on digital platforms.

PhysicsWallah was fined ₹5 lakh, while McAfee was fined ₹1 lakh. Both companies were directed to remove the practices from their platforms and ensure that users can make informed choices without pressure or manipulation.

The action was taken under the Consumer Protection Act 2019, the Consumer Protection (E-Commerce) Rules 2020, and the Guidelines for Prevention and Regulation of Dark Patterns 2023.

In the PhysicsWallah case, the regulator found that a ₹10 donation to the PW Foundation was automatically selected during checkout and added to the total payable amount without the consumer’s explicit consent. Users were also shown emotional messages related to children’s education, healthcare, and marriages that encouraged them to keep the donation selected.

The CCPA also found that courses advertised as free could only be accessed after users shared personal information such as a mobile number and email address. The regulator said the content remained the same across user accounts, indicating that mandatory data collection was not necessary to access the courses.

The authority identified basket sneaking, confirm shaming, and forced action in the PhysicsWallah case. It also said the practices raised serious consumer protection concerns because many users on the platform are students, including minors.

In the McAfee case, the CCPA found that users deciding whether to renew subscriptions were shown options such as ‘Renew Now’ and ‘Accept Risk’. The authority said the wording portrayed non-renewal as a risky decision and created pressure on consumers to continue their subscriptions.

The regulator identified confirmation shaming, interface interference, trick questions, and forced action in McAfee’s renewal process, saying consumers should be able to make subscription decisions freely and without fear-based messaging or misleading design.

The CCPA said the orders form part of its continued action against dark patterns in digital marketplaces. It reiterated that consumer consent must be explicit, informed, and free from manipulative design practices.

Why does it matter?

The penalties show that dark pattern rules in India are moving from guidance to enforcement. By targeting pre-selected donations, emotionally loaded opt-out messages, forced data sharing, and fear-based subscription renewal design, the CCPA is signalling that manipulative interface design can be treated as a consumer protection violation, not just a poor user experience.
