Privacy and data protection

Ofcom warns platforms over online abuse ahead of FIFA World Cup 2026

Ofcom has urged online platforms to strengthen protections against illegal hate speech, abuse, threats and harassment ahead of the FIFA World Cup 2026. The UK regulator reminded technology companies that they have legal responsibilities under the Online Safety Act to reduce the risk of users encountering criminal content on their services.

The intervention follows concerns about abuse directed at players, coaches, officials and commentators during previous international tournaments. According to Ofcom, online attacks have frequently targeted individuals based on race, ethnicity, perceived sexual orientation and disability, causing significant personal and professional harm.

Under the UK’s Online Safety Act, platforms are required to operate effective reporting systems, maintain adequately resourced moderation teams and remove illegal content without undue delay. Ofcom stated that evidence of failures to meet these obligations during the tournament could be considered as part of its ongoing compliance assessments.

The regulator also highlighted a partnership established earlier this year with the UK Football Policing Unit, the Football Association, the Premier League, the English Football League, the Women’s Super League, the Professional Footballers’ Association and anti-discrimination organisation Kick It Out.

The initiative aims to strengthen information sharing and support preventative measures against online abuse targeting individuals across the football ecosystem.

Why does it matter?

Major sporting events often lead to spikes in online abuse, particularly against athletes, officials and other high-profile figures. The scale and visibility of these events can amplify harmful behaviour and place additional pressure on platforms to enforce their content moderation policies effectively.

Ofcom’s intervention highlights how online safety regulation is increasingly being tested during major public events. The regulator’s warning also signals that compliance with the Online Safety Act will be assessed not only through policies on paper but through how platforms respond to real-world surges in harmful content.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

EY Malta expands AI in audit services

EY Malta has introduced enterprise-scale agentic AI across its Assurance services, integrating the technology into EY Canvas, the firm’s global audit platform.

The rollout forms part of EY’s wider global strategy to embed AI into audit workflows and support audit quality, risk assessment, and client insights.

EY said the AI-enabled framework helps auditors analyse large volumes of data, assess risks, and access updated auditing and accounting guidance in real time. The firm said the technology is designed to support, not replace, auditors, with professional judgement and human oversight remaining central to the audit process.

The system is integrated with Microsoft Azure, Microsoft Foundry, and Microsoft Fabric, reflecting EY’s broader global partnership with Microsoft on the secure and scalable deployment of AI.

EY said the rollout follows global testing and is part of its long-term investment in audit quality, technology, and workforce development. The firm added that further AI enhancements are planned over the coming years as audit teams use the tools across more stages of the audit process.

EY Malta also highlighted related assurance and advisory services linked to AI readiness, governance, and risk management. The firm said the technology would allow teams in Malta to focus more on risk and audit quality while reducing administrative work.

Why does it matter?

The rollout shows how agentic AI is moving into regulated professional services, including audit, where accuracy, accountability, and human judgement remain central. AI could help auditors analyse larger datasets and focus on higher-risk areas. Still, it also raises questions about oversight, explainability, skills, liability, and how regulators assess AI-supported audit work.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

WhatsApp seeks contempt order against NSO over spyware targeting

WhatsApp has asked a US court to hold NSO Group in contempt, alleging that the spyware company violated a permanent injunction barring it from targeting WhatsApp and its users.

The company said it disrupted spear-phishing attempts linked to NSO after investigating user reports. According to WhatsApp, the activity involved malicious links that sought to redirect users to external websites outside the messaging platform.

WhatsApp also said it identified and removed test accounts and groups created on its service as part of the suspected NSO-linked activity. The company is sharing threat indicators to help users and researchers check whether targeting attempts may have occurred across WhatsApp, text messages, email, or other channels.

The latest filing follows WhatsApp’s earlier legal victory against NSO. The company said a court found that NSO violated federal and state anti-hacking laws and issued a permanent injunction barring NSO from targeting WhatsApp and its users.

WhatsApp described commercial spyware as a national security threat, arguing that surveillance-for-hire firms target not only messaging services but also browsers, operating systems, and other applications.
The company said the targets reported for such tools include journalists, government officials, military personnel, and humanitarian organisations. It also warned against easing US restrictions on NSO, which remains on the US government’s Entity List.

WhatsApp said it is contributing to the Spyware Accountability Initiative, which supports organisations working on forensic research, user support, and advocacy against spyware.

Why does it matter?

The case shows how legal orders against spyware companies may still require active technical monitoring and enforcement. WhatsApp’s contempt request also keeps pressure on the commercial spyware industry, where surveillance tools can move across platforms, devices, browsers, and operating systems. The story matters for encrypted communications because it shows that protecting users depends not only on encryption, but also on legal accountability, threat intelligence, vulnerability research, and support for civil society targets.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!  

UK’s IWF backs on-device nudity detection to protect children online

The Internet Watch Foundation (IWF) has welcomed a UK government proposal that would require technology companies to introduce on-device nudity detection and blocking features for children’s internet-connected devices used by children. The charity argues that preventing explicit images from being created or shared could significantly reduce the circulation of child sexual abuse material online.

The proposal follows growing concern over the increasing volume of so-called ‘self-generated’ child sexual abuse material, in which children are manipulated or coerced into creating explicit content.

According to IWF data, 311,610 reports containing child sexual abuse material were actioned during 2025, the highest number recorded by the organisation. Of those reports, 266,397 contained at least one self-generated image or video, underscoring the scale of the issue.

According to the IWF, children are frequently groomed, manipulated or coerced into producing sexual images that are subsequently distributed online. During 2025, analysts assessed more than 111,000 criminal images and almost 29,000 videos involving self-generated abuse material. More than 25,000 of those files were classified as Category A, the most severe category under UK law.

While supporting device-level protections, the organisation emphasised that no single intervention can address the problem on its own. It argues that effective child protection requires a combination of device safeguards, platform responsibility, law enforcement action and broader online safety policies.

Why does it matter?

The proposal reflects a growing shift towards preventative online safety measures that seek to stop harmful content from being created and shared, rather than relying solely on detection and removal after distribution.

The debate also highlights increasing concern about self-generated child sexual abuse material, which has become one of the fastest-growing categories of online abuse. If implemented effectively, device-level safeguards could become an important component of broader child protection strategies that also include platform responsibility, education initiatives and law enforcement action.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

EDPS debate to examine EU Omnibus data protection proposals

The European Data Protection Supervisor (EDPS), Germany’s Federal Commissioner for Data Protection and Freedom of Information, and the Bavarian Data Protection Commissioner will host a high-level debate on the European Commission’s Omnibus proposals. The event, titled ‘From Omnibus to Opportunity: Driving Data Protection and Innovation’, will take place in Brussels on 8 June.

The debate will examine the Omnibus proposals and their potential implications for the GDPR and the wider EU digital regulatory framework. The event is hosted by the Representation of the Free State of Bavaria to the European Union.

According to the EDPS, the proposals introduce targeted adjustments affecting elements of the EU digital acquis, including aspects of the GDPR and the AI Act. Their stated objective is to simplify compliance requirements and reduce administrative burdens while maintaining a high level of protection for fundamental rights.

Discussions will focus on legal certainty, regulatory coherence, preserving the GDPR’s level of protection, and identifying ways to strengthen fundamental rights, innovation and competitiveness across the EU.

Participants are expected to include representatives from the European Parliament, the Council of the European Union, the European Commission, data protection authorities, academia, civil society and the private sector.

Why does it matter?

The Omnibus proposals have become a focal point in wider debates about how the European Union can strengthen competitiveness and innovation while preserving high standards of data protection and fundamental rights.

The discussion highlights growing efforts to balance regulatory simplification with legal certainty and effective safeguards, particularly as the EU seeks to implement complex frameworks such as the GDPR and AI Act while supporting digital innovation and economic growth.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

India targets dark patterns with fines for PhysicsWallah and McAfee

India’s Central Consumer Protection Authority has fined PhysicsWallah and McAfee Software India for using dark patterns that the regulator said misled consumers and influenced their choices on digital platforms.

PhysicsWallah was fined ₹5 lakh, while McAfee was fined ₹1 lakh. Both companies were directed to remove the practices from their platforms and ensure that users can make informed choices without pressure or manipulation.

The action was taken under the Consumer Protection Act 2019, the Consumer Protection (E-Commerce) Rules 2020, and the Guidelines for Prevention and Regulation of Dark Patterns 2023.

In the PhysicsWallah case, the regulator found that a ₹10 donation to the PW Foundation was automatically selected during checkout and added to the total payable amount without the consumer’s explicit consent. Users were also shown emotional messages related to children’s education, healthcare, and marriages that encouraged them to keep the donation selected.

The CCPA also found that courses advertised as free could only be accessed after users shared personal information such as a mobile number and email address. The regulator said the content remained the same across user accounts, indicating that mandatory data collection was not necessary to access the courses.

The authority identified basket sneaking, confirm shaming, and forced action in the PhysicsWallah case. It also said the practices raised serious consumer protection concerns because many users on the platform are students, including minors.

In the McAfee case, the CCPA found that users deciding whether to renew subscriptions were shown options such as ‘Renew Now’ and ‘Accept Risk’. The authority said the wording portrayed non-renewal as a risky decision and created pressure on consumers to continue their subscriptions.

The regulator identified confirmation shaming, interface interference, trick questions, and forced action in McAfee’s renewal process, saying consumers should be able to make subscription decisions freely and without fear-based messaging or misleading design.

The CCPA said the orders form part of its continued action against dark patterns in digital marketplaces. It reiterated that consumer consent must be explicit, informed, and free from manipulative design practices.

Why does it matter?

The penalties show that dark pattern rules in India are moving from guidance to enforcement. By targeting pre-selected donations, emotionally loaded opt-out messages, forced data sharing, and fear-based subscription renewal design, the CCPA is signalling that manipulative interface design can be treated as a consumer protection violation, not just a poor user experience.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot

Australia’s regulator warns of growing AI-powered sextortion threat

Australia’s eSafety Commissioner has launched a public awareness campaign warning that criminals are increasingly using AI and other digital tools in sextortion scams.

The initiative, titled ‘If sextortionists were honest’, uses generative AI to expose deceptive tactics used by online criminals targeting victims through dating apps and social media platforms.

According to eSafety, more than 3,300 reports of sexual extortion were received through its image-based abuse scheme in 2025. Eighty-six percent of reports came from males of all ages, while 42% of all sextortion reports involved males aged 18 to 24.

eSafety Commissioner Julie Inman Grant said offenders are already weaponising face-swapping and voice-cloning technologies, while using generative AI to create fake but convincing online characters and improve scam scripts that previously contained warning signs such as poor grammar or inconsistent messaging.

Reports made to eSafety show that first contact frequently occurs on platforms such as Tinder, Instagram, and Grindr, before conversations are moved to WhatsApp, Telegram, or other messaging apps. Offenders may then search victims’ social media accounts to identify family members and friends they can threaten to contact.

The regulator said overseas offenders often try to appear local and legitimate, including by spoofing Australian phone numbers, using intimate images taken from other victims, or using bank accounts belonging to previous victims to receive and move payments.

eSafety said the safest response is to stop contact, report the account to the platform, block the offender, preserve evidence where possible, and seek support rather than paying. The regulator also called on platforms to take proactive Safety by Design steps, including better language analysis, classifier-based detection, accessible reporting and blocking tools, swift removal pathways for image-based abuse, and cross-platform signal sharing.

Why does it matter?

The campaign shows how generative AI is making online coercion and scams harder to detect. Sextortion is no longer only a problem of fake accounts and blackmail messages: offenders can now use AI-generated personas, improved scripts, voice cloning, and deepfake-style techniques to build trust and pressure victims more effectively. That raises the importance of platform-level detection, user reporting tools, digital literacy, and victim support.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

UK Ofcom sets out AI safety and innovation strategy

Ofcom has outlined its approach to enabling safe and secure AI adoption across the UK communications sectors it regulates and within its own work.

The regulator said its approach is technology-neutral and outcomes-based, aligning AI oversight with its wider mission of making communications work for everyone while supporting innovation and growth.

Ofcom’s report uses case studies to show how AI is already shaping regulatory work and the sectors it oversees. Planned and recent initiatives include building a pilot data lake to make spectrum licensing and online safety data more accessible, engaging with innovators to identify regulatory uncertainty, and assessing public trust in AI chatbots.

The regulator is also examining the impact of AI on telecoms customer experience, exploring AI deployment in broadcasting, assessing AI use in cybersecurity for telecommunications networks, and considering how AI could support network management and optimisation.

Alongside innovation support, Ofcom said it is monitoring AI-related risks and emerging harms. Its work includes guidance on technology-led mitigation against deepfakes, research into chatbot-related harms, and action to address risks posed by AI systems to users.

Ofcom said it coordinated with the AI Security Institute and the National Cyber Security Centre to brief stakeholders on the frontier AI cybersecurity implications following Anthropic’s preview of Claude Mythos, which caused concern. It also said it launched a formal investigation into X’s Grok chatbot.

The regulator is also piloting responsible AI use internally, including tools to support policy development, research, consultation processes, tracking of technical standards, and operational efficiency. Ofcom said it will take a safety-first approach and roll out internal AI tools only once it is confident they are safe and secure.

Why does it matter?

Ofcom’s approach shows how AI governance is becoming operational inside sector regulators, not only debated at the government level. The strategy links innovation support with risk monitoring across online safety, telecoms, broadcasting, cybersecurity, spectrum management, and consumer protection. It also shows regulators experimenting with AI in their own workflows while trying to maintain safety, accountability, and public trust.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our chatbot!  

Tech firms and law enforcement disrupt Southeast Asia scam networks

A major international operation involving Meta, Microsoft, Coinbase, Starlink, and law enforcement agencies from several countries has disrupted large-scale criminal scam networks operating across Southeast Asia.

The coordinated effort combined digital intelligence, financial investigations, platform enforcement, and real-world law enforcement action to target organised groups responsible for online fraud, investment scams, and other cyber-enabled crimes.

According to Meta, the operation removed more than 1.4 million fraudulent accounts, pages, and groups across Facebook and Instagram. Microsoft suspended around 20,000 malicious accounts linked to scam activity, while Coinbase froze more than $3 million in cryptocurrency assets associated with criminal operations.

Starlink also shut down thousands of internet terminals allegedly used by fraud operations, while law enforcement authorities arrested 63 individuals linked to scam centres.

The initiative brought together the US Department of Justice, the FBI, the US Secret Service, the Royal Thai Police, and law enforcement agencies from the UK, Australia, Canada and New Zealand.

Meta said intelligence sharing between technology companies and law enforcement helped identify additional scam locations and uncover previously unknown criminal networks operating across multiple jurisdictions.

Why does it matter?

The operation shows how online scam networks now rely on a full digital stack: social media accounts, messaging, cryptocurrency payments, connectivity infrastructure, and cross-border money movement. Disrupting these networks increasingly requires coordination between platforms, financial services, internet providers, and law enforcement. The case also highlights the link between digital fraud and physical scam compounds in Southeast Asia, where cybercrime operations often operate across multiple jurisdictions.

Would you like to learn more about AI, tech and digital diplomacyIf so, ask our Diplo chatbot!

New Zealand’s NCSC warns frontier AI could amplify cybersecurity risks

New Zealand’s National Cyber Security Centre (NCSC) has issued guidance to help government agencies prepare for the cybersecurity implications of frontier AI systems. The advisory notes that frontier AI models may enable more advanced automation, reasoning and decision-making capabilities than previous generations of AI systems.

The guidance describes frontier AI as a dual-use technology, noting that the same capabilities that enhance cyber defence could also enable malicious actors to conduct cyber operations more quickly, at lower cost and on a larger scale. The NCSC warns that frontier AI could amplify risks associated with known vulnerabilities, legacy systems and poor cyber hygiene, creating what it describes as a ‘vulnerability storm’ for organisations.

According to the NCSC, organisations do not need access to the most advanced frontier AI models to strengthen their cyber resilience. Instead, it says effective readiness depends on existing cybersecurity mitigations and practices, including the New Zealand Information Security Manual, the NCSC Cyber Security Framework, Minimum Cyber Security Standards, and Protective Security Requirements.

The advisory urges government entities to treat several actions as immediate priorities, including reviewing compliance with existing standards, confirming executive accountability for frontier AI cyber risk, reviewing NCSC guidance, and identifying material gaps that AI-enabled threat actors could exploit.

The guidance also restates the NCSC Cyber Security Framework’s five functions: guide and govern, identify and understand, prevent and protect, detect and contain, and respond and recover. The advisory highlights a range of baseline cybersecurity measures, including risk management, security awareness, secure configuration, patch management, multi-factor authentication, least-privilege access controls, anomaly detection, data recovery and incident response planning.

Why does it matter?

Frontier AI is expected to increase the speed, scale and sophistication of cyber operations, potentially allowing attackers to identify vulnerabilities, automate exploitation and conduct campaigns more efficiently than before.

Rather than relying solely on new AI-specific defences, New Zealand’s guidance emphasises that strong cybersecurity fundamentals, including patching, access controls, monitoring and incident response, remain the most effective way to reduce risk. The advisory reflects a growing international view that AI is amplifying existing cyber challenges rather than replacing them with entirely new ones.

Would you like to learn more about AI, tech, and digital diplomacy? If so, ask our Diplo chatbot!

Diplo chatbot can make mistakes. Consider checking important information.