Our weekly picks of digital trust-related articles

This article is interesting because it highlights the opportunities and challenges of personal data ownership. Although tools such as dWallet claim to empower users, they can encourage the poorest and least educated people to sell their data without understanding the risks, thereby widening the digital divide. True data empowerment means that everyone must have the knowledge and resources to make informed choices about privacy, not just the privileged few.

I was intrigued by this article, as it highlights how war impacts a country’s digital assets - something that is very relevant, yet little discussed, in today's digitalized world.

This article underscores that neither digital policies nor technologies can be discussed in isolation. Using Indonesia as an example, it lays out how the country’s laws and regulations on internet content are actually implemented by the ISPs and examines how the combination of vaguely worded laws and sweeping filtering methods ultimately impacts citizens' access to information.

Cycle tracking apps are not only helpful for those trying to conceive, but also serve as important tools for keeping track of one’s general reproductive health. As this article discusses, however, such tools can quickly become a double-edged sword due to the high value of the data they collect, which can potentially end up in the wrong hands via the data market. Therefore, as with other health-related apps, it is critical to inform oneself and choose privacy-friendly alternatives.

As LLM agents become 'en vogue', we need to rethink the attacks they open to malicious third parties. Here Simon Willison describes a combination often seen in such agents that will put your private data at risk. Unfortunately, there is currently not much you can do, except be aware that all the data that agents touch could be sent to an attacker.

That is a very nice attack on privacy-protection in the mobile browsers: even if you don't allow any cookies and don't consent on being tracked, you're browsing behaviour is still tracked. The idea of communicating from the mobile browser to your locally installed app is technically very interesting, and seems to be difficult to avoid on Android devices. The article mentions Meta and Yandex as the main perpetrators using this technique.

This atlas of algorithmic systems curated by AlgorithmWatch CH is a nonexhaustive yet revealing list of algorithms currently deployed in Switzerland, whether to 'predict, recommend, affect or take decisions about human beings' or to 'generate content used by or on human beings.' The atlas is really eye-opening for me – so many systems that we consider theoretical and whose pros and cons we debate are already in use!

Cybercriminals are using U.S. cloud providers like AWS and Azure to hide their activities, creating an "infrastructure laundering" trend that complicates cybersecurity. The whac-a-mole responses highlight the urgent need for better coordination and reveal that current strategies can't keep up with criminals' quick adaptation and evasion tactics.

Agentic AI has only recently emerged, yet it is already being used to commit fraud. This trend is not new; historically, fraudsters have exploited new technologies to target unsuspecting users and weak security systems, as seen with the first instances of voice phishing during the rise of telephony in the early 20th-century. These challenges have typically spurred stronger security measures, but under-resourced institutions like community colleges are hardly the best positioned to do this.

Ein sehr schöner Einsteigerartikel in das Thema Phishing, den man auch technisch weniger versierten Personen ruhig weiterempfehlen kann.

ENISA's new vulnerability database is a significant development in the pursuit of European digital sovereignty. It reduces reliance on US-dominated resources and could lead to better alignment with EU regulations, such as the GDPR and the NIS2 Directive. However, key questions remain about coordination with existing global databases, disclosure policies, and the participation of non-EU countries such as Switzerland. The challenge lies in creating a system that avoids fragmentation while taking into account Europe's unique security landscape and regulatory framework.

Although this article only lightly touches upon the broader implications of connected devices and Big Tech's access to personal information, it vividly illustrates how data of our daily lives accumulate over time, using the example of a family and their home smart speaker.

Digitale Souveränität und doch bei einem der 'Großen' einkaufen? Mit diesem Versprechen sind US-amerikanische Tech-Giganten in den letzten Jahren in Europa werben gegangen. Doch wie passt das zusammen mit dem Versuch der schweizerischen Öffentlichkeit die Details der Rahmenverträge mit dem Bund vorenthalten zu wollen?

It's fascinating to see the tightrope dance Microsoft is doing with open source. While most of its operating system is closed source, Microsoft actively participates in several open source projects and provides some of its programs under an open source license. Open sourcing is beneficial because it allows security researchers to examine the source code for potential vulnerabilities. The latest addition to Microsoft's open source portfolio is the Windows Subsystem for Linux (WSL), which enables users to run a Linux/Ubuntu system on Windows with direct access to the Windows file system. Although some parts of the WSL remain closed source, the open portions empower researchers to enhance system security.

‘I call it the ‘AI dilemma’: while AI may threaten many jobs, it also serves as an essential tool to mitigate its own impact by boosting re-skilling and upskilling initiatives. I appreciate this article because it demonstrates how agentic AI can be employed in lifelong learning systems to reduce skill gaps, which are in part caused by our rapidly evolving digital world.

A senior official in the Trump administration has withdrawn a proposal that would have prevented data brokers from selling Americans' personal and financial information, leaving these companies exempt from federal privacy regulations that apply to other companies. It's puzzling that sharing health data requires strict consent and safeguards, while other personal data can be shared freely despite potential risks.

The new bill shifts Japan's strategy from defensive cybersecurity to active threat disruption, similar to approaches in other countries like the U.S. However, it uniquely empowers military and law enforcement to take preemptive actions, including deploying 'cyber harm prevention officers' to disrupt enemy servers without explicit oversight during critical incidents, raising concerns about potential 'vigilante hacking.' Currently, Japan claims to only target foreign criminal organizations (not nation states), but this shift is also seen as a response to the 2022 revelations of deep Chinese penetration into Japanese infrastructure, known as the Blair Shock.

Should we use the tools that can destroy us to help us? This high-school student developed a tool to flag potential extremists on Reddit and then engage with them to de-radicalize them. According to the student, he never actually employed the chat function on real persons, only on fake accounts. Reddit’s terms forbid using AI in chats without flagging these chats as AI-enabled. But how can they know? And in cases like this where AI is deployed for the public’s benefit, should we allow it anyway?

Dieser Artikel stellt die Arbeit der Initiative Data4Mods vor - eine Kooperation zwischen der African Content Moderators’ Union (ACMU) und der schweizerischen NGO personaldata.io, deren Ziel es ist, die Verflechtungen in den Arbeitsbeziehungen im Bereich Contentmoderation und Datenarbeit offen zu legen. Die Abwicklung über Dienstleister, die Outsourcing-Zentren in Ländern auf dem afrikanischen Kontinent betreiben, verschleiert die Rolle der Big-Tech-Unternehmen in diesem für seine ausbeuterischen Praktiken bekannten Arbeitsmarkt. Initiativen wie Data4Mods sind daher ein wichtiger Schritt, um diese Unternehmen in die Verantwortung zu nehmen.

Supply chain attacks are improving through automation. Adding new libraries to a software project has always been a point of vulnerability, but now that tools like 'Cursor' can add libraries automatically, developers are paying less attention to what gets installed. Some tools add libraries that send API keys of LLMs to attackers and load other malware. Nothing really new, but the reliance on automation tools and programmers’ clicking on 'continue' out of habit make these installations more insidious.

Don't mess with Texas! This settlement, along with the $1.4 billion agreement Meta reached with Texas last year over privacy violations, will hopefully disincentivize companies from engaging in similar practices. While Google doesn't admit to any wrongdoing with this settlement, it's still a significant win for data privacy advocates.

The NSCS has released an excellent overview of advanced cryptographic techniques and their potential applications. It wisely points out that while these new methods (e.g., homomorphic encryption, multiparty computation or zero-knowledge proofs) provide unique data-processing functionalities to solve certain privacy and trust problems, they come with significant trade-offs in performance, complexity and maturity. To guide this assessment and decision-making process, the article provides a useful framework for defining requirements and exploring risks.

Companies are taking advantage of the digital world to keep control over physical devices, even after you buy them. The latest licensing terms of the Nintendo Switch 2 contains wording that allows the company to permanently disable the console if it determines you've violated their terms. This highlights a serious trust concern: even after paying full price, your device remains under Nintendo's control. The worst part is that they want to do so based solely on their terms, with no independent oversight or appeals process.

I like this insight into how a cybersecurity company works to defend against adversaries trying to infiltrate them. According to this article, one of the most important attack vectors is job applicants who want to infiltrate the company. Which of course makes sense, now that other attacks become more difficult, going back to the good old spy game is again easier! I also like the fact that they team up internally to counter these attacks.