The European Parliament has voted in favour of a resolution banning law enforcement from using facial recognition systems.
In explaining the resolution, the European Parliament said the use of AI by law enforcement currently poses various risks spanning opaque decision-making, discrimination, privacy intrusion, challenges to the protection of personal data, human dignity, and the freedom of expression and information.
“These potential risks are aggravated in the sector of law enforcement and criminal justice, as they may affect the presumption of innocence, the fundamental rights to liberty and security of the individual and to an effective remedy and fair trial,” the European Parliament said.
In addition to calling for facial recognition to be banned for law enforcement purposes, the resolution has called for the permanent prohibition of law enforcement using automated analysis of other human features too, such as gait, fingerprints, DNA, voice, and other biometric and behavioural signals.
By passing the resolution, the European Parliament explicitly expressed concern about facial recognition services such as Clearview AI, which has a database of more than three billion pictures that have been collected illegally from social networks and other parts of the internet.
The final vote passed 36 to 24, with six abstaining from the vote. While the Parliament has passed the resolution, it is not legally binding. It does, however, come in the midst of the European Union working on new AI rules that would apply to both the public and private sectors.
At the same time, the European Commission (EC) is reportedly preparing to release an antitrust charge against Apple regarding its Apple Pay system, according to Reuters. The charge is reportedly for Apple only allowing the NFC chip within iPhones and iPads to be used for Apple Pay. The EC is reportedly concerned about how Apple has refused competitors access to the payment system.
The EC has been investigating whether Apple’s integration of Apple Pay into apps and websites violates EU competition rules since last June. With Europe preparing to ramp up scrutiny against Apple for not opening up access to the NFC chips in its devices, this is not the first time Apple has been in such a position. Three years ago, Apple won its fight against an Australian banking consortium when the country’s competition watchdog sided with Apple in allowing it to block Australian banks from accessing NFC on its devices. Most of the banks then caved and signed up for Apple Pay.
Since then, Australian banks have continued to complain about the lack of access to Apple’s NFC antenna, with Commonwealth Bank of Australia CEO Matt Comyn in July accusing the tech giant of leaning on its market power to compel the banks into paying fees to use Apple Pay.

Swinburne University of Technology has confirmed personal information on staff, students, and external parties had inadvertently made its way into the wild.
It said it was advised last month that information of around 5,200 Swinburne staff and 100 Swinburne students was available on the internet.
This data, Swinburne said, was event registration information from multiple events from 2013 onwards. The event registration webpage is no longer available.
The information made available was name, email address, and, in some cases, a contact phone number.
“We took immediate action to investigate and respond to this data breach, including removing the information and conducting an audit across other similar sites,” the university said in a statement on Friday.
“We sincerely apologise to all those impacted by this data breach and for any concerns this has caused.”
Swinburne said it is currently in the process of contacting all individuals whose information was made available to apologise to them and offer appropriate support.
“We are also contacting around 200 other individuals not connected to Swinburne who had registered for the event and whose information was also made available,” it said.
The breach has been reported to the Office of the Australian Information Commissioner (OAIC), the Office of the Victorian Information Commissioner (OVIC), the Tertiary Education Quality and Standards Agency (TEQSA), and the Victorian Education Department.
The higher education sector in Australia could soon find itself considered as systems of national significance, with the government ready to enforce an “enhanced framework to uplift security and resilience” upon universities via the Security Legislation Amendment (Critical Infrastructure) Bill 2020.
The Group of Eight (Go8), comprising eight Australian universities, believes the government has in fact not yet identified any critical infrastructure assets in the higher education and research sector and, therefore, does not feel higher education and research should be included as a critical infrastructure sector, given the regulatory ramifications.
“The Go8 considers the catch-all nature of the legislation as proposed for the higher education and research sector to be highly disproportionate to the likely degree and extent of criticality of the sector,” it said in February.
The Go8 comprises the University of Adelaide, the Australian National University, the University of Melbourne, Monash University, UNSW Sydney, the University of Queensland, the University of Sydney, and the University of Western Australia.
Swinburne made its own views available to the committee probing the Bill, in February saying that the cost of positive security obligations and enhanced cybersecurity measures for assets deemed to be systems of national significance would be difficult for universities to absorb, given the current funding situation and decrease
in income from international student enrolments.
“Therefore, the Commonwealth must ensure that universities are adequately funded to meet their responsibility of providing quality education and respond to these new security requirements,” it wrote [PDF].
“While security from foreign interference is of paramount importance, equally important is the economic security provided by having a robust tertiary sector. We recommend that the government work closely with the sector to ensure that the legislation has minimal impact on essential university operations.”
The Australian National University (ANU) in late 2018 suffered a massive data breach that was discovered in May 2019, and revealed two weeks later in June.
The hackers gained access to up to 19 years’ worth of data in the system that houses the university’s human resources, financial management, student administration, and “enterprise e-forms systems”.
Then there was Melbourne’s RMIT University, which in February responded to reports it fell victim to a phishing attack, saying progress was slowly being made in restoring its systems.
At a recent Parliamentary Joint Committee on Intelligence and Security (PJCIS) hearing on the national security risks affecting the Australian higher education and research sector, discussions around the two security incidents were used by Home Affairs representatives to justify the inclusion of higher education and research in the Critical Infrastructure Bill.
AUSTRALIA ALSO BLAMES RUSSIA FOR SOLARWINDS HACK
Elsewhere, the Australian government has joined international partners in holding Russia to account for its cyber campaign against US software firm, SolarWinds.
Hackers working for the Russian foreign intelligence service are behind the SolarWinds attack, cyber espionage campaigns targeting COVID-19 research facilities, and more, according to the United States and the United Kingdom.
The US accusation comes in a joint advisory by the National Security Agency, the Cybersecurity and Infrastructure Security Agency, and the Federal Bureau of Investigation, which also describes ongoing Russian Foreign Intelligence Service exploitation of five publicly known vulnerabilities in VPN services.
The UK has also attributed the attacks to the Russian intelligence service.
“In consultation with our partners, the Australian government has determined that Russian state actors are actively exploiting SolarWinds and its supply chains,” a statement from Minister for Foreign Affairs Marise Payne, Minister for Defence Peter Dutton, and Minister for Home Affairs Karen Andrews said.
“Over the past 12 months, Australia has witnessed Russia use malicious activity to undermine international stability, security, and public safety. Australia condemns such behaviour.”
The supply chain attacks targeting IT management software company SolarWinds represented one of the biggest cybersecurity incidents in recent years, with hackers gaining access to the networks of tens of thousands of organisations around the world, including several US government agencies, as well as cybersecurity companies.
“Russia’s campaign has affected thousands of computer systems worldwide. Australia acknowledges the high costs borne by the US private sector,” Australia’s statement continued.
Updated 16 April 2021 at 3:20pm AEST: Added Australian attribution of SolarWinds breach to Russia.

The Google Threat Analysis Group (TAG), a division inside Google’s security department that tracks nation-state and […]


A former sales representative of a mobile carrier has been sentenced after accepting bribes to perform SIM-swapping attacks.
This week, the US Department of Justice (DoJ) said that Stephen Defiore, a Florida resident, accepted “multiple bribes” of up to $500 per day to perform the switches required to reroute phone numbers in SIM-swapping.
SIM-swapping is quickly becoming a serious issue for telecommunications firms, made worse when employees who have access to internal systems are involved.
These attacks require either internal help or the use of social engineering to convince a carrier to reroute calls and text messages from one handset to another. SIM-swapping is often performed to circumvent security controls including two-factor authentication (2FA) and to compromise accounts for services including banking and cryptocurrency wallets.
The victims may only have a small window of time to rectify the situation once they realize that phone calls and messages are not being received, but by the time they reach their service provider, attackers may have already secured the second-level security codes required to hijack other accounts.
Rather than go through the effort of obtaining enough information on a target to convincingly pretend to be the victim on a phone call, some attackers try to recruit insider help.
In this case, between 2017 and 2018, Defiore was a sales representative for an unnamed carrier.
The 36-year-old accepted bribes of roughly $500 to perform SIM-swapping on behalf of someone else. For each case, he would be sent a phone number, a four-digit PIN, and a SIM card number to be swapped with the victim’s handset details.
At least 19 customers were targeted and prosecutors estimate that the employee received $2,325 in bribes.
Following his arrest, Defiore pleaded guilty to one count of conspiracy to commit wire fraud. US Attorney Duane Evans said that Defiore was sentenced on October 19 and will serve three months’ probation, a year of home confinement, and must perform 100 hours of community service. The SIM-swapper must also pay a $100 fee and $77,417.50 in restitution.
Last year, Europol took down a massive SIM-swapping ring responsible for the theft of millions of euros. Operations Quinientos Dusim and Smart Cash combined law enforcement from multiple countries in the region, leading to multiple arrests.