Over 80,000 Microsoft Entra ID Accounts Targeted Using Open-Source TeamFiltration Tool

Cybersecurity researchers have uncovered a new account takeover (ATO) campaign that leverages an open-source penetration testing framework called TeamFiltration to breach Microsoft Entra ID (formerly Azure Active Directory) user accounts.
The activity, codenamed UNK_SneakyStrike by Proofpoint, has affected over 80,000 targeted user accounts across hundreds of organizations’ cloud tenants since a

from The Hacker News https://ift.tt/A2Qa7zI
via IFTTT

Digital rights groups sound alarm on Stop CSAM Act 

Digital rights groups are urging Senate leaders not to move forward with a bill that would impose new regulations on companies around child sexual abuse material, arguing that the legislation could be a privacy nightmare for Americans.

In a letter addressed to Senate Judiciary Committee leaders Sens. Chuck Grassley, R-Iowa, and Dick Durbin, D-Ill., the groups – which include the American Civil Liberties Union, Freedom of the Press Foundation, Defending Rights and Dissent and RootsAction – say the STOP CSAM Act, reintroduced in May, “walks back a number of important privacy protections that had been included in a previous version of the bill.”

“The current bill creates enormous incentives for platforms to stop offering encrypted services that are critical for enabling all of us to have private conversations and securely store files from our most personal moments, like photos from a child’s birthday,” the letter reads. “While all of our groups want to stop the harmful transmission of child sexual abuse material (CSAM), its transmission is already illegal, and these modifications to the bill do nothing more than undermine privacy and security.”

The Stop CSAM Act would impose new requirements on companies to prevent the hosting and distribution of child sexual abuse material on their platforms.

It expands companies’ legal obligations by requiring them to report instances of such material on their sites to the National Center for Missing and Exploited Children. It also introduces stricter privacy protections for children who testify in court. Additionally, it would require businesses with more than 1 million unique monthly visitors or users or $50 million in annual revenue to submit annual reports to the Federal Trade Commission and Department of Justice.

It would also seek to alter immunity under Section 230 of the Communications Decency Act for “interactive computer services,” allowing victims to file civil lawsuits against companies that fail to remove CSAM content from their platforms in a timely fashion.

The bill includes language specifying that “any person who is a victim of the intentional, knowing, or reckless hosting or storing of child pornography or making child pornography available to any person by a provider of an interactive computer service, and who suffers personal injury as a result of such hosting, storing, or making available, regardless of when the injury occurred, may bring a civil action.”

Digital rights groups say that the new version of the legislation includes “recklessness” as a legal standard for liability and by applying it to any “interactive computer service,” the legislation would capture virtually all applications that rely on end-to-end encryption.

That in turn could open up providers of these services to civil lawsuits for hosting material that they can’t view without breaking the encryption of their users.

“[The bill] goes much further than current law and threatens to punish any service that works to keep its users secure, including those that do their best to eliminate and report CSAM,” wrote India McKinney of the Electronic Frontier Foundation. “The bill applies to ‘interactive computer services,’ which broadly includes private messaging and email apps, social media platforms, cloud storage providers, and many other internet intermediaries and online service providers.”

It’s not clear whether the groups’ warnings on data privacy will have much influence in this Congress. Politically, forcing private companies to do more to counter child sexual abuse material on their platforms and websites has been broadly popular with the public, and online child safety is a top issue for congressional Republicans, who control both houses of Congress. Grassley is not known as a strong advocate of unrestricted encryption. He previously led a bipartisan congressional effort in 2018 to develop legislation that would have compelled companies to grant law enforcement access to encrypted communications in investigations.

Another bill introduced this Congress, the Take It Down Act, carried similar takedown requirements for companies around AI-generated nonconsensual deepfake pornography. Though many of the same groups loudly opposed the measure on similar privacy grounds, it ultimately passed 402-2 in the House and unanimously in the Senate before being swiftly signed into law by President Donald Trump.

The letter to Grassley and Durbin emphasizes that private communications – underpinned by strong digital encryption – are critical to healthy, functioning democratic societies and have many benefits to marginalized or targeted populations.

“That is why encrypted services are popular amongst journalists who use encrypted messages to contact their sources, protesters seeking to organize to raise their voices against unjust government action, doctors who use it to speak with patients, domestic violence victims who rely on completely private communications to escape dangerous situations at home, and businesses discussing finances with clients,” the letter reads. “But there would also be severe consequences for groups that are being targeted by governments domestically and globally.”

The post Digital rights groups sound alarm on Stop CSAM Act appeared first on CyberScoop.

from CyberScoop https://ift.tt/HvAfyWV
via IFTTT

How Amazon Web Services uses AI to be a security ‘force multiplier’

When Amazon Web Services deploys thousands of new digital sensors around the globe, it often runs into a ruthless truth of the internet: Within minutes, the sensors are poked, prodded, and attacked. However, using large language models, the company is turning those immediate attacks into actionable security intelligence for its vast array of cloud-centered services.

According to Stephen Schmidt, the company’s chief security officer, examples like this demonstrate how AI enables capabilities that weren’t possible with earlier tools. During remarks at the AWS Summit on Tuesday, Schmidt highlighted this example to illustrate how AI is fundamentally transforming AWS’s approach to security — especially in areas like application security reviews and incident response.

“What we can do with AI is allow engineers to ask questions about what’s going on with that data much more easily than they could otherwise, and they can say things like ‘Find me all of the examples of situations where someone tried to break into this particular version of this particular database, and came from IP addresses that are associated with the VPNs that are normally used by this particular threat actor,’” he told CyberScoop. “You can’t do that otherwise, and the tooling allows them to really dig into things much more deeply.”

The technology allows for more consistent and efficient security assessments, especially for junior engineers who may lack extensive experience.

By training large language models on previous security reviews, organizations can effectively transfer knowledge from senior security professionals to newer team members. This approach raises the overall security standard by embedding institutional expertise directly into AI-powered review processes.

“A junior engineer may not have all the knowledge, the background, the experience of the more senior engineers,” he said. “By training our large language models internally on the prior security reviews, it allows us to apply the knowledge and learning that our more senior staff have embodied in the documents that we all own, trained on, to our more junior staff. So it really raises the bar on the absolute level of security.” 

The cybersecurity industry faces persistent personnel shortages, a problem AI can help mitigate. Schmidt noted that AI tools can handle significant “heavy lifting” previously performed manually, allowing security staff to focus on more complex tasks.

Critically, Schmidt highlighted the non-deterministic nature of AI systems, meaning identical queries can produce different responses. He pointed to this as a reason why humans still need to be involved in making decisions based on the model’s output.

“We look at it this way, if you’re just asking a question and getting an answer, that’s one set of scrutiny that you have to give a system,” he said. “But if you’re going to take an action to block something, to prevent something from occurring, you’ve got to be really sure it’s correct. So there has to be that skilled person at the end of the AI-use process, saying, ‘Yes, this is the right thing to do at this point in time with this context.’”

That need for a human in the process is why Schmidt believes that AI will not supplant entry- or junior-level positions, even if the technology continues to improve. He said conversations around AI replacing junior engineers are rooted in “FUD,” and he expects the models to raise the skill level faster than ever before. 

“I don’t think it’s going to happen,” he said of AI replacing human-led security work. “The thing about security that’s both great and difficult is you’re never done, and it’s never perfect. So we always have the ability to raise the bar across things, and by using tooling that allows us to get those junior engineers up to speed more quickly and to learn more about why senior engineers make decisions. It means we’ve got this middle ground of staff who are really good, much more quickly than we would otherwise.”

The post How Amazon Web Services uses AI to be a security ‘force multiplier’ appeared first on CyberScoop.

from CyberScoop https://ift.tt/CKWwrI4
via IFTTT

Adobe Releases Patch Fixing 254 Vulnerabilities, Closing High-Severity Security Gaps

Adobe on Tuesday pushed security updates to address a total of 254 security flaws impacting its software products, a majority of which affect Experience Manager (AEM).
Of the 254 flaws, 225 reside in AEM, impacting AEM Cloud Service (CS) as well as all versions prior to and including 6.5.22. The issues have been resolved in AEM Cloud Service Release 2025.5 and version 6.5.23.
“Successful

from The Hacker News https://ift.tt/9Mx1qIO
via IFTTT

Researchers Uncover 20+ Configuration Risks, Including Five CVEs, in Salesforce Industry Cloud

Cybersecurity researchers have uncovered over 20 configuration-related risks affecting Salesforce Industry Cloud (aka Salesforce Industries), exposing sensitive data to unauthorized internal and external parties.
The weaknesses affect various components like FlexCards, Data Mappers, Integration Procedures (IProcs), Data Packs, OmniOut, and OmniScript Saved Sessions.
“Low-code platforms such as

from The Hacker News https://ift.tt/kr8VQeb
via IFTTT