{"title":"Cyber Resilience Act 2022: A silver bullet for cybersecurity of IoT devices or a shot in the dark?","authors":"Mohammed Raiz Shaffique","doi":"10.1016/j.clsr.2024.106009","DOIUrl":"https://doi.org/10.1016/j.clsr.2024.106009","url":null,"abstract":"<div><p>Internet of Things (IoT) is an ecosystem of interconnected devices (IoT devices) that is capable of intelligent decision making. IoT devices can include everyday objects such as televisions, cars and shoes. The interconnectedness brought forth by IoT has extended the need for cybersecurity beyond the information security realm into the physical security sphere. However, ensuring cybersecurity of IoT devices is far from straightforward because IoT devices have several cybersecurity challenges associated with them. Some of the pertinent cybersecurity challenges of IoT devices in this regard relate to: (i) Security During Manufacturing, (ii) Identification and Authentication, (iii) Lack of Encryption, (iv) Large Attack Surface, (v) Security During Updates, (vi) Lack of User Awareness and (vii) Diverging Standards and Regulations.</p><p>Against this background, the Cyber Resilience Act (CRA) has been proposed to complement the existing EU cybersecurity framework consisting of legislations such as the Cybersecurity Act and the NIS2 Directive. However, does the CRA provide a framework for effectively combating the cybersecurity challenges of IoT devices in the EU? The central crux of the CRA is to lay down and enforce the rules required to ensure cybersecurity of ‘products with digital elements’, which includes IoT devices. To this end, several obligations are imposed on manufacturers, importers and distributors of IoT devices. Manufacturers are mandated to ensure that the essential cybersecurity requirements prescribed by the CRA are met before placing IoT devices in the market. 
While the cybersecurity requirements mandated by the CRA are commendable, the CRA suffers from several ambiguities which can hamper its potential impact. For instance, the CRA could provide guidance to manufacturers on how to conduct cybersecurity risk assessment and could clarify the meanings of terms such as “<em>limit attack surfaces</em>” and “<em>without any known exploitable vulnerabilities</em>”.</p><p>When the fundamental themes of the CRA are analysed from the prism of the cybersecurity challenges of IoT devices, it becomes clear that the CRA does provide a foundation for effectively addressing the cybersecurity challenges of IoT devices. However, the expansive wording in various parts of the CRA, including in the Annex I Requirements, leaves scope for interpretation on several fronts. Consequently, the effectiveness of the CRA in tackling the Security During Manufacturing Challenge, Identification and Authentication Challenge, Large Attack Surface Challenge and Diverging Standards and Regulations Challenge would be largely contingent on how harmonised standards develop and how the industry adopts them. The CRA seems to be more effective, albeit not fully so, in significantly addressing the Lack of Encryption Challenge, Security During Updates Challenge and Lack of User Awareness Challenge of IoT devices. 
However, the manner in which the CRA addresses all these","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"54 ","pages":"Article 106009"},"PeriodicalIF":3.3,"publicationDate":"2024-07-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S0267364924000761/pdfft?md5=cffbcbbedc6e57f54e9b97ba7eead7ab&pid=1-s2.0-S0267364924000761-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141541621","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Meta-Regulation: An ideal alternative to the primary responsibility as the regulatory model of generative AI in China","authors":"Huijuan Dong , Junkai Chen","doi":"10.1016/j.clsr.2024.106016","DOIUrl":"https://doi.org/10.1016/j.clsr.2024.106016","url":null,"abstract":"<div><p>Generative AI with stronger responsiveness and emergent abilities has triggered a global boom and is facing challenges such as data compliance risks during the pretraining process and risks of generating fake information, which has raised concerns among global regulatory authorities. The European Union, United States, United Kingdom, and other countries and regions are gradually establishing risk-based, scenario-based, and outcome-based governance models for generative AI. China recently introduced new regulations for the management of generative AI, which adopt a governance model focusing on generative AI service providers. It suggests that China is continuing the principle of primary responsibility in Internet governance, which encompasses legal responsibility, contractual obligations, and ethical responsibility. However, the governance model based on primary responsibility emphasizes the accountability of generative AI model service providers, with relatively limited regulation on other important entities such as users and large-scale dissemination platforms, which may not be conducive to achieving China's regulatory goals for the AI industry. In comparison, the Meta-Regulation model could be an ideal alternative for China. As a classic theory explaining the public-private relationship, the ‘Meta-Regulation’ aligns with the generative AI governance requirements. Based on the Meta-Regulation theory, the governance of generative AI in China should move towards a direction of emphasizing safety, transparency, collaborative governance, and accountability. 
In line with this, it is necessary to include users and large-scale dissemination platforms within the regulatory scope and establish overarching governance objectives that ensure the responsible distribution of duties among stakeholders, with regulatory authorities assuming ultimate oversight responsibility and technical coordination. At the level of specific improvement measures, it is possible to integrate the three stages of model development, usage, and content dissemination of generative AI. During the model development stage, generative AI providers have specific transparency obligations. In the usage stage, a self-regulatory system centered around platform autonomy should be constructed. In the content dissemination stage, the proactive notification obligations of the dissemination platforms should be clearly defined. Additionally, the enforcement of technical interoperability requirements is necessary, thereby promoting the orderly development of generative AI applications.</p></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"54 ","pages":"Article 106016"},"PeriodicalIF":3.3,"publicationDate":"2024-07-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141541620","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Will the GDPR Restrain Health Data Access Bodies Under the European Health Data Space (EHDS)?","authors":"Paul Quinn, Erika Ellyne, Cong Yao","doi":"10.1016/j.clsr.2024.105993","DOIUrl":"https://doi.org/10.1016/j.clsr.2024.105993","url":null,"abstract":"<div><p>The plans for a European Health Data Space (EHDS) envisage an ambitious and radical platform that will inter alia make the sharing of secondary health data easier. It will encourage the systematic sharing of health data and provide a legal framework for it to be shared by Health Data Access Bodies (HDABs) based in each of the Member States. Whilst this promises to bring about major benefits for research and innovation, it also raises serious questions given the intrinsic sensitivity of health data. Fears concerning privacy harms on the individual level and detrimental effects on the societal level have been raised. This article discusses two of the main protective pillars designed to allay such concerns. The first is that the proposal clearly outlines several contexts for which a Health Data Access Permit (HDAP) should and should not be granted. The second is that a request for an HDAP must also be compliant with the GDPR (inter alia requiring a valid legal basis and respecting data processing principles such as ‘minimization’ and ‘storage limitation’). As this article discusses, in some instances the need to have a valid legal basis under the GDPR may make it difficult to obtain a data access permit, in particular for some of the commercially orientated grounds outlined within the EHDS proposal. 
A further important issue concerns the ability of HDABs to analyse the compatibility permit requests under the GDPR and relevant national law at both speed and scale.</p></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"54 ","pages":"Article 105993"},"PeriodicalIF":3.3,"publicationDate":"2024-07-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141482974","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"ETIAS system and new proposals to advance the use of AI in public services","authors":"Clara Isabel Velasco Rico , Migle Laukyte","doi":"10.1016/j.clsr.2024.106015","DOIUrl":"https://doi.org/10.1016/j.clsr.2024.106015","url":null,"abstract":"<div><p>Eu-LISA is launching the European Travel Information and Authorization System (ETIAS), which seems an example of a different, human rights-oriented approach to AI within the law enforcement. However, the reality is quite different: the usual problems of the use of AI—lack of transparency, bias, opacity, just to name a few—are still on board. This paper critically assesses these promises of ETIAS and argues that it has serious issues that have not been properly dealt with. So as to argue the need to address these issues, the paper addresses ETIAS within the wider context of human rights and solidarity-based data governance. In this respect, ETIAS is seen as a tool which uses data for high value purposes, such as EU safety and security, yet it also calls for serious risk mitigation measures. Indeed, the risks related to law enforcement on the borders and in migration management are extremely serious due to the vulnerability of people who escape from poverty, wars, regimes, and other disasters. In the third part of this article, we articulate three proposals of such risk mitigation measures. We argue in favour of strengthening critical general safeguards in ETIAS, then elaborate a principle that should guide AI-based public service development (P4P principle) and end with a few IPR-related requirements for private sector involvement in such services. 
Adopting these measures could contribute to reducing the risk of building EU AI expertise upon data coming from the most vulnerable social groups of our planet.</p></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"54 ","pages":"Article 106015"},"PeriodicalIF":3.3,"publicationDate":"2024-07-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S0267364924000815/pdfft?md5=49b2b58312c8697b7334418c2e13e052&pid=1-s2.0-S0267364924000815-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141482997","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"AI liability in Europe: How does it complement risk regulation and deal with the problem of human oversight?","authors":"Beatriz Botero Arcila","doi":"10.1016/j.clsr.2024.106012","DOIUrl":"https://doi.org/10.1016/j.clsr.2024.106012","url":null,"abstract":"<div><p>Who should compensate you if you get hit by a car in “autopilot” mode: the safety driver or the car manufacturer? What about if you find out you were unfairly discriminated against by an AI decision-making tool that was being supervised by an HR professional? Should the developer compensate you, the company that procured the software, or the (employer of the) HR professional that was “supervising” the system's output?</p><p>These questions do not have easy answers. In the European Union and elsewhere around the world, AI governance is turning towards risk regulation. Risk regulation alone is, however, rarely optimal. The situations above all involve the liability for harms that are caused by or with an AI system. While risk regulations like the AI Act regulate some aspects of these human and machine interactions, they do not offer those impacted by AI systems any rights and little avenues to seek redress. From a corrective justice perspective risk regulation must also be complemented by liability law because when harms do occur, harmed individuals should be compensated. From a risk-prevention perspective, risk regulation may still fall short of creating optimal incentives for all parties to take precautions.</p><p>Because risk regulation is not enough, scholars and regulators around the world have highlighted that AI regulations should be complemented by liability rules to address AI harms when they occur. 
Using a law and economics framework this Article examines how the recently proposed AI liability regime in the EU – a revision of the Product Liability Directive, and an AI Liability effectively complement the AI Act and how they address the particularities of AI-human interactions.</p></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"54 ","pages":"Article 106012"},"PeriodicalIF":3.3,"publicationDate":"2024-06-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S0267364924000797/pdfft?md5=4672fdb50a5856a23c27094c7201b057&pid=1-s2.0-S0267364924000797-main.pdf","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141482996","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"OA","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Stuxnet vs WannaCry and Albania: Cyber-attribution on trial","authors":"Jakub Vostoupal","doi":"10.1016/j.clsr.2024.106008","DOIUrl":"https://doi.org/10.1016/j.clsr.2024.106008","url":null,"abstract":"<div><p>The cyber-attribution problem poses a significant challenge to the effective application of international law in cyberspace. Rooted in unclear standards of proof, evidence disclosure requirements, and deficiencies within the legal framework of the attribution procedure, this issue reflects the limitations of some traditional legal concepts in addressing the unique nature of cyberspace. Notably, the <em>effective control test</em>, introduced by the ICJ in 1986 and reaffirmed in 2007 to attribute the actions of non-state actors, does not adequately account for the distinctive dynamics of cyberspace, allowing states to use proxies to evade responsibility.</p><p>The legal impracticality and insufficiency of the attribution procedure not only give rise to the cyber-attribution problem but also compel states to develop new attribution tactics. This article explores the evolution of these cyber-attribution techniques to assess whether contemporary state practices align with the customary rules of attribution identified by the ICJ and codified by the ILC within ARSIWA, or whether new, cyber-specific rules might emerge. By analyzing two datasets on cyber incidents and three distinct cases – Stuxnet, WannaCry, and the 2022 cyberattacks against Albania – this article concludes that the <em>effective control test</em> cannot be conclusively identified as part of customary rules within cyberspace due to the insufficient support in state practice. Furthermore, it is apparent that the rules of attribution in the cyber-specific context are in disarray, lacking consistent, widespread and representative practice to support a general custom. 
However, emerging state practice shows some degree of unification and development, suggesting the potential for the future establishment of cyber-specific rules of attribution.</p></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"54 ","pages":"Article 106008"},"PeriodicalIF":3.3,"publicationDate":"2024-06-28","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141482976","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Evolving Threats, Emerging Laws: Poland's 2023 Answer to the Smishing Challenge","authors":"Sebastian Zieliński","doi":"10.1016/j.clsr.2024.106013","DOIUrl":"https://doi.org/10.1016/j.clsr.2024.106013","url":null,"abstract":"<div><p>In the face of rising cybersecurity threats like 'smishing'—SMS-based phishing attacks—this article examines how legislative efforts can effectively address these challenges. This article provides a comprehensive analysis of cybersecurity challenges, focusing on the still growing phenomenon of 'smishing', within the legislative context. In particular, it explores the legal landscape of cybercrime through the lens of Poland's recently enacted Act on Combating Abuses in Electronic Communication, as well as the European Union's Cybersecurity Strategy for the Digital Decade. The first one serves as a significant case study for examining legislative efforts aimed at mitigating cybersecurity risks in the field of electronic communications. The article describes the multi-layered, collaborative business-state approach of the Polish law, which can provide a solid framework for addressing current and future cyber security threats. The act stands as a promising tool for fortifying national cybersecurity infrastructure and could serve as a useful example for other jurisdictions grappling with similar issues. The law also engages citizens actively in its cybersecurity initiatives, promoting collective responsibility. In the broader European Union context, while the Polish Act undergoes scrutiny, this analysis also seeks to explore its alignment with the objectives outlined in the 2020′s European Union's Cybersecurity Strategy for the Digital Decade. 
This examination aims to evaluate the extent to which the Polish legislative framework resonates with the overarching goals set forth by the European Union, thereby contributing to a deeper understanding of the synergy between national initiatives and the broader European cybersecurity strategy context.</p></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"54 ","pages":"Article 106013"},"PeriodicalIF":3.3,"publicationDate":"2024-06-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141482975","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"EU sanctions in response to cyber-attacks as crime-based emergency measures","authors":"Yuliya Miadzvetskaya","doi":"10.1016/j.clsr.2024.106010","DOIUrl":"https://doi.org/10.1016/j.clsr.2024.106010","url":null,"abstract":"<div><p>This contribution seeks to explore the growing use of administrative measures in response to cybercrimes by analysing the specific case of sanctions in response to cyber-attacks. They constitute a novel crime-based sanctions regime, laying the foundations of personalised deterrence with respect to malicious cyber actors and consist in asset freezes and visa bans. This article reflects on the hazy boundary between crime-based sanctions as administrative or criminal law measures. The paper argues that while crime-based sanctions in response to cyber-attacks present certain similarities with criminal law measures, they remain complementary crime prevention instruments. Their administrative nature allows for an emergency response to malicious cyber operations that would not be permissible if a more stringent evidentiary standard was required.</p></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"54 ","pages":"Article 106010"},"PeriodicalIF":3.3,"publicationDate":"2024-06-21","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141434316","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"The reform of consumer protection in mobile payment services in China: Legislation, regulation, and dispute resolution","authors":"Ningyao Ye , Zeyu Zhao","doi":"10.1016/j.clsr.2024.106007","DOIUrl":"https://doi.org/10.1016/j.clsr.2024.106007","url":null,"abstract":"<div><p>In China, mobile payment services, based on a rapid development of financial technology, have been playing an essential role in Chinese residents’ daily life, creating a cashless society. Unlike many advanced countries having a clear legal definition of financial consumers and incorporating consumers of mobile payment services into financial consumers, China, as one of the largest markets for mobile payment services, has not had a clear legal definition of financial consumers with no clarity regarding whether consumers of mobile payment services belong to financial consumers. This article not only provides a legal analysis of consumers of mobile payment services in China, but also outrightly explores the prospective reform of financial consumer protection with reference to other countries’ successful experience and standards. 
By this analysis, this article attempts to find a solution for the Chinese financial consumer protection scheme and argues that the Chinese financial consumer protection scheme has to be well designed to maintain a balance between consumers and mobile payment giants.</p></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"54 ","pages":"Article 106007"},"PeriodicalIF":2.9,"publicationDate":"2024-06-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141323264","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Developing China's Approaches to Regulate Cross-border Data Transfer: Relaxation and Integration","authors":"Meng Chen (Associate Professor)","doi":"10.1016/j.clsr.2024.105997","DOIUrl":"https://doi.org/10.1016/j.clsr.2024.105997","url":null,"abstract":"<div><p>This article illustrates the developing Chinese cross-border data flow regulation regime deriving from a holistic national security conception to its balance with personal information protection and digital economic development. Under the pressing demand of digital economy development and an increasing appeal to global data governance, China is progressively improving and modifying its original government-led and restrictive cross-border data regulations. Subsequent practices and the publication of the Provisions on Promoting and Regulating Cross-border Data Transfer (PPR) in March 2024 deliver a clear sign of relaxation on restrictions on cross-border data flow, especially on the subject of personal information outbound transfer. Detailed comparison with data provisions in the Regional Comprehensive Economic Partnership (RCEP), the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), and the Digital Economy Partnership Agreement (DEPA) demonstrates that global governance of cross-border data flows is unshaped but not unrealistic, even with current fragmented national approaches. China has established a complete personal information protection legal regime and is very close to integrating into transnational cooperation for a broader framework. 
In addition, by coordinating national provisions regarding cross-border data transfer with international rules and piloting lenient cross-border data supervision mechanisms in numerous Pilot Free Trade Zones (PFTZs), China is ready to evolve its cross-border data flow regulations and contribute to global data governance step-by-step.</p></div>","PeriodicalId":51516,"journal":{"name":"Computer Law & Security Review","volume":"54 ","pages":"Article 105997"},"PeriodicalIF":2.9,"publicationDate":"2024-06-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"141291115","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":3,"RegionCategory":"社会学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}