This is a multi-part message in MIME format

--_----------=_MCPart_401932440
Content-Type: text/plain; charset="utf-8"; format="fixed" Content-Transfer-Encoding: quoted-printable

** CRYPTO-GRAM
MAY 15=2C 2025
------------------------------------------------------------

by Bruce Schneier
Fellow and Lecturer=2C Harvard Kennedy School
schneier@schneier.com
https://www.schneier.com

A free monthly newsletter providing summaries=2C analyses=2C insights=2C a=
nd commentaries on security: computer and otherwise.

For back issues=2C or to subscribe=2C visit Crypto-Gram's web page [https= ://www.schneier.com/crypto-gram/].

Read this issue on the web [https://www.schneier.com/crypto-gram/archives= /2025/0515.html]

These same essays and news items appear in the Schneier on Security [http= s://www.schneier.com/] blog=2C along with a lively and intelligent comment=
section. An RSS feed is available.

** *** ***** ******* *********** *************


** IN THIS ISSUE:
------------------------------------------------------------

1. Slopsquatting
2. CVE Program Almost Unfunded
3. Age Verification Using Facial Scans
4. Android Improves Its Security
5. Regulating AI Behavior with a Hypervisor
6. New Linux Rootkit
7. Cryptocurrency Thefts Get Physical
8. Windscribe Acquitted on Charges of Not Collecting Users' Data
9. Applying Security Engineering to Prompt Injection Security
10. WhatsApp Case Against NSO Group Progressing
11. US as a Surveillance State
12. NCSC Guidance on "Advanced Cryptography"
13. Privacy for Agentic AI
14. Another Move in the Deepfake Creation/Detection Arms Race
15. Fake Student Fraud in Community Colleges
16. Chinese AI Submersible
17. Florida Backdoor Bill Fails
18. Court Rules Against NSO Group
19. Google=E2=80=99s Advanced Protection Now on Android
20. Upcoming Speaking Engagements
21. AI-Generated Law

** *** ***** ******* *********** *************


** SLOPSQUATTING
------------------------------------------------------------

[2025.04.15] [https://www.schneier.com/blog/archives/2025/04/slopsquatti= ng.html] As AI coding assistants invent nonexistent software libraries to=
download and use=2C enterprising attackers create and upload [https://ww= w.theregister.com/2025/04/12/ai_code_suggestions_sabotage_supply_chain/] l= ibraries with those names -- laced with malware=2C of course.

EDITED TO ADD (1/22): Research paper [https://arxiv.org/pdf/2406.10279].=
Slashdot thread [https://it.slashdot.org/story/25/04/22/0118200/ai-hallu= cinations-lead-to-a-new-cyber-threat-slopsquatting].

** *** ***** ******* *********** *************


** CVE PROGRAM ALMOST UNFUNDED ------------------------------------------------------------

[2025.04.16] [https://www.schneier.com/blog/archives/2025/04/cve-program= -almost-unfunded.html] Mitre=E2=80=99s CVE=E2=80=99s program -- which prov= ides common naming and other informational resources about cybersecurity v= ulnerabilities -- was about to be cancelled [https://www.csoonline.com/ar= ticle/3963190/cve-program-faces-swift-end-after-dhs-fails-to-renew-contrac= t-leaving-security-flaw-tracking-in-limbo.html]=2C as the US Department of=
Homeland Security failed to renew the contact. It was funded for eleven m=
ore months at the last minute.

This is a big deal. The CVE program is one of those pieces of common infra= structure that everyone benefits from. Losing it will bring us back to a w= orld where there=E2=80=99s no single way to talk about vulnerabilities. It= =E2=80=99s kind of crazy to think that the US government might damage its=
own security in this way -- but I suppose no crazier than any of the othe=
r ways the US is working against its own interests right now.

Sasha Romanosky=2C senior policy researcher at the Rand Corporation=2C b=

randed the end to the CVE program as =E2=80=9Ctragic=2C=E2=80=9D a sentime=
nt echoed by many cybersecurity and CVE experts reached for comment.

=E2=80=9CCVE naming and assignment to software packages and versions are=

the foundation upon which the software vulnerability ecosystem is based= =2C=E2=80=9D Romanosky said. =E2=80=9CWithout it=2C we can=E2=80=99t track=
newly discovered vulnerabilities. We can=E2=80=99t score their severity o=
r predict their exploitation. And we certainly wouldn=E2=80=99t be able to=
make the best decisions regarding patching them.=E2=80=9D

Ben Edwards=2C principal research scientist at Bitsight=2C told CSO=2C=

=E2=80=9CMy reaction is sadness and disappointment. This is a valuable re= source that should absolutely be funded=2C and not renewing the contract i=
s a mistake.=E2=80=9D

He added =E2=80=9CI am hopeful any interruption is brief and that if the=

contract fails to be renewed=2C other stakeholders within the ecosystem c=
an pick up where MITRE left off. The federated framework and openness of t=
he system make this possible=2C but it=E2=80=99ll be a rocky road if opera= tions do need to shift to another entity.=E2=80=9D

More similar quotes in the article.

My guess is that we will somehow figure out how to transition this program=
to continue without the US government. It=E2=80=99s too important to be a=
t risk.

EDITED TO ADD: Another good article [https://www.wired.com/story/cve-prog= ram-cisa-funding-chaos/].

** *** ***** ******* *********** *************


** AGE VERIFICATION USING FACIAL SCANS ------------------------------------------------------------

[2025.04.17] [https://www.schneier.com/blog/archives/2025/04/age-verific= ation-using-facial-scans.html] Discord is testing [https://gizmodo.com/d= iscord-begins-testing-facial-scans-for-age-verification-2000590188] the fe= ature:

=E2=80=9CWe=E2=80=99re currently running tests in select regions to age-=

gate access to certain spaces or user settings=2C=E2=80=9D a spokesperson=
for Discord said in a statement. =E2=80=9CThe information shared to power=
the age verification method is only used for the one-time age verificatio=
n process and is not stored by Discord or our vendor. For Face Scan=2C the=
solution our vendor uses operates on-device=2C which means there is no co= llection of any biometric information when you scan your face. For ID veri= fication=2C the scan of your ID is deleted upon verification.=E2=80=9D

I look forward to all the videos of people hacking this system using vario=
us disguises.

** *** ***** ******* *********** *************


** ANDROID IMPROVES ITS SECURITY ------------------------------------------------------------

[2025.04.22] [https://www.schneier.com/blog/archives/2025/04/android-imp= roves-its-security.html] Android phones will soon reboot themselves [http= s://arstechnica.com/gadgets/2025/04/android-phones-will-soon-reboot-themse= lves-after-sitting-unused-for-3-days/] after sitting idle for three days.=
iPhones have had this feature for a while; it=E2=80=99s nice to see Googl=
e add it to their phones.

** *** ***** ******* *********** *************


** REGULATING AI BEHAVIOR WITH A HYPERVISOR ------------------------------------------------------------

[2025.04.23] [https://www.schneier.com/blog/archives/2025/04/regulating-= ai-behavior-with-a-hypervisor.html] Interesting research: =E2=80=9CGuillot= ine: Hypervisors for Isolating Malicious AIs [https://arxiv.org/abs/2504.= 15499].=E2=80=9D

Abstract:As AI models become more embedded in critical sectors like fina=

nce=2C healthcare=2C and the military=2C their inscrutable behavior poses=
ever-greater risks to society. To mitigate this risk=2C we propose Guillo= tine=2C a hypervisor architecture for sandboxing powerful AI models -- mod=
els that=2C by accident or malice=2C can generate existential threats to h= umanity. Although Guillotine borrows some well-known virtualization techni= ques=2C Guillotine must also introduce fundamentally new isolation mechani=
sms to handle the unique threat model posed by existential-risk AIs. For e= xample=2C a rogue AI may try to introspect upon hypervisor software or the=
underlying hardware substrate to enable later subversion of that control=
plane; thus=2C a Guillotine hypervisor requires careful co-design of the=
hypervisor software and the CPUs=2C RAM=2C NIC=2C and storage devices tha=
t support the hypervisor software=2C to thwart side channel leakage and mo=
re generally eliminate mechanisms for AI to exploit reflection-based vulne= rabilities. Beyond such isolation at the software=2C network=2C and microa= rchitectural layers=2C a Guillotine hypervisor must also provide physical=
fail-safes more commonly associated with nuclear power plants=2C avionic=
platforms=2C and other types of mission critical systems. Physical fail-s= afes=2C e.g.=2C involving electromechanical disconnection of network cable= s=2C or the flooding of a datacenter which holds a rogue AI=2C provide def= ense in depth if software=2C network=2C and microarchitectural isolation i=
s compromised and a rogue AI must be temporarily shut down or permanently=
destroyed.

The basic idea is that many of the AI safety policies proposed by the AI c= ommunity lack robust technical enforcement mechanisms. The worry is that=
=2C as models get smarter=2C they will be able to avoid those safety polic= ies. The paper proposes a set technical enforcement mechanisms that could=
work against these malicious AIs.

** *** ***** ******* *********** *************


** NEW LINUX ROOTKIT ------------------------------------------------------------

[2025.04.24] [https://www.schneier.com/blog/archives/2025/04/new-linux-r= ootkit.html] Interesting [https://betanews.com/2025/04/24/hackers-bypass-= linux-security-with-armo-curing-rootkit/]:

The company has released a working rootkit called =E2=80=9CCuring=E2=80=

=9D that uses io_uring=2C a feature built into the Linux kernel=2C to stea= lthily perform malicious activities without being caught by many of the de= tection solutions currently on the market.

At the heart of the issue is the heavy reliance on monitoring system cal=

ls=2C which has become the go-to method for many cybersecurity vendors. Th=
e problem? Attackers can completely sidestep these monitored calls by lean=
ing on io_uring instead. This clever method could let bad actors quietly m=
ake network connections or tamper with files without triggering the usual=
alarms.

Here=E2=80=99s [https://github.com/armosec/curing] the code.

Note the self-serving nature of this announcement: ARMO=2C the company tha=
t released the research and code=2C has a product that it claims blocks th=
is kind of attack.

** *** ***** ******* *********** *************


** CRYPTOCURRENCY THEFTS GET PHYSICAL ------------------------------------------------------------

[2025.04.25] [https://www.schneier.com/blog/archives/2025/04/cryptocurre= ncy-thefts-get-physical.html] Long story [https://www.nytimes.com/2025/04= /24/magazine/crybercrime-crypto-minecraft.html] of a $250 million cryptocu= rrency theft that=2C in a complicated chain events=2C resulted in a pretty=
brutal kidnapping.

** *** ***** ******* *********** *************


** WINDSCRIBE ACQUITTED ON CHARGES OF NOT COLLECTING USERS' DATA ------------------------------------------------------------

[2025.04.28] [https://www.schneier.com/blog/archives/2025/04/windscribe-= acquitted-on-charges-of-not-collecting-users-data.html] The company doesn= =E2=80=99t keep logs=2C so couldn=E2=80=99t turn over data [https://hackr= ead.com/court-dismisses-criminal-charges-against-vpn-executive-no-log-poli= cy/]:

Windscribe=2C a globally used privacy-first VPN service=2C announced tod=

ay that its founder=2C Yegor Sak=2C has been fully acquitted by a court in=
Athens=2C Greece=2C following a two-year legal battle in which Sak was pe= rsonally charged in connection with an alleged internet offence by an unkn=
own user of the service.

The case centred around a Windscribe-owned server in Finland that was al=

legedly used to breach a system in Greece. Greek authorities=2C in coopera= tion with INTERPOL=2C traced the IP address to Windscribe=E2=80=99s infras= tructure and=2C unlike standard international procedures=2C proceeded to i= nitiate criminal proceedings against Sak himself=2C rather than pursuing i= nformation through standard corporate channels.

** *** ***** ******* *********** *************


** APPLYING SECURITY ENGINEERING TO PROMPT INJECTION SECURITY ------------------------------------------------------------

[2025.04.29] [https://www.schneier.com/blog/archives/2025/04/applying-se= curity-engineering-to-prompt-injection-security.html] This seems like an i= mportant advance [https://arstechnica.com/information-technology/2025/04/= researchers-claim-breakthrough-in-fight-against-ais-frustrating-security-h= ole/] in LLM security against prompt injection:

Google DeepMind has unveiled CaMeL [https://arxiv.org/abs/2503.18813] (=

CApabilities for MachinE Learning)=2C a new approach to stopping prompt-in= jection attacks that abandons the failed strategy of having AI models poli=
ce themselves. Instead=2C CaMeL treats language models as fundamentally un= trusted components within a secure software framework=2C creating clear bo= undaries between user commands and potentially malicious content.

[...]

To understand CaMeL=2C you need to understand that prompt injections hap=

pen when AI systems can=E2=80=99t distinguish between legitimate user comm= ands and malicious instructions hidden in content they=E2=80=99re processi=
ng.

[...]

While CaMeL does use multiple AI models (a privileged LLM and a quaranti=

ned LLM)=2C what makes it innovative isn=E2=80=99t reducing the number of=
models but fundamentally changing the security architecture. Rather than=
expecting AI to detect attacks=2C CaMeL implements established security e= ngineering principles like capability-based access control and data flow t= racking to create boundaries that remain effective even if an AI component=
is compromised.

Research paper [https://arxiv.org/abs/2503.18813]. Good analysis [https:= //simonwillison.net/2025/Apr/11/camel/] by Simon Willison.

I wrote about the problem of LLMs intermingling the data and control paths=
here [https://cacm.acm.org/opinion/llms-data-control-path-insecurity/].

** *** ***** ******* *********** *************


** WHATSAPP CASE AGAINST NSO GROUP PROGRESSING ------------------------------------------------------------

[2025.04.30] [https://www.schneier.com/blog/archives/2025/04/whatsapp-ca= se-against-nso-group-progressing.html] Meta is suing NSO Group=2C basicall=
y claiming [https://cyberscoop.com/whatsapp-nso-group-trial-judge-limits-= evidence-2025/] that the latter hacks WhatsApp and not just WhatsApp users=
=2E We have a procedural ruling:

Under the order [https://www.courtlistener.com/docket/16395340/686/what=

sapp-inc-v-nso-group-technologies-limited/]=2C NSO Group is prohibited fro=
m presenting evidence about its customers=E2=80=99 identities=2C implying=
the targeted WhatsApp users are suspected or actual criminals=2C or alle= ging that WhatsApp had insufficient security protections.

[...]

In making her ruling=2C Northern District of California Judge Phyllis Ha=

milton said NSO Group undercut its arguments to use evidence about its cus= tomers with contradictory statements.

=E2=80=9CDefendants cannot claim=2C on the one hand=2C that its intent i=

s to help its clients fight terrorism and child exploitation=2C and on the=
other hand say that it has nothing to do with what its client does with t=
he technology=2C other than advice and support=2C=E2=80=9D she wrote. =E2= =80=9CAdditionally=2C there is no evidence as to the specific kinds of cri=
mes or security threats that its clients actually investigate and none wit=
h respect to the attacks at issue.=E2=80=9D

I have written about [https://www.schneier.com/academic/archives/2022/03/= platforms-encryption-and-the-cfaa-the-case-of-whatsapp-v-nso-group.html] t=
he issues at play in this case.

** *** ***** ******* *********** *************


** US AS A SURVEILLANCE STATE ------------------------------------------------------------

[2025.05.01] [https://www.schneier.com/blog/archives/2025/05/us-as-a-sur= veillance-state.html] Two essays were just [https://www.theatlantic.com/t= echnology/archive/2025/04/american-panopticon/682616/] published [https:/= /www.nytimes.com/2025/04/30/opinion/musk-doge-data-ai.html] on DOGE=E2=80=
=99s data collection and aggregation=2C and how it ends with a modern surv= eillance state.

It=E2=80=99s good to see this finally being talked about.

EDITED TO ADD (5/3): Here=E2=80=99s a free link [https://www.msn.com/en-u= s/news/technology/american-panopticon/ar-AA1DHVYA] to that first essay.

** *** ***** ******* *********** *************


** NCSC GUIDANCE ON "ADVANCED CRYPTOGRAPHY" ------------------------------------------------------------

[2025.05.02] [https://www.schneier.com/blog/archives/2025/05/ncsc-guidan= ce-on-advanced-cryptography.html] The UK=E2=80=99s National Cyber Security=
Centre just released its white paper [https://www.ncsc.gov.uk/whitepaper= /advanced-cryptography] on =E2=80=9CAdvanced Cryptography=2C=E2=80=9D whic=
h it defines as =E2=80=9Ccryptographic techniques for processing encrypted=
data=2C providing enhanced functionality over and above that provided by=
traditional cryptography.=E2=80=9D It includes things like homomorphic en= cryption=2C attribute-based encryption=2C zero-knowledge proofs=2C and sec=
ure multiparty computation.

It=E2=80=99s full of good advice. I especially appreciate this warning:

When deciding whether to use Advanced Cryptography=2C start with a clear=

articulation of the problem=2C and use that to guide the development of a=
n appropriate solution. That is=2C you should not start with an Advanced C= ryptography technique=2C and then attempt to fit the functionality it prov= ides to the problem.

And:

In almost all cases=2C it is bad practice for users to design and/or imp=

lement their own cryptography; this applies to Advanced Cryptography even=
more than traditional cryptography because of the complexity of the algor= ithms. It also applies to writing your own application based on a cryptogr= aphic library that implements the Advanced Cryptography primitive operatio= ns=2C because subtle flaws in how they are used can lead to serious securi=
ty weaknesses.

The conclusion:

Advanced Cryptography covers a range of techniques for protecting sensit=

ive data at rest=2C in transit and in use. These techniques enable novel a= pplications with different trust relationships between the parties=2C as c= ompared to traditional cryptographic methods for encryption and authentica= tion.

However=2C there are a number of factors to consider before deploying a=

solution based on Advanced Cryptography=2C including the relative immatur=
ity of the techniques and their implementations=2C significant computation=
al burdens and slow response times=2C and the risk of opening up additiona=
l cyber attack vectors.

There are initiatives underway to standardise some forms of Advanced Cry=

ptography=2C and the efficiency of implementations is continually improvin=
g. While many data processing problems can be solved with traditional cryp= tography (which will usually lead to a simpler=2C lower-cost and more matu=
re solution) for those that cannot=2C Advanced Cryptography techniques cou=
ld in the future enable innovative ways of deriving benefit from large sha=
red datasets=2C without compromising individuals=E2=80=99 privacy.

NCSC blog entry [https://www.ncsc.gov.uk/blog-post/advanced-cryptography-= new-approaches-to-data-privacy].

** *** ***** ******* *********** *************


** PRIVACY FOR AGENTIC AI ------------------------------------------------------------

[2025.05.02] [https://www.schneier.com/blog/archives/2025/05/privacy-for= -agentic-ai.html] Sooner or later=2C it=E2=80=99s going to happen. AI syst=
ems will start acting as agents=2C doing things on our behalf with some de= gree of autonomy. I think it=E2=80=99s worth thinking about the security o=
f that now=2C while its still a nascent idea.

In 2019=2C I joined [https://www.schneier.com/blog/archives/2020/02/inrup= t_tim_bern.html] Inrupt=2C a company that is commercializing Tim Berners-L= ee=E2=80=99s open protocol for distributed data ownership. We are working=
on a digital wallet [https://www.schneier.com/blog/archives/2024/07/data= -wallets-using-the-solid-protocol.html] that can make use of AI in this wa=
y. (We used to call it an =E2=80=9Cactive wallet.=E2=80=9D Now we=E2=80=99=
re calling it an =E2=80=9Cagentic wallet.=E2=80=9D)

I talked about [https://www.instagram.com/rsaconference/p/DGv4Yf5SCsw/] t=
his [https://www.rsaconference.com/library/video/2025-keynote-preview-bru= ce-schneier] a bit at the RSA Conference [https://www.rsaconference.com/]=
earlier this week=2C in my keynote talk about AI and trust. Any useful AI=
assistant is going to require a level of access -- and therefore trust --=
that rivals what we currently our email provider=2C social network=2C or=
smartphone.

This Active Wallet is an example of an AI assistant. It=E2=80=99ll combi=

ne personal information about you=2C transactional data that you are a par=
ty to=2C and general information about the world. And use that to answer q= uestions=2C make predictions=2C and ultimately act on your behalf. We have=
demos of this running right now. At least in its early stages. Making it=
work is going require an extraordinary amount of trust in the system. Thi=
s requires integrity. Which is why we=E2=80=99re building protections in f=
rom the beginning.

Visa is also thinking about this. It just [https://usa.visa.com/about-vis= a/newsroom/press-releases.releaseId.21361.html] announced [https://corpor= ate.visa.com/en/products/intelligent-commerce.html] a protocol that uses A=
I to help people make purchasing decisions.

I like Visa=E2=80=99s approach because it=E2=80=99s an AI-agnostic standar=
d. I worry a lot about lock-in and monopolization of this space=2C so anyt= hing that lets people easily switch between AI models is good. And I like=
that Visa is working with Inrupt so that the data is decentralized as wel=
l. Here=E2=80=99s our announcement [https://www.inrupt.com/blog/standards= -for-agentic-commerce-visas-bold-move] about its announcement:

This isn=E2=80=99t a new relationship -- we=E2=80=99ve been working toge=

ther for over two years. We=E2=80=99ve conducted a successful POC and now=
we=E2=80=99re standing up a sandbox inside Visa so merchants=2C financial=
institutions and LLM providers can test our Agentic Wallets alongside the=
rest of Visa=E2=80=99s suite of Intelligent Commerce APIs.

For that matter=2C we welcome any other company that wants to engage in=

the world of personal=2C consented Agentic Commerce to come work with us=
as well.

I joined Inrupt years ago because I thought that Solid could do for person=
al data what HTML did for published information. I liked that the protocol=
was an open standard=2C and that it distributed data instead of centraliz=
ing it. AI agents need decentralized data. =E2=80=9CWallet=E2=80=9D is a g=
ood metaphor for personal data stores. I=E2=80=99m hoping this is another=
step towards adoption.

** *** ***** ******* *********** *************


** ANOTHER MOVE IN THE DEEPFAKE CREATION/DETECTION ARMS RACE ------------------------------------------------------------

[2025.05.05] [https://www.schneier.com/blog/archives/2025/05/another-mov= e-in-the-deepfake-creation-detection-arms-race.html] Deepfakes are now mim= icking heartbeats [https://studyfinds.org/deepfakes-outsmarting-detection= -heartbeats/]

In a nutshell

* Recent research reveals that high-quality deepfakes unintentional=

ly retain the heartbeat patterns from their source videos=2C undermining t= raditional detection methods that relied on detecting subtle skin color ch= anges linked to heartbeats.

* The assumption that deepfakes lack physiological signals=2C such=

as heart rate=2C is no longer valid. This challenges many existing detect=
ion tools=2C which may need significant redesigns to keep up with the evol= ving technology.

* To effectively identify high-quality deepfakes=2C researchers sug=

gest shifting focus from just detecting heart rate signals to analyzing ho=
w blood flow is distributed across different facial regions=2C providing a=
more accurate detection strategy.

And the AI models will start mimicking that.

** *** ***** ******* *********** *************


** FAKE STUDENT FRAUD IN COMMUNITY COLLEGES ------------------------------------------------------------

[2025.05.06] [https://www.schneier.com/blog/archives/2025/05/fake-studen= t-fraud-in-community-colleges.html] Reporting on the rise of fake students=
[https://voiceofsandiego.org/2025/04/14/as-bot-students-continue-to-floo= d-in-community-colleges-struggle-to-respond/] enrolling in community colle=
ge courses:

The bots=E2=80=99 goal is to bilk state and federal financial aid money=

by enrolling in classes=2C and remaining enrolled in them=2C long enough=
for aid disbursements to go out. They often accomplish this by submitting=
AI-generated work. And because community colleges accept all applicants=
=2C they=E2=80=99ve been almost exclusively impacted by the fraud.

The article talks about the rise of this type of fraud=2C the difficulty o=
f detecting it=2C and how it upends quite a bit of the class structure and=
learning community.

Slashdot thread [https://news.slashdot.org/story/25/04/17/1611216/bot-stu= dents-siphon-millions-in-financial-aid-from-us-community-colleges].

** *** ***** ******* *********** *************


** CHINESE AI SUBMERSIBLE ------------------------------------------------------------

[2025.05.07] [https://www.schneier.com/blog/archives/2025/05/chinese-ai-= submersible.html] A Chinese company has developed [https://www.scmp.com/n= ews/china/politics/article/3308410/china-launches-blue-whale-worlds-first-= high-speed-typhoon-proof-uncrewed-submersible] an AI-piloted submersible t=
hat can reach speeds =E2=80=9Csimilar to a destroyer or a US Navy torpedo= =2C=E2=80=9D dive =E2=80=9Cup to 60 metres underwater=2C=E2=80=9D and =E2= =80=9Cremain static for more than a month=2C like the stealth capabilities=
of a nuclear submarine.=E2=80=9D In case you=E2=80=99re worried about the=
military applications of this=2C you can relax because the company says t=
hat the submersible is =E2=80=9Cdesignated for civilian use=E2=80=9D and c=
an =E2=80=9Claunch research rockets.=E2=80=9D

=E2=80=9CResearch rockets.=E2=80=9D Sure.

** *** ***** ******* *********** *************


** FLORIDA BACKDOOR BILL FAILS ------------------------------------------------------------

[2025.05.12] [https://www.schneier.com/blog/archives/2025/05/florida-bac= kdoor-bill-fails.html] A Florida bill requiring encryption backdoors faile=
d to pass [https://techcrunch.com/2025/05/09/florida-bill-requiring-encry= ption-backdoors-for-social-media-accounts-has-failed/].

** *** ***** ******* *********** *************


** COURT RULES AGAINST NSO GROUP ------------------------------------------------------------

[2025.05.13] [https://www.schneier.com/blog/archives/2025/05/court-rules= -against-nso-group.html] The case is over [https://arstechnica.com/securi= ty/2025/05/jury-orders-nso-to-pay-167-million-for-hacking-whatsapp-users/]=
:

A jury has awarded WhatsApp $167 million in punitive damages in a case t=

he company brought against Israel-based NSO Group for exploiting a softwar=
e vulnerability that hijacked the phones of thousands of users.

I=E2=80=99m sure it=E2=80=99ll be appealed. Everything always is.

** *** ***** ******* *********** *************


** GOOGLE=E2=80=99S ADVANCED PROTECTION NOW ON ANDROID ------------------------------------------------------------

[2025.05.14] [https://www.schneier.com/blog/archives/2025/05/googles-adv= anced-protection-now-on-android.html] Google has extended [https://securi= ty.googleblog.com/2025/05/advanced-protection-mobile-devices.html] its Adv= anced Protection features to Android devices. It=E2=80=99s not for everybo= dy=2C but something to be considered by high-risk users.

Wired article [https://www.wired.com/story/google-advanced-protection-vul= nerable-users-lockdown-android-16/]=2C behind a paywall.

** *** ***** ******* *********** *************


** UPCOMING SPEAKING ENGAGEMENTS ------------------------------------------------------------

[2025.05.14] [https://www.schneier.com/blog/archives/2025/05/upcoming-sp= eaking-engagements-46.html] This is a current list of where and when I am=
scheduled to speak:

* I=E2=80=99m speaking (remotely) at the Sektor 3.0 Festival [https:= //sektor3-0.pl/en/festival/] in Warsaw=2C Poland=2C May 21-22=2C 2025.

The list is maintained on this page [https://www.schneier.com/events/].

** *** ***** ******* *********** *************


** AI-GENERATED LAW ------------------------------------------------------------

[2025.05.15] [https://www.schneier.com/blog/archives/2025/05/ai-generate= d-law.html] On April 14=2C Dubai's ruler=2C Sheikh Mohammed bin Rashid Al=
Maktoum=2C=C2=A0announced [https://x.com/HHShkMohd/status/19117951350396= 35659]=C2=A0that the United Arab Emirates would begin using=C2=A0artificia=
l intelligence [https://x.com/UAEmediaoffice/status/1911809411577684257]= =C2=A0to help write its laws. A new Regulatory Intelligence Office would u=
se the technology to "regularly suggest updates" to the law and "accelerat=
e the issuance of legislation by up to 70%." AI would create a "comprehens=
ive legislative plan" spanning local and federal law and would be connecte=
d to public administration=2C the courts=2C and global policy trends.

The plan was widely greeted with astonishment. This sort of AI legislating=
would be a global "first [https://www.ft.com/content/9019cd51-2b55-4175-= 81a6-eafcf28609c3]=2C" with the potential to go "horribly wrong [https://= www.zmescience.com/future/uae-ai-lawmakers/]." Skeptics fear that the AI m= odel will make up facts or fundamentally fail to understand societal tenet=
s such as fair treatment and justice when influencing law.

The truth is=2C the UAE's idea of AI-generated law is not really a first a=
nd not necessarily terrible.

The first instance=C2=A0of enacted law known to have been written by AI wa= s=C2=A0passed [https://www.washingtonpost.com/nation/2023/12/04/ai-writte= n-law-porto-alegre-brazil/]=C2=A0in Porto Alegre=2C Brazil=2C in 2023. It=
was a local ordinance about water meter replacement. Council member Ramir=
o Ros=C3=A1rio was simply looking for help in generating and articulating=
ideas for solving a policy problem=2C and ChatGPT did well enough that th=
e bill passed unanimously. We approve of AI assisting humans in this manne= r=2C although Ros=C3=A1rio should have disclosed that the bill was written=
by AI before it was voted on.

Brazil was a harbinger but hardly unique. In recent years=2C there has bee=
n a steady stream of attention-seeking politicians at the local and nation=
al level introducing=C2=A0bills [https://www.bostonglobe.com/2023/01/24/m= etro/this-state-senator-drafted-legislation-regulate-artificial-intelligen= ce-technology-with-some-help-chatgpt/]=C2=A0that they promote as being dra= fted by AI or letting AI write their=C2=A0speeches [https://apnews.com/ar= ticle/technology-science-oddities-israel-massachusetts-11b4dc6e42afd2d68be= 28dedf86fd25a]=C2=A0for them or even=C2=A0vocalize [https://www.politico.= com/news/2023/05/17/blumenthal-ai-deepfake-recording-senate-hearing-000973= 49]=C2=A0them in the chamber.

The Emirati proposal is different from those examples in important ways. I=
t promises to be more systemic and less of a one-off stunt. The UAE has pr= omised to spend more than $3 billion to transform into an "AI-native [htt= ps://en.aletihad.ae/news/uae/4569345/uae-to-become-first-country-to-utilis= e-ai-in-writing-laws]" government by 2027. Time will tell if it is also di= fferent in being more hype than reality.

Rather than being a true first=2C the UAE's announcement is emblematic of=
a much=C2=A0wider global trend [https://www.popvox.org/blog/assessing-us= -congressional-ai-adoption]=C2=A0of legislative bodies integrating AI assi= stive tools for legislative research=2C drafting=2C translation=2C data pr= ocessing=2C and much more. Individual lawmakers have begun turning to AI d= rafting tools as they traditionally have relied on staffers=2C interns=2C=
or lobbyists. The French government has gone so far as to=C2=A0train [ht= tps://arxiv.org/pdf/2401.16182]=C2=A0its own AI model to assist with legis= lative tasks.

Even asking AI to comprehensively review and update legislation would not=
be a first. In 2020=2C the U.S. state of Ohio began using AI to do wholes= ale=C2=A0revision [https://governor.ohio.gov/administration/lt-governor/l= aunches-ai-tool-to-analyze-ohio-regulations]=C2=A0of its administrative la=
w. AI's speed is potentially a good match to this kind of large-scale edit= orial project; the state's then-lieutenant governor=2C Jon Husted=2C claim=
s it was successful in eliminating=C2=A02.2 million [https://www.axios.co= m/local/columbus/2024/04/29/artificial-intelligence-ai-ohio-state-administ= rative-code-husted]=C2=A0words' worth of unnecessary regulation from Ohio'=
s code. Now a U.S. senator=2C Husted has recently=C2=A0proposed [https://= www.husted.senate.gov/press-releases/husted-introduces-bill-leveraging-ai-= to-increase-efficiency-within-federal-code/]=C2=A0to take the same approac=
h to U.S. federal law=2C with an ideological bent promoting AI as a tool f=
or systematic=C2=A0deregulation [https://www.wsj.com/opinion/ai-can-be-a-= force-for-deregulation-technology-government-ohio-federal-365ed0d4].

The dangers of confabulation and inhumanity -- while legitimate -- aren't=
really what makes the potential of AI-generated law novel. Humans make mi= stakes when writing law=2C too. Recall that a single=C2=A0typo [https://w= ww.nytimes.com/2015/05/26/us/politics/contested-words-in-affordable-care-a= ct-may-have-been-left-by-mistake.html]=C2=A0in a 900-page law nearly broug=
ht down the massive U.S. health care reforms of the Affordable Care Act in=
2015=2C before the Supreme Court=C2=A0excused [https://time.com/3935707/= supreme-court-obamacare-affordable-care/]=C2=A0the error. And=2C distressi= ngly=2C the citizens and residents of nondemocratic states are already sub= ject to arbitrary and often inhumane laws. (The UAE is a federation of mon= archies without direct elections of legislators and with a poor record on=
political rights and civil liberties=2C as evaluated by=C2=A0Freedom Hous=
e [https://freedomhouse.org/country/united-arab-emirates].)

The primary concern with using AI in lawmaking is that it will be wielded=
as a tool by the powerful to advance their own interests. AI may not fund= amentally change lawmaking=2C but its superhuman capabilities have the pot= ential to exacerbate the risks of power concentration.

AI=2C and technology generally=2C is often invoked by politicians to give=
their project a patina of objectivity and rationality=2C but it doesn't r= eally do any such thing. As proposed=2C AI would simply give the UAE's her= editary rulers new tools to express=2C enact=2C and enforce their preferre=
d policies.

Mohammed's emphasis that a primary benefit of AI will be to make law=C2=A0= faster [https://www.ft.com/content/9019cd51-2b55-4175-81a6-eafcf28609c3]= =C2=A0is also misguided. The machine may write the text=2C but humans will=
still propose=2C debate=2C and vote on the legislation. Drafting is rarel=
y the bottleneck in passing new law. What takes much longer is for humans=
to amend=2C horse-trade=2C and ultimately come to agreement on the conten=
t of that legislation -- even when that politicking is happening among a s= mall group of monarchic elites.

Rather than expeditiousness=2C the more important capability offered by AI=
is sophistication. AI has the potential to make law more=C2=A0complex [h= ttps://www.lawfaremedia.org/article/ai-will-write-complex-laws]=2C tailori=
ng it to a multitude of different scenarios. The combination of AI's resea=
rch and drafting speed makes it possible for it to outline legislation gov= erning dozens=2C even thousands=2C of special cases for each proposed rule=
=2E

But here again=2C this capability of AI opens the door for the powerful to=
have their way. AI's capacity to write complex law would allow the humans=
directing it to dictate their exacting policy preference for every specia=
l case. It could even embed those preferences surreptitiously.

Since time immemorial=2C=C2=A0legislators have carved out legal loopholes=
to narrowly cater to special interests. AI will be a=C2=A0powerful [http= s://www.nytimes.com/2023/01/15/opinion/ai-chatgpt-lobbying-democracy.html]= =C2=A0tool for authoritarians=2C lobbyists=2C and other empowered interest=
s to do this at a greater scale. AI can help automatically produce what po= litical scientist Amy McKay has termed "microlegislation [https://www.tec= hnologyreview.com/2023/03/14/1069717/how-ai-could-write-our-laws/]": looph= oles that may be imperceptible to human readers on the page -- until their=
impact is realized in the real world.

But AI can be constrained and directed to distribute power rather than con= centrate it. For Emirati residents=2C the most intriguing possibility of t=
he AI plan is the promise to introduce AI "interactive platforms" where th=
e public can provide input to legislation. In experiments across locales a=
s diverse as=C2=A0Kentucky [https://www.technologyreview.com/2025/04/15/1= 115125/a-small-us-city-experiments-with-ai-to-find-out-what-residents-want= /]=2C=C2=A0Massachusetts=2C France [https://static.ie.edu/CGC/AI4D%20Pape= r%203%20Applications%20of%20Artificial%20Intelligence%20Tools%20to%20Engan= ce%20Legislative%20Engagement.pdf]=2C=C2=A0Scotland [https://www.gov.scot= /news/improving-lives-through-ai/]=2C=C2=A0Taiwan [https://ai.objectives.= institute/blog/amplifying-voices-talk-to-the-city-in-taiwan]=2C and many o= thers=2C civil society within democracies are innovating and experimenting=
with ways to leverage AI to help listen to constituents and construct pub=
lic policy in a way that best serves diverse stakeholders.

If the UAE is going to build an AI-native government=2C it should do so fo=
r the purpose of empowering people and not machines. AI has real potential=
to improve deliberation and pluralism in policymaking=2C and Emirati resi= dents should hold their government accountable to delivering on this promi=
se.

** *** ***** ******* *********** *************

Since 1998=2C CRYPTO-GRAM has been a free monthly newsletter providing sum= maries=2C analyses=2C insights=2C and commentaries on security technology.=
To subscribe=2C or to read back issues=2C see Crypto-Gram's web page [ht= tps://www.schneier.com/crypto-gram/].

You can also read these articles on my blog=2C Schneier on Security [http= s://www.schneier.com].

Please feel free to forward CRYPTO-GRAM=2C in whole or in part=2C to colle= agues and friends who will find it valuable. Permission is also granted to=
reprint CRYPTO-GRAM=2C as long as it is reprinted in its entirety.

Bruce Schneier is an internationally renowned security technologist=2C cal=
led a security guru by the _Economist_. He is the author of over one dozen=
books -- including his latest=2C _A Hacker=E2=80=99s Mind_ [https://www.= schneier.com/books/a-hackers-mind/] -- as well as hundreds of articles=2C=
essays=2C and academic papers. His newsletter and blog are read by over 2= 50=2C000 people. Schneier is a fellow at the Berkman Klein Center for Inte= rnet & Society at Harvard University; a Lecturer in Public Policy at the H= arvard Kennedy School; a board member of the Electronic Frontier Foundatio= n=2C AccessNow=2C and the Tor Project; and an Advisory Board Member of the=
Electronic Privacy Information Center and VerifiedVoting.org. He is the C= hief of Security Architecture at Inrupt=2C Inc.

Copyright (c) 2025 by Bruce Schneier.

** *** ***** ******* *********** *************

Mailing list hosting graciously provided by MailChimp [https://mailchimp.= com/]. Sent without web bugs or link tracking.

This email was sent to: cryptogram@toolazy.synchro.net

_You are receiving this email because you subscribed to the Crypto-Gram ne= wsletter._

Unsubscribe from this list: https://schneier.us18.list-manage.com/unsubscr= ibe?u=3Df99e2b5ca82502f48675978be&id=3D22184111ab&t=3Db&e=3D70f249ec14&c=3D1= 9defb26a0

Update subscription preferences: https://schneier.us18.list-manage.com/pro= file?u=3Df99e2b5ca82502f48675978be&id=3D22184111ab&e=3D70f249ec14&c=3D19defb= 26a0

Bruce Schneier
Harvard Kennedy School
1 Brattle Square
Cambridge=2C MA 02138
USA
--_----------=_MCPart_401932440
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE html><html lang=3D"en"><head><meta charset=3D"UTF-8"><title>Cryp= to-Gram=2C May 15=2C 2025</title></head><body>
<div class=3D"preview-text" style=3D"display:none !important;mso-hide:all;= font-size:1px;line-height:1px;max-height:0px;max-width:0px;opacity:0;overf= low:hidden;">A monthly newsletter about cybersecurity and related topics.<= /div>
<h1 style=3D"font-size:140%">Crypto-Gram <br>
<span style=3D"display:block;padding-top:.5em;font-size:80%">May 15=2C 202= 5</span></h1>


<p>by Bruce Schneier
<br>Fellow and Lecturer=2C Harvard Kennedy School
<br>schneier@schneier.com
<br><a href=3D"https://www.schneier.com">https://www.schneier.com</a>


<p>A free monthly newsletter providing summaries=2C analyses=2C insights=
=2C and commentaries on security: computer and otherwise.</p>

<p>For back issues=2C or to subscribe=2C visit <a href=3D"https://www.schn= eier.com/crypto-gram/">Crypto-Gram's web page</a>.</p>

<p><a href=3D"https://www.schneier.com/crypto-gram/archives/2025/0515.html= ">Read this issue on the web</a></p>

<p>These same essays and news items appear in the <a href=3D"https://www.s= chneier.com/">Schneier on Security</a> blog=2C along with a lively and int= elligent comment section. An RSS feed is available.</p>

<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


<h2 style=3D"font-size:125%;font-weight:bold" id=3D"toc"><a name=3D"toc">I=
n this issue:</a></h2>

<p><em>If these links don't work in your email client=2C try <a href=3D"ht= tps://www.schneier.com/crypto-gram/archives/2025/0515.html">reading this i= ssue of Crypto-Gram on the web.</a></em></p>




<li><a href=3D"#cg1">Slopsquatting</a></li>
<li><a href=3D"#cg2">CVE Program Almost Unfunded</a></li>
<li><a href=3D"#cg3">Age Verification Using Facial Scans</a></li>
<li><a href=3D"#cg4">Android Improves Its Security</a></li>
<li><a href=3D"#cg5">Regulating AI Behavior with a Hypervisor</a></li>
<li><a href=3D"#cg6">New Linux Rootkit</a></li>
<li><a href=3D"#cg7">Cryptocurrency Thefts Get Physical</a></li>
<li><a href=3D"#cg8">Windscribe Acquitted on Charges of Not Collecting Use=
rs' Data</a></li>
<li><a href=3D"#cg9">Applying Security Engineering to Prompt Injection Sec= urity</a></li>
<li><a href=3D"#cg10">WhatsApp Case Against NSO Group Progressing</a></li> <li><a href=3D"#cg11">US as a Surveillance State</a></li>
<li><a href=3D"#cg12">NCSC Guidance on "Advanced Cryptography"</a></li>
<li><a href=3D"#cg13">Privacy for Agentic AI</a></li>
<li><a href=3D"#cg14">Another Move in the Deepfake Creation/Detection Arms=
Race</a></li>
<li><a href=3D"#cg15">Fake Student Fraud in Community Colleges</a></li>
<li><a href=3D"#cg16">Chinese AI Submersible</a></li>
<li><a href=3D"#cg17">Florida Backdoor Bill Fails</a></li>
<li><a href=3D"#cg18">Court Rules Against NSO Group</a></li>
<li><a href=3D"#cg19">Google=E2=80=99s Advanced Protection Now on Android<= /a></li>
<li><a href=3D"#cg20">Upcoming Speaking Engagements</a></li>
<li><a href=3D"#cg21">AI-Generated Law</a></li>
</ol>

<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg1"><a name=3D"cg1">S= lopsquatting</a></h2>

<p><a href=3D"https://www.schneier.com/blog/archives/2025/04/slopsquatting= =2Ehtml"><strong>[2025.04.15]</strong></a> As AI coding assistants invent n= onexistent software libraries to download and use=2C enterprising attacker=
s <a href=3D"https://www.theregister.com/2025/04/12/ai_code_suggestions_sa= botage_supply_chain/">create and upload</a> libraries with those names --=
laced with malware=2C of course.</p>

<p>EDITED TO ADD (1/22): Research <a href=3D"https://arxiv.org/pdf/2406.10= 279">paper</a>. Slashdot <a href=3D"https://it.slashdot.org/story/25/04/22= /0118200/ai-hallucinations-lead-to-a-new-cyber-threat-slopsquatting">threa= d</a>.</p>

<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg2"><a name=3D"cg2">C=
VE Program Almost Unfunded</a></h2>

<p><a href=3D"https://www.schneier.com/blog/archives/2025/04/cve-program-a= lmost-unfunded.html"><strong>[2025.04.16]</strong></a> Mitre=E2=80=99s CV= E=E2=80=99s program -- which provides common naming and other informationa=
l resources about cybersecurity vulnerabilities -- was about to <a href=3D= "https://www.csoonline.com/article/3963190/cve-program-faces-swift-end-aft= er-dhs-fails-to-renew-contract-leaving-security-flaw-tracking-in-limbo.htm= l">be cancelled</a>=2C as the US Department of Homeland Security failed to=
renew the contact. It was funded for eleven more months at the last minut= e.</p>

<p>This is a big deal. The CVE program is one of those pieces of common in= frastructure that everyone benefits from. Losing it will bring us back to=
a world where there=E2=80=99s no single way to talk about vulnerabilities=
=2E It=E2=80=99s kind of crazy to think that the US government might damage=
its own security in this way -- but I suppose no crazier than any of the=
other ways the US is working against its own interests right now.</p>

<blockquote><p>Sasha Romanosky=2C senior policy researcher at the Rand Cor= poration=2C branded the end to the CVE program as =E2=80=9Ctragic=2C=E2=80=
=9D a sentiment echoed by many cybersecurity and CVE experts reached for c= omment.</p>

<p>=E2=80=9CCVE naming and assignment to software packages and versions ar=
e the foundation upon which the software vulnerability ecosystem is based= =2C=E2=80=9D Romanosky said. =E2=80=9CWithout it=2C we can=E2=80=99t track=
newly discovered vulnerabilities. We can=E2=80=99t score their severity o=
r predict their exploitation. And we certainly wouldn=E2=80=99t be able to=
make the best decisions regarding patching them.=E2=80=9D</p>

<p>Ben Edwards=2C principal research scientist at Bitsight=2C told CSO=2C=
=E2=80=9CMy reaction is sadness and disappointment. This is a valuable re= source that should absolutely be funded=2C and not renewing the contract i=
s a mistake.=E2=80=9D</p>

<p>He added =E2=80=9CI am hopeful any interruption is brief and that if th=
e contract fails to be renewed=2C other stakeholders within the ecosystem=
can pick up where MITRE left off. The federated framework and openness of=
the system make this possible=2C but it=E2=80=99ll be a rocky road if ope= rations do need to shift to another entity.=E2=80=9D</p></blockquote>

<p>More similar quotes in the article.</p>

<p>My guess is that we will somehow figure out how to transition this prog=
ram to continue without the US government. It=E2=80=99s too important to b=
e at risk.</p>

<p>EDITED TO ADD: Another <a href=3D"https://www.wired.com/story/cve-progr= am-cisa-funding-chaos/">good article</a>.</p>

<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg3"><a name=3D"cg3">A=
ge Verification Using Facial Scans</a></h2>

<p><a href=3D"https://www.schneier.com/blog/archives/2025/04/age-verificat= ion-using-facial-scans.html"><strong>[2025.04.17]</strong></a> Discord is=
<a href=3D"https://gizmodo.com/discord-begins-testing-facial-scans-for-ag= e-verification-2000590188"> testing</a> the feature:</p>

<blockquote><p>=E2=80=9CWe=E2=80=99re currently running tests in select re= gions to age-gate access to certain spaces or user settings=2C=E2=80=9D a=
spokesperson for Discord said in a statement. =E2=80=9CThe information sh= ared to power the age verification method is only used for the one-time ag=
e verification process and is not stored by Discord or our vendor. For Fac=
e Scan=2C the solution our vendor uses operates on-device=2C which means t= here is no collection of any biometric information when you scan your face=
=2E For ID verification=2C the scan of your ID is deleted upon verification.= =E2=80=9D</p></blockquote>

<p>I look forward to all the videos of people hacking this system using va= rious disguises.</p>

<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg4"><a name=3D"cg4">A= ndroid Improves Its Security</a></h2>

<p><a href=3D"https://www.schneier.com/blog/archives/2025/04/android-impro= ves-its-security.html"><strong>[2025.04.22]</strong></a> Android phones w=
ill <a href=3D"https://arstechnica.com/gadgets/2025/04/android-phones-will= -soon-reboot-themselves-after-sitting-unused-for-3-days/">soon reboot them= selves</a> after sitting idle for three days. iPhones have had this featur=
e for a while; it=E2=80=99s nice to see Google add it to their phones.</p>

<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg5"><a name=3D"cg5">R= egulating AI Behavior with a Hypervisor</a></h2>

<p><a href=3D"https://www.schneier.com/blog/archives/2025/04/regulating-ai= -behavior-with-a-hypervisor.html"><strong>[2025.04.23]</strong></a> Inter= esting research: =E2=80=9C<a href=3D"https://arxiv.org/abs/2504.15499">Gui= llotine: Hypervisors for Isolating Malicious AIs</a>.=E2=80=9D</p>

<blockquote><p><b>Abstract</b>:As AI models become more embedded in critic=
al sectors like finance=2C healthcare=2C and the military=2C their inscrut= able behavior poses ever-greater risks to society. To mitigate this risk=
=2C we propose Guillotine=2C a hypervisor architecture for sandboxing powe= rful AI models -- models that=2C by accident or malice=2C can generate exi= stential threats to humanity. Although Guillotine borrows some well-known=
virtualization techniques=2C Guillotine must also introduce fundamentally=
new isolation mechanisms to handle the unique threat model posed by exist= ential-risk AIs. For example=2C a rogue AI may try to introspect upon hype= rvisor software or the underlying hardware substrate to enable later subve= rsion of that control plane; thus=2C a Guillotine hypervisor requires care=
ful co-design of the hypervisor software and the CPUs=2C RAM=2C NIC=2C and=
storage devices that support the hypervisor software=2C to thwart side ch= annel leakage and more generally eliminate mechanisms for AI to exploit re= flection-based vulnerabilities. Beyond such isolation at the software=2C n= etwork=2C and microarchitectural layers=2C a Guillotine hypervisor must al=
so provide physical fail-safes more commonly associated with nuclear power=
plants=2C avionic platforms=2C and other types of mission critical system=
s. Physical fail-safes=2C e.g.=2C involving electromechanical disconnectio=
n of network cables=2C or the flooding of a datacenter which holds a rogue=
AI=2C provide defense in depth if software=2C network=2C and microarchite= ctural isolation is compromised and a rogue AI must be temporarily shut do=
wn or permanently destroyed.</p></blockquote>

<p>The basic idea is that many of the AI safety policies proposed by the A=
I community lack robust technical enforcement mechanisms. The worry is tha= t=2C as models get smarter=2C they will be able to avoid those safety poli= cies. The paper proposes a set technical enforcement mechanisms that could=
work against these malicious AIs.</p>

<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg6"><a name=3D"cg6">N=
ew Linux Rootkit</a></h2>

<p><a href=3D"https://www.schneier.com/blog/archives/2025/04/new-linux-roo= tkit.html"><strong>[2025.04.24]</strong></a> <a href=3D"https://betanews.= com/2025/04/24/hackers-bypass-linux-security-with-armo-curing-rootkit/">In= teresting</a>:</p>

<blockquote><p>The company has released a working rootkit called =E2=80=9C= Curing=E2=80=9D that uses io_uring=2C a feature built into the Linux kerne= l=2C to stealthily perform malicious activities without being caught by ma=
ny of the detection solutions currently on the market.</p>

<p>At the heart of the issue is the heavy reliance on monitoring system ca= lls=2C which has become the go-to method for many cybersecurity vendors. T=
he problem? Attackers can completely sidestep these monitored calls by lea= ning on io_uring instead. This clever method could let bad actors quietly=
make network connections or tamper with files without triggering the usua=
l alarms.</p></blockquote>

<p><a href=3D"https://github.com/armosec/curing">Here=E2=80=99s</a> the co= de.</p>

<p>Note the self-serving nature of this announcement: ARMO=2C the company=
that released the research and code=2C has a product that it claims block=
s this kind of attack.</p>

<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg7"><a name=3D"cg7">C= ryptocurrency Thefts Get Physical</a></h2>

<p><a href=3D"https://www.schneier.com/blog/archives/2025/04/cryptocurrenc= y-thefts-get-physical.html"><strong>[2025.04.25]</strong></a> Long <a hre= f=3D"https://www.nytimes.com/2025/04/24/magazine/crybercrime-crypto-minecr= aft.html">story</a> of a $250 million cryptocurrency theft that=2C in a co= mplicated chain events=2C resulted in a pretty brutal kidnapping.</p>

<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg8"><a name=3D"cg8">W= indscribe Acquitted on Charges of Not Collecting Users' Data</a></h2>

<p><a href=3D"https://www.schneier.com/blog/archives/2025/04/windscribe-ac= quitted-on-charges-of-not-collecting-users-data.html"><strong>[2025.04.28= ]</strong></a> The company doesn=E2=80=99t keep logs=2C so couldn=E2=80=99=
t <a href=3D"https://hackread.com/court-dismisses-criminal-charges-against= -vpn-executive-no-log-policy/">turn over data</a>:</p>

<blockquote><p>Windscribe=2C a globally used privacy-first VPN service=2C=
announced today that its founder=2C Yegor Sak=2C has been fully acquitted=
by a court in Athens=2C Greece=2C following a two-year legal battle in wh=
ich Sak was personally charged in connection with an alleged internet offe=
nce by an unknown user of the service.</p>

<p>The case centred around a Windscribe-owned server in Finland that was a= llegedly used to breach a system in Greece. Greek authorities=2C in cooper= ation with INTERPOL=2C traced the IP address to Windscribe=E2=80=99s infra= structure and=2C unlike standard international procedures=2C proceeded to=
initiate criminal proceedings against Sak himself=2C rather than pursuing=
information through standard corporate channels.</p></blockquote>

<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg9"><a name=3D"cg9">A= pplying Security Engineering to Prompt Injection Security</a></h2>

<p><a href=3D"https://www.schneier.com/blog/archives/2025/04/applying-secu= rity-engineering-to-prompt-injection-security.html"><strong>[2025.04.29]<= /strong></a> This seems like an <a href=3D"https://arstechnica.com/informa= tion-technology/2025/04/researchers-claim-breakthrough-in-fight-against-ai= s-frustrating-security-hole/">important advance</a> in LLM security agains=
t prompt injection:</p>

<blockquote><p>Google DeepMind has <a href=3D"https://arxiv.org/abs/2503.1= 8813">unveiled CaMeL</a> (CApabilities for MachinE Learning)=2C a new appr= oach to stopping prompt-injection attacks that abandons the failed strateg=
y of having AI models police themselves. Instead=2C CaMeL treats language=
models as fundamentally untrusted components within a secure software fra= mework=2C creating clear boundaries between user commands and potentially=
malicious content.</p>

<p>[...]</p>

<p>To understand CaMeL=2C you need to understand that prompt injections ha= ppen when AI systems can=E2=80=99t distinguish between legitimate user com= mands and malicious instructions hidden in content they=E2=80=99re process= ing.</p>

<p>[...]</p>

<p>While CaMeL does use multiple AI models (a privileged LLM and a quarant= ined LLM)=2C what makes it innovative isn=E2=80=99t reducing the number of=
models but fundamentally changing the security architecture. Rather than=
expecting AI to detect attacks=2C CaMeL implements established security e= ngineering principles like capability-based access control and data flow t= racking to create boundaries that remain effective even if an AI component=
is compromised.</p></blockquote>

<p>Research <a href=3D"https://arxiv.org/abs/2503.18813">paper</a>. Good <=
a href=3D"https://simonwillison.net/2025/Apr/11/camel/">analysis</a> by Si=
mon Willison.</p>

<p>I wrote about the problem of LLMs intermingling the data and control pa=
ths <a href=3D"https://cacm.acm.org/opinion/llms-data-control-path-insecur= ity/">here</a>.</p>

<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg10"><a name=3D"cg10"= >WhatsApp Case Against NSO Group Progressing</a></h2>

<p><a href=3D"https://www.schneier.com/blog/archives/2025/04/whatsapp-case= -against-nso-group-progressing.html"><strong>[2025.04.30]</strong></a> Me=
ta is suing NSO Group=2C <a href=3D"https://cyberscoop.com/whatsapp-nso-gr= oup-trial-judge-limits-evidence-2025/">basically claiming</a> that the lat=
ter hacks WhatsApp and not just WhatsApp users. We have a procedural rulin= g:</p>

<blockquote><p>Under <a href=3D"https://www.courtlistener.com/docket/16395= 340/686/whatsapp-inc-v-nso-group-technologies-limited/">the order</a>=2C N=
SO Group is prohibited from presenting evidence about its customers=E2=80=
=99 identities=2C implying the targeted WhatsApp users are suspected or a= ctual criminals=2C or alleging that WhatsApp had insufficient security pro= tections.</p>

<p>[...]</p>

<p>In making her ruling=2C Northern District of California Judge Phyllis H= amilton said NSO Group undercut its arguments to use evidence about its cu= stomers with contradictory statements.</p>

<p>=E2=80=9CDefendants cannot claim=2C on the one hand=2C that its intent=
is to help its clients fight terrorism and child exploitation=2C and on t=
he other hand say that it has nothing to do with what its client does with=
the technology=2C other than advice and support=2C=E2=80=9D she wrote.=
=E2=80=9CAdditionally=2C there is no evidence as to the specific kinds of=
crimes or security threats that its clients actually investigate and none=
with respect to the attacks at issue.=E2=80=9D</p></blockquote>

<p>I have <a href=3D"https://www.schneier.com/academic/archives/2022/03/pl= atforms-encryption-and-the-cfaa-the-case-of-whatsapp-v-nso-group.html">wri= tten about</a> the issues at play in this case.</p>

<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg11"><a name=3D"cg11"=

US as a Surveillance State</a></h2>

<p><a href=3D"https://www.schneier.com/blog/archives/2025/05/us-as-a-surve= illance-state.html"><strong>[2025.05.01]</strong></a> Two essays were <a=
href=3D"https://www.theatlantic.com/technology/archive/2025/04/american-p= anopticon/682616/">just</a> <a href=3D"https://www.nytimes.com/2025/04/30/= opinion/musk-doge-data-ai.html">published</a> on DOGE=E2=80=99s data colle= ction and aggregation=2C and how it ends with a modern surveillance state.=


<p>It=E2=80=99s good to see this finally being talked about.</p>

<p>EDITED TO ADD (5/3): Here=E2=80=99s a <a href=3D"https://www.msn.com/en= -us/news/technology/american-panopticon/ar-AA1DHVYA">free link</a> to that=
first essay.</p>

<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg12"><a name=3D"cg12"= >NCSC Guidance on "Advanced Cryptography"</a></h2>

<p><a href=3D"https://www.schneier.com/blog/archives/2025/05/ncsc-guidance= -on-advanced-cryptography.html"><strong>[2025.05.02]</strong></a> The UK= =E2=80=99s National Cyber Security Centre just released its <a href=3D"htt= ps://www.ncsc.gov.uk/whitepaper/advanced-cryptography">white paper</a> on=
=E2=80=9CAdvanced Cryptography=2C=E2=80=9D which it defines as =E2=80=9Cc= ryptographic techniques for processing encrypted data=2C providing enhance=
d functionality over and above that provided by traditional cryptography.= =E2=80=9D It includes things like homomorphic encryption=2C attribute-base=
d encryption=2C zero-knowledge proofs=2C and secure multiparty computation= =2E</p>

<p>It=E2=80=99s full of good advice. I especially appreciate this warning:=


<blockquote><p>When deciding whether to use Advanced Cryptography=2C start=
with a clear articulation of the problem=2C and use that to guide the dev= elopment of an appropriate solution. That is=2C you should not start with=
an Advanced Cryptography technique=2C and then attempt to fit the functio= nality it provides to the problem.</p></blockquote>

<p>And:</p>

<blockquote><p>In almost all cases=2C it is bad practice for users to desi=
gn and/or implement their own cryptography; this applies to Advanced Crypt= ography even more than traditional cryptography because of the complexity=
of the algorithms. It also applies to writing your own application based=
on a cryptographic library that implements the Advanced Cryptography prim= itive operations=2C because subtle flaws in how they are used can lead to=
serious security weaknesses.</p></blockquote>

<p>The conclusion:</p>

<blockquote><p>Advanced Cryptography covers a range of techniques for prot= ecting sensitive data at rest=2C in transit and in use. These techniques e= nable novel applications with different trust relationships between the pa= rties=2C as compared to traditional cryptographic methods for encryption a=
nd authentication.</p>

<p>However=2C there are a number of factors to consider before deploying a=
solution based on Advanced Cryptography=2C including the relative immatur=
ity of the techniques and their implementations=2C significant computation=
al burdens and slow response times=2C and the risk of opening up additiona=
l cyber attack vectors.</p>

<p>There are initiatives underway to standardise some forms of Advanced Cr= yptography=2C and the efficiency of implementations is continually improvi=
ng. While many data processing problems can be solved with traditional cry= ptography (which will usually lead to a simpler=2C lower-cost and more mat=
ure solution) for those that cannot=2C Advanced Cryptography techniques co=
uld in the future enable innovative ways of deriving benefit from large sh= ared datasets=2C without compromising individuals=E2=80=99 privacy.</p></= blockquote>

<p>NCSC <a href=3D"https://www.ncsc.gov.uk/blog-post/advanced-cryptography= -new-approaches-to-data-privacy">blog entry</a>.</p>

<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg13"><a name=3D"cg13"= >Privacy for Agentic AI</a></h2>

<p><a href=3D"https://www.schneier.com/blog/archives/2025/05/privacy-for-a= gentic-ai.html"><strong>[2025.05.02]</strong></a> Sooner or later=2C it= =E2=80=99s going to happen. AI systems will start acting as agents=2C doin=
g things on our behalf with some degree of autonomy. I think it=E2=80=99s=
worth thinking about the security of that now=2C while its still a nascen=
t idea.</p>

<p>In 2019=2C I <a href=3D"https://www.schneier.com/blog/archives/2020/02/= inrupt_tim_bern.html">joined</a> Inrupt=2C a company that is commercializi=
ng Tim Berners-Lee=E2=80=99s open protocol for distributed data ownership.=
We are working on a <a href=3D"https://www.schneier.com/blog/archives/202= 4/07/data-wallets-using-the-solid-protocol.html">digital wallet</a> that c=
an make use of AI in this way. (We used to call it an =E2=80=9Cactive wall= et.=E2=80=9D Now we=E2=80=99re calling it an =E2=80=9Cagentic wallet.=E2= =80=9D)</p>

<p>I talked <a href=3D"https://www.instagram.com/rsaconference/p/DGv4Yf5SC= sw/">about</a> <a href=3D"https://www.rsaconference.com/library/video/2025= -keynote-preview-bruce-schneier">this</a> a bit at the <a href=3D"https://= www.rsaconference.com/">RSA Conference</a> earlier this week=2C in my keyn=
ote talk about AI and trust. Any useful AI assistant is going to require a=
level of access -- and therefore trust -- that rivals what we currently o=
ur email provider=2C social network=2C or smartphone.</p>

<blockquote><p>This Active Wallet is an example of an AI assistant. It=E2= =80=99ll combine personal information about you=2C transactional data that=
you are a party to=2C and general information about the world. And use th=
at to answer questions=2C make predictions=2C and ultimately act on your b= ehalf. We have demos of this running right now. At least in its early stag=
es. Making it work is going require an extraordinary amount of trust in th=
e system. This requires integrity. Which is why we=E2=80=99re building pro= tections in from the beginning.</p></blockquote>

<p>Visa is also thinking about this. It <a href=3D"https://usa.visa.com/ab= out-visa/newsroom/press-releases.releaseId.21361.html">just</a> <a href=3D= "https://corporate.visa.com/en/products/intelligent-commerce.html">announc= ed</a> a protocol that uses AI to help people make purchasing decisions.</=


<p>I like Visa=E2=80=99s approach because it=E2=80=99s an AI-agnostic stan= dard. I worry a lot about lock-in and monopolization of this space=2C so a= nything that lets people easily switch between AI models is good. And I li=
ke that Visa is working with Inrupt so that the data is decentralized as w= ell. Here=E2=80=99s <a href=3D"https://www.inrupt.com/blog/standards-for-a= gentic-commerce-visas-bold-move">our announcement</a> about its announceme= nt:</p>

<blockquote><p>This isn=E2=80=99t a new relationship -- we=E2=80=99ve been=
working together for over two years. We=E2=80=99ve conducted a successful=
POC and now we=E2=80=99re standing up a sandbox inside Visa so merchants=
=2C financial institutions and LLM providers can test our Agentic Wallets=
alongside the rest of Visa=E2=80=99s suite of Intelligent Commerce APIs.<=


<p>For that matter=2C we welcome any other company that wants to engage in=
the world of personal=2C consented Agentic Commerce to come work with us=
as well.</p></blockquote>

<p>I joined Inrupt years ago because I thought that Solid could do for per= sonal data what HTML did for published information. I liked that the proto=
col was an open standard=2C and that it distributed data instead of centra= lizing it. AI agents need decentralized data. =E2=80=9CWallet=E2=80=9D is=
a good metaphor for personal data stores. I=E2=80=99m hoping this is anot=
her step towards adoption.</p>

<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg14"><a name=3D"cg14"= >Another Move in the Deepfake Creation/Detection Arms Race</a></h2>

<p><a href=3D"https://www.schneier.com/blog/archives/2025/05/another-move-= in-the-deepfake-creation-detection-arms-race.html"><strong>[2025.05.05]</= strong></a> Deepfakes are now <a href=3D"https://studyfinds.org/deepfakes-= outsmarting-detection-heartbeats/">mimicking heartbeats</a></p>

<blockquote><p>In a nutshell</p>

<ul><li>Recent research reveals that high-quality deepfakes unintentionall=
y retain the heartbeat patterns from their source videos=2C undermining tr= aditional detection methods that relied on detecting subtle skin color cha= nges linked to heartbeats.

</li><li>The assumption that deepfakes lack physiological signals=2C such=
as heart rate=2C is no longer valid. This challenges many existing detect=
ion tools=2C which may need significant redesigns to keep up with the evol= ving technology.

</li><li>To effectively identify high-quality deepfakes=2C researchers sug= gest shifting focus from just detecting heart rate signals to analyzing ho=
w blood flow is distributed across different facial regions=2C providing a=
more accurate detection strategy.</li></ul></blockquote>

<p>And the AI models will start mimicking that.</p>

<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg15"><a name=3D"cg15"= >Fake Student Fraud in Community Colleges</a></h2>

<p><a href=3D"https://www.schneier.com/blog/archives/2025/05/fake-student-= fraud-in-community-colleges.html"><strong>[2025.05.06]</strong></a> Repor=
ting on the rise of <a href=3D"https://voiceofsandiego.org/2025/04/14/as-b= ot-students-continue-to-flood-in-community-colleges-struggle-to-respond/">= fake students</a> enrolling in community college courses:</p>

<blockquote><p>The bots=E2=80=99 goal is to bilk state and federal financi=
al aid money by enrolling in classes=2C and remaining enrolled in them=2C=
long enough for aid disbursements to go out. They often accomplish this b=
y submitting AI-generated work. And because community colleges accept all=
applicants=2C they=E2=80=99ve been almost exclusively impacted by the fra= ud.</p></blockquote>

<p>The article talks about the rise of this type of fraud=2C the difficult=
y of detecting it=2C and how it upends quite a bit of the class structure=
and learning community.</p>

<p>Slashdot <a href=3D"https://news.slashdot.org/story/25/04/17/1611216/bo= t-students-siphon-millions-in-financial-aid-from-us-community-colleges">th= read</a>.</p>

<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg16"><a name=3D"cg16"= >Chinese AI Submersible</a></h2>

<p><a href=3D"https://www.schneier.com/blog/archives/2025/05/chinese-ai-su= bmersible.html"><strong>[2025.05.07]</strong></a> A Chinese company has <=
a href=3D"https://www.scmp.com/news/china/politics/article/3308410/china-l= aunches-blue-whale-worlds-first-high-speed-typhoon-proof-uncrewed-submersi= ble">developed</a> an AI-piloted submersible that can reach speeds =E2=80= =9Csimilar to a destroyer or a US Navy torpedo=2C=E2=80=9D dive =E2=80=9Cu=
p to 60 metres underwater=2C=E2=80=9D and =E2=80=9Cremain static for more=
than a month=2C like the stealth capabilities of a nuclear submarine.=E2= =80=9D In case you=E2=80=99re worried about the military applications of t= his=2C you can relax because the company says that the submersible is =E2= =80=9Cdesignated for civilian use=E2=80=9D and can =E2=80=9Claunch researc=
h rockets.=E2=80=9D</p>

<p>=E2=80=9CResearch rockets.=E2=80=9D Sure.</p>

<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg17"><a name=3D"cg17"= >Florida Backdoor Bill Fails</a></h2>

<p><a href=3D"https://www.schneier.com/blog/archives/2025/05/florida-backd= oor-bill-fails.html"><strong>[2025.05.12]</strong></a> A Florida bill req= uiring encryption backdoors <a href=3D"https://techcrunch.com/2025/05/09/f= lorida-bill-requiring-encryption-backdoors-for-social-media-accounts-has-f= ailed/">failed to pass</a>.</p>

<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg18"><a name=3D"cg18"= >Court Rules Against NSO Group</a></h2>

<p><a href=3D"https://www.schneier.com/blog/archives/2025/05/court-rules-a= gainst-nso-group.html"><strong>[2025.05.13]</strong></a> The case is <a h= ref=3D"https://arstechnica.com/security/2025/05/jury-orders-nso-to-pay-167= -million-for-hacking-whatsapp-users/">over</a>:</p>

<blockquote><p>A jury has awarded WhatsApp $167 million in punitive damage=
s in a case the company brought against Israel-based NSO Group for exploit=
ing a software vulnerability that hijacked the phones of thousands of user= s.</p></blockquote>

<p>I=E2=80=99m sure it=E2=80=99ll be appealed. Everything always is.</p>

<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg19"><a name=3D"cg19"= >Google=E2=80=99s Advanced Protection Now on Android</a></h2>

<p><a href=3D"https://www.schneier.com/blog/archives/2025/05/googles-advan= ced-protection-now-on-android.html"><strong>[2025.05.14]</strong></a> Goo=
gle has <a href=3D"https://security.googleblog.com/2025/05/advanced-protec= tion-mobile-devices.html">extended</a> its Advanced Protection features to=
Android devices. It=E2=80=99s not for everybody=2C but something to be co= nsidered by high-risk users.</p>

<p>Wired <a href=3D"https://www.wired.com/story/google-advanced-protection= -vulnerable-users-lockdown-android-16/">article</a>=2C behind a paywall.</=


<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg20"><a name=3D"cg20"= >Upcoming Speaking Engagements</a></h2>

<p><a href=3D"https://www.schneier.com/blog/archives/2025/05/upcoming-spea= king-engagements-46.html"><strong>[2025.05.14]</strong></a> This is a cur=
rent list of where and when I am scheduled to speak:</p>



<li>I=E2=80=99m speaking (remotely) at the <a href=3D"https://sektor3-= 0.pl/en/festival/">Sektor 3.0 Festival</a> in Warsaw=2C Poland=2C May 21-2= 2=2C 2025.</li>
</ul>

<p>The list is maintained on <a href=3D"https://www.schneier.com/events/">= this page</a>.</p>

<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=


<h2 style=3D"font-size:125%;font-weight:bold" id=3D"cg21"><a name=3D"cg21"= >AI-Generated Law</a></h2>

<p><a href=3D"https://www.schneier.com/blog/archives/2025/05/ai-generated-= law.html"><strong>[2025.05.15]</strong></a> On April 14=2C Dubai's ruler=
=2C Sheikh Mohammed bin Rashid Al Maktoum=2C=C2=A0<a href=3D"https://x.com= /HHShkMohd/status/1911795135039635659">announced</a>=C2=A0that the United=
Arab Emirates would begin using=C2=A0<a href=3D"https://x.com/UAEmediaoff= ice/status/1911809411577684257">artificial intelligence</a>=C2=A0to help w= rite its laws. A new Regulatory Intelligence Office would use the technolo=
gy to "regularly suggest updates" to the law and "accelerate the issuance=
of legislation by up to 70%." AI would create a "comprehensive legislativ=
e plan" spanning local and federal law and would be connected to public ad= ministration=2C the courts=2C and global policy trends.</p>

<p>The plan was widely greeted with astonishment. This sort of AI legislat=
ing would be a global "<a href=3D"https://www.ft.com/content/9019cd51-2b55= -4175-81a6-eafcf28609c3">first</a>=2C" with the potential to go "<a href= =3D"https://www.zmescience.com/future/uae-ai-lawmakers/">horribly wrong</a=

." Skeptics fear that the AI model will make up facts or fundamentally fa=

il to understand societal tenets such as fair treatment and justice when i= nfluencing law.</p>

<p>The truth is=2C the UAE's idea of AI-generated law is not really a firs=
t and not necessarily terrible.</p>

<p>The first instance=C2=A0of enacted law known to have been written by AI=
was=C2=A0<a href=3D"https://www.washingtonpost.com/nation/2023/12/04/ai-w= ritten-law-porto-alegre-brazil/">passed</a>=C2=A0in Porto Alegre=2C Brazil=
=2C in 2023. It was a local ordinance about water meter replacement. Counc=
il member Ramiro Ros=C3=A1rio was simply looking for help in generating an=
d articulating ideas for solving a policy problem=2C and ChatGPT did well=
enough that the bill passed unanimously. We approve of AI assisting human=
s in this manner=2C although Ros=C3=A1rio should have disclosed that the b=
ill was written by AI before it was voted on.</p>

<p>Brazil was a harbinger but hardly unique. In recent years=2C there has=
been a steady stream of attention-seeking politicians at the local and na= tional level introducing=C2=A0<a href=3D"https://www.bostonglobe.com/2023/= 01/24/metro/this-state-senator-drafted-legislation-regulate-artificial-int= elligence-technology-with-some-help-chatgpt/">bills</a>=C2=A0that they pro= mote as being drafted by AI or letting AI write their=C2=A0<a href=3D"http= s://apnews.com/article/technology-science-oddities-israel-massachusetts-11= b4dc6e42afd2d68be28dedf86fd25a">speeches</a>=C2=A0for them or even=C2=A0<a=
href=3D"https://www.politico.com/news/2023/05/17/blumenthal-ai-deepfake-r= ecording-senate-hearing-00097349">vocalize</a>=C2=A0them in the chamber.</=


<p>The Emirati proposal is different from those examples in important ways=
=2E It promises to be more systemic and less of a one-off stunt. The UAE has=
promised to spend more than $3 billion to transform into an "<a href=3D"h= ttps://en.aletihad.ae/news/uae/4569345/uae-to-become-first-country-to-util= ise-ai-in-writing-laws">AI-native</a>" government by 2027. Time will tell=
if it is also different in being more hype than reality.</p>

<p>Rather than being a true first=2C the UAE's announcement is emblematic=
of a much=C2=A0<a href=3D"https://www.popvox.org/blog/assessing-us-congre= ssional-ai-adoption">wider global trend</a>=C2=A0of legislative bodies int= egrating AI assistive tools for legislative research=2C drafting=2C transl= ation=2C data processing=2C and much more. Individual lawmakers have begun=
turning to AI drafting tools as they traditionally have relied on staffer= s=2C interns=2C or lobbyists. The French government has gone so far as to= =C2=A0<a href=3D"https://arxiv.org/pdf/2401.16182">train</a>=C2=A0its own=
AI model to assist with legislative tasks.</p>

<p>Even asking AI to comprehensively review and update legislation would n=
ot be a first. In 2020=2C the U.S. state of Ohio began using AI to do whol= esale=C2=A0<a href=3D"https://governor.ohio.gov/administration/lt-governor= /launches-ai-tool-to-analyze-ohio-regulations">revision</a>=C2=A0of its ad= ministrative law. AI's speed is potentially a good match to this kind of l= arge-scale editorial project; the state's then-lieutenant governor=2C Jon=
Husted=2C claims it was successful in eliminating=C2=A0<a href=3D"https:/= /www.axios.com/local/columbus/2024/04/29/artificial-intelligence-ai-ohio-s= tate-administrative-code-husted">2.2 million</a>=C2=A0words' worth of unne= cessary regulation from Ohio's code. Now a U.S. senator=2C Husted has rece= ntly=C2=A0<a href=3D"https://www.husted.senate.gov/press-releases/husted-i= ntroduces-bill-leveraging-ai-to-increase-efficiency-within-federal-code/">= proposed</a>=C2=A0to take the same approach to U.S. federal law=2C with an=
ideological bent promoting AI as a tool for systematic=C2=A0<a href=3D"ht= tps://www.wsj.com/opinion/ai-can-be-a-force-for-deregulation-technology-go= vernment-ohio-federal-365ed0d4">deregulation</a>.</p>

<p>The dangers of confabulation and inhumanity -- while legitimate -- aren=
't really what makes the potential of AI-generated law novel. Humans make=
mistakes when writing law=2C too. Recall that a single=C2=A0<a href=3D"ht= tps://www.nytimes.com/2015/05/26/us/politics/contested-words-in-affordable= -care-act-may-have-been-left-by-mistake.html">typo</a>=C2=A0in a 900-page=
law nearly brought down the massive U.S. health care reforms of the Affor= dable Care Act in 2015=2C before the Supreme Court=C2=A0<a href=3D"https:/= /time.com/3935707/supreme-court-obamacare-affordable-care/">excused</a>=C2= =A0the error. And=2C distressingly=2C the citizens and residents of nondem= ocratic states are already subject to arbitrary and often inhumane laws. (=
The UAE is a federation of monarchies without direct elections of legislat=
ors and with a poor record on political rights and civil liberties=2C as e= valuated by=C2=A0<a href=3D"https://freedomhouse.org/country/united-arab-e= mirates">Freedom House</a>.)</p>

<p>The primary concern with using AI in lawmaking is that it will be wield=
ed as a tool by the powerful to advance their own interests. AI may not fu= ndamentally change lawmaking=2C but its superhuman capabilities have the p= otential to exacerbate the risks of power concentration.</p>

<p>AI=2C and technology generally=2C is often invoked by politicians to gi=
ve their project a patina of objectivity and rationality=2C but it doesn't=
really do any such thing. As proposed=2C AI would simply give the UAE's h= ereditary rulers new tools to express=2C enact=2C and enforce their prefer=
red policies.</p>

<p>Mohammed's emphasis that a primary benefit of AI will be to make law=C2= =A0<a href=3D"https://www.ft.com/content/9019cd51-2b55-4175-81a6-eafcf2860= 9c3">faster</a>=C2=A0is also misguided. The machine may write the text=2C=
but humans will still propose=2C debate=2C and vote on the legislation. D= rafting is rarely the bottleneck in passing new law. What takes much longe=
r is for humans to amend=2C horse-trade=2C and ultimately come to agreemen=
t on the content of that legislation -- even when that politicking is happ= ening among a small group of monarchic elites.</p>

<p>Rather than expeditiousness=2C the more important capability offered by=
AI is sophistication. AI has the potential to make law more=C2=A0<a href= =3D"https://www.lawfaremedia.org/article/ai-will-write-complex-laws">compl= ex</a>=2C tailoring it to a multitude of different scenarios. The combinat=
ion of AI's research and drafting speed makes it possible for it to outlin=
e legislation governing dozens=2C even thousands=2C of special cases for e=
ach proposed rule.</p>

<p>But here again=2C this capability of AI opens the door for the powerful=
to have their way. AI's capacity to write complex law would allow the hum=
ans directing it to dictate their exacting policy preference for every spe= cial case. It could even embed those preferences surreptitiously.</p>

<p>Since time immemorial=2C=C2=A0legislators have carved out legal loophol=
es to narrowly cater to special interests. AI will be a=C2=A0<a href=3D"ht= tps://www.nytimes.com/2023/01/15/opinion/ai-chatgpt-lobbying-democracy.htm= l">powerful</a>=C2=A0tool for authoritarians=2C lobbyists=2C and other emp= owered interests to do this at a greater scale. AI can help automatically=
produce what political scientist Amy McKay has termed "<a href=3D"https:/= /www.technologyreview.com/2023/03/14/1069717/how-ai-could-write-our-laws/"= >microlegislation</a>": loopholes that may be imperceptible to human reade=
rs on the page -- until their impact is realized in the real world.</p>

<p>But AI can be constrained and directed to distribute power rather than=
concentrate it. For Emirati residents=2C the most intriguing possibility=
of the AI plan is the promise to introduce AI "interactive platforms" whe=
re the public can provide input to legislation. In experiments across loca=
les as diverse as=C2=A0<a href=3D"https://www.technologyreview.com/2025/04= /15/1115125/a-small-us-city-experiments-with-ai-to-find-out-what-residents= -want/">Kentucky</a>=2C=C2=A0<a href=3D"https://static.ie.edu/CGC/AI4D%20P= aper%203%20Applications%20of%20Artificial%20Intelligence%20Tools%20to%20En= gance%20Legislative%20Engagement.pdf">Massachusetts=2C France</a>=2C=C2=A0=
<a href=3D"https://www.gov.scot/news/improving-lives-through-ai/">Scotland= </a>=2C=C2=A0<a href=3D"https://ai.objectives.institute/blog/amplifying-vo= ices-talk-to-the-city-in-taiwan">Taiwan</a>=2C and many others=2C civil so= ciety within democracies are innovating and experimenting with ways to lev= erage AI to help listen to constituents and construct public policy in a w=
ay that best serves diverse stakeholders.</p>

<p>If the UAE is going to build an AI-native government=2C it should do so=
for the purpose of empowering people and not machines. AI has real potent=
ial to improve deliberation and pluralism in policymaking=2C and Emirati r= esidents should hold their government accountable to delivering on this pr= omise.</p>


<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=




<p>Since 1998=2C CRYPTO-GRAM has been a free monthly newsletter providing=
summaries=2C analyses=2C insights=2C and commentaries on security technol= ogy. To subscribe=2C or to read back issues=2C see <a href=3D"https://www.= schneier.com/crypto-gram/">Crypto-Gram's web page</a>.</p>

<p>You can also read these articles on my blog=2C <a href=3D"https://www.s= chneier.com">Schneier on Security</a>.</p>

<p>Please feel free to forward CRYPTO-GRAM=2C in whole or in part=2C to co= lleagues and friends who will find it valuable. Permission is also granted=
to reprint CRYPTO-GRAM=2C as long as it is reprinted in its entirety.</p>

<p><span style=3D"font-style: italic">Bruce Schneier is an internationally=
renowned security technologist=2C called a security guru by the <cite sty= le=3D"font-style:normal">Economist</cite>. He is the author of over one do=
zen books -- including his latest=2C <a href=3D"https://www.schneier.com/b= ooks/a-hackers-mind/"><cite style=3D"font-style:normal">A Hacker=E2=80=99s=
Mind</cite></a> -- as well as hundreds of articles=2C essays=2C and acade=
mic papers. His newsletter and blog are read by over 250=2C000 people. Sch= neier is a fellow at the Berkman Klein Center for Internet & Society at Ha= rvard University; a Lecturer in Public Policy at the Harvard Kennedy Schoo=
l; a board member of the Electronic Frontier Foundation=2C AccessNow=2C an=
d the Tor Project; and an Advisory Board Member of the Electronic Privacy=
Information Center and VerifiedVoting.org. He is the Chief of Security Ar= chitecture at Inrupt=2C Inc.</span></p>

<p>Copyright &copy; 2025 by Bruce Schneier.</p>


<p style=3D"font-size:88%">** *** ***** ******* *********** *************<=

<p>Mailing list hosting graciously provided by <a href=3D"https://mailchim= p.com/">MailChimp</a>. Sent without web bugs or link tracking.</p>
<p>This email was sent to: cryptogram@toolazy.synchro.net
<br><em>You are receiving this email because you subscribed to the Crypto-= Gram newsletter.</em></p>

<p><a style=3D"display:inline-block" href=3D"https://schneier.us18.list-ma= nage.com/unsubscribe?u=3Df99e2b5ca82502f48675978be&id=3D22184111ab&t=3Db&e= =3D70f249ec14&c=3D19defb26a0">unsubscribe from this list</a>&nbsp;&nbsp;&nbs= p;&nbsp;<a style=3D"display:inline-block" href=3D"https://schneier.us18.li= st-manage.com/profile?u=3Df99e2b5ca82502f48675978be&id=3D22184111ab&e=3D70f249ec14&c=3D19defb26a0">update subscription preferences</a>
<br>Bruce Schneier &middot; Harvard Kennedy School &middot; 1 Brattle Squa=
re &middot; Cambridge=2C MA 02138 &middot; USA</p>


</body></html>
--_----------=_MCPart_401932440--