It was the best of intentions, it was the worst of implementations

This week in our main story, Heather Burns explores the unfolding drama of two distinct Technical Capability Notices (TCNs) from the UK government.
But first...
Can the Feds get my data? | ¿Puede el gobierno federal acceder a mis datos?
Since Trump began his second term, organizations, activists, and individuals involved in digital rights, data privacy, and technology advocacy have all been scrambling to secure every aspect of their digital work. But what exactly is at risk? What kind of requests for data should you anticipate receiving? Does moving servers to another country make any difference? How should you prepare?
A new webinar from May First, the Electronic Frontier Foundation and the Progressive Technology Project will demystify the hype, cut through the fear and tell real stories from the past and present. They will share actual subpoenas and search warrants served on May First, and discuss what they did in response and what made their lives harder and easier. In addition, you will hear from the Electronic Frontier Foundation about how these legal instruments (and others) work and what steps you can take now to defend yourselves.
When: Wednesday, April 30th, 9:30 AM PT / 10:30 AM Mexico City / 11:30 AM Chicago / 12:30 PM New York.
This Week's Links
Internet Governance
- The U.S.'s recent retreat from collaborative internet governance at the UN could shift global digital policy towards authoritarian models, risking its influence and opening the door for China and Russia to lead. https://www.atlanticcouncil.org/blogs/new-atlanticist/how-the-us-retreat-from-the-un-endangers-the-future-of-internet-governance
- This piece explores the intersection of postcolonial authoritarianism, platform capitalism, and surveillance, proposing a three-level model of digital authoritarianism that highlights the role of platform actors in driving contemporary digital surveillance. https://ojs.library.queensu.ca/index.php/surveillance-and-society/article/view/18917
- The 2025 Internet Governance Forum has been criticized for focusing heavily on UN-related processes while excluding key geopolitical issues like the US-China tech rivalry and state censorship. https://www.internetgovernance.org/2025/04/23/has-the-igf-lost-the-plot
- Dr. Laura DeNardis explores the rising threats to space-based infrastructure and the crucial governance questions for building a secure solar-system Internet for humanity's benefit. https://www.youtube.com/watch?v=kHRukpFrWws
- The dominance of Big Tech companies like Meta, Amazon, Microsoft, and Apple, alongside Chinese counterparts, has led to unprecedented concentration of techno-economic power, impacting income distribution, labor, innovation, and fueling geopolitical tensions. https://www.intereconomics.eu/contents/year/2025/number/2/article/big-tech-and-the-us-digital-military-industrial-complex.html
- A new report from the critical infrastructure lab highlights how cloud computing is reshaping internet governance, using the Dutch SIDN's migration to Amazon Web Services as a case study. https://www.criticalinfralab.net/wp-content/uploads/2025/04/CIL010.pdf
- Despite President Trump's public support for AI, his administration's policies are undermining the very foundation of the U.S. AI sector. https://www.theatlantic.com/technology/archive/2025/04/trump-jeopardizing-ai-boom/682404
- CCIA Europe urges AGCOM not to extend telecom rules to CDNs and content providers, warning it lacks justification, introduces de facto network fees, and risks harming investment and legal clarity. https://ccianet.org/wp-content/uploads/2025/04/CCIA-Europe-response-to-AGCOM-Consultation-on-Resolution.pdf
- A new report from the critical infrastructure lab analyzes how EU funding programs like Digital Europe and Horizon Europe aim to boost digital innovation and reduce reliance on non-EU tech giants in pursuit of digital sovereignty. https://zenodo.org/records/15263223
- The EU has fined Apple €500 million and Meta €200 million for failing to comply with the Digital Markets Act. https://www.lemonde.fr/en/pixels/article/2025/04/23/eu-fines-apple-500-million-and-meta-200-million_6740541_13.html
- A new report exposes how weak data access and governance are undermining election integrity across Africa, despite their critical role in democratic processes. https://researchictafrica.net/research/data-deficits-and-democratic-processes-the-under-explored-role-of-data-in-african-elections
- A key OpenAI safety partner says it had too little time to test the company’s powerful new model, o3. https://techcrunch.com/2025/04/16/openai-partner-says-it-had-relatively-little-time-to-test-the-companys-new-ai-models
- To protect kids online, Mark Zuckerberg says Congress should focus on Apple and Google, not Facebook and Instagram. And they seem to be listening. https://www.politico.com/news/2025/04/20/zuckerbergs-enlisting-the-gop-against-tech-rivals-apple-and-google-00295945
- The U.S. is cracking down on chip exports from Nvidia and AMD in a bid to curb China’s AI ambitions, signaling a tougher stance on tech as well as trade. https://www.wsj.com/economy/trade/trump-chip-exports-nvidia-h20-china-amd-d2c4c866?reflink=desktopwebshare_permalink&st=QxJ1oZ
- "The entry of a U.S. tech company [Starlink], which specializes in unsustainable direct-to-consumer services and increases the potential of foreign interference in India, will not be particularly useful for expanding internet connectivity" writes IX contributor Gurshabad Grover in The Diplomat. https://thediplomat.com/2025/04/the-national-security-implications-of-starlinks-entry-into-india/
- U.S. v. Google LLC confirms Open Markets Institute’s warning: Google is a monopolist in both search and digital ads, using its power to stifle competition and exploit the open web. https://www.openmarketsinstitute.org/publications/federal-court-confirms-googles-monopoly-over-digital-advertising-market
- A human rights impact assessment of ICANN82's GAC communiqué finds some positive steps on digital inclusion and transparency, but raises concerns over privacy, expression, and due process risks from rapid data disclosure and DNS abuse mitigation efforts. https://digitalmedusa.org/the-governments-score-on-human-rights-a-look-at-icann82
- Civil society and experts urge the UN to ensure an inclusive and transparent WSIS+20 review, warning that failure to engage stakeholders meaningfully could undermine global digital governance. https://www.gp-digital.org/a-call-to-action-for-an-inclusive-wsis20-review/
- The US State Department has shut down its Global Engagement Center, which aimed to counter disinformation from countries including Russia, China and Iran. US Secretary of State Marco Rubio claimed on Wednesday that the centre restricted free speech in the US and elsewhere. https://www.france24.com/en/americas/20250417-us-shuts-down-anti-disinformation-office-targeting-russia-china-and-iran
Digital Rights
- The Czech Republic’s longstanding practice of mass mobile phone data collection has been ruled illegal by a Prague court in what legal experts are calling a groundbreaking verdict that challenges the country’s data retention laws. https://www.expats.cz/czech-news/article/court-rules-that-czechia-collects-phone-data-illegally-in-landmark-decision
- This article examines the growing trend of online platform migration and technology non-use, driven by dissatisfaction with existing platforms and the search for safer, more inclusive digital spaces, reshaping social connections and digital ecosystems. https://journals.sagepub.com/doi/10.1177/01634437251326397
- An algorithm deemed this nearly blind 70-year-old prisoner a “moderate risk.” Now he’s no longer eligible for parole. https://www.propublica.org/article/tiger-algorithm-louisiana-parole-calvin-alexander
- This analysis critiques the neutrality of big data and AI systems, highlighting their systemic biases and the failure of current policies like the GDPR and AIDA to address structural inequalities. https://cjc.utppublishing.com/doi/10.3138/cjc-2024-0025
- Experts warn of a eugenics revival in big tech, linking today’s data practices to past discriminatory systems in a discussion led by Anita Say Chan, Émile Torres, and Timnit Gebru. https://datasociety.net/events/resisting-predatory-data
- Bluesky restricted 72 accounts and one post in Turkey, signaling a shift from its earlier resistance to government censorship, according to İFÖD via the Stockholm Center for Freedom. https://www.turkishminute.com/2025/04/17/bluesky-restrict-access-72-account-turk-amid-government-pressure7
- Experts warn that the Trump administration is expanding AI and surveillance in immigration enforcement, raising serious concerns about privacy, legality, and civil liberties for both citizens and non-citizens. https://www.techpolicy.press/ask-the-experts-ai-surveillance-and-us-immigration-enforcement
- A new investigation reveals that authorities in Isfahan, Iran, are using layered surveillance technologies, including IMSI-Catchers, card readers, and CCTV, to identify, track, and intimidate women defying the compulsory hijab law. https://filter.watch/english/2025/04/17/investigated-report-isfahan-targeted-with-imsi-catchers-and-surveillance-cameras
- Judge says tower dumps, the law enforcement practice of grabbing vast troves of private personal data from cell towers, violate the 4th amendment, but will let the cops do it this one time, as a treat. https://www.404media.co/judge-rules-blanket-search-of-cell-tower-data-unconstitutional
Technology for Society
- Margaret Mitchell, an AI ethics researcher at Hugging Face, discusses a new initiative aimed at evaluating how AI models perpetuate stereotypes across different languages and cultures. https://www.wired.com/story/ai-bias-spreading-stereotypes-across-languages-and-cultures-margaret-mitchell
- This article explores how "repair work" in Lebanon's digital cash assistance program for Syrian refugees highlights the invisible, undervalued labor required to maintain flawed, data-driven humanitarian systems. https://journals.sagepub.com/doi/10.1177/20539517251318268
- Distant-water fishers are out on the ocean for up to 10 months at a time, with no contact to the outside world because they're not allowed to use the ship's Wi-Fi. Now multiple organizations and unions are trying to change that. https://www.404media.co/they-sometimes-worry-that-im-dead-already-deep-sea-fishers-fight-for-wi-fi
- Educators are embracing generative A.I. for their own work while remaining deeply concerned about its ethical use by students. https://www.nytimes.com/2025/04/14/us/schools-ai-teachers-writing.html
- In this Earth Week essay series, Data & Society’s research network explores how communities confront tech’s impact on environmental justice and everyday life. https://datasociety.net/points/the-cloud-is-dead
- New paper from IMF examines how AI may widen global inequality, as advanced economies are better positioned to benefit than low-income countries. https://www.imf.org/en/Publications/WP/Issues/2025/04/11/The-Global-Impact-of-AI-Mind-the-Gap-566129
- A new study finds that effective content moderation in conflicts like Tigray requires deep cultural expertise and collaborative decision-making, something platforms still lack. https://www.techpolicy.press/what-a-new-study-reveals-about-content-moderation-in-tigray
- 4chan may be gone, but its toxic legacy lives on across the internet, from X and YouTube to global politics. https://www.wired.com/story/4chan-is-dead-its-toxic-legacy-is-everywhere
- The Washington Post, owned by Jeff Bezos, has struck a content licensing deal with OpenAI to feed material into ChatGPT's search capabilities. https://variety.com/2025/digital/news/washington-post-openai-licensing-deal-1236374787
- To mark Earth Day 2025, the Internet Society Foundation highlights three innovative research projects using technology to tackle environmental challenges. https://www.isocfoundation.org/2025/04/celebrating-earth-day-2025-innovations-from-the-internet-society-foundations-research-grant-program
- AI tools like ChatGPT are rapidly replacing Kenya’s once-booming academic writing industry, slashing incomes and forcing young writers to adapt or abandon the work entirely. https://developmentekko.substack.com/p/tech-giveth-tech-taketh-away
- Just as rebranding “global warming” to “climate change” weakened the environmental movement’s message, abandoning the term “disinformation” risks diluting efforts to hold powerful actors accountable argues Michael Khoo. https://www.techpolicy.press/disinformation-is-dead-long-live-disinformation
- To address Big Tech's cloud dominance, it isn't enough to build local alternatives. Corinne Cath, PhD makes the case for rethinking digital infrastructure from the ground up—to develop alternative visions for computing that prioritize people over profit. https://www.techpolicy.press/clouds-over-public-infrastructure-rethinking-internet-governance-in-the-hyperscaler-era
Privacy and Security
- End-to-end encrypted technology, a pillar of privacy-friendly and cybersecure digital communication, is seen as a foe by police and authorities. The technology is now coming under attack across Europe. https://www.politico.eu/article/encryption-crime-denmark-peter-hummelgaard-europe-privacy
- WhatsApp has launched "Advanced Chat Privacy," a new setting that blocks chat exports, auto-downloads, and AI use of messages to help keep sensitive conversations more secure. https://blog.whatsapp.com/introducing-advanced-chat-privacy
- But also… WhatsApp is under fire for embedding a new AI assistant that can't be removed, sparking privacy concerns and criticism that Meta is testing AI on users without meaningful consent. https://www.bbc.co.uk/news/articles/cd7vzw78gz9o
- Mexico, Saudi Arabia, and Uzbekistan were among several countries accused of using Pegasus spyware in a 2019 WhatsApp hacking campaign targeting over 1,200 users. https://techcrunch.com/2025/04/16/nso-lawyer-names-mexico-saudi-arabia-and-uzbekistan-as-spyware-customers-accused-of-2019-whatsapp-hacks
- A Cellebrite-linked Android exploit chain used against a student activist has been publicly exposed. https://securityonline.info/cellebrite-android-zero-day-exploit-poc-released-cve-2024-53104
- This document outlines how to implement the Messaging Layer Security (MLS) protocol for secure group messaging. https://www.rfc-editor.org/info/rfc9750
- This document from IETF introduces a new cryptographic HTTP authentication scheme that prevents unauthenticated clients from detecting whether a resource requires authentication, enhancing privacy by eliminating probeable behavior. https://datatracker.ietf.org/doc/rfc9729
- People are using ChatGPT to figure out the location shown in pictures. https://techcrunch.com/2025/04/17/the-latest-viral-chatgpt-trend-is-doing-reverse-location-search-from-photos
- Quad9, a non-profit DNS security service, has released version 1.0 of its Android app, Quad9 Connect, on F-Droid, making it open source under the AGPL-3.0 license, with all release files available on GitHub. https://www.quad9.net/news/blog/quad9-connect-now-on-f-droid
Upcoming Events
- Venture Capital, Technology Startups, and Human Rights: A primer for general partners and limited partners from Debevoise and the Office of the UN High Commissioner for Human Rights. April 29 5:30pm ET. New York, NY. https://media.debevoise.com/20/7780/march-2025/webinar-invitation(forwardable)(1).asp
- We Are All Federal Workers: Fighting the Expansion of AI, Precarity, and Disenfranchisement in Higher Education. A conference on how AI and tech-driven policies are worsening conditions in higher education, and how collective action can fight back. May 2, 9am ET. Washington, DC. https://www.asc.upenn.edu/news-events/events/we-are-all-federal-workers-fighting-expansion-ai-precarity-and-disenfranchisement-higher-education
- What is Work Worth? Exploring what generative AI means for workers’ lives and labor from Data & Society. May 6, 5pm ET. Online or in New York, NY. https://datasociety.net/events/what-is-work-worth
- Palestine Digital Activism Forum 2025: an event focused on protecting Palestinian digital rights, strengthening social media activism, and fostering collaboration between local and international movements. May 20-21. Online. https://pdaf.net
- HOPE_16, the first in a now annual edition of the (previously biennial) legendary hacker conference, returns with talks, workshops, and community. The call is open for talks and panels. August 15-17, St. John’s University, NYC. https://www.hope.net
- The (m)otherboard book club is launching with We Just Build Hammers by Coraline Ada Ehmke. Next meeting is April 30, 9pm ET. Online. https://m-otherboard.ghost.io/book-club-we-just-build-hammers
Careers and Opportunities
- Reuters is looking for someone to join its leading-edge Visual Verification Team as a Visual Verification and Newsgathering Producer. https://thomsonreuters.wd5.myworkdayjobs.com/External_Career_Site/job/ESP-Barcelona-Travessera-de-Grcia/Visual-Verification-and-Newsgathering-Producer_JREQ190325
- 7amleh – The Arab Center for the Advancement of Social Media is hiring a U.S. Development and Communications Officer. https://7amleh.org/post/job-vacancy:-u.s.-development-and-communications-officer
- African Women in Media in partnership with the African Union Commission (AUC) is calling for abstract submissions exploring the theme Beyond Commitments: Advancing Policies for Gender-Safe Media. Submission deadline: April 30. https://africanwomeninmedia.com/2025/03/24/awim25-conference-call-for-papers
What did we miss? Please send us a reply or write to editor@exchangepoint.tech.
A Tale of Two TCNs
By Heather Burns
You are probably aware of the international backlash caused by the UK Home Office’s secret issuance of a Technical Capability Notice (TCN) to Apple. The notice was issued under Section 253 of the Investigatory Powers Act (IPA), a surveillance law that allows the UK government to compel companies to make their systems accessible to law enforcement authorities, which in this case sought to weaken core security features on Apple devices. You might also be aware that UK government agencies do not have a good track record of handling the data they acquire, as demonstrated by the recent ruling from the Investigatory Powers Tribunal, which confirmed that UK agencies like MI5 have unlawfully mishandled personal data. What you may not be aware of is that there is a second, separate TCN regime quietly in the works in the UK, one which poses equally worrisome threats to encryption.
Ofcom, the UK’s telecommunications and online safety regulator, recently held a public consultation on its own Technology Notices regime, introduced under Section 121 of the Online Safety Act (OSA). This provision, which attracted significant controversy in 2023 as the then-Bill wheezed towards the finish line after five years of contentious debate, could have compelled service providers to break end-to-end encryption (e2ee) in order to detect terrorist or child sexual exploitation and abuse (CSEA) content, “where necessary or proportionate”.
After heavy criticism from technologists, civil society and industry, the outcome of that debate was Ofcom’s caveat that “user to user services should only apply measures where it is technically feasible for them to do”, effectively an admission that these clauses were based in magical thinking rather than real-world technical feasibility.
The OSA TCN regime would require service providers to implement client-side scanning to detect CSAM or terrorist content, using hash-matching technology that compares user-generated content against known illegal material before it is encrypted or shared, but only on publicly communicated (e.g. unencrypted) content. Sections 4.29-4.32 of Ofcom’s draft guidance (unfortunately, Ofcom only communicates through massive, unwieldy PDFs) outline its rationale for what counts as public vs. private communication content vis-à-vis the European Convention on Human Rights (ECHR) Article 8: the right to respect for private and family life, home, and correspondence. Despite Brexit, the UK remains a signatory to the ECHR and is still bound by European Court of Human Rights (ECtHR) rulings.
Clearly, Ofcom have been forced to do their homework. Their separate rationale on public versus private communications, issued as part of a different consultation and which I highly recommend reading in full, is the only legally feasible response to the ECtHR’s ruling in Podchasov v Russia, which reaffirmed strong protections for private encrypted communications and rejected bulk surveillance. Index on Censorship recently issued a strongly worded legal opinion reminding Ofcom of that fact.
Ofcom’s consultation covered two key areas: one, what the minimum standards of accuracy should be for the technologies they plan to accredit, which technologists should study closely; and two, draft guidance on how Ofcom intends to issue technology notices. While the consultation has closed, all submitted responses have been posted to the same page.
Safeguards and oversight
How will the OSA TCN regime compare to the IPA regime? There is one clear improvement: notices will be announced publicly (reducing the need for whistleblowers to leak to The Washington Post). If and when Ofcom issues a TCN to a service provider, meaning a request to introduce scanning technology, it would appear on this page, updated annually. At this stage there is nothing to report, though the page is worth bookmarking.
For now, Ofcom can only note that “this part of the regime is not active and the Secretary of State cannot approve or publish any minimum standards of accuracy until they have received advice from Ofcom. Therefore, we have not yet been in a position to assess whether or not there is any technology which meets, or is in the process of development to meet, any such minimum standards of accuracy.”
So far, that transparency seems to be the only positive change.
By contrast, the IPA regime, for all its flaws, includes several layers of oversight, including the Investigatory Powers Commissioner (currently the extremely capable Sir Brian Leveson), the IPCO, and judicial authorisation. The Ofcom TCN regime has none of those safeguards or judicial routes of appeal. Its implementation is at the discretion of Ofcom’s Chief Executive, currently Dame Melanie Dawes, whose governance of the Online Safety regime is led by public relations partnerships with the media. It is never a good sign when any regulatory regime is more driven by narrative storymaking and clickbait than by the rule of law and judicial safeguards.
As for external oversight, the IPA requires TCNs to be reviewed by a semi-secret government committee called the Technical Advisory Board. Incredibly, it took media inquiries in the aftermath of the Apple TCN for members of the TAB to learn that the Home Office had forgotten to renew their contracts. In contrast, Ofcom has opted to precede a TCN with a “report, from a skilled person, appointed by us.” Who is a “skilled person”? Ofcom defines it as someone who appears to Ofcom to “have the skills necessary to prepare a report about matters relevant to those purposes.” To paraphrase Theresa May, “skilled person means skilled person.”
Similar to the IPA TCN regime, Ofcom intends to issue “warning notices” to providers before issuing the notice. At that time, the provider will be allowed to “make representations” to Ofcom.
Ofcom’s technology notices must be necessary, proportionate, and must also consider:
- the extent to which the use of the specified technology would or might result in interference with users’ right to freedom of expression within the law; and
- the level of risk of the use of the specified technology resulting in a breach of any statutory provision or rule of law concerning privacy that is relevant to the use or operation of the service (including, but not limited to, any such provision or rule concerning the processing of personal data).
- In the case of a notice relating to a user-to-user service (or to the user-to-user part of a combined service), the extent to which the use of the specified technology would or might:
  - have an adverse impact on the availability of journalistic content on the service, or
  - result in a breach of the confidentiality of journalistic sources; and
- whether the use of any less intrusive measures than the specified technology would be likely to achieve a significant reduction in the amount of relevant content.
Chekhov’s gun
Given what we know about the IPA TCN regime, we must ask whether the intention of the Ofcom TCN is to use it as a pincer movement against encryption. There is, after all, precedent for two separate sets of domestic surveillance rules to be used in tandem in ways that violate Article 8 of the European Convention on Human Rights, as was established in Ekimdzhiev v Bulgaria.
Ofcom’s OSA TCN regime does not explicitly mandate the breaking of end-to-end encryption. However, the Apple IPA TCN raises serious concerns that the government may intend to use that regime to accomplish the job for Ofcom, Article 8 be damned, aligning with Scott and Ó Floinn’s observation that the UK government’s ongoing strategies around encryption “may be intended to have the effect of weakening or undermining encryption in a less direct fashion”.
In its December 2024 consultation on the OSA TCN regime, Ofcom noted that “if law enforcement wants specific information about a specific individual, to intercept communications, or to obtain communications data, then they would still need to do so using powers under and in accordance with the Regulation of Investigatory Powers Act 2000 and Investigatory Powers Act 2016, as appropriate.”
One might wonder, “Why would Ofcom place the IPA on the table, if the intention is not to use it?” This is an admission that Ofcom knows that its TCN regime could facilitate a form of bulk surveillance through compromised encryption, one that the security services might find highly useful.
This conclusion seems further supported by the fact that Ofcom’s draft guidance on TCNs addresses all six of the tests set out in the Weber and Saravia v Germany Article 8 ruling:
- the nature of the offences (CSAM and terrorism)
- a definition of the categories of people liable to have their communications intercepted (all users of the impacted service)
- a limit on the duration of interception (36 months)
- the procedure to be followed for examining, using and storing the data obtained (under consultation)
- the precautions to be taken when communicating the data to other parties (under consultation)
- and the circumstances in which intercepted data may or must be erased or destroyed (under consultation).
Ofcom also seems to have studied the ECtHR’s Big Brother v UK ruling which, despite addressing bulk national security surveillance as opposed to client-side scanning (CSS) hash matching, found the following deficiencies:
- that “bulk interception was not authorized by a body independent of the executive, but by the secretary of state”
- that categories of search terms defining the kinds of communications to be examined were not included in the warrant application
- and that the use of specific identifiers, so-called “subject selectors linked to an individual”, had not been authorized.
Ofcom’s TCN consultation has addressed two out of three of these points.
Further clues appear in Ofcom’s joint statement with the Information Commissioner’s Office (ICO), which confirms that OSA compliance will involve extensive data collection, processing, and retention. This level of activity amounts to a bulk regime in itself. Index on Censorship commissioned a very pointed legal opinion on this matter during the Act’s traumatic birth, and the ECJ’s La Quadrature du Net ruling hints at the trouble ahead here.
In summary, Ofcom has taken pains to make its TCN regime reflect multiple ECtHR rulings on Article 8. Why would they do that if the intention is not to use the regime in ways which trigger Article 8 issues at scale, either independently or in tandem with the IPA?
We now await Ofcom’s official response to its own consultation, and to see what the Apple IPA debacle has taught regulators about the public’s tolerance for compromised encryption disguised as safety regulation.