Kategorie

Apple Silicon Macs fail at less than half the rate of Intel Macs, dramatically reducing the platform’s already industry-leading total cost of ownership (TCO), according to data revealed by London, UK-based Apple reseller Hoxton Macs.

While it’s true the data is based on a relatively small sample group, it does seem to reflect what the industry in general sees.

Apple’s chip design transforms Mac reliability

The success of Apple Silicon hardware is attributed to its simpler design, which integrates multiple components into a single chip, reducing the number of potential failure points. Additionally, Apple Silicon Macs run cooler, leading to less wear and tear on components such as batteries and USB-C ports, the report says. Across the wider laptop market, most studies show hardware faults affect one in five non-Apple machines over their first three years in use.

This builds on Apple’s enduring record for making good hardware as independent reliability surveys consistently rank the company as the most reliable laptop brand. To some extent, the data reflects the anecdotal experience most Mac users have — their computers seem to last much longer than other systems do, which helps them retain value on the second-user market.

Apple already had a good story to tell in terms of tech support before it introduced Apple Silicon machines. More than a decade ago, Fletcher Previn, then vice president of Workplace-as-a-Service at IBM, told the Jamf Nation User Conference that just 5% of IBM’s Mac-using employees needed to call the help desk; in contrast, an astonishing 40% of PC-using staff had to do so. That difference is significant because it translates into serious differences in cost; each tech support call made by those working on your ailing PC fleet has a price.

That TCO difference prompted Previn to say, “I can confidently say every Mac that we buy is making and saving IBM money.” Years later, as CIO at Cisco, he said the company’s tens of thousands of Mac users experienced five times fewer cyberthreats and nine times fewer virus issues than PCs, and that Cisco needed 33% fewer engineers to manage the Macs.

Those impressive real-world data points reflected Macs in the pre-Apple Silicon world. Those Intel Macs already worked better for longer and required less tech support. This month’s Hoxton Macs data, while based on a much smaller sample group, suggests that this particular advantage has grown even greater now. And it’s not just down to the silicon.

Fewer parts, less heat, fewer failures

Apple has designed its processors to deliver excellent performance per watt. Because these are SoCs (System on Chips) the power requirement to drive all the system components is that much lower, and it means whole categories of component failure are removed. The design also means they use less energy and generate less heat to run, dramatically reducing thermal wear and tear. 

“Fewer parts, less heat, simpler construction: the result is a machine with markedly fewer ways to break,” Hoxton Mac said in an extensive article explaining its data.

>Failure rates are consequential to everyone. Even a small failure rate means some people will end up with Macs that have hardware issues, which is always a problem for those affected. But the low fail rate should be reassuring to the millions of people switching to Apple’s  href="https://www.computerworld.com/article/4180406/after-a-quick-1-1m-sales-macbook-neo-set-to-reshape-the-pc-industry.html">even cooler-running MacBook Neos>. 

Those users might now justifiably look forward to lower running costs from their new computers, combined with good resale rates once they’re ready to upgrade. It doesn’t hurt Apple’s platform loyalty either — making it even more likely those millions of users will stay with the Mac rather than going back to where they were before.

You can follow me on social media! Join me on BlueSky,  LinkedIn, Mastodon and The Core.

Cybersecurity researchers have warned of a "resurgence and expansion" of JDY, a covert network associated with China-nexus state-sponsored threat actors. "The JDY botnet comprises over 1,500 SOHO [small office and home office] and IoT devices and operates as a centrally controlled, high-performance scanner used to discover, fingerprint, and continuously map exposed services at scale," Lumen's Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]

Fortinet, Ivanti, and SAP have released security updates to address multiple critical security vulnerabilities that could result in arbitrary code execution and information disclosure. The security flaw patched by Fortinet relates to a command injection vulnerability in FortiSandbox, FortiSandbox Cloud, and FortiSandbox PaaS WEB UI. It's tracked as CVE-2026-25089 (CVSS score: 9.1). "An Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]

A high-severity unpatched security flaw in Langflow, an open-source low-code platform to build artificial intelligence (AI) applications, has come under active exploitation in the wild, according to findings from VulnCheck. The vulnerability in question is CVE-2026-5027 (CVSS score: 8.8), a case of path traversal that could allow an attacker to write files to arbitrary locations. "The 'POST /Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]

The JDY botnet, a malware network previously associated with Chinese threat actors like Volt Typhoon, has significantly expanded its targeting scope and reconnaissance efforts. [...]

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation. The list of vulnerabilities is as follows - CVE-2026-20245 (CVSS score: 7.8) - An improper encoding or escaping of output vulnerability in Cisco Catalyst SD-WAN Manager that could allow an Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]

Attackers are increasingly bypassing weak authentication through phishing, MFA fatigue, and service desk social engineering. Specops Software breaks down five best practices for stronger identity verification and access security. [...]

Microsoft has patched an actively exploited Exchange Server vulnerability that allows threat actors to execute arbitrary JavaScript code in cross-site scripting (XSS) attacks targeting Outlook Web Access users. [...]

Microsoft warned customers on Tuesday that they may have issues installing the latest monthly updates on some Windows devices that were upgraded to Windows 11 24H2 or 25H2. [...]

I’ve been using and writing about Microsoft Copilot since it was publicly released in 2023. I’ve reviewed it, written articles about using it more effectively, explained how to curb hallucinations in it and other similar tools, and detailed how to use it in concert with Microsoft 365. It’s also been my go-to generative AI (genAI) tool for personal projects and advice.

But the time has come for me to leave it behind for my personal use. It’s become abundantly clear that for those tasks, Google Gemini is better. Here’s why.

Copilot is inept at solving a tech problem

Like many people who know something about technology, I’m the IT staff for friends and family. I’ve often used Copilot to help solve issues I can’t fix myself. Sometimes Copilot helps. And other times…, well, the last time I turned to it for troubleshooting advice is when I realized it was time to abandon Copilot.

My wife had bought a new iPhone, and I noticed she was receiving texts sent to her email address but hadn’t received any sent to her phone number. I asked Copilot for help.

I won’t go into the details of the wild goose chase Copilot sent me on — I’ll just offer a few lowlights. It first told me, with absolute authority, that there are “only two real explanations” for the problem and asked me to look at several settings to confirm which explanation would fix the issue.

It turned out that neither of the “two real explanations” were the cause. Undeterred, Copilot assured me, again with complete confidence, that it was going to send me “straight to the switch” that would immediately solve the problem.

I tried it. The switch didn’t work. Neither did the “final fix” it promised me. Nor did any of the other many “solutions” if offered after that so-called final fix. For more than an hour, it flailed with utter confidence and utter futility trying to diagnose and fix the problem. 

And then came the final indignity: After doing some digging, I realized Copilot was trying to solve the problem based on an old version of iOS, not the current one on my wife’s phone. When I confronted Copilot about that, it briefly apologized and promised it knew the solution: I had to call the cellphone carrier.

That was it for me. I’d had enough. I turned to Gemini for help. 

Thirty seconds later, Gemini diagnosed the problem and recommended a simple fix, which didn’t require a call to my phone carrier. It worked like a charm. Gemini had solved a tech problem in 30 seconds that Copilot couldn’t resolve after an hour. 

Copilot whiffs on personal research 

I often used Copilot for personal research projects. A recent one involved Parisian neighborhoods in the 1870s. I was looking for information about the area around the Saint-Lazare train station. When I asked Copilot, it told me the area was dangerous and poverty-ridden back then, with poor housing whose exteriors were heavily stained by coal smoke from arriving and departing trains.

That didn’t sit right with me. I recalled a well-known painting Paris Street; Rainy Day by the Impressionist painter Gustave Caillebotte, which depicted the neighborhood in the 1870s as wealthy and fashionable, filled with elegant Hausmann-style apartment buildings. I asked both Gemini and Claude about the neighborhood in the 1870s. They both told me it was expensive, fashionable and sought after by the well-off. I confirmed that with my own follow-up research.

Once again, Copilot had whiffed.

Copilot gives bad scheduling advice

I swim for exercise three or four times a week at my health club’s indoor pool. The club closed the pool for several months, so I decided to swim at the pool of an elementary school a short walk from my house. I hadn’t exercised there before and wanted to find the times on Monday through Friday when the pool would be least crowded. I asked Copilot for help.

As always, Copilot spoke with a solid air of authority. And once again, it was wrong. It told me that the least crowded time for public swimming on weekdays was between 11:30 a.m. and 12:30 p.m. or between 12:00 p.m. and 1:00 p.m.

On one count it was right: the pool would certainly not be crowded with public swimmers at those times. Because the pool doesn’t open to the public until 3 p.m. 

I turned to Gemini, which told me that 3 p.m., when the pool opened, would be the least-crowded time. Claude was no help. It demurred and said it didn’t know the answer – a rare, refreshing admittance of ignorance from a chatbot.

Gemini was on target again — 3 p.m. did indeed turn out to be the least-crowded time to swim. I often get a lane to myself, and at worst have to split a lane with one other swimmer. I asked several lifeguards if 3 p.m. was the least-crowded time on weekdays; they all confirmed it was.

Bye-bye, Copilot

For all those reasons, when it comes to personal research and advice, I’ve abandoned Copilot. I typically use Gemini now, although on occasion, I ask for a second opinion from Claude.

For my Computerworld work, I’ll keep using Copilot, and continue to write reviews of it, offer advice on how to use it and keep you informed about the latest news about it.

But other than that, for my personal use, Copilot is dead to me.

Your pentest report looks clean. That might be the problem. Run automated pentesting long enough, and the new findings start to dry up. By the third or fourth run, fewer issues appear. The report looks stable. Leadership reads "stable" as "secure." It usually isn't. The work slows down. The risk does not. That gap is what a The Hacker News webinar with Picus Security sets out to close. [email protected]

On Tuesday, Microsoft patched two zero-day vulnerabilities that let attackers gain SYSTEM privileges on fully patched Windows systems, and a third one that grants access to BitLocker-protected drives. [...]

For the past few days, I’ve been immersed in Google’s latest vision of the future — an AI-infused dashboard that taps into info from all of your Google app activity and then uses that data to cook up a series of daily “stories” designed to “connect you with what matters.”

And — believe me, I don’t say this lightly — the experience of interacting with this system has me longing more than ever for the past.

The app is called Dreambeans. Google launched it as an experiment last Wednesday, and I was offered the opportunity to skip the standard waitlist and get immediate access to explore it.

I won’t beat around the bush: Using the app really has been an eye-opening, enlightening experience for me. Just not in the way that Google had presumably wanted.

[Get level-headed knowledge in your inbox with my free Android Intelligence newsletter. Something new and useful every Friday — from my keyboard to your email.]

Google Dreambeans and the next phase of AI

In many ways, Dreambeans feels like the ultimate example of everything Google’s been gunning for — and AI in general has been building up to — over the past several years.

With your permission, the app accesses your ongoing activity data from Google Workspace (including such services as Gmail, Google Calendar, and Google Drive) along with Google Search, Google Photos, and YouTube to create an evolving profile of your life and interests. That means everything from who you email to what’s on your agenda, what you’re writing or saving files about, and what sorts of subjects you’re searching for, videos you’re watching, and activities you and your friends, family, and other associates are appearing in throughout photos (and even how you all look in those photos) gets constantly analyzed and processed and used as fodder for a personalized feed that updates a few times a day.

On the surface, it sounds a little like Google Now — the excellent and all-too-short-lived proactive intelligence feature Google added into Android for a while back around 2012.

In practice, though, lemme tell ya: It feels dramatically different. Whereas Google Now felt almost magical in its ability to anticipate what you needed before you ever asked for it — with proactive cards on things like flight statuses based on itineraries in your inbox or flight-related searches you’d performed, traffic alerts based on your typical daily routes or appointments in your agenda, and links to maps for businesses you’d been researching — Dreambeans takes those same basic concepts to a whole other level that ends up feeling creepy and invasive, both in the info it’s offering and in the way it’s presenting it.

And, more broadly, it feels indicative of the way AI is heading in general — not just with this one app or with Google but across the industry and in a style that I think most people are increasingly finding off-putting and will only find ever more intrusive in time.

Now, let’s be clear: I’m no technophobe. Far from it: I love clever tech creations and thoughtful new touches that make our lives easier. Heck, I’ve spent much of my life searching for and writing about such feats. And that’s precisely why my reaction to Dreambeans strikes me as so significant: If I’m this put off by this concept, how will average tech users — most of whom are far less tuned into tech trends and intrigued by interesting new options then I am — react?

I’ll tell you more about what I’ve heard so far in a second. First, let me show you exactly what I’ve been seeing, so you can assess this thing for yourself and see how it comes across to your spidey senses.

Here’s a handful of the Dreambeans “story” suggestions that appeared in the app upon its first day working for me, with a few names and personal details blurred for privacy purposes:

Some of Dreambeans’ custom “stories” throughout my first day with the app.

JR Raphael, Foundry

I’m honestly not even sure where all of these suggestions came from, but what jumped at me right away were the (occasionally flattering) caricatures of me and my wife and the general sense of invasion from all the slightly too personal stuff and too familiar integration of family members’ names and interests integrated into the material.

For the record: I had been looking into speaker stuff at some point in the not-too-distant past; I’ve never once typed, uttered, or even considered the phrase “hand-loomed textiles” until just now; we had been looking at the arts festival it mentioned; I’ve never specifically searched for or expressed any interest in Scary Movie 6; and I am not into the band Genesis — though, to be fair, I can’t dance.

I showed all this same material to my wife as well as to several other friends and family members I’d categorize more as typical tech users — not tech professionals or card-carrying geeks but just regular people who own and use a variety of devices, as we all do, and rely on ’em for both personal and professional purposes with varying levels of dread, excitement, and/or indifference. Without exception and without any prompting or personal opinions presented to sway them, every single one of ’em responded the same basic way: “Oh. That’s creepy.” And: “I do not like that.” Without fail.

It doesn’t get much better from here, either. Most of the app’s subsequent suggestions have continued to veer just a touch too far onto the “ick” side of the spectrum, as well as occasionally being off-base in some pretty perplexing ways. For instance:

Nice AirPods, Mr. Apple fan!

JR Raphael, Foundry

For the record on this set: I do love the show Seinfeld — SERENITY NOW! more than ever — though it’s been some time since I’ve actively watched it; I somewhat famously am allergic to Apple products and avoid ’em whenever possible (notice the name of this column, anyone?); I don’t live in the same city as my brother but do find it creepy to have him pictured in ghoulish caricature form and brought randomly into a discussion about Plex (something he wouldn’t even remotely be interested in hearing from me about); and my various editorial newsletters are all powered by a service called Kit — not Beehiiv — which is mentioned in plenty of places both on my websites and throughout my emails.

Also, while my hairline may not be what it once was, I’m (ahem) not that bald yet — thankyouverymuch, Dreambeans.

Another example that I won’t show here was an item that pictured me in overalls working on installing some “coated stainless steel wire for [my] gallery canvases” — a reference to a community art gallery (with all sorts of details wrong and in some cases flat-out fabricated) connected to my mother’s recent passing. It casually mentioned her by name, too, alongside that eerie illustration of me performing a skill I definitely don’t have in my nonexistent home workshop. I don’t think I have to elaborate on how unsettling, unappreciated, and — again — invasive it felt to have that pop up in this feed.

More than anything, what I’ve been feeling while seeing all of this is a combination of (a) egad, it knows too much — especially when it casually name-drops and caricature-pics my wife, kids, and other family members — and (b) at the same time, the info it’s giving me isn’t especially helpful or insightful. It’s mostly just flat, generic, and — well, more or less exactly what you’d expect from something AI-generated.

Seeing caricatures and personal details about my kids is odd — and, at the same time, neither of my kids actually plays or has any interest whatsoever in soccer.

JR Raphael, Foundry

More than anything, in other words, it’s a combination of creepy and not particularly useful.

Some of what I’ve seen when opening Dreambeans’ personal “stories.” Yay?

JR Raphael, Foundry

And it’s the “creepy” part that really sticks with me the most.

The fine line Google forgot to avoid crossing

Maybe if the info I’m being served up here were exceptionally useful, this could be a tradeoff I’d be at least a little more likely to accept. Maybe. But in this scenario, it just feels odd and a little too invasive — which I’ve come to realize is a common theme surrounding much of what seems to be the next level of our forced-upon-us AI future.

Take Google’s Gemini Spark, for instance — the “agentic” AI assistant announced at Google I/O that’s meant to be a “proactive” helper tackling tasks on your behalf. David Pierce from The Verge got an early look at the tool in action and called it “the most impressive and terrifying AI experience” he’s had to date, also bringing that “creepy” word into the equation:

I can’t shake the deeply creepy feeling I get from the whole thing. What Spark did feels sort of magical, and very invasive. It’s weird that Spark is so casually telling me the names and ages of my children, reminding me that it knows where I live, and finding information I know for a fact I’ve never volunteered to Google. Intellectually, I know that Google knows an incredible amount about me — add up my emails, my calendar, my photos, and my search history, and you’ve pretty much got me pegged. But seeing Spark treat all that data not as something to be protected, but as something to be mined, just feels bad.

And that, I think, mirrors the exact reaction I’ve been experiencing with Dreambeans. We’ve all always known that Google knows a lot about us, but we’ve also — at least intellectually — understood how all of that data is and isn’t being used. And it’s never been rubbed in our faces just how much the company can figure out about us by putting all the various pieces together and creating an awkward sense of robotic intimacy.

I remember years ago, being in a Google press briefing where someone from the company talked about how much more their systems and services could accomplish but how they deliberately held back on going that far and overdoing the personalization — ’cause even though they had all that info and could make all those connections, they knew (at the time) that people wouldn’t respond well to seeing all their personal activity put together in such shocking ways. They knew (at the time) that most of us weren’t looking for an artificial BFF who knew too much about us. They knew (at the time) that giving us that sensation would cross the line into being creepy.

Well, this just in: That line’s officially been decimated. We’re in AI’s creepy era. And seemingly no one is worrying anymore if it’s actually something any of us want or will appreciate.

It kinda feels now like tech companies are actively rubbing in our faces how much they know about us — and even if there’s nothing truly nefarious going on with what they’re doing, it sure doesn’t feel good. It feels creepy. And at a time when trust in tech titans is shockingly low and most folks outside of the Silicon Valley bubble are feeling more and more frustrated with AI and all of the effects it’s foisting upon us, that isn’t a great look to be giving off.

Put those sensations alongside the sigh-inducing explosion of AI “content creators,” the proliferation of lifeless AI-generated “writing” (been on LinkedIn much lately?), and the troublingly blurry line between photorealistic AI-generated images and actual real-world photographs — not to mention the maddening experience of interacting with an AI bot support agent or encountering the ever-expanding array of AI-powered scams and security threats and AI-generated job cuts, just to name a few other problematic consequences this movement is imposing — and it’s hard not to question if all this purported progress is ultimately more helpful or harmful for us, as living, breathing humans in the real world.

A few months ago, at the three-year mark of Gemini’s launch, I posed the question: Did anyone actually ask for this? And, more pressingly: Is this the future we wanted? As we’re moving now into yet another era of AI innovation and seeing how it’s affecting our lives, it gets tougher every day to imagine many folks outside of the tech industry who’d answer with an emphatic yes.

And, unfortunately, you don’t need any fancy-schmancy AI chatbots to tell you that things are only gonna get more extreme — and, yes, more creepy — from here.

Find the tips and tools that’ll *actually* help you with my free Android Intelligence newsletter. No hype, no nonsense — just useful new stuff in your inbox every Friday, from one (alleged) human to another.

Microsoft on Tuesday released fixes for a record 206 security vulnerabilities impacting its software portfolio, including three flaws that have been publicly disclosed at the time of release. Of the 206 flaws, 39 are rated Critical, and 167 are rated Important in severity. This includes 63 privilege escalation, 56 remote code execution, 30 information disclosure, 27 spoofing, 20 security Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]

On June 9, Anthropic released Claude Fable 5, the most capable model it has ever made, generally available. It also did something unusual: it shipped one model as two products, split not by capability but by a layer of safety classifiers. Fable 5 goes to the public. Its twin, Claude Mythos 5, the same underlying model with the cyber safeguards lifted, stays locked to a vetted group of cyber Swati Khandelwalhttp://www.blogger.com/profile/[email protected]

ServiceNow has warned about a security incident in which unknown threat actors exploited a flaw to obtain deeper unauthorized access to susceptible instances. "On June 5, 2026, ServiceNow applied a security update to hosted customer instances," the company revealed in an advisory that requires customer access. "The update concerned a security issue that could allow an unauthenticated user, in Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]

Ivanti has patched two critical vulnerabilities in its Sentry secure mobile gateway solution, including a maximum-severity flaw that enables remote attackers to execute code with root privileges. [...]

The anonymous security researcher going by the name Chaotic Eclipse (aka Nightmare-Eclipse) has released a proof-of-concept (PoC) exploit for yet another Microsoft Defender zero-day named RoguePlanet. "The exploit is a race condition, so it's a hit or miss," the researcher, who published the exploit under a new GitHub account "MSNightmare" said. "I have managed to get a 100% success rate on Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]

Cybersecurity researchers have flagged half a dozen vulnerabilities in protobuf.js, a JavaScript and TypeScript implementation of Protocol Buffers (Protobuf), that, if successfully exploited, could result in remote code execution (RCE) and denial-of-service (DoS) attacks. "In affected environments, a single malicious protobuf schema, descriptor, or crafted payload could be enough to trigger Ravie Lakshmananhttp://www.blogger.com/profile/[email protected]

UK Prime Minister Keir Starmer’s speech on Monday insisting that tech companies create device controls to somehow block children from viewing or creating sexually explicit imagery has raised alarms among CISOs, who worry that the same technology could undermine enterprise security. Starmer gave tech firms three months to create and implement such restrictions voluntarily, at which point he said he would push for legislation to make it mandatory.

Behind the technical and logistical hurdles for tech firms to clear, such as how a device would determine that an image was inappropriate, and how it could reliably determine the subject’s age, is the issue of whether this process would interfere with encryption protections for enterprises worldwide. And that comes down to whether the required data analysis happens on the device or in the cloud. 

Starmer did not go into a lot of detail, preferring to let technology companies craft their own plans, but in this case the details matter. Analysts and consultants said that there has been a push for everything to happen on-device, which would avoid any encryption problems; if the inspected data never leaves the device, the encryption protection would stay intact.

But this plan for the process to stay on the device seems highly unlikely for multiple reasons. The first problem is device capabilities and hardware age. Although Apple and Google engineers would be working with the latest devices, much of the UK population is using much older and less capable hardware, analysts said. 

Although a 2-, 3- or 4-year-old phone might still be able to handle the additional load, it would likely suffer a dramatic slowdown sufficient to make users decidedly unhappy. That would mean that even if the execution of the data analysis began on the device, it would likely have to be shifted to the cloud for performance reasons. And once it moved into the cloud, the encrypted data problem begins. 

Trying to do this scanning on-device in the UK would fail, said Flavio Villanustre, CISO for the LexisNexis Risk Solutions Group. “It will make unusable the majority of devices used in the UK today. It just can’t work on-device.”

However, Villanustre observed that on-device analysis for this kind of effort, which would need to scan everything that gets downloaded to the phone in search of prohibited images, might be viable in a few years, once the typical device becomes much more powerful. But not today.

Creates new risks

Leading secure messaging app provider Signal also issued a strong statement opposing Starmer’s proposal.

“The UK governmentʼs demand that all content on all devices sold or used in the UK be scanned on the presumption of nudity, using a dystopian combination of age verification and content scanning, will not safeguard children. It endangers us all, whilst strengthening Apple, Google and Microsoft’s market dominance and their control over our most personal information,” Signal said.  “Once created, [the program] will be expanded, forming a dangerous tool that will be wielded both in the UK and abroad to censor and surveil whatever they might consider ‘threats’ or ‘harmful content.’”

Signal has aggressively fought against such programs before. Similar privacy campaigns have also been launched in other parts of Europe. 

The long held fear is that moving encrypted data to the cloud, regardless of whether it remains encrypted or is converted to clear text, creates opportunities for attackers to access the sensitive data.

“The mechanism that flags and reports a match to external authorities creates a new, built-in exfiltration path,” said Jeff Valdes, a director at consulting firm Acceligence.

Could do more harm than good

Sanchit Vir Gogia, chief analyst at Greyhound Research, argued that the UK proposal is likely to do far more damage than good. He pointed to the short three month timeframe as evidence of a lack of good faith.

“Legislation of this complexity cannot be drafted in a quarter. The deadline is a pressure instrument, not a delivery schedule. Child safety is the destination. Device-wide inspection is the wrong vehicle,” Gogia said. “Apple and Google already run on-device nudity detection in bounded contexts, and it works: a child can be warned, an image blurred, a sharing attempt interrupted.”

Gogia pointed to another logistical problem, which is that some devices such as tablets are often shared between family members, which makes reliable age determinations all but impossible. 

“The deeper flaw is that the policy assumes a stable mapping between device, person, and age, and that mapping does not exist in real households,” Gogia said. “A device cannot know its holder has changed. The only architecture that survives this is default-child with recurring adult verification, which is surveillance arriving through the back door of household economics.”

In addition, he noted, “Children disproportionately inherit the old, out-of-support handsets the mandate cannot reach. Forcing churn manufactures electronic waste and punishes the families least able to buy new.”

Carmi Levy, an independent technology analyst, agreed that the computing overhead alone for such an effort could make this a deal-killer. 

“The compute requirements, particularly in light of the need to execute this kind of filtering in real time, would be immense. It is futile to assume this capability can ever be rolled out at scale without running into massive concerns on several fronts,” Levy said. “Simply deciding how to tune the filters is an almost impossible task. Although the overall definition of nudity, namely not wearing clothing, is generally agreed upon, the line where it becomes inappropriate for minors is neither static nor universally established. So it’s wildly optimistic to assume that a single threshold would be workable at the scale proposed by Prime Minister Starmer.”

Nidhi Luthra, a director at Acceligence, added that the logistical and technological roadblocks are also a big problem. 

“Technically, parts of this can work,” she said, but vendors would have to deal with age verifications, drifts in the models and false positives, and there is also the “lack of contextual information that truly would have let this work.” 

Puts CISOs in ‘an impossible bind’

The UK proposal also puts enterprise CISOs and IT directors who need to protect sensitive data in an impossible bind, Gogia said. 

They “can govern device management and conditional access. What they cannot govern is a mandatory inspection capability that updates according to political appetite rather than enterprise risk appetite,” he pointed out. “The proposal does not automatically create a breach inside Signal, WhatsApp, or Teams, but it creates the conditions for a new class of breach around them. The weakness need not live in the messaging protocol. It can live in the mandated inspection layer, the classifier update mechanism, the age-assurance workflow, or the logs that enforcement inevitably generates.”

Regime change could lead to abuse

Another common concern is that governments change hands, so limited capabilities granted today to one government might be used very differently by a future government. 

Brian Jackson, principal research director at Info-Tech Research Group, noted, “the current government may only use it to detect nudes, but what is to stop a future authoritarian government from using it to detect unfavorable political commentary? Creating a back door means there is potential for third parties — hackers — to exploit that back door to gain access to the user’s communications. This is exactly what encryption and on-device security measures are supposed to prevent.”

He added, “Apple’s Communication Safety feature, Google’s Family Link, and a range of parental control tools already use on-device AI to detect and restrict explicit imagery on children’s devices. The government is not filling a gap the market failed to address. It is proposing to transfer control of an existing capability from the device owner to the state. Parents can deploy this protection right now, on their terms. That is where the decision should sit.”

Ryan O’Leary, research director for privacy and legal technology at IDC, said the current proposal only involves the UK, and there’s no way to determine whether other governments will try something similar. He noted that the EU’s GDPR was widely expected to go global when it launched in 2016, but in ten years, it hasn’t.

O’Leary said that if this proposal is enacted in the UK, he would advise IT and cybersecurity executives to be extra cautious when sending team members to the region. 

“It would essentially be ‘China rules’” such as air gapping systems and traveling with disposable data-limited burner phones, O’Leary said. “It’s an exceptionally big deal if it goes through,” but, he added, the chance of it happening is very low. “It seems like the technology companies will call his bluff.”

This article originally appeared on CSOonline.