Tsaaro got CERT-IN Empanelled | MeitY has published the DPDP Rules, 2023.
Research Team (Tsaaro)
UK’s Data Watchdog Demands Answers on Racial Bias in Police Facial Recognition System
Mar 3, 2026

The UK’s data protection regulator, the Information Commissioner’s Office (ICO), has requested urgent clarity from the government following a Home Office report that highlighted significant racial and gender bias within the retrospective facial recognition (RFR) technology used by police forces. This intervention highlights escalating regulatory concerns regarding the ethics and accuracy of biometric data use in public sector services.
Stark Discrepancies Revealed in NPL Report
The National Physical Laboratory (NPL) report specifically tested the Cognitec FaceVACS-DBScan ID v5.5 algorithm, which is integral to RFR systems that execute approximately 25,000 searches monthly against the Police National Database. These searches aim to match images from sources like CCTV and social media with police records.
The NPL findings revealed a stark difference in false positive identification rates (FPIR) across demographic groups, meaning the algorithm is more likely to incorrectly match certain groups during a search.
Key Findings on Racial and Gender Bias
The data presented severe demographic variations in accuracy:
White Subjects: False Positive Rate (FPIR) was substantially lower at 0.04%.
Asian Subjects: FPIR was significantly higher at 4%.
Black Subjects: FPIR reached 5.5%.
Furthermore, a critical gender bias was observed within the Black demographic:
Black Male Subjects: FPIR was 0.4%.
Black Female Subjects: The rate surged to 9.9%.
ICO and APCC Express Disappointment and Demand Transparency
Deputy Information Commissioner Emily Keaney stated that while the ICO acknowledges the steps being taken by the Home Office to correct these flaws, "it was disappointing that we had not previously been told about this, despite regular engagement with the government." Both the ICO and the Association of Police and Crime Commissioners (APCC) stressed that public confidence in the use of such advanced, invasive technologies is paramount. The APCC warned that the lack of transparency about known system failures, which could have led to adverse impacts, undermined trust, particularly among communities historically wary of the police.
Home Office Procures New Algorithm, Calls for Pre-Deployment Checks
In response to the NPL findings, the Home Office has already procured a new algorithm designed to operate with no significant demographic variation in performance. This new system is slated for operational testing early next year.
The APCC, however, called for mandatory, robust, and independent assessment of such technologies before deployment, advocating for full transparency and clear accountability to the public.
Source: https://www.infosecurity-magazine.com/news/ico-demands-clarity-facial/
News of the week
1. Portugal Passes Law Exempting Ethical Hackers from Prosecution Under Strict Data Privacy Rules

Portugal has recently updated its approach to digital defence, becoming the newest European country to formalise a legal defence for ethical hackers and cybersecurity researchers through an amendment to its cybercrime law, made public on December 4. Titled “Acts not punishable due to public interest in cybersecurity,” this critical exception shields researchers from prosecution for identifying system vulnerabilities, provided their actions are undertaken strictly according to rigorous ethical and data protection standards. To qualify, researchers must not seek economic gain, and their methods are severely restricted, expressly forbidding intrusive tactics such as denial-of-service (DoS) attacks, social engineering, phishing, and any form of data theft or alteration. Furthermore, any action taken must be strictly proportionate, limited solely to the research purpose, and must not cause any disruption or damage to the affected systems or organisations.
In addition to these methodological restrictions, the new law imposes strict requirements for responsible disclosure and data handling. Security researchers are mandated to promptly report their findings to both the system owner/manager and the national data protection regulator, and they must maintain the confidentiality of this data across the entire process. Crucially, they must also ensure the deletion of all associated data within ten days of the identified vulnerability being successfully patched. This legislative change aligns Portugal with a clear international trend, following similar reforms in nations like Germany and revised prosecution policies in the US. This global movement, which the UK is also exploring through proposed amendments to its Computer Misuse Act, reflects a rising consensus that protecting researchers who disclose flaws in good faith is essential for strengthening collective digital resilience.
Source: https://www.infosecurity-magazine.com/news/portugal-cybercrime-law-security/
2. Australian Regulator Levies Record Fine Against Commonwealth Bank for Breaching Consumer Data Right

The Commonwealth Bank of Australia (CBA) has been hit with a significant fine of A$792,000 by the Australian Competition and Consumer Commission (ACCC) for alleged non-compliance with Australia’s Consumer Data Right (CDR) Regulations. This substantial penalty represents the largest sum levied so far for violations of the CDR system, underscoring the serious regulatory demand for financial entities to fully support consumer data transferability. The ACCC’s infringement notices stem from the allegation that CBA failed to enable data sharing for certain accounts held by business consumers and partnerships. This non-compliance directly prevented the affected customers from utilising the CDR to share their personal data and access CDR-enabled products and services, such as specialised business accounting tools, thereby forcing them to resort to less secure and manual data-sharing methods. ACCC Deputy Chair Catriona Lowe stressed that deficiencies in data quality and the failure to adhere to strict compliance deadlines are priority enforcement targets, highlighting that the CDR is a crucial, economy-wide reform designed to empower Australians to safely and securely use their own data for convenience, better deals, and more efficient financial management.
In response to the regulatory action, CBA has agreed to an administrative resolution with the ACCC, which includes a commitment to enable consumer data sharing for all remaining affected business accounts by December 19, 2025. Crucially, the bank will implement a remediation programme for customers and accredited data recipients affected by the non-compliance, set to begin in January 2026. This remediation will include goodwill payments to eligible business customers and additional payments for those who can substantiate further financial or non-financial loss. This enforcement follows a similar penalty against National Australia Bank earlier this year, which emphasises the ACCC’s zero-tolerance approach and serves as a strong reminder to all CDR participants that full compliance with the mandated data sharing rules is non-negotiable.
3. CISA and International Partners Issue Guidance for Secure AI in Infrastructure

A significant partnership between major global cybersecurity bodies has resulted in a new recommendation aimed at helping critical infrastructure operators safely integrate Artificial Intelligence (AI) into Operational Technology (OT) frameworks. The report, issued on December 3, was a joint effort between the US Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), with input from international partners, including the UK’s National Cyber Security Centre (NCSC). The guidance focuses on a range of AI technologies, including those based on large language models (LLMs) and machine learning, which are highly relevant to the complex OT environments overseeing critical public utilities such as energy, water distribution, and manufacturing. It offers an in-depth perspective on AI’s potential, balancing its advantages in efficiency and cost savings against the security and safety risks it introduces to physical control systems. It is strongly recommended that critical infrastructure organisations adopt a structured framework centred on robust governance and proactive security strategies. Operators are urged to take the lead in fostering internal AI development and performing detailed evaluations of every AI application within the OT domain.
This organisational push involves tackling integration challenges posed by frequently outdated OT systems and actively managing risks stemming from system complexities and reliance on cloud technology. Additionally, the guidance stresses the importance of safeguarding OT data used for AI model training; this protection must extend beyond static engineering configuration details to include highly sensitive, real-time process measurements vulnerable to leaks. Recognising the market trend of vendors embedding AI into their products, the guidance advises that operators must demand full transparency from vendors regarding AI capabilities, the security of their software supply chains, and explicit data usage policies. Maintaining “Human-in-the-Loop” oversight is paramount, as continuous monitoring of AI outputs, coupled with clear fail-safe mechanisms and regular model testing in strictly controlled environments, is essential for operational reliability. Finally, operators are instructed to align all AI integration efforts with existing cybersecurity frameworks and commit to evolving international standards for governance and audits.
Source: https://www.infosecurity-magazine.com/news/us-guidance-secure-ai-ot/
