The Criminal Law Reform Now Network (CLRNN) was launched in 2017 in order to facilitate collaboration between academics and other legal experts to discuss, draft and disseminate comprehensible proposals for criminal law reform to the wider community. Our research contacts include members of the public and mainstream media as well as legal and industry professionals, police, policymakers, and politicians. We immediately established computer misuse and private prosecutions as priority areas for reform, and indeed, four years later, both items are high on the agenda within government. CLRNN has been funded by an AHRC Network Grant. On 22 January 2020, we launched at Westminster (and published open-access) the outcome of our first project, Reforming the Computer Misuse Act 1990. The report makes several recommendations for reform, including to the core offences/defences in the primary legislation, to CPS guidance, to sentencing guidelines, and highlighted the potential for civil penalties. The current follow-on funding bid focuses on the possibilities of reform of the primary legislation, the Computer Misuse Act 1990 (CMA). This has become more urgent since the Home Secretary announced on 11 May 2021 that the CMA should be revised and amended. Existing 'hacking' offences were originally drafted in the CMA to reflect an outdated view that unauthorised access to another's computer is always harmful. But site owners may be thought likely to deny access even though there are vulnerabilities in their site which may enable them to be used aggressively by hackers. Cyber security today depends upon an understanding that site owners should not have an absolute say in allowing vulnerabilities to persist; indeed some compromised sites will be run by cyber criminals who have no reason to authorise any testing. Nor can the police and National Crime Agency cope with the workload in keeping the internet safe from cyber threats. So, licensing cyber security experts to conduct tests, both to close down vulnerabilities and to detect sources of threats, is the best way forward. But there is no such framework in the CMA and no defence at all for responsible experts to act in the public interest. During the drafting of our report, we worked closely with cyber security representatives to understand the chilling effect that the current law has on work in their industry (e.g, either limiting the services they can provide; or risking prosecution for arguably criminal acts). In our Report, we propose the creation of a new public interest defence. The government's present interest in reforming the CMA goes wider, including a new sentencing regime, but we have anticipated many of the salient issues here in our Report too; and should legislative reform be coming, with harsher sentences, we think that the CPS will wish to revise their own prosecutions policies accordingly, and so our work on CPS policy within the Report may also need to be further disseminated and explained. The NCC Group are our project partners in this follow-on bid, as an industry based advocate for CMA Reform (Cyber-Up Campaign). Their Cyber-Up Campaign appears to have had the most effect on government so far, and they have acknowledged our contributions in the process. But their efforts require legal input, including at meetings. We therefore seek follow-on funding for the continued work of our network facilitator to coordinate meetings and research briefings, as well as for an impact event to be hosted at the University of Cambridge at the end of 2021 to re-engage our primary political stakeholders and re-emphasise the legal and academic case for reform. The next year looks likely to be critical for reform and we are keen that our work to date should have maximum impact.

Malware (short for "malicious software") refers to any software that perform malicious activities, such as stealing information (e.g., spyware) and damaging systems (e.g., ransomware). Malware authors constantly update their attack strategies to evade detection of antivirus systems, and automatically generate multiple variants of the same malware that are harder to recognize than the original. Traditional malware detection methods relying on manually defined patterns (e.g., sequences of bytes) are time consuming and error prone. Hence, academic and industry researchers have started exploring how Machine Learning (ML) can help in detecting new, unseen malware types. In this context, explaining ML decisions is fundamental for security analysts to verify correctness of a certain decision, and develop patches and remediations faster. However, it has been shown that attackers can induce arbitrary, wrong explanations in ML systems; this is achieved by carefully modifying a few bytes of their malware. This project, XAdv ("X" for explanation, and "Adv" for adversarial robustness), aims to design "robust explanations" for malware detection, i.e., explanations of model decisions which are easy to understand and visualize for security analysts (to support faster verification of maliciousness, and development of patches), and which are trustworthy and reliable even in presence of malware evolution over time and evasive malware authors. Moreover, this project will explore how robust explanations can be used to automatically adapt ML-based malware detection models to new threats over time, as well as to integrate domain knowledge from security analysts' feedback from robust explanations to improve detection accuracy.

Our 2-year interdisciplinary project will investigate how the lack of repairability in the consumer Internet of Things (IoT) will adversely impact equity, inclusion, and sustainability in the digital economy. IoT products are becoming the default, with wireless connectivity and automation bundled into mundane household items like TVs, energy meters, toys and phones. Whilst the IoT can still be a consumer choice now, its growth means citizens may see it imposed on them in the future. We use theory and methodologies from Human-Computer Interaction (HCI), Design and Law to anticipate the future impacts of a digital divide caused by redundant IoT devices, particularly for lower income households. We will envision how to build more equitable IoT devices and avoid future inequalities posed by the poor long-term cybersecurity, exploitative uses of data and lacking environmental sustainability that define the current IoT. Some citizens can afford to replace broken devices but others cannot and require support to repair them or face the impacts. We will examine how equality issues from IoT arise across society, generations and geographies. We will then investigate how to create more repairable devices that respect citizens legal rights, provide long-term cybersecurity, minimise eWaste, and are supported by local community repairability networks. To do this, we have a research programme driven by stakeholder engagement and co-creation with citizens and project partners, namely: - Local community repair and maker space, The Making Rooms Blackburn - Consumer rights and advocacy group, Which? - Public broadcaster and new media experience developers, BBC Research & Development - IoT cybersecurity firm, NCC Group - Climate futures focused artist, Rachel Jacobs/Active Ingredient, - Social inclusion and digital skills body, the Department of Employment and Social Development in the Canadian Government. Our 4 integrated work packages (WPs) are underpinned by technical prototype development; qualitative evaluation and participatory research activities; public engagement; and policy driven activities to foster change in the sector to address current IoT led inequalities. Key focal points of the WPs include: examining legal and ethical challenges for equality posed by current IoT; creating and running an IoT Repair Shop installation in Blackburn with citizens and local repair networks; designing prototypes and user experiences that demonstrate how to build in repairability to address inequalities posed by current IoT; and developing an 'Equal-IoT' toolkit that will practically support development of more equitable futures when living with IoT. The toolkit is a novel contribution that includes design recommendations and action plans for manufacturers to change current practices; policy guidelines and briefings to shape government activities; digital skills guidelines for enabling repairability in the community; development of an IoT repair shop blueprint model to roll out to other parts of the UK; touring the Repair Shop as a public engagement activity with citizens; developing a manifesto for citizens and repairers to showcase their rights and champion change in IoT development.

The consumption of a seamless travel experience requires travellers to share their personal data with numerous individual travel and tourism service providers. There is a general lack of guidelines on how travellers should manage their data sharing activities while travelling, which lead to two unwanted situations: 1) travellers simply share their data without understanding the privacy and security risks and consequences; 2) travellers become over-worried about such risks so that they stop sharing data, which reduce their overall travel experience and prevent organisations to provide better (more personalised) services. The wide spectrum of data sharing with many entities including on social media, instant messaging and other online social platforms makes the situations worse as travellers often cannot see a big picture of how they have shared their data in the past to adapt their data sharing behaviour. PriVELT will address the two-sided challenges associated with offering a seamless and highly personalised end-to-end travel experience while balancing the privacy and security needs of leisure travellers. On the one hand, travel service providers need to identify effective ways to incentivise travellers to share personal data in exchange of tangible benefits such as higher quality service, personalised offers, discounts, or add-on services. On the other hand, travellers need to better manage the sharing of their personal data to minimise privacy-related risks while optimising value from a seamless travel experience. Therefore, PriVELT aims to develop an innovative user-centric and privacy-aware digital platform that will empower leisure travellers to better manage the sharing of their personal data with travel service providers and other entities and foster new business opportunities for the travel and tourism industry through encouraging better (more transparent and effective) usage of travellers' data. PriVELT will develop the user-centric platform based on a holistic socio-technical framework of privacy-related traveller behaviour. The framework will provide intervention points to effectively nudge travellers to share their personal data more responsibly. PriVELT draws from theories in social sciences, including consumer psychology and behavioural economics, to better explain how consumers make decisions to disclose personal information in exchange for values. PriVELT also considers travellers' psychological limitation, such as limited understanding of privacy risks, which may induce irrational behaviour in privacy-related decision-making process while traveling. In order to achieve its aim, PriVELT's research will be interdisciplinary, co-created, theory-informed, evidence-based, user-centric, and real world-facing. PriVELT will combine both social and technical methods to collect and analyse data, integrating focus groups and interviews with relevant stakeholders, a panel survey, lab-based user studies, and field studies with real domestic and international travellers (end users) to identify and apply an array of effective nudging strategies to inform travellers with risks and consequences of sharing personal data while traveling. One of the key outcomes will be a digital platform that will be used for: 1) monitoring travellers' data sharing activities; 2) enhancing situational awareness of privacy risks related to data shared; 3) providing an innovative way of achieving dynamic consent management for participants, allowing dynamic updating of the consent while travelling; ; 4) providing better recommendations for travellers to adapt their data sharing behaviours. The digital platform will be composed of three main components: 1) tools at the traveller (user/client) side in the form of a mobile app, 2) an infrastructure and tools at the server side for anonymised data aggregation and analytics purposes, and 3) the API and user interfaces for consumers of data shared by travellers.

Within the next few years the number of devices connected to each other and the Internet will outnumber humans by almost 5:1. These connected devices will underpin everything from healthcare to transport to energy and manufacturing. At the same time, this growth is not just in the number or variety of devices, but also in the ways they communicate and share information with each other, building hyper-connected cyber-physical infrastructures that span most aspects of people's lives. For the UK to maximise the socio-economic benefits from this revolutionary change we need to address the myriad trust, identity, privacy and security issues raised by such large, interconnected infrastructures. Solutions to many of these issues have previously only been developed and tested on systems orders of magnitude less complex in the hope they would 'scale up'. However, the rapid development and implementation of hyper-connected infrastructures means that we need to address these challenges at scale since the issues and the complexity only become apparent when all the different elements are in place. There is already a shortage of highly skilled people to tackle these challenges in today's systems with latest estimates noting a shortfall of 1.8M by 2022. With an estimated 80Bn malicious scans and 780K records lost daily due to security and privacy breaches, there is an urgent need for future leaders capable of developing innovative solutions that will keep society one step ahead of malicious actors intent on compromising security, privacy and identity and hence eroding trust in infrastructures. The Centre for Doctoral Training (CDT) 'Trust, Identity, Privacy and Security - at scale' (TIPS-at-Scale) will tackle this by training a new generation of interdisciplinary research leaders. We will do this by educating PhD students in both the technical skills needed to study and analyse TIPS-at-scale, while simultaneously studying how to understand the challenges as fundamentally human too. The training involves close involvement with industry and practitioners who have played a key role in co-creating the programme and, uniquely, responsible innovation. The implementation of the training is novel due to its 'at scale' focus on TIPS that contextualises students' learning using relevant real-world, global problems revealed through project work, external speakers, industry/international internships/placements and masterclasses. The CDT will enrol ten students per year for a 4-year programme. The first year will involve a series of taught modules on the technical and human aspects of TIPS-at-scale. There will also be an introductory Induction Residential Week, and regular masterclasses by leading academics and industry figures, including delivery at industrial facilities. The students will also undertake placements in industry and research groups to gain hands-on understanding of TIPS-at-scale research problems. They will then continue working with stakeholders in industry, academia and government to develop a research proposal for their final three years, as well as undertake internships each year in industry and international research centres. Their interdisciplinary knowledge will continue to expand through masterclasses and they will develop a deep appreciation of real-world TIPS-at-scale issues through experimentation on state-of-the-art testbed facilities and labs at the universities of Bristol and Bath, industry and a city-wide testbed: Bristol-is-Open. Students will also work with innovation centres in Bath and Bristol to develop novel, interdisciplinary solutions to challenging TIPS-at-scale problems as part of Responsible Innovation Challenges. These and other mechanisms will ensure that TIPS-at-Scale graduates will lead the way in tackling the trust, identity, privacy and security challenges in future large, massively connected infrastructures and will do so in a way that considers wider sosocial responsibility.