Thursday’s opening arguments offered a glimpse into Tesla’s strategy for defending its Autopilot features, which have been linked to more than 700 crashes since 2019 and at least 17 fatalities, according to a Washington Post analysis of National Highway Traffic Safety Administration data. The crux of the company’s defense is that the driver is ultimately in control of the vehicle, and they must keep their hands on the wheel and eyes on the road while using the feature.

...The cluster of trials set for the next year is also likely to demonstrate how much the technology actually relies on human intervention — despite CEO Elon Musk’s claims that cars operating in Autopilot are safer than those controlled by humans. The outcomes could amount to a pivotal moment for Tesla, which has for years tried to absolve itself from responsibility when one of its cars on Autopilot is involved in a crash.

...“It’s possible the drivers (of Teslas) understand the risks,” Zipper said. “But even if they accept that, what about everyone on a public road or street who is not in a Tesla? None of us signed on to be a guinea pig.”

...Before Lee’s car collided with the palm tree, court documents say, he attempted to regain control of the car, but “Autopilot and/or Active Safety features would not allow.” That failure, according to the complaint, led to Lee’s “gruesome and ultimately fatal injuries.”

9/28/23

All the while Microsoft was also investing in AI. It first announced it was working with OpenAI in 2016; it has since invested $13bn, for what is reported to be a 49% stake. The deal not only allows Microsoft to use OpenAI’s technology, but also stipulates that OpenAI’s models and tools run on Azure, in effect making OpenAI’s customers into indirect clients of Microsoft. And it isn’t just OpenAI. Microsoft has bought 15 AI-related firms since Mr Nadella took over. That includes paying $20bn for Nuance, a health-care firm with cutting-edge speech-to-text technology, in 2022.

Today Microsoft’s business relies on three divisions for growth. The first is Azure. For the past five years it has been closing in on AWS (see chart 2). Cloud spending is slowing as IT managers tighten purse strings. Despite this, in the most recent quarter the business grew by 27% year on year. Microsoft does not reveal Azure’s sales, but analysts think that it accounts for about a quarter of the firm’s revenue, which hit $212bn last year. Gross margins for its cloud business are also secret, but Bernstein puts them at a lofty 60% or so.

Second is Microsoft 365, which also accounts for about a quarter of revenue. That has been growing by about 10% a year of late, thanks to take-up among smaller businesses, especially in service industries such as restaurants. The third source of growth is cybersecurity. In earnings calls Microsoft executives have said it accounts for roughly $20bn in revenue (about a tenth of the total). That is more than the combined revenues of the five biggest firms that provide only cybersecurity. What is more, revenues are growing by around 30% each year. (Microsoft’s video-game arm, which brings in $15bn a year, is also set to grow substantially now that British antitrust regulators have signalled they will approve the long-delayed acquisition of Activision Blizzard, another gamemaker, for $69bn.)

...Even if spiralling costs are contained, there are plenty of other risks. Competition is white-hot. One battle is for the $340bn market for business software. In May Google announced Duet for Workspace, its version of Copilots. Last week it released features allowing Bard, its chatbot, to access user’s Gmail inboxes and Google Docs. Salesforce, a software giant, has Einstein. Slack, a messaging app and one of Salesforce’s subsidiaries, has Slack GPT. ServiceNow, whose software helps firms manage their workflow, has Now Assist. Zoom offers Zoom Companion. Intuit is selling Intuit Assist. Startups such as Adept and Cohere offer ai assistants, too. OpenAI launched its enterprise-focused ChatGPT in August.

9/27/23

We leave digital traces about our health everywhere we go: by completing forms like BetterHelp’s. By requesting a prescription refill online. By clicking on a link. By asking a search engine about dosages or directions to a clinic or pain in chest dying???? By shopping, online or off. By participating in consumer genetic testing. By stepping on a smart scale or using a smart thermometer. By joining a Facebook group or a Discord server for people with a certain medical condition. By using internet-connected exercise equipment. By using an app or a service to count your steps or track your menstrual cycle or log your workouts. Even demographic and financial data unrelated to health can be aggregated and analyzed to reveal or infer sensitive information about people’s physical or mental-health conditions.

All of this information is valuable to advertisers and to the tech companies that sell ad space and targeting to them. It’s valuable precisely because it’s intimate: More than perhaps anything else, our health guides our behavior. And the more these companies know, the easier they can influence us. Over the past year or so, reporting has found evidence of a Meta tracking tool collecting patient information from hospital websites, and apps from Drugs.com and WebMD sharing search terms such as herpes and depression, plus identifying information about users, with advertisers. (Meta has denied receiving and using data from the tool, and Drugs.com has said that it was not sharing data that qualified as “sensitive personal information.”) In 2021, the FTC settled with the period and ovulation app Flo, which has reported having more than 100 million users, after alleging that it had disclosed information about users’ reproductive health with third-party marketing and analytics services, even though its privacy policies explicitly said that it wouldn’t do so. (Flo, like BetterHelp, said that its agreement with the FTC wasn’t an admission of wrongdoing and that it didn’t share users’ names, addresses, or birthdays.)

...Companies that sell ads are often quick to point out that information is aggregated: Tech companies use our data to target swaths of people based on demographics and behavior, rather than individuals. But those categories can be quite narrow: Ashkenazi Jewish women of childbearing age, say, or men living in a specific zip code, or people whose online activity may have signaled interest in a specific disease, according to recent reporting. Those groups can then be served hyper-targeted pharmaceutical ads at best, and unscientific “cures” and medical disinformation at worst. They can also be discriminated against: Last year, the Department of Justice settled with Meta over allegations that the latter had violated the Fair Housing Act in part by allowing advertisers to not show housing ads to users who Facebook’s data-collection machine had inferred were interested in topics including “service animal” and “accessibility.”

9/21/23

The reality is, unfortunately, worse. Retail companies do collect massive volumes of terrifically sensitive data: demographic information, geographic location, websites you’ve visited, brick-and-mortar stores you have patronized, products you own, products you’ve browsed, products you’ve searched for, even products they think you might have looked at but passed over in the store. They do this not only to predict your future behavior, but to influence it.

...Smartphones gave stores even more refined information about their customers, facilitating new kinds of in-store spying that most people probably don’t even know exists. Mousetrap-size radio transmitters called beacons ping off apps on your phone and can track your location down to the inch inside a store, giving retailers granular insight into what types of products you linger over. This information, combined with other data the store has collected itself and bought from third parties, can paint a vivid picture of who you are and what you might be persuaded to buy for what price in the moment: In principle, you can linger over the sugary cereals in the grocery store, opt for the whole grains, and then be served an ad on your phone for 10 percent off Lucky Charms, which the ad may remind you are actually part of a balanced breakfast.

Retailers have also started to test facial- and voice-recognition technologies in stores, giving them yet another way to track customer behavior. In-store Wi-Fi helps with the signal-inhibiting effects of many stores’ concrete-and-steel construction, but it also allows stores to collect your email address and browsing traffic, and in some cases to install cookies on your device that track you long after you leave the store and its network. Store-specific apps offer deals and convenience, but they also collect loads of information via features that allow you to make shopping lists or virtually “try on” clothing or makeup by scanning your likeness. Club cards enable stores to log every item your household purchases and analyze your profile for trends and sales opportunities.

Ordinary people may not realize just how much offline information is collected and aggregated by the shopping industry rather than the tech industry. In fact, the two work together to erode our privacy effectively, discreetly, and thoroughly. Data gleaned from brick-and-mortar retailers get combined with data gleaned from online retailers to build ever-more detailed consumer profiles, with the intention of selling more things, online and in person—and to sell ads to sell those things, a process in which those data meet up with all the other information Big Tech companies such as Google and Facebook have on you. “Retailing,” Joe Turow told me, “is the place where a lot of tech gets used and monetized.” The tech industry is largely the ad-tech industry. That makes a lot of data retail data. “There are a lot of companies doing horrendous things with your data, and people use them all the time, because they’re not on the public radar.” The supermarket, in other words, is a panopticon just the same as the social network.

9/13/23

The Mozilla Foundation spent 600 hours of research studying 25 privacy policies for major car brands. None of them met the Foundation’s minimum standards around security and privacy; all of them claim the right to collect huge amounts of personal data in dozens of categories from both the car and associated apps. Eighty-four percent of the brands studied share or sell personal data and “inferences” about you based on the data they collect, such as how intelligent you are, your abilities, and your interests. More than half of the companies will share your information with government or law enforcement based on a simple request, not requiring a subpoena. The vast majority of car companies, 92 percent, give drivers “little or no control over their personal data,” Mozilla also found, with the two exceptions being European-based brands Renault and Dacia, which have to comply with the GDPR privacy law.

But Mozilla Foundation holds special antipathy for Nissan, whose privacy policy it calls “probably the most mind boggling creepy, scary, sad, messed up privacy policy we have ever read” because “They come right out and say they can collect and share your sexual activity, health diagnosis data, and genetic information and other sensitive personal information for targeted marketing purposes.” Nissan also discloses that it will share and sell "Inferences drawn from any Personal Data collected to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes" to others for targeted marketing purposes.”

...While Nissan’s privacy policy is the most dystopian, all of the companies collect masses of data about the people who drive their cars. Some also collect tons of data about the world around the car. While Nissan’s privacy policy ranks as the creepiest, Tesla scored the worst on Mozilla’s scorecard, with its malfunctioning Autopilot function and “Full self-driving” beta program which is not actually self-driving and frequently attempts to do very dangerous things leading to analysts penalizing it for “untrustworthy AI.”

Even when car companies aren’t actively selling your data to brokers, they are vulnerable to hacks or other leaks and breaches. For example, Volkswagen and Audi, Toyota, and Mercedes-Benz have all recently suffered data leaks or breaches that affected millions of customers.

9/6/23

Google has amassed 90 percent of the search engine market in the United States and 91 percent globally, according to Similarweb, a data analysis firm.

...Rivals have long accused Google of brandishing its power in search to suppress competitors’ links to travel, restaurant reviews and maps, while giving greater prominence to its own content. Those complaints brought scrutiny from regulators, though little action was taken.

...Google’s actions had harmed consumers and stifled competition, the agency said, and could affect the future technological landscape as the company positioned itself to control “emerging channels” for search distribution. The agency added that Google had behaved similarly to Microsoft in the 1990s, when the software giant made its own web browser the default on the Windows operating system, crushing competitors.

...Some tech executives said the Justice Department’s actions made Microsoft more cautious, clearing the way for start-ups like Google to compete in the next era of computing. Bill Gates, a Microsoft founder, has blamed the hangover from the antitrust suit for the company’s slow entry into mobile technology and the failure of its Windows phone. But others have argued that the settlement did little to increase competition.

9/6/23

The federal government has shelled out at least $22 million in an effort to develop “smart” clothing that spies on the wearer and its surroundings. Similar to previous moonshot projects funded by military and intelligence agencies, the inspiration may have come from science fiction and superpowers, but the basic applications are on brand for the government: surveillance and data collection.

Billed as the “largest single investment to develop Active Smart Textiles,” the SMART ePANTS — Smart Electrically Powered and Networked Textile Systems — program aims to develop clothing capable of recording audio, video, and geolocation data, the Office of the Director of National Intelligence announced in an August 22 press release. Garments slated for production include shirts, pants, socks, and underwear, all of which are intended to be washable.

...“They’re now in a position of serious authority over you. In TSA, they can swab your hands for explosives,” Jacobsen said. “Now suppose SMART ePANTS detects a chemical on your skin — imagine where that can lead.” With consumer wearables already capable of monitoring your heartbeat, further breakthroughs could give rise to more invasive biometrics.

...If SMART ePANTS succeeds, it’s likely to become a tool in IARPA’s arsenal to “create the vast intelligence, surveillance, and reconnaissance systems of the future,” said Jacobsen. “They want to know more about you than you.”

9/2/23

“Obviously this is a great fit for abusers who live with their victims or have physical access, however brief, to their wallets,” Eva Galperin, the director of cybersecurity at activist organization the Electronic Frontier Foundation (EFF) and who has extensively researched how abusive partners use technology, told 404 Media. “​​Credit card info is not a goddamn unique identifier.”

...The issue is that the feature requires no other authentication—no account linked to an email, for example—meaning that anyone with a target’s details can enter it and snoop on their movements. Greg Sadetsky originally alerted 404 Media to the OMNY privacy issue.

...Activists have long been concerned with what data the OMNY system may collect and provide to law enforcement. The Surveillance Technology Oversight Project (STOP) previously published a report with its concerns about the technology. “Given how often government agencies, including the New York Police Department (‘NYPD’), have abused surveillance data to target ethnic and religious minorities and how for- profit corporations face overwhelming pressure to monetize user data, OMNY has the potential to expose millions of transit users to troubling repercussions,” the report reads.

The difference with this feature on the OMNY site is that essentially anyone can abuse it, as long as they have the credit card information of the target.

8/30/23

The revision follows years of criticism of the policy. Last year, a third-party audit commissioned by Meta found the company’s censorship rules systematically violated the human rights of Palestinians by stifling political speech, and singled out the DOI policy...

...Observers like Shtaya have long objected to how the DOI policy has tended to disproportionately censor political discourse in places like Palestine — where discussing a Meta-banned organization like Hamas is unavoidable — in contrast to how Meta rapidly adjusted its rules to allow praise of the Ukrainian Azov Battalion despite its neo-Nazi sympathies.

...The revision does little to address the heavily racialized way in which Meta assesses and attempts to thwart dangerous groups, Díaz added. While the company still refuses to disclose the blacklist or how entries are added to it, The Intercept published a full copy in 2021. The document revealed that the overwhelming majority of the “Tier 1” dangerous people and groups — who are still subject to the harshest speech restrictions under the new policy — are Muslim, Arab, or South Asian. White, American militant groups, meanwhile, are overrepresented in the far more lenient “Tier 3” category.

Díaz said, “Tier 3 groups, which appear to be largely made up of right-wing militia groups or conspiracy networks like QAnon, are not subject to bans on glorification.”

8/30/23

WIRED’s conversations with clinic staff who worked at 12 different facilities and recent OSHA citations, however, suggest that OMRs, typically emergency medical technicians, have sometimes been encouraged to steer workers toward in-house treatment. “Everything that we were doing was kind of pseudo-medical, enough to have the gloss of being medical,” says an EMT who worked in a Nevada AmCare. “When we’re in ambulances as EMTs, the entire point is to get people to definitive care. Then I get to Amazon, and it's like, ‘No, we're not getting them to a doctor.’ So what did you need me for? I'm the person who gets people to doctors.”

...OMRs typically treat employees who visit AmCare with heat, ice, or over-the-counter painkillers and handle referrals to workers’ compensation doctors. They can also refer workers to internal injury specialists, typically athletic trainers, for stretches and exercises designed to prevent further injury. Those staff and OMRs report to health and safety managers, who are not medical professionals. By limiting treatment to first aid provided by staff who don’t work under their medical licenses, Amazon avoids having to report these injuries to OSHA. Despite the “first” in first aid, AmCare staff often treat injured employees for days or weeks while they continue doing the job that injured them. OSHA says this can put employees at increased risk of developing enduring health issues.

...In April, OSHA issued Amazon the third citation in the agency’s 53-year history for medical mismanagement, finding that it seriously endangered employees’ health. That put the online retailer in the company of employers found to operate first aid clinics that put workers at risk of infection, scarring, or long-lasting injuries. Amazon had already received at least three warnings about AmCare from OSHA dating back to 2016, The Intercept reported. OSHA now found that over a six-month period, Amazon staff at a warehouse outside Albany, New York, sent at least six employees with serious injuries back to work instead of referring them to doctors, worsening their pain and potentially leading to “prolonged injuries and lifelong suffering.” The company is appealing. “We disagree with the claims in this citation,” Vogel of Amazon says, “and will continue our long-standing efforts to improve safety at our sites.”

...While on-site first aid clinics are common at large employers, the sort of prolonged, medically unsupervised treatment that Amazon offers is not, says Debbie Berkowitz, a former OSHA chief of staff and fellow at Georgetown University’s Kalmanovitz Initiative for Labor and the Working Poor. She says the practice of using on-site clinics to prevent recordable injuries became common in the meatpacking industry, which has a history of abusing its workforce. “So they’re taking a page out of a really low-road industry that treats workers as expendable,” she says.

8/16/23

“Not only can QR codes act as malicious links, bringing you to a nefarious website or downloading malware, but they can also be programmed to make calls and send messages to your contacts,” Hayden said. “A client of mine scanned a QR code that surreptitiously wrote and sent emails from his account to his entire contact list. The emails contained malicious links that sought to harvest recipients’ bank login information… and friends and family clicked because of the well-worded disguise.”

...The QR code parking scam has hit parking meters and lots in Myrtle Beach, in and around Atlanta, Baton Rouge, Portland, Maine, and… well, no need to mention every city in the country. You get the point. As if finding a good, affordable parking space isn’t hard enough. Now we all have to worry about being ripped off by fake parking QR codes.

...“Scammers placed their own malicious QR sticker over the restaurant’s legitimate one. Unsuspecting customers scanned the code, leading them to download malware, effectively compromising their personal information,” Chaudhuri said.

...Earlier this year, a woman in Singapore went to a bubble tea shop and saw a sticker pasted on the front door. The sticker said that if customers scanned the QR code and completed an online survey, they’d get a free cup of milk tea. That night, scammers entered the woman’s bank account and took $20,000.

8/16/23

But the industry’s embrace of A.I. technology faces challenges, including concerns over accuracy and hallucinations, in which a system provides an answer that is incorrect or nonsensical.

...Dusty has 120 units on sites across the United States, but that is just the beginning. Ms. Lau calls the units, which can collect gigabytes of data, “Trojan horses to train the A.I.s of the future.”

8/15/23

The use of the technology will also require individual's consent, the CAC said in a statement. It added that non-biometric identification solutions should be favored over facial recognition in cases where such methods are equally effective.

Biometric identification, especially facial recognition, has become widespread in China. In 2020, local media reported that facial recognition was used to activate toilet roll dispensers in public toilets, which triggered both public and regulatory concerns at the time.

...CAC's draft rules on Tuesday said image capturing and personal identification devices should not be installed in hotel rooms, public bathrooms, changing rooms, toilets, and other places that may infringe upon others' privacy.

8/8/23

“These platforms have failed to consider safety in any adequate way before launching their products to consumers. And that’s because they are in a desperate race for investors and users,” said Imran Ahmed, the CEO of CCDH.

...There’s already evidence that people with eating disorders are using AI. CCDH researchers found that people on an online eating disorder forum with over 500,000 users were already using ChatGPT and other tools to produce diets, including one meal plan that totaled 600 calories per day.

...My takeaway: Many of biggest AI companies have decided to continue generating content related to body image, weight loss and meal planning even after seeing evidence of what their technology does. This is the same industry that’s trying to regulate itself.

They may have little economic incentive to take eating disorder content seriously. “We have learned from the social media experience that failure to moderate this content doesn’t lead to any meaningful consequences for the companies or, for the degree to which they profit off this content,” said Hannah Bloch-Wehba, a professor at Texas A&M School of Law, who studies content moderation.

8/7/23

TikTok is to be fined potentially millions of pounds for breaching children’s privacy after a ruling by EU data protection regulator.

The European Data Protection Board said it had reached a binding decision on the Chinese-owned video-sharing platform over its processing of children’s data.

...On Friday, the company said new measures it had taken to comply with the DSA included: making it easier for EU users to report illegal content; allowing them to turn off personalised recommendations for videos; and removing targeted advertising for users aged 13 to 17.

8/4/23

Meta and Facebook Israel’s internal documents state that Onavo Protect was “a business intelligence tool” for Meta, which provided Meta with “a sample of users who we are able to know nearly everything they are doing on their mobile device”...

...Where the theoretical maximum penalty is in the billions or trillions of dollars, the overall maximum penalty will not be a meaningful factor in the court’s assessment. In these circumstances, the appropriate range is best assessed by reference to factors other than where the conduct falls in the range of seriousness of offending in relation to the maximum penalty.

Last year, Instagram received a record fine of $400m for the abuse of children’s data. Elsewhere, Meta was fined $277m for a data breach which impacted around 500 million users. Some believe that social networks simply consider fines like these to be the cost of doing business. A few million dollars here or there doesn’t necessarily convince those responsible to do anything about it.

7/31/23

Republican and Democratic aides familiar with ongoing defense-spending negotiations in Congress say officials at the National Security Agency (NSA) have approached lawmakers charged with its oversight about opposing an amendment that would prevent it from paying companies for location data instead of obtaining a warrant in court.

Introduced by US representatives Warren Davidson and Sara Jacobs, the amendment, first reported by WIRED, would prohibit US military agencies from “purchasing data that would otherwise require a warrant, court order, or subpoena” to obtain. The ban would cover more than half of the US intelligence community, including the NSA, the Defense Intelligence Agency, and the newly formed National Space Intelligence Center, among others.

...A prior ruling had held that Americans could not reasonably expect privacy in all cases while also voluntarily providing companies with stores of information about themselves. But in 2018 the court refused to extend that thinking to what it called a “new phenomenon”: wireless data that may be “effortlessly compiled” and the emergence of technologies capable of granting the government what it called “near perfect surveillance.” Because this historical data can effectively be used to “travel back in time to retrace a person’s whereabouts,” the court said, it raises “even greater privacy concerns” than devices that can merely pinpoint a person’s location in real time.

...A senior advisory group to the director of national intelligence, Avril Haines, the government’s top spy, stated in the report declassified last month that intelligence agencies were continuing to consider information “nonsensitive” merely because it had been commercially obtained. This outlook ignores “profound changes in the scope and sensitivity” of such information, the advisors warned, saying technological advancements had “undermined the historical policy rationale” for arguing that information that is bought may be freely used “without significantly affecting the privacy and civil liberties of US persons.”

7/27/23

“By passing the Fourth Amendment Is Not For Sale Act, both Democrats and Republicans on the House Judiciary Committee just made clear that the Data Broker Loophole must and will be closed,” Senior Policy Counsel Sean Vitka at activist group Demand Progress said in a statement. “This is a major step forward for privacy in the digital age, but among the most significant moments were statements from Chairman Jordan and Representative Lofgren that this will be included in legislation to make major reforms to FISA, which will be considered before the end of the year.”

7/19/23

In recent years, security researchers and white-hat hackers have identified sprawling vulnerabilities in internet-connected home and public charging hardware that could expose customer data, compromise Wi-Fi networks, and, in a worst-case scenario, bring down power grids. Given the dangers, everyone from device manufacturers to the Biden administration is rushing to fortify these increasingly common machines and establish security standards. “This is a major problem,” said Jay Johnson, a cybersecurity researcher at Sandia National Laboratories. “It is potentially a very catastrophic situation for this country if we don’t get this right.”

Chinks in EV charger security aren’t hard to find. Johnson and his colleagues summarized known shortcomings in a paper published last fall in the journal Energies. They found everything from the possibility of hackers being able to track users to vulnerabilities that “may expose home and corporate [Wi-Fi] networks to a breach.” Another study, led by Concordia University and published last year in the journal Computers & Security, highlighted more than a dozen classes of “severe vulnerabilities,” including the ability to turn chargers on and off remotely, as well as deploy malware.

When British security research firm Pen Test Partners spent 18 months analyzing seven popular EV charger models, it found five had critical flaws. For instance, it identified a software bug in the popular ChargePoint network that hackers could likely exploit to obtain sensitive user information (the team stopped digging before acquiring such data). A charger sold in the U.K. by Project EV allowed researchers to overwrite its firmware.

...“It’s not about your charger, it’s about everyone’s charger at the same time,” he said. Many home users leave their cars connected to chargers even if they aren’t drawing power. They might, for example, plug in after work and schedule the vehicle to charge overnight when prices are lower. If a hacker were to switch thousands, or millions, of chargers on or off simultaneously, it could destabilize and even bring down entire electricity networks. “We’ve inadvertently created a weapon that nation-states can use against our power grid,” said Munro. The United States glimpsed what such an attack might look like in 2021 when hackers hijacked Colonial Pipeline and disrupted gasoline supplies nationwide. The attack ended once the company paid millions of dollars in ransom.

7/18/23

Other repairers worry that without an industry-wide overhaul that forces automakers to standardize and open up their data, car companies will find ways to limit access to repair information, or push customers towards their own dealership networks to boost profits. They say that if auto owners had clear and direct ownership over the data generated by their vehicles—without the involvement of automakers’ specialized tools or systems—they could use it themselves to diagnose and repair a car, or authorize the repair shop of their choice to do the work. “My fear, if no one gives some stronger guidelines, is that I know automakers are going to monetize car data in a way that’s unaffordable for us to gain access,” says Dwayne Myers, co-owner of Dynamic Automotive, an auto repair business with several locations in Maryland.

...The hearing follows national wrangling over a Massachusetts law passed by a 2020 ballot measure that gave state car owners firmer control over the data generated by their cars. The Alliance for Automotive Innovation sued the state over the law, preventing lawmakers from enforcing it, and a judge has yet to decide the case. But last month, the Massachusetts attorney general announced she would begin to penalize automakers that withheld data for not complying with the rule. Days later, the US Department of Transportation warned automakers not to comply with the Massachusetts law, citing concerns it would open vehicles to hacking. The letter appeared to contradict the Biden administration’s prior commitments to right-to-repair issues.

...Myers, the Maryland independent repairer, says that allowing customers to own their car's data today would, first and foremost, “give them the right to choose where they get their car fixed.” But he also has his eye on the future. “Down the road, we will find out what automakers are collecting,” he says—and why. He’d rather establish car owners’ right to control that information now, before they discover too late that it’s being used in ways they don’t like.

7/17/23

In a reply to a tweet offering business advice, Musk tweeted Saturday, “We’re still negative cash flow, due to (about a) 50% drop in advertising revenue plus heavy debt load.”

...Ever since he took over Twitter in a $44 billion deal last fall, Musk has tried to reassure advertisers who were concerned about the ouster of top executives, widespread layoffs and a different approach to content moderation. Some high-profile users who had been banned were allowed back on the site.

7/15/23

The FTC’s demands of OpenAI are the first indication of how it intends to enforce those warnings. If the FTC finds that a company violates consumer protection laws, it can levy fines or put a business under a consent decree, which can dictate how the company handles data. The FTC has emerged as the federal government’s top Silicon Valley cop, bringing large fines against Meta, Amazon and Twitter for alleged violations of consumer protection laws.

The FTC called on OpenAI to provide detailed descriptions of all complaints it had received of its products making “false, misleading, disparaging or harmful” statements about people. The FTC is investigating whether the company engaged in unfair or deceptive practices that resulted in “reputational harm” to consumers, according to the document.

The FTC also asked the company to provide records related to a security incident that the company disclosed in March when a bug in its systems allowed some users to see payment-related information, as well as some data from other users’ chat history. The FTC is probing whether the company’s data security practices violate consumer protection laws. OpenAI said in a blog post that the number of users whose data was revealed to someone else was “extremely low.”

...Khan responded that libel and defamation aren’t a focus of FTC enforcement, but that misuse of people’s private information in AI training could be a form of fraud or deception under the FTC Act. “We’re focused on, ‘Is there substantial injury to people?’ Injury can look like all sorts of things,” Khan said.

7/13/23

On Wednesday, the lawmakers released a report detailing how TaxAct, H&R Block, and TaxSlayer put Meta and Google’s tracking pixels on their sites, sharing taxpayers’ data with those companies in what could be a violation of the law. It shows how extensive this data collection and sharing is, even on web services that you’d expect or trust would keep your information private. The situation also shows how a lack of privacy laws has helped make this practice so widespread and ingrained into the fabric of the internet itself, to the point that even companies that may have a legal obligation to keep our data private don’t know or don’t care that they aren’t doing so.

“Giant tax prep companies have recklessly shared millions of taxpayers’ most sensitive, private tax information with Meta in what appears to be a violation of the law,” Warren told Vox. “The Department of Justice and FTC must immediately investigate and prosecute any Big Tax Prep or Big Tech company that broke the law, and we must expand the IRS’ free, direct-file program to ensure taxpayers have the option to protect their privacy from greedy, reckless corporations.”

The seven-month-long investigation was prompted by a report from the Markup, which found Meta’s trackers on the three tax prep companies’ websites. Those trackers, the article said, were sending the sensitive financial and biographical information that the tax prep sites collect to Meta. That data could include names, addresses, phone numbers, which pages users clicked on, and even their income, refund amount, and other financial data. (Intuit, which makes TurboTax, also had trackers on its sites, but the data it shared was limited.)

7/12/23

Their report urges federal agencies to investigate and potentially go to court over the wealth of information that H&R Block, TaxAct and TaxSlayer shared with the social media giant.

...That data came to Meta through its Pixel code, which the tax firms installed on their websites to gather information on how to improve their own marketing campaigns. In exchange, Meta was able to access the data to write targeted algorithms for its own users.

The program collected information on taxpayers’ filing status, income, refund amounts, names of dependents, approximate federal tax owed, which buttons were clicked on the tax preparers' websites and the names of text entry forms that the taxpayer navigated, the report states.

7/12/23

When you set up a Ring camera, you are automatically enrolled in the Neighbors service. (You can go into the Ring app's settings and toggle off the Neighbors feed integration and notifications, but the onus is on you.) Neighbors, which is also a stand-alone app, shows you an activity feed from all nearby Ring camera owners, with posts about found dogs, stolen hoses, and a Safety Report that shows how many calls for service—violent or nonviolent—were made in the past week. It also provides an outlet for public safety agencies, like local police and fire departments, to broadcast information widely.

But it also allows Ring owners to send videos they've captured with their Ring video doorbell cameras and outdoor security cameras to law enforcement. This is a feature unique to Ring—even Nextdoor removed its Forward to Police feature in 2020, which allowed Nextdoor users to forward their own safety posts to local law enforcement agencies. If a crime has been committed, law enforcement should obtain a warrant to access civilian video footage.

...Multiple members of WIRED's Gear team have spoken to Ring over the years about this feature. The company has been clear it's what customers want, even though there’s no evidence that more video surveillance footage keeps communities safer. Instead, Neighbors increases the possibility of racial profiling. It makes it easier for both private citizens and law enforcement agencies to target certain groups for suspicion of crime based on skin color, ethnicity, religion, or country of origin.

7/9/23

Yet games like AI Dungeon (and games people have made with ChatGPT, such as Love in the Classroom) are built on models that have scraped human creativity in order to generate their own content. Fanfic writers are finding their ideas in writing tools like Sudowrite, which uses OpenAI’s GPT-3, the precursor to GPT-4.

Things get even more complicated if someone pays the $9.99 per month required to incorporate Stable Diffusion, the text-to-image generator, which can conjure accompanying pictures in their AI Dungeon stories. Stability AI, the company behind Stable Diffusion, has been hit with lawsuits from visual artists and media company Getty Images.

As generative AI systems grow, the term “plagiarism machines” is beginning to catch on. It’s possible that players of a game using GPT-3 or Stable Diffusion could be making things, in-game, that pull from the work of other people. Latitude’s position appears to be much like Stability AI’s: What the tool produces does not infringe copyright, so the user is the owner of what comes out of it. (Latitude did not respond to questions about these concerns.)

Trapova suggests the game development industry is on the brink of a generative AI reckoning. “They look super cool,” she says of game development tools like AI Dungeon. “But this just gives you a flavor of the issues that we will end up having if this all goes on steroids.” Soon, such legal problems will become impossible to ignore.

7/4/23

But sometimes, individualized warrants are never issued, never asked for, never really needed, depending on which government agency is conducting the surveillance, and for what reason. Every year, countless emails, social media DMs, and likely mobile messages are swept up by the US National Security Agency—even if those communications involve a US person—without any significant warrant requirement. Those digital communications can be searched by the FBI. The information the FBI gleans from those searches can be used can be used to prosecute Americans for crimes. And when the NSA or FBI make mistakes—which they do—there is little oversight.

...The law and the regime it has enabled are opaque. There are definitions for "collection" of digital communications, for "queries" and "batch queries," rules for which government agency can ask for what type of intelligence, references to types of searches that were allegedly ended several years ago, "programs" that determine how the NSA grabs digital communications—by requesting them from companies or by directly tapping into the very cables that carry the Internet across the globe—and an entire, secret court that, only has rarely released its opinions to the public.

Today, on the Lock and Code podcast, with host David Ruiz, we speak with Electronic Frontier Foundation Senior Policy Analyst Matthew Guariglia about what the NSA can grab online, whether its agents can read that information and who they can share it with, and how a database that was ostensibly created to monitor foreign intelligence operations became a tool for investigating Americans at home.

7/3/23

As self-driving cars become a fixture in major American cities like San Francisco, Phoenix and Los Angeles, police are increasingly relying on their camera recordings to try to solve cases. In Waymo’s main markets, San Francisco and Arizona’s Maricopa County, Bloomberg found nine search warrants that had been issued for the company’s footage, plus another that had been sent to rival autonomous driving firm Cruise. More warrants may have been issued under seal.

While security cameras are commonplace in American cities, self-driving cars represent a new level of access for law enforcement — and a new method for encroachment on privacy, advocates say. Crisscrossing the city on their routes, self-driving cars capture a wider swath of footage. And it’s easier for law enforcement to turn to one company with a large repository of videos and a dedicated response team than to reach out to all the businesses in a neighborhood with security systems.

“We’ve known for a long time that they are essentially surveillance cameras on wheels,” said Chris Gilliard, a fellow at the Social Science Research Council. “We're supposed to be able to go about our business in our day-to-day lives without being surveilled unless we are suspected of a crime, and each little bit of this technology strips away that ability.”

...“With the lack of consumer privacy protections that we have in the US right now, companies are able to collect as much information as humanly possible,” said Matthew Guariglia, a policy analyst at the Electronic Frontier Foundation, adding that police are then able to capitalize on the trove of data.

6/29/23

The lawsuit goes to the heart of a major unresolved question hanging over the surge in “generative” AI tools such as chatbots and image generators. The technology works by ingesting billions of words from the open internet and learning to build inferences between them. After consuming enough data, the resulting “large language models” can predict what to say in response to a prompt, giving them the ability to write poetry, have complex conversations and pass professional exams. But the humans who wrote those billions of words never signed off on having a company such as OpenAI use them for its own profit.

...The suit also adds to the growing list of legal challenges to the companies building and hoping to profit from AI tech. A class-action lawsuit was filed in November against OpenAI and Microsoft for how the companies used computer code in the Microsoft-owned online coding platform GitHub to train AI tools. In February, Getty Images sued Stability AI, a smaller AI start-up, alleging it illegally used its photos to train its image-generating bot. And this month OpenAI was sued for defamation by a radio host in Georgia who said ChatGPT produced text that wrongfully accused him of fraud.

OpenAI isn’t the only company using troves of data scraped from the open internet to train their AI models. Google, Facebook, Microsoft and a growing number of other companies are all doing the same thing. But Clarkson decided to go after OpenAI because of its role in spurring its bigger rivals to push out their own AI when it captured the public’s imagination with ChatGPT last year, Clarkson said.

...The new class-action lawsuit against OpenAI goes further in its allegations, arguing that the company isn’t transparent enough with people who sign up to use its tools that the data they put into the model may be used to train new products that the company will make money from, such as its Plugins tool. It also alleges OpenAI doesn’t do enough to make sure children under 13 aren’t using its tools, something that other tech companies including Facebook and YouTube have been accused of over the years.

6/28/23

The documents, handed over by the FBI under the Freedom of Information Act, include copies of nondisclosure agreements signed by police departments requesting access to portable devices known as cell-site simulators, otherwise known by the generic trademark “Stingray” after an early model developed by L3Harris Technologies. The FBI requires the NDAs to be signed before agreeing to aid police in tracking suspects using the devices. Stipulations in the contracts include withholding information about the devices, they're functionality, and deployment from defendants and their lawyers in the event the cases prove justiciable.

Legal experts at the ACLU, Laura Moraff and Nathan Wessler, say the secrecy requirements interfere with the ability of defendants to challenge the legality of surveillance and keep judges in the dark as to how the cases before their court unfold. “We deserve to know when the government is using invasive surveillance technologies that sweep up information about suspects and bystanders alike," Moraff says. “The FBI needs to stop forcing law enforcement agencies to hide these practices.”

...Whether US government entities have ever employed some of these advanced features domestically is unknown. Certain models used by the federal government are known to come with software capable of intercepting communications; a mode in which the device executes a man-in-the-middle attack on an individual phone rather than be used to identify crowds of them. Manufacturers internationally have marketed newer simulators capable of being concealed on the body and have advertised its use for public events and demonstrations. It is widely assumed the most invasive features remain off-limits to local police departments. Hackers, meanwhile, have proven it's possible to assemble devices capable of these feats for under $1,000.

...When police use the devices to locate a suspect on the loose or gather evidence of a crime, they are generally required by the FBI not to disclose it in court. In some cases, this leads police to launder evidence using a technique known as parallel construction, whereby the method used to collect evidence is concealed by using a different method to collect the same information again after the fact. The practice is legally controversial, particularly when undisclosed in court, as it prevents evidentiary hearings from weighing the legality of actual police conduct.

6/22/23

Your car knows a lot about you. Over the past decade, vehicles have become increasingly connected and their ability to record data about us has shot up. Cars can track where you’re traveling to and from, record every press on the accelerator as well as your seatbelt settings, and gather biometric information about you. Some of this data is sold by the murky data-broker industry.

Using industry sales data, WIRED ran 10 of the most popular cars in the US through the privacy tool to see just how much information they can collect. Spoiler: It’s a lot. The analysis follows previous reporting on the amount of data modern cars can collect and share—with estimates saying cars can produce 25 gigabytes of data per hour.

...The Vehicle Privacy Report creates privacy labels under two broad categories: what a manufacturer collects (including identifiers, biometrics, location, data from synced phones, and user profiles) and whom a manufacturer sells or shares data with (affiliates, service providers, insurance firms, government, and data brokers). For the vast majority of cars and trucks released in the past few years, it’s likely that most types of data are collected.

...The documents also say data “from camera images and sensor data, voice command information, stability control or anti-lock events, security/theft alerts, and infotainment (including radio and rear-seat infotainment) system and Wi-Fi data usage” can be collected. The company can also receive “information about your home energy usage,” which relates to the charging and discharging of electric vehicles.

...Stellantis can collect your name, address, phone number, email, Social Security number, and driving license number. The driving data the company collects, according to its documents, includes the dates and times you use it, your speed, acceleration and braking data, details of the trip (including location, weather, route taken), and, among other things, cruise control data. Like other manufacturers, it also collects data about the status of your car, including “refueling activity,” battery levels, images from cameras, and error codes that are generated. Your face and fingerprint data may be collected if you use services, such as digital keys, that need this kind of information to operate, the documents say.

6/21/23

Khan’s FTC and the e-commerce giant are increasingly on a collision course. Last month, the FTC settled two lawsuits against Amazon, one regarding its Alexa speaker recording children and another regarding customer privacy and its Ring home surveillance system.

...The FTC has also sued internet phone company Vonage, video gamemaker Epic and Credit Karma over their alleged use of “dark patterns.” The Epic suit settled for $245 million in December; the Vonage case settled for $100 million.

Amazon founder Jeff Bezos owns The Washington Post. Interim CEO Patty Stonesifer sits on Amazon’s board. Amazon did not immediately respond to a request for comment.

6/21/23

“Amazon is one of the most valuable companies in the world, worth $1.3tn and its founder, Jeff Bezos, is one of the richest men in the world worth nearly $150bn,” Sanders wrote in the letter. “Amazon should be one of the safest places in America to work, not one of the most dangerous.”

...Over the past year, Amazon has opposed union organizing campaigns, resisted charges of unfair labor practices filed by workers and spent over $14.2m on anti-union consultants in 2022.

...“Amazon sets an example for the rest of the country,” Sanders said. “What Amazon does, their attitude, their lack of respect for workers permeates the American corporate world.”

6/20/23

Uber is about to start displaying video ads across its various service apps, including Uber Eats, Drizly (an Uber-owned alcohol delivery platform), and its namesake ride-hailing app. Announced via a press release on Thursday, full-length video ads — which will play on the main Uber app while users wait for their taxi to arrive — will begin rolling out to users in the US “over the coming weeks.” Uber hopes to entice advertisers with what it knows about its users.

“We have two minutes of your attention. We know where you are, we know where you are going to, we know what you have eaten,” said Uber ad exec Mark Grether to The Wall Street Journal. “We can use all of that to then basically target a video ad towards you.” Two minutes is roughly how long Uber estimates an average customer looks at the Uber app on a typical 15-minute long journey.

6/16/23

It may come as a surprise that AI-generated products are so commonplace on Etsy, a platform that was designed nearly two decades ago specifically for artisan, handmade items. But the site has been moving away from its history for years, and unrest among its longtime sellers is basically the status quo. In 2019, sellers bristled when they were pushed to offer free shipping to compete with Amazon, and CEO Josh Silverman told me at the time that “handmade” was no longer “the value proposition” of the site. Modern Etsy celebrates garbage as long as it sells.

...The Etsy seller and clip-art designer Jane Cide told me she wasn’t surprised at all that Etsy was allowing AI art. “It is a platform for making money, and AI is making a lot of money right now,” she told me. She started selling paintings on Etsy in college, but did much better with digitized illustrations, which eventually turned into her full-time job. She said her sales had dropped about 50 percent since the end of last year, which is when AI art started hitting the Etsy marketplace. “It could just be a coincidence,” she acknowledged. “There’s so many factors that go into that. But when I look up clip art on Etsy, half of the search results are AI-generated clip art. It’s kind of hard not to draw conclusions when you’re very obviously competing in a space that is no longer for you.”

6/15/23

Robert Simonds, a US financier whose credits include producing several Adam Sandler films, has been engaged in talks to acquire the blacklisted spyware company’s assets, according to multiple sources familiar with the matter.

A firm owned by Simonds’s friend, William “Beau” Wrigley – who was an heir to his family’s chewing gum fortune and has since become involved in the cannabis industry – has conducted due diligence in connection to a possible NSO deal, according to a document seen by the Guardian.

...The Guardian reported in March that one of the company’s original founders – Omri Lavie – emerged as NSO’s new majority owner following a protracted legal fight over the group’s future. Simonds then joined the board of Lavie’s Luxembourg-based company, called Dufresne, shortly thereafter with the support of the company’s remaining debt holders. One possible option being mulled by Simonds, sources suggest, would involve buying out remaining debt holders and other creditors and stripping assets like Pegasus – NSO’s key hacking tool – out of NSO and transferring it into a new company.

...Simonds is not a known figure in the cyber industry. The US executive founded and previously served as the chairman of STX Entertainment and is known to have historically courted investors from China and India, as well as having a business dealings in Saudi Arabia.

6/14/23

If you spend any time online, you probably have some idea that the digital ad industry is constantly collecting data about you, including a lot of personal information, and sorting you into specialized categories so you’re more likely to buy the things they advertise to you. But in a rare look at just how deep—and weird—the rabbit hole of targeted advertising gets, The Markup has analyzed a database of 650,000 of these audience segments, newly unearthed on the website of Microsoft’s ad platform Xandr. The trove of data indicates that advertisers could also target people based on sensitive information like being “heavy purchasers” of pregnancy test kits, having an interest in brain tumors, being prone to depression, visiting places of worship, or feeling “easily deflated” or that they “get a raw deal out of life.”

...“I think it’s the largest piece of evidence I’ve ever seen that provides information about what I call today’s “distributed surveillance economy,” said Wolfie Christl, a privacy researcher at Cracked Labs, who discovered the file and shared it with The Markup.

...Christl said he thinks the large number of companies named in the file shows that Xandr was (at least in 2021) reselling large amounts of sensitive data from a wide range of data brokers from around the world. Regarding the large amounts of segments related to sensitive topics, Christl said, “I think the file suggests that Xandr did not take even the slightest measures to exclude at least the most sensitive data from its marketplace.”

...Many medical- and health-related segments mentioned specific conditions consumers may be diagnosed with, medicine they may be taking, or conditions they may develop. This category included several segments relating to reproductive health, including some involving pregnancy tests, contraceptives, and infertility.

6/8/23

The impact of Instagram on children and teens has faced scrutiny from civil society groups and regulators concerned about predators on the platform, privacy and the mental health impacts of the social media network. The company paused its controversial plans in September 2021 to build a separate version of Instagram specifically tailored for children who are under 13. Later that year, lawmakers also grilled the head of Instagram, Adam Mosseri, over revelations surfaced in documents shared with regulators by Meta whistleblower Frances Haugen showing Instagram is harmful to a significant portion of young users, especially teen girls.

...While Instagram is a central player in facilitating the spread and sale of child sexualized imagery, other tech platforms also played a role, the report found. For instance, it found that accounts promoting self-generated child sexual abuse material were also heavily prevalent on Twitter, although the platform appears to be taking them down more aggressively.

Some of the Instagram accounts also advertised links to groups on Telegram and Discord, some of which appeared to be managed by individual sellers, the report found.

6/7/23

Since then, venture capitalists have been throwing money at AI start-ups, investing over $11 billion in May alone, according to data firm PitchBook, an increase of 86 percent over the same month last year. Companies from Moderna to Heinz have mentioned AI initiatives on recent earnings calls. And last week, AI chipmaker Nvidia became one of only a handful of companies in the world to hit $1 trillion in value.

...That’s within spitting range of Amazon, which is worth $1.26 trillion. Nvidia Chief Financial Officer Colette Kress called ChatGPT’s launch a new “iPhone moment” — comparing it to when the world realized mobile phones would completely change how people use computers.

...About $12.5 billion in investments have gone into generative AI start-ups this year so far, compared with only $4.5 billion invested in the field in all of 2022, Burke said.

...“The entire transformers team from Google left to start their own company,” Bhooshan said, referring to the Google researchers who wrote the paper on “transformers,” a key aspect of the current crop of generative AI.

6/4/23

“Really wondering about where the line is to leave the other place,” she wrote on Bluesky, a Twitter competitor. “There is a line where the harm of unchecked disinfo exceeds the benefits of direct, authentic communication. It’s really sad.”

Ocasio-Cortez added that she was “concerned about next year’s election” after Musk complied with a censorship demand from the Turkish government, and after Donald Trump, on his own Truth Social platform, posted a parody video targeting his 2024 GOP primary opponent Ron DeSantis.

...@AOCpress’s full display name — “Alexandria Ocasio-Cortez Press Release (parody)” — has raised questions about Twitter’s policies. The platform cuts off the end of the long name on many users’ timelines, meaning that the “(parody)” disclaimer isn’t visible unless they click on the account’s profile. This also means that screenshots of the account’s tweets can appear authentic.

But the man who started @AOCpress, a Trump-supporting political pundit named Michael Morrison, defended the account in direct messages with HuffPost. The words “Press Release” were included in the long display name, he said, because the account used to put out mock press statements purporting to be “official” from Ocasio-Cortez’s office.

6/2/23

Meta is temporarily blocking some Canadian users from accessing news content on Facebook and Instagram as part of a temporary test that is expected to last through the end of June, the tech giant said Thursday.

The block — which follows a similar step taken by Google earlier this year — comes in response to a proposed bill that will require tech giants to pay publishers for linking to or otherwise repurposing their content online. Bill C-18, the Online News Act, is currently being considered in the Senate and could be passed as early as this month.

Meta also said it is prepared to permanently block news content on Facebook and Instagram for Canadians if the bill passes.

6/2/23

When Kevin Smyth learned in April that Goldman Sachs and Apple were offering a savings account with higher yields than anyone else, he jumped at the chance to shift money that was earning less at another online bank. But within a few weeks, when he had to withdraw a small portion of the funds to pay for a home renovation, everything went awry.

A transaction that was supposed to take one to three business days ended up taking nearly two weeks to clear, forcing Smyth to sell stock through a Fidelity account to get the money for the renovation. Smyth now says he plans to close his Apple Savings account, disappointed in Apple and Goldman and the way customer service staff treated him. He described being “lectured” by representatives who scolded him for moving money in and out of savings accounts so quickly, even though the account’s terms and conditions didn’t describe any restrictions on doing so.

6/1/23

Rey’s investigation into the Azima case shed new light not only on BellTroX but also on several other outfits like it, establishing beyond dispute that India is home to a vast and thriving cyberattack industry. Last year, Rey secured the first detailed confession from a participant in a hacking-for-hire operation. In court papers, an Indian hacker admitted that he had infiltrated Azima’s e-mail account—as had employees at another firm. Moreover, there were countless other Indian hackers for hire, whose work was often interconnected. John Scott-Railton, a senior researcher at Citizen Lab, who helped lead the BellTroX investigation, told me that the admissions Rey obtained are “huge” and “move the whole conversation forward.” He added, “You know how in some industries, everybody ‘knows a guy’ who can do a certain thing? Well, in hacking for hire, India is ‘the guy.’ They are just so prolific.”

...Another of those private investigators, Stuart Page, who had denied that any hacking had occurred, bolstered the credibility of the new filing by flipping and confirming the core of Jain’s story. Page, a former officer for Scotland Yard, submitted an affidavit acknowledging that he had lied about the hacking. “I apologise unreservedly for the part I played in misleading the Court,” Page said. He admitted that he had worked with an Israeli private investigator and former intelligence officer who, in turn, had hired “subcontractors located outside of Israel” who had used “hacking techniques” to obtain “confidential e-mails and unauthorised access to other confidential electronic data.” Nobody had accidentally discovered Azima’s hacked e-mails online, Page admitted: the Israeli investigator who had hired the hackers had sent him a link to the cache. Moreover, the investigator’s reports were clearly full of hacked data. Page wrote, “It was obvious to me (and it would have been obvious to anyone else reading the reports) that such documents were obtained as a result of unauthorised access to computers.” (The Israeli private investigator has disputed Page’s account.)

...Rey said that, judging from the data he has obtained from Jain and his hacker colleagues, the hacking-for-hire business in India is much bigger than most experts had imagined. “In addition to BellTroX and CyberRoot, there are about ten to fifteen other Indian companies doing this,” he told me. “We have seen close to a hundred and twenty thousand victims over the past ten years, so it really is an industry.”Yet, as both Rey and Scott-Railton, of Citizen Lab, told me, Indian hackers appear to share something important with their counterparts in those authoritarian nations: a tacit alliance with their government. Rey told me that, according to target lists and other information that he gained from Indian hackers, the top dozen Indian hacking-for-hire firms “have always tended to have the same profile—they always do a little bit of government work, with private work on the side.”

This spring, federal prosecutors in New York who were armed with data provided by Citizen Lab secured a guilty plea from an Israeli private investigator named Aviram Azari, who had admitted to hiring Indian hackers to attack climate activists, investors, and many others. Azari, who faces a lengthy sentence, has refused to name his clients.

6/1/23

Katina Michael, a professor at Arizona State University who has studied location-based technologies in the private and academic spheres for more than 25 years, describes the shift to mass location sharing as one of the central tenets of uberveillance, the academic term used to mark human beings’, companies’, and governments’ widespread electronic surveillance of other people. “It’s the most powerful thing, knowing where someone is,” she says. “It’s sacred knowledge. It’s God knowledge, when you think about it.” (Perhaps this is part of the enjoyment of staring at our friends’ bubbles: We get to play God to our virtual Sim friends.)

Michael finds the casualness with which people share locations with their friends worrisome. She cites the Tempe, Arizona, man who, in 2019, was arrested for posing as a teenage girl on Snapchat to find the locations of underage girls and then watching them in their homes. (Another man was arrested for the same thing in Florida in 2022.) In France, one man tracked his girlfriend on Snap Map and ended up stabbing the man she was with. Of course, location services have also helped solve innumerable crimes, which is why so many families and friends rely on it for peace of mind. In 2019, one woman credited location sharing with saving her life after she went into anaphylactic shock and her roommate was able to find her and call an ambulance.

If location sharing is the new normal, Michael hopes to bring about changes to the ways location tracking apps breach our privacy. First and foremost, she says that people should have the right to view their own location data and delete it if they wish. She was also the working group chair of a new code of age-appropriate standards for young people, which includes guidelines for terms of service agreements written in plain, simple language. “If even lawyers can’t figure out what terms and conditions are talking about, what’s the average adult to do?” she says, never mind the teens and kids who use these features.

5/31/23

Federal regulators on Wednesday announced Amazon would pay $25 million to settle allegations that its voice assistant Alexa violated a federal law protecting children’s privacy — a sign of Washington’s mounting scrutiny of the e-commerce giant’s sprawling businesses.

...By recording children and using transcripts of those recordings to improve its product even after deletion requests, the U.S. government alleges that Amazon has violated the Children’s Online Privacy Protection Act of 1998, a law that has recently been enforced against other popular tech companies including Fortnite-maker Epic Games and YouTube.

...The commission is also fining the company over Ring, Amazon’s home surveillance company best known for its doorbell camera. Regulators say the company illegally allowed employees and contractors to view private videos of customer’s homes and are fining the company an additional $5.8 million.

5/31/23

“Right now, 11,500 WGA members across the country are on strike because companies — including Warner Bros. Discovery — refuse to negotiate a fair contract that addresses writers’ reasonable demands around pay, residuals, and the existential threat that AI poses to workers,” the union said in a statement. “It is shameful that, in the midst of an action to preserve the future of work, Boston University would use a graduation ceremony to honor someone intent on destroying its students’ prospects to build sustainable careers.”

5/31/23

On Monday, an activist named Sharon Maxwell posted on Instagram, sharing a review of her experience with Tessa. She said that Tessa encouraged intentional weight loss, recommending that Maxwell lose 1-2 pounds per week. Tessa also told her to count her calories, work towards a 500-1000 calorie deficit per day, measure and weigh herself weekly, and restrict her diet. “Every single thing Tessa suggested were things that led to the development of my eating disorder,” Maxwell wrote. “This robot causes harm.”

...“To advise somebody who is struggling with an eating disorder to essentially engage in the same eating disorder behaviors, and validating that, ‘Yes, it is important that you lose weight’ is supporting eating disorders” and encourages disordered, unhealthy behaviors,” Conason told the Daily Dot.

NEDA’s initial response to Maxwell was to accuse her of lying. “This is a flat out lie,” NEDA’s Communications and Marketing Vice President Sarah Chase commented on Maxwell’s post and deleted her comments after Maxwell sent screenshots to her, according to Daily Dot. A day later, NEDA posted its notice explaining that Tessa was taken offline due to giving harmful responses.

5/30/23

A group of industry leaders warned on Tuesday that the artificial intelligence technology they were building might one day pose an existential threat to humanity and should be considered a societal risk on a par with pandemics and nuclear wars.

...The statement comes at a time of growing concern about the potential harms of artificial intelligence. Recent advancements in so-called large language models — the type of A.I. system used by ChatGPT and other chatbots — have raised fears that A.I. could soon be used at scale to spread misinformation and propaganda, or that it could eliminate millions of white-collar jobs.

Eventually, some believe, A.I. could become powerful enough that it could create societal-scale disruptions within a few years if nothing is done to slow it down, though researchers sometimes stop short of explaining how that would happen.

...But others have argued that A.I. is improving so rapidly that it has already surpassed human-level performance in some areas, and that it will soon surpass it in others. They say the technology has shown signs of advanced abilities and understanding, giving rise to fears that “artificial general intelligence,” or A.G.I., a type of artificial intelligence that can match or exceed human-level performance at a wide variety of tasks, may not be far off.

5/30/23

Meredith Whittaker, president of the Signal Foundation and cofounder and chief advisor of the ​​AI Now Institute, a nonprofit focused AI and the concentration of power in the tech industry, says many of those who signed the statement likely believe probably that the risks are real, but that the alarm “doesn’t capture the real issues.”

She adds that discussion of existential risk presents new AI capability as if they were a product of natural scientific progress rather than a reflection of products shaped by corporate interests and control. “This discourse is kind of an attempt to erase the work that has already been done to identify concrete harms and very significant limitations on these systems.” Such issues range from AI bias, to model interpretability, and corporate power, Whittaker says.

Margaret Mitchell, a researcher at Hugging Face who left Google in 2021 amid fallout over a research paper that drew attention to the shortcomings and risks of large language models, says it is worth thinking about the long-term ramifications of AI. But she adds that those behind the statement seem to have done little to consider how they might prioritize more immediate harms including how AI is being used for surveillance. “This statement as written, and where it's coming from, suggest to me that it’ll be more harmful than helpful in figuring out what to prioritize,” Mitchell says.

5/30/23

European Commissioner Thierry Breton tweeted that Twitter had pulled out of the EU’s disinformation “code of practice” that other major social media platforms have pledged to support. But he added that Twitter’s “obligation” remained, referring to the EU’s tough new digital rules taking effect in August.

“You can run but you can’t hide,” Breton said.

...Breton said that under the new digital rules that incorporate the code of practice, fighting disinformation will become a “legal obligation.”

5/27/23

“… The current body of evidence indicates that while social media may have benefits for some children and adolescents, there are ample indicators that social media can also have a profound risk of harm to the mental health and well-being of children and adolescents,” U.S. Surgeon General Dr. Vivek Murthy wrote in the advisory. “At this time, we do not yet have enough evidence to determine if social media is sufficiently safe for children and adolescents.”

...“Nearly every teenager in America uses social media, and yet we do not have enough evidence to conclude that it is sufficiently safe for them,” the advisory warns. “Our children have become unknowing participants in a decades-long experiment.”

...The surgeon general’s specific policy recommendations include implementing higher standards for youth data privacy, enforced age minimums, deepening research in these areas and weaving digital media literacy education into cirriculums.

...The issue comes up time and time again in Congressional hearings, but the possibility of thoughtful U.S. regulation addressing tech’s ability to manipulate the behavior of young users while monetizing their data continues to take a backseat to partisan politics and political grandstanding. While the EU passes meaningful new rules for social media like the Digital Services Act, lawmakers in the U.S. continue to fail on core, cross-platform issues like data privacy and dangerous content.

5/24/23

Ferguson’s lawsuit against Google asserted that the tech giant deceptively led consumers to believe that they have control over how Google collects and uses their location data. In reality, consumers could not effectively prevent Google from collecting, storing and profiting from their location data.

The lawsuit itself, announced back in January 2022, claimed Google used a “number of deceptive and unfair practices” to obtain user content for tracking. Practices highlighted included “hard to find” location settings, misleading descriptions of location settings, and “repeated nudging” to enable location settings alongside incomplete disclosures of Google’s location data collection.

These practices were set alongside the large amount of profit Google generated from using consumer data to sell advertising. Google made close to $150 billion from advertising in 2020, and the case pointed out that location data is a key component of said advertising. As per the Attorney General:

5/23/23

The Irish Data Protection Commission ordered Meta to suspend all transfers of personal data belonging to users in the E.U. and the European Economic Area — which includes non-E. U. countries Iceland, Liechtenstein and Norway — to the United States.

The Irish Data Protection Commission said in a statement that Meta’s data transfers were in breach of the E.U.’s General Data Protection Regulation (GDPR), rules that restrict what companies can do with people’s personal data. It is the largest GDPR fine handed down by the bloc, surpassing the previous record of $887 million against Amazon, a penalty issued in 2021 by a European privacy regulator that the firm said it would appeal.

...Meta has faced regulatory scrutiny over its privacy practices for more than a decade, including from the Federal Trade Commission in the United States. Monday’s fine is far smaller than the $5 billion settlement that the company reached with the FTC in 2019 over its alleged mishandling of user data, ending an investigation that began in the wake of the Cambridge Analytica scandal.

That record-breaking fine marked a historic censure of a major tech company, but it was largely shrugged off by investors. The company’s critics in Congress said the penalty did not go far enough, calling it a “Christmas present” and a “mosquito bite” for the tech behemoth. Yet the FTC settlement is a harbinger of how government penalties can inflict more than financial pain on a company.

5/22/23

On Monday morning, a verified Twitter account called Bloomberg Feed shared an ominous tweet. Beneath the words, “Large Explosion near The Pentagon Complex in Washington, D.C. - Initial Report,” it showed an image of a huge plume of black smoke next to a vaguely Pentagon-like building.

On closer inspection, the image was a fake, likely generated by artificial intelligence, and the report of an explosion was quickly debunked — though not before it was picked up by large accounts, including the Russian state media organ Russia Today. The tweet may have also briefly moved the stock market, as the Dow Jones Industrial Index dropped 85 points within four minutes, then rebounded just as quickly.

...And Twitter is looking like an increasingly likely vector, as new owner Elon Musk has gutted its human workforce, laid off a team that used to fact-check viral trends, and changed account verification from a manual authentication process to one that’s largely automated and pay-for-play. The signature blue badges once indicated authority for public figures, large organizations, celebrities and others at risk of impersonation. Now, Twitter awards them to any one willing to pay $8 a month and confirm their phone number.

5/22/23

Congress’s relationship to privacy comes when it’s politically expedient and disappears as soon as members feel as if they could be too easily painted as being soft on crime or national security. Despite calls over the last few years for federal legislation to reign in big tech companies, we’ve seen nothing significant in limiting tech company's ability to collect data (then accessed by the NSA via Prism), or regulate biometric surveillance, or close the backdoor that allows the government to buy personal information rather than get a warrant, much less create a new Church Committee to investigate the intelligence community’s overreaches. It’s why so many cities and states have had to take it upon themselves to ban face recognition or predictive policing, or pass laws to protect consumer privacy and stop biometric data collection without consent.

It’s been 10 years since the Snowden revelations and Congress needs to wake up and finally pass some legislation that actually protects our privacy, from companies as well as from the NSA directly.

5/19/23

In Fall 2023, Congress will get a chance to seriously reform or end Section 702 of FISA in light of its impending sunset. Section 702 allows the government to conduct surveillance inside the United States by vacuuming up digital communications so long as the surveillance is directed at foreigners currently located outside of the United States. It also prohibits intentionally targeting Americans. Nevertheless, the NSA routinely (“incidentally”) acquires innocent Americans' communications without a probable cause warrant. Once collected, the FBI can search through this massive database of information by “querying” the communications of specific individuals.

In 2021 alone, the FBI conducted up to 3.4 million warrantless searches of Section 702 data to find Americans’ communications. Congress and the FISA Court have imposed modest limitations on these “backdoor searches,” but according to several recent FISA Court opinions, the FBI has engaged in “widespread violations” of even these minimal privacy protections.

The Snowden revelations gave names to two of the key types of surveillance that the NSA conducts under Section 702: Prism and Upstream. Upstream has been central to EFF’s litigation, as we had direct evidence about it long before we knew its name. If 702 ends, both of these two programs should end along with them.

5/19/23

But in the end, the court didn’t even address Section 230. It decided it didn’t need to, once it concluded the social media companies hadn’t violated U.S. law by automatically recommending or monetizing terrorist groups’ tweets or videos.

...Yet the wording of Thomas’s opinion is cause for concern to those who would like to see platforms held liable in other sorts of cases, such as the Pennsylvania mother suing TikTok after her 10-year-old died attempting a viral “blackout challenge.” His comparison of social media platforms to cellphones and email suggests an inclination to view them as passive hosts of information even when they recommend it to users.

“If there were people pushing on that door, this pretty firmly kept it closed,” said Evelyn Douek, an assistant professor at Stanford Law School.

5/18/23

The announcement comes just a few months after journalists at Futurism revealed that CNET had published articles written by AI instead of by its writers—articles which contained a multitude of extremely basic errors—and that it had not properly disclosed that fact to its team. Despite these developments in CNET’s content creation, a representative for the union said that organizing had started long before.

...“CNET media workers have been subjected to ongoing restructuring, cost-cutting austerity measures, shifting job roles and promotion freezes,” the letter reads. “In the past year, three major rounds of layoffs have deeply impacted our reporting and our teams. Red Ventures cut senior editorial positions, eliminated the Roadshow cars section, drastically slashed our video team, gutted our news division and shut down science and culture coverage. These unilateral overhauls created low morale and unease, resulting in a wave of resignations and talent attrition.”

“We face a lack of transparency and accountability from management around performance evaluations, sponsored content and plans for artificial intelligence,” it continues. “We are concerned about the blurring of editorial and monetization strategies.”

5/16/23

The AFWERX contract is the first publicly reported relationship between SafeGraph and the US military, but the company has a history of working with other government agencies. In 2018, it sold two years of raw data to the Illinois Department of Transportation. In the first months of the Covid-19 pandemic, it inked a $420,000 deal with the Centers for Disease Control. Meanwhile, Veraset gave raw, individualized data about millions of people to the Washington, DC, Department of Health and other agencies around the country. And in 2020 and 2021, Santa Clara County used SafeGraph data to monitor attendance at a local church as part of a broader effort to enforce Covid restrictions. Materials shared with the Air Force mention relationships with the US Department of Agriculture, the Federal Reserve Bank, and the Los Angeles County, New York City, and New Jersey governments.

...In May 2022, Vice revealed that SafeGraph was selling access to aggregated counts of where people were before and after visiting abortion clinics, including Planned Parenthood. In response, 14 US senators sent the company a letter demanding answers about its business practices, and SafeGraph promised to stop selling data about abortion clinic visitors.

Although SafeGraph is best known for dealing in cell-phone-based location data, its pitch to the Air Force makes little mention of data about human movement—the only direct reference is a slide that says it can help “analyze human activity for Landing Zone (LZ) selection,” without explaining what that means. But SafeGraph has recently expanded its business to incorporate other kinds of data as well. For example, in 2022, it launched Spend, a product that profiles the customers of brick-and-mortar stores, including what they spend, what wireless carriers they use, and whether they take out short-term “buy now, pay later” loans.

...SafeGraph is funded in part by the CIA-backed venture capital firm In-Q-Tel, and In-Q-Tel head of investments George Hoyem sits on SafeGraph’s board, according to its slide deck. SafeGraph has also received investments from a motley crew including Peter Thiel, Sam Harris, former Republican House majority leader Eric Cantor, and former Saudi Arabian intelligence chief Prince Turki bin Faisal Al Saud. SafeGraph’s last funding round valued the company at $370 million, according to the records.

5/8/23

The third-party service provider at the heart of the data breach is Fortra, which was recently targeted by the Cl0p ransomware gang in a string of attacks that leveraged an undisclosed vulnerability in the file transfer software called GoAnywhereMFT, which Fortra develops and which is used by businesses worldwide. Malwarebytes Labs reported on the vulnerability in February, urging users to deploy a patch.

GoAnywhere MFT, which stands for managed file transfer, allows businesses to manage and exchange files in a secure and compliant way. According to its website, it caters to more than 3,000 organizations, predominantly ones with over 10,000 employees and 1B USD in revenue.

...For many organizations, Brightline offers virtual behavioral and mental health services for the children of benefits-eligible employees. In this light, Brightline has published a list of covered entities impacted by the breach.

5/8/23

An investigation into mental health apps has revealed that many of the most popular services are failing to protect the privacy and security of their users. Following up on a report from last year’s Privacy Not Included guide, researchers at Mozilla found that apps designed for sensitive issues like therapy and mental health conditions are still collecting large amounts of personal data under questionable or deceptive privacy policies.

The team re-reviewed 27 of the mental health, meditation, and prayer apps featured in the previous year’s study, including Calm, Youper, and Headspace, in addition to five new apps requested by the public. Of those 32 total apps, 22 were slapped with a “privacy not included” warning label, something Mozilla assigns to products that have the most privacy and personal data concerns. That’s a minor improvement on the 23 that earned the label last year, though Mozilla said that around 17 of the 27 apps it was revisiting still scored poorly — if not worse — for privacy and security this time around.

...Meanwhile, some of the apps featured on last year’s list did see some improvements. Youper is highlighted as the most improved of the bunch, having overhauled its data collection practices and updated its password policy requirements to push for stronger, more secure passwords. Moodfit, Calm, Modern Health, and Woebot also made notable improvements by clarifying their privacy policies, while researchers praised Wysa and PTSD Coach for being “head and shoulders above the other apps in terms of privacy and security.”

5/4/23

Years ago, Alexa was the chat technology that took Silicon Valley by storm, with hundreds of products from many manufacturers embedding the voice technology into their wares. Now OpenAI's ChatGPT has taken center stage, and Amazon's competitors, such as Microsoft, are having success using it, with Google hot on Microsoft's tail with its own competitor. Meanwhile, the once promising Alexa unit has struggled in recent years and gone through both major layoffs and cost cuts.

5/3/23

The Writers Guild of America is on strike, after six weeks of negotiating with a number of major entertainment companies, including Netflix, Amazon, Apple, and Disney, under the Alliance of Motion Picture and Television Producers (AMPTP). The walkout is the first Hollywood strike to occur in 15 years, and comes at an unprecedented moment—for the first time ever, writers are negotiating the studios’ use of generative AI tools like ChatGPT.

...“Initially, the WGA's AI proposals looked like outliers. Everything else on the list was talking about writer compensation, making sure writers were paid fairly to justify the immense value they were bringing to the studios. Over the negotiation, it became clear that the AI proposals are really part of a larger pattern. The studios would love to treat writers as gig workers. They want to be able to hire us for a day at a time, one draft at a time, and get rid of us as quickly as possible. I think they see AI as another way to do that,” John August, a screenwriter known for writing the films Charlie’s Angles and Charlie and the Chocolate Factory, told Motherboard.

“The idea that our concerns could be addressed by an annual meeting is absurd and honestly offensive. Everyone watching AI can tell you that these large language models are progressing at an incredible rate. AI-generated material isn't something that's going to become a factor in a few years. It's here now. It's lucky that we're negotiating our contract this year and not next year, before these systems become widely entrenched,” August said.

5/3/23

Motherboard has previously covered the various parts of the vehicle data collection business. One company called Otonomo sells granular location data of peoples’ vehicles. In another case, a surveillance contractor that has sold services to the U.S. military had aspirations to sell similar information to government customers.

After entering their VIN, the Vehicle Privacy Report tool says the types of data it believes the car manufacturer collects. This includes identifiers, location data, biometrics, and data synced from mobile phones. The tool also lists the sorts of entities the manufacturer may share or sell data to, such as insurance companies, data brokers, or the government. (It is expected behavior for companies to share collected data with law enforcement under a valid court order or similar).

The tool will also say if the vehicle has telematics, which is when a car has its own cellular data plan separate from the driver’s smartphone. For cars with telematics, the tool describes them as a “smartphone on wheels.” For those without, the tool says they are like a “hard-drive on wheels.”

5/2/23

This Amazon form is asking for something more extraordinary: “use and disclosure of protected health information.” It authorizes Amazon to have your “complete patient file” and notes that the information “may be re-disclosed,” after which it “will no longer be protected by HIPAA.”

Wait, you agreed to what? Amazon is essentially pushing people to waive some of their federal privacy protections, say the lawyers at the Electronic Privacy Information Center whom I asked to inspect the jargon. Amazon is required by law to say doing so is voluntary — but in practice you must agree to become a patient at its Clinic. There’s only one button to click: “Continue.”

What could go wrong? There are lots of icky ways Amazon could use your health information: to upsell you on other services, to target marketing for its giant advertising business, or to build out artificial intelligence or patient-risk models.

...I’m just as frustrated with our lawmakers as I am with Amazon. HIPAA was written in 1996 primarily to make medical records portable, at a time when many were stored in folders on shelves. No wonder the law can’t keep up with digital businesses harvesting health information. HIPAA also doesn’t cover the growing trove of body information collected by Apple Watches and even Google searches.

5/1/23

More than that, the DOJ said that the trolls targeted an online platform labeled “Company-1” to disrupt meetings of pro-democracy activists commiserating about the Tiananmen Square massacre. ABC News reported based on anonymous sources that the listed company was Zoom, and that an insider at Zoom was assisting with these repression campaigns. Prosecutors said the trolls posted threats in the Zoom chat, and in another instance, the trolls drowned out another meeting of anti-CCP dissidents with “loud music, vulgar screams, and threats.”

...The accusations against Zoom echo previous allegations against the company. Back in 2020, the DOJ accused a Zoom exec Xinjiang “Julien” Jin of working with the Beijing government to surveil and censor video calls. The allegations were that the Zoom exec shared user information and disrupted video calls on behalf of the CCP. The video meeting platform previously claimed to Gizmodo that no Zoom employee provided the Chinese government with the names or data of users not based in China.

4/17/23

The list of people and organizations that are hungry for your location data—collected so routinely and packaged so conveniently that it can easily reveal where you live, where you work, where you shop, pray, eat, and relax—includes many of the usual suspects.

Advertisers, obviously, want to send targeted ads to you and they believe those ads have a better success rate if they're sent to, say, someone who spends their time at a fast-food drive-through on the way home from the office, as opposed to someone who doesn't, or someone who's visited a high-end department store, or someone who, say, vacations regularly at expensive resorts. Hedge funds, interestingly, are also big buyers of location data, constantly seeking a competitive edge in their investments, which might mean understanding whether a fast food chain's newest locations are getting more foot traffic, or whether a new commercial real estate development is walkable from nearby homes.

...According to a recent investigation from Electronic Frontier Foundation and The Associated Press, a company called Fog Data Science has been gathering Americans' location data and selling it exclusively to local law enforcement agencies in the United States. Fog Data Science's tool—a subscription-based platform that charges clients for queries of the company's database—is called Fog Reveal. And according to Bennett Cyphers, one of the investigators who uncovered Fog Reveal through a series of public record requests, it's rather powerful.

4/10/23

But the way these products work—receiving instructions from users and then scouring the internet for answers—creates a ton of new risks. With AI, they could be used for all sorts of malicious tasks, including leaking people’s private information and helping criminals phish, spam, and scam people. Experts warn we are heading toward a security and privacy “disaster.”

...Over the last year, an entire cottage industry of people trying to “jailbreak” ChatGPT has sprung up on sites like Reddit. People have gotten the AI model to endorse racism or conspiracy theories, or to suggest that users do illegal things such as shoplifting and building explosives.

Malicious actors could also send someone an email with a hidden prompt injection in it. If the receiver happened to use an AI virtual assistant, the attacker might be able to manipulate it into sending the attacker personal information from the victim’s emails, or even emailing people in the victim’s contacts list on the attacker’s behalf.

...“Language models themselves act as computers that we can run malicious code on. So the virus that we’re creating runs entirely inside the ‘mind’ of the language model,” he says.

4/3/23

“There's always an option to let us leak your data,” a message posted on the ransomware group’s website reads next to Ring’s logo. The ransomware group claiming responsibility for the attack is ALPHV, whose malware is known as BlackCat.

...ALPHV has previously leaked medical data, and hacked hospitality companies. It recently claimed an attack on an Irish university too.

In 2019, hackers on a Discord channel began hacking a series of Ring cameras all over the country by reusing credentials exposed in earlier hacks. These hackers then terrorized their victims; in Tennessee, for example, a hacker broke into the camera installed in the bedroom of three young girls and spoke through the camera's speaker to the girls and played the song "Tiptoe Through the Tulips" to the girls. At one point, the hackers created a podcast where they broke into Ring users' cameras live on air.

3/13/23

Even before this latest blog post, some security researchers had already recommended ditching LastPass. Jeremi Gosney, a member of the core development team for password cracking software Hashcat, previously supported LastPass, he said in a lengthy Mastodon post in December. That changed. Issues Gosney flagged included LastPass suffering a total of seven major security breaches in the last ten years, ignoring vulnerability reports, and how LastPass keeps your vault encryption key in memory.

Companies get hacked all the time. Sometimes the companies are under-resourced, or face an attacker that genuinely outwitted them. Some breaches are mostly inconsequential, dealing with accounts for a particular, and not that important, website. But password management companies are not ordinary tech companies or sites. They are the custodians of their customers’ passwords that in turn can be used to completely pry open their digital lives. These are peoples’ most valuable secrets, and should be treated as such. For a password manager, you shouldn’t expect anything less than world class. Especially when you’re paying for the service, which is the case with many LastPass customers (a change the company did in 2021, which made not paying for the service incredibly inconvenient.).

At a minimum, LastPass customers should change any passwords they stored inside the service, as well as their master password which is used to access this information. They should start with their most sensitive accounts first. Unfortunately, this is likely to be a time-consuming process. Beyond that, it’s time to find another password manager altogether.

2/28/23

The EU’s upcoming AI Act and AI liability law will require companies to document how they are mitigating harms. In the US, lawmakers in New York, California, and elsewhere are working on regulation for the use of AI in high-risk sectors such as employment. In early October, the White House unveiled the AI Bill of Rights, which lays out five rights Americans should have when it comes to automated systems. The bill is likely to spur federal agencies to increase their scrutiny of AI systems and companies.

And while the volatile global economy has led many tech companies to freeze hiring and threaten major layoffs, responsible-AI teams have arguably never been more important, because rolling out unsafe or illegal AI systems could expose the company to huge fines or requirements to delete their algorithms. For example, last spring the US Federal Trade Commission forced Weight Watchers to delete its algorithms after the company was found to have illegally collected data on children. Developing AI models and collecting databases are significant investments for companies, and being forced by a regulator to completely delete them is a big blow.

Burnout and a persistent sense of being undervalued could lead people to leave the field entirely, which could harm the field of AI governance and ethics research as a whole. It’s especially risky given that those with the most experience in solving and addressing harms caused by an organization’s AI may be the most exhausted.

...“The only mechanism that big tech companies have to handle the reality of this is to ignore the reality of it.”

10/28/22

Our investigation revealed wide gaps between Worldcoin’s public messaging, which focused on protecting privacy, and what users experienced. We found that the company’s representatives used deceptive marketing practices, collected more personal data than it acknowledged, and failed to obtain meaningful informed consent. These practices may violate the European Union’s General Data Protection Regulations (GDPR)—a likelihood that the company’s own data consent policy acknowledged and asked users to accept—as well as local laws.

...Central to Worldcoin’s distribution was the high-tech orb itself, armed with advanced cameras and sensors that not only scanned irises but took high-resolution images of “users’ body, face, and eyes, including users’ irises,” according to the company’s descriptions in a blog post. Additionally, its data consent form notes that the company also conduct “contactless doppler radar detection of your heartbeat, breathing, and other vital signs.” In response to our questions, Worldcoin said it never implemented vital sign detection techniques, and that it will remove this language from its data consent form. (As of press time, the language remains.)

...But of the people we interviewed, none were explicitly told—or, in the case of orb operators, told others—that they were “test users,” that photographs and videos of their faces, and 3D body maps were captured and being used to train the orb’s “anti-fraud algorithm” to “differentiate between people,” that their data was treated differently from the way others’ would be handled later, or that they could ask for their data to be deleted.

...Pete Howson, a senior lecturer at Northumbria University who researches cryptocurrency in international development, categorizes Worldcoin’s actions as a sort of crypto-colonialism, where “blockchain and cryptocurrency experiments are being imposed on vulnerable communities essentially because…these people can’t push back,” he told MIT Technology Review in an email.

...Speaking to Blania clarified something we had struggled to make sense of: how a company could speak so passionately about its privacy-protecting protocols while clearly violating the privacy of so many. Our interview helped us see that, for Worldcoin, these legions of test users were not, for the most part, its intended end users. Rather, their eyes, bodies, and very patterns of life were simply grist for Worldcoin’s neural networks. The lower-level orb operators, meanwhile, were paid pennies to feed the algorithm, often grappling privately with their own moral qualms. The massive effort to teach Worldcoin’s AI to recognize who or what was human was, ironically, dehumanizing to those involved.

4/6/22

Although the company told Motherboard it has not sold the product to the U.S. government at this time, the news highlights the scale and reach of car-tracking technology, and the fact that car location data is of interest not just to insurance companies and the finance sector, but to government contractors who explicitly say they want to source the data for intelligence and surveillance purposes.

..."Vehicle telematics is data transmitted from the vehicle to the automaker or OEM through embedded communications systems in the car," the Ulysses document continues. "Among the thousands of other data points, vehicle location data is transmitted on a constant and near real time basis while the vehicle is operating."

...With a consumer using a GPS navigation tool, for instance, "The OEM will have first dibs to the data, because they made the car and have access to the telematics," Andrea Amico, the founder of Privacy4Cars, which, among other things, sells tools to help dealerships remove data from vehicles, told Motherboard in a phone call. "But the company that provides the map itself, for instance, would have access to it; the company that provides the infotainment system may have access to it; the company that provides the traffic data may have access to it; the company that provides the parking data may have access to it. Right there and then you've got five companies that are getting your location."

...The role of data that cars collect and who has access to it was a flashpoint in the November elections in Massachusetts. A "right to repair" ballot measure there sought to give independent manufacturers and owners greater ability to access repair information on vehicles; car manufacturers spent $25 million lobbying against it, claiming that passing the law would also give access to telematics data collected by various sensors. Manufacturers said this data was highly sensitive, and that wider access to it could be used by "sexual predators" to stalk innocent people (there was no specific provision in the measure that allowed this, and the measure overwhelmingly passed). Meanwhile, car companies are sharing this type of data with third-parties themselves.

3/17/21