America's Bureau of Alcohol, Tobacco, Firearms and Explosives has "canceled its contract for a surveillance tool that enables warrantless tracking of mobile devices," reports the Associated Press.

They note the move comes "after lawmakers, a prosecutor and a judge raised concerns about the legality of the tool in criminal investigations." ATF, the federal agency responsible for enforcing the nation's gun laws, told The Associated Press that it discontinued what it called a "pilot" program using a tool called Webloc after Rep. Michael Cloud, a Republican from Texas, and Sen. Ron Wyden, a Democrat from Oregon, expressed reservations about the agency's use of bulk commercial location data. Webloc, which is made by a vendor called Penlink, sources data from consumer apps and advertising networks, which collect the location of mobile devices from consumers who download apps or browse the web...

The U.S. Supreme Court ruled in 2018 that police needed a warrant to obtain historic movement data from cellphone companies on a criminal suspect. But it has never addressed the growing practice of commercially acquired data.

Other users of Webloc include the U.S. military and U.S. Immigration and Customs Enforcement but also local law enforcement agencies such as police in places like Elk Grove, Calif. and Durham, N.C. The technology has also expanded around the world, with the national police in El Salvador and Hungarian intelligence agencies as customers, according to a report from earlier this year from Citizen Lab, a group of researchers at the University of Toronto who investigate digital threats to civil society.
The article notes that other U.S. law enforcement agencies continue to buy commercial geolocation data, "including the FBI and the Department of Homeland Security."

Jack Nekhala had a business selling on Amazon — and in December he received an unusual offer, reports Bloomberg. A woman said she could bribe an Amazon employee "to help him retrieve $90,000 in funds that the e-commerce giant had frozen after suspending him over an alleged violation of review policy." Hoping to ingratiate himself with the company and restart his business, Nekhala offered to provide evidence, including recorded conversations and screen shots, that he said proved Amazon personnel were peddling inside information and influence. The smoking gun, Nekhala told the representative: information about his seller account. Only certain Amazon employees are supposed to have access to such details, but Nekhala had received them from the woman on WeChat, the Chinese messaging app. Nekhala's experience, which he documented and shared with Bloomberg, provides a rare glimpse into an international black market that has been a persistent scourge of Amazon's online store. On one side are sellers looking for a variety of favors: a competitive edge over their rivals, information on how to boost sales, a way to get themselves unsuspended. On the other are middlemen who lurk on message apps like Telegram, WeChat and WhatsApp offering access to people inside Amazon who can get things done for a price...

It's impossible to determine the scope of the illicit activity, but it's an open secret among Amazon sellers and consultants, who are frequently approached on social-media platforms and messaging apps. "The message is always the same: 'I'm going to show you screenshots to prove I have inside access,'" said Chris McCabe, a former Amazon employee who runs a seller consulting firm... In 2020, federal prosecutors exposed an international bribery scheme involving Amazon sellers and employees. The ring allegedly extracted about $100 million in unfair advantages by bribing Amazon employees in Asia to help them sell more products and sabotage their competitors. Five people in the US were convicted and received jail terms or probation. Last year, law enforcement officials in India began investigating more than 20 former Amazon employees suspected of accepting bribes from trucking companies in exchange for routes, according to The Times of India.

After Nekhala reported his own experience to Amazon, the representative committed to "do some digging" and to email him instructions on how his evidence could be shared, according to a recording of the conversation. But Nekhala said he never heard back. The employee who leaked his personal information had already been fired for unrelated misconduct, according to Amazon.
Amazon told Bloomberg employee involvement was "very rare," and that "We invest heavily in this area and have dedicated teams and systems in place to prevent all types of fraud, including by our own employees."

The Los Angeles Police Department says about 1,500 police agencies across America have drone programs, reports SFGate, and 58 of those drone-using police agencies are in California.

The Sacramento County sheriff's office recently posted drone footage on Instagram set to theme from "Mission: Impossible," claiming "a nationwide first" where their drone successfully disarmed a felon "seen earlier with a firearm" (though now not moving, but holding a knife while lying face down in a garage). In the video the "not responding" suspect continues not moving as the drone dangles a magnet which catches on the knife. The drone then pulls multiple times until it comes out of the unmoving suspect's hand. The sheriff's office says their footage shows their drone "disarm an armed suspect, helping bring the incident to a safe resolution," in their post on Instagram, "rather than rush into a potentially deadly encounter..." Was he pretending to be dead or simply lying in wait for deputies to approach...?

It's also worth noting that our drones are labeled as "military equipment" (even though anyone can purchase them at their local Walmart), but are really just another piece of technology helping deputies resolve dangerous situations safely. Their use protects both law enforcement personnel and suspects.
SFGate offers more reports from around California: In Yucaipa, officials launched a Drone as First Responder (DFR) pilot program on May 28, the San Bernardino County Sheriff's Department announced this month. According to the release, drones have already been used to respond to over 100 calls for service, arriving before deputies for 71% of them. "The drones also contributed to 12 arrests, assisted in locating persons of interest on 37 occasions, and provided aerial overwatch during 44 incidents," it continues, though details on how they assisted the police are unclear. The drones, manufactured by Skydio, were also used to locate a young person experiencing a mental health crisis and another person launching illegal fireworks.

"The US government has allowed Anthropic to release its powerful Mythos AI model to select companies and organizations," reports CNN, "revising license requirements after ordering an export block earlier this month in the wake of national security fears." Since the export ban earlier in June, "Anthropic has worked with the US government to address risks associated with the Covered Models," Commerce Secretary Howard Lutnick wrote to the company in a letter dated Friday. In light of progress in that work, Lutnick wrote, "I have determined that appropriate safeguards are in place to permit certain trusted partners to access the Claude Mythos 5 Model."

The letter does not include permission for Anthropic to release Fable, a less powerful version of Mythos. "We received notice from the US government that Mythos 5, our strongest cybersecurity model, can be redeployed to a small group of cyber defenders and infrastructure providers," Anthropic said in a statement...

Conversations between Anthropic and the government are expected to continue into the weekend, with an eye to restoring access to Fable, as well, a source familiar with the discussions told CNN.

Longtime Slashdot reader schwit1 shares a report from autoevolution: The U.S. Department of Commerce's Bureau of Industry and Security denied Polestar an authorization under the Connected Vehicle Rule. Polestar will continue to sell its existing inventory of Polestar 3 and 4 crossovers in the United States and will continue to offer support to customers and access to its service network. But no new 2027 models will set wheels on American soil.

The Connected Vehicle Rule is a regulation that restricts the import and sale of vehicles equipped with Vehicle Connectivity Systems (VCS) and Automated Driving Systems (ADS) tied to foreign adversaries, primarily from China and Russia. Polestar is owned by Chinese auto giant Geely, which has also been the parent company of Swedish brand Volvo since 2010. However, Volvo has recently been granted authorization to sell connected vehicles in the United States.

The rule, set out by the Bureau of Industry and Security (BIS), classifies modern vehicles as mobile data centers and is designed to protect national security by keeping sensitive driver data and vehicle control systems out of the hands of foreign governments. Michael Lohscheller, Polestar CEO, confirms that the company is well aware that the automotive industry is entering a new phase, based on regional dynamics. So, Polestar will shift its strategy to its biggest market as it is preparing its exit from the U.S. market. The report notes that Polestar sold 5,384 cars in the U.S. in 2025, with 60,119 units sold globally.

The Trump administration has reportedly asked OpenAI to stagger the release of GPT-5.6 over security concerns. The model will initially be offered to a small group of partners, with the government "approving access customer by customer during this preview period," reports The Information. The request came from conversations with the Office of the National Cyber Director and the Office of Science and Technology Policy, the report said.

BrianFagioli writes: The Linux Foundation has announced Akrites, a new initiative to coordinate vulnerability disclosure and remediation for critical open source software as AI dramatically speeds up vulnerability discovery. Founding members include AWS, Google, Microsoft, OpenAI, Red Hat, NVIDIA, IBM, Cisco, JPMorganChase, and others. Akrites will provide a shared Security Incident Response Team (SIRT), a standardized coordinated vulnerability disclosure process, and act as a "maintainer of last resort" for abandoned but widely used packages.

The goal is to reduce duplicate reports, avoid conflicting patches, and help upstream maintainers address vulnerabilities before they can be exploited. As AI makes it easier to find security flaws, can a coordinated industry effort help protect open source, or does it risk giving large corporations too much influence over the ecosystem? "Akrites is the largest coordinated effort in history to create systems and deploy tooling that leverages the collective power of the community to make everyone safer," the Linux Foundation said in an open letter. "Akrites participants will contribute engineering resources; work to build and ship fixes; or fund the engineers who do. Some companies have contributed mightily already. The reality is, collectively, we need to contribute more."

LastPass says hackers stole customers' personal information, support case records, and sales data by breaching market research partner Klue. The password manager told TechCrunch that its own systems and password vaults were unaffected. However, the hackers used their access to obtain "reams of data about LastPass customers," the report says. From the report: In a blog post that shared information about the incident, LastPass said the hackers took customers' names, phone numbers, email addresses, and physical addresses, as well as customer support case data and sales-related data. It's not yet known what was in the contents of customer support tickets, although they likely contain fragments of potentially private or sensitive information. Customers typically contact customer service when they are having a billing issue or need assistance in gaining access to their accounts. Past incidents involving customer support tickets have included credentials and government-issued identity documents. The last data breach LastPass reported was in 2022, when hackers stole the company's entire store of customer password vaults.

An anonymous reader quotes a report from Ars Technica: Anthropic has accused the Chinese firm Alibaba of launching the largest attack yet attempting to clone Claude, as China races to match the capabilities of Anthropic's leading model following Mythos' release and subsequent restriction from foreign markets. Ars obtained a June 10 letter sent to Senators Tim Scott (R-S.C.) and Elizabeth Warren (D-Mass.) one day ahead of a Senate committee hearing on "AI and the American Dream." In the letter, Anthropic shared "new, confidential evidence of the largest campaign to illicitly extract Claude's capabilities we have ever measured."

The attacks occurred between April 22 and June 5, when "operators afliated with Alibaba and Alibaba Qwen, Alibaba's AI lab" allegedly generated "more than 28.8 million exchanges with Claude through almost 25,000 fraudulent accounts," Anthropic said. Violating Claude's terms of service and access restrictions, this campaign "targeted some of Claude's most valuable capabilities, such as agentic reasoning, software engineering, and long-horizon tasks." According to Anthropic, Alibaba evaded detection by "using obfuscation techniques and proxy networks." As Chinese demand for reliable obfuscation techniques increases, Anthropic warned there's already "a growing circumvention economy" to fuel an ever-expanding web of future distillation attacks. [...]

"Alibaba is governed by an independent board, none of whom has any military affiliation," Alibaba said. "Its products and services are built for retail, logistics, and enterprise information technology -- not weapons, defense, or intelligence." Anthropic appears unconvinced, however, that Alibaba isn't working with the Chinese government. In the letter, Anthropic warned that without stronger interventions, these distillation attacks will "help China reach Mythos Preview-level capabilities sooner."

To keep the US ahead of China, Anthropic recommended that Congress pass legislation with three objectives. First, antitrust laws must be updated to allow AI firms to share information about evolving Chinese tactics to deter more threats. Second, the US needs more export controls on chips to hamstring Chinese access to advanced compute so that they simply can't train on US model outputs. That could make conducting distillation attacks pointless, Anthropic suggested. Finally, Congress should pass laws penalizing Chinese labs' "bad behavior" so that it's "more difficult and costly" to rely on distillation attacks to advance Chinese models. Penalties could include limiting Chinese firms from accessing US models or advanced US chips or from relying on data centers outside of China, Anthropic suggested.

An anonymous reader quotes a report from Ars Technica: Google spent the last few years locked in a legal grudge match with Epic Games, which claimed that Google's stewardship of the Play Store was anticompetitive. Now, the companies are thick as thieves, and Google is beginning to implement app store changes as agreed in its settlement with Epic. The lower developer fees and new payment options that Google promised are rolling out in select markets this month before expanding. [...] Starting on June 30, developers in Europe, the UK, and the US will have access to the new fee structure. This system will split the commission into two components: billing and service fees.

The biggest win for small developers is the new flat 10 percent service fee for the first $1 million in earnings every year. Above that, the rate for various transaction types may reach 25 percent on existing installs. Apps installed after June 30 will top out at 20 percent. Developers will finally be allowed to send users outside the Play Store to complete a transaction, too. Google says they can design a choice screen "in accordance with our UX guidelines" to direct users to these external options. Devs pay the standard service fee on these purchases, but they'll avoid the billing fee. All transactions that run through Google's Play Store platform add a 5 percent billing fee -- even the base rate for publishers earning less than $1 million. Google notes that the billing fee is set at 5 percent in the initial markets, but it could be different in other regions. Google will expand the new fee structure globally through September 2027, while also offering reduced fees through updated developer programs.

Although the changes may let developers retain more revenue, Google will continue controlling Android distribution and collecting a share of sales as it works toward allowing certified third-party app stores to operate more like the Play Store.

Meta has paused its Model Compatibility Initiative that tracked employee mouse movements, clicks, keystrokes, and screen content to train AI agents, after some of its collected data became accessible to more employees than intended. Meta says it has no evidence the information was improperly accessed and will not restart the program until it is confident in its safeguards. Wired reports: Meta rolled out the Model Compatibility Initiative (MCI) tool in April to US employees. The tool "collects computer inputs such as mouse movements, click locations and keystrokes, as well as screen content," according to workers who have been petitioning against it over privacy, security, and personal liberty concerns. When MCI launched, employees couldn't opt out, but that changed to a limited degree after workers protested. Meta executives have repeatedly defended the data-gathering project, saying it was necessary to train AI systems to operate computer software the way humans do and that employees were the best examples for the artificial intelligence to learn from.

On Monday, a Meta engineer issued an internal security notice stating that databases filled with information gathered by MCI had been exposed to anyone inside the company. A former employee actively involved in pushing back against MCI describes the lapse as "a mess" -- and one that employees had expected would occur. "When workers raised concerns, leadership doubled down and failed to acknowledge the risks workers raised about the safety and privacy of worker and customer data," the person says. "Leadership has clearly created an authoritarian environment where workers are no longer respected or heard."

But after critical comments poured into internal forums on Monday expressing frustration about the security issue, Meta shocked some of its staff by pausing MCI altogether, telling WIRED about the development several hours before announcing it to employees. A few workers told WIRED they were confused in the meantime because the tool was continuing to run on their laptops. Late on Monday, Stephane Kasriel, a Meta vice president overseeing AI research, announced the pause and told staff that the security issue had been discovered on June 18 and addressed within four hours. But the initial fix didn't stick and access to the data had to be further locked down. The issue made "some MCI-derived data" accessible to more people than intended, he wrote, without elaborating.

A 29-year-old bug in the Squid web proxy, dubbed Squidbleed and tracked as CVE-2026-47729, can let an authorized proxy user retrieve fragments of another user's cleartext HTTP requests, including credentials and session tokens. The security researcher who reported the flaw credited Anthropic's Claude Mythos Preview for the discovery. The Hacker News reports: Squid describes this as an attack by a trusted client: someone already permitted to use the proxy, not any random host on the internet. That matches Squid's usual home, shared networks like schools, offices, and public Wi-Fi. In those setups, the attacker is just another user of the same proxy. The leak also only reaches traffic that Squid can read. Normal HTTPS rides an opaque CONNECT tunnel, so Squid never sees inside it; the exposed traffic is cleartext HTTP, plus TLS-terminating setups where Squid decrypts and inspects. The attacker also needs the proxy to reach an FTP server they control on port 21. Both FTP and that port are on by default.

[...] If you patch, verify the fix, not just the version. Confirm the guard is in FtpGateway.cc, or check your distribution's backport, since distros ship their own builds (Debian packages Squid 5.7). The public thread is still inconsistent: maintainer Amos Jeffries first said Squid 7.6 carried the fix, then corrected that to 7.7, and on June 22 Debian's Salvatore Bonaccorso noted the referenced commit looks like it is already in 7.6. The fix is small, a null-terminator check before the vulnerable strchr calls, merged to the development branch in April and v7 in May. Squid 7.6 does separately patch CVE-2026-50012, an unrelated cache_digest heap overflow.

The cleaner move is the one the researchers recommend anyway: turn FTP off. Chromium dropped FTP years ago, and most networks carry almost none of it, so disabling it removes this attack surface for free, whatever build you run. The risk is real but bounded. SUSE rates it moderate, CVSS 6.5, and the vector explains the score: the attacker needs proxy access (low privileges), and the only impact is confidentiality, nothing on integrity or availability.

Garfield AI, the UK's first regulator-approved AI law firm, has won its first court case after helping a freelancer recover 7,000 pounds in unpaid fees. "I was owed money for work I had done, but it felt like the process of recovering it could be too stressful, expensive and time-consuming," said Tamires Camal Taquidir, a freelancer who had provided HR-related services to a hospitality business. "Garfield made it possible for me to pursue the claim and keep going. When the counterclaim was brought, it was intended to intimidate me, but I knew I had accessible, cost-effective and competent support. I'm delighted by the result." Computer Weekly reports: After attempting to resolve a dispute over paid fees without court action, Camal Taquidir [...] used Garfield AI to help her pursue the case in court. She was able to generate pre-action correspondence, and then prepare and issue court proceedings. The AI legal assistant conducted all of the legal work preceding the court trial. The defendant instructed solicitors and brought a counterclaim, which the claimant disputed with the support of Garfield AI.

The claimant continued to trial, including dealing with document production, the preparation witness statements and trial bundles. Garfield then instructed a junior, shortly before the trial began. She won the claim over unpaid fees following a three-hour trial at Wandsworth County Court. The claimant paid around 400 pounds in Garfield AI fees to recover the 7,000 pounds owed, while the defendant instructed both a solicitor and a barrister. [...] Following a three-hour trial at Wandsworth County Court on 14 May 2026, in which both sides were represented by barristers, the court found in favor of the claimant, awarding 7,000 pounds and dismissing the counterclaim.

America's state prison systems need ways "to keep people from returning to prison," reports the Wall Street Journal, "when an estimated 40% end up back behind bars within three years." Part of the problem comes in the form of filing cabinets, manila folders and legacy digital databases. In other words, records for a single prisoner might be kept in a dozen places... Now a group of 19 prison systems are tackling the problem with digital tools and artificial intelligence in some cases. They are contracting with San Francisco nonprofit Recidiviz, whose computer systems bring together prisoner data from its disparate sources into digital dashboards. From there, corrections staff can see information — such as court records and notes from parole-board hearings — about a prisoner or parolee all in one place.

The company says its efforts are working: Recidivism has fallen 16% in the prison population its systems track. It is the result of "just streamlining these workflows and knitting someone's journey together end to end," says Clementine Jacoby, chief executive officer of Recidiviz. Some criminal-justice groups show that recidivism is trending downward in general, though most of that data is nearly a decade old... The statistics from 11 states stop at 2019, and for four states stop at 2016. With 10 other states, no data was reported.

PC Gamer reports: The UK government is considering an Australia-style ban on social media for under-16s, with Prime Minister Keir Starmer saying that the ban could take effect as soon as spring next year. As for the much nearer future, Science and Technology Secretary Liz Kendall told BBC Breakfast earlier this week, "We will make further statements in July about VPNs and further restrictions."

To be clear, no specific restrictions have yet been announced and Kendall sounded somewhat cautious about an outright ban during a parliament debate that took place the same day. "I have commissioned further research about their usage. There are really important issues to balance here," she says. "Many people want to use VPNs for privacy — that is important — but we know that some children use them to get around restrictions. I will come back to that in July in our response to the consultation." So, we'll have to wait until next month for anything definite, but it's hard not to feel like a full ban on VPNs is already on the table. If that does come to pass, more than the contents of my Bluesky inbox will be at stake.

Utah in the US has already tried to implement a full VPN ban (though this was postponed until September after Aylo, the parent company of Pornhub, challenged the law in court)... [T]he UK could just be the next domino after Utah, potentially setting off a chain reaction that affects users around the world.
The article also argues that age checks can also be a privacy nightmare "with the security breach that exposed the personal info of 70,000 Discord users last year being one case in point."

Here's the complete statement from UK Technology Secretary Kendall. "I'll come back in July with a further statement around VPNs but also additional measures that we want to look at, further restrictions on AI chatbots that parents have found very worrying, more about overnight curfews or breaks in doomscrolling for 16- and 17-year-olds."