The Courts

Lawsuit Claims Microsoft Tracked Sex Toy Shoppers With 'Recording In Real Time' Software (404media.co)

Samantha Cole reports via 404 Media: A woman is suing Microsoft and two major U.S. sex toy retailers with claims that their websites are tracking users without their consent, despite promising they wouldn't do that. In a complaint (PDF) filed on June 25 in the Northern District of California, San Francisco resident Stella Tatola claims that Babeland and Good Vibrations -- both owned by Barnaby Ltd., LLC -- allowed Microsoft to see what visitors to their websites searched for and bought.

"Unbeknownst to Plaintiff and other Barnaby website users, and constituting the ultimate violation of privacy, Barnaby allows an undisclosed third-party, Microsoft, to intercept, read, and utilize for commercial gain consumers' private information about their sexual practices and preferences, gleaned from their activity on Barnaby's websites," the complaint states. "This information includes but is not limited to product searches and purchase initiations, as well as the consumer's unique Microsoft identifier." The complaint claims that Good Vibrations and Babeland sites have installed trackers using Microsoft's Clarity software, which does "recording in real time," and tracks users' mouse movements, clicks or taps, scrolls, and site navigation. Microsoft says on the Clarity site that it "processes a massive amount of anonymous data around user behavior to gain insights and improve machine learning models that power many of our products and services."

"By allowing undisclosed third party Microsoft to eavesdrop and intercept users' PPSI in such a manner -- including their sexual orientation, preferences, and desires, among other highly sensitive, protected information -- Barnaby violates its Privacy Policies, which state it will never share such information with third parties," the complaint states. The complaint includes screenshots of code from the sexual health sites that claims to show them using Machine Unique Identifier ("MUID") cookies that "identifies unique web browsers visiting Microsoft sites," according to Microsoft, and are used for "advertising, site analytics, and other operational purposes." The complaint claims that this violates the California Invasion of Privacy Act, the Federal Wiretap Act, and Californians' reasonable expectation of privacy.

Books

Appeals Court Seems Lost On How Internet Archive Harms Publishers (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: The Internet Archive (IA) went before a three-judge panel Friday to defend its open library's controlled digital lending (CDL) practices after book publishers last year won a lawsuit claiming that the archive's lending violated copyright law. In the weeks ahead of IA's efforts to appeal that ruling, IA was forced to remove 500,000 books from its collection, shocking users. In an open letter to publishers, more than 30,000 readers, researchers, and authors begged for access to the books to be restored in the open library, claiming the takedowns dealt "a serious blow to lower-income families, people with disabilities, rural communities, and LGBTQ+ people, among many others," who may not have access to a local library or feel "safe accessing the information they need in public."

During a press briefing following arguments in court Friday, IA founder Brewster Kahle said that "those voices weren't being heard." Judges appeared primarily focused on understanding how IA's digital lending potentially hurts publishers' profits in the ebook licensing market, rather than on how publishers' costly ebook licensing potentially harms readers. However, lawyers representing IA -- Joseph C. Gratz, from the law firm Morrison Foerster, and Corynne McSherry, from the nonprofit Electronic Frontier Foundation -- confirmed that judges were highly engaged by IA's defense. Arguments that were initially scheduled to last only 20 minutes stretched on instead for an hour and a half. Ultimately, judges decided not to rule from the bench, with a decision expected in the coming months or potentially next year. McSherry said the judges' engagement showed that the judges "get it" and won't make the decision without careful consideration of both sides.

"They understand this is an important decision," McSherry said. "They understand that there are real consequences here for real people. And they are taking their job very, very seriously. And I think that's the best that we can hope for, really." On the other side, the Association of American Publishers (AAP), the trade organization behind the lawsuit, provided little insight into how the day went. When reached for comment, AAP simply said, "We thought it was a strong day in court, and we look forward to the opinion." [...] "There is no deadline for them to make a decision," Gratz said, but it "probably won't happen until early fall" at the earliest. After that, whichever side loses will have an opportunity to appeal the case, which has already stretched on for four years, to the Supreme Court. Since neither side seems prepared to back down, the Supreme Court eventually weighing in seems inevitable.

Crime

Nearly 4,000 Arrested In Global Police Crackdown On Online Scam Networks (therecord.media)

According to Interpol, nearly 4,000 people around the world have been arrested for a variety of online crimes, with $257 million in assets seized. The Record reports: The operation, dubbed First Light, was conducted by police officers from 61 countries and targeted phishing, investment fraud, fake online shopping sites, romance scams, and impersonation scams, according to a statement by Interpol. In addition to arresting thousands of potential cybercriminals, the police also identified over 14,600 other possible suspects across all continents.

During the searches, law enforcement seized suspects' real estate, high-end vehicles, expensive jewelry, and many other high-value items and collections. They also froze 6,745 bank accounts used for transferring money obtained through illegal operations. In one case, the police intercepted $331,000 gleaned from a business email compromise fraud involving a Spanish victim who unknowingly transferred money to someone in Hong Kong. In another case, authorities in Australia successfully recovered $3.7 million on behalf of an impersonation scam victim after the funds were fraudulently transferred to bank accounts in Malaysia and Hong Kong.

The criminal networks identified during the operation were spread around the globe. In Namibia, for example, the police rescued 88 local youths who were forced into conducting scams as part of a sophisticated international crime network, according to Interpol. Law enforcement from Singapore, Hong Kong, and China prevented an attempted tech support scam, saving a 70-year-old victim from losing $281,200 worth of savings.

The Courts

Supreme Court Ruling Kneecaps Federal Regulators (theverge.com)

The Supreme Court on Friday overturned a long-standing legal doctrine in the US, making a transformative ruling that could hamper federal agencies' ability to regulate all kinds of industry. The Verge adds: Six Republican-appointed justices voted to overturn the doctrine, called Chevron deference, a decision that could affect everything from pollution limits to consumer protections in the US.

Chevron deference allows courts to defer to federal agencies when there are disputes over how to interpret ambiguous language in legislation passed by Congress. That's supposed to lead to more informed decisions by leaning on expertise within those agencies. By overturning the Chevron doctrine, the conservative-dominated SCOTUS decided that judges ought to make the call instead of agency experts.

The Courts

SEC Sues ConsenSys (coindesk.com)

The SEC sued Ethereum software provider ConsenSys over its MetaMask service on Friday, alleging the wallet product was an unregistered broker that "engaged in the offer and sale of securities." From a report: MetaMask also offered an unregistered securities program through its staking service, the SEC alleged in a filing in the courthouse in the Eastern District of New York. The SEC alleged in its lawsuit that it offered staking services for Lido and Rocket Pool as investment contracts, meaning they are also unregistered securities. "Consensys has collected over $250 million in fees," the SEC alleged. You can read the full lawsuit here [PDF].

Privacy

Amazon Is Investigating Perplexity Over Claims of Scraping Abuse (wired.com)

Amazon's cloud arm is investigating Perplexity AI for potential violations of its web services rules, the e-commerce giant told Wired. The startup, backed by Jeff Bezos' family fund and Nvidia, allegedly scraped websites that had explicitly forbidden such access.

Earlier this month, WIRED uncovered evidence of Perplexity using an unmarked IP address to bypass restrictions on major news sites. The company's CEO, Aravind Srinivas, claimed a third-party contractor was responsible but declined to name them.

Microsoft

Microsoft Informs Customers that Russian Hackers Spied on Emails

Russian hackers who broke into Microsoft's systems and spied on staff inboxes earlier this year also stole emails from its customers, the tech giant said on Thursday, around six months after it first disclosed the intrusion. Reuters: The disclosure underscores the breadth of the breach as Microsoft faces increasing regulatory scrutiny over the security of its software and systems against foreign threats. An allegedly Chinese hacking group that separately breached Microsoft last year stole thousands of U.S. government emails. Microsoft said it was also sharing the compromised emails with its customers, but did not say how many customers had been impacted, nor how many emails may have been stolen.

The Courts

The Nation's Oldest Nonprofit Newsroom Is Suing OpenAI and Microsoft (engadget.com)

The Center for Investigative Reporting (CIR), the nation's oldest nonprofit newsroom, sued OpenAI and Microsoft in federal court on Thursday for allegedly using its content to train AI models without consent or compensation. CIR, founded in 1977 in San Francisco, evolved into a multi-platform newsroom with its flagship distribution platform Reveal. In February, it merged with Mother Jones.

"OpenAI and Microsoft started vacuuming up our stories to make their product more powerful, but they never asked for permission or offered compensation, unlike other organizations that license our material," said Monika Bauerlein, CEO of the Center for Investigative Reporting, in a statement. "This free rider behavior is not only unfair, it is a violation of copyright. The work of journalists, at CIR and everywhere, is valuable, and OpenAI and Microsoft know it." Bauerlein said that OpenAI and Microsoft treat the work of nonprofit and independent publishers "as free raw material for their products," and added that such moves by generative AI companies hurt the public's access to truthful information in a "disappearing news landscape." Engadget reports: The CIR's lawsuit, which was filed in Manhattan's federal court, accuses OpenAI and Microsoft, which owns nearly half of the company, of violating the Copyright Act and the Digital Millennium Copyright Act multiple times.

News organizations find themselves at an inflection point with generative AI. While the CIR is joining publishers like The New York Times, New York Daily News, The Intercept, AlterNet and Chicago Tribune in suing OpenAI, other publishers have chosen to strike licensing deals with the company. These deals will allow OpenAI to train its models on archives and ongoing content published by these publishers and cite information from them in responses offered by ChatGPT.

Privacy

Microsoft Blamed For Million-Plus Patient Record Theft At US Hospital Giant (theregister.com)

Brandon Vigliarolo reports via The Register: American healthcare provider Geisinger fears highly personal data on more than a million of its patients has been stolen -- and claimed a former employee at a Microsoft subsidiary is the likely culprit. Geisinger on Monday announced the results of a probe into a November computer security breach, placing the blame on Microsoft-owned Nuance Communications for not cutting off one of its employees' access to corporate files after that person was fired. The Pennsylvania-based healthcare giant uses Nuance as an IT provider. We're told that after the Microsoft-owned entity terminated one of its workers, that staffer two days later may have accessed and taken copies of sensitive records on a huge number of Geisinger patients -- for reasons as yet unknown.

Geisinger -- which says it operates 13 hospitals and has more than 600,000 members -- said it discovered the improper access on November 29, informed Nuance, and the IT supplier immediately cut off the former employee from the healthcare group's data before involving police. "Because it could have impeded their investigation, law enforcement investigators asked Nuance to delay notifying patients of this incident until now," Geisinger claimed, explaining why only now this is coming to light. "The former Nuance employee has been arrested and is facing federal charges." It's not immediately clear if or what charges have been laid -- we've asked Geisinger for details.

Speech recognition firm Nuance performed its own probe, according to Geisinger, and determined that the former employee may have stolen information on a million-plus people. That info would include birth dates, addresses, hospital admission and discharge records, demographic information, and other medical data. The ex-employee didn't swipe insurance or other financial information, the multi-billion-dollar healthcare group stated. "We continue to work closely with the authorities on this investigation, and while I am grateful that the perpetrator was caught and is now facing federal charges," Geisinger chief privacy officer Jonathan Friesen alleged, adding: "I am sorry that this happened."

Patents

Microsoft's Canceled Xbox Cloud Console Gets Detailed In New Patent (windowscentral.com)

Microsoft's canceled Xbox cloud console, codenamed Keystone, has been detailed in a new patent spotted by Windows Central's Zac Bowden. From the report: Back in 2021, Microsoft announced that it was working on a dedicated streaming device for Xbox Game Pass. That device was later revealed to be codenamed Keystone, which took the form of a streaming box that would sit under your TV, cost a fraction of the price of a normal Xbox, and enable the ability to play Xbox games via the cloud. Unfortunately, it appears Microsoft has since scrapped plans to ship Xbox Keystone due to an inability to bring the price down to a level where it made sense for customers. Xbox CEO Phil Spencer is on record saying the device should have cost around $99 or $129, but the company was unable to achieve this.

Thanks to a patent discovered by Windows Central, we can finally take a closer look at the box Microsoft had conjured up internally. First up, the patent reveals that the console took the form of an even square with a circle shape on top, similar to the black circular vent on an Xbox Series S. The front of the box had the Xbox power button and a USB-A port. Around the back, there were three additional ports: HDMI, ethernet, and power. On the right side of the console there appears to be an Xbox controller pairing button, and the underside featured a circular "Hello from Seattle" plate that the console sat on, similar to the Xbox Series X. This patent was filed in June 2022, which was around the time when the first details of Xbox Keystone were being revealed.

Apple

Apple Expands Self-Service Repair Diagnostics To Europe

Apple has extended its self-service repair diagnostics tool to 32 European countries, including the UK, France, and Germany. The software, previously limited to technicians, allows customers to perform system configuration after self-repairs on iPhones, Macs, and Studio Displays.

Launched in the U.S. last year, the tool is part of Apple's Self Service Repair program, which provides access to genuine parts, tools, and manuals for select models. The expansion supports 42 Apple products in 33 countries and 24 languages, furthering the company's efforts to extend product lifespan.

The Courts

Mozilla's CPO Sues Over Discrimination Post-Cancer Diagnosis (theregister.com)

Thomas Claburn reports via The Register: Mozilla Corporation was sued this month in the US, along with three of its executives, for alleged disability discrimination and retaliation against Chief Product Officer Steve Teixeira. Teixeira, according to a complaint filed in King County Superior Court in the State of Washington, had been tapped to become CEO when he was diagnosed with ocular melanoma on October 3, 2023. Teixeira then took medical leave for cancer treatment from October 30, 2023, through February 1, 2024. "Immediately, upon his return, Mozilla campaigned to demote or terminate Mr Teixeira citing groundless concerns and assumptions about his capabilities as an individual living with cancer," the complaint [PDF] says. "Interim Chief Executive Officer Laura Chambers and Chief People Officer Dani Chehak were clear with Mr Teixeira: He could not continue as Chief Product Officer -- and could not continue as a Mozilla employee in any capacity beyond 2024 -- because of his diagnosis."

Chambers and Chehak are both named in the complaint, along with Mitchell Baker, the former CEO of Mozilla who stepped down in February and announced Chambers as her successor. "Mr Teixeira was enthusiastic to resume his critical role after treatment, but Mozilla would not tolerate an executive with cancer," said Amy Kangas Alexander, an attorney with law firm Stokes Lawrence who is representing the plaintiff, in an email to The Register. "When Mr Teixeira refused to be marginalized because of his disability, Mozilla retaliated and placed him on leave against his will. Mozilla has sidelined Mr Teixeira at the very moment he needs to be preparing his family for the possibility of a future without him."

The complaint claims that Teixeira, appointed in August 2022, helped reverse the decade-long decline of Firefox, which generates about 90 percent of Mozilla's revenue and is the company's only profitable product. He's further credited with growing Mozilla's advertising business and AI capabilities, and with reducing investment in the money-losing Pocket service. These and other successes, it's alleged, led to a conversation in September 2023 in which Baker outlined a plan for Teixeira to become CEO. Then he took medical leave and, before he could return, the complaint says, Chambers was appointed interim CEO and Baker was removed, becoming Executive Chair of the Board of Directors. [...]

A Mozilla spokesperson said in a statement: "We are aware of the lawsuit filed against Mozilla. We deny the allegations and intend to vigorously defend against this lawsuit. Mozilla has a 25-plus-year track record of maintaining the highest standards of integrity and compliance with all applicable laws. We look forward to presenting our defense in court and are confident that the facts will demonstrate that we have acted appropriately. As this is an ongoing legal matter, we will not be providing further comments at this time."

Crime

Man Flies To Florida To Attack Another Player Over an Online Gaming Dispute (apnews.com)

An anonymous reader quotes a report from the Associated Press: An online gaming dispute made its way to the real world when a New Jersey man flew to Florida to attack another player with a hammer, authorities said. Edward Kang, 20, is charged with attempted second-degree murder and armed burglary with a mask, according to Nassau County court records. He was arrested early Sunday morning. Kang and the victim, another young man around the same age as Kang, had never met in real life, but they both played ArcheAge, a medieval fantasy massively multiplayer online role-playing game. The game's publisher announced in April that it would be shutting down servers in Europe and North America on June 27, citing a declining number of active players.

Kang flew from Newark, New Jersey, to Jacksonville, Florida, last Thursday after telling his mother that he was going to visit a friend that he had met while playing a video game, officials said. Officials didn't say how Kang learned where the victim lives. Upon arrival, Kang took an Uber to a hotel in Fernandina Beach, about 35 miles north of Jacksonville, and then bought a hammer at a local hardware store, deputies said. Kang went to the victim's Fernandina Beach home, which was unlocked, around 2 a.m. Sunday, authorities said. The victim was walking out of his bedroom when he was confronted by Kang, who hit him on the head with the hammer, officials said. The two struggled as the victim called for help. His stepfather responded and helped to restrain Kang until police arrived. The victim suffered several head wounds that were not considered life-threatening, officials said. Online court records didn't list an attorney for Kang. He was being held without bond.

Piracy

South Korean ISP 'Infected' 600,000 Torrenting Subscribers With Malware (torrentfreak.com)

An anonymous reader quotes a report from TorrentFreak: Last week, an in-depth investigative report from JBTC revealed that Korean Internet provider KT, formerly known as Korea Telecom, distributed malware onto subscribers' computers to interfere with and block torrent traffic. File-sharing continues to be very popular in South Korea, but operates differently than in most other countries. "Webhard" services, short for Web Hard Drive, are particularly popular. These are paid BitTorrent-assisted services, which also offer dedicated web seeds, to ensure that files remain available.

Webhard services rely on the BitTorrent-enabled 'Grid System', which became so popular in Korea that ISPs started to notice it. Since these torrent transfers use a lot of bandwidth, which is very costly in the country, providers would rather not have this file-sharing activity on their networks. KT, one of South Korea's largest ISPs with over 16 million subscribers, was previously caught meddling with the Grid System. In 2020, their throttling activities resulted in a court case, where the ISP cited 'network management' costs as the prime reason to interfere. The Court eventually sided with KT, ending the case in its favor, but that wasn't the end of the matter. An investigation launched by the police at the time remains ongoing. New reports now show that the raid on KT's datacenter found that dozens of devices were used in the 'throttling process' and they were doing more than just limiting bandwidth.

When Webhard users started reporting problems four years ago, they didn't simply complain about slow downloads. In fact, the main concern was that several Grid-based Webhard services went offline or reported seemingly unexplainable errors. Since all complaining users were KT subscribers, fingers were pointed in that direction. According to an investigation by Korean news outlet JBTC, the Internet provider actively installed malware on computers of Webhard service users. This activity was widespread and affected an estimated 600,000 KT subscribers. The Gyeonggi Southern Police Agency, which carried out the raid and investigation, believes this was an organized hacking attempt. A dedicated KT team allegedly planted malware to eavesdrop on subscribers and interfere with their private file transfers. [...] Why KT allegedly distributed the malware and what it precisely intended to do is unclear. The police believe there were internal KT discussions about network-related costs, suggesting that financial reasons played a role.

Earth

Colorado Law To Ban Everyday Products With PFAS (theguardian.com)

An anonymous reader quotes a report from The Guardian: A new law coming into effect in Colorado in July is banning everyday products that intentionally contain toxic "forever chemicals," including clothes, cookware, menstruation products, dental floss and ski wax -- unless they can be made safer. Under the legislation, which takes effect on 1 July, many products using per- and poly-fluoroalkyl substances, or PFAS -- chemicals linked to cancer risk, lower fertility and developmental delays -- will be prohibited starting in 2026. By 2028, Colorado will also ban the sale of all PFAS-treated clothes, backpacks and waterproof outdoor apparel. The law will also require companies selling PFAS-coated clothing to attach disclosure labels.

The initial draft of state senate bill 81, introduced in 2022, included a full ban on PFAS beginning in 2032. But that measure was written out after facing opposition. Colorado has already passed a measure requiring companies to phase out PFAS in carpets, furniture, cosmetics, juvenile products, some food packaging and those used in oil and gas production. The incoming law's diluted version illustrates the challenges lawmakers have in regulating chemicals that are used to make products waterproof, nonstick or resistant to staining. Manufacturers say the products, at best, will take time to make with a safer replacement -- or at worst, are not yet possible to get made in such fashion. [...]

In Colorado, state senator Lisa Cutter, one of the sponsors of the new law there, has said she still wants a complete ban on PFAS but acknowledges the problems. "As much as I want PFAS to go away forever and forever, there are going to be some difficult pivots," she told the outlet. They include balancing the potential cost to consumers in making products PFAS-free. Cutter told CBS News that it was "really hard" challenging lobbying groups that "spent a lot of money ensuring that these chemicals can continue being put into our products and make profits." Cutter had been accused of stifling innovation and industry. She said she believed companies could be successful while also looking out for the communities they serve. "Certainly, there are cases where it's not plausible right away to gravitate away from them, but we need to be moving in that direction," Cutter said. "Our community shouldn't have to pay the price for their health."

Crime

Julian Assange Reaches Plea Deal With US, Allowing Him To Go Free (cnn.com)

WikiLeaks founder Julian Assange has agreed to a plea deal with the U.S. Justice Department over his alleged role in one of the largest U.S. government breaches of classified material. As a result, he will avoid imprisonment in the United States. CNN reports: Under the terms of the new agreement (PDF), Justice Department prosecutors will seek a 62-month sentence -- which is equal to the amount of time Assange has served in a high-security prison in London while he fought extradition to the US. The plea deal would credit that time served, allowing Assange to immediately return to Australia, his native country. The plea deal must still be approved by a federal judge.

Assange had faced 18 counts from a 2019 indictment for his alleged role in the breach, which carried a maximum of 175 years in prison, though he was unlikely to be sentenced to that time in full. Assange was being pursued by US authorities for publishing confidential military records supplied by former Army intelligence analyst Chelsea Manning in 2010 and 2011. US officials alleged that Assange goaded Manning into obtaining thousands of pages of unfiltered US diplomatic cables that potentially endangered confidential sources, Iraq war-related significant activity reports and information related to Guantanamo Bay detainees.

The Courts

Major Record Labels Sue AI Company Behind 'BBL Drizzy' (theverge.com)

A group of record labels including the big three -- Universal Music Group (UMG), Sony Music Entertainment, and Warner Records -- are suing two of the top names in generative AI music making, alleging the companies violated their copyright "en masse." From a report: The two AI companies, Suno and Udio, use text prompts to churn out original songs. Both companies have enjoyed a level of success: Suno is available for use in Microsoft Copilot through a partnership with the tech giant. Udio was used to create "BBL Drizzy," one of the more notable examples of AI music going viral.

The case against Suno was filed in Boston federal court, and the Udio case was filed in New York. The labels say artists across genres and eras had their work used without consent. The lawsuits were brought by the Recording Industry Association of America (RIAA), the powerful group representing major players in the music industry, and a group of labels. The RIAA is seeking damages of up to $150,000 per work, along with other fees.

Government

Amazon Retaliated After Employee Walkout Over Return-to-Office Policy, Says NLRB (theverge.com)

America's National Labor Relations Board "has filed a complaint against Amazon..." reports the Verge, "that alleges the company 'unlawfully disciplined and terminated an employee' after they assisted in organizing walkouts last May in protest of Amazon's new return-to-work [three days per week] directives, issued early last year." [T]housands of Amazon employees signed petitions against the new mandate and staged a walkout several months later. Despite the protests and pushback, according to a report by Insider, in a meeting in early August 2023, Jassy reaffirmed the company's commitment to employees returning to the office for the majority of the week.

The NLRB complaint alleges Amazon "interrogated" employees about the walkout using its internal Chime system. The employee was first put on a performance improvement plan by Amazon following their organizing efforts for the walkout and later "offered a severance payment of nine weeks' salary if the employee signed a severance agreement and global release in exchange for their resignation." According to the NLRB's lawyers, all of that was because the employee engaged in organizing, and the retaliation was intended to discourage "...protected, concerted activities...."

The NLRB's general counsel is seeking several different forms of remediation from Amazon, including reimbursement for the employee's "financial harms and search-for-work and work related expenses," a letter of apology, and a "Notice to Employees" that must be physically posted at the company's facilities across the country, distributed electronically, and read by an Amazon rep at a recorded videoconference.

Amazon says its actions were entirely unrelated to the workers' activism against its return-to-work policies. An Amazon spokesperson told the Verge that instead, the employee "consistently underperformed over a period of nearly a year and repeatedly failed to deliver on projects she was assigned. Despite extensive support and coaching, the former employee was unable to improve her performance and chose to leave the company."

Electronic Frontier Foundation

EFF: New License Plate Reader Vulnerabilities Prove The Tech Itself is a Public Safety Threat (eff.org)

Automated license plate readers "pose risks to public safety," argues the EFF, "that may outweigh the crimes they are attempting to address in the first place." When law enforcement uses automated license plate readers (ALPRs) to document the comings and goings of every driver on the road, regardless of a nexus to a crime, it results in gargantuan databases of sensitive information, and few agencies are equipped, staffed, or trained to harden their systems against quickly evolving cybersecurity threats. The Cybersecurity and Infrastructure Security Agency (CISA), a component of the U.S. Department of Homeland Security, released an advisory last week that should be a wake-up call to the thousands of local government agencies around the country that use ALPRs to surveil the travel patterns of their residents by scanning their license plates and "fingerprinting" their vehicles. The bulletin outlines seven vulnerabilities in Motorola Solutions' Vigilant ALPRs, including missing encryption and insufficiently protected credentials...

Unlike location data a person shares with, say, GPS-based navigation app Waze, ALPRs collect and store this information without consent and there is very little a person can do to have this information purged from these systems... Because drivers don't have control over ALPR data, the onus for protecting the data lies with the police and sheriffs who operate the surveillance and the vendors that provide the technology. It's a general tenet of cybersecurity that you should not collect and retain more personal data than you are capable of protecting. Perhaps ironically, a Motorola Solutions cybersecurity specialist wrote in an article in Police Chief magazine this month that public safety agencies "are often challenged when it comes to recruiting and retaining experienced cybersecurity personnel," even though "the potential for harm from external factors is substantial." That partially explains why more than 125 law enforcement agencies reported a data breach or cyberattacks between 2012 and 2020, according to research by former EFF intern Madison Vialpando. The Motorola Solutions article claims that ransomware attacks "targeting U.S. public safety organizations increased by 142 percent" in 2023.

Yet the temptation to "collect it all" continues to overshadow the responsibility to "protect it all." What makes the latest CISA disclosure even more outrageous is that it is at least the third time in the last decade that major security vulnerabilities have been found in ALPRs... If there's one positive thing we can say about the latest Vigilant vulnerability disclosures, it's that for once a government agency identified and reported the vulnerabilities before they could do damage... The Michigan Cyber Command center found a total of seven vulnerabilities in Vigilant devices, two of which were medium severity and five of which were high severity...

But a data breach isn't the only way that ALPR data can be leaked or abused. In 2022, an officer in the Kechi (Kansas) Police Department accessed ALPR data shared with his department by the Wichita Police Department to stalk his wife.

The article concludes that public safety agencies should "collect only the data they need for actual criminal investigations. They must never store more data than they adequately protect within their limited resources -- or they must keep the public safe from data breaches by not collecting the data at all."

Privacy

Change Healthcare Confirms Ransomware Hackers Stole Medical Records on a 'Substantial Proportion' of Americans (techcrunch.com)

Change Healthcare has confirmed a February ransomware attack on its systems, which brought widespread disruption to the U.S. healthcare system for weeks and resulted in the theft of medical records affecting a "substantial proportion of people in America." TechCrunch: In a statement Thursday, Change Healthcare said it has begun the process of notifying affected individuals whose information was stolen during the cyberattack. The health tech giant, owned by U.S. insurance conglomerate UnitedHealth Group, processes patient insurance and billing for thousands of hospitals, pharmacies and medical practices across the U.S. healthcare sector. As such, the company has access to massive amounts of health information on about a third of all Americans.
