The Ninth Circuit Court of Appeals is set to review a California district court's ruling in Neo4j v. PureThink, which upheld Neo4j's right to modify the GNU AGPLv3 with additional binding terms. If the appellate court affirms this decision, it could set a precedent allowing licensors to impose unremovable restrictions on open-source software, potentially undermining the enforceability of GPL-based licenses and threatening the integrity of the open-source ecosystem. The Register reports: The GNU AGPLv3 is a free and open source software (FOSS) license largely based on the GNU GPLv3, both of which are published by the Free Software Foundation (FSF). Neo4j provided database software under the AGPLv3, then tweaked the license, leading to legal battles over forks of the software. The AGPLv3 includes language that says any added restrictions or requirements are removable, meaning someone could just file off Neo4j's changes to the usage and distribution license, reverting it back to the standard AGPLv3, which the biz has argued and successfully fought against in that California district court.

Now the matter, the validity of that modified FOSS license, is before an appeals court in the USA. "I don't think the community realizes that if the Ninth Circuit upholds the lower court's ruling, it won't just kill GPLv3," PureThink's John Mark Suhy told The Register. "It will create a dangerous legal precedent that could be used to undermine all open-source licenses, allowing licensors to impose unexpected restrictions and fundamentally eroding the trust that makes open source possible."

Perhaps equally concerning is the fact that Suhy, founder and CTO of PureThink and iGov (the two firms sued by Neo4j), and presently CTO of IT consultancy Greystones Group, is defending GPL licenses on his own, pro se, without the help of the FSF, founded by Richard Stallman, creator of the GNU General Public License. "I'm actually doing everything pro se because I used up all my savings to fight it in the lower court," said Suhy. "I'm surprised the Free Software Foundation didn't care too much about it. They always had an excuse about not having the money for it. Luckily the Software Freedom Conservancy came in and helped out there."

UPDATE (3/1/2025): "We need a license to allow us to make some of the basic functionality of Firefox possible," Mozilla explained Wednesday in a clarification a recent Terms of Use update. "Without it, we couldn't use information typed into Firefox, for example. It does NOT give us ownership of your data or a right to use it for anything other than what is described in the Privacy Notice."

But Friday they went further, and revised those new Terms of Use "to more clearly reflect the limited scope of how Mozilla interacts with user data," according to a Mozilla blog post. ("You give Mozilla the rights necessary to operate Firefox... This does not give Mozilla any ownership in that content.")

Slashdot's original post below...

New submitter SharkByte writes: Mozilla just updated its Terms of Use and Privacy Policy for Firefox with a very disturbing "You Give Mozilla Certain Rights and Permissions" clause:

H/T to reader agristin as well, who also wrote about this.

Researchers at George Mason University discovered a vulnerability in Apple's Find My network that allows hackers to silently track any Bluetooth device as if it were an AirTag, without the owner's knowledge. 9to5Mac reports: Although AirTag was designed to change its Bluetooth address based on a cryptographic key, the attackers developed a system that could quickly find keys for Bluetooth addresses. This was made possible by using "hundreds" of GPUs to find a key match. The exploit called "nRootTag" has a frightening success rate of 90% and doesn't require "sophisticated administrator privilege escalation."

In one of the experiments, the researchers were able to track the location of a computer with an accuracy of 10 feet, which allowed them to trace a bicycle moving through the city. In another experiment, they reconstructed a person's flight path by tracking their game console. "While it is scary if your smart lock is hacked, it becomes far more horrifying if the attacker also knows its location. With the attack method we introduced, the attacker can achieve this," said one of the researchers. Apple has acknowledged the George Mason researchers for discovering a Bluetooth exploit in its Find My network but has yet to issue a fix. "For now, they advise users to never allow unnecessary access to the device's Bluetooth when requested by apps, and of course, always keep their device's software updated," reports 9to5Mac.

Apple announced a new feature allowing parents to share a child's age with app developers without exposing sensitive information, as lawmakers debate age-verification laws for social media and apps. Reuters reports: States, such as Utah and South Carolina, are currently debating laws that would require app store operators such as Apple and Alphabet's Google to check the ages of users. That has set up a conflict in the tech industry over which party should be responsible for checking ages for users under 18 -- app stores, or each individual app. Meta, for instance, has long argued in favor of legislation requiring app stores to check ages when a child downloads an app.

Apple on Thursday said it does not want to be responsible for collecting sensitive data for those age verifications. "While only a fraction of apps on the App Store may require age verification, all users would have to hand over their sensitive personally identifying information to us -- regardless of whether they actually want to use one of these limited set of apps," Apple wrote in a whitepaper on its website.

An anonymous reader quotes a report from TechCrunch: Security researchers are warning that data exposed to the internet, even for a moment, can linger in online generative AI chatbots like Microsoft Copilot long after the data is made private. Thousands of once-public GitHub repositories from some of the world's biggest companies are affected, including Microsoft's, according to new findings from Lasso, an Israeli cybersecurity company focused on emerging generative AI threats.

Lasso co-founder Ophir Dror told TechCrunch that the company found content from its own GitHub repository appearing in Copilot because it had been indexed and cached by Microsoft's Bing search engine. Dror said the repository, which had been mistakenly made public for a brief period, had since been set to private, and accessing it on GitHub returned a "page not found" error. "On Copilot, surprisingly enough, we found one of our own private repositories," said Dror. "If I was to browse the web, I wouldn't see this data. But anyone in the world could ask Copilot the right question and get this data."

After it realized that any data on GitHub, even briefly, could be potentially exposed by tools like Copilot, Lasso investigated further. Lasso extracted a list of repositories that were public at any point in 2024 and identified the repositories that had since been deleted or set to private. Using Bing's caching mechanism, the company found more than 20,000 since-private GitHub repositories still had data accessible through Copilot, affecting more than 16,000 organizations. Lasso told TechCrunch ahead of publishing its research that affected organizations include Amazon Web Services, Google, IBM, PayPal, Tencent, and Microsoft. [...] For some affected companies, Copilot could be prompted to return confidential GitHub archives that contain intellectual property, sensitive corporate data, access keys, and tokens, the company said.

An anonymous reader shares a report: The company behind WordPress, Automattic Inc., and its founder, Matt Mullenweg, continue to face backlash over a "nuclear war" started with WP Engine (WPE) that allegedly messed with maintenance and security of hundreds of thousands of websites.

In a proposed class action lawsuit filed this weekend, a WPE customer, Ryan Keller, accused Automattic and Mullenweg of "deliberately abusing their power and control over the WordPress ecosystem to purposefully, deliberately, and repeatedly disrupt contracts" -- all due to a supposed trademark infringement claim. If granted, the class would include "all persons in the United States who had ongoing active WPE WordPress Web Hosting Plans on or before September 24, 2024 through December 10, 2024."

WPE had previously sued Automattic and Mullenweg, alleging that the attack on WPE was actually an attempt to extort what Keller alleged was "tens of millions of dollars" in payments from WPE for using the WordPress trademark. Mullenweg made it clear that the value of the payments was "based on what he thought WPE could afford, rather than what the value of the trademark actually was," Keller's complaint alleged. Automattic's "poorly disguised attempt to extort WPE," Keller alleged, was lobbed "against the threat of making it virtually impossible for WPE (and its customers) to conduct its ordinary business."

Google has updated its Results About You tool with a redesigned hub, easier removal requests directly from Search, and the ability to refresh outdated results. Engadget reports: Today, the tech giant is announcing the latest changes, including a redesigned hub and the ability to update outdated search results to reflect the latest changes.

The redesign isn't only for show. You can now submit removal requests directly from Search with fewer actions by clicking or tapping the three dots beside a search result. If you manage to have content about you deleted or changed from a website but Google Search hasn't caught up, you can refresh the search, which will "recrawl the page and obtain the latest information." In other words, you can always see the most up-to-date results about you.

An anonymous reader quotes a report from the New York Times: As investigators struggled for weeks to find who might have committed the brutal stabbings of four University of Idaho students in the fall of 2022, they were focused on a key piece of evidence: DNA on a knife sheath that was found at the scene of the crime. At first they tried checking the DNA with law enforcement databases, but that did not provide a hit. They turned next to the more expansive DNA profiles available in some consumer databases in which users had consented to law enforcement possibly using their information, but that also did not lead to answers.

F.B.I. investigators then went a step further, according to newly released testimony, comparing the DNA profile from the knife sheath with two databases that law enforcement officials are not supposed to tap: GEDmatch and MyHeritage. It was a decision that appears to have violated key parameters of a Justice Department policy that calls for investigators to operate only in DNA databases "that provide explicit notice to their service users and the public that law enforcement may use their service sites."

It also seems to have produced results: Days after the F.B.I.'s investigative genetic genealogy team began working with the DNA profiles, it landed on someone who had not been on anyone's radar:Bryan Kohberger, a Ph.D. student in criminology who has now been charged with the murders. The case has shown both the promise and the unregulated power of genetic technology in an era in which millions of people willingly contribute their DNA profiles to recreational databases, often to hunt for relatives. In the past, law enforcement officials would need to find a direct match between DNA at the crime scene and that of a specific suspect. Now, investigators can use consumer DNA data to build family trees that can zero in on a person of interest -- within certain policy limits.

Online-education company Chegg said it is conducting a business review and exploring alternatives such as selling the company or taking it private as it continues to lose subscribers to artificial-intelligence-enabled rivals. From a report: Chegg and other virtual-learning companies have ceded ground to generative-AI companies such as ChatGPT, which provides free alternatives to the homework help that Chegg charges $19.95 for to its subscribers. Although Chegg built its own AI products, the company has faced scores of canceled subscriptions. The business review comes as the company swung to a loss in the fourth quarter, with revenue falling 24%, and guided for lower-than-expected revenue for the first quarter. In November, Chegg said it would cut its workforce by an additional 21%. Chegg's shares have fallen 99% since its peak in 2021.

All 50 U.S. states have now introduced some form of right to repair legislation, marking a significant milestone that "shows the power of the grassroots political movement," reports 404 Media. From the report: Thursday, Wisconsin became the final state in the country to introduce a right to repair bill. So far, right to repair laws have been passed in Massachusetts, New York, Minnesota, Colorado, California, and Oregon. Another 20 states are formally considering right to repair bills during this current legislative session. The rest have previously introduced bills that have not passed; so far we have seen that many states take several years to move a given right to repair bill through the legislative process. iFixit's Kyle Wiens said covering the entire map is a "tipping point" for the movement: "We've gone from a handful of passionate advocates to a nationwide call for repair autonomy. People are fed up with disposable products and locked-down devices. Repair is the future, and this moment proves it."

An anonymous reader quotes a report from TorrentFreak: In France, rightsholders have taken legal action to compel large VPN providers to support their pirate site blocking program. The aim is to reinforce existing blocking measures, but VPN providers see this as a dangerous move, leading to potential security issues and overblocking. As a result, some are considering leaving France altogether if push comes to shove. [...] Earlier this month, sports rightsholders Canal+ and LFP requested blocking injunctions that would require popular VPNs to start blocking pirate sites and services. The full requests are not public, but the details available show that Cyberghost, ExpressVPN, NordVPN, ProtonVPN, and Surfshark are listed as respondents. [...]

The blocking request has yet to be approved and several of the targeted VPN providers have reserved detailed commentary, for now. That said, the VPN Trust Initiative (VTI), which includes ExpressVPN, NordVPN and Surfshark as members, has been vocal in its opposition. VTI is part of the i2Coalition and while it doesn't speak directly for any of the members, the coalition's Executive Director Christian Dawson has been in regular discussions with VPN providers. From this, it became clear that VPN providers face difficult decisions. If VPN providers are ordered to block pirate sites, some are considering whether to follow in the footsteps of Cisco, which discontinued its OpenDNS service in the country, to avoid meddling with its DNS resolver.

Speaking with TorrentFreak, VTI's Dawson says that VPNs have previously left markets like India and Pakistan in response to restrictive requirements. This typically happens when privacy or security principles are at risk, or if the technical implementation of blocking measures is infeasible. VTI does not rule out that some members may choose to exit France for similar reasons, if required to comply with blocking measures. "We've seen this before in markets like India and Pakistan, where regulatory requirements forced some VPN services to withdraw rather than compromise on encryption standards or log-keeping policies," Dawson says. "France's potential move to force VPN providers to block content could put companies in a similar position -- where they either comply with measures that contradict their purpose or leave the market altogether." "This case in France is part of a broader global trend of regulatory overreach, where governments attempt to control encrypted services under the guise of content regulation. We've already seen how China, Russia, Myanmar, and Iran have imposed VPN restrictions as part of broader censorship efforts."

"The best path forward is for policymakers to focus on targeted enforcement measures that don't undermine Internet security or create a precedent for global Internet fragmentation," concludes Dawson. "As seen in other cases, blanket blocking measures do not effectively combat piracy but instead create far-reaching consequences that disrupt the open Internet."

Chegg has filed a lawsuit against Google, accusing the tech giant of using AI-generated overviews to undermine publishers by reducing site traffic and eroding financial incentives for original content. Chegg claims this practice violates antitrust laws and threatens the integrity of the online information ecosystem. Reuters reports: This will eventually lead to a "hollowed-out information ecosystem of little use and unworthy of trust," the company said. The Santa Clara, California-based company has said Google's AI overviews have caused a drop in visitors and subscribers. Chegg was trading at around $1.63 on Monday, down more than 98% from its peak price in 2021.

The company announced it would lay off 21% of its staff in November. Nathan Schultz, CEO of Chegg, said on Monday that Google is profiting off the company's content for free. "Our lawsuit is about more than Chegg -- it's about the digital publishing industry, the future of internet search, and about students losing access to quality, step-by-step learning in favor of low-quality, unverified AI summaries," he said.

Publishers allow Google to crawl their websites to generate search results, which Google monetizes through advertising. In exchange, the publishers receive search traffic to their sites when users click on the results, Chegg said. But Google has started coercing publishers to let it use the information for AI overviews and other features that result in fewer site visitors, the company said. Chegg argued the conduct violates a law against conditioning the sale of one product on the customer selling or giving its supplier another product.

An anonymous reader shared this report from the Telegraph: Workers with an axe to grind against their employer are using AI to bombard businesses with costly and inaccurate lawsuits, experts have warned.

Frustration is growing among employment lawyers who say they are seeing a trend of litigants using AI to help them run their claims, which they say is generating "inconsistent, lengthy, and often incorrect arguments" and causing a spike in legal fees... Ailie Murray, an employment partner at law firm Travers Smith, said AI submissions are produced so rapidly that they are "often excessively lengthy and full of inconsistencies", but employers must then spend vast amounts of money responding to them. She added: "In many cases, the AI-generated output is inaccurate, leading to claimants pleading invalid claims or arguments.

"It is not an option for an employer to simply ignore such submissions. This leads to a cycle of continuous and costly correspondence. Such dynamics could overburden already stretched tribunals with unfounded and poorly pleaded claims."
There's definitely been a "significant increase" in the number of clients using AI, James Hockin, an employment partner at Withers, told the Telegraph. The danger? "There is a risk that we see unrepresented individuals pursuing the wrong claims in the UK employment tribunal off the back of a duff result from an AI tool."

An anonymous reader shared this report from the Washington Post's "Tech Brief": Last fall, reports that Kroger was considering bringing facial recognition technology into its stores sparked outcry from lawmakers and customers. They worried personalized data could be used to charge different prices for different customers based on their shopping habits, financial circumstances or appearance. Kroger, the country's largest supermarket chain, had already been using digital price tags in its stores.

Kroger told lawmakers that it doesn't use facial recognition to help it set prices, a stance the company reiterated to the Tech Brief on Thursday. Still, the uproar helped to spark a push by consumer advocates who warn that the threat of invasive, personalized pricing schemes is real. Now, Democratic lawmakers in several states are working to ban so-called "surveillance pricing" — when businesses charge customers more or less for the same item based on their personal information.
Besides a bill in California, three more bill were introduced this month in Colorado, Georgia, and Illinois that also ban "surveillance wages," which the article defines as employers adjusting wages based on how much data an employee collects. "Both surveillance pricing and surveillance wages really disrupt fundamental ideals of fairness," University of California, Irvine law professor Veena Dubal tells the Washington Post.

Dubal is one of the consumer advocates behind a new report which notes information released last month by America's consumer-protecting FTC that "suggests that surveillance pricing tools are being actively developed and marketed across a range of industries, including consumer-facing businesses like 'grocery stores, apparel retailers, health and beauty retailers, home goods and furnishing stores, convenience stores, building and hardware stores, and general merchandise retailers such as department or discount stores." The consumer advocates (which include the Electronic Privacy Information Center) put it this way.

"Imagine walking into a grocery store and seeing a price for milk that's higher than what the next shopper pays because an algorithm calculated that you're willing to spend more..."

California sued to fine a data-harvesting company, reports the Washington Post, calling it "a rare step to put muscle behind one of the strongest online privacy laws in the United States." Even when states have tried to restrict data brokers, it has been tough to make those laws stick. That has generally been a problem for the 19 states that have passed broad laws to protect personal information, said Matt Schwartz, a policy analyst for Consumer Reports. He said there has been only 15 or so public enforcement actions by regulators overseeing all those laws. Partly because companies aren't held accountable, they're empowered to ignore the privacy standards. "Noncompliance is fairly widespread," Schwartz said. "It's a major problem."

That's why California is unusual with a data broker law that seems to have teeth. To make sure state residents can order all data brokers operating in the state to delete their personal records [with a single request], California is now requiring brokers to register with the state or face a fine of $200 a day. The state's privacy watchdog said Thursday that it filed litigation to force one data broker, National Public Data, to pay $46,000 for failing to comply with that initial phase of the data broker law. NPD declined to comment through an attorney... This first lawsuit for noncompliance, Schwartz said, shows that California is serious about making companies live up to their privacy obligations... "If they can successfully build it and show it works, it will create a blueprint for other states interested in this idea," he said.
Last summer NPD "spilled hundreds of millions of Americans' Social Security Numbers, addresses, and phone numbers online," according to the blog Krebs on Security, adding that another NPD data broker sharing access to the same consumer records "inadvertently published the passwords to its back-end database in a file that was freely available from its homepage..."

California's attempt to regulate the industry inspired the nonprofit Consumer Reports to create an app called Permission Slip that reveals what data companies collect and, for people in U.S. states, will "work with you to file a request, telling companies to stop selling your personal information."

Other data-protecting options suggested by The Washington Post:

• Use Firefox, Brave or DuckDuckGo, "which can automatically tell websites not to sell or share your data. Those demands from the web browsers are legally binding or will be soon in at least nine states."

• Use Privacy Badger, an EFF browser extension which the EFF says "automatically tells websites not to sell or share your data including where it's required by state law."

WinRAR 7.10 now lets users remove potentially sensitive metadata from downloaded files while preserving core Windows security features. The file compression tool's latest release introduces a "Zone value only" setting that strips download locations and IP addresses from Windows' Mark-of-the-Web security flags during file extraction.

The new privacy control, enabled by default, maintains only the basic security zone identifier that triggers Windows' safety prompts for downloaded files. This change prevents recipients of shared archives from accessing metadata that could reveal where files originated. The update from win.rar GmbH, whose compression software claims 500 million users worldwide, also adds performance improvements through larger memory page support and introduces a dark mode interface.

California is considering officially recognizing Bigfoot as its state cryptid through Assembly Bill 666, introduced last week by North Coast Assemblymember Chris Rogers. "Rogers' district spans Del Norte, Humboldt, Mendocino, Sonoma and Trinity counties, a region known as the epicenter of Bigfoot lore," reports SFGATE. From the report: Assemblyman Rogers' Assembly Bill 666 is still in its early stages. According to the California Legislative Information website, the bill's title has been read aloud in the state Assembly and is now being printed and distributed to committee members for review. If it clears committee, it must then pass the Assembly and Senate before reaching the governor's desk to be signed into law.

[Matt Moneymaker, a longtime Bigfoot researcher and former star of the Animal Planet series 'Finding Bigfoot], is eager to witness history. "If there's going to be a date, an occasion when they're voting on whether or not to make it the official cryptid, I would love to be up there in Sacramento," he said. "I would gladly pay my way to be there when that happens." "Mankind has always had a fascination with monsters, and mythologies from around the world include stories of strange and terrifying creatures," writes Slashdot reader Pickens in a story published in 2008. "Examples include the half-bull, half-human Minotaur of Greek myths, the living clay Golem of Jewish traditions, British elves and Chinese dragons..." What's your favorite monster?

An anonymous reader quotes a report from Ars Technica: Just because Meta admitted to torrenting a dataset of pirated books for AI training purposes, that doesn't necessarily mean that Meta seeded the file after downloading it, the social media company claimed in a court filing (PDF) this week. Evidence instead shows that Meta "took precautions not to 'seed' any downloaded files," Meta's filing said. Seeding refers to sharing a torrented file after the download completes, and because there's allegedly no proof of such "seeding," Meta insisted that authors cannot prove Meta shared the pirated books with anyone during the torrenting process.

[...] Meta ... is hoping to convince the court that torrenting is not in and of itself illegal, but is, rather, a "widely-used protocol to download large files." According to Meta, the decision to download the pirated books dataset from pirate libraries like LibGen and Z-Library was simply a move to access "data from a 'well-known online repository' that was publicly available via torrents." To defend its torrenting, Meta has basically scrubbed the word "pirate" from the characterization of its activity. The company alleges that authors can't claim that Meta gained unauthorized access to their data under CDAFA. Instead, all they can claim is that "Meta allegedly accessed and downloaded datasets that Plaintiffs did not create, containing the text of published books that anyone can read in a public library, from public websites Plaintiffs do not operate or own."

While Meta may claim there's no evidence of seeding, there is some testimony that might be compelling to the court. Previously, a Meta executive in charge of project management, Michael Clark, had testified (PDF) that Meta allegedly modified torrenting settings "so that the smallest amount of seeding possible could occur," which seems to support authors' claims that some seeding occurred. And an internal message (PDF) from Meta researcher Frank Zhang appeared to show that Meta allegedly tried to conceal the seeding by not using Facebook servers while downloading the dataset to "avoid" the "risk" of anyone "tracing back the seeder/downloader" from Facebook servers. Once this information came to light, authors asked the court for a chance to depose Meta executives again, alleging that new facts "contradict prior deposition testimony." "Meta has been 'silent so far on claims about sharing data while 'leeching' (downloading) but told the court it plans to fight the seeding claims at summary judgement," notes Ars.

An anonymous reader quotes a report from TorrentFreak: Altice, parent company of Internet provider Optimum, must disclose the personal details of a hundred alleged music pirates. The request comes from a group of prominent record labels and is part of an ongoing copyright infringement liability lawsuit (PDF). Altice, meanwhile, will receive anti-piracy information, including that related to a letter the RIAA previously sent to BitTorrent Inc., the owner of popular torrent client uTorrent. [...] Details are scarce, but the group will likely consist of subscribers who were repeatedly warned over alleged piracy activity. The music labels could use this information to gather further evidence to support their allegations. For example, subscriber testimony could help to strengthen the argument that the ISP failed to take effective measures against repeat infringers.

There's nothing to suggest that these people will be approached with any claims directly. The names, emails, and addresses of the subscribers are marked as "highly confidential" and can only be viewed by attorneys acting for the music companies. The subscribers will be informed about the forthcoming disclosure of their personal details and any objections will be heard by the court. [...] Subscriber details are just a fraction of the information requested by the parties during discovery. Altice, for example, will also gain access to some non-privileged documents and communications between the music companies and their anti-piracy partners, including the RIAA, OpSec, and Audible Magic.

This includes information regarding a letter (PDF) the RIAA sent to the company behind the uTorrent and BitTorrent clients in 2015. [...] The nature of information sought by Altice isn't clear. The company previously said that if music labels are concerned about piracy, they are free to go after developers of 'piracy' software. While neutral torrent clients don't fall into that category, the ISP will be interested in any related legal considerations that took place behind the scenes.

The U.S. Federal Trade Commission has launched an inquiry into potential "censorship" by technology platforms ranging from Meta to Uber, marking an escalation in scrutiny of content moderation practices. FTC Chair Andrew Ferguson called for public comment on what he termed "Big Tech censorship," describing it as "un-American" and "potentially illegal."

The broad probe could examine social media, video sharing, ride-sharing and event planning services. The announcement follows long-standing Republican claims that conservative viewpoints face discrimination on social media platforms.