Privacy

Clearview AI Is Struggling To Address Complaints As Its Legal Issues Mount (buzzfeednews.com) 19

An anonymous reader quotes a report from BuzzFeed News: Clearview AI, the facial recognition company that claims to have amassed a database of more than 3 billion photos scraped from Facebook, YouTube, and millions of other websites, is scrambling to deal with calls for bans from advocacy groups and legal threats. These troubles come after news reports exposed its questionable data practices and misleading statements about working with law enforcement. Following stories published in the New York Times and BuzzFeed News, the Manhattan-based startup received cease-and-desist letters from Twitter and the New Jersey attorney general. It was also sued in Illinois in a case seeking class-action status.

Despite its legal woes, Clearview continues to contradict itself, according to documents obtained by BuzzFeed News that are inconsistent with what the company has told the public. In one example, the company, whose code of conduct states that law enforcement should only use its software for criminal investigations, encouraged officers to use it on their friends and family members. In the aftermath of revelations about its technology, Clearview has tried to clean up its image by posting informational webpages, creating a blog, and trotting out surrogates for media interviews, including one in which an investor claimed Clearview was working with "over a thousand independent law enforcement agencies." Previously, Clearview had stated that the number was around 600. Clearview has also tried to allay concerns that its technology could be abused or used outside the scope of police investigations. In a code of conduct that the company published on its site earlier this month, it said its users should "only use the Services for law enforcement or security purposes that are authorized by their employer and conducted pursuant to their employment." It bolstered that idea with a blog post on Jan. 23, which stated, "While many people have advised us that a public version would be more profitable, we have rejected the idea."
"Clearview exists to help law enforcement agencies solve the toughest cases, and our technology comes with strict guidelines and safeguards to ensure investigators use it for its intended purpose only," the post stated.

But in a November email, a company representative encouraged a police officer to use the software on himself and his acquaintances. "Have you tried taking a selfie with Clearview yet?" the email read. "It's the best way to quickly see the power of Clearview in real time. Try your friends or family. Or a celebrity like Joe Montana or George Clooney. Your Clearview account has unlimited searches. So feel free to run wild with your searches."
Education

US Colleges Are Trying To Install Location Tracking Apps On Students' Phones (theverge.com) 139

Some U.S. colleges are now apparently requiring students to install a location tracking app to track attendance. Sean Hollister writes for The Verge: The Kansas City Star reported that at the University of Missouri, new students "won't be given a choice" of whether to install the SpotterEDU app, which uses Apple's iBeacons to broadcast a Bluetooth signal that can help the phone figure out whether a student is actually in a room. But a university spokesperson told Campus Reform on Sunday that only athletes are technically required to use the app, and a new statement from the university on Monday not only claims that it's "completely optional" for students, but that the app's being piloted with fewer than 2 percent of the student body.

What the reports do agree on: the app uses local Bluetooth signals, not GPS, so it's probably not going to be very useful to track students outside of school. "No GPS tracking is enabled, meaning the technology cannot locate the students once they leave class," reads part of the university's statement. SpotterEDU isn't just used at the University of Missouri, though -- it's being tested at nearly 40 schools, company founder and former college basketball coach Rick Carter told The Washington Post in December. The Post's story makes it sound remarkably effective, with one Syracuse professor attesting that classes have never been so full, with more than 90 percent attendance. But that same professor attested that an earlier version of the app did have access to GPS coordinates, if only for a student to proactively share their location with a teacher.
The Post reports that Degree Analytics is also being used in an additional 19 schools, but unlike SpotterEDU, it uses Wi-Fi signals instead of Bluetooth.

The New York Times also reported in September on a similar app from a company called FanMaker that provides "loyalty points" to students who stick around to watch college sports games at the stadium instead of skipping out. That app is in use at 40 schools, the Times wrote.
Privacy

LabCorp Security Lapse Exposed Thousands of Medical Documents (techcrunch.com) 15

A security flaw in LabCorp's website exposed thousands of medical documents, like test results containing sensitive health data. From a report: It's the second incident in the past year after LabCorp said in June that 7.7 million patients had been affected by a credit card data breach of a third-party payments processor. The breach also hit several other laboratory testing companies, including Quest Diagnostics. This latest security lapse was caused by a vulnerability on a part of LabCorp's website, understood to host the company's internal customer relationship management system. Although the system appeared to be protected with a password, the part of the website designed to pull patient files from the back-end system was left exposed. That unprotected web address was visible to search engines and was later cached by Google, making it accessible to anyone who knew where to look. The cached search result only returned one document -- a document containing a patient's health information. But changing and incrementing the document number in the web address made it possible to access other documents. The bug is now fixed.
Privacy

Facebook Rolls Out Privacy Tool To Manage How You're Tracked Across the Web (cnet.com) 49

Facebook has been determined to give people privacy controls while they're on the social network, but on Tuesday, it rolled out a long-promised tool that hopes to give people control from the social network. From a report: In a blog post on Data Privacy Day, Facebook CEO Mark Zuckerberg announced that the "Off-Facebook Activity" tool would finally be launched globally, a tool that allows people to manage how Facebook tracks them across the internet. Zuckerberg had promised this feature since May 2018, which at the time he called a "Clear History" button. While it had slow roll-outs around the world, starting last August, it should be available now to the 2.4 billion people who use Facebook every month, Zuckerberg said. In the blog post, he explained the delay was because "we had to rebuild some of our systems to make this possible." "Other businesses send us information about your activity on their sites and we use that information to show you ads that are relevant to you," Zuckerberg said in the post. "Now you can see a summary of that information and clear it from your account if you want to."
Privacy

Ring Doorbell App Packed With Third-Party Trackers (eff.org) 150

Ring isn't just a product that allows users to surveil their neighbors. The company also uses it to surveil its customers. An investigation by EFF of the Ring doorbell app for Android found it to be packed with third-party trackers sending out a plethora of customers' personally identifiable information (PII). From the report, shared by reader AmiMoJo: Four main analytics and marketing companies were discovered to be receiving information such as the names, private IP addresses, mobile network carriers, persistent identifiers, and sensor data on the devices of paying customers. The danger in sending even small bits of information is that analytics and tracking companies are able to combine these bits together to form a unique picture of the user's device. This cohesive whole represents a fingerprint that follows the user as they interact with other apps and use their device, in essence providing trackers the ability to spy on what a user is doing in their digital lives and when they are doing it.

All this takes place without meaningful user notification or consent and, in most cases, no way to mitigate the damage done. Even when this information is not misused and employed for precisely its stated purpose (in most cases marketing), this can lead to a whole host of social ills. Ring has exhibited a pattern of behavior that attempts to mitigate exposure to criticism and scrutiny while benefiting from the wide array of customer data available to them. It has been able to do so by leveraging an image of the secure home, while profiting from a surveillance network which facilitates police departments' unprecedented access into the private lives of citizens, as we have previously covered. For consumers, this image has cultivated a sense of trust in Ring that should be shaken by the reality of how the app functions: not only does Ring mismanage consumer data, but it also intentionally hands over that data to trackers and data miners.

Privacy

Government Privacy Watchdog Under Pressure To Recommend Facial Recognition Ban (thehill.com) 31

An anonymous reader quotes a report from The Hill: The Privacy and Civil Liberties Oversight Board (PCLOB), an independent agency, is coming under increasing pressure to recommend the federal government stop using facial recognition. Forty groups, led by the Electronic Privacy Information Center, sent a letter Monday to the agency calling for the suspension of facial recognition systems "pending further review." "The rapid and unregulated deployment of facial recognition poses a direct threat to 'the precious liberties that are vital to our way of life,'" the advocacy groups wrote.

The PCLOB "has a unique responsibility, set out in statute, to assess technologies and policies that impact the privacy of Americans after 9-11 and to make recommendations to the President and executive branch," they wrote. The agency, created in 2004, advises the administration on privacy issues. The letter cited a recent New York Times report about Clearview AI, a company which claims to have a database of more than 3 billion photos and is reportedly collaborating with hundreds of police departments. It also mentioned a study by the National Institute of Standards and Technology, part of the Commerce Department, which found that the majority of facial recognition systems have "demographic differentials" that can worsen their accuracy based on a person's age, gender or race.

Social Networks

Hackers Target NFL Teams On Twitter Ahead of Super Bowl (cnet.com) 17

CaptainDork shares a report from CNET: The Twitter accounts of several NFL teams were hacked on Monday ahead of this weekend's Super Bowl game. Around 15 teams, including the Green Bay Packers, Chicago Bears, Dallas Cowboys and San Francisco 49ers, were all targeted. The accounts had their profile images removed and some included messages from OurMine, the Saudi Arabia-based hacker group that appears to be responsible. "We are here to show people that everything is hackable," a message on a handful of hacked accounts reads. "To improve your accounts security contact us." The message includes an email address and Twitter handle for OurMine, though the account was suspended. The NFL's main account was hijacked in the hacking spree. Some teams also had their Instagram and Facebook accounts hacked.
Government

Maryland Bill Would Outlaw Ransomware, Keep Researchers From Reporting Bugs (arstechnica.com) 85

A proposed law introduced in Maryland's state senate last week would criminalize the possession of ransomware and other criminal activities with a computer. However, CEO of Luta Security Katie Moussouris warns that the current bill "would prohibit vulnerability disclosure unless the specific systems or data accessed by the helpful security researcher were explicitly authorized ahead of time and would prohibit public disclosure if the reports were ignored." Ars Technica reports: The bill, Senate Bill 3, covers a lot of ground already covered by U.S. Federal law. But it classifies the mere possession of ransomware as a misdemeanor punishable by up to 10 years of imprisonment and a fine of up to $10,000. The bill also states (in all capital letters in the draft) that "THIS PARAGRAPH DOES NOT APPLY TO THE USE OF RANSOMWARE FOR RESEARCH PURPOSES."

Additionally, the bill would outlaw unauthorized intentional access or attempts to access "all or part of a computer network, computer control language, computer, computer software, computer system, computer service, or computer database; or copy, attempt to copy, possess, or attempt to possess the contents of all or part of a computer database accessed." It also would criminalize under Maryland law any act intended to "cause the malfunction or interrupt the operation of all or any part" of a network, the computers on it, or their software and data, or "possess, identify, or attempt to identify a valid access code; or publicize or distribute a valid access code to an unauthorized person." There are no research exclusions in the bill for these provisions.
"While access or attempted access would be a misdemeanor (punishable by a fine of $1,000, three years of imprisonment, or both), breaching databases would be a felony if damages were determined to be greater than $10,000 -- punishable by a sentence of up to 10 years, a fine of $10,000, or both," the report adds. "The punishments go up if systems belonging to the state government, electric and gas utilities, or public utilities are involved, with up to 10 years of imprisonment and a $25,000 fine if more than $50,000 in damage is done."
iMac

Apple Imagines iMac Built Into Curved Sheet of Glass (theverge.com) 59

Apple applied for a patent for an ambitious design for a new all-in-one computer which integrates both its keyboard and screen into a single curved sheet of glass. The Verge reports: The patent application, which was first spotted by Patently Apple, and which was filed in May last year, describes how the iMac-like computer's "input area" and "display area" could be built into a single continuous surface, while a support structure behind the display could then contain the computer's processing unit, as well as providing space for all the machine's ports.

It's a pretty striking design for a couple of reasons. For one thing, the amount of curved glass involved is far more than Apple has ever used in one of its products before. It's also interesting to see that the company is thinking about taking the iMac's all-in-one design even further, by integrating not just the computer and display together, but also a keyboard and touchpad as well (although the application also describes how the keyboard could be detached during use).
The patent also describes how one could dock a MacBook into the device and output the screen to the iMac's display, while its keyboard would pass through a hole in the middle of the machine to let you use it as normal.

Additionally, "the application suggests that its single sheet of glass could fold down its middle to allow you to pack it away when not in use," reports The Verge.
United Kingdom

Met Police To Deploy Facial Recognition Cameras (bbc.com) 52

The Metropolitan Police has announced it will use live facial recognition cameras operationally for the first time on London streets. From a report: The cameras will be in use for five to six hours at a time, with bespoke lists of suspects wanted for serious and violent crimes drawn up each time. Police say the cameras identified 70% of suspects but an independent review found much lower accuracy. Privacy campaigners said it was a "serious threat to civil liberties." Following earlier pilots in London and deployments by South Wales Police, the cameras are due to be put into action within a month. Police say they will warn local communities and consult with them in advance.
Firefox

Mozilla Has Banned Nearly 200 Malicious Firefox Add-ons Over the Last Two Weeks (zdnet.com) 28

Over the past two weeks, Mozilla's add-on review team has banned 197 Firefox add-ons that were caught executing malicious code, stealing user data, or using obfuscation to hide their source code. From a report: The add-ons have been banned and removed from the Mozilla Add-on (AMO) portal to prevent new installs, but they've also been disabled in the browsers of the users who already installed them. The bulk of the ban was levied on 129 add-ons developed by 2Ring, a provider of B2B software. The ban was enforced because the add-ons were downloading and executing code from a remote server. According to Mozilla's rules, add-ons must self-contain all their code, and not download code dynamically from remote locations. Mozilla has recently begun strictly enforcing this rule across its entire add-on ecosystem. A similar ban for downloading and executing remote code in users' Firefox browsers was also levied against six add-ons developed by Tamo Junto Caixa, and three add-ons that were deemed fake premium products (their names were not shared).
Privacy

Leaked Documents Expose the Secretive Market for Your Web Browsing Data (vice.com) 78

An antivirus program used by hundreds of millions of people around the world is selling highly sensitive web browsing data to many of the world's biggest companies, a joint investigation by Motherboard and PCMag has found. From the report: Our report relies on leaked user data, contracts, and other company documents that show the sale of this data is both highly sensitive and is in many cases supposed to remain confidential between the company selling the data and the clients purchasing it. The documents, from a subsidiary of the antivirus giant Avast called Jumpshot, shine new light on the secretive sale and supply chain of people's internet browsing histories. They show that the Avast antivirus program installed on a person's computer collects data, and that Jumpshot repackages it into various different products that are then sold to many of the largest companies in the world. Some past, present, and potential clients include Google, Yelp, Microsoft, McKinsey, Pepsi, Sephora, Home Depot, Conde Nast, Intuit, and many others. Some clients paid millions of dollars for products that include a so-called "All Clicks Feed," which can track user behavior, clicks, and movement across websites in highly precise detail.
Privacy

ProtonVPN Open Sources All Its Code (protonvpn.com) 29

ProtonVPN open sourced its code this week, ZDNet reports: On Tuesday, the virtual private network (VPN) provider, also known for the ProtonMail secure email service, said that the code backing ProtonVPN applications on every system -- Microsoft Windows, Apple macOS, Android, and iOS -- is now publicly available for review in what Switzerland-based ProtonVPN calls "natural" progression.

"There is a lack of transparency and accountability regarding who operates VPN services, their security qualifications, and whether they fully conform to privacy laws like GDPR," the company says. "Making all of our applications open source is, therefore, a natural next step." Each application has also undergone a security audit by SEC Consult, which ProtonVPN says builds upon a previous partnership with Mozilla...

The source code for each app is now available on GitHub (Windows, macOS, Android, iOS). "As a community-supported organization, we have a responsibility to be as transparent, accountable, and accessible as possible," ProtonVPN says.

"Going open source helps us to do that and serve you better at the same time."

They're also publishing the results of an independent security audit for each app. "As former CERN scientists, publication and peer review are a core part of our ethos..." the company wrote in a blog post. They also point out that Switzerland has some of the world's strongest privacy laws -- and that ProtonVPN observes a strict no-logs policy.

But how do they feel about their competition? "Studies have found that over one-third of Android VPNs actually contain malware, many VPNs suffered from major security lapses, and many free VPN services that claimed to protect privacy are secretly selling user data to third parties."
Government

20 US States Want to Stop the Posting of Blueprints For 3D-Printed Guns (abc7ny.com) 382

An anonymous reader quotes the Associated Press: Attorneys general in 20 states and the District of Columbia filed a lawsuit Thursday challenging a federal regulation that could allow blueprints for making guns on 3D printers to be posted on the internet.

New York Attorney General Tish James, who helped lead the coalition of state attorneys general, argued that posting the blueprints would allow anyone to go online and use the downloadable files to create unregistered and untraceable assault-style weapons that could be difficult to detect... Proponents have argued there is a constitutional right to publish the material, but critics counter that making the blueprints readily accessible online could lead to an increase in gun violence and put weapons in the hands of criminals who are legally prohibited from owning them... For years, law enforcement officials have been trying to draw attention to the dangers posed by the so-called ghost guns, which contain no registration numbers that could be used to trace them.

The Courts

Theranos' Elizabeth Holmes Represents Herself at Trial After Lawyers Say She Stiffed Them (mercurynews.com) 99

McGruber quotes the Mercury News:
In her regular attendance at the San Jose federal courthouse for hearings in her high-stakes criminal fraud case, Theranos founder Elizabeth Holmes has been flanked by expensive lawyers. But in an Arizona civil case, she took part in a hearing this week representing herself, and by phone, according to a report Friday.

Holmes has seven lawyers preparing for the August trial start in her criminal case in U.S. District Court, and fighting federal prosecutors over evidence. In the Arizona case — a lawsuit filed by blood-testing customers against Holmes, the defunct Palo Alto startup Theranos, and drug store chain Walgreens — court records earlier this month indicated she had two lawyers defending her. That was after three attorneys representing her in that case quit in the fall, saying she hadn't paid them for more than a year and probably never would. Now, the court docket shows Holmes representing herself in the civil case.

And, according to a Bloomberg report, she didn't appear at a hearing in that case Thursday, instead calling in to the courtroom via an audio feed. She told the judge she wouldn't make any arguments, but would rely on arguments made by lawyers for the other defendants in the case, Bloomberg reported Friday, citing an unnamed lawyer said to be present at the proceedings.

Legal experts say Holmes faces considerable financial peril from the legal actions against her, with legal fees on top of possible restitution for investors, fines and a prison sentence.
