×
AI

What Happened When California's State Government Examined the Risks and Benefits of AI? (msn.com) 80

An anonymous reader shared this report from the Los Angeles Times: AI that can generate text, images and other content could help improve state programs but also poses risks, according to a report released by the governor's office on Tuesday. Generative AI could help quickly translate government materials into multiple languages, analyze tax claims to detect fraud, summarize public comments and answer questions about state services. Still, deploying the technology, the analysis warned, also comes with concerns around data privacy, misinformation, equity and bias. "When used ethically and transparently, GenAI has the potential to dramatically improve service delivery outcomes and increase access to and utilization of government programs," the report stated...

AI advancements could benefit California's economy. The state is home to 35 of the world's 50 top AI companies and data from Pitchfork says the GenAI market could reach $42.6 billion in 2023, the report said. Some of the risks outlined in the report include spreading false information, giving consumers dangerous medical advice and enabling the creation of harmful chemicals and nuclear weapons. Data breaches, privacy and bias are also top concerns along with whether AI will take away jobs. "Given these risks, the use of GenAI technology should always be evaluated to determine if this tool is necessary and beneficial to solve a problem compared to the status quo," the report said.

Facebook

Meta Knowingly Collected Data on Pre-Teens, Unredacted Evidence From Lawsuit Shows (msn.com) 56

The New York Times reports: Meta has received more than 1.1 million reports of users under the age of 13 on its Instagram platform since early 2019 yet it "disabled only a fraction" of those accounts, according to a newly unsealed legal complaint against the company brought by the attorneys general of 33 states.

Instead, the social media giant "routinely continued to collect" children's personal information, like their locations and email addresses, without parental permission, in violation of a federal children's privacy law, according to the court filing. Meta could face hundreds of millions of dollars, or more, in civil penalties should the states prove the allegations. "Within the company, Meta's actual knowledge that millions of Instagram users are under the age of 13 is an open secret that is routinely documented, rigorously analyzed and confirmed," the complaint said, "and zealously protected from disclosure to the public...."

It also accused Meta executives of publicly stating in congressional testimony that the company's age-checking process was effective and that the company removed underage accounts when it learned of them — even as the executives knew there were millions of underage users on Instagram... The lawsuit argues that Meta elected not to build systems to effectively detect and exclude such underage users because it viewed children as a crucial demographic — the next generation of users — that the company needed to capture to assure continued growth.

More from the Wall Street Journal: An internal 2020 Meta presentation shows that the company sought to engineer its products to capitalize on the parts of youth psychology that render teens "predisposed to impulse, peer pressure, and potentially harmful risky behavior," the filings show... "Teens are insatiable when it comes to 'feel good' dopamine effects," the Meta presentation shows, according to the unredacted filing, describing the company's existing product as already well-suited to providing the sort of stimuli that trigger the potent neurotransmitter. "And every time one of our teen users finds something unexpected their brains deliver them a dopamine hit...."

"In December 2017, an Instagram employee indicated that Meta had a method to ascertain young users' ages but advised that 'you probably don't want to open this pandora's box' regarding age verification improvements," the states say in the suit. Some senior executives raised the possibility that cracking down on underage usage could hurt Meta's business... The states say Meta made little progress on automated detection systems or adequately staffing the team that reviewed user reports of underage activity. "Meta at times has a backlog of 2-2.5 million under-13 accounts awaiting action," according to the complaint...

The unredacted material also includes allegations that Meta Chief Executive Mark Zuckerberg instructed his subordinates to give priority to boosting its platforms' usage above the well being of users... Zuckerberg also repeatedly dismissed warnings from senior company officials that its flagship social-media platforms were harming young users, according to unsealed allegations in a lawsuit filed by Massachusetts earlier this month...

The complaint cites numerous other executives making public claims that were allegedly contradicted by internal documents. While Meta's head of global safety, Antigone Davis, told Congress that the company didn't consider profitability when designing products for teens, a 2018 internal email stated that product teams should keep in mind that "The lifetime value of a 13 y/o teen is roughly $270" when making product decisions.

Piracy

File-Sharing Giant Uloz Bans File-Sharing Citing EU's Digital Services Act 12

TorrentFreak: File-sharing and hosting giant Uloz has announced a radical change to its business model. The Czech site has been under fire for some time and was recently branded a 'notorious market' by the MPA. However, Uloz says that an imminent ban on file-sharing in favor of a private, cloud-based storage model, is due to the strict conditions imposed by the EU's Digital Services Act.
The Courts

Dbrand is Suing Casetify For Ripping Off Its Teardown Designs (theverge.com) 22

New submitter Kiddo 9000 writes: Dbrand, a company known best for making cases for phones, game consoles, and laptops, has filed a lawsuit against case manufacturer CASETiFY over their "Inside Out" case lineup. Dbrand alleges that CASETiFY copied the designs from their Teardown skins and put them on their own products without permission. In a video published by JerryRigEverything, several easter eggs placed in the Teardown skins were found in the CASETiFY designs, alongside numerous tweaks and layout changes, and even Dbrand's logo.
Patents

Lenovo Seeks Halt of Asus Laptop Sales Over Alleged Patent Infringement (arstechnica.com) 20

Lenovo has filed a lawsuit against Asus, claiming that the company's laptops infringe on four of their patents. "Lenovo is seeking damages and for Asus to stop selling Zenbook laptops and other allegedly infringing products in the U.S.," reports Ars Technica. From the report: The lawsuit [PDF] centers on four patents. The first, entitled "Methods and apparatus for transmitting in resource blocks" was issued in 2021 and relates to minimizing the delay experienced during an uplink package transmission by reducing the number of steps for a wireless device to upload data. Lenovo's lawsuit, which uses Asus' Zenbook Pro 14 OLED (UX6404) as an example of an allegedly infringing product, also claims Asus is selling laptops that violate the wireless wake-on-LAN power management patent issued to Lenovo in 2010.

Another patent Lenovo is suing over was issued in 2010 and entitled "Touchpad diagonal scrolling." It allows users to "initiate a diagonal scroll at any location on a touchpad by using two fingers," the lawsuit says. Finally, Lenovo is upset about Asus' purported infringing of its "Dual shaft hinge with angle timing shaft mechanism" patent rewarded in 2014. Lenovo describes it as a hinge block enabling 2-in-1 laptops to go from clamshell mode to tablet mode. For this accused patent infringement, Lenovo's lawsuit points to Asus' Zenbook Flip 14 UX461, which Asus advertises as having a 360-degree "ErgoLift" hinge that "lifts and tilts the keyboard into the perfect typing position when the display is rotated into laptop mode."

As noted by The Register today, in a letter to the ITC dated November 15 [PDF], Lenovo said it wants Asus to "cease and desist from marketing, advertising, distributing, offering for sale, selling, or otherwise transferring, including the movement or shipment of inventory" products that infringe upon the four patents in question. In a further dig, Lenovo added that a limited exclusion order wouldn't harm US consumers or competition, due to Asus' smaller market share. According to the IDC, Asus represented about 7.1 percent of the PC market (which includes laptops and desktops) in Q3 2023. Lenovo led at 23.5 percent.

The Courts

Robocar Tech Biz Sues Nvidia, Claims Stolen Code Shared In Teams Meeting Blunder (theregister.com) 25

Dan Robinson reports via The Register: Nvidia is facing legal action in the U.S. for theft of trade secrets from a German automotive company, which alleges its ex-employee made an epic blunder of showing something he shouldn't have when minimizing a Powerpoint slide at a joint Microsoft Teams meeting both companies were attending. The automotive firm, Valeo Schalter und Sensoren, claims the flashing of its source code for the assisted parking app on the call is evidence to support its accusations that the ex-staffer stole the IP before leaving to join Nvidia. The two tech companies were both on the call as they were each suppliers on contract for a parking and driving assistance project with a major automotive OEM that was not named in the suit. Under the terms of the contract with the OEM, the suit states, engineers from both Valeo and Nvidia had to schedule collaboration meetings so that "Nvidia employees could ask Valeo employees questions about Valeo's ultrasonic hardware and data associated with the hardware."

The complaint [PDF], filed by Valeo in the US District Court for Northern California, goes on to allege misappropriation of trade secrets by Nvidia, through which the company claims the GPU-maker attempted to take a shortcut into the automotive marketplace by using its stolen software. Nvidia is a relative newcomer to the automotive market, introducing its Nvidia Drive platform at the CES trade show in 2015. Valeo says that it only discovered the theft during a conference call on March 8, 2022 between its engineers and those of Nvidia to collaborate on work for an automotive OEM, a customer of both companies. Valeo develops automotive hardware such as cameras and sensors, in addition to software to processes the data from the hardware. The court filing states that Valeo previously provided the OEM in question with both hardware and software for its autonomous vehicle technology, but in this instance, it asked Valeo to provide ultrasonic hardware only. For the software side, the OEM instead chose Nvidia. One of the Nvidia engineers on the call, named as Mohammad Moniruzzaman, was a former employee of Valeo, and during the call, made using Microsoft's Teams software, he shared his screen in order to give a presentation containing questions for the Valeo participants.

Yet also visible on his screen after the presentation finished - or so the complaint alleges - was a window of source code, which the Valeo participants recognized as belonging to their company. According to the filing, one of the Valeo engineers succeeded in capturing a screenshot as evidence. According to Valeo, the source code file names that were allegedly visible in the screenshot were identical to those used in its source code, and it also claims the source code appeared to be identical to proprietary code maintained in Valeo's repositories. The company says in the suit that it then conducted a comprehensive internal forensic IT audit, and alleges it discovered that Moniruzzaman had copied four repositories containing the code for Valeo's parking and driving assistance software, prior to leaving the company in May 2021. [...] The claim is that Valeo's source code and documentation has been used in the development of Nvidia's software, and this provided the GPU giant and its engineers with a shortcut in the development of its parking assistance code, saving Nvidia perhaps hundreds of millions of dollars in development costs.

According to the court filing, Nvidia said it removed Moniruzzaman's additions to its code. However, those additions underwent "a peer review process of 10-30 iterations of feedback loops" before the code was fully merged into Nvidia's database. Valeo contends that this process of extensive edits by others means it is not realistic that Nvidia could have fully remove Moniruzzaman's contributions. Valeo claims it has suffered competitive harm as a result of Nvidia's action and as a result is seeking damages, to be determined at trial, as well as an injunction prohibiting Nvidia or its employees from using or disclosing Valeo's trade secrets. A date for jury trial has yet to be announced.

Canada

Third-Party Data Breach Affecting Canadian Government Could Involve Data From 1999 (theregister.com) 4

Connor Jones reports via The Register: The government of Canada has confirmed its data was accessed after two of its third-party service providers were attacked. The third parties both provided relocation services for public sector workers and the government is currently analyzing a "significant volume of data" which could date back to 1999. No formal conclusions have yet been made about the number of workers impacted due to the large-scale task of analyzing the relevant data. However, the servers impacted by the breach held data related to current and former Canadian government staff, members of the Canadian armed forces, and Royal Canadian Mounted Police workers -- aka Mounties.

"At this time, given the significant volume of data being assessed, we cannot yet identify specific individuals impacted; however, preliminary information indicates that breached information could belong to anyone who has used relocation services as early as 1999 and may include any personal and financial information that employees provided to the companies," a government statement read. Those who think they may be affected are advised to update any login details that may be similar to those used to access BGRS or Sirva's systems. Enabling MFA across all accounts that are used for online transactions is also advised, as is the manual monitoring of personal accounts for any potential malicious activity. Work is currently being carried out to identify and address any vulnerabilities that may have led to the incident, according to the statement.

Privacy

CEO Reminds Everyone His Company Collects Customers' Sleep Data (404media.co) 46

An anonymous reader quotes a report from 404 Media: Matteo Franceschetti, the CEO of Eight Sleep, which makes the $2,295 smart mattress topper "The Pod" tweeted: "Breaking news: The OpenAI drama is real. We checked our data and last night, SF saw a spike in low-quality sleep. There was a 27 percent increase in people getting under 5 hours of sleep. We need to fix this. Source: @eightsleep data." Franceschetti's tweet reminds us that The Pod is essentially a mattress with both a privacy policy and a terms of service, and that the data Eight Sleep collects about its users can and is used to further its business goals. It's also a reminder that many apps, smart devices, and apps for smart devices collect a huge amount of user data that they can then directly monetize or deploy for marketing or Twitter virality purposes whenever they feel like it.

The Pod does "intelligent cooling and heating for any bed," and learns and adjusts the temperature of the bed based on your sleep habits, tracks your sleep and vital signs while you sleep, and gives you a "Sleep Fitness Score" based on your quality, routine, and time of sleep. As someone who often does not sleep well, The Pod is a compelling product that I cannot currently afford. Quickly, to get it out of the way: Eight Sleep's data does not and cannot actually show that "San Francisco" had a spike in low-quality sleep. What it shows is that people in San Francisco who have purchased a $2,295 smart mattress topper and have not successfully opted out of Eight Sleep's analytics -- a group that surely overindexes on tech workers -- slept less Sunday night.

The top of Eight Sleep's terms of service states "At Eight Sleep we pledge to respect your privacy and to keep your data safe. We only collect data that helps us improve our products and services." Both Eight Sleep's privacy policy and terms of service then go on to note that the company collects a huge amount of data that can be used for a wide variety of purposes, including marketing, retargeting, and scientific studies. It can also, apparently, be used by the CEO for commenting on the day's tech news. Specifically, the company notes that "data about your sleep activity is transferred from your Device to our servers" every time the Pod's app syncs with the Pod. Certain features on the device also require location data "including GPS signals, device sensors, Wi-Fi access points, and cell tower IDs." This data is then used to give users personalized sleep recommendations, but they are also "used in research to understand and improve the Eight Device and Eight Service," "to enforce the Eight Terms of Service," and, critically, "de-identified data that does not identify you may be used to inform the health and scientific community about trends; for marketing and promotional use; or for sale to interested audiences." The terms of service add that it "may share or sell" this data.

The Courts

Sarah Silverman Hits Stumbling Block in AI Copyright Infringement Lawsuit Against Meta (hollywoodreporter.com) 93

Winston Cho writes via The Hollywood Reporter: A federal judge has dismissed most of Sarah Silverman's lawsuit against Meta over the unauthorized use of authors' copyrighted books to train its generative artificial intelligence model, marking the second ruling from a court siding with AI firms on novel intellectual property questions presented in the legal battle. U.S. District Judge Vince Chhabria on Monday offered a full-throated denial of one of the authors' core theories that Meta's AI system is itself an infringing derivative work made possible only by information extracted from copyrighted material. "This is nonsensical," he wrote in the order. "There is no way to understand the LLaMA models themselves as a recasting or adaptation of any of the plaintiffs' books."

Another of Silverman's arguments that every result produced by Meta's AI tools constitutes copyright infringement was dismissed because she didn't offer evidence that any of the outputs "could be understood as recasting, transforming, or adapting the plaintiffs' books." Chhabria gave her lawyers a chance to replead the claim, along with five others that weren't allowed to advance. Notably, Meta didn't move to dismiss the allegation that the copying of books for purposes of training its AI model rises to the level of copyright infringement.
In July, Silverman and two authors filed a class action lawsuit against Meta and OpenAI for allegedly using their content without permission to train AI language models.
Crime

North Koreans Use Fake Names, Scripts To Land Remote IT Work For Cash 60

Using fake names, sham LinkedIn profiles, counterfeit work papers and mock interview scripts, North Korean IT workers seeking employment in Western tech companies are deploying sophisticated subterfuge to get hired. From a report: Landing a job outside North Korea to secretly earn hard currency for the isolated country demands highly-developed strategies to convince Western hiring managers, according to documents reviewed by Reuters, an interview with a former North Korean IT worker and cybersecurity researchers. North Korea has dispatched thousands of IT workers overseas, an effort that has accelerated in the last four years, to bring in millions to finance Pyongyang's nuclear missile programme, according to the United States, South Korea, and the United Nations.

"People are free to express ideas and opinions," reads one interview script used by North Korean software developers that offers suggestions for how to describe a "good corporate culture" when asked. Expressing one's thoughts freely could be met with imprisonment in North Korea. The scripts totalling 30 pages, were unearthed by researchers at Palo Alto Networks, a U.S. cybersecurity firm which discovered a cache of internal documents online that detail the workings of North Korea's remote IT workforce. The documents contain dozens of fraudulent resumes, online profiles, interview notes, and forged identities that North Korean workers used to apply for jobs in software development.
Encryption

Sunbird is Shutting Down Its iMessage App for Android (theverge.com) 12

Sunbird, the app that brings iMessage to Android, has temporarily shut down the service over "security concerns." From a report: In a notice to users, Sunbird says it has "decided to pause Sunbird usage for now" while it investigates reports that its messages aren't actually end-to-end encrypted. Sunbird launched in 2022 as a messaging app that attempts to put the blue versus green bubble battle to rest. It has only been available to those who sign up for its waitlist, touting numerous privacy features, like end-to-end encryption, no message data collection, and no ads.

Last week, Sunbird partnered with Nothing, the phone brand owned by OnePlus co-founder Carl Pei, on the launch of Nothing Chats. The Sunbird-powered messaging service is supposed to let owners of the Phone 2 send texts via iMessage, but it was pulled from the Google Play Store just one day after its launch. At the time, Nothing said it had to fix "several bugs" within the app. However, its removal from the Play Store came around the same time a post from Texts.blog revealed that messages sent via Sunbird may not be end-to-end encrypted.

United States

Secretive White House Surveillance Program Gives Cops Access To Trillions of US Phone Records (wired.com) 104

An anonymous reader quotes a report from Wired: A little-known surveillance program tracks more than a trillion domestic phone records within the United States each year, according to a letter WIRED obtained that was sent by US senator Ron Wyden to the Department of Justice (DOJ) on Sunday, challenging the program's legality. According to the letter, a surveillance program now known as Data Analytical Services (DAS) has for more than a decade allowed federal, state, and local law enforcement agencies to mine the details of Americans' calls, analyzing the phone records of countless people who are not suspected of any crime, including victims. Using a technique known as chain analysis, the program targets not only those in direct phone contact with a criminal suspect but anyone with whom those individuals have been in contact as well.

The DAS program, formerly known as Hemisphere, is run in coordination with the telecom giant AT&T, which captures and conducts analysis of US call records for law enforcement agencies, from local police and sheriffs' departments to US customs offices and postal inspectors across the country, according to a White House memo reviewed by WIRED. Records show that the White House has, for the past decade, provided more than $6 million to the program, which allows the targeting of the records of any calls that use AT&T's infrastructure -- a maze of routers and switches that crisscross the United States. In a letter to US attorney general Merrick Garland on Sunday, Wyden wrote that he had "serious concerns about the legality" of the DAS program, adding that "troubling information" he'd received "would justifiably outrage many Americans and other members of Congress." That information, which Wyden says the DOJ confidentially provided to him, is considered "sensitive but unclassified" by the US government, meaning that while it poses no risk to national security, federal officials, like Wyden, are forbidden from disclosing it to the public, according to the senator's letter.
AT&T spokesperson Kim Hart Jonson said only that the company is required by law to comply with a lawful subpoena. However, "there is no law requiring AT&T to store decades' worth of Americans' call records for law enforcement purposes," notes Wired. "Documents reviewed by WIRED show that AT&T officials have attended law enforcement conferences in Texas as recently as 2018 to train police officials on how best to utilize AT&T's voluntary, albeit revenue-generating, assistance."

"The collection of call record data under DAS is not wiretapping, which on US soil requires a warrant based on probable cause. Call records stored by AT&T do not include recordings of any conversations. Instead, the records include a range of identifying information, such as the caller and recipient's names, phone numbers, and the dates and times they placed calls, for six months or more at a time." It's unclear exactly how far back the call records accessible under DAS go, although a slide deck released under the Freedom of Information Act in 2014 states that they can be queried for up to 10 years.
Firefox

Firefox 120 Ready With Global Privacy Control, WebAssembly GC On By Default (phoronix.com) 32

Firefox 120 will be available tomorrow, bringing support for the Global Privacy Control "Sec-GPC" request header to indicate whether a user consents to a website or service selling or sharing their personal information with third parties. It's also enabling the WebAssembly GC extension by default, opening up new languages like Dart and Kotlin to run in the browser. Phoronix's Michael Larabel highlights some of the other features included in this release: - Ubuntu Linux users now have the ability to import data from Chromium when both are installed as Snap packages. - Picture-in-Picture mode now supports corner snapping on Windows and Linux.
- Support for the light-dark() CSS color function that allows setting of colors for both light and dark without needing to use the prefers-color-scheme media feature. This allows conveniently specifying the preferred light color theme value followed by the dark color theme value.
- CSS support for the lh and rlh line height units.

The Almighty Buck

Venmo, Cash App Users Sue Apple Over Peer-To-Peer Payment Fees (reuters.com) 24

An anonymous reader quotes a report from Reuters: Apple has been sued by Venmo and Cash App customers in a proposed class action claiming the iPhone maker abused its market power to curb competition for mobile peer-to-peer payments, causing consumers to pay "rapidly inflating prices." Four consumers in New York, Hawaii, South Carolina and Georgia filed the lawsuit (PDF) on Friday in San Jose, California, federal court. They alleged Apple violated U.S. antitrust law through its agreements with PayPal's Venmo and Block's Cash App.

Apple's agreements limit "feature competition" within peer-to-peer payment apps, including prohibiting existing or new platforms from using "decentralized cryptocurrency technology," the complaint said. The lawsuit seeks an injunction that could force Apple to divest or segregate its Apple Cash business.

Cellphones

FCC Tightens Telco Rules To Combat SIM-Swapping (securityweek.com) 21

An anonymous reader quotes a report from SecurityWeek: Moving to clamp down on the growing scourge of SIM-swapping and port-out fraud, the Federal Communications Commission (FCC) has unveiled new rules mandating telcos to give consumers greater control of their mobile phone accounts. Under the new rules, wireless carriers are required to notify customers of any SIM transfer requests, a measure designed to thwart fraudulent attempts by cybercriminals. The FCC has also revised its customer proprietary network information and local number portability rules, making it more challenging for scammers to access sensitive subscriber information.

The new protective measures (PDF) are meant to address SIM-swapping and port-out attacks widely documented in cybercriminal attacks against businesses and consumers. The attack technique is used to hijack mobile accounts, change and steal passwords, bypass MFA roadblocks and raid bank accounts. Studies have found that major mobile carriers in the US are vulnerable to SIM-swapping with the Federal Bureau of Investigation (FBI) receiving thousands of consumer complaints every year.

Databases

Online Atrocity Database Exposed Thousands of Vulnerable People In Congo (theintercept.com) 6

An anonymous reader quotes a report from The Intercept: A joint project of Human Rights Watch and New York University to document human rights abuses in the Democratic Republic of the Congo has been taken offline after exposing the identities of thousands of vulnerable people, including survivors of mass killings and sexual assaults. The Kivu Security Tracker is a "data-centric crisis map" of atrocities in eastern Congo that has been used by policymakers, academics, journalists, and activists to "better understand trends, causes of insecurity and serious violations of international human rights and humanitarian law," according to the deactivated site. This includes massacres, murders, rapes, and violence against activists and medical personnel by state security forces and armed groups, the site said. But the KST's lax security protocols appear to have accidentally doxxed up to 8,000 people, including activists, sexual assault survivors, United Nations staff, Congolese government officials, local journalists, and victims of attacks, an Intercept analysis found. Hundreds of documents -- including 165 spreadsheets -- that were on a public server contained the names, locations, phone numbers, and organizational affiliations of those sources, as well as sensitive information about some 17,000 "security incidents," such as mass killings, torture, and attacks on peaceful protesters.

The data was available via KST's main website, and anyone with an internet connection could access it. The information appears to have been publicly available on the internet for more than four years. [...] The spreadsheets, along with the main KST website, were taken offline on October 28, after investigative journalist Robert Flummerfelt, one of the authors of this story, discovered the leak and informed Human Rights Watch and New York University's Center on International Cooperation. HRW subsequently assembled what one source close to the project described as a "crisis team." Last week, HRW and NYU's Congo Research Group, the entity within the Center on International Cooperation that maintains the KST website, issued a statement that announced the takedown and referred in vague terms to "a security vulnerability in its database," adding, "Our organizations are reviewing the security and privacy of our data and website, including how we gather and store information and our research methodology." The statement made no mention of publicly exposing the identities of sources who provided information on a confidential basis. [...] The Intercept has not found any instances of individuals affected by the security failures, but it's currently unknown if any of the thousands of people involved were harmed.
"We deeply regret the security vulnerability in the KST database and share concerns about the wider security implications," Human Rights Watch's chief communications officer, Mei Fong, told The Intercept. Fong said in an email that the organization is "treating the data vulnerability in the KST database, and concerns around research methodology on the KST project, with the utmost seriousness." Fong added, "Human Rights Watch did not set up or manage the KST website. We are working with our partners to support an investigation to establish how many people -- other than the limited number we are so far aware of -- may have accessed the KST data, what risks this may pose to others, and next steps. The security and confidentiality of those affected is our primary concern."
Canada

Canada Court Overturns Government Ruling That Some Plastics Are Toxic (reuters.com) 35

A court in Canada struck down a regulation classifying some plastic products as toxic, "a ruling that could hurt a push by Ottawa to ban single-use plastic items like bags, straws and forks." From the report: A ban on manufacturing and importing "harmful" single-use plastics came into effect last December after the federal government formally drew up a order that added them to a list of toxic items. But the Federal Court in Ottawa overturned that decision, calling the listing "unreasonable and unconstitutional." The case was brought by plastics manufacturers such as Dow Inc as well as Imperial Oil.

The office of Environment Minister Stephen Guilbeault said it was considering an appeal. "We strongly believe in taking action to tackle this crisis and keep millions of garbage bags worth of trash off our beaches, out of our waters, and away from nature," spokeswoman Kaitlin Power said in a statement.

Privacy

Prison Phone Company Leaked 600,000 Users' Data and Didn't Notify Them (arstechnica.com) 45

An anonymous reader quotes a report from Ars Technica: Prison phone company Global Tel*Link leaked the personal information of nearly 650,000 users and failed to notify most of the users that their personal data was exposed, the Federal Trade Commission said today. The company agreed to a settlement that requires it to change its security practices and offer free credit monitoring and identity protection to affected users, but the settlement doesn't include a fine. "Global Tel*Link and two of its subsidiaries failed to implement adequate security safeguards to protect personal information they collect from users of its services, which enabled bad actors to gain access to unencrypted personal information stored in the cloud and used for testing," the FTC said.

A security researcher notified Global Tel*Link of the breach on August 13, 2020, according to the FTC's complaint (PDF). This happened just after "the company and a third-party vendor copied a large volume of sensitive, unencrypted personal information about nearly 650,000 real users of its products and services into the cloud but failed to take adequate steps to protect the data," the FTC said. The data was copied to an Amazon Web Services test environment to test a new version of a search software product. For about two days, the data was in the test environment and "accessible via the Internet without password protection or other access controls," the FTC said. After hearing from the security researcher, Global Tel*Link reconfigured the test environment to cut off public access. But a few weeks later, the firm was notified by an identity monitoring vendor that the data was available on the dark web. Global Tel*Link didn't notify any users until May 2021, and even then, it only notified a subset of them, according to the FTC. [...]

The complaint said that Global Tel*Link violated the Federal Trade Commission Act's section on unfair or deceptive acts or practices and charged the firm with unfair data security practices, unfair failure to notify affected consumers of the incident, misrepresentations regarding data security, misrepresentations to individual users regarding the incident, misrepresentations to individual users regarding notice, and deceptive representations to prison facilities regarding the incident. To settle the charges, the company agreed to new security protocols, including "'change management' measures to all of its systems to help reduce the risk of human error, use of multifactor authentication, and procedures to minimize the amount of data it collects and stores," the FTC said. Global Tel*Link also has to notify the affected users who were not previously notified of the breach and provide them with credit monitoring and identity protection products. The product must include $1,000,000 worth of identity theft insurance to cover costs related to identity theft or fraud. The company must also notify consumers and prison facilities within 30 days of future data breaches and notify the FTC of the incidents, the agency said. Violations of the settlement could result in fines of $50,120 for each violation, the FTC said.

Android

Children's Tablet Has Malware and Exposes Kids' Data, Researcher Finds (techcrunch.com) 37

An anonymous reader shares a report: In May this year, Alexis Hancock's daughter got a children's tablet for her birthday. Being a security researcher, Hancock was immediately worried. "I looked at it kind of sideways because I've never heard of Dragon Touch," Hancock told TechCrunch, referring to the tablet's maker. As it turned out, Hancock, who works at the Electronic Frontier Foundation, had good reasons to be concerned. Hancock said she found that the tablet had a slew of security and privacy issues that could have put her daughter's and other children's data at risk.

The Dragon Touch KidzPad Y88X contains traces of a well-known malware, runs a version of Android that was released five years ago, comes pre-loaded with other software that's considered malware and a "potentially unwanted program" because of "its history and extensive system level permissions to download whatever application it wants," and includes an outdated version of an app store designed specifically for kids, according to Hancock's report, which was released on Thursday and seen by TechCrunch ahead of its publication. Hancock said she reached out to Dragon Touch to report these issues, but the company never responded. Dragon Touch did not respond to TechCrunch's questions either.
After TechCrunch reached out to the company, Walmart removed the listing from its website, while Amazon said it's looking into the matter.
Government

FCC Can Now Punish Telecom Providers For Charging Customers More For Less (theverge.com) 75

An anonymous reader quotes a report from The Verge: The Federal Communications Commission has approved (PDF) a new set of rules aiming to prevent "digital discrimination." It means the agency can hold telecom companies accountable for digitally discriminating against customers -- or giving certain communities poorer service (or none at all) based on income level, race, or religion. The new rules come as part of the Biden Administration's 2021 Bipartisan Infrastructure Law, which requires the FCC to develop and adopt anti-digital discrimination rules. "Many of the communities that lack adequate access to broadband today are the same areas that suffer from longstanding patterns of residential segregation and economic disadvantage," FCC Chairwoman Jessica Rosenworcel said following today's vote. "It shows that minority status and income correlate with broadband access."

Under the new rules, the FCC can fine telecom companies for not providing equal connectivity to different communities "without adequate justification," such as financial or technical challenges of building out service in a particular area. The rules are specifically designed to address correlations between household income, race, and internet speed. Last year, a joint report from The Markup and the Associated Press found that AT&T, Verizon, and other internet service providers offer different speeds depending on the neighborhood in cities throughout the US. The report revealed neighborhoods with lower incomes and fewer white people get stuck with slower internet while still having to pay the same price as those with faster speeds. At the time, USTelecom, an organization that represents major telecom providers, blamed the higher price on having to maintain older equipment in certain communities.

The FCC was nearly divided on the new set of rules, as it passed with a 3-2 vote. Critics of the new policy argue the rules are an overextension of the FCC's power. Jonathan Spalter, the CEO of USTelecom, says the FCC is "taking overly intrusive, unworkably vague, and ultimately harmful steps in the wrong direction." Spalter adds the framework "is counter" to Congress' goal of giving customers equal access to the internet. Still, supporters of the new rules believe they can go a long way toward improving fractured broadband coverage throughout the US. The FCC will also establish an "improved" customer portal, where the agency will field and review complaints about digital discrimination. It will take things like broadband deployment, network upgrades, and maintenance across communities into account when evaluating providers for potential rule violations, giving it the authority to hopefully finally address the disparities in internet access throughout the US.

Slashdot Top Deals