AT&T

US Court Demands Documents On AT&T/Police Collaboration (eff.org) 48

"The federal government has not justified its excessive secrecy about the massive telephone surveillance program known as Hemisphere, a court ruled in an EFF Freedom of Information Act lawsuit on Thursday." schwit1 quotes the EFF announcement: As a result, the federal government must submit roughly 260 pages of previously withheld or heavily redacted records to the court so that it can review them and decide whether to make more information about Hemisphere public. Hemisphere is a partnership between AT&T and federal, state, and local law enforcement agencies that allows police almost real-time access to telephone call detail records. The program is both extremely controversial -- AT&T requires police to hide its use from the public -- and appears to violate our First and Fourth Amendment rights.
Government lawyers had argued the disputed documents were restricted to use at the federal level, but the court remained unconvinced, especially "after EFF demonstrated that many of them appeared to have been given to state and local law enforcement."
Encryption

US Congressional Committee Concludes Encryption Backdoors Won't Work (betanews.com) 98

"Any measure that weakens encryption works against the national interest," reports a bipartisan committee in the U.S. Congress. Mark Wilson quotes Beta News: The Congressional Encryption Working Group (EWG) was set up in the wake of the Apple vs FBI case in which the FBI wanted to gain access to the encrypted contents of a shooter's iPhone. The group has just published its end-of-year report summarizing months of meetings, analysis and debate. The report makes four key observations, starting off with: "Any measure that weakens encryption works against the national interest".

This is certainly not a new argument against encryption backdoors for the likes of the FBI, but it is an important one... The group says: "Congress should not weaken this vital technology... Cryptography experts and information security professionals believe that it is exceedingly difficult and impractical, if not impossible, to devise and implement a system that gives law enforcement exceptional access to encrypted data without also compromising security against hackers, industrial spies, and other malicious actors..."

The report recommends that instead, Congress "should foster cooperation between the law enforcement community and technology companies," adding "there is already substantial cooperation between the private sector and law enforcement." [PDF] It also suggests that analyzing the metadata from "our digital 'footprints'...could play a role in filling in the gap. The technology community leverages this information every day to improve services and target advertisements. There appears to be an opportunity for law enforcement to better leverage this information in criminal investigations."
Encryption

U2F Security Keys May Be the World's Best Hope Against Account Takeovers (arstechnica.com) 162

earlytime writes: Large-scale account hacks such as the billion-user Yahoo breach and targeted phishing hacks of Gmail accounts during the U.S. election have made 2016 an infamous year for web security. Along comes U2F/web-security keys to address these issues at a critical time. Ars Technica reports that U2F keys "may be the world's best hope against account takeovers": "The Security Keys are based on Universal Second Factor, an open standard that's easy for end users to use and straightforward for engineers to stitch into hardware and websites. When plugged into a standard USB port, the keys provide a 'cryptographic assertion' that's just about impossible for attackers to guess or phish. Accounts can require that cryptographic key in addition to a normal user password when users log in. Google, Dropbox, GitHub, and other sites have already implemented the standard into their platforms. After more than two years of public implementation and internal study, Google security architects have declared Security Keys their preferred form of two-factor authentication. The architects based their assessment on the ease of using and deploying keys, the security it provided against phishing and other types of password attacks, and the lack of privacy trade-offs that accompany some other forms of two-factor authentication."

The researchers wrote in a recently published report: "We have shipped support for Security Keys in the Chrome browser, have deployed it within Google's internal sign-in system, and have enabled Security Keys as an available second factor in Google's Web services. In this work, we demonstrate that Security Keys lead to both an increased level of security and user satisfaction as well as cheaper support cost."
IOS

BitTorrent Live's 'Cable Killer' P2P Video App Finally Hits iOS (techcrunch.com) 37

An anonymous reader quotes a report from TechCrunch: BitTorrent has now done for live video what it did for file downloads: invented peer-to-peer technology that moves the burden of data transfer from a centralized source to the crowd. Instead of cables and satellites, BitTorrent piggybacks on the internet bandwidth of its users. Since P2P live streaming is so much cheaper than traditional ways to deliver live content, BitTorrent could pay channel owners more for distribution per viewer. And BitTorrent can offer that content to viewers for free or much cheaper than a cable subscription. The transfer technology and the app that aggregates these channels are both called BitTorrent Live. Now, almost a year after the protocol's debut on smart TVs, and six months after it was supposed to arrive on iPhone, the BitTorrent Live app quietly became available on iOS this week. Until now it's only existed on Mac, Apple TV and Amazon Fire TV -- much less popular platforms. And that's after being in development since 2009. The app features 15 channels, including NASA TV, France One, QVC Home and TWiT (This Week In Tech) that you can watch live. The latency is roughly 10 seconds, which could be faster than terrestrial cable, as well as systems like Sling TV that can delay content more than a minute. The problem right now is that BitTorrent Live has a pretty lackluster channel selection. It's still working on striking deals with more name-brand channels. It could offer some for pay-per-view, but cheaper than the same content on traditional TV due to the reduced broadcasting costs.
Government

US Government Begins Asking Foreign Travelers About Social Media (politico.com) 121

schwit1 quotes a report from Politico: Since Tuesday, foreign travelers arriving in the United States on the visa waiver program have been presented with an "optional" request to "enter information associated with your online presence," a government official confirmed Thursday. The prompt includes a drop-down menu that lists platforms including Facebook, Google+, Instagram, LinkedIn and YouTube, as well as a space for users to input their account names on those sites. The new policy comes as Washington tries to improve its ability to spot and deny entry to individuals who have ties to terrorist groups like the Islamic State. But the government has faced a barrage of criticism since it first floated the idea last summer. The Internet Association, which represents companies including Facebook, Google and Twitter, at the time joined with consumer advocates to argue the draft policy threatened free expression and posed new privacy and security risks to foreigners. Now that it is final, those opponents are furious the Obama administration ignored their concerns. The question itself is included in what's known as the Electronic System for Travel Authorization, a process that certain foreign travelers must complete to come to the United States. ESTA and a related paper form specifically apply to those arriving here through the visa-waiver program, which allows citizens of 38 countries to travel and stay in the United States for up to 90 days without a visa. "There are very few rules about how that information is being collected, maintained [and] disseminated to other agencies, and there are no guidelines about limiting the government's use of that information," said Michael W. Macleod-Ball, chief of staff for the American Civil Liberties Union's Washington office. "While the government certainly has a right to collect some information... It would be nice if they would focus on the privacy concerns some advocacy groups have long expressed."
China

FBI Probes FDIC Hack Linked To China's Military: Reuters (reuters.com) 22

An anonymous reader quotes a report from Reuters: The FBI is investigating how hackers infiltrated computers at the Federal Deposit Insurance Corporation for several years beginning in 2010 in a breach senior FDIC officials believe was sponsored by China's military, people with knowledge of the matter said. The security breach, in which hackers gained access to dozens of computers including the workstation for former FDIC Chairwoman Sheila Bair, has also been the target of a probe by a congressional committee. The FDIC is one of three federal agencies that regulate commercial banks in the United States. It oversees confidential plans for how big banks would handle bankruptcy and has access to records on millions of individual American deposits. Last month, the banking regulator allowed congressional staff to view internal communications between senior FDIC officials related to the hacking, two people who took part in the review said. In the exchanges, the officials referred to the attacks as having been carried out by Chinese military-sponsored hackers, they said. The staff was not allowed to keep copies of the exchanges, which did not explain why the FDIC officials believe the Chinese military was behind the breach. After FDIC staff discovered the hack in 2010, it persisted into the next year and possibly later, with staff working at least through 2012 to verify the hackers were expunged, according to a 2013 internal probe conducted by the FDIC's inspector general, an internal watchdog. The intrusion is part of a series of cybersecurity lapses at the FDIC in recent years that continued even after the hack suspected to be linked to Beijing. This year, the FDIC has reported to Congress at least seven cybersecurity incidents it considered to be major which occurred in 2015 or 2016.
Encryption

Russian Authorities Are Trying To Unlock iPhone 4S From Russian Ambassador's Killer (techcrunch.com) 106

The off-duty police officer who killed the Russian ambassador in Turkey was shot by Turkish special forces minutes after the crime. He had an iPhone 4S on him, and now, according to Haberturk, Turkish authorities asked for Russia's help to unlock the iPhone. From a report: Given that it's an iPhone 4S and it has a 4-digit passcode, it should be quite easy to unlock the device. There are many solutions out there to do this and authorities don't even need to ask for Apple's help. The iPhone 4S is quite old now and it was a much less secure device. First, the iPhone 4S runs iOS 5 to iOS 9, but many iPhone 4S owners didn't update to recent iOS versions. If the device runs iOS 7 or earlier, getting the content of the device is a piece of cake. The content of the device isn't encrypted as Apple started encrypting all data with iOS 8. Authorities can access this data quite easily. Second, if the iPhone is running iOS 8, remember that the iPhone 4S didn't have a Secure Enclave and Touch ID sensor. The Secure Enclave is a coprocessor that utilizes a secure boot process to make sure that it's uncompromised. It has a secret unique ID not accessible by the rest of the phone, Apple or anyone -- it's like a private key. The phone generates ephemeral keys (think public keys) to talk with the Secure Enclave. They only work with the unique ID to encrypt and decrypt the data on the coprocessor.
IBM

IBM On Track To Get More Than 7,000 US Patents In 2016 (venturebeat.com) 34

IBM wants to put the patent war in perspective. Big Blue said that it is poised to get the most U.S. patents of any tech company for the 24th year in a row. From a report on VentureBeat: In 2015, IBM received more than 7,355 patents, down slightly from 7,534 in 2014. A spokesperson for IBM said the company is on track to receive well over 7,000 patents in 2016. In 2016, IBM is also hitting another interesting milestone, with more than 1,000 patents for artificial intelligence and cognitive computing. IBM has been at it for more than a century, and it is seeking patents in key strategic areas -- such as AI and cognitive computing. In fact, one-third of IBM's researchers are dedicated to cognitive computing. IBM CEO Ginni Rometty said during the World of Watson conference in October that the company expects to reach more than 1 billion consumers via Watson by the end of 2017. (Watson is the supercomputer that beat the world's best Jeopardy player in 2011.)
Piracy

US Government Targets Pirate Bay and Other 'Piracy Havens' (torrentfreak.com) 82

The US Government has listed some of the largest piracy websites and other copyright-infringing venues. The USTR calls on foreign countries to take action against popular piracy sites such as The Pirate Bay, which has important "symbolic value," according to the authorities. In addition, stream-ripping is mentioned as an emerging threat. TorrentFreak adds: The overview is largely based on input from industry groups including the RIAA and MPAA, who submitted their recommendations a few weeks ago. While the USTR admits that the list is not meant to reflect legal violations, the goal of the review is to motivate owners and foreign Governments to take appropriate action and reduce piracy. "The United States encourages all responsible authorities to intensify efforts to combat piracy and counterfeiting, and to use the information contained in the Notorious Markets List to pursue legal actions where appropriate," the USTR announced.
Transportation

Uber Lawsuit Alleges Employees Were Misled On Equity Compensation (techcrunch.com) 39

An Uber employee has filed a lawsuit accusing the company of misleading employees about their equity compensation. Uber "devised a fraudulent scheme to recruit highly sought software engineers," according to the case. From a report on TechCrunch: The lawsuit claims that Uber promised a more tax favorable type of options at the time employees were hired and then later changed the plan. The case alleges that at least 100 others on the Uber staff may have been impacted and that these stock options can potentially be worth "hundreds of millions of dollars" to employees and also save Uber "millions of dollars of tax deductions." The plaintiff, Lenza McElrath, who was previously a lawyer and is now an engineer at Uber, says that he was under the impression that all his shares could be treated as ISOs, which do not require an upfront tax bill. He said he was later given a notice about a change to the exercisability schedule, that effectively turned most of his shares into NSOs, which are taxed at the time they are exercised. While many startups allow their shares to become exercisable over the course of a four-year vesting agreement, Uber has share agreements that become exercisable after just six months. In other words, Uber employees can buy the stock they are entitled to shortly after they gain employment.
Encryption

Leaked Files Reveal Scope of Cellebrite's Smartphone-Cracking Technology (zdnet.com) 37

An anonymous reader quotes a report from ZDNet: Earlier this year, we were sent a series of large, encrypted files purportedly belonging to a U.S. police department as a result of a leak at a law firm, which was insecurely synchronizing its backup systems across the internet without a password. Among the files was a series of phone dumps created by the police department with specialist equipment, which was created by Cellebrite, an Israeli firm that provides phone-cracking technology. We obtained a number of these so-called extraction reports. One of the more interesting reports by far was from an iPhone 5 running iOS 8. The phone's owner didn't use a passcode, meaning the phone was entirely unencrypted. The phone was plugged into a Cellebrite UFED device, which in this case was a dedicated computer in the police department. The police officer carried out a logical extraction, which downloads what's in the phone's memory at the time. (Motherboard has more on how Cellebrite's extraction process works.) In some cases, it also contained data the user had recently deleted. To our knowledge, there are a few sample reports out there floating on the web, but it's rare to see a real-world example of how much data can be siphoned off from a fairly modern device. We're publishing some snippets from the report, with sensitive or identifiable information redacted.
Transportation

Uber Pulls Self-Driving Cars From San Francisco, Sends Them To Arizona (sfgate.com) 150

An anonymous reader quotes a report from SFGate: Uber is moving its self-driving pilot to Arizona, one day after the California Department of Motor Vehicles ordered the autonomous vehicles off the roads in San Francisco. "Our cars departed for Arizona this morning by truck," an Uber spokeswoman said Thursday afternoon in a statement. "We'll be expanding our self-driving pilot there in the next few weeks, and we're excited to have the support of Governor Ducey." After starting its San Francisco pilot on Dec. 14, the ride-hailing company angered the mayor and officials at the DMV by refusing to get a permit to operate its self-driving cars. And so, around noon on Thursday, a fleet of Uber self-driving cars passed through the South of Market area on the backs of several flat-bed trucks. Commuters gawked at the fleet with their distinctive hoods, backing up traffic as the convoy slowly drove by. In a statement Thursday, Arizona Governor Doug Ducey called California's regulations "burdensome" and said Arizona welcomes Uber's self-driving car pilot with "open arms." "While California puts the brakes on innovation and change with more bureaucracy and more regulation, Arizona is paving the way for new technology and new businesses," he said. It is unclear which city -- or cities -- the cars are headed to.
Android

Russians Used Malware On Android Devices To Track and Target Ukraine Artillery, Says Report (reuters.com) 101

schwit1 quotes a report from Reuters: A hacking group linked to the Russian government and high-profile cyber attacks against Democrats during the U.S. presidential election likely used a malware implant on Android devices to track and target Ukrainian artillery units from late 2014 through 2016, according to a new report released Thursday. The malware was able to retrieve communications and some locational data from infected devices, intelligence that would have likely been used to strike against the artillery in support of pro-Russian separatists fighting in eastern Ukraine, the report from cyber security firm CrowdStrike found. The hacking group, known commonly as Fancy Bear or APT 28, is believed by U.S. intelligence officials to work primarily on behalf of the GRU, Russia's military intelligence agency. The implant leveraged a legitimate Android application developed by a Ukrainian artillery officer to process targeting data more quickly, CrowdStrike said. Its deployment "extends Russian cyber capabilities to the front lines of the battlefield," the report said, and "could have facilitated anticipatory awareness of Ukrainian artillery force troop movement, thus providing Russian forces with useful strategic planning information."
Government

Congressional Report Claims Snowden In 'Contact With Russian Intelligence' (cnn.com) 185

An anonymous reader quotes a report from CNN: Edward Snowden has been in contact with Russian intelligence officials since arriving in Russia in 2013, according to a new report from Congress. "Since Snowden's arrival in Moscow, he has had, and continues to have, contact with Russian intelligence services," the 33-page report, issued Thursday by the bipartisan House Permanent Select Committee on Intelligence, said. Snowden, the former National Security Agency contractor who leaked volumes of information on American intelligence and surveillance operations to the media, settled in Moscow after initially traveling to Hong Kong following his 2013 public disclosure of classified information. The Russian government granted asylum to Snowden shortly thereafter. Large portions of the pertinent section, entitled "foreign influence," are redacted, but one paragraph reveals the Russian link, saying that Frants Klintsevich, the deputy chairman of the Russian parliament's defense and security committee, "publicly conceded that 'Snowden did share intelligence' with his government." Snowden immediately took to Twitter following the report's release to dispute the accusations, writing "they claim without evidence that I'm in cahoots with the Russians." The report cites classified material in the section linking Snowden to Russian intelligence. The investigation also noted that Snowden left encrypted hard drives containing classified information in Hong Kong and that the CIA had refused to grant Snowden access to sensitive information years before he began working with the NSA, documenting numerous issues that Snowden had with supervisors and co-workers during his various jobs in the intelligence community.
Businesses

Uber Stops Self-Driving Car Pilot In San Francisco After The DMV Steps In (engadget.com) 151

93 Escort Wagon writes: San Francisco bicyclists can breathe a sigh of relief now that Uber has suspended testing of its autonomous fleet in the city. The company announced the decision after the California Department of Motor Vehicles suspended the registration of the vehicles involved in the testing. Uber remains "100 percent committed to California and will be redoubling our efforts to develop workable statewide rules," the company said. A spokesperson for Uber told Recode, "We are open to having the conversation about applying for a permit, but Uber does not have plans to do so."
Encryption

NIST Asks Public For Help With Quantum-Proof Cryptography (securityledger.com) 138

chicksdaddy quotes a report from The Security Ledger: With functional quantum computers on the (distant?) horizon, the National Institute of Standards and Technology (NIST) is asking the public for help heading off what it calls "a looming threat to information security:" powerful quantum computers capable of breaking even the strongest encryption codes used to protect the privacy of digital information. In a statement Tuesday, NIST asked the public to submit ideas for "post-quantum cryptography" algorithms that will be "less susceptible to a quantum computer's attack." NIST formally announced its quest in a publication on The Federal Register. Dustin Moody, a mathematician at NIST, said the Institute's main focus is developing new public key cryptography algorithms, which are used today to protect both stored and transmitted information. "We're looking to replace three NIST cryptographic standards and guidelines that would be the most vulnerable to quantum computers," Moody said. They are FIPS 186-4, NIST SP 800-56A and NIST SP 800-56B. Researchers have until November 2017 to submit their ideas. After the deadline, NIST will review the submissions. Proposals that meet the "post-quantum crypto" standards set up by NIST will be invited to present their algorithms at an open workshop in early 2018.
Crime

Hotbed of Cybercrime Activity Tracked Down To ISP In Region Where Russia Is Invading Ukraine (bleepingcomputer.com) 70

An anonymous reader writes: Last week, WordPress security firm WordFence revealed it detected over 1.65 million brute-force attacks originating from an ISP in Ukraine that generated more malicious traffic than GoDaddy, OVH, and Rostelecom, put together. A week later, after news of WordFence's findings came to light, Ukrainian users have tracked down the ISP to a company called SKS-Lugan in the city of Alchevs'k, in an area controlled by pro-Russian forces in eastern Ukraine. All clues point to the fact that the ISP's owners are using the chaos created by the Russian military intervention in Ukraine to host cyber-crime operations on their servers. Some of the criminal activities the ISP hosts, besides servers for launching brute-force attacks, include command-and-control servers for the Locky ransomware, [email, comment, and forum] spam botnets, illegal streaming sites, DDoS stressers, carding sites, several banking trojans (Vawtrack, Tinba), and infostealers (Pony, Neurevt). UPDATE 12/22/16: The headline and summary have been updated to reflect the fact that Ukraine is fighting a Russian invasion, and is not in a "civil war," as mentioned in the source.
Canada

Canada's CRTC Declares Broadband Internet Access a Basic Service (www.cbc.ca) 48

New submitter jbwiebe quotes a report from CBC.ca: The Canadian Radio-television and Telecommunications Commission (CRTC) has declared broadband internet a basic telecommunications service. In a ruling handed down today, the national regulator ordered the country's internet providers to begin working toward boosting internet service and speeds in rural and isolated areas. With today's ruling, CRTC has set new targets for internet service providers to offer customers in all parts of the country download speeds of at least 50 megabits per second (Mbps) and upload speeds of at least 10 Mbps, and to also offer the option of unlimited data. The CRTC estimates two million Canadian households, or roughly 18 per cent, don't have access to those speeds or data. The CRTC's goal is to reduce that to 10 per cent by 2021. To achieve that, the CRTC will require providers pay into a fund that's set to grow to $750 million over five years. The companies will be able to dip into that fund to help pay for the infrastructure needed to extend high-speed service to areas where it is not currently available. The fund is similar to one that subsidized the expansion of local landline telephone service in years past. Providers used to pay 0.53 per cent of their revenues, excluding broadband, into that fund. Now they'll pay the same rate on all revenues, including broadband.
Government

Yahoo Email Scan Shows US Spy Push To Recast Constitutional Privacy (reuters.com) 65

An anonymous reader quotes a report from Reuters: Yahoo Inc's secret scanning of customer emails at the behest of a U.S. spy agency is part of a growing push by officials to loosen constitutional protections Americans have against arbitrary governmental searches, according to legal documents and people briefed on closed court hearings. The order on Yahoo from the secret Foreign Intelligence Surveillance Court (FISC) last year resulted from the government's drive to change decades of interpretation of the U.S. Constitution's Fourth Amendment right of people to be secure against "unreasonable searches and seizures," intelligence officials and others familiar with the strategy told Reuters. The unifying idea, they said, is to move the focus of U.S. courts away from what makes something a distinct search and toward what is "reasonable" overall. The basis of the argument for change is that people are making much more digital data available about themselves to businesses, and that data can contain clues that would lead to authorities disrupting attacks in the United States or on U.S. interests abroad. While it might technically count as a search if an automated program trawls through all the data, the thinking goes, there is no unreasonable harm unless a human being looks at the result of that search and orders more intrusive measures or an arrest, which even then could be reasonable. Civil liberties groups and some other legal experts said the attempt to expand the ability of law enforcement agencies and intelligence services to sift through vast amounts of online data, in some cases without a court order, was in conflict with the Fourth Amendment because many innocent messages are included in the initial sweep. But the general counsel of the Office of the Director of National Intelligence (ODNI), Robert Litt, said in an interview with Reuters on Tuesday that the legal interpretation needed to be adjusted because of technological changes.
Earth

Obama Blocks Offshore Drilling In Atlantic, Arctic Areas (npr.org) 338

Before the new administration takes over next month, President Obama took new action Wednesday to place large sections of the Arctic and the Atlantic Oceans off limits to oil drilling. NPR reports: The Arctic protections are a joint partnership with Canada. "These actions, and Canada's parallel actions, protect a sensitive and unique ecosystem that is unlike any other region on earth," the White House said in a statement. "They reflect the scientific assessment that, even with the high safety standards that both our countries have put in place, the risks of an oil spill in this region are significant and our ability to clean up from a spill in the region's harsh conditions is limited," the White House added. "By contrast, it would take decades to fully develop the production infrastructure necessary for any large-scale oil and gas leasing production in the region -- at a time when we need to continue to move decisively away from fossil fuels." Obama's action designates 31 Atlantic canyons "off limits to oil and gas exploration and development activity," totaling 3.8 million acres, according to the administration. It provides the same protections to much of the Arctic's waters, covering the "vast majority of U.S. waters in the Chukchi and Beaufort Seas," totaling 115 million acres. Canada is doing the same to "all Arctic Canadian waters," the joint statement adds. Obama took these actions by invoking a law called the Outer Continental Shelf Lands Act, which gives the president the authority to withdraw lands from oil and gas leases.
Security

White Hat Security Group Hacks Marvel Twitter Accounts (polygon.com) 27

An anonymous reader quotes a report from Polygon: Netflix, Marvel and various Marvel-affiliated Twitter accounts became the latest victims of hacker group OurMine on Wednesday. On Wednesday morning, the group took over control of Netflix's Twitter account, issuing a message to the company's 2.4 million followers about the lack of security Netflix had. The full message was followed by a secondary tweet that invited Twitter users to see how secure their accounts were by emailing the hacking group responsible, OurMine. Netflix was eventually able to regain control of its account and deleted the tweets, but OurMine didn't stop there. Around 12 p.m. ET today, OurMine took over control of Marvel's main Twitter account and those affiliated with the company. Accounts for Black Panther, Captain America, Iron Man, Ant-Man, Thor, Doctor Strange and Marvel Music were all compromised in the attack. Like the takeover Netflix suffered from earlier in the day, OurMine used the attack to post messages about security -- or lack thereof -- that major companies had when it came to their social media accounts. Marvel's main Twitter account has close to 4.4 million followers, nearly double Netflix's online following. It only took Marvel about ten minutes to regain control of its accounts and delete OurMine's tweets. Those tweets can no longer be seen on any of the affiliated accounts, but can still be found through Twitter searches thanks to people's screenshots.
Privacy

Government Requests For Facebook User Data Up 27 Percent in First Half of 2016 (techcrunch.com) 19

Facebook said Wednesday that government requests for user account data rose 27 percent in the first half of 2016, compared to the second half of last year, with U.S. law enforcement agencies topping the list. From a report on TechCrunch: According to the report, government requests for account data increased by 27 percent globally as compared with the last half of 2015. The number of requests grew from 46,710 to 59,229, Facebook said. The majority of the requests (56 percent) received from U.S. law enforcement contained a non-disclosure clause that prevented Facebook from notifying the user in question, the company noted. As with prior transparency reports, Facebook also detailed the number of content restriction requests -- that is, the requests from governments in response to postings that violate local laws. These actually decreased by 83 percent from 55,827 to 9,663. However, those figures don't point to a general decline in these sorts of requests from governments. Instead, the last cycle's numbers were elevated more than usual due to a sharp increase in requests related to a single image from the terrorist attacks in Paris last November.
Google

Google Employee Sues For $3.8 Billion Over Confidentiality Policies (theverge.com) 102

An anonymous reader writes: A Google product manager has filed a lawsuit against the company for its confidentiality policies on the grounds they violate California labor laws. California labor laws give employees the right to discuss workplace issues with law enforcement, regulators, the media, and other employees. Google is accused of firing the employee for exercising his rights, then smearing his reputation in an internal email sent to the rest of the company. These policies are put in place to allegedly prevent the leaking of potentially damaging information to regulators or law enforcement. They in turn prohibit employees from speaking out about illegal activity within the company, even to its own lawyers, and encourage them to report other employees suspected of leaking information. The Verge has obtained a copy of the complaint, linked below in full. "Google's motto is 'don't be evil.' Google's illegal confidentiality agreements and policies fail this test," the lawsuit reads. One policy allegedly even prevents employees from writing a novel about working for a large Silicon Valley corporation -- like, for instance, Dave Eggers' dystopian novel, The Circle -- without first getting final draft approval from Google. The Information confirmed that this lawsuit was filed by the same individual, known in the suit only as "John Doe," who filed a complaint with the National Labor Relations Board earlier this year over many of the same confidentiality policies.
EU

EU's Highest Court Delivers Blow To UK Snooper's Charter (theguardian.com) 156

"General and indiscriminate retention" of emails and electronic communications by governments is illegal, the EU's highest court has ruled, in a judgment that could trigger challenges against the UK's new Investigatory Powers Act -- the so-called snooper's charter. From a report on The Guardian: Only targeted interception of traffic and location data in order to combat serious crime -- including terrorism -- is justified, according to a long-awaited decision by the European court of justice (ECJ) in Luxembourg. The finding came in response to a legal challenge initially brought by the Brexit secretary, David Davis, when he was a backbench MP, and Tom Watson, Labour's deputy leader, over the legality of GCHQ's bulk interception of call records and online messages. Davis and Watson, who were supported by Liberty, the Law Society, the Open Rights Group and Privacy International, had already won a high court victory on the issue, but the government appealed and the case was referred by appeal judges to the ECJ. The case will now return to the court of appeal to be resolved in terms of UK legislation.
Government

White House: US Needs a Stronger Social Safety Net To Help Workers Displaced by Robots (recode.net) 635

The White House has released a new report warning of a not-too-distant future where artificial intelligence and robotics will take the place of human labor. Recode highlights in its report the three key areas the White House says the U.S. government needs to prepare for the next wave of job displacement caused by robotic automation: -- Fund more research in robotics and artificial intelligence in order for the U.S. to maintain its leadership in the global technology industry. The report calls on the government to steer that research to support a diverse workforce and to focus on combating algorithmic bias in AI.
-- Invest in and increase STEM education for youth and job retraining for adults in technology-related fields. That means offering computer science education for all K-12 students, as well as expanding national workforce retraining by investing six times the current amount spent to keep American workers competitive in a global economy.
-- Modernize and strengthen the federal social safety net, including public health care, unemployment insurance, welfare and food stamps. The report also calls for increasing the minimum wage, paying workers overtime and strengthening unions and worker bargaining power.

The report says the government, meaning the incoming Trump administration, will have to forge ahead with new policies and grapple with the complexities of existing social services to protect the millions of Americans who face displacement by advances in automation, robotics and artificial intelligence. The report also calls on the government to keep a close eye on fostering competition in the AI industry, since the companies with the most data will be able to create the most advanced products, effectively preventing new startups from having a chance to even compete.

Android

Barnes & Noble's Latest Tablet Is Running Spyware From Shanghai (linuxjournal.com) 63

Long-time Slashdot reader emil writes about how ADUPS, an Android "firmware provisioning" company specializing in both big data collection of Android usage and hostile app installation and/or firmware control, has been found pre-loaded on Barnes and Noble's new $50 tablet: ADUPS was recently responsible for data theft on BLU phones and an unsafe version of the ADUPS agent is pre-loaded on the Barnes and Noble BNTV450. ADUPS' press releases claim that Version 5.5 of their agent is safe, but the BNTV450 is running 5.2. The agent is capable of extracting contacts, listing installed apps, and installing new apps with elevated privilege. Azzedine Benameur, director of research at Kryptowire, claims that "owners can expect zero privacy or control while using it."
Businesses

Chicago Electronics Recycler Faked Tear-Downs, Sent Hazardous Waste To Overseas Landfills (arstechnica.com) 91

Federal agents have accused Brian Brundage, the former owner of Chicago-based electronics recycling company Intercon Solutions and current owner of EnviroGreen Processing, of fraud for failing to properly break down and recycle electronic devices according to federal guidelines. Brundage allegedly shipped Cathode Ray Tubes (CRTs) from old computer and TV monitors, which contained "hazardous amounts of lead," and batteries to overseas landfills for disposal. The leftover electronics that weren't shipped overseas were destroyed inappropriately at his businesses or stored in warehouses, which is forbidden by federal guidelines. Ars Technica reports: According to the indictment (PDF), Brundage also improperly resold many of the electronics he acquired. Between 2009 and 2015, Brundage received shipments of calculators from an unnamed technology company in Texas with instructions to disassemble the calculators and recycle them accordingly. But Brundage apparently resold the calculators to another company based in Tampa, Florida, which purchased and sold used electronics. In exchange for the shipments of calculators, Brundage allegedly had the company in Tampa directly pay some of Brundage's personal expenses. Those expenses include between $31,000 and $39,000 per year for a nanny and $26,000 to $42,000 per year for a housekeeper, as well as tens of thousands of dollars for jewelry expenses and payments to an Indiana-based casino. Among the more colorful accusations in the US government's indictment of Brundage: the businessman allegedly went to lengths to fool third-party auditors into giving his companies the certifications necessary to keep doing business as an e-recycler. Brundage allegedly invited unknowing customers on sham tours of Intercon's facility. Once there, he "directed Intercon's warehouse staff to set up a staged disassembly line to make it falsely appear as though Intercon regularly processed e-waste in a manner that was consistent with its public representations." The Chicago Tribune published a feature on Intercon in 2007. In it, Brundage is quoted saying, "We put old products on a disassembly line. We break each item down to raw materials and send them off to be smelted and reused." He added, "nothing that leaves here goes to a landfill."
Government

US Fails To Renegotiate Arms Control Rule For Hacking Tools (go.com) 31

An anonymous reader quotes a report from ABC News: The Obama administration has failed to renegotiate portions of an international arms control arrangement to make it easier to export tools related to hacking and surveillance software -- technologies that can be exploited by bad actors, but are also used to secure computer networks. The rare U.S. move to push for revisions to a 2013 rule was derailed earlier this month at an annual meeting in Vienna, where officials from 41 countries that signed onto it were meeting. That leaves it up to President-elect Donald Trump's administration whether the U.S. will seek revisions again next year. U.S. officials had wanted more precise language to control the spread of such hacking tools without the unintended negative consequences for national cybersecurity and research that industry groups and lawmakers have complained about for months. Critics have argued that the current language, while well meaning, broadly sweeps up research tools and technologies used to create or otherwise support hacking and surveillance software. As one of those 41 member countries of the 1996 Wassenaar Arrangement, which governs the highly technical world of export controls for arms and certain technologies, the United States agreed to restrict tools related to cyber "intrusion software" that could fall into the hands of repressive regimes. The voluntary arrangement relies on unanimous agreement to abide by its rules on export controls for hundreds of items, including arms such as tanks or military aircraft and "dual-use" technologies such as advanced radar that can be used for both peaceful and military means.
Social Networks

Twitter Will Hand Over Data On the User Who Sent a Seizure-Inducing Tweet To a Journalist (theverge.com) 492

Last week, an unidentified Twitter user tweeted a seizure-inducing animation at Newsweek and Vanity Fair writer Kurt Eichenwald, who has epilepsy. Now, Eichenwald has taken the first step toward identifying the user. In response to a civil suit filed by Eichenwald this week in Dallas district court, Twitter has agreed to hand over all relevant subscriber data for the user in question. The attack came in apparent retaliation for Eichenwald's aggressive coverage of President-elect Trump. From a report on the Verge: While Eichenwald has yet to file criminal charges, the civil suit was sufficient for an ex parte order from the district judge. Twitter subsequently agreed to expedited relief, declining to challenge the order or demand further evidence from Eichenwald. The next step is likely to be a lawsuit against wireless carriers or service providers implicated by Twitter's records, who will have records linking IP addresses and other metadata to the attacker's legal name.
Facebook

EU Accuses Facebook Of Giving Misleading Information During WhatsApp Takeover (reuters.com) 27

The European Commission has charged Facebook with providing misleading information during its takeover of the online messaging service WhatsApp, opening the company to a possible fine of 1 percent of its turnover. From a report on Reuters: The statement of objections sent to Facebook will not have an impact on the approval of the $22 billion merger in 2014, the Commission said in a statement on Tuesday. Facebook becomes the latest Silicon Valley target of EU antitrust chief Margrethe Vestager, who has demanded Apple pay back $14 billion in taxes to Ireland and hit Google with two market abuse investigations. The issue regards a WhatsApp privacy policy change in August when it said it would share some users' phone numbers with parent company Facebook, triggering investigations by a number of EU data protection authorities. The Commission said Facebook had indicated in its notification of the planned acquisition that it would be unable reliably to match the two companies' user accounts. "In today's Statement of Objections, the Commission takes the preliminary view that, contrary to Facebook's statements and reply during the merger review, the technical possibility of automatically matching Facebook users' IDs with WhatsApp users' IDs already existed in 2014," it said.
Power

Solar Is Top Source of New Capacity On the US Grid In 2016 (arstechnica.com) 192

An anonymous reader quotes a report from Ars Technica: The U.S. electric grid continued to transform in 2016. No new coal plants were added, and solar became the top new source of generating capacity. Combined with wind, a small bit of hydro, and the first nuclear plant added to the grid in decades, sources that generate power without carbon emissions accounted for two-thirds of the new capacity added in 2016. These numbers come from the U.S. Energy Information Administration, which asked utilities about what sources they expected to have online at the end of the year. These numbers typically show a burst of activity in December, as projects are raced to completion to take advantage of the tax benefits of reaching operational status in the current year. Overall, the EIA recorded 26 GW of new capacity added to the grid in 2016. This includes a small amount (0.3GW) of new hydropower and a smattering of projects collected under "other" that produce a similar magnitude. Notably absent from the list is coal. Also absent is distributed solar, meaning panels installed on homes and other small-scale projects. Distributed solar accounted for about 2GW of new capacity in 2015, and the EIA notes that the incentives for these projects haven't changed considerably in 2016. Even without that 2GW, solar comes out on top, with 9.5GW of new additions this year. At 8GW, natural gas comes in second place on the EIA's list, followed by wind at 6.8GW. Thanks to the opening of a new reactor at Watts Bar in Tennessee, nuclear also joins the list for the first time in years, adding 1.1GW of capacity. Combined, wind, nuclear, hydro, and solar account for 68 percent of the new additions, making 2016 a low-carbon year for the U.S. grid. Assuming distributed solar this year is similar to its 2015 levels, the percentage of new non-fossil generation goes up above 70.
Republicans

Electoral College Elects Donald Trump As President (nbcnews.com) 1069

mi writes: The drama is over, Donald J. Trump passed the 270 electoral votes necessary to become President. A few electors dissented, resulting in their prompt dismissal and replacement per their state's laws. Ironically, more dissenters turned on Clinton than on Trump... The sky may not be falling yet, but the Earth is already in peril.
Government

South Carolina Bill Wants To Put Porn Blocks On New Computers (zdnet.com) 351

An anonymous reader quotes a report from ZDNet: People buying new computers and devices in South Carolina would be blocked from accessing porn under a newly proposed law. A bill, pre-filed earlier this month by state lawmaker Bill Chumley, is called the Human Trafficking Prevention Act, and would require computer makers and sellers to install filters that would prevent users from accessing porn and other sexual material. The aim is to prevent access to sites that facilitate prostitution and trafficking, Chumley told a local newspaper this weekend, which the state has struggled to curtail in recent years. "If we could have manufacturers install filters that would be shipped to South Carolina, then anything that children have access on for pornography would be blocked," Chumley reportedly said. "We felt like that would be another way to fight human trafficking."
IBM

IBM Employees Protest Cooperation With Donald Trump (theintercept.com) 600

Reader Presto Vivace shares a report on The Intercept: IBM employees are taking a public stand following a personal pitch to Donald Trump from CEO Ginni Rometty and the company's initial refusal to rule out participating in the creation of a national Muslim registry. In November, Rometty wrote Trump directly, congratulating him on his electoral victory and detailing various services the company could sell his administration. The letter was published on an internal IBM blog along with a personal note from Rometty to her enormous global staff. "As IBMers, we believe that innovation improves the human condition. ... We support, tolerance, diversity, the development of expertise, and the open exchange of ideas," she wrote in the context of lending material support to a man who won the election by rejecting all of those values. Employee comments were a mix of support and horror. Now, some of those who were horrified are going public, denouncing Rometty's letter and asserting "our right to refuse participation in any U.S. government contracts that violate constitutionally protected civil liberties." The IBMPetition.org effort has been spearheaded in part by IBM cybersecurity engineer Daniel Hanley, who told The Intercept he started organizing with his coworkers after reading Rometty's letter. "I was shocked, of course," Hanley said, "because IBM has purported to espouse diversity and inclusion, and yet here's Ginni Rometty in an unqualified way reaching out to an admin whose electoral success was based on racist programs."
United States

House Committee Urges Congress To Pass Stingray Surveillance Legislation (theverge.com) 25

A bipartisan House Oversight and Government Reform Committee report released today urges Congress to pass legislation to regulate cell-site simulation surveillance devices like the Stingray. From a report: The devices, used by local and federal law enforcement agencies around the country, have been controversial, both for their power to track mobile devices and the secrecy often accompanying their use. As the report notes, the devices are still often used by local law enforcement agencies without warrants, instead relying on various lower standards of evidence. The committee's investigation, which last year prompted the Justice Department and Department of Homeland Security to change their policies on when to require a warrant before using the devices, found that the Justice Department uses 310 of the devices and spent $71 million on them between fiscal years 2010 and 2014. Homeland Security has 124 devices and spent $24 million in the same period. [...] The committee recommends that agencies become more "candid" about the devices, and urges states to pass legislation that would "require, with limited exceptions, issuance of a probable cause based warrant prior to law enforcement's use of these devices."
Government

Finland Will Give Some Unemployed Citizens a Basic Income (theoutline.com) 441

Next month, the Finnish government is going to try something completely different to help its unemployed citizens: give them free money. From a report on The Outline: On Jan. 9, 2017, a randomly selected group of 2,000 unemployed citizens in Finland will receive a check for 560 euros (about $585) with no strings attached. They'll continue to receive that check every month for two years straight, even if they find a job or continue to remain unemployed. This is part of an experiment to see what happens to people's participation in the labor market after they've been guaranteed a certain amount of money.
Social Networks

Turkey Blocks Tor's Anonymity Network (engadget.com) 74

An anonymous reader writes: Turkey's President Erdogan and the ruling AKP party are increasingly bent on silencing online dissent, and that now affects you even if you're smart enough to evade typical censorship methods. Watchdog group Turkey Blocks has confirmed that Turkey is blocking the Tor anonymity network's direct access mode for most users. You can still use a bridge mode for now, but there are hints that internet providers might be hurting performance even then. The restrictions come alongside a recent government ban on virtual private network services.
EU

Apple Appeals EU Tax Ruling, Says It Was a 'Convenient Target' (reuters.com) 122

Apple has launched a legal challenge to a record $14 billion EU tax demand, arguing that EU regulators ignored tax experts and corporate law and deliberately picked a method to maximize the penalty, senior executives said. From a report on Reuters: Apple's combative stand underlines its anger with the European Commission, which said on Aug. 30 the company's Irish tax deal was illegal state aid and ordered it to repay up to 13 billion euros ($13.8 billion) to Ireland, where Apple has its European headquarters. European Competition Commissioner Margrethe Vestager, a former Danish economy minister, said Apple's Irish tax bill implied a tax rate of 0.005 percent in 2014. General Counsel Bruce Sewell and Chief Financial Officer Luca Maestri outlined in an interview with Reuters at Apple's global headquarters in Cupertino the company's plans for its appeal against the Commission's ruling at Europe's second highest court. The iPhone and iPad maker was singled out because of its success, Sewell said. "Apple is not an outlier in any sense that matters to the law. Apple is a convenient target because it generates lots of headlines. It allows the commissioner to become Dane of the year for 2016," he said, referring to the title accorded to Vestager by Danish newspaper Berlingske last month.
Crime

Can Consumers Fight Package Thieves With Technology? (geekwire.com) 295

Every year more than 10 million packages are stolen off doorsteps, according to a study by August Home Inc. -- a company which sells a "smart" door lock that's controlled by your cellphone so you can remotely let a delivery person into your house. But that's just one of the weird ways consumers are using technology to try to fight package thieves. An anonymous reader reports: Some online shopping sites will now also text you when one of their packages gets left on your doorstep, according to GeekWire, which reports that for a thousand bucks you can also just buy a lockable iBin parcel-delivery box. But there's also a startup selling an odd new product called Package Guard, "a Frisbee sized, wi-fi-enabled device that alerts a user when a package has been delivered and set on top of it. Package Guard sets off a loud alarm if anyone unauthorized tries to remove the package."

GeekWire details the frustration of one Seattle police detective. "Bach knows the crimes are happening, he knows it all spikes during the holiday season and he knows that the few thieves who are caught are likely to see little if any jail time." (Though Bach admits "We do a wide variety of undercover stings," including a recent operation involving mobile surveillance with a "major delivery company.") One Seattle man even attempted to stop thieves by installing a Ring smart doorbell to film activity on his doorstep, only to discover that this only enabled him to watch helplessly as a thief opened his package, and then successfully stole all of its contents.

Though he yelled at the video "Bring my package back now!" that thief was never caught.
Government

A Century of Surveillance: An Interactive Timeline Of FBI Investigations (muckrock.com) 55

"Over a century of fear and filing cabinets" at the FBI has been exposed through six years of Freedom of Information Act requests. And now MuckRock founder (and long-time Slashdot reader) v3rgEz writes: MuckRock recently published its 100th look into historical FBI files, and to celebrate they've also compiled a timeline of the FBI's history. It traces the rise and fall of J. Edgar Hoover as well as some of the Bureau's more questionable investigations into famous figures ranging from Steve Jobs to Hannah Arendt. Read the timeline, or browse through all of MuckRock's FBI FOIA work.
The FBI interviewed 29 people about Steve Jobs (after he was appointed to the President's Export Council in 1991), with several citing his "past drug use," and several individuals also saying Jobs would "distort reality."
Botnet

The FBI Is Arresting People Who Rent DDoS Botnets (bleepingcomputer.com) 212

This week the FBI arrested a 26-year-old southern California man for launching a DDoS attack against online chat service Chatango at the end of 2014 and in early 2015 -- part of a new crackdown on the customers of "DDoS-for-hire" services. An anonymous reader writes: Sean Krishanmakoto Sharma, a computer science graduate student at USC, is now facing up to 10 years in prison and/or a fine of up to $250,000. Court documents describe a service called Xtreme Stresser as "basically a Linux botnet DDoS tool," and allege that Sharma rented it for an attack on Chatango, an online chat service. "Sharma is now free on a $100,000 bail," reports Bleeping Computer, adding "As part of his bail release agreement, Sharma is banned from accessing certain sites such as HackForums and tools such as VPNs..."

"Sharma's arrest is part of a bigger operation against DDoS-for-Hire services, called Operation Tarpit," the article points out. "Coordinated by Europol, Operation Tarpit took place between December 5 and December 9, and concluded with the arrest of 34 users of DDoS-for-hire services across the globe, in countries such as Australia, Belgium, France, Hungary, Lithuania, the Netherlands, Norway, Portugal, Romania, Spain, Sweden, the United Kingdom and the United States." It grew out of an earlier investigation into a U.K.-based DDoS-for-hire service which had 400 customers who ultimately launched 603,499 DDoS attacks on 224,548 targets.

Most of the other suspects arrested were under the age of 20.
Microsoft

LinkedIn Warns 9.5 Million Lynda Users About Database Breach (neowin.net) 35

Less than four weeks after Microsoft formally acquired LinkedIn for $26 billion, there's been a database breach. An anonymous reader writes: LinkedIn is sending emails to 9.5 million users of Lynda.com, its online learning subsidiary, warning the users of a database breach by "an unauthorized third party". The affected database included contact information for at least some of the users. An email to customers says "while we have no evidence that your specific account was accessed or that any data has been made publicly available, we wanted to notify you as a precautionary measure." Ironically, the breach comes less than a month after Russia blocked access to LinkedIn over privacy concerns.
LinkedIn has also reset the passwords for 55,000 Lynda.com accounts (though apparently many of its users don't have accounts with passwords).
The Courts

Apple Loses In Court, Owes $2 Million For Not Giving Workers Meal Breaks (cnn.com) 255

An anonymous reader writes: Apple has been ordered to cut a $2 million check for denying some of its retail workers meal breaks. The lawsuit was first filed in 2011 by four Apple employees in San Diego. They alleged that the company failed to give them meal and rest breaks [as required by California law], and didn't pay them in a timely manner, among other complaints. In 2013, the case became a class action lawsuit that included California employees who had worked at Apple between 2007 and 2012, approximately 21,000 people...

The complaint says Apple's culture of secrecy keeps employees from talking about the company's poor working conditions. "If [employees] so much as discuss the various labor policies, they run the risk of being fired, sued or disciplined."

Apple changed their break policy in 2012, according to CNN, which reports that the second half of the case should conclude later this week. The employees that had been affected by Apple's original break policy could get as much as $95 each from Friday's settlement, according to CNN, "but it's likely some of the money will go toward attorney fees."
Electronic Frontier Foundation

EFF Begins Investigating Surveillance Technology Rumors At Standing Rock (eff.org) 147

Electronic Frontier Foundation has dispatched a team of technologists and lawyers to a protest site in Standing Rock, North Dakota, to investigate "several reports of potentially unlawful surveillance." An anonymous reader writes: The EFF has "collected anecdotal evidence from water protectors about suspicious cell phone behavior, including uncharacteristically fast battery drainage, applications freezing, and phones crashing completely," according to a recent report. "Some water protectors also saw suspicious login attempts to their Google accounts from IP addresses originating from North Dakota's Information & Technology Department. On social media, many reported Facebook posts and messenger threads disappearing, as well as Facebook Live uploads failing to upload or, once uploaded, disappearing completely."

The EFF reports "it's been very difficult to pinpoint the true cause or causes," but they've targeted over 20 law enforcement agencies with public records requests, noting that "Of the 15 local and state agencies that have responded, 13 deny having any record at all of cell site simulator use, and two agencies -- Morton County and the North Dakota State Highway Patrol (the two agencies most visible on the ground) -- claim that they can't release records in the interest of "public safety"...

"Law enforcement agencies should not be allowed to sidestep public inquiry into the surveillance technologies they're using," EFF writes, "especially when citizens' constitutional rights are at stake... It is past time for the Department of Justice to investigate the scope of law enforcement's digital surveillance at Standing Rock and its consequences for civil liberties and freedoms in the digital world."
Earth

US Scientists Scramble To Protect Research On Climate Change (cnn.com) 534

Long-time Slashdot reader ClickOnThis quotes CNN: Some scientists and academics are embarking on a frenzied mission to archive reams of scientific data on climate change, energized by a concern that a Trump administration could seek to wipe government websites of hard-earned research... The chief concern: publicly available climate change data and research found on government websites would be wiped clean or made otherwise inaccessible to the public. Some worry the information could only be retrieved with a taxing Freedom of Information Act request.
One associate professor at the University of Texas tells CNN, "There is a very short window for when the new administration will come in and that's why there's a lot of anxiety. There's a lot of information to save."
Government

The UN Will Consider Banning Killer Robots (hrw.org) 210

Friday the United Nations agreed to discuss a ban on "killer robots" in 2017. The 123 signatories to a long-standing conventional weapons pact "agreed to formalize their efforts next year to deal with the challenges raised by weapons systems that would select and attack targets without meaningful human control," according to Human Rights Watch. "The governments meeting in Geneva took an important step toward stemming the development of killer robots, but there is no time to lose," said Steve Goose, arms director of Human Rights Watch, a co-founder of the Campaign to Stop Killer Robots. "Once these weapons exist, there will be no stopping them. The time to act on a pre-emptive ban is now."
schwit1 reminded us that IEEE Spectrum ran a guest post Thursday by AI professor Toby Walsh, who addressed the U.N. again this week. "If we don't get a ban in place, there will be an arms race. And the end point of this race will look much like the dystopian future painted by Hollywood movies like The Terminator."
Botnet

Massive Mirai Botnet Hides Its Control Servers On Tor (bleepingcomputer.com) 149

"Following a failed takedown attempt, changes made to the Mirai malware variant responsible for building one of today's biggest botnets of IoT devices will make it incredibly harder for authorities and security firms to shut it down," reports Bleeping Computer. An anonymous reader writes: "Level3 and others" have been very close to taking down one of the biggest Mirai botnets around, the same one that attempted to knock the Internet offline in Liberia, and also hijacked 900,000 routers from German ISP Deutsche Telekom. The botnet narrowly escaped due to the fact that its maintainer, a hacker known as BestBuy, had implemented a domain-generation algorithm to generate random domain names where he hosted his servers.

Currently, to avoid further takedown attempts from similar security firms, BestBuy has started moving the botnet's command and control servers to Tor. "It's all good now. We don't need to pay thousands to ISPs and hosting. All we need is one strong server," the hacker said. "Try to shut down .onion 'domains' over Tor," he boasted, knowing that nobody can.

Transportation

U.S. Proposes Car-To-Car Data Sharing Standards (networkworld.com) 134

Calling it "the next revolution in roadway safety," the U.S. Department of Transportation hopes to standardize "vehicle communications" technology. Slashdot reader coondoggie writes: The idea is to enable a multitude of new crash-avoidance applications that could save lives by preventing "hundreds of thousands of crashes every year by helping vehicles 'talk' to each other," the DOT stated... [D]evices would use the dedicated short range communications to transmit data, such as location, direction and speed, to nearby vehicles. That data would be updated and broadcast up to 10 times per second to nearby vehicles, and using that information, V2V-equipped vehicles can identify risks and provide warnings to drivers to avoid imminent crashes.
Self-driving cars (and human drivers) could be informed when it's safe to enter the passing lane (or when cars move into a vehicle's blind spot), for example, and "often in situations in which the driver and on-board sensors alone cannot detect the threat." Federal agencies estimate it will cost just $350 per vehicle by 2020 (and dropping over the decades to come), and they've also already issued guidelines about securing these systems from unauthorized access.
China

China Says It Will Return the Underwater Drone It Seized From the US (thehill.com) 199

An anonymous reader quotes The Hill: China said Saturday it will return the unmanned U.S. drone it seized in the South China Sea, calling the issue "hyped up" by the U.S. "Upon confirming that the device was a U.S. underwater drone, the Chinese side decided to transfer it to the U.S. side in an appropriate manner," said the spokesman for the Chinese Defense Ministry, Sr. Col. Yang Yujun, according to CNN. "China and the United States have been communicating about this process. It is inappropriate -- and unhelpful for a resolution -- that the U.S. has unilaterally hyped up the issue. We express our regret over that."
A Defense Ministry spokesman added that China opposes U.S. "surveillance and military surveys in waters facing China...and demands the U.S. cease such activities. China will stay alert over relevant U.S. activities and will take necessary measures to counter them."
Facebook

Germany Threatens To Fine Facebook Over Hate Speech (go.com) 321

An anonymous reader quotes a report from ABC News: German officials are stepping up their criticism of Facebook, saying the social network is doing too little to stop hate speech and could face stiff fines unless it deletes illegal content faster. In an interview published Friday, Justice Minister Heiko Maas said his ministry was checking whether it would be possible to make social networking sites legally liable for illegal posts. Germany has seen a sharp increase in vitriolic posts on social media in recent years amid a heated public debate over the influx of more than a million migrants since the start of 2015. The country has laws against speech deemed to be racist, defamatory or inciting violence -- a response to Germany's Nazi legacy. But authorities have struggled with the deluge of often anonymous postings on foreign-owned websites. Thomas Oppermann, a senior lawmaker in Maas' Social Democratic Party, told German weekly Der Spiegel that dominant social media sites like Facebook could be required to delete illegal posts within 24 hours or face fines up to 500,000 euros ($522,000). Facebook also could be compelled to distribute corrections that reach the same number of people as the original post, Oppermann suggested, something traditional media companies in Germany are already required to do.
