Facebook

Facebook Data Collected By Quiz App Included Private Messages (nytimes.com) 30

In addition to the public profile data of up to 87 million Facebook users, political data firm Cambridge Analytica also reportedly harvested people's private messages. The New York Times reports: On Monday, Facebook began informing people whose data may have been compromised by Cambridge Analytica through an app developed by the researcher Aleksandr Kogan. In its notifications, Facebook said that while the information harvested was largely limited to what was on people's public profiles, "a small number of people" also shared information from their Facebook timeline, posts and messages. Facebook did not specify how many people's messages were gathered and said it was taking as broad a view as possible when notifying people that their data may have been taken.

Businesses

Apple Must Pay Patent Troll More Than $500 Million In iMessage Case (bloomberg.com) 75

A federal court in Texas today has ordered Apple to pay $502.6 million to a patent troll called VirnetX, the latest twist in a dispute now in its eighth year. "VirnetX claimed that Apple's FaceTime, VPN on Demand and iMessage features infringe four patents related to secure communications, claims that Apple denied," reports Bloomberg. From the report: The dispute has bounced between the district court, patent office and Federal Circuit since 2010. There have been multiple trials, most recently one involving earlier versions of the Apple devices. A jury in that case awarded $302 million that a judge later increased to $439.7 million. Kendall Larsen, CEO of VirnetX, said the damages, which were based on sales of more than 400 million Apple devices, were "fair." "The evidence was clear," Larsen said after the verdict was announced. "Tell the truth and you don't have to worry about anything." For VirnetX, the jury verdict in its favor could be a short-lived victory. The Patent Trial and Appeal Board has said the patents are invalid, in cases that are currently before the U.S. Court of Appeals for the Federal Circuit in Washington. The Federal Circuit, which handles all patent appeals, declined to put this trial on hold, saying it was so far along that a verdict would come before a final validity decision.

Democrats

Democratic Senators Propose 'Privacy Bill of Rights' To Prevent Websites From Sharing Or Selling Sensitive Info Without Opt-In Consent (arstechnica.com) 136

Democratic Senators Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.) today proposed a "privacy bill of rights" that would prevent Facebook and other websites from sharing or selling sensitive information without a customer's opt-in consent. The proposed law would protect customers' web browsing and application usage history, private messages, and any sensitive personal data such as financial and health information. Ars Technica reports: Markey teamed with Sen. Richard Blumenthal (D-Conn.) to propose the Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act. You can read the full legislation here. "Edge providers" refers to websites and other online services that distribute content over consumer broadband networks. Facebook and Google are the dominant edge providers when it comes to advertising and the use of customer data to serve targeted ads. No current law requires edge providers to seek customers' permission before using their browsing histories to serve personalized ads. The online advertising industry uses self-regulatory mechanisms in which websites let visitors opt out of personalized advertising based on browsing history, and websites can be punished by the Federal Trade Commission (FTC) if they break their privacy promises.

The Markey/Blumenthal bill's stricter opt-in standard would require edge providers to "obtain opt-in consent from a customer to use, share, or sell the sensitive customer proprietary information of the customer." Edge providers would not be allowed to impose "take-it-or-leave-it" offers that require customers to consent in order to use the service. The FTC and state attorneys general would be empowered to enforce the new opt-in requirements. The bill would require edge providers to notify users about all collection, use, and sharing of their information. The bill also requires edge providers "to develop reasonable data security practices" and to notify customers about data breaches that affect them.

Twitter

Twitter Says It Will Comply With Honest Ads Act To Combat Russia Social Media Meddling (theverge.com) 47

An anonymous reader quotes a report from The Verge: Twitter today pledged to support a proposed Senate bill that would require technology platforms that sell advertising space to disclose the source of and amount of money paid for political ads. Called the Honest Ads Act, the bipartisan bill was first introduced back in October by Sen. Amy Klobuchar (D-MN), Sen. Mark Warner (D-VA), and Sen. John McCain (R-AZ). As part of its transparency efforts, Twitter says it's launched a new platform called the Ads Transparency Center, or ATC, that will "go beyond the requirements of the Honest Ads Act and eventually provide increased transparency to all advertisements on Twitter." Twitter says the platform will increase transparency for political and so-called issue ads, which target specific topics like immigration and gun control, by providing even more information on the origin of an ad than is required by the Honest Ads Act. "We have a dedicated team that is fully resourced to implementing the ATC and are committed to launching it this summer," the company states. "Twitter is moving forward on our commitment to providing transparency for online ads. We believe the Honest Ads Act provides an appropriate framework for such ads and look forward to working with bill sponsors and others to continue to refine and advance this important proposal."

Facebook

Facebook Launches Bug Bounty Program To Report Data Thieves (cnet.com) 66

Facebook on Tuesday launched a data abuse bug bounty program, just hours ahead of CEO Mark Zuckerberg's testimony to the Senate judiciary and commerce committees in Washington, DC. The bug bounty program is asking for people to report any apps that abuse data on Facebook, and it offers a reward based on how severe the abuse is. From a report: "While there is no maximum, high impact bug reports have garnered as much as $40,000 for people who bring them to our attention," Collin Greene, Facebook's head of product security, said in a post. The new program comes almost a month after the New York Times and the UK's Observer and Guardian papers revealed that Cambridge Analytica, a voter profiling firm, took advantage of a Facebook app to siphon off personal information on 87 million people. The scandal has fanned the flames of a backlash against Facebook by lawmakers and users.

Chrome

Biometric and App Logins Will Soon Be Pushed Across the Web (vice.com) 161

Soon, it will be much easier to log into more websites using a hardware key plugged into your laptop, a dedicated app, or even the fingerprint scanner on your phone. Motherboard: On Tuesday, a spread of organizations and businesses, including top browser vendors such as Microsoft and Google, announced a new standards milestone that will streamline the process for web developers to add extra login methods to their sites, potentially keeping consumers' accounts and data more secure. "For users, this will be a natural transition. People everywhere are already using their fingers and faces to 'unlock' their mobile phones and PCs, so this will be natural to them -- and more convenient," Brett McDowell, executive director at the FIDO Alliance, one of the organizations involved in setting up the standard, told Motherboard in an email.

"What they use today to 'unlock' will soon allow them to 'login' to all their favorite websites and a growing number of native apps that already includes Bank of America, PayPal, eBay and Aetna," he added. Passwords continue to be one of the weaker points in online security. A hacker may phish a target's password and log into their account, or take passwords from one data breach and use them to break into accounts on another site. The login standard, called Web Authentication (WebAuthn), will let potentially any website or online service use apps, security keys, or biometrics as a login method instead of a password, or use those alternative approaches as a second method of verification. The key here is making it easy and open for developers to use, and for it to work across all different brands of browsers. The functionality is already available in Mozilla's Firefox, and will be rolled out to Microsoft's Edge and Google Chrome in the next few months. Opera has committed to supporting WebAuthn as well.

Communications

Oregon Becomes Second State To Pass a Net Neutrality Law (katu.com) 91

An anonymous reader quotes a report from KATU: Oregon Gov. Kate Brown signed a bill Monday withholding state business from internet providers who throttle traffic, making the state the second to finalize a proposal aimed at thwarting moves by federal regulators to relax net neutrality requirements. The bill stops short of actually putting new requirements on internet service providers in the state, but blocks the state from doing business with providers that offer preferential treatment to some internet content or apps, starting in 2019. The move follows a December vote by the Federal Communications Commission repealing Obama-era rules that prohibited such preferential treatment, referred to generally as throttling, by providers like AT&T, Comcast, and Verizon. Brown's signature makes the state the second to enact such legislation, according to the National Conference of State Legislatures. It also stakes out the state's claim to a moderate approach, compared to others: Five weeks to the day before Brown, Washington State Gov. Jay Inslee signed a bill in his state to directly regulate providers there. The prohibition, which restricts with whom the state may contract for internet services, applies to cities and counties, but exempts areas with only a single provider.

China

China Removes Four News Apps From Smartphone Stores To Tighten Control (scmp.com) 52

Four popular news apps in China, including the most popular aggregator, Jinri Toutiao, were removed from a number of Chinese smartphone app stores following reports of a crackdown by the country's media watchdog, local media reported on Monday. From the report: Toutiao, with about 120 million daily active users, was not available on the app stores of smartphone manufacturers Xiaomi and Meizu on Monday afternoon. The apps for Tiantian Kuaibao, Netease News and Ifeng News were also not found on Xiaomi. China's authorities have asked several of the country's smartphone app stores to remove the four apps by 3pm on Monday as part of efforts to "regulate order in the broadcasting environment," according to Chinese news portal Sohu.com. The apps will be removed for between three days and three weeks, with Toutiao being offline for the longest period, according to the Sohu report. [...] China has shut down more than 13,000 websites in the last three years as Beijing sought to tighten its grip on the internet.

Businesses

How Much VR User Data Is Oculus Giving To Facebook? (theverge.com) 60

Facebook owns many other apps and services, including the Oculus virtual-reality platform, which collects incredibly detailed information about where users are looking and how they're moving. Since most of the discussion about how Facebook handles user information is focused on the social network itself, The Verge's Adi Robertson looks into the link between Facebook and Oculus: A VR platform like Oculus offers lots of data points that could be turned into a detailed user profile. Facebook already records a "heatmap" of viewer data for 360-degree videos, for instance, flagging which parts of a video people find most interesting. If it decided to track VR users at a more detailed level, it could do something like track overall movement patterns with hand controllers, then guess whether someone is sick or tired on a particular day. Oculus imagines people using its headsets the way they use phones and computers today, which would let it track all kinds of private communications. The Oculus privacy policy has a blanket clause that lets it share and receive information from Facebook and Facebook-owned services. So far, the company claims that it exercises this option in very limited ways, and none of them involve giving data to Facebook advertisers. "Oculus does not share people's data with Facebook for third-party advertising," a spokesperson tells The Verge.

Oculus says there are some types of data it either doesn't share or doesn't retain at all. The platform collects physical information like height to calibrate VR experiences, but apparently, it doesn't share any of it with Facebook. It stores posts that are made on the Oculus forums, but not voice communications between users in VR, although it may retain records of connections between them. The company also offers a few examples of when it would share data with Facebook or vice versa. Most obviously, if you're using a Facebook-created VR app like Spaces, Facebook gets information about what you're doing there, much in the same way that any third-party app developer would. You can optionally link your Facebook account to your Oculus ID, in which case, Oculus will use your Facebook interests to suggest specific apps or games. If you've linked the accounts, any friend you add on Facebook will also become your friend on Oculus, if they're on the platform.

Oculus does, however, share data between the two services to fight certain kinds of banned activity. "If we find someone using their account to send spam on one service, we can disable all of their accounts," an Oculus spokesperson says. "Similarly, if there's 'strange activity' on a specific Oculus account, they can share the IP address it's coming from with Facebook," writes Robertson. "The biggest problem is that there's nothing stopping Facebook and Oculus from choosing to share more data in the future."
