Bitcoin

Binance, Billionaire Zhao To Seek Dismissal of CFTC Lawsuit (bloomberg.com) 17

Binance, its founder Changpeng Zhao and the crypto exchange's former Chief Compliance Officer Samuel Lim plan to seek the dismissal of a Commodity Futures Trading Commission lawsuit. From a report: The response to the CFTC complaint is due July 27 and the defendants intend to submit motions to dismiss, according to a court filing on Monday. They also sought permission to exceed a 15-page limit on supporting briefs, citing the complexity of the case and the number of arguments they anticipate making. The CFTC in March alleged that Binance and CEO Zhao, also known as CZ, routinely broke US derivatives rules as the firm grew to be the world's largest digital-asset trading platform.

Binance should have registered with the agency years ago and continues to violate the CFTC's rules, the regulator said at the time. The crypto platform previously described the CFTC lawsuit as "unexpected and disappointing." The US Securities & Exchange Commission last month accused Binance and Zhao of mishandling customer funds, misleading investors and regulators, and breaking securities rules. Binance has said that it intends to defend its platform "vigorously."

Google

Google Owes $338.7 Million in Chromecast Patent Case, US Jury Says (reuters.com) 92

Alphabet's Google violated a software developer's patent rights with its remote-streaming technology and must pay $338.7 million in damages, a federal jury in Waco, Texas decided on Friday. From a report: The jury found that Google's Chromecast and other devices infringe patents owned by Touchstream Technologies related to streaming videos from one screen to another. Google spokesperson Jose Castaneda said on Monday that the company will appeal the verdict and has "always developed technology independently and competed on the merits of our ideas." Touchstream attorney Ryan Dykal said on Monday that Touchstream was pleased with the verdict. New York-based Touchstream, which also does business as Shodogg, said in its 2021 lawsuit that founder David Strober invented technology in 2010 to "move" videos from a small device like a smartphone to a larger device like a television.

AI

Is AI Training on Libraries of Pirated Books? (nytimes.com) 96

The New York Times points out that so-called "shadow libraries," like Library Genesis, Z-Library or Bibliotik, "are obscure repositories storing millions of titles, in many cases without permission — and are often used as A.I. training data." A.I. companies have acknowledged in research papers that they rely on shadow libraries. OpenAI's GPT-1 was trained on BookCorpus, which has over 7,000 unpublished titles scraped from the self-publishing platform Smashwords. To train GPT-3, OpenAI said that about 16 percent of the data it used came from two "internet-based books corpora" that it called "Books1" and "Books2." According to a lawsuit by the comedian Sarah Silverman and two other authors against OpenAI, Books2 is most likely a "flagrantly illegal" shadow library.

These sites have been under scrutiny for some time. The Authors Guild, which organized the authors' open letter to tech executives, cited studies in 2016 and 2017 that suggested text piracy depressed legitimate book sales by as much as 14 percent.

Efforts to shut down these sites have floundered. Last year, the F.B.I., with help from the Authors Guild, charged two people accused of running Z-Library with copyright infringement, fraud and money laundering. But afterward, some of these sites were moved to the dark web and torrent sites, making it harder to trace them. And because many of these sites are run outside the United States and anonymously, actually punishing the operators is a tall task.

Tech companies are becoming more tight-lipped about the data used to train their systems.

AI

AI Watches Millions of Cars and Tells Cops if You Might Be a Criminal (forbes.com) 155

Forbes' senior writer on cybersecurity writes on the "warrantless monitoring of citizens en masse" in the United States.

Here's how county police armed with a "powerful new AI tool" identified the suspicious driving pattern of a grey Chevy owned by David Zayas: Searching through a database of 1.6 billion license plate records collected over the last two years from locations across New York State, the AI determined that Zayas' car was on a journey typical of a drug trafficker. According to a Department of Justice prosecutor filing, it made nine trips from Massachusetts to different parts of New York between October 2020 and August 2021 following routes known to be used by narcotics pushers and for conspicuously short stays. So on March 10 last year, Westchester PD pulled him over and searched his car, finding 112 grams of crack cocaine, a semiautomatic pistol and $34,000 in cash inside, according to court documents. A year later, Zayas pleaded guilty to a drug trafficking charge.

The previously unreported case is a window into the evolution of AI-powered policing, and a harbinger of the constitutional issues that will inevitably accompany it... Westchester PD's license plate surveillance system was built by Rekor, a $125 million market cap AI company trading on the NASDAQ. Local reporting and public government data reviewed by Forbes show Rekor has sold its ALPR tech to at least 23 police departments and local governments across America, from Lauderhill, Florida to San Diego, California. That's not including more than 40 police departments across New York state who can avail themselves of Westchester County PD's system, which runs out of its Real-Time Crime Center... It also runs the Rekor Public Safety Network, an opt-in project that has been aggregating vehicle location data from customers for the last three years, since it launched with information from 30 states that, at the time, were reading 150 million plates per month. That kind of centralized database with cross-state data sharing has troubled civil rights activists, especially in light of recent revelations that Sacramento County Sheriff's Office was sharing license plate reader data with states that have banned abortion...

The ALPR market is growing thanks to a glut of Rekor rivals, including Flock, Motorola, Genetec, Jenoptik and many others who have contracts across federal and state governments. They're each trying to grab a slice of a market estimated to be worth at least $2.5 billion... In pursuit of that elusive profit, the market is looking beyond law enforcement to retail and fast food. Corporate giants have toyed with the idea of tying license plates to customer identities. McDonalds and White Castle have already begun using ALPR to tailor drive-through experiences, detecting returning customers and using past orders to guide them through the ordering process or offer individualized promotion offers. The latter restaurant chain uses Rekor tech to do that via a partnership with Mastercard.

A senior staff attorney at the ACLU tells Forbes that "The scale of this kind of surveillance is just incredibly massive."

Thanks to long-time Slashdot reader Geek_Cop for sharing the article.

Iphone

Russia Bans Thousands of Officials From Using iPhones Over Spying Fears (gizmodo.com) 109

Gizmodo reports: Thousands of top Russian officials and state employees have reportedly been banned from using iPhones and other Apple products over concerns they could serve as surreptitious spying tools for Western intelligence agencies...

Russia's trade minister, according to a Financial Times report, said the new ban will take effect Monday, July 17. The move affects a variety of Apple products from iPhones, iPads, and laptops, and builds off of similar restrictions already put in place by the digital development ministry and state-owned defense conglomerate Rostec. Kremlin officials also advised staff working on Vladimir Putin's 2024 presidential re-election campaign against using a variety of US-developed smartphones over similar espionage concerns earlier this year...

Russian intelligence officials last month accused the US National Security Agency of hacking into thousands of Russian-owned iPhones and targeting the phones of foreign diplomats based in Russia... To be clear, Russian officials still haven't provided any clear evidence proving the alleged US conspiracy. Apple has also publicly denied the claims and recently told the Times it "has never worked with any government to build a backdoor into any Apple product, and never will."

The Financial Times got a skeptical response to that from Dmitry Medvedev, deputy head of Russia's Security Council and one of the country's fiercest hardliners. "When a big tech company ... claims it does not co-operate with the intelligence community — either it lies shamelessly or it is about to [go bust]."

Thanks to Slashdot reader dovthelachma for sharing the news.

Privacy

Roblox Data Leak Sees 4,000 Developer Profiles Including Identifying Information Made Public (pcgamer.com) 10

The major gaming platform Roblox has suffered a major data breach, leading to the release of personal information including addresses from those who attended the Roblox Developer Conference between 2017-2020. PCGamer reports: The leak contains almost 4,000 names, phone numbers, email addresses, dates of birth, and physical addresses. Such identifying information is gold dust for bad actors, and raises serious questions about the data security of one of the largest gaming platforms around. The website haveibeenpwned says the original breach date was 18 December 2020, with the information becoming available on 18 July 2023, with a total of 3,943 compromised accounts. The site notes that as well as all the above information, the leak even includes each individual's t-shirt size.

The implications of this for those affected are identity theft and scams, with the quantity of data especially worrying: this is basically all you need to effectively impersonate someone. Beyond the above statement, Roblox has made no further comment, and it's likely that the ramifications of this will continue to unfold for some time, especially if anyone on the list is indeed targeted. Anyone concerned should search on haveibeenpwned and enable two-factor authentication on all accounts (as well as keeping an especially close eye on bank transactions for a while). Troy Hunt, the engineer behind haveibeenpwned, said the leak was posted in 2021 but according to an unnamed source didn't spread outside of niche Roblox communities, while at the time the company did not publicly disclose the leak or alert anyone affected. The leak then appeared on a public forum a few days ago.

"Roblox is aware of a third-party security issue where there were indications of unauthorized access to limited personal information of a subset of our creator community," said a Roblox spokesperson to PC Gamer. "We engaged independent experts to support the investigation led by our information security team. Those who are impacted will receive an email communicating the next steps we are taking to support them. We will continue to be vigilant in monitoring and vetting the cyber security posture of Roblox and our third-party vendors."

Emulation (Games)

Dolphin Emulator Abandons Steam Release Plans After Nintendo Legal Threat (arstechnica.com) 16

An anonymous reader quotes a report from Ars Technica: A few months ago, the developers behind the Wii/GameCube emulator Dolphin said they were indefinitely postponing a planned Steam release, after Steam-maker Valve received a request from Nintendo to take down the emulator's "coming soon" page. This week, after consulting with a lawyer, the team says it has decided to abandon its Steam distribution plans altogether. "Valve ultimately runs the store and can set any condition they wish for software to appear on it," the team wrote in a blog post on Thursday. "In the end, Valve is the one running the Steam storefront, and they have the right to allow or disallow anything they want on said storefront for any reason."

The Dolphin team also takes pains to note that this decision was not the result of an official DMCA notice sent by Nintendo. Instead, Valve reached out to Nintendo to ask about the planned Dolphin release, at which point a Nintendo lawyer cited the DMCA in asking Valve to take down the page. At that point, the Dolphin team says, Valve "told us that we had to come to an agreement with Nintendo in order to release on Steam... But given Nintendo's long-held stance on emulation, we find Valve's requirement for us to get approval from Nintendo for a Steam release to be impossible. Unfortunately, that's that." "As for Nintendo, this incident just continues their existing stance towards emulation," the post continues. "We don't think that this incident should change anyone's view of either company."

Despite the disappointing result for the Steam release, the Dolphin team is adamant that "we do not believe that Dolphin is in any legal danger." That's despite the emulator's inclusion of the Wii Common Key, which could run afoul of the DMCA's anti-circumvention provisions. The Dolphin Team notes that the Wii Common Key has been freely shared across the Internet since its initial discovery and publication in 2008. And while that key has been in the Dolphin code base since 2009, "no one has really cared," the team writes. [...] With what they believe is a firm legal footing, the team writes that Dolphin development will continue away from Steam, but including a number of UI and quality of life features originally designed for the Steam release. Meanwhile, emulators like RetroArch and the innovative 3dSen continue to be available on Steam, with no immediate sign of a further crackdown from Valve or Nintendo.

Government

Hacking of Government Email Was Traditional Espionage, NSA Official Says (nytimes.com) 20

The hack of Microsoft's cloud that resulted in the compromise of government emails was an example of a traditional espionage threat, a senior National Security Agency official said. From a report: Speaking at the Aspen Security Forum, Rob Joyce, the director of cybersecurity at the N.S.A., said the United States needed to protect its networks from such espionage, but that adversaries would continue to try to secretly extract information from each other. "It is China doing espionage," Mr. Joyce said. "It is what nation-states do. We have to defend against it, we need to push back against it. But that is something that happens."

The hackers took emails from senior State Department officials including Nicholas Burns, the U.S. ambassador to China. The theft of Mr. Burns's emails was earlier reported by The Wall Street Journal and confirmed by a person familiar with the matter. Daniel J. Kritenbrink, the assistant secretary of state for East Asia, also had his email hacked, a U.S. official said. The emails of Commerce Secretary Gina Raimondo were also obtained in the hack, which was discovered in June by State Department cybersecurity experts scouring user logs for unusual activity. Microsoft later determined that Chinese hackers had obtained access to email accounts a month earlier.

Government

OpenAI, Microsoft, Google, Meta and Amazon Pledge To Watermark AI Content For Safety, White House Says (reuters.com) 47

Top AI companies including OpenAI, Alphabet and Meta Platforms have made voluntary commitments to the White House to implement measures such as watermarking AI-generated content to help make the technology safer, the Biden administration said on Friday. From a report: The companies -- which also include Anthropic, Inflection, Amazon.com and OpenAI partner Microsoft -- pledged to thoroughly test systems before releasing them and share information about how to reduce risks and invest in cybersecurity.

The move is seen as a win for the Biden administration's effort to regulate the technology which has experienced a boom in investment and consumer popularity. Since generative AI, which uses data to create new content like ChatGPT's human-sounding prose, became wildly popular this year, lawmakers around the world began considering how to mitigate the dangers of the emerging technology to national security and the economy.

Piracy

70% of Russian Gamers Are Pirates Following Western Publisher Exodus (torrentfreak.com) 93

According to a new study from online game development platform School XYZ, the exodus of major international video game publishers from Russia led to a sharp rise in the number of video gamers playing pirated games. TorrentFreak reports: Almost seven out of ten video gamers (69%) said they'd played at least one pirated copy in 2022, and more than half (51%) said that they're now pirating more than they did in 2021. As first reported by the Russian news outlet Vedomosti (paywall), the study was conducted across all regions of Russia and took into account all unlicensed game formats, in most cases downloaded from torrent sites. While over a quarter of respondents (27%) said they'd pirated three PC games in 2022, and 20% confessed to pirating more than 10, other figures from the study are more positive. Of the 31% of gamers who reported pirating nothing in 2022, all said that they were opposed to piracy. Just 7% of gamers admitted to buying no games at all in 2022, meaning that 93% bought at least one piece of legitimate content.

According to Alexander Kuzmenko, the former editor of Russian videogame magazine and gaming website Igromania (Game Mania), it's not just the departure of publishers including Sony, Microsoft, and Nintendo causing problems for gamers. When platforms like Steam and GOG, known for their ease of access, stopped supporting Russian bank cards, barriers appeared in a previously frictionless system. Yegor Tomsky, CEO at Watt Studio, agrees that buying content has become much more difficult. "Players are used to buying games on Steam in one click, and now, to buy a game, you need to perform the same actions as when downloading a pirated version, so everyone chooses to save money," Tomsky says.

As the Russian economy faces huge difficulties directly linked to the invasion of Ukraine, some fear that game piracy rates are heading towards the 90%+ mark last seen around two decades ago. People everywhere are trying to save money and according to Konstantin Sakhnov, co-founder of Vengeance Games, overseas game publishers may see lost profits reach $200-$300 million. A report from Kommersant published today indicates that local companies are also feeling the pain. According to data published by job search platform HH.ru, during the first half of 2023 the number of vacancies for video game developers in Russia plummeted 38%.

Security

Firmware Vulnerabilities In Millions of Computers Could Give Hackers Superuser Status (arstechnica.com) 23

Researchers have warned that leaked information from a ransomware attack on hardware-maker Gigabyte two years ago may contain critical zero-day vulnerabilities that pose a significant risk to the computing world. The vulnerabilities were found in firmware made by AMI for BMCs (baseboard management controllers), which are small computers integrated into server motherboards allowing remote management of multiple computers. These vulnerabilities, which can be exploited by local or remote attackers with access to Redfish remote management interfaces, could lead to unauthorized access, remote code execution, and potential physical damage to servers. Ars Technica reports: Until the vulnerabilities are patched using an update AMI published on Thursday, they provide a means for malicious hackers -- both financially motivated or nation-state sponsored -- to gain superuser status inside some of the most sensitive cloud environments in the world. From there, the attackers could install ransomware and espionage malware that runs at some of the lowest levels inside infected machines. Successful attackers could also cause physical damage to servers or indefinite reboot loops that a victim organization can't interrupt. Eclypsium warned such events could lead to "lights out forever" scenarios.

The researchers went on to note that if they could locate the vulnerabilities and write exploits after analyzing the publicly available source code, there's nothing stopping malicious actors from doing the same. And even without access to the source code, the vulnerabilities could still be identified by decompiling BMC firmware images. There's no indication malicious parties have done so, but there's also no way to know they haven't. The researchers privately notified AMI of the vulnerabilities, and the company created firmware patches, which are available to customers through a restricted support page. AMI has also published an advisory here.

Government

IRS Moves Forward With a New Free-File Tax Return System (pbs.org) 122

An anonymous reader quotes a report from PBS: An IRS plan to test drive a new electronic free-file tax return system next year has got supporters and critics of the idea mobilizing to sway the public and Congress over whether the government should set up a permanent program to help people file their taxes without needing to pay somebody else to figure out what they owe. On one side, civil society groups this week launched a coalition to promote the move toward a government-run free-file program. On the other, tax preparation firms like Intuit -- the parent company of TurboTax -- and H&R Block have been pouring millions into trying to stop the idea cold. The advocacy groups are exponentially out-monied.

An April AP analysis found that overall, Intuit, H&R Block, and other private companies and advocacy groups for large tax preparation businesses, as well as proponents in favor of electronic free file, have reported spending $39.3 million since 2006 to lobby on "free-file" and other matters. Federal law doesn't require domestic lobbyists to itemize expenses by specific issue, so the sums are not limited to free-file. Intuit spent at least $25.6 million since 2006 on lobbying, H&R Block about $9.6 million and the conservative Americans for Tax Reform roughly $3 million. In contrast, the NAACP has spent $140,000 lobbying on "free-file" since 2006 and Public Citizen has spent $110,000 in the same time frame. "What we have on our side is public opinion," said Igor Volsky, executive director of the liberal Groundwork Action advocacy group. Volsky's organization and leaders from Public Citizen, the Center for the Study of Social Policy, Code for America, the Economic Security Project and others launched the "Coalition for Free and Fair Filing" on Wednesday. The group's mission is to "ensure all U.S. taxpayers can easily file tax returns and get the tax credits they deserve by safeguarding and expanding" the new IRS program. "The overwhelming majority of people demand a free-file option," Volsky said. "Now the question for us is how do you channel that into effective political pressure."

The IRS in May released a report that said most taxpayers are interested in filing their taxes directly to the IRS for free, and concurrently announced plans to launch the pilot program for the 2024 filing season. The goal is to test a direct file system that will help the IRS decide whether to move forward with a more permanent program. That idea has faced the immediate threat of budget cuts from congressional Republicans. Republicans on the House Appropriations Committee in June proposed a budget rider that would prohibit funds to be used for the IRS to create a government-run tax preparation software, unless approved by a group of House and Senate committees. The move "safeguards the IRS from an obvious conflict of interest where the tax collector becomes the tax preparer," the bill's summary states.

Google

Google Starts the GA Rollout of Its Privacy Sandbox APIs To All Chrome Users (techcrunch.com) 11

Google continues the rollout of its Privacy Sandbox APIs -- its replacement for tracking cookies for the online advertising industry. From a report: Today, right on schedule and in time for the launch of Chrome 115 into the stable release channel, Google announced that it will now start enabling the relevance and measurement APIs in its browser. This will be a gradual rollout, with Google aiming for a 99% availability by mid-August. At this point, Google doesn't expect to make any major changes to the APIs. This includes virtually all of the core Privacy Sandbox features, including Topics, Protected Audience, Attribution Reporting, Private Aggregation, Shared Storage and Fenced Frames. It's worth noting that for the time being, Privacy Sandbox will run in parallel with third-party cookies in the browser. It won't be until early 2024 that Google will deprecate third-party cookies for 1% of Chrome users. After that, the process will speed up though and Google will deprecate these cookies for all users by the second half of 2024.

Government

Senators Unveil Measure To Ban Stock Ownership By Lawmakers, Administration Officials (thehill.com) 100

A bipartisan pair of senators unveiled a bill Wednesday to ban stock ownership by lawmakers and administration officials. The Hill reports: The bill, introduced by Sens. Kirsten Gillibrand (D-N.Y.) and Josh Hawley (R-Mo.), would establish firmer stock trading bans and disclosure requirements for lawmakers, senior executive branch officials and their spouses and dependents. The bill would ban congressional members, the president, vice president, senior executive branch members, and their spouses and dependents from holding or trading stocks, with no exception to blind trusts. Congressional members who violate this ban would be required to pay at least 10 percent of the banned investments.

The legislation also establishes harsh penalties for executive branch stock trading, requiring executive branch officials to give up profits from covered finance interests to the Department of Treasury, while also facing a fine from the Automatic Special Counsel. Congressional members, senior congressional staff and senior executive branch employees would also be required to report if they, a spouse or a dependent applies for or receives a "benefit of value" from the federal government, including loans, contracts, grants, agreements and payments. If they fail to file, they will face a $500 penalty.

The bill aims to increase transparency, requiring public databases of personal financial disclosures and financial transaction filings required by the STOCK Act, which prohibits members of Congress from using insider information when buying and selling stocks. The penalty for failing to file STOCK Act transaction reports would also increase from $200 to $500.

Security

US Government Launches Its Long-Awaited IoT Security Labeling Program (techcrunch.com) 22

An anonymous reader quotes a report from TechCrunch: The Biden administration has launched its long-awaited Internet of Things (IoT) cybersecurity labeling program that aims to protect Americans against the myriad of security risks associated with internet-connected devices. The program, officially named the "U.S. Cyber Trust Mark," aims to help Americans ensure they are buying internet-connected devices that include strong cybersecurity protections against cyberattacks. The Internet of Things, a term encompassing everything from fitness trackers and routers to baby monitors and smart refrigerators, has long been considered a weak cybersecurity link. Many devices ship with easy-to-guess default passwords and offer a lack of regular security updates, putting consumers at risk of being hacked.

The Biden administration says its voluntary Energy Star-influenced labeling system will "raise the bar" for IoT security by enabling Americans to make informed decisions about the security credentials of the internet-connected devices they buy. The U.S. Cyber Trust Mark will take the form of a distinct shield logo, which will appear on products that meet established cybersecurity criteria. This criterion, established by the National Institute of Standards and Technology (NIST), will require, for example, that devices require unique and strong default passwords, protect both stored and transmitted data, offer regular security updates, and ship with incident detection capabilities.

The full list of standards is not yet finalized. The White House said that NIST will immediately start work on defining cybersecurity standards for "higher-risk" consumer-grade routers, devices that attackers frequently target to steal passwords and create botnets that can be used to launch distributed denial-of-service (DDoS) attacks. This work will be completed by the end of 2023, with the aim that the initiative will cover these devices when it launches in 2024. In a call with reporters, the White House confirmed that the Cyber Trust Mark will also include a QR code that will link to a national registry of certified devices and provide up-to-date security information, such as software updating policies, data encryption standards and vulnerability remediation.

Amazon and Best Buy are some of the first major U.S. retailers to have signed up for the initiative. Others include Cisco, Google, LG, Qualcomm and Samsung.

The U.S. Department of Energy also said it is working with industry partners to develop cybersecurity labeling requirements for smart meters and power inverters.

Privacy

Footage From Amazon's In-Van Surveillance Cameras Is Leaking Online (vice.com) 25

An anonymous reader quotes a report from Motherboard: A phone-recorded video posted to Reddit shows a wooden desk strewn with various office supplies. On a monitor on the desk, a video begins to play: an Amazon delivery driver, being recorded by a driver-facing camera in their van, leans out of their window to talk to a customer. Though the video is cute, the setup is not: The camera's AI tracks their movements, surrounding them with a bright green box. Below them on the monitor's screen, a yellow line marks the length of the clip sent to the driver's dispatcher. Above them sits a timecode and a speed marker of "0 MPH." The driver opens their door, and moments later, a small French bulldog leaps into the van, tail wagging. The driver is delighted. The person behind the camera laughs a little. [...] The desk set-up looks consistent with that of an Amazon delivery service partner (DSP), the small-business contractors responsible for Amazon's door-to-door deliveries. The DSPs usually operate out of Amazon delivery warehouses, where they are given a desk like the one in the video, in a small area of the warehouse, out of which they select routes, dispatch drivers, and monitor their actions on the road with the help of the cameras.

The video is one of a slew of in-van surveillance videos recently posted to Reddit, a phenomenon which hasn't frequently been seen on the site before. Over the past two weeks, many users in the Amazon delivery service partner drivers subreddit (r/AmazonDSPDrivers) have shared video footage from the cameras, either directly or by recording it on their phone from a monitor within the warehouse. It is clear that many of the videos are not being posted by the subject of the video themselves, and highlights the fact that Amazon drivers, who already have incredibly difficult jobs, are being monitored at all times.

When Motherboard first wrote about the "Biometric Consent" form drivers had to sign that allows them to be monitored while on the job, Amazon insisted that the program was about safety only, and that workers shouldn't be worried about their privacy: "Don't believe the self-interested critics who claim these cameras are intended for anything other than safety," a spokesperson told us at the time. But this video, and a rash of others that have recently become public, shows that access to the camera feeds is being abused. [...] It's not clear why there has been a sudden spate of videos being posted publicly. One current Amazon delivery driver said that the drivers themselves did not have access to the videos -- only Amazon, Netradyne, and the relevant DSPs did.

Facebook

Meta Faces a $100,000 Daily Fine If It Doesn't Fix Privacy Issues In Norway (engadget.com) 26

Norway's data protection regulator has accused Meta of violating user privacy by tracking their activities, threatening to fine the company $100,000 per day if it fails to take corrective action. "It is so clear that this is illegal that we need to intervene now and immediately," said Tobias Judin, head of Norway's privacy commission, Datatilsynet. Engadget reports: The move follows a European court ruling banning Meta from harvesting user data like location, behavior and more for advertising. Datatilsynet has referred its actions to Europe's Data Protection Board, which could widen the fine across Europe. The aim is to put "additional pressure" on Meta, Judin said. (Norway is a member of the European single market, but not technically an EU member.)

Meta told Reuters that it's reviewing Datatilsynet's decision and that the decision wouldn't immediately impact its services. "We continue to constructively engage with the Irish DPC, our lead regulator in the EU, regarding our compliance with its decision," a spokesperson said. "The debate around legal bases has been ongoing for some time and businesses continue to face a lack of regulatory certainty in this area."

Privacy

Typo Leaks Millions of US Military Emails To Mali Web Operator (ft.com) 52

Millions of US military emails have been misdirected to Mali through a "typo leak" that has exposed highly sensitive information, including diplomatic documents, tax returns, passwords and the travel details of top officers. Financial Times: Despite repeated warnings over a decade, a steady flow of email traffic continues to the .ML domain, the country identifier for Mali, as a result of people mistyping .MIL, the suffix to all US military email addresses. The problem was first identified almost a decade ago by Johannes Zuurbier, a Dutch internet entrepreneur who has a contract to manage Mali's country domain.

Zuurbier has been collecting misdirected emails since January in an effort to persuade the US to take the issue seriously. He holds close to 117,000 misdirected messages -- almost 1,000 arrived on Wednesday alone. In a letter he sent to the US in early July, Zuurbier wrote: "This risk is real and could be exploited by adversaries of the US."

Crime

Teenagers Have Bought 'Ghost Guns' Online, Sometimes with Deadly Consequences (msn.com) 462

The Washington Post begins a recent article with the story of an 18-year-old drug dealer with mental health issues named Zachary Burkard, who shot two unarmed 17-year-olds with a "ghost gun" he built from a kit bought online.

The father of one of those 17-year-olds thinks "They've just made it entirely too easy to get these guns... A child can buy one. There's no background checks. You don't even need a bank account. You can go to 7-Eleven and get a debit card, put money on it and buy a gun." The families of the two teens, with the help of the anti-gun-violence group Everytown for Gun Safety, are now suing the distributor of the parts Burkard used to make his ghost gun, 80P Builder of Florida, and the manufacturer, Polymer80 of Nevada, for gross negligence in providing a teenager with a weapon when he was not legally able to buy a handgun from a federally licensed dealer. The case, those who track the weapons say, demonstrates a frightening phenomenon... Teenagers have discovered the ease with which they can acquire the parts for a ghost gun, and they have been buying, building and shooting the homemade guns with alarming frequency. Everytown for Gun Safety compiled a list of more than 50 incidents involving teens and ghost guns since 2019. Among them:

- In Brooklyn Park, Minn., police arrested two teens with ghost guns in December after authorities said one of them attempted to shoot someone outside their car but instead killed their friend inside it.
- In New Rochelle, N.Y., a 16-year-old created a "ghost gun factory" in his bedroom last year, police said, before killing another 16-year-old...

The Bureau of Alcohol, Tobacco and Firearms (ATF) estimated that Polymer80 was responsible for more than 88 percent of the ghost guns recovered by police between 2017 and 2021, though there are nearly 100 manufacturers selling parts, or full kits, which can be made into unserialized guns, a list compiled by Everytown shows. Teens are hardly the only users. Last year, police departments seized at least 25,785 ghost guns nationwide, the Justice Department said recently, and those are just the weapons submitted by police to ATF for tracing, even though they don't have serial numbers and largely cannot be traced. In 2021, the number of guns recovered was 19,344, meaning seizures rose 33 percent the following year.

ATF has linked ghost guns to 692 homicides and nonfatal shootings through 2021, including mass killings and school shootings...

[This May] in Baltimore, authorities arrested three 14-year-olds after armed robberies and an armed carjacking. Police said one of them had a ghost gun. And in Valdosta, Ga., authorities said, a 16-year-old bought a ghost gun kit online in 2021 and assembled her own Glock-style pistol. One day while some friends were at her house, the teen accidentally shot a 14-year-old in the head, leaving him partially paralyzed, with severe brain damage and permanent physical and cognitive issues, his family's lawyer Melvin Hewitt said.

While some states have passed regulations, last year America's national firearm-regulating agency also declared parts of ghost guns to be firearms, according to the article, in an attempt to close a commonly-cited loophole. The parts makers challenged the new rule in court, lost twice, then won in a conservative federal court in Texas. The U.S. Justice Department may now appeal that decision to the higher Fifth Circuit court, and if it loses there "could appeal to the Supreme Court." Dudley Brown, the president of the National Association for Gun Rights, said he is against all regulation of privately made firearms, calling the practice of building weapons a "long and storied tradition in America."

United States

Bank of America Fined $250M for 'Systematic' Overcharging, Opening Unwanted Credit Cards (msn.com) 80

Bank of America "will pay more than $250 million in refunds and fines," reports the Washington Post, "after federal regulators found the company systematically overcharged customers, withheld promised bonuses and opened accounts without customer approval." The Consumer Financial Protection Bureau [or CFPB] found the bank made "substantial additional revenue" for years by repeatedly charging customers $35 overdraft fees on the same transaction. The bank also denied cash and points bonuses it had pledged to tens of thousands of credit card customers. And starting in 2012, Bank of America employees enrolled customers in credit card accounts without their approval, obtaining credit reports without permission to complete the applications, the bureau said.

The bureau's director emphasized that "These practices are illegal and undermine customer trust," adding that America's CFPB "will be putting an end to these practices across the banking system."

The Post points out that Bank of America will now pay more than $100 million in restitution to customers, a $90 million fine to the CFPB and another $60 million fine to the Office of the Comptroller of the Currency. "Bank of America already has refunded customers denied credit card rewards and bonuses, the consumer bureau said. It will be repaying those it overcharged on fees by depositing funds into their account or sending a check..."

But how widespread is the problem? Hundreds of thousands of customers were harmed over several years, the consumer agency said. Bank of America is the second largest U.S. bank, with 68 million residential and small business customers... In extra fees alone, the bank charged customers "tens of millions of dollars" between March 2020 and November 2021, federal regulators found. The regulator said Bank of America in that period hit customers with a $35 fee if they had insufficient funds to cover a charge. If the customer still lacked funds when the merchant resubmitted the transaction, the company assessed another $35 penalty... And bank employees opened credit card accounts for customers without their knowledge in a bid to meet individual sales goals, the CFPB said...

[T]he practice has given the banking industry a major black eye in recent years. Wells Fargo reached a $3.7 billion settlement with federal regulators in December over a range of violations, including opening millions of fake accounts. The CFPB fined U.S. Bank $37.5 million last summer over its own sham accounts scandal.

This is not Bank of America's first brush with federal regulators over its treatment of customers. The CFPB ordered the company to pay $727 million in 2014 over illegal credit card practices. The company paid another $225 million last year in fines over mishandling state unemployment benefits during the pandemic and a separate $10 million civil penalty over unlawful garnishments.

"The company did not admit or deny wrongdoing in its settlement with the agency..." notes the article. But a statement from the chairman of the U.S. Senate Banking Committee said Bank of America "has clearly broken the law in yet another case of Wall Street banks taking Americans' money to pad their already-massive profits...

"This kind of abuse is why we will continue to hold the big banks accountable, and it's why we need the Consumer Financial Protection Bureau — so consumers can keep their hard-earned money."

Privacy

Massachusetts Considers Ban on Sales of Cellphone Location Data (wbur.org) 16

"While some states have taken steps to protect cell phone information, Massachusetts could become the first state to outright ban the sale of location data from cell phones," reports WBUR: Data brokers are able to buy and sell cell phone location data to anyone with a credit card without many restrictions. "There's very little in terms of law that prevents companies from doing this, as long as they at least include somewhere in their privacy policies that this is something that they're doing," said Andrew Sellars, a Boston University law professor and director of the Technology Law Clinic. Sellars said that there have been recent updates to operating systems that can alert users when their data is being tracked or obscure the specificity of the users' location, but overall there's little protection for buying and selling location data.

Can law enforcement agencies buy cell phone data? Yes. Sellars says that under the current law, law enforcement can circumvent obtaining a warrant to get data by buying data directly from brokers. "The Electronic Privacy Information Center has done some studies on this recently and shown that there's been a growing market of consumer location data that's handled by data brokers being bought by law enforcement at all different levels: federal, state, and local law enforcement," said Sellars...

The bill provides a defined scope of purpose in which companies can collect and use a customer's location data. Under the legislation, companies would only be allowed to use location data to provide a product or service that a consumer wants. "For example, if you are ordering food on a food app and it's using your location to know where to deliver the food, that would be a permissible use," said Sellars. "But aside from that, you are essentially prohibited from doing anything else with the data."

Earlier this week WBUR noted that the Massachusetts bill is "pending" before a state-government committee, "which has not scheduled a hearing on it."

AI

ChatGPT-Powered Bing Sued for Libel Over Its AI-Induced Hallucinations (reason.com) 21

Long-time Slashdot reader schwit1 shared this report from Reason.com: When people search for Jeffery Battle in Bing, they get the following (at least sometimes; this is the output of a search that I ran Tuesday):

Jeffrey Battle, also known as The Aerospace Professor, is the President and CEO of Battle Enterprises, LLC, and its subsidiary The Aerospace Professor Company... Battle was sentenced to eighteen years in prison after pleading guilty to seditious conspiracy and levying war against the United States...

But it turns out that this combines facts about two separate people with similar names: (1) Jeffery Battle, who is indeed apparently a veteran, businessman, and adjunct professor, and (2) Jeffrey Leon Battle, who was convicted of trying to join the Taliban shortly after 9/11. The two have nothing in common other than their similar names. The Aerospace Professor did not plead guilty to seditious conspiracy....

[T]o my knowledge, this connection was entirely made up out of whole cloth by Bing's summarization feature (which is apparently based on ChatGPT); I know of no other site that actually makes any such connection (which I stress again is an entirely factually unfounded connection).

Battle is now suing Microsoft for libel over this...

United States

US Announces $39 Billion in New Student Debt Relief (cnn.com) 194

"The Biden administration announced Friday that 804,000 borrowers will have their student debt wiped away, totaling $39 billion worth of debt, in the coming weeks..." reports CNN.

That's an average of $48,507 per borrower, each of whom has "been paying down their debts for 20 years or more and should qualify for relief," according to a statement from the administration. Friday's action addresses "historical failures" and administrative errors that miscounted qualifying payments made by borrowers, according to the Department of Education...

Since Biden took office, his administration has approved $116.6 billion in student debt relief for more than 3.4 million Americans, according to the Department of Education... Despite the Supreme Court last month striking down Biden's loan forgiveness program to provide millions of borrowers up to $20,000 in one-time federal student debt relief, his administration has continued to pursue other avenues to cancel debt and make it easier for borrowers to receive loan forgiveness...

While not part of today's actions, the Department of Education is also moving ahead with a separate and significant change to the federal student loan system that will enable Americans to enroll in a new income-driven repayment plan... Once the plan is fully implemented, people will see their monthly bills cut in half and remaining debt canceled after making at least 10 years of payments.

Last month the administration described student debt relief as "good for the economy... [G]ood for the country."

NASA

Congress Prepares To Continue Throwing Money At NASA's Space Launch System (techcrunch.com) 59

Congress will pour billions more dollars into the Space Launch System (SLS) rocket and its associated architecture, even as NASA science missions remain vulnerable to cuts. TechCrunch reports: Both the House and Senate Appropriations Committees recommend earmarking around $25 billion for NASA for the next fiscal year (FY 24), which is in line with the amount of funding the agency received this year (FY 23). However, both branches of Congress recommend increasing the portion of that funding that would go toward the Artemis program and its transportation cornerstones, SLS and the Orion crew capsule. Those programs would receive $7.9 billion per the House bill or $7.74 billion per the Senate bill, an increase of about $440 million from FY 2023 levels. Meanwhile, science missions are looking at cuts of around that same amount, with the House recommending a budget of $7.38 billion versus $7.79 billion in FY 2023.

Overall, NASA received $25.4 billion in funding for FY '23, with $2.6 billion earmarked toward SLS, $1.34 billion to Orion, and $1.48 to the Human Landing System contract programs. Science programs -- which include the Mars Sample Return mission and Earth science missions -- received $7.8 billion overall.

Government

Federal HQ Buildings Only Used At 25% of Capacity (techtarget.com) 52

dcblogs writes: According to federal officials at a U.S. House hearing Thursday, the monumental federal buildings in Washington are largely empty, with some agencies using 25% or less of their headquarters' building capacity on average. The government owns some 511 million square feet of office space, and capacity problems open the door to the possibility of conversions to housing or commercial uses. Commercial reuse has happened before. In 2013, the General Services Administration leased the Old Post Office Building at 1100 Pennsylvania Ave., to the Trump organization for a hotel.

"The taxpayer is quite literally paying to keep the lights on even when no one is home," said Rep. Scott Perry (R-Pa.), who chairs the infrastructure subcommittee meeting. The blame for the low utilization has several causes: a shift to hybrid work, out-of-date buildings that waste space, and designs before technology reduced the need for certain types of workers. The Republicans want federal workers to return to offices and reduce telecommuting to at least pre-pandemic levels. In February, the House passed H.R. 139, the Stopping Home Office Work's Unproductive Problems Act of 2023 -- or the Show Up Act -- requiring agencies to revert to 2019 pre-pandemic telework policies. A companion bill, S. 1565, is pending in the Senate. It has six Republican sponsors but no Democrats.

DRM

Internet Archive Targets Book DRM Removal Tool With DMCA Takedown (torrentfreak.com) 20

The Internet Archive has taken the rather unusual step of sending a DMCA notice to protect the copyrights of book publishers and authors. The non-profit organization asked GitHub to remove a tool that can strip DRM from books in its library. The protective move is likely motivated by the ongoing legal troubles between the Archive and book publishers. TorrentFreak reports: The Internet Archive sent a takedown request to GitHub, requesting the developer platform to remove a tool that circumvents industry-standard technical protection mechanisms for digital libraries. This "DeGouRou" software effectively allows patrons to save DRM-free copies of the books they borrow. "This DMCA complaint is about a tool made available on github which purports to circumvent technical protections in violation of the copyright act section 1201," the notice reads. "I am reporting a Git which provides a tool specifically used to circumvent industry standard library TPMs which are used by Internet Archive, and other libraries, to permit patrons to borrow an encrypted book, read the encrypted book, and return an encrypted book."

Interestingly, an IA representative states that they are "not authorized by the copyright owners" to submit this takedown notice. Instead, IA is acting on its duty to prevent the unauthorized downloading of copyright-protected books. It's quite unusual to see a party sending takedown notices without permission from the actual rightsholders. However, given the copyright liabilities IA faces, it makes sense that the organization is doing what it can to prevent more legal trouble. Permission or not, GitHub honored the takedown request. It removed all the DeGourou repositories that were flagged and took the code offline. [...] After GitHub removed the code, it soon popped up elsewhere.

United States

Ancient Lead-Covered Telephone Cables Have US Lawmakers Demanding Action (arstechnica.com) 65

An anonymous reader quotes a report from Ars Technica: Newly raised concerns about lead-covered telephone cables installed across the US many decades ago are putting pressure on companies like AT&T and Verizon to identify the locations of all the cables and account for any health problems potentially caused by the toxic metal. US Sen. Edward Markey (D-Mass.) wrote a letter to the USTelecom industry trade group this week after a Wall Street Journal investigative report titled, "America Is Wrapped in Miles of Toxic Lead Cables." The WSJ said it found evidence of more than 2,000 lead-covered cables and that there "are likely far more throughout the country."

WSJ reporters had researchers collect samples as part of their investigation. They "found that where lead contamination was present, the amount measured in the soil was highest directly under or next to the cables, and dropped within a few feet -- a sign the lead was coming from the cable," the article said. Markey wrote to USTelecom, "According to the Wall Street Journal's investigation, 'AT&T, Verizon and other telecom giants have left behind a sprawling network of cables covered in toxic lead that stretches across the US, under the water, in the soil and on poles overhead... As the lead degrades, it is ending up in places where Americans live, work and play.'"

Markey wants answers to a series of questions by July 25: "Do the companies know the locations and mileage of lead-sheathed cables that they own or for which they are responsible -- whether aerial, underwater, or underground? Are there maps of the locations and installations? If not, what plans do the companies have to identify the cables? Why have the companies that knew about the cables -- and the potential exposure risks they pose -- failed to monitor them or act?" Markey also asked what plans telcos have to address environmental and public health problems that could arise from lead cables. He asked the companies to commit to "testing for soil, water, and other contamination caused by the cables," to remediate any contamination, and warn communities of the potential hazards. Markey also asked USTelecom if the phone companies will guarantee "medical treatment and compensation to anyone harmed by lead poisoning caused by the cables."

"There is no safe level of lead exposure -- none -- which is why I'm so disturbed by these reports of lead cable lines throughout the country," added US Rep. Frank Pallone Jr. (D-NJ). "It is imperative that these cables be properly scrutinized and addressed."

Another Congressman, Rep. Patrick Ryan (D-NY), said he is considering legislation on remediating contamination from the cables and that telecom companies should "do the right thing and clean up their mess." The Wall Street Journal said its testing in a playground in Ryan's district "registered high levels of lead underneath an aerial cable running along the perimeter of the park."

Sci-Fi

Bipartisan Measure Aims to Force Release of UFO Records (nytimes.com) 67

Senate Majority Leader Chuck Schumer is proposing legislation to create a commission with the power to declassify government documents related to UFOs and extraterrestrial matters. The New York Times reports: The measure offers the possibility of pushing back against the conspiracy theories that surround discussions of U.F.O.s and fears that the government is hiding critical information from the public. The legislation, which Mr. Schumer will introduce as an amendment to the annual defense policy bill, has bipartisan support, including that of Senator Mike Rounds, Republican of South Dakota, and Senator Marco Rubio, Republican of Florida, who has championed legislation that has forced the government to release a series of reports on unidentified phenomena. Support in the House is also likely. On Wednesday, the chamber included a narrower measure (PDF) in its version of the annual defense bill that would push the Pentagon to release documents about unidentified aerial phenomena.

The Senate measure sets a 300-day deadline for government agencies to organize their records on unidentified phenomena and provide them to the review board. President Biden would appoint the nine-person review board, subject to Senate approval. Senate staff members say the intent is to select a group of people who would push for disclosure while protecting sensitive intelligence collection methods. [...] Under Mr. Schumer's legislation, the president could decide to delay material the commission has chosen to release based on national security concerns. But the measure would establish a timetable to release documents and codify the presumption that the material should be public. "You now will have a process through which we will declassify this material," said Allison Biasotti, a spokeswoman for Mr. Schumer.

Privacy

SEO Expert Hired and Fired By Ashley Madison Turned on Company, Promising Revenge (krebsonsecurity.com) 28

In July 2015, the marital infidelity website AshleyMadison.com was hacked by a group called the Impact Team, threatening to release data on all 37 million users unless the site shut down. In an article published earlier today, security researcher Brian Krebs explores the possible involvement of a former employee and self-described expert in search engine optimization (SEO), William Brewster Harrison, who had a history of harassment towards then-CEO Noel Biderman and may have had the technical skills to carry out the hack. However, Harrison committed suicide in 2014, raising doubts about his role in the breach. Here's an excerpt from the report: [...] Does Harrison's untimely death rule him out as a suspect, as his stepmom suggested? This remains an open question. In a parting email to Biderman in late 2012, Harrison signed his real name and said he was leaving, but not going away. "So good luck, I'm sure we'll talk again soon, but for now, I've got better things in the oven," Harrison wrote. "Just remember I outsmarted you last time and I will outsmart you and out maneuver you this time too, by keeping myself far far away from the action and just enjoying the sideline view, cheering for the opposition." Nothing in the leaked Biderman emails suggests that Ashley Madison did much to revamp the security of its computer systems in the wake of Harrison's departure and subsequent campaign of harassment -- apart from removing an administrator account of his a year after he'd already left the company.

KrebsOnSecurity found nothing in Harrison's extensive domain history suggesting he had any real malicious hacking skills. But given the clientele that typically employed his skills -- the adult entertainment industry -- it seems likely Harrison was at least conversant in the dark arts of "Black SEO," which involves using underhanded or else downright illegal methods to game search engine results. Armed with such experience, it would not have been difficult for Harrison to have worked out a way to maintain access to working administrator accounts at Ashley Madison. If that in fact did happen, it would have been trivial for him to sell or give those credentials to someone else. Or to something else. Like Nazi groups. As KrebsOnSecurity reported last year, in the six months leading up to the July 2015 hack, Ashley Madison and Biderman became a frequent subject of derision across multiple neo-Nazi websites.

Some readers have suggested that the data leaked by the Impact Team could have originally been stolen by Harrison. But that timeline does not add up given what we know about the hack. For one thing, the financial transaction records leaked from Ashley Madison show charges up until mid-2015. Also, the final message in the archive of Biderman's stolen emails was dated July 7, 2015 -- almost two weeks before the Impact Team would announce their hack. Whoever hacked Ashley Madison clearly wanted to disrupt the company as a business, and disgrace its CEO as the endgame. The Impact Team's intrusion struck just as Ashley Madison's parent was preparing to go public with an initial public offering (IPO) for investors. Also, the hackers stated that while they stole all employee emails, they were only interested in leaking Biderman's. Also, the Impact Team had to know that ALM would never comply with their demands to dismantle Ashley Madison and Established Men. In 2014, ALM reported revenues of $115 million. There was little chance the company was going to shut down some of its biggest money machines. Hence, it appears the Impact Team's goal all along was to create prodigious amounts of drama and tension by announcing the hack of a major cheating website, and then let that drama play out over the next few months as millions of exposed Ashley Madison users freaked out and became the targets of extortion attacks and public shaming.

After the Impact Team released Biderman's email archives, several media outlets pounced on salacious exchanges in those messages as supposed proof he had carried on multiple affairs. Biderman resigned as CEO of Ashley Madison on Aug. 28, 2015. Complicating things further, it appears more than one malicious party may have gained access to Ashley Madison's network in 2015 or possibly earlier. Cyber intelligence firm Intel 471 recorded a series of posts by a user with the handle "Brutium" on the Russian-language cybercrime forum Antichat between 2014 and 2016. Brutium routinely advertised the sale of large, hacked databases, and on Jan. 24, 2015, this user posted a thread offering to sell data on 32 million Ashley Madison users. However, there is no indication whether anyone purchased the information. Brutium's profile has since been removed from the Antichat forum.

Note: This is Part II of a story published last week on reporting that went into a new Hulu documentary series on the 2015 Ashley Madison hack.

The Courts

Texas' TikTok Ban Hit With First Amendment Lawsuit (cnn.com) 37

Texas's ban on TikTok at state institutions violates the First Amendment, claims a lawsuit filed Thursday by a group of academics and civil society researchers. CNN reports: The Knight First Amendment Institute at Columbia University filed the lawsuit on behalf of the Coalition for Independent Technology Research, which works to study the impact of technology on society. The lawsuit specifically challenges Texas' TikTok ban in relation to public universities, saying it compromises academic freedom and impedes vital research. "The ban is not just ineffective but counterproductive. It's impeding researchers and scholars from studying the very things that Texas says it's concerned about -- like data-collection and disinformation," Jameel Jaffer, executive director of the Institute, told CNN.

The lawsuit cites the example of a University of North Texas researcher who studies young people's use of social media, who has been forced to abandon research projects that rely on university computers and to remove material about TikTok from her courses. The Knight Institute lawsuit notes that Texas has not imposed a ban on other online platforms that collect similar user data, such as Meta and Google. It further argues that a ban doesn't "meaningfully" constrain China's ability to collect sensitive data about Americans, because this data is widely available from other data brokers.

"It's entirely legitimate for government officials to be concerned about social media platforms' data-collection practices, but imposing broad bans on Americans' access to the platforms isn't a reasonable, effective, or constitutional response to those concerns," Jaffer told CNN. "Like it or not, TikTok is an immensely popular communications platform, and its policies and practices are influencing culture and politics around the world," said Dave Karpf, a Coalition for Independent Technology Research board member and associate professor in the George Washington University School of Media and Public Affairs. "It's important that scholars and researchers be able to study the platform and illuminate the risks associated with it. Ironically, Texas's misguided ban is impeding our members from studying the very risks that Texas says it wants to address."

The Courts

FTC Asks Court To Temporarily Halt Microsoft's Acquisition of Activision (reuters.com) 10

The FTC has asked a federal court to temporarily halt Microsoft's $69 billion acquisition of "Call of Duty" maker Activision Blizzard. Microsoft won its fight against the FTC on Tuesday, after a California judge said the agency had failed to show the deal would be illegal under antitrust law. The FTC appealed that loss yesterday, and Microsoft said it would fight that appeal. Reuters reports: In its motion, the FTC asked for an order that would prevent the deal from closing until after the 9th U.S. Circuit Court of Appeals has ruled on a separate stay request filed with that court. Any outstanding regulatory hurdle makes it more likely the agreement between Microsoft and Activision will expire on July 18 without the deal having been completed. After July 18, either company will be free to walk away from the deal unless they negotiate an extension.

In its motion for the stay to Judge Jacqueline Scott Corley, the FTC argued her denial of a preliminary injunction to halt the deal "raises serious, substantial issues for the Court of Appeals to resolve." Specifically, the FTC said she had applied the wrong standard in considering the agency's request for a preliminary injunction. "Granting an injunction pending appeal is warranted because the FTC is likely to succeed on appeal," the agency wrote.

The Courts

Bungie Wins Landmark Lawsuit Against Player Who Harassed Destiny Staff (polygon.com) 19

An anonymous reader quotes a report from Polygon: Bungie has won almost $500,000 in damages from a Destiny 2 player who harassed one of its community managers and his wife with abusive, racist, and distressing calls and messages, and sent an unsolicited pizza order to their home in a manner designed to intimidate and frighten the couple. According to members of Bungie's legal team, the judgment from a Washington state court sets important precedents that will empower employers to go after anyone who harasses their employees online, and strengthen the enforcement of laws against online trolling and harassment. "This one is special," Bungie's attorney Dylan Schmeyer tweeted.

As laid out in the court's judgment, the defendant, Jesse James Comer, was "incensed" when the community manager -- whom both Bungie and the court declined to name, to protect them from further harassment -- spotlighted some fan art by a Black community member. Using anonymous phone numbers, Comer left a string of "hideous, bigoted" voicemails on the community manager's personal phone, some asking that Bungie create options in Destiny 2 "in which only persons of color would be killed," before proceeding to threaten the community manager's wife with more racist voicemails and texts. Then he ordered a pizza to be delivered to their home, leaving instructions for the driver to knock at least five times, loudly, to make the intrusion as frightening as possible.

The court ruled that Comer was liable to pay over $489,000 in damages, fees, and expenses it had accrued in protecting and supporting its employees, investigating Comer, and prosecuting the case against him. As laid out in a Twitter thread by Kathryn Tewson, a crusading paralegal who worked on the case, the judgment is significant because it recognizes that patterns of harassment escalate from online trolling to real-world violence; establishes that harassment of an employee for doing their job damages the employer as well, which can then use its resources to go after the culprit; and recognized a new tort -- a legal term for a form of injury or harm for which courts can impose liability -- around cyber and telephone harassment. While it may seem odd to celebrate a judgment that awards a company -- rather than an individual -- with damages for personal harassment, the significance of the case is that its legal precedent empowers and motivates employers to use their resources to protect employees who face harassment as part of their jobs. Bungie and its lawyers have broken important new ground that could improve the level of protection for workers in the game industry and beyond.

The Courts

Ripple's Open Market Sales of XRP Cryptocurrency Aren't Securities, Court Rules in Landmark Decision (fortune.com) 32

It was the court case the entire crypto industry was waiting for -- the showdown between the Securities and Exchange Commission and Ripple, an early digital assets firm behind the popular XRP token. From a report: The SEC alleged that sales of XRP constituted offering unregistered securities, while Ripple defended its $25 billion market, chiding the SEC's lack of clear guidance. On Thursday, a federal judge agreed partly in favor of both parties, with Ripple -- and the broader crypto industry -- appearing the early victor. The existential question for the U.S. crypto sector has been whether the thousands of tokens, from Bitcoin and Ether to Dogecoin and Pepecoin, are securities -- a financial term for an investment contract, which would require registration with the SEC. Crypto firms have argued that working with the agency is impossible under the current rules, while the SEC has accused nearly every token, with the clear exception of Bitcoin, of operating illegally.

Ripple became an important trial balloon for the debate. In 2020, the SEC charged the company -- founded in 2012 with the promise of disrupting the global payments network through its proprietary token, XRP -- and two of its executives with raising over $1.3 billion through an unregistered digital asset securities offering. Unlike other subjects of SEC lawsuits, Ripple challenged the case, which has been litigated for the past three years in the Southern District of New York. The proceedings have enraptured the crypto industry, especially as the SEC has aggressively pursued other exchanges and projects for allegedly offering unregistered securities. A decision that found XRP was not a security could buoy other firms and weaken the SEC's torrent of lawsuits against the industry, while a total victory for the SEC would have proved disastrous and likely climbed its way to the Supreme Court.

Crime

Alex Mashinsky, Ex-CEO of Bankrupt Celsius, Arrested (bloomberg.com) 21

The former chief executive officer of bankrupt crypto lender Celsius Network was arrested following a probe into the company's collapse, Bloomberg reported Thursday. From the report: The arrest took place Thursday morning, according to the person, who asked not to be identified because the criminal case isn't public. The Securities and Exchange Commission also filed a lawsuit against Mashinsky and the company Thursday, according to court records. Celsius was one of several high-profile crypto firms that imploded last year. The company gained popularity paying high interest rates on digital-asset deposits. But following the collapse of the TerraUSD stablecoin and a downturn in the digital-asset markets the company was left with a giant hole in its balance sheet and unable to meet an influx of customer withdrawals.

Democrats

Democrats Call On DOJ To Investigate Tax Sites For Sharing Financial Information With Meta (theverge.com) 29

Democratic senators, including Elizabeth Warren and Bernie Sanders, are calling (PDF) for an investigation into popular online tax filing companies, accusing them of sharing sensitive taxpayer data with Meta and Google without user consent. The Verge reports: On Tuesday, Sens. Elizabeth Warren (D-MA), Bernie Sanders (I-VT), and others asked the Justice Department, Federal Trade Commission, Treasury Department, and the IRS to investigate whether TaxSlayer, H&R Block, and TaxAct violated taxpayer privacy laws by sharing sensitive user information with the two tech firms. Senators also released (PDF) their own report Wednesday detailing the accusations, first raised by The Markup last November.

The report alleges that for years, tax preparation companies infused their products with Meta and Google tracking pixels that revealed identifying information -- like a user's full name, address, and date of birth. The senators also suggest that some of the information provided, like the forms a user accessed, could be used to show "whether taxpayers were eligible for certain deductions or exemptions." The senators claim that the companies did not receive user consent to share this information, which could violate laws banning tax preparers from sharing tax return information with third parties, especially since much of this data could be used for advertising purposes.

The Courts

Reddit Beats Lawsuit By WallStreetBets Founder (reuters.com) 29

A U.S. judge has dismissed a lawsuit in which the founder of WallStreetBets, which helped ignite investors' fascination with "meme" stocks, accused Reddit of wrongly banning him from moderating the community and usurping his trademark rights. From a report: Jaime Rogozinski, who founded WallStreetBets in 2012, said Reddit ousted him in April 2020 as a pretext to keep him from controlling "a famous brand that helped Reddit rise to a $10 billion valuation" by late 2021. Rogozinski had applied to trademark "WallStreetBets" in March 2020, when the community reached 1 million subscribers. It now has 14 million.

In a 15-page decision, U.S. District Judge Maxine Chesney in San Francisco rejected Rogozinski's claim that he owns the WallStreetBets trademark because the market associated it with him and he made the brand famous. She also dismissed Rogozinski's state law claims related to his ouster, saying either that they were preempted by a federal law that provides "broad immunity" to websites publishing mainly outside content, or that he lacked standing to sue.

Privacy

You Can Say No To a TSA Face Scan. But Even a Senator Had Trouble. (washingtonpost.com) 127

An anonymous reader shares a report: On his way to catch a flight, Sen. Jeff Merkley (D-Ore.) was asked to have his photo taken by a facial recognition machine at airport security. The Transportation Security Administration has been testing use of facial recognition software to verify travelers' identification at some airports. Use of the technology is voluntary, the TSA has told the public and Congress. If you decline, a TSA agent is supposed to verify your identification, as we have done at airport security for years. When Merkley said no to the face scan at Washington's Reagan National Airport, he was told it would cause a significant delay, a spokeswoman for the senator said. There was no delay. The spokeswoman said the senator showed his photo ID to the TSA agent and cleared security.

Is facial recognition technology really voluntary if a United States senator has trouble saying no? The TSA is using facial recognition technology for a limited purpose that the agency says is accurate. As flying reaches record highs again this summer, the technology could improve safety and efficiency with fewer risks than controversial uses of facial recognition such as police trying to identify crime suspects from vast numbers of images. But problems encountered by Merkley and others raise questions about whether the technology can be used fairly and how far it might spread in American life without true oversight.

China

TikTok Executive Admits Australian Users' Data Accessed By Employees In China (theguardian.com) 15

An anonymous reader quotes a report from The Guardian: Australian user data is accessible to TikTok employees based in China on a "very strict basis," the company's head of data security, Will Farrell, has said. In their first public appearance before Australian members of parliament since the government joined Canada, the US and the UK in banning TikTok from government-owned devices amid concerns about the company's connections to China, TikTok executives were questioned at length by a parliamentary committee examining foreign interference on social media. Liberal senator and chair of the committee James Paterson, who has led the opposition's push against the app, questioned how many times Australian user data had been accessed by TikTok staff based within China. Farrell could not provide the number immediately, but admitted it did happen.

Farrell said there were "a number of protections in place", including that employees only get the minimum amount of access to data to do their job, and when they access that data they need to provide a business justification that needs to be approved by their manager and the database owner within TikTok. If the data is being accessed across a national border, it has to be approved by the global security team based in the US, which also monitors all data access. "Employees can't get access without a clear justification and levels of approval," Farrell said. A similar security review would apply if an employee based in China tried to change the recommendations algorithm, he said.

The company's local head of public policy, Ella Woods-Joyce, said China's 2017 national security law -- which requires companies to give the government any personal data relevant to national security -- would apply to any company that had operations and staff in China. When asked on what ground TikTok would refuse to comply with the law, Woods-Joyce said TikTok had never been asked for personal data by the Chinese government and would refuse if asked. [...] It was revealed in December that employees had used the app to attempt to identify the source of a leak to journalists. Hunter told the committee that he stood by the sentiments expressed in his original article, and blamed "rogue employees" who had since been fired from the company for accessing the data. He said "serious misconduct from these rogue employees" had taken place. He said GPS location information was not collected in Australia.

The Courts

Google Hit With Lawsuit Alleging It Stole Data From Millions of Users To Train Its AI Tools (cnn.com) 46

"CNN reports on a wide-ranging class action lawsuit claiming Google scraped and misused data to train its AI systems," writes long-time Slashdot reader david.emery. "This goes to the heart of what can be done with information that is available over the internet." From the report: The complaint alleges that Google "has been secretly stealing everything ever created and shared on the internet by hundreds of millions of Americans" and using this data to train its AI products, such as its chatbot Bard. The complaint also claims Google has taken "virtually the entirety of our digital footprint," including "creative and copywritten works" to build its AI products. The complaint points to a recent update to Google's privacy policy that explicitly states the company may use publicly accessible information to train its AI models and tools such as Bard.

In response to an earlier Verge report on the update, the company said its policy "has long been transparent that Google uses publicly available information from the open web to train language models for services like Google Translate. This latest update simply clarifies that newer services like Bard are also included." [...] The suit is seeking injunctive relief in the form of a temporary freeze on commercial access to and commercial development of Google's generative AI tools like Bard. It is also seeking unspecified damages and payments as financial compensation to people whose data was allegedly misappropriated by Google. The firm says it has lined up eight plaintiffs, including a minor.

"Google needs to understand that 'publicly available' has never meant free to use for any purpose," Tim Giordano, one of the attorneys at Clarkson bringing the suit against Google, told CNN in an interview. "Our personal information and our data is our property, and it's valuable, and nobody has the right to just take it and use it for any purpose."

The plaintiffs, the Clarkson Law Firm, previously filed a similar lawsuit against OpenAI last month.

Crime

Silk Road's Second-in-Command Gets 20 Years in Prison 39

Roger Thomas Clark, also known as Variety Jones, will spend much of the rest of his life in prison for his key role in building the world's first dark web drug market. Wired: Nearly ten years ago, the sprawling dark web drug market known as the Silk Road was torn offline in a law enforcement operation coordinated by the FBI, whose agents arrested that black market's boss, Ross Ulbricht, in a San Francisco library. It would take two years for Ulbricht's second-in-command -- an elusive figure known as Variety Jones -- to be tracked down and arrested in Thailand. Today, a decade after the Silk Road's demise, Clark has been sentenced to join his former boss in federal prison.

In a Manhattan courtroom on Monday, Roger Thomas Clark -- also known by his online handles including Variety Jones, Cimon and Plural of Mongoose -- was sentenced to 20 years behind bars for his role in building and running Silk Road. Clark, a 62-year-old Canadian national, will now likely spend much of the rest of his life incarcerated for helping to pioneer the anonymous, cryptocurrency-based model for online illegal sales of drugs and other contraband that still persists on the dark web today. The sentence is the maximum Clark faced in accordance with the plea agreement he made with prosecutors.

Clark "misguidedly turned his belief that drugs should be legal into material assistance for a criminal enterprise," Judge Sidney Stein said in his sentencing statement. "These beliefs crossed over into patently illegal behavior." Stein added that Clark was "clear-eyed and intentional" in his work as Ulbricht's "right-hand man" in the Silk Road's operations. "The sentence must reflect the vast criminal enterprise of which he was a leader," Stein said.

Crime

Elizabeth Holmes' Prison Sentence Was Quietly Reduced By Two Years (gizmodo.com) 156

An anonymous reader quotes a report from Gizmodo: Disgraced Theranos co-founder Elizabeth Holmes' prison sentence has been reduced by two years, according to the Bureau of Prisons records. Holmes was sentenced to 11 years and three months in prison for defrauding investors by claiming her blood-testing company provided quick and reliable results but she was found to have lied about the reliability of those tests. Holmes surrendered to the Bureau of Prisons in California on May 30 to serve out her sentence at a minimum-security all-female federal prison camp in Bryan, Texas.

Less than two months after she reported to prison, her sentence was quietly changed, with her new release date scheduled for December 29, 2032, the Bureau's site says. The Bureau has not provided additional information for why Holmes' projected release date was shortened, but its site says an inmate's good behavior, substance abuse program completion, and time credits they receive for activities and programs they've completed can result in a lessened sentence. Only last month, Theranos' former president and chief operating officer Ramesh "Sunny" Balwani's 13-year sentence was likewise reduced by two years, making his new projected release date April 11, 2034.

Holmes is serving out her remaining nine-year sentence at FPC Bryan, an all-female prison camp, where the women adhere to a strict schedule requiring them to begin work at 6 a.m. each day. Those who are considered eligible to work are assigned jobs earning between 12 cents and $1.15 an hour in roles like food service and factory employment.

Printer

Your Printing Service Might Read Your Documents (washingtonpost.com) 21

An anonymous reader quotes a report from the Washington Post: If you're printing something on actual paper, there's a good chance it's important, like a tax form or a job contract. But popular printing products and services won't promise not to read it. In fact, they won't even promise not to share it with outside marketing firms. The spread of digital file-sharing -- along with obnoxious business practices by printing manufacturers -- has pushed many U.S. households to give up at-home printers and rely on nearby printing services instead. At the same time, major printer manufacturers have adopted mobile apps and cloud-based storage, creating new opportunities to collect personal data from customers. Whether you're walking to the corner store or sending your files to the cloud, it's tough to figure out whether you're printing in private.

Ideally, printing services should avoid storing the content of your files, or at least delete daily. Print services should also communicate clearly upfront what information they're collecting and why. Some services, like the New York Public Library and PrintWithMe, do both. Others dodged our questions about what data they collect, how long they store it and whom they share it with. Some -- including Canon, FedEx and Staples -- declined to answer basic questions about their privacy practices. Wondering whether your printer app or printing service stores the content of your documents? Here's The Washington Post Help Desk's at-a-glance guide to printer privacy.

Here's a summary of each company's privacy policy as it pertains to storing the content of your files:

HP: HP's privacy policy states that it does not store the content of files when using their printers or HP Smart app, providing reassurance that they do not invade privacy by snooping into print jobs.
Canon: Canon's privacy policy indicates that it can collect personal data, including files and content, which may be used for marketing purposes. However, Canon did not disclose whether they store, use, or share the content of printed documents.
FedEx: FedEx's privacy policy states that it collects user-uploaded information, including the contents of documents uploaded for printing services, leaving room for potential advertising or sharing with third parties. Although FedEx prioritizes customer privacy, it did not specify the extent of encryption or whether document content is included.
UPS: While the UPS Store, a subsidiary of UPS, can store the contents of printed documents, it does not use this information for marketing or advertising without user consent. The storage duration is undisclosed, but UPS honors customer requests for data deletion.
Staples: According to Staples' privacy policy, the company can store personal data such as copy/print materials, driver's license numbers, passport numbers, and mail contents. They may also use copy/print materials for advertising. The duration of data storage is not disclosed.
PrintWithMe: PrintWithMe, a company placing printers in shared spaces, temporarily stores printed documents with a third-party cloud provider for 24 hours. CEO Jonathan Treble assures that the data is never used for advertising.
Your local library: The New York Public Library, one of the largest library systems, does not store the contents of printed documents. Their computers only retain file names and delete them at the end of the day. However, privacy policies may vary among different libraries, so it is advisable to inquire beforehand.

EU

Big Tech Can Transfer Europeans' Data To US In Win For Facebook and Google (arstechnica.com) 23

An anonymous reader quotes a report from Ars Technica: The European Commission today decided it is safe for personal data to be transferred from the European Union to US-based companies, handing a victory to firms like Facebook and Google despite protests from privacy advocates who worry about US government surveillance. The commission announced that it "adopted its adequacy decision for the EU-US Data Privacy Framework," concluding "that the United States ensures an adequate level of protection -- comparable to that of the European Union -- for personal data transferred from the EU to US companies under the new framework. On the basis of the new adequacy decision, personal data can flow safely from the EU to US companies participating in the Framework, without having to put in place additional data protection safeguards."

In May, Facebook-owner Meta was fined 1.2 billion euros for violating the General Data Protection Regulation (GDPR) with transfers of personal data to the United States and was ordered to stop storing European Union user data in the US within six months. But Meta said at the time that if the pending data-transfer pact "comes into effect before the implementation deadlines expire, our services can continue as they do today without any disruption or impact on users." The data-transfer deal "is expected to face a legal challenge from European privacy advocates, who have long said that the US needs to make substantial changes to surveillance laws," a Wall Street Journal report said today. "Transfers of data from Europe to the US have been in question since an EU court ruled in 2020 that a previous deal allowing trans-Atlantic data flows was illegal because the US didn't give EU individuals an effective way to challenge surveillance of their data by the US government."

The EC's announcement said the new framework has "binding safeguards to address all the concerns raised by the European Court of Justice, including limiting access to EU data by US intelligence services to what is necessary and proportionate, and establishing a Data Protection Review Court (DPRC), to which EU individuals will have access." The new court "will be able to order the deletion" of data that is found to have been collected in violation of the new rules. The framework will be administered and monitored by the US Department of Commerce and the "US Federal Trade Commission will enforce US companies' compliance," the EC announcement said. EU residents who challenge data collection will have free access to "independent dispute resolution mechanisms and an arbitration panel." US companies can join the EU-US framework "by committing to comply with a detailed set of privacy obligations, for instance the requirement to delete personal data when it is no longer necessary for the purpose for which it was collected, and to ensure continuity of protection when personal data is shared with third parties," the European Commission said.

The latest deal is expected to get challenged, according to the WSJ. European Parliament member Birgit Sippel, who is in Germany's Social Democratic Party, said the "framework does not provide any meaningful safeguards against indiscriminate surveillance conducted by US intelligence agencies," according to The New York Times.

The Computer & Communications Industry Association, which represents major tech companies like Amazon, Apple, Google and Meta, said: "Today's decision means that EU and US businesses will soon have full legal certainty again to transfer personal data across the Atlantic... Data flows are vital to transatlantic trade and the EU-US economic relationship, which is worth 5.5 trillion euros per year. Nevertheless, the two economies had been left without guidelines for data transfers after an EU Court ruling invalidated the previous framework back in 2020."

Privacy

First US Ban on Sale of Cellphone Location Data Might Be Coming (wsj.com) 28

Massachusetts lawmakers are weighing a near total ban on buying and selling of location data drawn from consumers' mobile devices in the state, in what would be a first-in-the-nation effort to rein in a billion-dollar industry. From a report: The legislature held a hearing last month on a bill called the Location Shield Act, a sweeping proposal that would sharply curtail the practice of collecting and selling location data drawn from mobile phones in Massachusetts. The proposal would also institute a warrant requirement for law-enforcement access to location data, banning data brokers from providing location information about state residents without court authorization in most circumstances.

Location data is typically collected through mobile apps and other digital services and doesn't include information such as a name or a phone number. But often, a device's movement patterns are enough to derive a possible identity of its owner. For example, where a phone spends its evening and overnight hours is usually the owner's home address and can be cross-checked against other databases for additional insight. The Massachusetts proposal is part of a flurry of state-level activity to better protect the digital privacy of residents in the absence of a comprehensive national law. Ten states have enacted privacy laws in recent years under both Republican and Democratic-controlled legislatures. Several bipartisan proposals are under consideration in Congress but have failed to gain traction.

Government

Should Public Buses Be Free? (cnn.com) 362

"More major cities in the United States are letting public transit riders hop on board for free," reports CNN: Kansas City; Raleigh; Richmond; Olympia; Tucson; Alexandria, Virginia; and other cities are testing dropping fares on their transit systems. Denver is dropping fares across its system this summer. Boston is piloting three zero-fare public bus routes, and New York City is expected to test free buses on five lines.

Eliminating fares gives a badly needed boost to ridership, removes cost burdens — particularly for lower-income riders — and reduces boarding times at stops. Proponents also hope it will compel more people to get out of their cars and ride transit... At least 35 US agencies have eliminated fares across their network, according to the American Public Transit Association. Massachusetts Sen. Edward Markey and US Rep. Ayanna Pressley have introduced a bill in Congress to establish a $25 billion grant program to support state and local efforts for fare-free systems.

The zero-fare push comes as ridership nationwide remains sluggish after people shifted to working from home during the pandemic. Ridership is at about 70% of pre-pandemic levels nationwide, and transit agency budget shortfalls threaten service cuts, layoffs and fare hikes.

CNN also reports the case against. Experts "say there are more effective policies to get people out of their cars and onto transit, such as congestion pricing and parking restrictions.

"And dropping fares does not make buses run on time or lead to faster and cleaner trains. These are the improvements that will get more people to take transit instead of drive, according to passenger surveys."

Privacy

EFF Says California Cops Are Illegally Sharing License Plate Data with Anti-Abortion States (yahoo.com) 240

Slashdot reader j3x0n shared this report from California newspaper the Sacramento Bee: In 2015, Democratic Elk Grove Assemblyman Jim Cooper voted for Senate Bill 34, which restricted law enforcement from sharing automated license plate reader (ALPR) data with out-of-state authorities. In 2023, now-Sacramento County Sheriff Cooper appears to be doing just that. The Electronic Frontier Foundation (EFF), a digital rights group, has sent Cooper a letter requesting that the Sacramento County Sheriff's Office cease sharing ALPR data with out-of-state agencies that could use it to prosecute someone for seeking an abortion.

According to documents that the Sheriff's Office provided EFF through a public records request, it has shared license plate reader data with law enforcement agencies in states that have passed laws banning abortion, including Alabama, Oklahoma and Texas. Adam Schwartz, EFF senior staff attorney, called automated license plate readers "a growing threat to everyone's privacy ... that are out there by the thousands in California..." Schwartz said that a sheriff in Texas, Idaho or any other state with an abortion ban on the books could use that data to track people's movements around California, knowing where they live, where they work and where they seek reproductive medical care, including abortions.

The Sacramento County Sheriff's Office isn't the only one sharing that data; in May, EFF released a report showing that 71 law enforcement agencies in 22 California counties — including Sacramento County — were sharing such data... [Schwartz] said that he was not aware of any cases where ALPR data was used to prosecute someone for getting an abortion, but added, "We think we shouldn't have to wait until the inevitable happens."

In May the EFF noted that the state of Idaho "has enacted a law that makes helping a pregnant minor get an abortion in another state punishable by two to five years in prison."

Crime

22-Year-Old Gamer Sentenced in France for 2020 Swatting of Ubisoft's Montreal Office (engadget.com) 50

An anonymous reader quotes this report from Engadget: A disgruntled Tom Clancy's Rainbow Six Siege gamer who called in a fake emergency to Ubisoft's Montreal office was sentenced this week to three years of community service, according to The Montreal Gazette. Yanni Ouahioune, 22, was handed the sentence on Monday in Paris following his call to authorities about a fake hostage situation in November 2020.

Police say Ouahioune called in the hoax because he was angry he had been banned several times from Tom Clancy's Rainbow Six Siege. In response to the bogus call, a heavily armed squad of police officers surrounded the building. The officers secured the headquarters — and closed several nearby streets — before confirming there wasn't an active threat. Ouahioune allegedly called from his parents' house using Russian servers to mask his identity (unsuccessfully). After being charged, La Presse reported (via Polygon) that Ouahioune pleaded for Ubisoft to unban his account. "Can you say that I am kindly asking the Ubisoft team to 'unban' my account please," Ouahioune said. "I have put over $1,500 in cosmetic enhancements in my profile."

The sentencing also includes Ouahioune's alleged part in a DDoS attack against a French government office and making threats against Minecraft developers. The convicted hoaxer will reportedly be required to "compensate victims, undergo treatment for a mental health problem and either work or undergo training" in addition to the community service.

Privacy

Bangladesh Government Website Leaks Citizens' Personal Data (techcrunch.com) 3

A Bangladeshi government website leaked the personal information of citizens, including full names, phone numbers, email addresses and national ID numbers. TechCrunch reports: Viktor Markopoulos, a researcher who works for Bitcrack Cyber Security, said he accidentally discovered the leak on June 27, and shortly after contacted the Bangladeshi e-Government Computer Incident Response Team (CERT). He said the leak includes data of millions of Bangladeshi citizens. TechCrunch was able to verify that the leaked data is legitimate by using a portion to query a public search tool on the affected government website. By doing this, the website returned other data contained in the leaked database, such as the name of the person who applied to register, as well as -- in some cases -- the name of their parents. We attempted this with 10 different sets of data, which all returned correct data.

TechCrunch is not naming the government website because the data is still available online, according to Markopoulos, and we haven't heard back from any of the Bangladeshi government organizations that we emailed asking for comment and alerting of the data exposure. In Bangladesh, every citizen aged 18 and older is issued a National Identity Card, which assigns a unique ID to every citizen. The card is mandatory and gives citizens access to several services, such as getting a driver's license, passport, buying and selling land, opening a bank account, and others.

Markopoulos said finding the data "was too easy." "It just appeared as a Google result and I wasn't even intending on finding it. I was Googling an SQL error and it just popped up as the second result," he told TechCrunch, referring to SQL, a language designed for managing data in a database. The exposure of email addresses, phone numbers and national ID card numbers is bad on its own, but Markopoulos said that having this type of information could also "be used in the web application to access, modify, and/or delete the applications as well as view the Birth Registration Record Verification."

DRM

Denuvo Wants To Convince You Its DRM Isn't 'Evil' (arstechnica.com) 77

An anonymous reader quotes a report from Ars Technica: Simply mentioning the name "Denuvo" among some gamers is pretty much guaranteed to get you an instant, strong reaction. Just look at the comment threads underneath any Ars article covering Denuvo and you'll see plenty of complaints about the DRM-enhancing anti-piracy technology. Irdeto, the company that acquired Denuvo in a 2018 purchase, doesn't generally make a habit of commenting at length on this reputation (or its secretive DRM schemes) in the public press. So when Irdeto Chief Operating Officer of Video Games Steeve Huin agreed to defend his company publicly in an exclusive interview with Ars Technica, I jumped at the chance to talk to him.

Huin stressed to Ars that he sees Denuvo as a positive force for the gaming community as a whole. "Anti-piracy technologies is to the benefit of the game publishers, [but also] is of benefit to the players in that it protects the [publisher's] investment and it means the publishers can then invest in the next game," he said. "But people typically don't think enough of that." "Whether people want to believe it or not, we are all gamers, we love gaming, we love being part of it," he continued. "We develop technologies with the intent to make the industry better and stronger."

[...] While the Denuvo name has become practically synonymous with its "anti-tamper" DRM technology, the company now hopes it can be just as well-known for its recent anti-cheating efforts. Denuvo's anti-cheat technology works on "some of the same principles" as its anti-tamper DRM, Huin said, but is aimed at maintaining code integrity at runtime rather than just when a game is loaded. "The core is the same, but the function of what they do is different," he said. Because of this difference, Huin allowed that, unlike Denuvo's anti-tamper DRM, the anti-cheat product could have "a very low impact" on a game's performance. "Less than one percent is the metric we use for validating," he said.

Piracy

Film Companies Demand Names of Reddit Users Who Discussed Piracy in 2011 (arstechnica.com) 67

Reddit is fighting another attempt by film companies to unmask anonymous Reddit users who discussed piracy. From a report: The same companies lost a previous, similar motion to identify Reddit users who wrote comments in piracy-related threads. Reddit avoided revealing the identities of eight users by arguing that the First Amendment protected their right to anonymous speech. Reddit is seeking a similar outcome in the new case, in which the film companies' subpoena to Reddit sought "Basic account information including IP address registration and logs from 1/1/2016 to present, name, email address and other account registration information" for six users who wrote comments on Reddit threads in 2011 and 2018.
