alternative_right writes: Grocery delivery service Instacart will refund $60 million to settle FTC claims that it misled customers with false advertising and unlawfully enrolled them in paid subscriptions. Instacart partners with over 1,800 retailers to provide online shopping, delivery, and pickup services from nearly 100,000 stores across North America. Its platform serves millions of customers and is also used by roughly 600,000 independent shoppers across thousands of cities in Canada and the United States.

In a complaint filed on Thursday, the FTC claimed Instacart engaged in multiple deceptive tactics that raised costs for customers, including failing to provide advertised refunds and falsely advertising "free delivery" while still charging mandatory service fees that added up to 15% to order costs. The FTC said Instacart also advertised a "100% satisfaction guarantee," but typically offered only small credits toward future orders rather than full refunds to customers experiencing problems with deliveries or service. The company allegedly hid refund options from "self-service" menus, leading customers to believe credits were their only option.

More carbon dioxide in the environment is making food more calorific but less nutritious -- and also potentially more toxic, a study has found. From a report: Sterre ter Haar, a lecturer at Leiden University in the Netherlands, and other researchers at the institution created a method to compare multiple studies on plants' responses to increased CO2 levels. The results, she said, were a shock: although crop yields increase, they become less nutrient-dense. While zinc levels in particular drop, lead levels increase.

"Seeing how dramatic some of the nutritional changes were, and how this differed across plants, was a big surprise," she told the Guardian. "We aren't seeing a simple dilution effect but rather a complete shift in the composition of our foods... This also raises the question of whether we should adjust our diets in some way, or how we grow or produce our food."

While scientists have been looking at the effects of more CO2 in the atmosphere on plants for a decade, their work has been difficult to compare. The new research established a baseline measurement derived from the observation that the gas appears to have a linear effect on growth, meaning that if the CO2 level doubles, so does the effect on nutrients. This made it possible to compare almost 60,000 measurements across 32 nutrients and 43 crops, including rice, potatoes, tomatoes and wheat.

Apple released an updated developer license agreement this week that gives the company permission to recoup unpaid funds, such as commissions or any other fees, by deducting them from in-app purchases it processes on developers' behalf, among other methods. From a report: The change will impact developers in regions where local law allows them to link to external payment systems. In these cases, developers must report those payments back to Apple to pay the required commissions or fees.

The changed agreement seemingly gives Apple a way to collect what it believes is the correct fee if the company determines a developer has underreported their earnings. [...] In its new developer agreement, Apple states it will "offset or recoup" what it believes it is owed, including "any amounts collected by Apple on your behalf from end-users." This means Apple could recoup funds from developers' in-app purchases -- like those for digital goods, services, and subscriptions -- or from one-time fees for paid applications.

An anonymous reader quotes a report from Deadline: YouTube has terminated two prominent channels that used artificial intelligence to create fake movie trailers, Deadline can reveal. The Google-owned video giant has switched off Screen Culture and KH Studio, which together boasted well over 2 million subscribers and more than a billion views. The channels have been replaced with the message: "This page isn't available. Sorry about that. Try searching for something else."

Earlier this year, YouTube suspended ads on Screen Culture and KH Studio following a Deadline investigation into fake movie trailers plaguing the platform since the rise of generative AI. The channels later returned to monetization when they started adding "fan trailer," "parody" and "concept trailer" to their video titles. But those caveats disappeared In recent months, prompting concern in the fan-made trailer community. YouTube's position is that the channels' decision to revert to their previous behavior violated its spam and misleading-metadata policies. This resulted in their termination. "The monster was defeated," one YouTuber told Deadline following the enforcement action.

Deadline's investigation revealed that Screen Culture spliced together official footage with AI images to create franchise trailers that duped many YouTube viewers. Screen Culture founder Nikhil P. Chaudhari said his team of a dozen editors exploited YouTube's algorithm by being early with fake trailers and constantly iterating with videos. [...] Our deep dive into fake trailers revealed that instead of protecting copyright on these videos, a handful of Hollywood studios, including Warner Bros Discovery and Sony, secretly asked YouTube to ensure that the ad revenue from the AI-heavy videos flowed in their direction.

An anonymous reader quotes a report from 404 Media: Doublespeed, a startup backed by Andreessen Horowitz (a16z) that uses a phone farm to manage at least hundreds of AI-generated social media accounts and promote products has been hacked. The hack reveals what products the AI-generated accounts are promoting, often without the required disclosure that these are advertisements, and allowed the hacker to take control of more than 1,000 smartphones that power the company. The hacker, who asked for anonymity because he feared retaliation from the company, said he reported the vulnerability to Doublespeed on October 31. At the time of writing, the hacker said he still has access to the company's backend, including the phone farm itself.

"I could see the phones in use, which manager (the PCs controlling the phones) they had, which TikTok accounts they were assigned, proxies in use (and their passwords), and pending tasks. As well as the link to control devices for each manager," the hacker told me. "I could have used their phones for compute resources, or maybe spam. Even if they're just phones, there are around 1100 of them, with proxy access, for free. I think I could have used the linked accounts by puppeting the phones or adding tasks, but haven't tried."

As I reported in October, Doublespeed raised $1 million from a16z as part of its "Speedrun" accelerator program, "a fastpaced, 12-week startup program that guides founders through every critical stage of their growth." Doublespeed uses generative AI to flood social media with accounts and posts to promote certain products on behalf of its clients. Social media companies attempt to detect and remove this type of astroturfing for violating their inauthentic behavior policies, which is why Doublespeed uses a bank of phones to emulate the behavior of real users. So-called "click farms" or "phone farms" often use hundreds of mobile phones to fake online engagement of reviews for the same reason. [...] I've seen TikTok accounts operated by Doublespeed promote language learning apps, dating apps, a Bible app, supplements, and a massager.

The Academy has struck a multi-year deal to move the Oscars to YouTube starting in 2029, ending decades on ABC and making the ceremony free to stream worldwide with YouTube holding exclusive global rights. Variety reports: The Oscars, including red carpet coverage, behind-the-scenes content and Governors Ball, will be available live and for free on YouTube to viewers around the world, as well as to YouTube TV subscribers in the United States. Architects of the agreement said they hope the move to YouTube will help make the Oscars more accessible to "the Academy's growing global audience through features such as closed captioning and audio tracks available in multiple languages." [...]

The Academy had been seeking a new broadcast licensing agreement for the better part of 2025. Over the summer, several expected and unconventional buyers, including NBCUniversal and Netflix, had come into the mix as potential suitors. Insiders believe that YouTube shelled out over nine figures for the Oscars, besting the high eight-figure offers from Disney/ABC and NBCUniversal. Under the most recent contract, Disney was paying around $100 million annually for the Oscars -- but given the ratings declines for the kudocast, Disney/ABC were reportedly looking to spend less on license fees.

[...] It's not a secret that the Academy and Disney/ABC would occasionally have disagreements over the best path for the Oscars, including the show's length, which awards to present and who should host. Now, on a streamer with no time limits, the Oscars can be any length, and the Academy likely has carte blanche to do whatever it wants with the telecast. "They can do whatever they want," says one insider. "You can have a six-hour Oscars hosted by MrBeast."

Meta has paused its third-party Horizon OS headset program, effectively canceling planned VR headsets from Asus and Lenovo as it refocuses on "building the world-class first-party hardware and software needed to advance the VR market." Road to VR reports: A little over a year and a half ago, Meta made an "industry-altering announcement," as I called the move in my reporting: the company was rebranding the Quest operating system to 'Horizon OS' and announced it was working with select partners to launch third-party VR headsets powered by the operating system. Meta specifically named Asus and Lenovo as the first partners it was working with to build new Horizon OS headsets. Asus was said to be building an "all-new performance gaming headset," while Lenovo was purportedly working on "mixed reality devices for productivity, learning, and entertainment."

But as we've now learned, neither headset is likely to see the light of day. Meta say it has frozen the third-party Horizon OS headset program. "We have paused the program to focus on building the world-class first-party hardware and software needed to advance the VR market," a Meta spokesperson told Road to VR. "We're committed to this for the long term and will revisit opportunities for 3rd-party device partnerships as the category evolves."

Meta is informing some users that they will soon be restricted in how many link posts they can share each month, unless they pay for its Meta Verified subscription service. As per the notification message: "Starting December 16, certain Facebook profiles without Meta Verified, including yours, will be limited to sharing links in 2 organic posts per month. Subscribe to Meta Verified to share more links on Facebook, plus get a verified badge and additional benefits to help protect your brand."

To be clear, right now this is a limited test, so relatively few Pages are impacted. But understandably, a lot of users are also seeking more information on the change, and whether it could be expanded to all Pages. So, Meta's seeking to boost take-up of Meta Verified, in order to make more money out of its subscription option, which, for business users, costs between $14.99 and $499 per month, depending on which package you choose.

A Reuters investigation found that Meta knowingly tolerated large volumes of scam and illegal ads from China worth billions in revenue. Reuters reports: Though China's authoritarian government bans use of Meta social media by its citizens, Beijing lets Chinese companies advertise to foreign consumers on the globe-spanning platforms. As a result, Meta's advertising business was thriving in China, ultimately reaching over $18 billion in annual sales in 2024, more than a tenth of the company's global revenue. But Meta calculated that about 19% of that money -- more than $3 billion -- was coming from ads for scams, illegal gambling, pornography and other banned content, according to internal Meta documents reviewed by Reuters.

The documents are part of a cache of previously unreported material generated over the past four years by teams including Meta's finance, lobbying, engineering and safety divisions. The cache reveals Meta's efforts over that period to understand the scale of abuse on its platforms and the company's reluctance to introduce fixes that could undermine its business and revenues. The documents show that Meta believed China was the country of origin of roughly a quarter of all ads for scams and banned products on Meta's platforms worldwide. Victims ranged from shoppers in Taiwan who purchased bogus health supplements to investors in the United States and Canada who were swindled out of their savings. "We need to make significant investment to reduce growing harm," Meta staffers warned in an internal April 2024 presentation to leaders of its safety operations.

To that end, Meta created an anti-fraud team that went beyond previous efforts to monitor scams and other banned activity from China. Using a variety of stepped-up enforcement tools, it slashed the problematic ads by about half during the second half of 2024 -- from 19% to 9% of the total advertising revenue coming from China. Then Meta Chief Executive Mark Zuckerberg weighed in. "As a result of Integrity Strategy pivot and follow-up from Zuck," a late 2024 document notes, the China ads-enforcement team was "asked to pause" its work. Reuters was unable to learn the specifics of the CEO's involvement or what the so-called "Integrity Strategy pivot" entailed. But after Zuckerberg's input, the documents show, Meta disbanded its China-focused anti-scam team. It also lifted a freeze it had introduced on granting new Chinese ad agencies access to its platforms. One document shows that Meta shelved yet other anti-scam measures that internal tests had indicated would be effective. The document didn't detail the specifics of those measures.

Meta took these steps even as an outside consultant it hired produced research that warned "Meta's own behavior and policies" were fostering systemic corruption in the Chinese market for ads targeting users in other countries, additional documents show. The upshot: Within a few months of Meta's brief crackdown, a new crop of Chinese advertising agencies was flooding Facebook and Instagram with prohibited ads. By mid-2025, banned ads climbed back to about 16% of Meta's China revenue. Rob Leathern, who was a senior director of product management at Facebook until 2020 and is no longer at the company, said the scale of predatory advertising revealed in the documents represents a major breakdown in consumer protections at the social media giant. "The levels that you're talking about are not defensible," he said of the percentage of abusive ads. "I don't know how anyone could think this is okay."

An anonymous reader quotes a report from the Guardian: Mark Carney says that amid a fundamental shift to the nature of globalization, his government will catalyze the growth in both the public and private sector. But Canadian linguists say that's a problem. Language experts have called out the Canadian prime minister's growing "utilization" of British spellings in key documents -- including the recent federal budget and a press release issued following a meeting with Donald Trump.

Carney, who served as the governor of the bank of England for seven years, appears to have run afoul of Canadian linguistic norms, returning to his home country with a penchant for using 's' instead of 'z'- a hallmark of British spellings. In an open letter (PDF) chastising the prime minister, six linguists have asked his office, the Canadian government and parliament to stick to Canadian English spelling, "which is the spelling they consistently used from the 1970s to 2025." They warned that if governments start to use other systems for spelling, "this could lead to confusion about which spelling is Canadian."

Canadian English is a source of immense pride for the nation's pedants. But the country's distinct and somewhat arbitrary spelling reflects the legacy of how Canada was colonized. "Canadian English evolved through Loyalist settlement after the American Revolutionary War, subsequent waves of English, Scottish, Welsh and Irish immigration, and from European and global contexts," the letter says, with the current accepted spellings of words reflecting "global influences and cultures from around the world represented in our population, as well as containing words and phrases from Indigenous languages." The linguists pointed out that Canada's distinct style of spelling was widespread in media and government documents, with this deliberate decision reflecting a desire to preserve a vital element of the country's "national history, identity and pride."

Intel has quietly stopped maintaining its open-source user-space driver stack for Gaudi accelerators. Phoronix reports: It turns out earlier this year Intel archived the SynapseAI Core open-source code and is no longer maintained by Intel. The open-source Synapse AI Core GitHub repository was archived in February and README updated with: "This project will no longer be maintained by Intel. Intel has ceased development and contributions including, but not limited to, maintenance, bug fixes, new releases, or updates, to this project. Intel no longer accepts patches to this project. If you have an ongoing need to use this project, are interested in independently developing it, or would like to maintain patches for the open source software community, please create your own fork of this project."

The new chief of Britain's Secret Intelligence Service told officers this week that they must become as fluent in programming languages like Python as they are in foreign languages like Russian as the spy agency adapts to what she described as a space between peace and war. Blaise Metreweli, MI6's first female chief and previously the service's director general of technology and innovation, said in her first public speech that mastery of technology is now required across the organization.

She warned that advanced technologies including AI, biotechnology and quantum computing are revolutionizing both economies and the reality of conflict. Metreweli focused particularly on threats from Russia, saying the country is testing the UK in the grey zone through cyberattacks on critical infrastructure, drones near sensitive sites and propaganda operations.

Mozilla has named Anthony Enzor-DeMeo as its new chief executive, promoting the executive who has spent the past year leading the Firefox browser team and who now plans to make AI central to the company's future.

Enzor-DeMeo announced on Tuesday that an "AI Mode" is coming to Firefox next year. The feature will let users choose from multiple AI models rather than being locked into a single provider. Some options will be open-source models, others will be private "Mozilla-hosted cloud options," and the company also plans to integrate models from major AI companies. Mozilla itself will not train its own large language model.

"We're not incentivized to push one model or the other," Enzor-DeMeo told The Verge. Firefox currently has about 200 million monthly users, a fraction of Chrome's roughly 4 billion, though Enzor-DeMeo insists mobile usage is growing at a decent clip.

He takes over from interim CEO Laura Chambers, who led the company through a major antitrust case and what Mozilla describes as "double-digit mobile growth" in Firefox. Chambers is returning to the Mozilla board of directors. The new CEO has outlined three priorities: ensuring all products give users control over AI features including the ability to turn them off, building a business model around transparent monetization, and expanding Firefox into a broader ecosystem of trusted software. Mozilla VPN integration is planned for the browser next year.

A new study warns that glaciers in the European Alps will hit their peak extinction rate within eight years, with global glacier loss accelerating toward thousands per year unless emissions are rapidly cut. "Glaciers in the western US and Canada are forecast to reach their peak year of loss less than a decade later, with more than 800 disappearing each year by then," adds the Guardian. From the report: About 200,000 glaciers remain worldwide, with about 750 disappearing each year. However, the research indicates this pace will accelerate rapidly as emissions from burning fossil fuels continue to be released into the atmosphere. Current climate action plans from governments are forecast to push global temperatures to about 2.7C above preindustrial levels, supercharging extreme weather. Under this scenario, glacier losses would peak at about 3,000 a year in 2040 and plateau at that rate until 2060. By the end of the century, 80% of today's glaciers will have gone. By contrast, rapid cuts to carbon emissions to keep global temperature rise to 1.5C would cap annual losses at about 2,000 a year in 2040, after which the rate would decline. [...]

The new study, published in Nature Climate Change, analyzed more than 200,000 glaciers from a database of outlines derived from satellite images. The researchers used three global glacier models to assess their fate under different heating scenarios. Regions with the smallest and fastest-melting glaciers were found to be the most vulnerable. The study estimates the 3,200 glaciers in central Europe would shrink by 87% by 2100 -- even if global temperature rise is limited to 1.5C, rising to 97% under 2.7C of heating.

In the western US and Canada, including Alaska, about 70% of today's 45,000 glaciers are projected to vanish under 1.5C of heating, and more than 90% under 2.7C. The Caucasus and southern Andes are also expected to face devastating losses. Larger glaciers take longer to melt, with those in Greenland reaching their peak extinction rate in about 2063 -- losing 40% by 2100 under 1.5C of heating and 59% under 2.7C. However, the melting is forecast to continue beyond 2100. The researchers said the peak loss dates represent more than a numerical milestone. "They mark turning points with profound implications for ecosystems, water resources and cultural heritage," they wrote. "[It is] a human story of vanishing landscapes, fading traditions and disrupted daily routines."

An anonymous reader quotes a report from Ars Technica: Microsoft is killing off an obsolete and vulnerable encryption cipher that Windows has supported by default for 26 years following more than a decade of devastating hacks that exploited it and recently faced blistering criticism from a prominent US senator. When the software maker rolled out Active Directory in 2000, it made RC4 a sole means of securing the Windows component, which administrators use to configure and provision fellow administrator and user accounts inside large organizations. RC4, short for Rivist Cipher 4, is a nod to mathematician and cryptographer Ron Rivest of RSA Security, who developed the stream cipher in 1987. Within days of the trade-secret-protected algorithm being leaked in 1994, a researcher demonstrated a cryptographic attack that significantly weakened the security it had been believed to provide. Despite the known susceptibility, RC4 remained a staple in encryption protocols, including SSL and its successor TLS, until about a decade ago. [...]

Last week, Microsoft said it was finally deprecating RC4 and cited its susceptibility to Kerberoasting, the form of attack, known since 2014, that was the root cause of the initial intrusion into Ascension's network. "By mid-2026, we will be updating domain controller defaults for the Kerberos Key Distribution Center (KDC) on Windows Server 2008 and later to only allow AES-SHA1 encryption," Matthew Palko, a Microsoft principal program manager, wrote. "RC4 will be disabled by default and only used if a domain administrator explicitly configures an account or the KDC to use it." [...] Following next year's change, RC4 authentication will no longer function unless administrators perform the extra work to allow it. In the meantime, Palko said, it's crucial that admins identify any systems inside their networks that rely on the cipher. Despite the known vulnerabilities, RC4 remains the sole means of some third-party legacy systems for authenticating to Windows networks. These systems can often go overlooked in networks even though they are required for crucial functions.

To streamline the identification of such systems, Microsoft is making several tools available. One is an update to KDC logs that will track both requests and responses that systems make using RC4 when performing requests through Kerberos. Kerberos is an industry-wide authentication protocol for verifying the identities of users and services over a non-secure network. It's the sole means for mutual authentication to Active Directory, which hackers attacking Windows networks widely consider a Holy Grail because of the control they gain once it has been compromised. Microsoft is also introducing new PowerShell scripts to sift through security event logs to more easily pinpoint problematic RC4 usage. Microsoft said it has steadily worked over the past decade to deprecate RC4, but that the task wasn't easy. "The problem though is that it's hard to kill off a cryptographic algorithm that is present in every OS that's shipped for the last 25 years and was the default algorithm for so long, Steve Syfuhs, who runs Microsoft's Windows Authentication team, wrote on Bluesky. "See," he continued, "the problem is not that the algorithm exists. The problem is how the algorithm is chosen, and the rules governing that spanned 20 years of code changes."

After introducing an AI Mode shortcut earlier this year, Google has now added a new "plus" menu to its Search homepage, highlighting options for image and file uploads. 9to5Google reports: On google.com, the Search bar now has a plus icon at the far left that replaces the magnifying glass. Clicking lets you "Upload image" or "Upload file." It very much matches the AI Mode experience. Those two capabilities aren't new, but this plus menu does help emphasize that you can use Google to accomplish tasks, and not just find information. Additionally, it helps indicate that they can be used with AI Mode and AI Overviews. This is just available on desktop web (not mobile) and is live on all the devices we checked today, including across signed-out Incognito sessions.

A critical React vulnerability (CVE-2025-55182) is being actively exploited at scale by Chinese, Iranian, North Korean, and criminal groups to gain remote code execution, deploy backdoors, and mine crypto. The Register reports: React maintainers disclosed the critical bug on December 3, and exploitation began almost immediately. According to Amazon's threat intel team, Chinese government crews, including Earth Lamia and Jackpot Panda, started battering the security hole within hours of its disclosure. Palo Alto Networks' Unit 42 responders have put the victim count at more than 50 organizations across multiple sectors, with attackers from North Korea also abusing the flaw.

Google, in a late Friday report, said at least five other suspected PRC spy groups also exploited React2Shell, along with criminals who deployed XMRig for illicit cryptocurrency mining, and "Iran-nexus actors," although the report doesn't provide any additional details about who the Iran-linked groups are and what they are doing after exploitation. "GTIG has also observed numerous discussions regarding CVE-2025-55182 in underground forums, including threads in which threat actors have shared links to scanning tools, proof-of-concept (PoC) code, and their experiences using these tools," the researchers wrote.

Google has decided to retire its free dark web monitoring tool, saying it wasn't as helpful as the company hoped. From a report: In a support page, Google announced the discontinuation of the "dark web report" tool, two years after offering it as a free perk to Gmail users before expanding it more broadly. The feature worked by scanning for your email addresses to determine whether they had appeared in data breaches, which often circulate on Dark Web marketplaces. The tool could then alert you about where the data was exposed, including any accompanying details such as dates of birth, addresses, and phone numbers.

The Trump administration announced Monday the United States Tech Force, a new program to recruit around 1,000 technologists for two-year government stints starting as soon as March -- less than a year after dismantling several federal technology teams and driving thousands of tech workers out of their jobs.

The program will primarily recruit early-career software engineers and data scientists, paying between $150,000 and $200,000 annually. About 20 companies have signed on to participate, including Palantir, Meta, Oracle and Elon Musk's xAI. Some engineering managers will be allowed to take leaves of absence from their private-sector employers to join the program without divesting their stock holdings.

The initiative follows the March closure of 18F, General Services Administration's internal tech consultancy, and the shuttering of the Social Security Administration's Office of Transformation in February. The IRS had lost over 2,000 tech workers by June.

Sixty years after a team of American and Indian climbers abandoned a plutonium-powered generator on the slopes of Nanda Devi, one of the world's most forbidding Himalayan peaks, the U.S. government still refuses to acknowledge that the mission ever happened. The device, a SNAP-19C portable generator containing plutonium isotopes including Pu-239 -- the same material used in the Nagasaki bomb -- was left behind in October 1965 when a sudden blizzard forced climbers to retreat from Camp Four, just below the summit.

The mission originated from a cocktail party conversation between General Curtis LeMay and National Geographic photographer Barry Bishop, who had summited Everest in 1963. China had just detonated its first atomic bomb in October 1964, and the CIA wanted to intercept radio signals from Chinese missile tests by placing an unmanned listening station atop the Himalayas. Barry Bishop recruited elite American climbers and coordinated with Indian intelligence to haul surveillance equipment up the mountain.

Captain M.S. Kohli, the Indian naval officer commanding the mission, ordered climbers to secure the equipment and descend when the blizzard struck. Jim McCarthy, the last surviving American climber, recalled warning Kohli he was making a mistake. "You can't leave plutonium by a glacier feeding into the Ganges!" he recalled. "Do you know how many people depend on the Ganges?" When teams returned in spring 1966, the entire ice ledge where the gear had been stashed was gone -- sheared off by an avalanche. Search missions in 1967 and 1968 found nothing.

The device remains buried somewhere in the glaciers that feed tributaries of the Ganges River.