Submission: Scientists Discover 100 To 1000 Times More Plastics In Bottled Water (washingtonpost.com)

An anonymous reader writes: People are swallowing hundreds of thousands of microscopic pieces of plastic each time they drink a liter of bottled water, scientists have shown — a revelation that could have profound implications for human health. A new paper released Monday in the Proceedings of the National Academy of Sciences found about 240,000 particles in the average liter of bottled water, most of which were “nanoplastics” — particles measuring less than one micrometer (less than one-seventieth the width of a human hair). [...]

The typical methods for finding microplastics can’t be easily applied to finding even smaller particles, but Min co-invented a method that involves aiming two lasers at a sample and observing the resonance of different molecules. Using machine learning, the group was able to identify seven types of plastic molecules in a sample of three types of bottled water. [...] The new study found pieces of PET (polyethylene terephthalate), which is what most plastic water bottles are made of, and polyamide, a type of plastic that is present in water filters. The researchers hypothesized that this means plastic is getting into the water both from the bottle and from the filtration process.

Researchers don’t yet know how dangerous tiny plastics are for human health. In a large review published in 2019, the World Health Organization said there wasn’t enough firm evidence linking microplastics in water to human health, but described an urgent need for further research. In theory, nanoplastics are small enough to make it into a person’s blood, liver and brain. And nanoplastics are likely to appear in much larger quantities than microplastics — in the new research, 90 percent of the plastic particles found in the sample were nanoplastics, and only 10 percent were larger microplastics. Finding a connection between microplastics and health problems in humans is complicated — there are thousands of types of plastics, and over 10,000 chemicals used to manufacture them. But at a certain point, [...] policymakers and the public need to prepare for the possibility that the tiny plastics in the air we breathe, the water we drink and the clothes we wear have serious and dangerous effects.

The Internet

How AI-Generated Content Could Fuel a Migration From Social Media to Independent 'Authored' Content (niemanlab.org) 68

The chief content officer for New York's public radio station WNYC predicts an "AI-fueled shift to niche community and authored excellence."

And ironically, it will be fueled by "Greedy publishers and malicious propagandists... flooding the web with fake or just mediocre AI-generated 'content'" which will "spotlight and boost the value of authored creativity." And it may help give birth to a new generation of independent media. Robots will make the internet more human.

First, it will speed up our migration off of big social platforms to niche communities where we can be better versions of ourselves. We're already exhausted by feeds that amplify our anxiety and algorithms that incentivize cruelty. AI will take the arms race of digital publishing shaped by algorithmic curation to its natural conclusion: big feed-based social platforms will become unending streams of noise. When we've left those sites for good, we'll miss the (mostly inaccurate) sense that we were seeing or participating in a grand, democratic town hall. But as we find places to convene where good faith participation is expected, abuse and harassment aren't, and quality is valued over quantity, we'll be happy to have traded a perception of scale influence for the experience of real connection.

Second, this flood of authorless "content" will help truly authored creativity shine in contrast... "Could a robot have done this?" will be a question we ask to push ourselves to be funnier, weirder, more vulnerable, and more creative. And for the funniest, the weirdest, the most vulnerable, and most creative: the gap between what they do and everything else will be huge. Finally, these AI-accelerated shifts will combine with the current moment in media economics to fuel a new era of independent media.

For a few years he's seen the rise of independent community-funded journalists, and "the list of thriving small enterprises is getting longer." He sees more growth in community-funding platforms (with subscription/membership features like on Substack and Patreon) which "continue to tilt the risk/reward math for audience-facing talent....

"And the amount of audience-facing, world-class talent that left institutional media in 2023 (by choice or otherwise) is unlike anything I've seen in more than 15 years in journalism... [I]f we're lucky, we'll see the creation of a new generation of independent media businesses whose work is as funny, weird, vulnerable and creative as its creators want it to be. And those businesses will be built on truly stable ground: a direct financial relationship with people who care.

"Thank the robots."

Microsoft

Microsoft Pulls the Plug on WordPad (theregister.com) 58

Microsoft has begun ditching WordPad from Windows and removed the editor from the first Canary Channel build of 2024. From a report: We knew it was coming, but the reality has arrived in the Canary Channel. A clean install will omit WordPad as of build 26020 of Windows 11. At an undisclosed point, the application will be removed on upgrade.

The People app is also being axed, as expected, and the Steps Recorder won't be getting any more updates and will instead show a banner encouraging users to try something else. Perhaps ClipChamp? WordPad was always an odd tool. Certainly not something one would want to edit text with, but not much of a word processor either. It feels like a throwback to a previous era. However, it was also free, came with Windows, and didn't insist on having a connection to the internet for it to work.

AI

AI-Assisted Bug Reports Are Seriously Annoying For Developers (theregister.com) 29

Generative AI models like Google Bard and GitHub Copilot are increasingly being used in various industries, but users often overlook their limitations, leading to serious errors and inefficiencies. Daniel Stenberg of curl and libcurl highlights a specific problem of AI-generated security reports: when reports are made to look better and to appear to have a point, it takes a longer time to research and eventually discard it. "Every security report has to have a human spend time to look at it and assess what it means," adds Stenberg. "The better the crap, the longer time and the more energy we have to spend on the report until we close it." The Register reports: The curl project offers a bug bounty to security researchers who find and report legitimate vulnerabilities. According to Stenberg, the program has paid out over $70,000 in rewards to date. Of 415 vulnerability reports received, 64 have been confirmed as security flaws and 77 have been deemed informative -- bugs without obvious security implications. So about 66 percent of the reports have been invalid. The issue for Stenberg is that these reports still need to be investigated and that takes developer time. And while those submitting bug reports have begun using AI tools to accelerate the process of finding supposed bugs and writing up reports, those reviewing bug reports still rely on human review. The result of this asymmetry is more plausible-sounding reports, because chatbot models can produce detailed, readable text without regard to accuracy.

As Stenberg puts it, AI produces better crap. "A crap report does not help the project at all. It instead takes away developer time and energy from something productive. Partly because security work is considered one of the most important areas so it tends to trump almost everything else." As examples, he cites two reports submitted to HackerOne, a vulnerability reporting community. One claimed to describe Curl CVE-2023-38545 prior to actual disclosure. But Stenberg had to post to the forum to make clear that the bug report was bogus. He said that the report, produced with the help of Google Bard, "reeks of typical AI style hallucinations: it mixes and matches facts and details from old security issues, creating and making up something new that has no connection with reality." [...]

Stenberg readily acknowledges that AI assistance can be genuinely helpful. But he argues that having a human in the loop makes the use and outcome of AI tools much better. Even so, he expects the ease and utility of these tools, coupled with the financial incentive of bug bounties, will lead to more shoddy LLM-generated security reports, to the detriment of those on the receiving end.

AI

ChatGPT Bombs Test On Diagnosing Kids' Medical Cases With 83% Error Rate (arstechnica.com) 70

An anonymous reader quotes a report from Ars Technica: ChatGPT is still no House, MD. While the chatty AI bot has previously underwhelmed with its attempts to diagnose challenging medical cases -- with an accuracy rate of 39 percent in an analysis last year -- a study out this week in JAMA Pediatrics suggests the fourth version of the large language model is especially bad with kids. It had an accuracy rate of just 17 percent when diagnosing pediatric medical cases. The low success rate suggests human pediatricians won't be out of jobs any time soon, in case that was a concern. As the authors put it: "[T]his study underscores the invaluable role that clinical experience holds." But it also identifies the critical weaknesses that led to ChatGPT's high error rate and ways to transform it into a useful tool in clinical care. With so much interest and experimentation with AI chatbots, many pediatricians and other doctors see their integration into clinical care as inevitable. [...]

For ChatGPT's test, the researchers pasted the relevant text of the medical cases into the prompt, and then two qualified physician-researchers scored the AI-generated answers as correct, incorrect, or "did not fully capture the diagnosis." In the latter case, ChatGPT came up with a clinically related condition that was too broad or unspecific to be considered the correct diagnosis. For instance, ChatGPT diagnosed one child's case as caused by a branchial cleft cyst -- a lump in the neck or below the collarbone -- when the correct diagnosis was Branchio-oto-renal syndrome, a genetic condition that causes the abnormal development of tissue in the neck, and malformations in the ears and kidneys. One of the signs of the condition is the formation of branchial cleft cysts. Overall, ChatGPT got the right answer in just 17 of the 100 cases. It was plainly wrong in 72 cases, and did not fully capture the diagnosis of the remaining 11 cases. Among the 83 wrong diagnoses, 47 (57 percent) were in the same organ system.

Among the failures, researchers noted that ChatGPT appeared to struggle with spotting known relationships between conditions that an experienced physician would hopefully pick up on. For example, it didn't make the connection between autism and scurvy (Vitamin C deficiency) in one medical case. Neuropsychiatric conditions, such as autism, can lead to restricted diets, and that in turn can lead to vitamin deficiencies. As such, neuropsychiatric conditions are notable risk factors for the development of vitamin deficiencies in kids living in high-income countries, and clinicians should be on the lookout for them. ChatGPT, meanwhile, came up with the diagnosis of a rare autoimmune condition. Though the chatbot struggled in this test, the researchers suggest it could improve by being specifically and selectively trained on accurate and trustworthy medical literature -- not stuff on the Internet, which can include inaccurate information and misinformation. They also suggest chatbots could improve with more real-time access to medical data, allowing the models to refine their accuracy, described as "tuning."

Submission: DVD resurgence to prevent films from disappearing (bbc.com)

smooth wombat writes: The advent of streaming services heralded a new era of movie watching. No longer tied to an inconvenient time at a theater, movies could now be watched at your convenience any time of the day or night in your own home. However, with that convenience comes a sinister side: those same movies disappearing from streaming services. Once the movie is removed from the streaming service you can't watch it again. As a result, more people, particularly younger people, are buying DVDs, and even records, to preserve their ability to watch and listen to what they want when they want. Before his release of Oppenheimer, Christopher Nolan encouraged fans to embrace "a version you can buy and own at home and put on a shelf so no evil streaming service can come steal it from you". From the BBC article:

Other directors have chimed in to sing the praises of physical media. James Cameron told Variety: "The streamers are denying us any access whatsoever to certain films. And I think people are responding with their natural reaction, which is 'I'm going to buy it, and I'm going to watch it any time I want.'"

Guillermo del Toro posted on X that "If you own a great 4K HD, Blu-ray, DVD etc etc of a film or films you love... you are the custodian of those films for generations to come." His tweet prompted people to reply, sharing evidence of their vast DVD collections.

There will always be fans who want to own everything they can by a favourite artist or director, but another factor is an increasing fear over how much – or rather, how little – control we have over the content we stream. With so many streaming services at our fingertips, it's easy to assume that we can watch any film we want, any time we want, subscription depending. But there are many films that don't seem to exist online. In the UK, you won't find David Lynch's seminal debut Eraserhead available to stream. In the US, one New York Times writer recently told of her difficulty in trying to watch her favourite childhood movie, Britney Spears' Crossroads. Nineties pop fans wanting to indulge in a spot of nostalgia with Spice World will struggle to find it in the US.

Even films that are available could disappear at any moment, as streaming services reevaluate their content libraries or remove titles due to licensing agreements. And when you pay to purchase a digital version of a film or TV show, as opposed to renting it or watching it via a streaming subscription, you still don't "own" it – you've just purchased a licence to watch it. And, of course, when everything is on the cloud, we are at the mercy of a stable internet connection.

It was a problem that the film collector Lucas Henkel kept encountering. "I realised that many of the movies I enjoy are not really available on streaming services, or they disappear frequently, so the only way to see them reliably is through physical media," he tells BBC Culture. So Henkel decided to set up his own boutique home entertainment distribution label, Celluloid Dreams. "As a collector myself, it has a lot to do with the desire to own something tangible," says Henkel, explaining his own commitment to physical media. "More importantly, it guarantees access. I can pull out a 20-year old DVD and play it any day I want. No restrictions, no extra fees, no subscriptions; just insert the disc and press play. Seriously, what's not to like about that? And no streaming service can match the quality of a presentation coming from a physical medium."

The Internet

Is the Internet About to Get Weird Again? (rollingstone.com) 83

Long-time tech entrepreneur Anil Dash predicts a big shift in the digital landscape in 2024. And "regular internet users — not just the world's tech tycoons — may be the ones who decide how it goes." The first thing to understand about this new era of the internet is that power is, undoubtedly, shifting. For example, regulators are now part of the story — an ironic shift for anyone who was around in the dot com days. In the E.U., tech giants like Apple are being forced to hold their noses and embrace mandated changes like opening up their devices to allow alternate app stores to provide apps to consumers. This could be good news, increasing consumer choice and possibly enabling different business models — how about mobile games that aren't constantly pestering gamers for in-app purchases? Back in the U.S., a shocking judgment in Epic Games' (that's the Fortnite folks') lawsuit against Google leaves us with the promise that Android phones might open up in a similar way.

That's not just good news for the billions of people who own smartphones. It's part of a sea change for the coders and designers who build the apps, sites, and games we all use. For an entire generation, the imagination of people making the web has been hemmed in by the control of a handful of giant companies that have had enormous control over things like search results, or app stores, or ad platforms, or payment systems. Going back to the more free-for-all nature of the Nineties internet could mean we see a proliferation of unexpected, strange new products and services. Back then, a lot of technology was created by local communities or people with a shared interest, and it was as likely that cool things would be invented by universities and non-profits and eccentric lone creators as they were to be made by giant corporations....

In that era, people could even make their own little social networks, so the conversations and content you found on an online forum or discussion were as likely to have been hosted by the efforts of one lone creator than to have come from some giant corporate conglomerate. It was a more democratized internet, and while the world can't return to that level of simplicity, we're seeing signs of a modern revisiting of some of those ideas.

Dash's article (published in Rolling Stone) ends with examples of "people who had been quietly keeping the spirit of the human, personal, creative internet alive...seeing a resurgence now that the web is up for grabs again."
  • The School for Poetic Computation (which Dash describes as "an eccentric, deeply charming, self-organized school for people who want to combine art and technology and a social conscience.")
  • Mask On Zone, "a collaboration with the artist and coder Ritu Ghiya, which gives demonstrators and protesters in-context guidance on how to avoid surveillance."

Dash concludes that "We're seeing the biggest return to that human-run, personal-scale web that we've witnessed since the turn of the millennium, with enough momentum that it's likely that 2024 is the first year since then that many people have the experience of making a new connection or seeing something go viral on a platform that's being run by a regular person instead of a commercial entity.

"It's going to make a lot of new things possible..."

A big thank-you for submitting the article to long-time Slashdot reader, DrunkenTerror.


China

That Chinese Spy Balloon Used an American ISP to Communicate, Say US Officials (nbcnews.com) 74

NBC News reports that the Chinese spy balloon that flew across the U.S. in February "used an American internet service provider to communicate, according to two current and one former U.S. official familiar with the assessment."

It used the American ISP connection "to send and receive communications from China, primarily related to its navigation." Officials familiar with the assessment said it found that the connection allowed the balloon to send burst transmissions, or high-bandwidth collections of data over short periods of time.

The Biden administration sought a highly secretive court order from the federal Foreign Intelligence Surveillance Court to collect intelligence about it while it was over the U.S., according to multiple current and former U.S. officials. How the court ruled has not been disclosed. Such a court order would have allowed U.S. intelligence agencies to conduct electronic surveillance on the balloon as it flew over the U.S. and as it sent and received messages to and from China, the officials said, including communications sent via the American internet service provider...

The previously unreported U.S. effort to monitor the balloon's communications could be one reason Biden administration officials have insisted that they got more intelligence out of the device than it got as it flew over the U.S. Senior administration officials have said the U.S. was able to protect sensitive sites on the ground because they closely tracked the balloon's projected flight path. The U.S. military moved or obscured sensitive equipment so the balloon could not collect images or video while it was overhead.

NBC News is not naming the internet service provider, but says it denied that the Chinese balloon had used its network, "a determination it said was based on its own investigation and discussions it had with U.S. officials." The balloon contained "multiple antennas, including an array most likely able to collect and geolocate communications," according to reports from a U.S. State Department official cited by NBC News in February. It was also powered by enormous solar panels that generated enough power to operate intelligence collection sensors, the official said.

Reached for comment this week, a spokesperson for the Chinese Embassy in Washington told NBC News that the balloon was just a weather balloon that had accidentally drifted into American airspace.

Android

Beeper's iMessage Connection Software Open Sourced. What Happens Next? (cnet.com) 85

"The iMessage connection software that powers Beeper Mini and Beeper Cloud is now 100% open source," Beeper announced late this week. "Anyone who wants can use it or continue development."

But while Beeper says it's done trying to bring iMessage to Android, CNET reports that the whole battle was "deeply tied" to Apple's ongoing strategy to control the mobile market: The tide seems to be changing, however: Apple said last month it would be opening up its Messages app (likely due to European regulation) to work with the newer, more feature-rich texting protocol called RCS. This hopefully will lead to a more modern and secure messaging experience when texting between an iPhone and an Android phone, and lead away from the aging SMS and MMS standards. Unfortunately, green bubbles will continue to persist even if there might be little to no functional difference. While third-party apps like Nothing Chats attempted and ultimately failed to bring iMessage to Android, Apple will likely never release the app on Google's mobile operating system.

Until RCS is fully adopted, companies are creating services to allow access to iMessage via Android phones. Apple, for its part, has been quick to block apps like Beeper Mini, citing security concerns. This, however, is raising eyebrows from lawmakers regarding competition in the messaging space and Apple's tight control over the market...

Beeper in a December 21 blog post told users to grab a jailbroken iPhone and install a free Beeper tool that'll generate iMessage registration codes to keep the service operational. It's such a roundabout and potentially expensive way of trying to get iMessage on Android that it likely won't be worth it for most people. For those not willing to go out and jailbreak an iPhone, Beeper said in a now-deleted blog post that it would allow people to rent a jailbroken unit for a small monthly fee starting next year.

Education

Microsoft President Brad Smith Quietly Leaves Board of Nonprofit Code.org 4

Longtime Slashdot reader theodp writes: Way back in September 2012, Microsoft President Brad Smith discussed the idea of "producing a crisis" to advance Microsoft's "two-pronged" National Talent Strategy to increase K-12 CS education and the number of H-1B visas. Not long thereafter, the tech-backed nonprofit Code.org (which promotes and provides K-12 CS education and is led by Smith's next-door neighbor) and Mark Zuckerberg's FWD.us PAC (which lobbied for H-1B reform) were born, with Smith on board both. Over the past 10+ years, Smith has played a key role in establishing Code.org's influence in the new K-12 CS education "grassroots" movement, including getting buy-in from three Presidential administrations -- Obama, Trump, and Biden -- as well as the U.S. Dept. of Education and the nation's Governors.

But after recent updates, Code.org's Leadership page now indicates that Smith has quietly left Code.org's Board of Directors and thanks him for his past help and advice. Since November (when archive.org indicates Smith's photo was yanked from Code.org's Leadership page), Smith has been in the news in conjunction with Microsoft's relationship with another Microsoft-bankrolled nonprofit, OpenAI, which has come under scrutiny by the Feds and in the UK. Smith, who noted he and Microsoft helped OpenAI and CEO Sam Altman craft messaging ahead of a White House meeting, announced in a Dec. 8th tweet that Microsoft will be getting a non-voting OpenAI Board seat in connection with Altman's return to power (who that non-voting Microsoft OpenAI board member will be has not been announced).

OpenAI, Microsoft, and Code.org teamed up in December to provide K-12 CS+AI tutorials for this December's AI-themed Hour of Code (the trio has also partnered with Amazon and Google on the Code.org-led TeachAI initiative). And while Smith has left Code.org's Board, Microsoft's influence there will live on as Microsoft CTO Kevin Scott -- credited for forging Microsoft's OpenAI partnership -- remains a Code.org Board member together with execs from other Code.org Platinum Supporters ($3+ million in past 2 years) Google and Amazon.

AMD

Ryzen vs. Meteor Lake: AMD's AI Often Wins, Even On Intel's Hand-Picked Tests (tomshardware.com) 6

Velcroman1 writes: Intel's new generation of "Meteor Lake" mobile CPUs heralds a new age of "AI PCs," computers that can handle inference workloads such as generating images or transcribing audio without an Internet connection. Officially named "Intel Core Ultra" processors, the chips are the first to feature an NPU (neural processing unit) that's purpose-built to handle AI tasks. But there are few ways to actually test this feature at present: software will need to be rewritten to specifically direct operations at the NPU.

Intel has steered testers toward its Open Visual Inference and Neural Network Optimization (OpenVINO) AI toolkit. With those benchmarks, Tom's Hardware tested the new Intel chips against AMD -- and surprisingly, AMD chips often came out on top, even on these hand-selected benchmarks. Clearly, optimization will take some time!

Security

Attack Discovered Against SSH (arstechnica.com) 66

jd writes: Ars Technica is reporting a newly-discovered man-in-the-middle attack against SSH. This only works if you are using "ChaCha20-Poly1305" or "CBC with Encrypt-then-MAC", so it isn't a universal flaw. The CVE numbers for this vulnerability are CVE-2023-48795, CVE-2023-46445, and CVE-2023-46446.

From TFA:

At its core, Terrapin works by altering or corrupting information transmitted in the SSH data stream during the handshake -- the earliest stage of a connection, when the two parties negotiate the encryption parameters they will use to establish a secure connection. The attack targets the BPP, short for Binary Packet Protocol, which is designed to ensure that adversaries with an active position can't add or drop messages exchanged during the handshake. Terrapin relies on prefix truncation, a class of attack that removes specific messages at the very beginning of a data stream.

The Terrapin attack is a novel cryptographic attack targeting the integrity of the SSH protocol, the first-ever practical attack of its kind, and one of the very few attacks against SSH at all. The attack exploits weaknesses in the specification of SSH paired with widespread algorithms, namely ChaCha20-Poly1305 and CBC-EtM, to remove an arbitrary number of protected messages at the beginning of the secure channel, thus breaking integrity. In practice, the attack can be used to impede the negotiation of certain security-relevant protocol extensions. Moreover, Terrapin enables more advanced exploitation techniques when combined with particular implementation flaws, leading to a total loss of confidentiality and integrity in the worst case.

NASA

NASA's Tech Demo Streams First Video From Deep Space Via Laser 24

NASA has successfully beamed an ultra-high definition streaming video from a record-setting 19 million miles away. The Deep Space Optical Communications experiment, as it is called, is part of a NASA technology demonstration aimed at streaming HD video from deep space to enable future human missions beyond Earth orbit. From a NASA press release: The [15-second test] video signal took 101 seconds to reach Earth, sent at the system's maximum bit rate of 267 megabits per second (Mbps). Capable of sending and receiving near-infrared signals, the instrument beamed an encoded near-infrared laser to the Hale Telescope at Caltech's Palomar Observatory in San Diego County, California, where it was downloaded. Each frame from the looping video was then sent "live" to NASA's Jet Propulsion Laboratory in Southern California, where the video was played in real time.

The laser communications demo, which launched with NASA's Psyche mission on Oct. 13, is designed to transmit data from deep space at rates 10 to 100 times greater than the state-of-the-art radio frequency systems used by deep space missions today. As Psyche travels to the main asteroid belt between Mars and Jupiter, the technology demonstration will send high-data-rate signals as far out as the Red Planet's greatest distance from Earth. In doing so, it paves the way for higher-data-rate communications capable of sending complex scientific information, high-definition imagery, and video in support of humanity's next giant leap: sending humans to Mars.

Uploaded before launch, the short ultra-high definition video features an orange tabby cat named Taters, the pet of a JPL employee, chasing a laser pointer, with overlaid graphics. The graphics illustrate several features from the tech demo, such as Psyche's orbital path, Palomar's telescope dome, and technical information about the laser and its data bit rate. Taters' heart rate, color, and breed are also on display. There's also a historical link: Beginning in 1928, a small statue of the popular cartoon character Felix the Cat was featured in television test broadcast transmissions. Today, cat videos and memes are some of the most popular content online.
"Despite transmitting from millions of miles away, it was able to send the video faster than most broadband internet connections," said Ryan Rogalin, the project's receiver electronics lead at JPL. "In fact, after receiving the video at Palomar, it was sent to JPL over the internet, and that connection was slower than the signal coming from deep space. JPL's DesignLab did an amazing job helping us showcase this technology -- everyone loves Taters."
DRM

'Copyright Troll' Porn Company 'Makes Millions By Shaming Porn Consumers' (yahoo.com) 100

In 1999 Los Angeles Times reporter Michael Hiltzik co-authored a Pulitzer Prize-winning story. Now a business columnist for the Times, he writes that a Southern California maker of pornographic films named Strike 3 Holdings is also "a copyright troll," according to U.S. Judge Royce C. Lamberth: Lamberth wrote in 2018, "Armed with hundreds of cut-and-pasted complaints and boilerplate discovery motions, Strike 3 floods this courthouse (and others around the country) with lawsuits smacking of extortion. It treats this Court not as a citadel of justice, but as an ATM." He likened its litigation strategy to a "high-tech shakedown." Lamberth was not speaking off the cuff. Since September 2017, Strike 3 has filed more than 12,440 lawsuits in federal courts alleging that defendants infringed its copyrights by downloading its movies via BitTorrent, an online service on which unauthorized content can be accessed by almost anyone with a computer and internet connection.

That includes 3,311 cases the firm filed this year, more than 550 in federal courts in California. On some days, scores of filings reach federal courthouses — on Nov. 17, to select a date at random, the firm filed 60 lawsuits nationwide... Typically, they are settled for what lawyers say are cash payments in the four or five figures or are dismissed outright...

It's impossible to pinpoint the profits that can be made from this courthouse strategy. J. Curtis Edmondson, a Portland, Oregon, lawyer who is among the few who pushed back against a Strike 3 case and won, estimates that Strike 3 "pulls in about $15 million to $20 million a year from its lawsuits." That would make the cases "way more profitable than selling their product...." If only one-third of its more than 12,000 lawsuits produced settlements averaging as little as $5,000 each, the yield would come to $20 million... The volume of Strike 3 cases has increased every year — from 1,932 in 2021 to 2,879 last year and 3,311 this year.

What's really needed is a change in copyright law to bring the statutory damages down to a level that truly reflects the value of a film lost because of unauthorized downloading — not $750 or $150,000 but perhaps a few hundred dollars.

None of the lawsuits go to trial. Instead ISPs get a subpoena demanding the real-world address and name behind IP addresses "ostensibly used to download content from BitTorrent..." according to the article. Strike 3 will then "proceed by sending a letter implicitly threatening the subscriber with public exposure as a pornography viewer and explicitly with the statutory penalties for infringement written into federal copyright law — up to $150,000 for each example of willful infringement and from $750 to $30,000 otherwise."

A federal judge in Connecticut wrote last year that "Given the nature of the films at issue, defendants may feel coerced to settle these suits merely to prevent public disclosure of their identifying information, even if they believe they have been misidentified."

Thanks to Slashdot reader Beerismydad for sharing the article.
Space

SETI Scientists Report Discovery of More Fast Radio Bursts (scitechdaily.com) 19

Using a "recently refurbished" telescope array, SETI scientists performed 541 hours of additional observations — and found 35 new "Fast Radio Bursts" (or FRBs). SciTechDaily reports: All 35 FRBs were found in the lower part of the frequency spectrum, each with its unique energy signature. "This work is exciting because it provides both confirmation of known FRB properties and the discovery of some new ones," said the SETI Institute's Dr. Sofia Sheikh, NSF MPS-Ascend Postdoctoral Fellow and lead author. "We're narrowing down the source of FRBs, for example, to extreme objects such as magnetars, but no existing model can explain all of the properties that have been observed so far. It has been wonderful to be part of the first FRB study done with the Allen Telescope Array — this work proves that new telescopes with unique capabilities, like the Allen Telescope Array, can provide a new angle on outstanding mysteries in FRB science."

The detailed findings, recently published in the journal Monthly Notices of the Royal Astronomical Society (MNRAS), showcase the intriguing behaviors of FRBs. These mysterious signals exhibit downward frequency drifting, a connection between their bandwidth and center frequency, and changes in burst duration over time. The team also observed something that had never been reported before: there was a noticeable drop in the center frequency of bursts over the two months of observation, revealing an unexpected cosmic slide-whistle...

No clear pattern was found, highlighting the unpredictability of these celestial phenomena.

SETI says its Allen Telescope Array (or ATA) was custom-built for SETI searches, "thanks to the interest and benevolence of many donors, including technologists Paul Allen (co-founder of Microsoft) and Nathan Myhrvold (former Chief Technology Officer for Microsoft)." The Allen Telescope Array offers SETI scientists access to an instrument seven days a week, and permits the search of several different targets (usually nearby star systems) simultaneously. This can result in a speed-up of SETI searches by a factor of at least 100.
Medicine

US Pharmacies Share Medical Data with Police Without a Warrant, Inquiry Finds (msn.com) 23

The Washington Post reports that America's largest pharmacy chains have "handed over Americans' prescription records to police and government investigators without a warrant, a congressional investigation found, raising concerns about threats to medical privacy." Though some of the chains require their lawyers to review law enforcement requests, three of the largest — CVS Health, Kroger and Rite Aid, with a combined 60,000 locations nationwide — said they allow pharmacy staff members to hand over customers' medical records in the store... Pharmacies' records hold some of the most intimate details of their customers' personal lives, including years-old medical conditions and the prescriptions they take for mental health and birth control. Because the chains often share records across all locations, a pharmacy in one state can access a person's medical history from states with more-restrictive laws. Carly Zubrzycki, an associate professor at the University of Connecticut law school, wrote last year that this could link a person's out-of-state medical care via a "digital trail" back to their home state...

In briefings, officials with eight American pharmacy giants — Walgreens Boots Alliance, CVS, Walmart, Rite Aid, Kroger, Cigna, Optum Rx and Amazon Pharmacy — told congressional investigators that they required only a subpoena, not a warrant, to share the records.

A subpoena can be issued by a government agency and, unlike a court order or warrant, does not require a judge's approval. To obtain a warrant, law enforcement must convince a judge that the information is vital to investigate a crime. Officials with CVS, Kroger and Rite Aid said they instruct their pharmacy staff members to process law enforcement requests on the spot, saying the staff members face "extreme pressure to immediately respond," the lawmakers' letter said. The eight pharmacy giants told congressional investigators that they collectively received tens of thousands of legal demands every year, and that most were in connection with civil lawsuits. It's unclear how many were related to law enforcement demands, or how many requests were fulfilled.

Only one of the companies, Amazon, said it notified customers when law enforcement demanded its pharmacy records unless there was a legal prohibition, such as a "gag order," preventing it from doing so, the lawmakers said...

Most investigative requests come with a directive requiring the company to keep them confidential, a CVS spokeswoman said; for those that don't, the company considers "on a case-by-case basis whether it's appropriate to notify the individual."

The article points out that Americans "can request the companies tell them if they've ever disclosed their data...but very few people do.

"CVS, which has more than 40,000 pharmacists and 10,000 stores in the United States, said it received a 'single-digit number' of such consumer requests last year, the letter states."
