Communications

Did Telegram's Founder Lose a Million Dollar Bet Over a Prediction for Signal? (pcmag.com) 36

While he couldn't even ethically accept the million dollars, PC Magazine's senior security analyst Max Eddy writes that "how this happened in the first place is indicative of some of the information security industry's worst impulses. It doesn't have to be this way." Back in 2017, Telegram founder Pavel Durov and I had a disagreement... Durov tweeted about how the Signal secure messaging app had received money from the U.S. government. This is true; Signal received funds from the Open Technology Fund (OTF) — a nonprofit that previously was part of the US-backed Radio Free Asia. According to the OTF's website, it gave nearly $3 million to Signal between 2013 and 2016. It's entirely legitimate to be suspicious of government funding (even if Tor, OpenVPN, and WireGuard also received OTF money), and even take a moral stand against recipients of money from governments you disagree with.

But Durov went far beyond that. He seemed to think this meant Signal was bought off by the feds and predicted that a backdoor would be found within five years.

That's quite an accusation to make, especially without real proof, and it made me mad. Not because people were mouthing off on Twitter — that seems to be that platform's primary function. It made me mad that companies ostensibly working to better people's lives by protecting their security and privacy were trying to drag each other down publicly. This is not new; the VPN industry is full of whisper campaigns and counter-accusations. I can't tell you how many conversations I've had with VPN vendors that start with "first off, everything you heard is a lie...." But generally the message from companies in this industry is one of cooperation and protecting everyone. It's a common theme to keynotes at the RSA Conference and Black Hat that the people who work in infosec have a higher calling to protect other people first and do business second.

And then this happened (on Twitter):

Max Eddy: It's one thing to point out funding and another to say that a "backdoor will be found within five years."

Pavel Durov: I am certain of what I'm saying and am willing to bet $1M (1:1) on it.

While Eddy didn't have a million dollars, "I knew there was no way I would lose. This would be the easiest million-dollar bet I ever make." I was confident Durov was wrong because Signal, like many companies, has made an effort toward transparency that I can have some confidence in. Signal has made its code available, has registered as a nonprofit, has a fairly comprehensive privacy policy, and has made abundantly clear that it has no information to provide in response to law enforcement requests. Signal's protocol is also used by competitors, such as WhatsApp and Facebook Messenger, which have surely done their homework when selecting a method for encrypting messages. Most recently, a document revealed that even the FBI has been frustrated in its attempts to get data from Signal (and Telegram, too).
It's been five years, and Eddy now writes that Signal "continues to be recommended by advocacy groups of all kinds as a safe and secure way to communicate..."

"Neither Durov nor Telegram responded to my attempts to contact them for this story."
Social Networks

Reaching 700M Active Users, Telegram Announces 'Premium' Tier (techcrunch.com) 33

"Telegram became one of the top-5 downloaded apps worldwide in 2022 and now has over 700 million monthly active users," they announced this weekend. "This growth is solely from personal recommendations — Telegram has never paid to advertise its apps."

But they add significantly that "As Telegram keeps growing at rocket speed, many users have expressed their will to support our team." And so Telegram is now adding a premium tier, TechCrunch reports. "The firm did not disclose how much it is charging for the premium tier, but the monthly subscription appears to be priced in the range of $5 to $6." The premium tier adds a range of additional and improved features to the messaging app, which topped 500 million monthly active users in January 2021. Telegram Premium enables users to send files as large as 4GB (up from 2GB) and supports faster downloads, for instance, Telegram said. Paying customers will also be able to follow up to 1,000 channels, up from 500 offered to free users, and create up to 20 chat folders with as many as 200 chats each. Telegram Premium users will also be able to add up to four accounts in the app and pin up to 10 chats.

The move is the Dubai-headquartered firm's attempt to keep its development "driven primarily by its users, not advertisers," it said. It's also the first time an instant messaging app with hundreds of millions of users has rolled out a premium tier. Signal, WhatsApp, Facebook Messenger, Apple's Messages and Google's Messages, some of Telegram's top rivals, don't offer a premium tier.

Some analysts had earlier hoped that Telegram would be able to monetize the platform through its blockchain token project. But after several delays and regulatory troubles, Telegram said in 2020 that it had abandoned the project and offered to return $1.2 billion it had raised from investors....

"Today is an important day in the history of Telegram — marking not only a new milestone, but also the beginning of Telegram's sustainable monetization," the firm said in a blog post Sunday.

Premium users will also get animated profile videos and new home screen icons, along with a special chat-list badge, animated stickers, and additional reaction emojis, according to Telegram's blog post. (And of course, no ads.) Telegram's premium tier "will allow us to offer all the resource-heavy features users have asked for over the years," according to the blog post, "while preserving free access to the most powerful messenger on the planet..."

"The contributions of premium subscribers will help improve and expand the app for decades to come, while Telegram will remain free, independent and uphold its users-first values, redefining how a tech company should operate."
Programming

Researchers Claim Travis CI API Leaks 'Tens of Thousands' of User Tokens (arstechnica.com) 7

Ars Technica describes Travis CI as "a service that helps open source developers write and test software." They also wrote Monday that it's "leaking thousands of authentication tokens and other security-sensitive secrets.

"Many of these leaks allow hackers to access the private accounts of developers on Github, Docker, AWS, and other code repositories, security experts said in a new report." The availability of the third-party developer credentials from Travis CI has been an ongoing problem since at least 2015. At that time, security vulnerability service HackerOne reported that a Github account it used had been compromised when the service exposed an access token for one of the HackerOne developers. A similar leak presented itself again in 2019 and again last year.

The tokens give anyone with access to them the ability to read or modify the code stored in repositories that distribute an untold number of ongoing software applications and code libraries. The ability to gain unauthorized access to such projects opens the possibility of supply chain attacks, in which threat actors tamper with malware before it's distributed to users. The attackers can leverage their ability to tamper with the app to target huge numbers of projects that rely on the app in production servers.

Despite this being a known security concern, the leaks have continued, researchers in the Nautilus team at the Aqua Security firm are reporting. A series of two batches of data the researchers accessed using the Travis CI programming interface yielded 4.28 million and 770 million logs from 2013 through May 2022. After sampling a small percentage of the data, the researchers found what they believe are 73,000 tokens, secrets, and various credentials.

"These access keys and credentials are linked to popular cloud service providers, including GitHub, AWS, and Docker Hub," Aqua Security said. "Attackers can use this sensitive data to initiate massive cyberattacks and to move laterally in the cloud. Anyone who has ever used Travis CI is potentially exposed, so we recommend rotating your keys immediately."

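Aqua's advice is to rotate keys, and the first question for anyone who has used Travis CI is which of their own values ever reached a build log. The scanner below is an added example, not code from Ars Technica, Aqua Security or Travis CI: it walks a constructed build log line by line, matches the credential formats the report names (an AWS access key ID, a GitHub token, a generic KEY=value assignment printed by a build script) and uses a Shannon-entropy threshold to skip placeholders. The pattern set, the 3.0 bits-per-character threshold and the sample log are assumptions made for illustration. The `[secure]` line models the way Travis masks a secure variable on export; the clone-URL line shows a token of the same kind appearing in clear anyway because the build script embedded it in a command line.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
	"strings"
)

// Finding is one credential-looking value located in a CI build log.
type Finding struct {
	Line  int    // 1-based line number within the log
	Kind  string // name of the pattern that matched
	Value string // the matched value; pass it through Redact before writing it anywhere
}

// minEntropy (bits per character) separates real secrets from placeholders such as
// "xxxxxxxx". The value is an assumption chosen for this example, not a documented threshold.
const minEntropy = 3.0

// secretPatterns are tried in order, most specific first, so a value is reported under
// its most precise kind. The AWS and GitHub prefixes are public format facts; the
// assignment pattern is a heuristic for KEY=value lines printed by build scripts.
var secretPatterns = []struct {
	kind string
	re   *regexp.Regexp
}{
	{"aws-access-key-id", regexp.MustCompile(`\b(AKIA[0-9A-Z]{16})\b`)},
	{"github-token", regexp.MustCompile(`\b(gh[pousr]_[A-Za-z0-9]{36})\b`)},
	{"generic-assignment", regexp.MustCompile(
		`(?i)\b[A-Z0-9_]*(?:password|passwd|secret|token|api_?key)\s*[=:]\s*["']?([A-Za-z0-9+/=_\-]{16,})`)},
}

// ShannonEntropy returns the entropy of s in bits per character.
func ShannonEntropy(s string) float64 {
	counts := map[rune]int{}
	for _, r := range s {
		counts[r]++
	}
	n, h := float64(len([]rune(s))), 0.0
	for _, c := range counts {
		p := float64(c) / n
		h -= p * math.Log2(p)
	}
	return h
}

// Redact keeps a four-character prefix so a finding can be matched to the right key
// during rotation without copying the whole secret into yet another log.
func Redact(v string) string {
	if len(v) <= 4 {
		return "****"
	}
	return v[:4] + "****"
}

// ScanLog walks a build log and returns every high-entropy value matching a credential
// pattern. A Travis-style "[secure]" mask never matches: it is too short and contains
// characters outside the value character class.
func ScanLog(log string) []Finding {
	var findings []Finding
	for i, line := range strings.Split(log, "\n") {
		seen := map[string]bool{} // one finding per distinct value per line
		for _, p := range secretPatterns {
			for _, m := range p.re.FindAllStringSubmatch(line, -1) {
				v := m[1]
				if seen[v] || ShannonEntropy(v) < minEntropy {
					continue
				}
				seen[v] = true
				findings = append(findings, Finding{Line: i + 1, Kind: p.kind, Value: v})
			}
		}
	}
	return findings
}

// SampleLog is a constructed build log, not a real Travis CI log. Line 2 shows a secure
// variable masked on export; line 3 shows a token of the same kind leaking anyway because
// the build script embedded it in a clone URL. The AWS key is AWS's own documentation example.
const SampleLog = `$ export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
$ export GITHUB_TOKEN=[secure]
$ git clone https://ghp_16C7e42F292c6912E7710c838347Ae178B4a@github.com/example/repo.git
$ echo "DOCKER_PASSWORD=c2VjcmV0LWRvY2tlci1odWItcGFzcw==" > .env
$ TOKEN=xxxxxxxxxxxxxxxxxxxx ./run-tests.sh`

func main() {
	for _, f := range ScanLog(SampleLog) {
		fmt.Printf("line %d: %-19s %s\n", f.Line, f.Kind, Redact(f.Value))
	}
}
```

Run it over logs pulled for your own repositories; each hit names the key to rotate first. Patterns catch formats, not intent, so pair the scan with a sweep of the repository's CI configuration for `set -x` or `echo` debugging that prints environment variables, which is how a masked value ends up in clear a few lines later.
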
Software

Microsoft Updates Store Rules To Ban Paid Copycat Open-Source Projects (ghacks.net) 37

Microsoft updated the Microsoft Store policies yesterday to prohibit publishers from charging fees for software that is open source or generally available for free. They're also no longer allowed to set irrationally high price tags for their products. gHacks reports: If you have been to the Microsoft Store in the past couple of years, you may have noticed that it is home to more and more open source and free products. While that would be a good thing if the original developers had uploaded the apps and games to the store, it is not, because the uploads have been made by third parties. Even worse is the fact that many of these programs are not freely available, but available as paid applications. In other words: Microsoft customers have to pay money to buy a Store version of an app that is freely available elsewhere. Sometimes, free and paid versions exist side by side in the Store. Having to pay for a free application is bad enough, but this is not the only issue that users may experience when they make the purchase. Updates may be of concern as well, as the copycat programs may not be updated as often or as quickly as the source applications.

Open source and free products may not be sold anymore on the Microsoft Store, if generally available for free, and publishers are not allowed to set irrationally high price tags for their products anymore. The developers of open source and free applications may charge for their products on the Microsoft Store, the developer of Paint.net does that, for example. If Microsoft enforces the policies, numerous applications will be removed from the Store. Developers could report applications to Microsoft before, but the new policies give Microsoft control over application listings and submissions directly.

Businesses

Adobe Plans To Make Photoshop on the Web Free To Everyone (theverge.com) 119

Adobe has started testing a free-to-use version of Photoshop on the web and plans to open the service up to everyone as a way to introduce more users to the app. From a report: The company is now testing the free version in Canada, where users are able to access Photoshop on the web through a free Adobe account. Adobe describes the service as "freemium" and eventually plans to gate off some features that will be exclusive to paying subscribers. Enough tools will be freely available to perform what Adobe considers to be Photoshop's core functions. "We want to make [Photoshop] more accessible and easier for more people to try it out and experience the product," says Maria Yap, Adobe's VP of digital imaging.
Software

Telegram Says It's Working on a Paid Service (t.me) 30

Instant messaging app Telegram, which is used by over 500 million active users, said on Friday it's working on a premium tier, but plans to keep many of the current features available to existing users. In a post, Telegram founder Pavel Durov wrote: Since the day Telegram was launched almost 9 years ago, we've been giving our users more features and resources than any other messaging app. A free app as powerful as Telegram was revolutionary in 2013 and is still unprecedented in 2022. To this day, our limits on chats, media and file uploads are unrivaled. And yet, many have been asking us to raise the current limits even further, so we looked into ways to let you go beyond what is already crazy. The problem here is that if we were to remove all limits for everyone, our server and traffic costs would have become unmanageable, so the party would be unfortunately over for everyone.

After giving it some thought, we realized that the only way to let our most demanding fans get more while keeping our existing features free is to make those raised limits a paid option. That's why this month we will introduce Telegram Premium, a subscription plan that allows anyone to acquire additional features, speed and resources. It will also allow users to support Telegram and join the club that receives new features first. Not to worry though: all existing features remain free, and there are plenty of new free features coming. Moreover, even users who don't subscribe to Telegram Premium will be able to enjoy some of its benefits: for example, they will be able to view extra-large documents, media and stickers sent by Premium users, or tap to add Premium reactions already pinned to a message to react in the same way. While our experiments with privacy-focused ads in public one-to-many channels have been more successful than we expected, I believe that Telegram should be funded primarily by its users, not advertisers. This way our users will always remain our main priority.

The Almighty Buck

Grubhub Reportedly Still Owes NYC Restaurants Thousands of Dollars After Disastrous Free Lunch Promo (eater.com) 23

An anonymous reader quotes a report from Eater NY: Two weeks after Grubhub rolled out a disastrous, citywide free lunch promo that overloaded NYC restaurants with delivery orders, some businesses are still waiting for the company to refund them for undelivered food orders. The New York Post reports that salad chain Fresh & Co. lost about $4,000 on the promotion stemming from orders that were never picked up, according to the company's CEO. Upper West Side restaurateur Jeremy Wladis tells the Post that he's down $1,500 from the promotion.

Grubhub has promised to reach out to restaurants that are requesting refunds over the snafu starting this week, according to the Post. A sales representative told the paper that "all orders from the Free Lunch Promo will be refunded." At the height of the hours-long promotional frenzy, the app was recording 6,000 orders per minute, according to Grubhub.

Security

LastPass No Longer Requires a Password To Access Your Vault (engadget.com) 29

LastPass says they're now the first password manager with a passwordless sign-in feature. Engadget reports: Grant permission through the LastPass Authenticator mobile app and you can update account info on the web without entering your master password. The approach relies on FIDO-compliant password-free technology. The feature is available to both personal and business users. LastPass is also promising options beyond the Authenticator app in the future, such as relying on biometric scans or hardware security keys.
Apple

Apple's Finally Making the iPad More Like a Mac (For Multitasking, at Least) (cnet.com) 15

Apple brought its iPad tablet a bit closer to the Mac computers in spirit on Monday at WWDC 2022, announcing new features for its iPadOS 16 software that add better multitasking features. From a report: The new changes to the iPad represent another key shift to the device, aiming to advance the "pro" capabilities of Apple's tablets. While Apple's added to the power and capabilities of its iPads, the software has been criticized by many reviewers, including us at CNET, for not offering enough functionality. [...] Apple also has a collaborative workspace app called Freeform, coming later this year, that will work like a giant whiteboard. Invited collaborators can start adding stuff at the same time.

iPadOS 16 is also aiming to make better use of more advanced iPads that feature Apple's M1 chip. Metal 3 promises better graphics, but Apple's also aiming to add more desktop-like features in apps: Some will have customizable toolbars, and the Files app looks like it's finally getting a little more versatile for file management. M1 iPads are getting display scaling to create an effectively larger-feeling display, allowing more app screen space (but with smaller text and images). There's also free-form window resizing, along with external display support. Both features have been overdue on iPadOS. Stage Manager, a MacOS feature that's coming later this year, is also on iPadOS. The result looks to be windows that can overlap and be different sizes, just like a Mac.

Security

Apple 'Passkeys' Could Finally Kill Off the Password For Good (techcrunch.com) 141

Apple demonstrated "passkeys" at WWDC 2022, a password-free sign-in standard that unlocks a device-held cryptographic key with Touch ID or Face ID and could finally kill off the password for good. TechCrunch reports: Passkeys are based on the Web Authentication API (WebAuthn), a standard that uses public-key cryptography instead of passwords for authenticating users to websites and applications, and are stored on-device rather than on a web server. The digital password replacement uses Touch ID or Face ID for biometric verification, which means that rather than having to input a long string of characters, an app or website you're logging into will push a request to your phone for authentication.

During its WWDC demo of the password-free technology, Apple showed how passkeys are backed up within the iCloud Keychain and can be synced across Mac, iPhone, iPad and Apple TV with end-to-end encryption. Users will also be able to sign in to websites and apps on non-Apple devices using an iPhone or iPad to scan a QR code and Touch ID or Face ID to authenticate. "Because it's just a single tap to sign in, it's simultaneously easier, faster and more secure than almost all common forms of authentication today," said Garrett Davidson, an Apple engineer on the Authentication Experience team.
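The LastPass item above and this one describe the same FIDO/WebAuthn mechanism, so one added example covers both. It is written for this page and is not code from Apple, LastPass or the WebAuthn specification: a simulated registration and login ceremony in which the authenticator keeps a P-256 private key scoped to a relying-party ID, and the server keeps only the public key plus a one-time challenge, then checks the origin, the RP ID hash and the signature before accepting. The authenticator-data layout is reduced to the fields that are checked, the client-data JSON uses Go field names rather than the spec's lowercase keys, the RP ID and origin values are made up, and the user-presence tap that Touch ID or Face ID would gate is represented by a single flag bit.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
)

// clientData carries the CollectedClientData fields a server must verify.
type clientData struct{ Type, Challenge, Origin string }

// Assertion is what the client returns after the user approves with Touch ID or Face ID.
type Assertion struct {
	UserHandle     string // passkeys are discoverable credentials, so the user handle rides along
	ClientDataJSON []byte
	AuthData       []byte // sha256(rpID) || flags || 4-byte counter (left at 0 here)
	Signature      []byte // ECDSA P-256 over sha256(AuthData || sha256(ClientDataJSON))
}

// Authenticator is the device side: one key pair per (RP ID, user), private key never exported.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// Register mints a P-256 key pair scoped to rpID and returns the public half for the RP to store.
func (a *Authenticator) Register(rpID, user string) (*ecdsa.PublicKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	if a.keys == nil {
		a.keys = map[string]*ecdsa.PrivateKey{}
	}
	a.keys[rpID+"|"+user] = key
	return &key.PublicKey, nil
}

// signedDigest is what both sides sign or verify: sha256(authData || sha256(clientDataJSON)).
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// Assert signs the challenge with the key scoped to rpID. A browser derives rpID from the page
// origin; both are explicit here so a phishing origin can be exercised directly.
func (a *Authenticator) Assert(rpID, origin, user string, challenge []byte) (*Assertion, error) {
	key, ok := a.keys[rpID+"|"+user]
	if !ok {
		return nil, errors.New("no credential scoped to " + rpID) // a look-alike domain ends here
	}
	cd, _ := json.Marshal(clientData{"webauthn.get", base64.RawURLEncoding.EncodeToString(challenge), origin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(append([]byte{}, rpHash[:]...), 0x01, 0, 0, 0, 0) // flag 0x01: user present
	sig, err := ecdsa.SignASN1(rand.Reader, key, signedDigest(authData, cd))
	if err != nil {
		return nil, err
	}
	return &Assertion{user, cd, authData, sig}, nil
}

// RelyingParty is the server side: stored public keys plus challenges issued but not yet seen back.
type RelyingParty struct {
	ID, Origin string
	PubKeys    map[string]*ecdsa.PublicKey
	pending    map[string]bool
}

func NewRelyingParty(id, origin string) *RelyingParty {
	return &RelyingParty{id, origin, map[string]*ecdsa.PublicKey{}, map[string]bool{}}
}

// BeginLogin issues a fresh random challenge that is valid exactly once.
func (rp *RelyingParty) BeginLogin() []byte {
	ch := make([]byte, 32)
	rand.Read(ch)
	rp.pending[base64.RawURLEncoding.EncodeToString(ch)] = true
	return ch
}

// FinishLogin runs the checks a WebAuthn server must make before trusting an assertion.
// The challenge is consumed before anything else, so neither a replay nor a retry can reuse it.
func (rp *RelyingParty) FinishLogin(as *Assertion) error {
	var cd clientData
	if json.Unmarshal(as.ClientDataJSON, &cd) != nil || !rp.pending[cd.Challenge] {
		return errors.New("malformed client data or unknown/already-used challenge")
	}
	delete(rp.pending, cd.Challenge)
	if cd.Type != "webauthn.get" || cd.Origin != rp.Origin {
		return errors.New("wrong ceremony type or origin")
	}
	rpHash := sha256.Sum256([]byte(rp.ID))
	if len(as.AuthData) < 37 || string(as.AuthData[:32]) != string(rpHash[:]) || as.AuthData[32]&0x01 == 0 {
		return errors.New("rpIdHash mismatch or user-present flag not set")
	}
	pk, ok := rp.PubKeys[as.UserHandle]
	if !ok || !ecdsa.VerifyASN1(pk, signedDigest(as.AuthData, as.ClientDataJSON), as.Signature) {
		return errors.New("unknown user or bad signature")
	}
	return nil
}
```

The two failure paths are the point: a look-alike domain such as `examp1e.com` gets no assertion at all, because no key is scoped to it, and a replayed assertion fails because the server consumed the challenge the first time it saw it. The example deliberately does not rely on the signature counter, since a credential synced across devices through a keychain need not report a meaningful one.
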

Android

Murena, the Privacy-First Android Smartphone, Arrives (zdnet.com) 62

The /e/OS-powered Murena One is the first smartphone from Murena that does its best to free you from Google without sacrificing too many core features. There are no Google apps, Google Play Services, or even the Google Assistant. It's all been replaced by open-source software alternatives with privacy-respecting features. ZDNet's Steven Vaughan-Nichols reports: Murena and Mandrake Linux founder Gael Duval was sick of it by 2017. He wanted his data to be his data, and he wanted open-source software. Almost five years later, Duval and his co-developers launched the Murena One X2. It's the first high-end Android phone using the open-source /e/OS Android fork to arrive on the market. The privacy heart of the Murena One is /e/OS V1. There have been many attempts to create an alternative to Google-based Android and Apple's iOS -- Ubuntu One, FirefoxOS, and Windows Mobile -- but all failed. Duval's approach isn't to reinvent the mobile operating system wheel, but to clean up Android of its squeaky Google privacy-invading features and replace them with privacy-respecting ones. To make this happen, Duval started with LineageOS -- an Android-based operating system, which is descended from the failed CyanogenMod Android fork. It also blends in features from the Android Open Source Project (AOSP) source-code trees.

In the /e/OS, most (but not all) Google services have been removed and replaced with MicroG services. MicroG replaces Google's libraries with purely open-source implementations without hooks to Google's services. This includes libraries and apps which provide Google Play, Maps, Geolocation, and Messaging services for Android applications. In addition, /e/OS does its best to free you from higher-level Google services. For instance, Google's default search engine has been replaced with Murena's own meta-search engine. Other internet-based services, such as Domain Name Server (DNS) and Network Time Protocol (NTP), use non-Google servers. Above the operating system, you'll find Google-free applications. This includes a web browser; an e-mail client; a messaging app; a calendar; a contact manager; and a maps app that relies on Mozilla Location Service and OpenStreetMap. While it's not here yet, Murena is also working on its own take on Google Assistant, Elivia-AI. You can also run many, but not all Android apps. You'll find these apps on the operating system's App Lounge. [...]

There's still one big problem: the App Lounge still relies on you logging in with your Google account. In short, the App Lounge is mainly a gateway to Google Store apps. Murena assures me that the Lounge anonymizes your data -- except if you use apps that require payment. Still, this is annoying for people who want to cut all their ties with Google. The fundamental problem is this: Murena does all it can to separate its operating system and applications from Google, but it can't -- yet -- replace Google's e-commerce and software store system.
As for hardware specs, the $379 Murena One features a 6.5-inch IPS LCD display, eight-core MediaTek Helio P60 processor, side-mounted fingerprint scanner, three rear cameras (48MP + 8MP + 5MP) and 25MP front camera, and 4,500mAh battery. It also features a microSD card slot for expandable storage and headphone port.
Android

FairEmail Developer Calls It Quits After Google Falsely Flags App As Spyware (ghacks.net) 78

"The developer of the open source email client FairEmail pulled all of his applications from Google Play and announced that he would stop development," reports gHacks. The announcement comes shortly after the developer received an email from Google stating that they believed the app was spyware. From the report: FairEmail was a popular email client for Google's Android operating system that was free to use. It was privacy-friendly, had no limitations in regards to email accounts that users could set up in the app, supported unified inbox, conversation threading, two-way synchronizing, support for OpenPGP, and a lot more. Marcel Bokhorst, the developer of the application, announced major changes to the project yesterday on XDA Developers.

Earlier that week, Bokhorst received a policy violation email from Google stating that Google believed that the FairEmail application was spyware. The full statement has not been published, but Bokhorst believes that Google might have misinterpreted the use of favicons in the app. He resubmitted a new version of the application that had the use of favicons removed. The appeal he received as a response "resulted in a standard answer". While the content of the answer is unclear, it appears to have been a generic answer that Google Play Store developers have been frustrated with for a long time. Bokhorst decided to pull the application and all of his other applications from the Google Play Store. The apps won't be maintained and supported anymore according to the info.

Other factors played a role in Bokhorst's decision, including the discrepancy between answering thousands of support questions per month and the application's revenue, and the inability to do something against unfair reviews in the Google Play Store. He considered keeping the applications on GitHub, but this would result in a 98% loss of audience.
Google also recently forced Total Commander's developer to remove the ability to install APKs from the File Manager.

If you're looking for an alternative email client, gHacks recommends the open-source app K-9 Mail.
Cloud

WhatsApp Launches Cloud API To All Businesses Worldwide 7

An anonymous reader quotes a report from TechCrunch: WhatsApp is continuing its push into the business market with today's news it's launching the WhatsApp Cloud API to all businesses worldwide. Introduced into beta testing last November, the new developer tool is a cloud-based version of the WhatsApp Business API -- WhatsApp's first revenue-generating enterprise product -- but hosted on parent company Meta's infrastructure. The company had been building out its Business API platform over the past several years as one of the key ways the otherwise free messaging app would make money. Businesses pay WhatsApp on a per-message basis, with rates that vary based on the region and number of messages sent. As of late last year, tens of thousands of businesses were set up on the non-cloud-based version of the Business API including brands like Vodafone, Coppel, Sears Mexico, BMW, KLM Royal Dutch Airlines, Iberia Airlines, Itau Brazil, iFood, Bank Mandiri and others. This on-premise version of the API is free to use.

The cloud-based version, however, aims to attract a market of smaller businesses and reduces the integration time from weeks to only minutes, the company had said. It is also free. Businesses integrate the API with their back-end systems, where WhatsApp communication is usually just one part of their messaging and communication strategy. They may also want to direct their communications to SMS, other messaging apps, emails and more. Typically, businesses would work with a solutions provider like Zendesk or Twilio to help facilitate these integrations. Providers during the cloud API beta tests had included Zendesk in the U.S., Take in Brazil and MessageBird in the E.U.
"The best business experiences meet people where they are," said Meta CEO Mark Zuckerberg, during its "Conversations" live event today. "Already more than 1 billion users connect with a business account across our messaging services every week. They're reaching out for help, to find products and services, and to buy anything from big-ticket items to everyday goods. And today, I am excited to announce that we're opening WhatsApp to any business of any size around the world with WhatsApp Cloud API."

Meta also claims the Cloud API "will help partners to eliminate costly server expenses and help them provide customers with quick access to new features as they arrive," adds TechCrunch.
The Almighty Buck

GrubHub Was Getting 6,000 Orders A Minute During Its Promo Day, Overwhelming Restaurants (buzzfeednews.com) 54

A delivery app marketing campaign offering a "free lunch" -- aka a $15 promo code valid for three hours -- sent customers and restaurant workers alike into a spiral on Tuesday as thousands of orders jammed the system and disgruntled New Yorkers tweeted through their hunger pains. BuzzFeed News reports: GrubHub's New York City campaign on May 17 touted the physical and mental benefits of eating lunch, but yielded dozens of complaints, cancelled orders and service workers telling BuzzFeed News they were "exhausted" trying to keep up. GrubHub told BuzzFeed News that at times during the promotion that ran from 11 a.m. to 2 p.m. the app was averaging 6,000 orders per minute.

"It got overwhelming," said Brandon Ching, who was working the counter at Greenberg's Bagels, a popular sandwich spot in Bedford-Stuyvesant, Brooklyn. "We were short-staffed today so it really added extra stress to my day." And customers were frustrated at the delays. Ebenezer Ackon told BuzzFeed News he was in 3,630th place in line to talk to GrubHub's customer service when he gave up, after waiting more than an hour for food, and went to get something from across the street from his apartment. Blake, who didn't want to use his last name, said the small Brooklyn cafe he ordered from received 200 orders in five minutes as soon as the promo began, so they reluctantly had to cancel orders -- including his. [...] Customers may be frustrated about not getting a product they wanted, but for service industry workers it was a day of non-stop stress.

A spokesperson from GrubHub sent BuzzFeed News a statement following the fiasco: "It's clear, New Yorkers were hungry for lunch! While we knew 72% of New York workers call lunch the most important meal of the day, our free lunch promotion exceeded all expectations." Tuesday's campaign received six times more orders than a similar promo last year, they said. The company's statement mentioned that "initial demand temporarily overwhelmed" the app and served customers an error message that was "rectified so New Yorkers could enjoy their much-deserved lunch."

Medicine

Contact Lens That Can Release Drug Could Be Used To Treat Glaucoma (theguardian.com) 12

An anonymous reader quotes a report from The Guardian: Researchers in China revealed they have developed a contact lens that can sense an increase in pressure within the eye and release an anti-glaucoma drug should the pressure exceed a certain level. Writing in the journal Nature Communications, the team describe how they created the device using an upper and lower lens, with a snowflake-shaped pressure sensor and wireless power transfer device sandwiched between them around the rim of the lenses. The arrangement appears to give the effect of the wearer having golden irises. However, the team say the design allows the necessary components to be included in the device without blocking the wearer's view or irritating the eye.

When the pressure inside the eye increases, the gap between the upper and lower lenses decreases. This is detected by the pressure sensor by means of a cantilever. The sensor then sends a signal to the wireless system which subsequently triggers the release of an anti-glaucoma drug, from a hydrogel attached to an electrode, and enables it to cross the cornea of the eye. The drug, brimonidine, acts to reduce the pressure within the eye. The study reveals that the contact lenses have so far been tested on pigs' eyes and on the eyes of living rabbits -- albeit with smaller-sized lenses -- although trials have yet to be carried out in humans. The researchers note the lenses are not only soft and minimally invasive but are also battery-free, adding that the approach could be expanded to help tackle other eye diseases.
"We can now imagine that a glaucoma sufferer wearing these contact lenses will not only receive real-time information about the pressures within the eye, since the contact lens has built-in wireless capacity and can easily communicate with an app on your smartphone, but also receive, for example, pressure-relieving drugs when needed," said Prof Zubair Ahmed from the Institute of Inflammation and Aging at the University of Birmingham. "The materials required to create such contact lenses are inexpensive and soon could be mass-produced," he added.
Social Networks

Should Social Networks Let You Take Your Followers to Other Services? (msn.com) 75

The Washington Post reports on the "My Friends My Data" coalition, a group of start-up founders "working to push tech giants to adopt a new industry-wide standard that would allow users to transfer their followings from one app to another, thereby creating more competition between platforms." "Large social media companies are intentionally holding our personal contact information hostage," said Daniel Liss, founder and CEO of Dispo, a photography-based social network. "This limits consumer choice, stymies competition and inhibits free speech. We are committed to giving our community members control of their friend data...."

MFMD's founding members include a who's who of buzzy social apps like Dispo, Itsme, Clash App, Muze, Spam app and Collage, which together have received more than $100 million in venture funding and amassed tens of millions of downloads. The group has issued letters to Meta, TikTok, Snap, Twitter and other large social platforms calling on them to join their crusade. As the start-ups have found, competing with tech giants like Meta or YouTube is difficult when the top talent on the Internet is essentially locked in to specific platforms because of their inability to take followers elsewhere.

Many creators are already on board with MFMD's initiative. Some learned lessons about ownership the hard way after the fall of Vine. Many top Vine stars were overleveraged, investing all their energy in building out their following on the short-form video platform. When the app shuttered in 2016 those who hadn't used Vine to springboard to other apps like YouTube were left without access to the massive fandoms they had built....

[Liss] said that in addition to putting public pressure on the tech giants he hopes the MFMD can be a political force as well. "I'm very comfortable engaging in the political process on behalf of what we think is right," Liss said. "Not just for our companies but also for the next generation of consumer start-ups."

Eugene Park, a gaming Twitch streamer in Los Angeles with 300,000 followers, likes the idea of making followers transferable to other services, telling the Post it "would be taking power from the tech companies and putting it in the hands of creators who really make up these giant platforms."

In the meantime, the article points out, TikTok users "have taken to referring to other apps like Instagram and YouTube using 'algospeak' pseudonyms, because they say even uttering the name of a competitor can downrank your content."
Privacy

Anonymous Social Media App Yik Yak Exposed Users' Precise Locations (vice.com) 5

An anonymous reader quotes a report from Motherboard: The anonymous message board app Yik Yak is designed in a way that it is possible to get the precise location of a user's post, and see users' unique IDs, potentially allowing someone to dox and stalk users, according to a researcher. Yik Yak is an anonymous social media network popular primarily on college campuses. It was launched in 2013. The app shut down completely in 2017, after it was accused of being a platform used to harass and cyberbully students, and even to post bomb threats. These allegations have followed the app since its very beginning. In 2014, the company blocked access to middle school and high school students because of reports of threats of violence and bullying. The app came back last year, a comeback no one was really asking for, as my colleague Gita Jackson pointed out at the time. Yik Yak does have so-called "community guardrails" to "ensure everyone feels welcomed and stays safe." But students are still reporting the same old problems.

In April, David Teather, a computer science student, analyzed what kind of data Yik Yak exposes by intercepting data sent and received by his Yik Yak app using a free and open source tool called mitmproxy and by writing "code that pretended to be the Yik Yak app to extract information from it." By doing that, he realized that Yik Yak sent the precise GPS coordinates of every post to his app, as well as a user's unique ID -- nrCi213RA3SncY6mVLZzuGUIJ2T2 for example -- which could have allowed him to track users' posts by looking at where they posted over time, opening up the possibility to de-anonymize and stalk users, according to a blog post he published this week. Teather demonstrated the flaw in a video call to Motherboard, showing a post in his area, and its GPS coordinates.

After Teather alerted Yik Yak of this flaw on April 11, the company made some changes and pushed out new versions of the app on April 28, May 9, and May 10. Teather told Yik Yak that he was planning to publish his research on May 9, according to email correspondence that he shared with Motherboard. After Yik Yak pushed the new updated apps, the privacy issues are only partially fixed, according to Teather. Teather said that as of today, on the app's latest version, Yik Yak does not expose GPS locations, and the app doesn't display a user's unique ID when intercepting data the same way he did in April. But Teather told Motherboard that he is still able to recover both coordinates and user ID by analyzing the app's API from previous app versions. What's worse, the app now shows the distance, in feet, between a user and other users' posts, according to Teather and Zach Edwards, an independent privacy researcher who analyzed the Yik Yak app for Motherboard.
"Since the distance is in feet though it should be still possible to triangulate a particular user/post by changing your location until you can figure that out," Teather told Motherboard.

Edwards added: "you can still probably dox someone by merely spoofing your own location and recording the number of feet from the person posting."
EU

New EU Rules Would Require Chat Apps To Scan Private Messages for Child Abuse (theverge.com) 204

The European Commission has proposed controversial new regulation that would require chat apps like WhatsApp and Facebook Messenger to selectively scan users' private messages for child sexual abuse material (CSAM) and "grooming" behavior. The proposal is similar to plans mooted by Apple last year but, say critics, much more invasive. From a report: After a draft of the regulation leaked earlier this week, privacy experts condemned it in the strongest terms. "This document is the most terrifying thing I've ever seen," tweeted cryptography professor Matthew Green. "It describes the most sophisticated mass surveillance machinery ever deployed outside of China and the USSR. Not an exaggeration." Jan Penfrat of digital advocacy group European Digital Rights (EDRi) echoed the concern, saying, "This looks like a shameful general #surveillance law entirely unfitting for any free democracy." (A comparison of the PDFs shows differences between the leaked draft and final proposal are cosmetic only.) The regulation would establish a number of new obligations for "online service providers" -- a broad category that includes app stores, hosting companies, and any provider of "interpersonal communications service."
Google

Google Play Users In Russia Can No Longer Update Or Download Paid Apps (9to5google.com) 74

Back in March, Google halted Android app and subscription purchases in Russia due to sanctions. Google Play is now "blocking the downloading of paid apps and updates to paid apps in Russia starting May 5, 2022." 9to5Google reports: The company cites "compliance efforts" as being responsible for this latest policy. There are no changes to free applications as Google says in the Q&A of its support article on the matter: "Can I publish new apps or update existing apps during this pause? You can still publish new free apps, and update existing free apps. Updates to paid apps are blocked for compliance reasons."

Google has recommended developers defer payment renewals (which is possible for up to one year). Another given possibility for developers was making apps free or removing the paid subscription "during this pause." That was advised for applications that provide a "critical service to users that keeps them safe and provides access to information."

Privacy

Clearview AI Agrees To Limit Sales of Facial Recognition Data In the US (engadget.com) 14

An anonymous reader quotes a report from Engadget: Notorious facial recognition company Clearview AI has agreed to permanently halt sales of its massive biometric database to all private companies and individuals in the United States as part of a legal settlement with the American Civil Liberties Union, per court records. Monday's announcement marks the close of a two-year legal dispute brought by the ACLU and privacy advocate groups in May of 2020 against the company over allegations that it had violated BIPA, the 2008 Illinois Biometric Information Privacy Act. This act requires companies to obtain permission before harvesting a person's biometric information -- fingerprints, gait metrics, iris scans and faceprints for example -- and empowers users to sue the companies who do not.

In addition to the nationwide private party sales ban, Clearview will not offer any of its services to Illinois local and state law enforcement agencies (as well as all private parties) for the next five years. "This means that within Illinois, Clearview cannot take advantage of BIPA's exception for government contractors during that time," the ACLU points out, though Federal agencies, state and local law enforcement departments outside of Illinois will be unaffected. That's not all. Clearview must also end its free trial program for police officers, erect and maintain an opt-out page for Illinois residents, and spend $50,000 advertising it online. The settlement must still be approved by a federal judge before it takes effect.
"Fourteen years ago, the ACLU of Illinois led the effort to enact BIPA -- a groundbreaking statute to deal with the growing use of sensitive biometric information without any notice and without meaningful consent," Rebecca Glenberg, staff attorney for the ACLU of Illinois, said in a statement. "BIPA was intended to curb exactly the kind of broad-based surveillance that Clearview's app enables. Today's agreement begins to ensure that Clearview complies with the law. This should be a strong signal to other state legislatures to adopt similar statutes."
