A San Francisco jury ruled that Meta violated the California Invasion of Privacy Act by collecting sensitive data from users of the Flo period-tracking app without consent. "The plaintiff's lawyers who sued Meta are calling this a 'landmark' victory -- the tech company contends that the jury got it all wrong," reports SFGATE. From the report: The case goes back to 2021, when eight women sued Flo and a group of other tech companies, including Google and Facebook, now known as Meta. The stakes were extremely personal. Flo asked users about their sex lives, mental health and diets, and guided them through menstruation and pregnancy. Then, the women alleged, Flo shared pieces of that data with other companies. The claims were largely based on a 2019 Wall Street Journal story and a 2021 Federal Trade Commission investigation. Google, Flo and the analytics company Flurry, which was also part of the lawsuit, reached settlements with the plaintiffs, as is common in class action lawsuits about tech privacy. But Meta stuck it out through the entire trial and lost.

The case against Meta focused on its Facebook software development kit, which Flo added to its app and which is generally used for analytics and advertising services. The women alleged that between June 2016 and February 2019, Flo sent Facebook, through that kit, various records of "Custom App Events" -- such as a user clicking a particular button in the "wanting to get pregnant" section of the app. Their complaint also pointed to Facebook's terms for its business tools, which said the company used so-called "event data" to personalize ads and content.

In a 2022 filing (PDF), the tech giant admitted that Flo used Facebook's kit during this period and that the app sent data connected to "App Events." But Meta denied receiving intimate information about users' health. Nonetheless, the jury ruled (PDF) against Meta. Along with the eavesdropping decision, the group determined that Flo's users had a reasonable expectation they weren't being overheard or recorded, as well as ruling that Meta didn't have consent to eavesdrop or record. The unanimous verdict was that the massive company violated the California Invasion of Privacy Act. The jury's ruling could impact over 3.7 million U.S. users who registered between November 2016 and February 2019, with updates to be shared via email and a case website. The exact compensation from the trial or potential settlements remains uncertain.

In a report published Monday, Cloudflare accused Perplexity of deploying undeclared web crawlers that masquerade as regular Chrome browsers to access content from websites that have explicitly blocked its official bots. Since then, Perplexity has publicly and loudly announced that Cloudflare's claims are baseless and technically flawed. "This controversy reveals that Cloudflare's systems are fundamentally inadequate for distinguishing between legitimate AI assistants and actual threats," says Perplexity in a blog post. "If you can't tell a helpful digital assistant from a malicious scraper, then you probably shouldn't be making decisions about what constitutes legitimate web traffic."

Perplexity continues: "Technical errors in Cloudflare's analysis aren't just embarrassing -- they're disqualifying. When you misattribute millions of requests, publish completely inaccurate technical diagrams, and demonstrate a fundamental misunderstanding of how modern AI assistants work, you've forfeited any claim to expertise in this space."

AI startup Perplexity is deploying undeclared web crawlers that masquerade as regular Chrome browsers to access content from websites that have explicitly blocked its official bots, according to a Cloudflare report published Monday. When Perplexity's declared crawlers encounter robots.txt restrictions or network blocks, the company switches to a generic Mozilla user agent that impersonates "Chrome/124.0.0.0 Safari/537.36" running on macOS, the web infrastructure firm reported.

Cloudflare engineers tested the behavior by creating new domains with robots.txt files prohibiting all automated access. Despite the restrictions, Perplexity provided detailed information about the protected content when queried, while the stealth crawler generated 3-6 million daily requests across tens of thousands of domains. The undeclared crawler rotated through multiple IP addresses and network providers to evade detection.

Proton VPN reported a 1,400 percent hourly increase in signups over its baseline Friday — the day the UK's age verification law went into effect. For UK users, "apps with explicit content must now verify visitors' ages via methods such as facial recognition and banking info," notes Mashable: Proton VPN previously documented a 1,000 percent surge in new subscribers in June after Pornhub left France, its second-biggest market, amid the enactment of an age verification law there... A Proton VPN spokesperson told Mashable that it saw an increase in new subscribers right away at midnight Friday, then again at 9 a.m. BST. The company anticipates further surges over the weekend, they added. "This clearly shows that adults are concerned about the impact universal age verification laws will have on their privacy," the spokesperson said... Search interest for the term "Proton VPN" also saw a seven-day spike in the UK around 2 a.m. BST Friday, according to a Google Trends chart.
The Financial Times notes that VPN apps "made up half of the top 10 most popular free apps on the UK's App Store for iOS this weekend, according to Apple's rankings." Proton VPN leapfrogged ChatGPT to become the top free app in the UK, according to Apple's daily App Store charts, with similar services from developers Super Unlimited and Nord Security also rising over the weekend... Data from Google Trends also shows a significant increase in search queries for VPNs in the UK this weekend, with up to 10 times more people looking for VPNs at peak times...

"This is what happens when people who haven't got a clue about technology pass legislation," Anthony Rose, a UK-based tech entrepreneur who helped to create BBC iPlayer, the corporation's streaming service, said in a social media post. Rose said it took "less than five minutes to install a VPN" and that British people had become familiar with using them to access the iPlayer outside the UK. "That's the beauty of VPNs. You can be anywhere you like, and anytime a government comes up with stupid legislation like this, you just turn on your VPN and outwit them," he added...

Online platforms found in breach of the new UK rules face penalties of up to £18mn or 10 percent of global turnover, whichever is greater... However, opposition to the new rules has grown in recent days. A petition submitted through the UK parliament website demanding that the Online Safety Act be repealed has attracted more than 270,000 signatures, with the vast majority submitted in the past week. Ministers must respond to a petition, and parliament has to consider its topic for a debate, if signatures surpass 100,000.
X, Reddit and TikTok have also "introduced new 'age assurance' systems and controls for UK users," according to the article. But Mashable summarizes the situation succinctly.

"Initial research shows that VPNs make age verification laws in the U.S. and abroad tricky to enforce in practice."

Palmer Luckey, known for founding Oculus and defense-tech firm Anduril, is now eyeing U.S.-manufactured laptops as his next venture. While past American laptops have largely relied on foreign components, Luckey is exploring the possibility of building a fully "Made in USA" device that meets strict FTC standards -- though doing so may cost a premium. Tom's Hardware reports: ["Would you buy a Made In America computer from Anduril for 20% more than Chinese-manufactured options from Apple?" asked Luckey in a post on X.] Luckey previously asked the same question at the Reindustrialize Summit, a conference whose website said it was devoted to "convening the brightest and most motivated minds at the intersection of technology and manufacturing," which shared a clip of Luckey discussing the subject, wherein he talks about the extensive research he has already done around building a PC in the U.S. Luckey wouldn't be the first to make a laptop in the U.S. (PCMag collected a list of domestic PCs, including laptops, in 2021.) But those products use components sourced from elsewhere; they're assembled in the U.S. rather than manufactured there.

That distinction matters, according to the Made in USA Standard published by the Federal Trade Commission. To quote: "For a product to be called Made in USA, or claimed to be of domestic origin without qualifications or limits on the claim, the product must be 'all or virtually all' made in the U.S. [which] means that the final assembly or processing of the product occurs in the United States, all significant processing that goes into the product occurs in the United States, and all or virtually all ingredients or components of the product are made and sourced in the United States. That is, the product should contain no -- or negligible -- foreign content." How much more would you be willing to pay for a laptop that was truly made in America?

Google users click on fewer website links when the search engine displays AI-generated summaries at the top of results pages, according to new research from the Pew Research Center. The study analyzed browsing data from 900 U.S. adults and found users clicked on traditional search result links during 8% of visits when an AI summary appeared, compared to 15% of visits without summaries.

Users also rarely clicked on sources cited within the AI summaries themselves, doing so in just 1% of visits. The research found that 58% of respondents conducted at least one Google search in March 2025 that produced an AI summary, and users were more likely to end their browsing session entirely after encountering pages with AI summaries compared to traditional search results.

Alaska Airlines and Horizon Air grounded all flights Sunday night due to a major IT outage, prompting a system-wide FAA ground stop that lasted until early Monday. Although operations have since resumed, passengers are still facing delays and residual disruptions. Gizmodo reports: The airline requested a system-wide ground stop from federal aviation authorities at about 11 p.m. ET on Sunday night. That stop remained in effect until around 2 a.m. ET Monday, when the Federal Aviation Administration confirmed it had been lifted. But disruptions didn't end there. Alaska warned passengers to brace for likely delays throughout the day. [...] The FAA's website listed the stop as applying to all Alaska Airlines aircraft. Gizmodo notes that the incident comes nearly a year after the massive 2024 CrowdStrike crash, which has become known as the largest IT outage in history. "The July 2024 outage brought down an estimated 8.5 million Microsoft Windows systems running CrowdStrike's Falcon Sensor software, disrupting everything from hospitals and airports to broadcast networks."

"There's no word yet from Alaska on whether the outage ties into a broader software problem, but the timing, almost exactly a year after the CrowdStrike crash, isn't going unnoticed on social media, with users wondering if the events are related."

Microsoft will stop using China-based engineers to support U.S. military cloud services after a ProPublica report revealed their involvement, prompting backlash from Senator Tom Cotton and a two-week Pentagon review ordered by Defense Secretary Pete Hegseth. In response, Hegseth announced an immediate ban on any Chinese involvement in Department of Defense cloud contracts. Reuters reports: The report detailed Microsoft's use of Chinese engineers to work on U.S. military cloud computing systems under the supervision of U.S. "digital escorts" hired through subcontractors who have security clearances but often lacked the technical skills to assess whether the work of the Chinese engineers posed a cybersecurity threat. [Microsoft] told ProPublica it disclosed its practices to the U.S. government during an authorization process.

On Friday, Microsoft spokesperson Frank Shaw said on social media website X the company changed how it supports U.S. government customers "in response to concerns raised earlier this week ... to assure that no China-based engineering teams are providing technical assistance" for services used by the Pentagon.

Dictionary.com abruptly deleted all user accounts and saved word lists from its premium apps without notice or refunds, leaving long-time logophiles "devastated." "The company deleted all accounts, as well as the only ways to use Dictionary.com without seeing ads -- even if you previously paid for an ad-free experience," reports Ars Technica. From the report: Dictionary.com offers a free dictionary through its website and free Android and iOS apps. It used to offer paid-for mobile apps, called Dictionary.com Pro, that let users set up accounts, use the app without ads, and enabled other features (like grammar tips and science and rhyming dictionaries) that are gone now. Dictionary.com's premium apps also let people download an offline dictionary (its free apps used to let you buy a downloadable dictionary as a one-time purchase), but offline the dictionaries aren't available anymore.

About a year ago, claims of Dictionary.com's apps being buggy surfaced online. We also found at least one person claiming that they were unable to buy an ad-free upgrade at that time. Reports of Dictionary.com accounts being deleted and the apps not working as expected, and with much of its content removed, started appearing online about two months ago. Users reported being unable to log in and access premium features, like saved words. Soon after, Dictionary.com's premium apps were removed from Google Play and Apple's App Store. The premium version was available for download for $6 as recently as March 23, per the Internet Archive's Wayback Machine.

VPN provider BulletVPN has shut down its servers with immediate effect, leaving subscribers without service regardless of their subscription terms. The company announced the closure on its website, citing "shifts in market demand, evolving technology requirements, and sustainability of operations."

Users with active subscriptions can receive a free six-month subscription to competitor Windscribe, "along with discounted long-term plans." Windscribe clarified it has not acquired BulletVPN or assumed control of its operations, and no user data including email addresses or account information was shared between the companies.

Lucid Motors set a Guinness World Record for the longest journey by an electric car on a single charge, covering a distance of 749 miles (about 1,205 km), reports New Atlas. "In doing so, Lucid broke the 1,045-km (649-mile) record previously achieved by the Mercedes-Benz EQS450+ in June 2025 by the Japanese car website www.webcg.net/articles/-/52268webCG." The electric vehicle covered this journey between St. Moritz, Switzerland, and Munich, Germany, traveling through highways, secondary roads, and alpine roads — all without a single halt for charging. Given that the vehicle has a 960-km (596-mile) WLTP range, my guess is that the test team must have made good use of favorable road and weather conditions to make the feat possible. With a net elevation decrease of just over 1,310 m (about 4,300 ft) throughout the drive, the EV most certainly benefited from regenerative braking, a rather useful feature that turns downhill momentum back into battery power. Lucid has yet to release official data like average speed or total drive time, but what is apparent is that this was not a high-speed dash but rather a well-planned route to achieve one impressive result...

The Air Grand Touring has two all-wheel drive electric motors with a combined system output of 611 kW (819 horsepower) and 1,200 Nm (885 lb.ft) of torque. Power is provided by an NMC battery, which has a gross energy capacity of 117 kWh (112 kWh usable). Best of all, it can go from 0-60 mph in just three seconds flat... For reference, the almost half-priced BMW i4 and jazzy Porsche Taycan offer less than half the WLTP range of the Lucid Air GT. So, it's not like there's a head-to-head competition out there. Lucid is miles ahead in its class (pun intended!)

Starting at US$112,650, the Air Grand Touring is among the most luxurious sedans on the market right now. But as you can see, it comes at a price. Still, knowing that there is technology to conquer range anxiety is comforting. It might take a while, but there's no reason why we can't expect such range figures from reasonably priced EVs in the near future.

An anonymous reader shares a report: This week has seen the shortest days of the year so far. According to data from the U.S. Naval Observatory and the International Earth Rotation and Reference Systems Service, Tuesday's rotation was about 1.34 milliseconds less than 24 hours. More quick spins are expected this week, later this month and in early August, according to predictions from the website Time and Date.

This isn't completely out of the ordinary: Our world's spins have been faster than usual lately. The average day has mostly shortened over the past decade, and within the past five years or so, the full rotation has clocked in at a hair less than 24 hours more often than not. Factors driving the change include movements at Earth's core, atmospheric changes and the moon's position.

But long-term trends do not suggest that the days will shorten in perpetuity. In fact, it is just the opposite. For many millenniums, the days have been growing longer. A Tyrannosaurus rex that lived 70 million years ago would have experienced an average daily rotation of about 23 1/2 hours, studies have found.

Dubai-based airline Emirates is partnering with Crypto.com to integrate Bitcoin payments into the airliner's payment systems and add NFT collectibles on the company's websites for trading. The airline is also hiring staff to support its blockchain, crypto, and metaverse ambitions, positioning itself at the forefront of digital transformation in aviation.

"NFTs and metaverse are two different applications and approaches," explained Emirates Chief Operating Officer Adel Ahmed Al-Redha, adding that the airline will also seek to use the blockchain in tracing records of aircraft. "With the metaverse, you will be able to transform your whole processes -- whether it is in operation, training, sales on the website, or complete experience -- into a metaverse type application, but more importantly making it interactive."

The official integration of crypto payments is expected to take place next year, according to the announcement.

Over 240 browser extensions with nearly a million total installs have been covertly turning users' browsers into web-scraping bots. "The extensions serve a wide range of purposes, including managing bookmarks and clipboards, boosting speaker volumes, and generating random numbers," reports Ars Technica. "The common thread among all of them: They incorporate MellowTel-js, an open source JavaScript library that allows developers to monetize their extensions." Ars Technica reports: Some of the data swept up in the collection free-for-all included surveillance videos hosted on Nest, tax returns, billing invoices, business documents, and presentation slides posted to, or hosted on, Microsoft OneDrive and Intuit.com, vehicle identification numbers of recently bought automobiles along with the names and addresses of the buyers, patient names and the doctors they saw, travel itineraries hosted on Priceline, Booking.com, and airline websites, Facebook Messenger attachments and Facebook photos, even when the photos were set to be private. The dragnet also collected proprietary information belonging to Tesla, Blue Origin, Amgen, Merck, Pfizer, Roche, and dozens of other companies.

Tuckner said in an email Wednesday that the most recent status of the affected extensions is:

- Of 45 known Chrome extensions, 12 are now inactive. Some of the extensions were removed for malware explicitly. Others have removed the library.
- Of 129 Edge extensions incorporating the library, eight are now inactive.
- Of 71 affected Firefox extensions, two are now inactive.

Some of the inactive extensions were removed for malware explicitly. Others have removed the library in more recent updates. A complete list of extensions found by Tuckner is here.

An anonymous reader quotes a report from Wired: If you want a job at McDonald's today, there's a good chance you'll have to talk to Olivia. Olivia is not, in fact, a human being, but instead an AI chatbot that screens applicants, asks for their contact information and resume, directs them to a personality test, and occasionally makes them "go insane" by repeatedly misunderstanding their most basic questions. Until last week, the platform that runs the Olivia chatbot, built by artificial intelligence software firm Paradox.ai, also suffered from absurdly basic security flaws. As a result, virtually any hacker could have accessed the records of every chat Olivia had ever had with McDonald's applicants -- including all the personal information they shared in those conversations -- with tricks as straightforward as guessing the username and password "123456."

On Wednesday, security researchers Ian Carroll and Sam Curryrevealedthat they found simple methods to hack into the backend of the AI chatbot platform on McHire.com, McDonald's website that many of its franchisees use to handle job applications. Carroll and Curry, hackers with along track record of independent security testing, discovered that simple web-based vulnerabilities -- including guessing one laughably weak password -- allowed them to access a Paradox.ai account and query the company's databases that held every McHire user's chats with Olivia. The data appears to include as many as 64 million records, including applicants' names, email addresses, and phone numbers.

Carroll says he only discovered that appalling lack of security around applicants' information because he was intrigued by McDonald's decision to subject potential new hires to an AI chatbot screener and personality test. "I just thought it was pretty uniquely dystopian compared to a normal hiring process, right? And that's what made me want to look into it more," says Carroll. "So I started applying for a job, and then after 30 minutes, we had full access to virtually every application that's ever been made to McDonald's going back years." Paradox.ai confirmed the security findings, acknowledging that only a small portion of the accessed records contained personal data. The company stated that the weak-password account ("123456") was only accessed by the researchers and no one else. To prevent future issues, Paradox is launching a bug bounty program. "We do not take this matter lightly, even though it was resolved swiftly and effectively," Paradox.ai's chief legal officer, Stephanie King, told WIRED in an interview. "We own this."

In a statement to WIRED, McDonald's agreed that Paradox.ai was to blame. "We're disappointed by this unacceptable vulnerability from a third-party provider, Paradox.ai. As soon as we learned of the issue, we mandated Paradox.ai to remediate the issue immediately, and it was resolved on the same day it was reported to us," the statement reads. "We take our commitment to cyber security seriously and will continue to hold our third-party providers accountable to meeting our standards of data protection."

Apple displayed a full-screen ad for "F1 The Movie" in its TV app that linked directly to a web browser for ticket purchases without showing warning screens that the company requires other developers to include when directing users outside their apps.

The "Buy Tickets" button sent users to the F1 movie website in their default browser without confirmation dialogs or interstitial warnings. Apple mandates that third-party developers show scare sheets when linking out of apps to sell digital content, but considers movie tickets a "real-world experience" exempt from its In-App Purchase system.

Further reading: iPhone Customers Upset By Apple Wallet Ad Pushing F1 Movie.

An anonymous reader shares a report: Google has ended tests of a feature that would have let users open a snapshot of cooking-recipe content directly in web search results -- a welcome development for creators and food bloggers who were concerned about eroding traffic to their sites.

In recent months, Alphabet-owned Google has tested Recipe Quick View, which showed some food bloggers' content in search. The company framed the feature as an attempt to help users determine whether they are interested in a recipe before visiting a website. But some bloggers said they feared that the product would keep users from clicking through to their sites, depriving them of traffic and ad revenue.

Google on Tuesday confirmed it ended the trial.

Let's Encrypt, a certificate authority (CA) known for its free TLS/SSL certificates, has begun issuing digital certificates for IP addresses. From a report: It's not the first CA to do so. PositiveSSL, Sectigo, and GeoTrust all offer TLS/SSL certificates for use with IP addresses, at prices ranging from $40 to $90 or so annually. But Let's Encrypt does so at no cost.

For those with a static IP address who want to host a website, an IP address certificate provides a way to offer visitors a secure connection with that numeric identifier while avoiding the nominal expense of a domain name.

"Slashdot regularly posts milestones on CO2 levels reported by the Mauna Loa Observatory," writes longtime Slashdot reader symbolset, pointing to a new article highlighting how the Trump administration's proposed budget would eliminate funding for the lab's carbon dioxide monitoring. "Continuous observation records since 1958 will end with the new federal budget as ocean and atmospheric sciences are defunded." From a report: [I]t's the Mauna Loa laboratory that is the most prominent target of the President Donald Trump's climate ire, as measurements that began there in 1958 have steadily shown CO2's upward march as human activities have emitted more and more of the planet-warming gas each year. The curve produced by the Mauna Loa measurements is one of the most iconic charts in modern science, known as the Keeling Curve, after Charles David Keeling, who was the researcher who painstakingly collected the data. His son, Ralph Keeling, a professor at the Scripps Institution of Oceanography at UC San Diego, now oversees collecting and updating that data.

Today, the Keeling Curve measurements are made possible by the National Oceanic and Atmospheric administration, but the data gathering and maintenance of the historical record also is funded by Schmidt Sciences and Earth Networks, according to the Keeling Curve website. In the event of a NOAA shut down of the lab, Scripps could seek alternate sources of funding to host the instruments atop the same peak or introduce a discontinuity in the record by moving the instruments elsewhere in Hawaii.

The proposal to shut down Mauna Loa had been made public previously but was spelled out in more detail on Monday when NOAA submitted a budget document (PDF) to Congress. It made more clear that the Trump administration envisions eliminating all climate-related research work at NOAA, as had been proposed in Project 2025, the conservative blueprint for overhauling the government. It would do this in large part by cutting NOAA's Office of Oceanic and Atmospheric Research entirely, including some labs that are also involved in improving weather forecasting. NOAA has long been one of the world's top climate science agencies, but the administration would steer it instead towards being more focused on operational weather forecasting and warning responsibilities.

Cloudflare today announced a "Pay Per Crawl" program that allows website owners to charge AI companies for accessing their content, a potential revenue stream for publishers whose work is increasingly being scraped to train AI models. The system uses HTTP response code 402 to enable content creators to set per-request prices across their sites. Publishers can choose to allow free access, require payment at a configured rate, or block crawlers entirely.

When an AI crawler requests paid content, it either presents payment intent via request headers for successful access or receives a "402 Payment Required" response with pricing information. Cloudflare acts as the merchant of record and handles the underlying technical infrastructure. The company aggregates billing events, charges crawlers, and distributes earnings to publishers.

Alongside Pay Per Crawl, Cloudflare has switched to blocking AI crawlers by default for its customers, becoming the first major internet infrastructure provider to require explicit permission for AI access. The company handles traffic for 20% of the web and more than one million customers have already activated its AI-blocking tools since their September 2024 launch, it wrote in a blog post.