Government

10 Years After Snowden's First Leak, What Have We Learned? (theregister.com)

An anonymous reader quotes a report from The Register: The world got a first glimpse into the US government's far-reaching surveillance of American citizens' communications -- namely, their Verizon telephone calls -- 10 years ago this week when Edward Snowden's initial leaks hit the press. [...] In the decade since then, "reformers have made real progress advancing the bipartisan notion that Americans' liberty and security are not mutually exclusive," [US Senator Ron Wyden (D-OR)] said. "That has delivered tangible results: in 2015 Congress ended bulk collection of Americans' phone records by passing the USA Freedom Act." This bill sought to end the daily snooping into Americans' phone calls by forcing telcos to collect the records and make the Feds apply for the information.

That same month, a federal appeals court unanimously ruled that the NSA's phone-records surveillance program was unlawful. The American Civil Liberties Union (ACLU) and the New York Civil Liberties Union sued to end the secret phone spying program, which had been approved by the Foreign Intelligence Surveillance Court, just days after Snowden disclosed its existence. "Once it was pushed out into open court, and the court was able to hear from two sides and not just one, the court held that the program was illegal," Ben Wizner, director of the ACLU Speech, Privacy and Technology project, told The Register. The Freedom Act also required the federal government to declassify and release "significant" opinions of the Foreign Intelligence Surveillance Court (FISC), and authorized the appointment of independent amici -- friends of the court intended to provide an outside perspective. The FISC was established in 1978 under the FISA -- the legislative instrument that allows warrantless snooping. And prior to the Freedom Act, this top-secret court only heard the government's perspective on things, like why the FBI and NSA should be allowed to scoop up private communications.

"To its credit, the government has engaged in reforms, and there's more transparency now that, on the one hand, has helped build back some trust that was lost, but also has made it easier to shine a light on surveillance misconduct that has happened since then," Jake Laperruque, deputy director of the Center for Democracy and Technology's Security and Surveillance Project, told The Register. Wyden also pointed to the sunsetting of the "deeply flawed surveillance law," Section 215 of the Patriot Act, as another win for privacy and civil liberties. That law expired in March 2020 after Congress did not reauthorize it. "For years, the government relied on Section 215 of the USA Patriot Act to conduct a dragnet surveillance program that collected billions of phone records (Call Detail Records or CDR) documenting who a person called and for how long they called them -- more than enough information for analysts to infer very personal details about a person, including who they have relationships with, and the private nature of those relationships," Electronic Frontier Foundation's Matthew Guariglia, Cindy Cohn and Andrew Crocker said.
James Clapper, the former US Director of National Intelligence, "stated publicly that the Snowden disclosures accelerated by seven years the adoption of commercial encryption," Wizner said. "At the individual level, and at the corporate level, we are more secure."

"And at the corporate level, what the Snowden revelations taught big tech was that even as the government was knocking on the front door, with legal orders to turn over customer data, it was breaking in the backdoor," Wizner added. "Government was hacking those companies, finding the few points in their global networks where data passed unencrypted, and siphoning it off." "If you ask the government -- if you caught them in a room, and they were talking off the record -- they would say the biggest impact for us from the Snowden disclosures is that it made big tech companies less cooperative," he continued. "I regard that as a feature, not a bug."

The real issue that the Snowden leaks revealed is that America's "ordinary system of checks and balances doesn't work very well for secret national security programs," Wizner said. "Ten years have gone by," since the first Snowden disclosures, "and we don't know what other kinds of rights-violating activities have been taking place in secret, and I don't trust our traditional oversight systems, courts and the Congress, to ferret those out," Wizner said. "When you're dealing with secret programs in a democracy, it almost always requires insiders who are willing to risk their livelihoods and their freedom to bring the information to the public."
Security

Microsoft Says Clop Ransomware Gang Is Behind MOVEit Mass-Hacks (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: Security researchers have linked to the notorious Clop ransomware gang a new wave of mass-hacks targeting a popular file transfer tool, as the first victims of the attacks begin to come forward. It was revealed last week that hackers are exploiting a newly discovered vulnerability in MOVEit Transfer, a file-transfer tool widely used by enterprises to share large files over the internet. The vulnerability allows hackers to gain unauthorized access to an affected MOVEit server's database. Progress Software, which develops the MOVEit software, has already released some patches. Over the weekend, the first victims of the attacks began to come forward.

Zellis, a U.K.-based human resources software maker and payroll provider, confirmed in a statement that its MOVEit system was compromised, with the incident affecting a "small number" of its corporate customers. One of those customers is U.K. airline giant British Airways, which told TechCrunch that the breach included the payroll data of all of its U.K.-based employees. [...] The U.K.'s BBC also confirmed it was affected by the incident affecting Zellis. [...] The government of Nova Scotia, which uses MOVEit to share files across departments, said in a statement that some citizens' personal information may have been compromised. The Nova Scotia government said it took its affected system offline, and is working to determine "exactly what information was stolen, and how many people have been impacted."

It was initially unclear who was behind this new wave of hacks, but Microsoft security researchers are attributing the cyberattacks to a group it tracks as "Lace Tempest." This gang is a known affiliate of the Russia-linked Clop ransomware group, which was previously linked to mass attacks exploiting flaws in Fortra's GoAnywhere file transfer tool and Accellion's file transfer application. Microsoft researchers said that the exploitation of the MOVEit vulnerability is often followed by data exfiltration. Mandiant isn't yet making the same attribution as Microsoft, but noted in a blog post over the weekend that there are "notable" similarities between a newly created threat cluster it's calling UNC4857, which has as-yet "unknown motivations," and FIN11, a well-established ransomware group known to operate Clop ransomware. "Ongoing analysis of emerging activity may provide additional insights," Mandiant said.
"It's likely many more victims of the MOVEit breach will come to light over the next few days," adds TechCrunch.

"Shodan, a search engine for publicly exposed devices and databases, showed that more than 2,500 MOVEit Transfer servers were discoverable on the internet."
Google

Google To Pay $8 Million Settlement For 'Lying To Texans,' State AG Says (arstechnica.com)

Google has agreed to an $8 million settlement with Texas over deceptive ads for its Pixel 4 smartphone, in which radio DJs were hired to provide testimonials without being given the phone to use. Texas Attorney General Ken Paxton made the announcement last week. Ars Technica reports: At issue was Google's trustworthiness as an advertiser after the tech giant "hired radio DJs to record and broadcast detailed testimonials about their personal experiences with the Pixel 4," but then "refused to provide the DJs with a phone for them to use," Paxton said. The tech giant had previously settled claims from the Federal Trade Commission and six other states for approximately $9 million, and Paxton seemed proud that his "settlement recovers $8 million for the State of Texas alone."

Paxton said that "if Google is going to advertise in Texas, their statements better be true." He decided to take action to hold Google "accountable for lying to Texans for financial gain," saying that large companies should not expect "special treatment under the law." "Texas will do whatever it takes to protect our citizens and our state economy from corporations' false and misleading advertisements," Paxton said.

The Almighty Buck

Opponents to a US Digital Dollar Include Several US Presidential Hopefuls (msn.com)

In the U.S., at least three early candidates for president from both parties "want to make it clear they would not support any proposals for a central bank-backed digital US dollar," reports Bloomberg — which may be a little premature, because "A central bank digital currency, or CBDC, is far from reality in the U.S." Some officials at the Federal Reserve have expressed doubt over the need for one, especially for use by everyday Americans. The Fed has also said it would want approval from Congress before moving forward with a digital dollar. But that hasn't stopped the relatively niche issue from emerging as a flash point for individuals eyeing a presidential run.

The idea of a digital dollar has already faced backlash from Wall Street and other banks, because lenders are worried about it acting as a direct competitor to private bank deposits. Digital-asset companies like Circle Internet Financial LLC that issue stablecoins — a form of cryptocurrency traditionally tied to reserve assets like the US dollar or gold and that offers similar features to a retail digital dollar — have also pushed back against certain CBDCs. Circle's Head of Global Policy Dante Disparte said he'd be opposed to a digital dollar if it allows the Fed to control users' access to funds, compromises privacy or disrupts a two-tiered banking and payments system. "I've gone as far as saying that's the version that is un-American," he said in an interview. In a report published last year in response to a Federal Reserve discussion paper, Circle also warned that a digital dollar could "destabilize" the banking sector.

In Congress, Republicans on Capitol Hill have introduced legislation to ban such direct-to-consumer CBDCs, saying they could be used by the federal government to surveil US citizens.

Proponents of a CBDC have argued that it could offer real benefits, including making payments — especially cross-border payments — faster and ensuring the dollar's dominance in the global economy. It could be particularly useful for settling certain financial-market transactions, such as interbank transfers, some Fed officials have said. The government has also indicated it would prefer to have private-sector intermediaries offer accounts and facilitate CBDC payments, rather than taking on that role itself. Supporters have argued it can be tailored in a way to protect consumer privacy, which the Fed has also said is critical if it decides to move forward.

Bloomberg also summarized the analysis of one political consultant specializing in cryptocurrency. "In addition to the potential appeal to libertarian voters and to constituents in banking and crypto, pushing back against a U.S. digital dollar can provide a relatively safe avenue for candidates to attract votes from conspiracy theorists who have rallied around the anti-CBDC movement."
Power

New York's First Offshore Wind Farms To Launch This Year

New York will launch the nation's first major offshore wind farms later this year off of Long Island. CBS News reports: Long Island winds, strong and consistent, will power New York's first offshore wind farm, and its first power cable has made landfall. Snaking 60 miles, by year's end it will connect 12 wind turbines being built 35 miles east of Montauk, ushering in clean energy to 70,000 homes. It's the biggest dive into offshore wind in the nation -- a first of many. It's named South Fork. It will be the first of five wind farms in the works, with four to five more to come. [...] New York's first five wind farms will power 2.5 million homes within five years. Its goal is to produce all electricity with zero emissions by 2040.

"Right now, Long Island is powered about 80% by fossil fuels. And when we go to 2040 it will be 0% for New York. Offshore wind will probably provide 25% of the state's electricity within the next 10 to 15 years. So it's a massive, renewable clean source of energy at affordable prices. And it's located right near where all the electricity demand is," CEO of LIPA Tom Falcone said. "We need to transition downstate from fossil fuels to renewables. And that's a great challenge for New York, because we can't really build anything on the land because there isn't land. So we have to share the ocean," said Adrienne Esposito from Citizens Campaign for the Environment.
Businesses

First Citizens To Acquire Silicon Valley Bank (techcrunch.com)

First Citizens has agreed to buy a $72 billion chunk of Silicon Valley Bridge Bank, the California lender formerly known as Silicon Valley Bank that was taken over by the FDIC two weeks ago after depositors, in a crisis of confidence, made a run on it. SVB served as lifeblood to thousands of startups before its collapse, the biggest in U.S. banking in years, sent shockwaves through the financial sector. From a report: Seventeen former branches of Silicon Valley Bank will open as First Citizens Bank later today, the FDIC said. The U.S. Federal Deposit Insurance Corporation said in a statement that it estimates the failure will cost its Deposit Insurance Fund about $20 billion. It will provide an exact figure when the deal and FDIC receivership conclude. There is significant money at stake here, but with depositors and confidence continuing to be shaky, it's taken weeks to get a deal done and each passing day has arguably devalued the assets a little bit. The FDIC has previously run two unsuccessful auction processes for Silicon Valley Bridge Bank, as it had to modify what it was selling, including breaking up the assets. This deal with First Citizens includes the purchase of deposits and loans, worth about $72 billion, at a discount of $16.5 billion.
IT

Gartner Predicts 'Digital Immune Systems' and Virtual Metaverse Workspaces (forbes.com)

Gartner, the prestigious tech research and consulting firm, has released its annual predictions for "strategic tech trends" in the coming year.

Forbes offers a summary. Some highlights: Digital Immune Systems. [A]ntiquated development and testing approaches are no longer sufficient for delivering robust and resilient business-critical solutions that also provide a superior user experience. A Digital Immune System combines several software engineering strategies such as observability, automation, and extreme testing to enhance the customer experience by protecting against operational and security risks. By 2025, Gartner predicts that organizations that invest in building digital immunity will increase end-user satisfaction through applications that achieve greater uptime and deliver a stronger user experience.

Applied Observability. The path to data-driven decision making includes a shift from monitoring and reacting to data to proactively applying that data in an orchestrated and integrated way across the enterprise. Doing so can shorten the time it takes to reach critical decisions while also facilitating faster, more accurate planning. Gartner notes observable data as an organization's "most precious monetizable asset" and encourages leaders to seek use cases and business capabilities in which this data can deliver competitive advantage.

"By 2025, Gartner predicts that 50% of CIOs will have performance metrics tied to the sustainability of the IT organization," Forbes writes. But they also note that Gartner is predicting platform engineering — "a curated set of reusable self-service tools, capabilities, and processes" to speed up and optimize development. "Gartner predicts that by 2026, 80% of software engineering organizations will establish platform teams."

They're also predicting "adaptive" AI that can change after being deployed. But Forbes summarizes Gartner's related prediction, that AI leaders "increasingly must bake governance, trustworthiness, fairness, reliability, efficacy and privacy into AI operations" to improve adoption and user acceptance. This will include tools that "make AI models easier to interpret and explain while improving overall privacy and security."

PC Magazine offers this summary of a related prediction from Gartner: "By 2025, without sustainable AI practices, AI will consume more energy than the average European country, offsetting any environmental gains that AI creates by 25%."

Gartner also predicts a phasing out of marketing that uses social media sites' data about individuals — and that fully virtual workspaces "will account for 30% of the investment growth in metaverse technologies and will 'reimagine' the office experience through 2027," writes PC Magazine: [Gartner Fellow Daryl Plummer] said people need to reimagine how work will be done. He said that few people want to go back to the office full-time, but that virtual participants in calls often feel like second-class citizens. A fully immersive world is an answer to this, he said, with the interactive experience more important than information exchange. He believes metaverse experiences will be where people collaborate in ways they couldn't do in the office, blurring the line between home and work.

By 2025, "labor volatility" will cause 40% of organizations to report a material business loss, forcing a shift in talent strategy from acquisition to resilience. Plummer talked about revamping the way talent is valued. He said people don't want to do just one thing, but want to be "versatilists," which makes them more valuable to the company and less likely to leave.

Privacy

France Fines Clearview AI Maximum Possible For GDPR Breaches (techcrunch.com)

Clearview AI, the controversial facial recognition firm that scrapes selfies and other personal data off the Internet without consent to feed an AI-powered identity-matching service it sells to law enforcement and others, has been hit with another fine in Europe. From a report: This one comes after it failed to respond to an order last year from the CNIL, France's privacy watchdog, to stop its unlawful processing of French citizens' information and delete their data. Clearview responded to that order by, well, ghosting the regulator -- thereby adding a third GDPR breach (non-cooperation with the regulator) to its earlier tally.

Here's the CNIL's summary of Clearview's breaches:
Unlawful processing of personal data (breach of Article 6 of the GDPR)
Individuals' rights not respected (Articles 12, 15 and 17 of the GDPR)
Lack of cooperation with the CNIL (Article 31 of the RGPD)

"Clearview AI had two months to comply with the injunctions formulated in the formal notice and to justify them to the CNIL. However, it did not provide any response to this formal notice," the CNIL wrote in a press release today announcing the sanction [emphasis its].
The size of the fine is $19.57 million.
Communications

Elon Musk Activates Starlink For Iranian Citizens (teslarati.com)

Elon Musk announced that he was activating Starlink in response to U.S. Secretary of State Antony Blinken's tweet announcing the issuing of a General License to provide the Iranian people with access to digital communications. Teslarati reports: Currently, in Iran, massive protests are happening as a result of the death of 22-year-old Mahsa Amini, who was detained by the morality police for her head scarf not being properly worn. Although she had no known heart-related health problems, the police said she suddenly died of heart failure. Eyewitnesses said that she was beaten and her head hit the side of a police car. This along with leaked medical scans suggested cerebral hemorrhage and stroke. In response to her death, there have been several large-scale protests across Iran that received international support from world leaders, celebrities, and organizations.

The Iranian government sided with the morality police and has been suppressing the protests, shooting protestors with metal pellets and birdshot, and deploying tear gas and water cannons. The government also blocked access to many apps including Instagram and WhatsApp and limited internet access to prevent protestors from organizing. This is where Starlink comes in. A few days ago, Elon Musk said that Starlink would seek exemption from Iranian sanctions. This was in response to @Erfankasraie who asked if Elon could provide Starlink to the Iranian people. "It could be a game changer for the future." Elon also responded, "OK," to @agusantonetti who asked if he could do the same for other countries under a dictatorship such as Cuba.
Further reading: As Unrest Grows, Iran Restricts Access To Instagram, WhatsApp
Security

'Tough To Forge' Digital Driver's License is Easy To Forge (arstechnica.com)

An anonymous reader shares a report: In late 2019, the government of New South Wales in Australia rolled out digital driver's licenses. The new licenses allowed people to use their iPhone or Android device to show proof of identity and age during roadside police checks or at bars, stores, hotels, and other venues. ServiceNSW, as the government body is usually referred to, promised it would "provide additional levels of security and protection against identity fraud, compared to the plastic [driver's license]" citizens had used for decades.

Now, 30 months later, security researchers have shown that it's trivial for just about anyone to forge fake identities using the digital driver's licenses, or DDLs. The technique allows people under drinking age to change their date of birth and for fraudsters to forge fake identities. The process takes well under an hour, doesn't require any special hardware or expensive software, and will generate fake IDs that pass inspection using the electronic verification system used by police and participating venues. All of this, despite assurances that security was a key priority for the newly created DDL system. "To be clear, we do believe that if the Digital Driver's Licence was improved by implementing a more secure design, then the above statement made on behalf of ServiceNSW would indeed be true, and we would agree that the Digital Driver's Licence would provide additional levels of security against fraud compared to the plastic driver's licence," Noah Farmer, the researcher who identified the flaws, wrote in a post published last week.

Privacy

Spyware and Pegasus: How Democracies Spy on Their Citizens (newyorker.com)

Writing for the New Yorker, Ronan Farrow reports on Pegasus, "a spyware technology designed by NSO Group, an Israeli firm, which can extract the contents of a phone, giving access to its texts and photographs, or activate its camera and microphone to provide real-time surveillance — exposing, say, confidential meetings." Pegasus is useful for law enforcement seeking criminals, or for authoritarians looking to quash dissent.... In Catalonia, more than sixty phones — owned by Catalan politicians, lawyers, and activists in Spain and across Europe — have been targeted using Pegasus. This is the largest forensically documented cluster of such attacks and infections on record. Among the victims are three members of the European Parliament... Catalan politicians believe that the likely perpetrators of the hacking campaign are Spanish officials, and the Citizen Lab's analysis suggests that the Spanish government has used Pegasus....

In recent years, investigations by the Citizen Lab and Amnesty International have revealed the presence of Pegasus on the phones of politicians, activists, and dissidents under repressive regimes. An analysis by Forensic Architecture, a research group at the University of London, has linked Pegasus to three hundred acts of physical violence. It has been used to target members of Rwanda's opposition party and journalists exposing corruption in El Salvador. In Mexico, it appeared on the phones of several people close to the reporter Javier Valdez Cárdenas, who was murdered after investigating drug cartels. Around the time that Prince Mohammed bin Salman of Saudi Arabia approved the murder of the journalist Jamal Khashoggi, a longtime critic, Pegasus was allegedly used to monitor phones belonging to Khashoggi's associates, possibly facilitating the killing, in 2018. (Bin Salman has denied involvement, and NSO said, in a statement, "Our technology was not associated in any way with the heinous murder.") Further reporting through a collaboration of news outlets known as the Pegasus Project has reinforced the links between NSO Group and anti-democratic states.

But there is evidence that Pegasus is being used in at least forty-five countries, and it and similar tools have been purchased by law-enforcement agencies in the United States and across Europe. Cristin Flynn Goodwin, a Microsoft executive who has led the company's efforts to fight spyware, told me, "The big, dirty secret is that governments are buying this stuff — not just authoritarian governments but all types of governments...." "Almost all governments in Europe are using our tools," Shalev Hulio, NSO Group's C.E.O., told me. A former senior Israeli intelligence official added, "NSO has a monopoly in Europe." German, Polish, and Hungarian authorities have admitted to using Pegasus. Belgian law enforcement uses it, too, though it won't admit it.

Calling the spyware industry "largely unregulated and increasingly controversial," the article notes how it's now impacting major western democracies. "The Citizen Lab's researchers concluded that, on July 26 and 27, 2020, Pegasus was used to infect a device connected to the network at 10 Downing Street, the office of Boris Johnson, the Prime Minister of the United Kingdom.... The United States has been both a consumer and a victim of this technology. Although the National Security Agency and the C.I.A. have their own surveillance technology, other government offices, including in the military and in the Department of Justice, have bought spyware from private companies, according to people involved in those transactions."

But are the company's fortunes faltering? The company has been valued at more than a billion dollars. But now it is contending with debt, battling an array of corporate backers, and, according to industry observers, faltering in its long-standing efforts to sell its products to U.S. law enforcement, in part through an American branch, Westbridge Technologies. It also faces numerous lawsuits in many countries, brought by Meta (formerly Facebook), by Apple, and by individuals who have been hacked by NSO....

In November, the [U.S.] Commerce Department added NSO Group, along with several other spyware makers, to a list of entities blocked from purchasing technology from American companies without a license. I was with Hulio in New York the next day. NSO could no longer legally buy Windows operating systems, iPhones, Amazon cloud servers — the kinds of products it uses to run its business and build its spyware.

Bitcoin

Ethereum Dev Imprisoned For Helping North Korea Evade Sanctions (bleepingcomputer.com)

Virgil Griffith, a US cryptocurrency expert, was sentenced on Tuesday to 63 months in prison after pleading guilty to assisting the Democratic People's Republic of Korea (DPRK) with technical info on how to evade sanctions. BleepingComputer reports: The sanctions imposed by the International Emergency Economic Powers Act (IEEPA) and Executive Order 13466 forbid the export of any goods, services, or technology to the DPRK without a Department of the Treasury license issued by the Office of Foreign Assets Control (OFAC). Griffith, who worked as a special projects developer and research scientist for the Ethereum Foundation, was arrested in November 2019 by the FBI following a presentation in North Korea on how the country could use cryptocurrency and blockchain tech (i.e., smart contracts) to launder money and evade sanctions.

Despite being denied permission by the US Department of State, Griffith went to the North Korean conference knowing that doing so without a license from the OFAC would violate US sanctions against the DPRK. According to court documents, the cryptocurrency expert asked to receive his travel visa on a separate paper and not on his US passport, likely to avoid creating physical evidence of his travel to North Korea.

At the DPRK Cryptocurrency Conference, "Griffith and his co-conspirators also answered specific questions about blockchain and cryptocurrency technologies for the DPRK audience, including individuals whom Griffith understood worked for the North Korean government." DOJ said today. He also tried recruiting "other US citizens to travel to North Korea and provide similar services to DPRK persons and attempted to broker introductions for the DPRK to other cryptocurrency and blockchain service providers." During the DPRK Cryptocurrency Conference, he also talked about how North Korea could use cryptocurrency to gain financial independence from the global banking system.

EU

US, EU Reach Preliminary Deal on Data Privacy (wsj.com)

The U.S. and the European Union reached a preliminary deal to allow data about Europeans to be stored on U.S. soil, heading off a growing threat to thousands of companies' trans-Atlantic operations. From a report: The deal, announced Friday by President Biden and European Commission President Ursula von der Leyen, could if concluded resolve one of the thorniest outstanding issues between the two economic giants. It also assuages concerns of companies including Meta and Alphabet's Google that were facing mounting legal challenges to data transfers that underpin some of their operations in Europe. An earlier deal regulating trans-Atlantic data flows was deemed illegal by the EU's top court in 2020. That ruling was the second time since 2015 that the EU's Court of Justice had deemed U.S. safeguards on Europeans' data to be insufficient. The court said the U.S. didn't provide EU citizens effective means to challenge U.S. government surveillance of their data. Mr. Biden and Ms. von der Leyen didn't provide details of how the new agreement would work and withstand legal challenges. At issue in the talks has been whether the U.S. could convince the EU -- and its top court -- with new administrative appeals mechanisms for Europeans, but without a change to U.S. law, which would require approval by Congress, people briefed on the talks have said in recent months. Officials and observers on both sides of the Atlantic expect any new agreement to be challenged in court again, raising uncertainty about how long Friday's deal will last.
EU

France's Privacy Watchdog Latest To Find Google Analytics Breaches GDPR (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: Use of Google Analytics has now been found to breach European Union privacy laws in France -- after a similar decision was reached in Austria last month. The French data protection watchdog, the CNIL, said today that an unnamed local website's use of Google Analytics is non-compliant with the bloc's General Data Protection Regulation (GDPR) -- breaching Article 44 which covers personal data transfers outside the bloc to so-called third countries which are not considered to have essentially equivalent privacy protections. The U.S. fails this critical equivalence test on account of having sweeping surveillance laws which do not provide non-U.S. citizens with any way to know whether their data is being acquired, how it's being used or to seek redress for any misuse.

France's CNIL has been investigating one of 101 complaints filed by European privacy advocacy group, noyb, back in August 2020 -- after the bloc's top court invalidated the EU-U.S. Privacy Shield agreement on data transfers. Since then (indeed, long before) the legality of transatlantic transfers of personal data has been clouded in uncertainty. While it has taken EU regulators some time to act on illegal data transfers -- despite an immediate warning from the European Data Protection Board of no grace period in the wake of the July 2020 CJEU ruling (aka 'Schrems II') -- decisions are now finally starting to flow. Including another by the European Data Protection Supervisor last month, also involving Google Analytics. In France, the CNIL has ordered the website which was the target of one of noyb's complaints to comply with the GDPR -- and "if necessary, to stop using this service under the current conditions" -- giving it a deadline of one month to comply.

"[A]lthough Google has adopted additional measures to regulate data transfers in the context of the Google Analytics functionality, these are not sufficient to exclude the accessibility of this data for U.S. intelligence services," the CNIL writes in a press release announcing the decision. "There is therefore a risk for French website users who use this service and whose data is exported." The CNIL does leave open the door to continued use of Google Analytics -- but only with substantial changes that would ensure only "anonymous statistical data" gets transferred. The French regulator is also very emphatic that under "current conditions" use of Google Analytics is non-compliant -- and may therefore need to cease in order for the site in question to comply with the GDPR. The CNIL also suggests use of an alternative analytics tool which does not involve a transfer outside the EU to end the breach. Additionally, it says it's launched an evaluation program to determine which website audience measurement and analysis services may be exempt from the need to obtain user consent (i.e. because they only produce anonymous statistical data which can be exported legally under GDPR). Which suggests the CNIL could issue guidance in future that recommends GDPR compliant alternatives to Google Analytics.

Government

Not Just the IRS - 20 US Agencies Are Already Set Up For Selfie IDs (wired.com) 70

America's Internal Revenue Service created an uproar with early plans to require live-video-feed selfies to verify identities for online tax services (via an outside company called ID.me).

But Wired points out that more than 20 U.S. federal agencies are already using a digital identification system (named Login.gov and built on services from LexisNexis) that "can use selfies for account verification."

It's run by America's General Services Administration, or GSA.... The GSA's director of technology transformation services Dave Zvenyach says facial recognition is being tested for fairness and accessibility and not yet used when people access government services through Login.gov. The GSA's administrator said last year that 30 million citizens have Login.gov accounts and that it expects the number to grow significantly as more agencies adopt the system.

"ID.me is supplying something many governments ask for and require companies to do," says Elizabeth Goodman, who previously worked on Login.gov and is now senior director of design at federal contractor A1M Solutions. Countries including the UK, New Zealand, and Denmark use similar processes to ID.me's to establish digital identities used to access government services. Many international security standards are broadly in line with those of the U.S., written by the National Institute of Standards and Technology (NIST).

Goodman says that such programs need to provide offline options such as visiting a post office for people unable or unwilling to use phone apps or internet services....

In fact, Wired argues that in many cases, a selfie or biometric data is virtually required by U.S. federal security guidelines from 2017: NIST's 2017 standard says that access to systems that can leak sensitive data or harm public programs should require verifying a person's identity by comparing them to a photo — either remotely or in person — or using biometrics such as a fingerprint scanner. It says that a remote check can be done either by video with a trained agent, or using software that checks for an ID's authenticity and the "liveness" of a person's photo or video.... California's Employment Development Department said that ID.me blocked more than 350,000 fraudulent claims in the last three months of 2020. But the state auditor said an estimated 20 percent of legitimate claimants were unable to verify their identities with ID.me.

Caitlin Seeley George, director of campaigns and operations with nonprofit Fight for the Future, says ID.me uses the specter of fraud to sell technology that locks out vulnerable people and creates a stockpile of highly sensitive data that itself will be targeted by criminals. ...

Apple

Apple is Sticking Taxpayers With Part of the Bill for Rollout of Tech Giant's Digital ID Card (cnbc.com) 122

Apple is making U.S. states foot part of the bill and provide customer support for its plan to turn iPhones into digital identification cards, according to confidential documents obtained by CNBC. From the report: The company requires states to maintain the systems needed to issue and service credentials, hire project managers to respond to Apple inquiries, prominently market the new feature and push for its adoption with other government agencies, all at taxpayer expense, according to contracts signed by four states. Apple announced in June that its users could soon store state-issued identification cards in the iPhone's Wallet app, billing it as a more secure and convenient way for customers to provide credentials in a variety of in-person and remote settings. The feature, when combined with Apple's biometric security measures like Face ID, could cut down on fraud.

But the move has brought questions from industry observers about why local authorities are ceding control of citizens' identities to a $2.46 trillion private corporation. Beyond that, the integration of identity into powerful mobile devices has drawn concern from privacy experts about the risk of dystopian scenarios involving surveillance. The contracts between Cupertino, California-based Apple and states including Georgia, Arizona, Kentucky and Oklahoma provide a rare glimpse into the dealings of the powerful company. Apple is known for its obsession with secrecy. It typically forces potential partners to sign non-disclosure agreements to prevent its documents from spilling into public view.

Medicine

Unsealed Emails Show How J&J Shaped Report On Talc's Links To Cancer (bloomberg.com) 88

An anonymous reader quotes a report from Bloomberg: Unsealed emails reveal the role baby-powder maker Johnson & Johnson played in a report that an industry group submitted to U.S. regulators deciding whether to keep warnings off talc-based products linked to cancer. The emails -- unsealed in the state of Mississippi's lawsuit against J&J over its refusal to add a safety warning -- show J&J and its talc supplier chose the scientists hired by their trade association, the Personal Care Products Council, to write the 2009 report assessing talc-based powders' health risks. They also show the researchers changed the final version of their report at the companies' behest. The U.S. Food and Drug Administration said it relied in part on the report in its decision to forgo a warning for the product.

The emails among executives of J&J and Rio Tinto Minerals, its supplier at the time, provide a behind-the-scenes glimpse of dealings between companies and their industry group that successfully fended off a cancer warning on talc-based powders for nearly 40 years. Now, almost 39,000 users and their families are suing J&J, most claiming their ovarian cancers and those of loved ones were linked to asbestos, the potent carcinogen in the products pulled from U.S. and Canadian shelves in May 2020. Dependence on industry data creates a situation that's ripe for lobbyists to exert pressure on the FDA. The unsealed emails pull back the curtain on how such efforts get launched, who pays for them, and who has a hand in delivering the final product to regulators.

While the practice of companies having a say in industry group submissions to the FDA isn't new or illegal, the emails reveal just how involved J&J got in a report meant to assess product safety -- down to selecting individual scientists to produce it and having them write an executive summary. J&J denied any wrongdoing in its decision not to acknowledge its input to the report that the PCPC lobbying group sent to the FDA. [...] FDA officials acknowledged they weighed the PCPC's response to the citizens' petitions demanding a warning for talc-based powders before finding there was "inconclusive evidence" the mineral caused ovarian and other forms of cancer. "The FDA reviewed and considered all of the information submitted to us in the two petitions, the comments received in response to the petitions, and additional scientific information," said Tara Rabin, a spokeswoman.

Power

Lebanon's National Electricity Grid Collapses (msn.com) 129

"Lebanon's electricity network collapsed on Saturday," reports the Washington Post, "after the two most important power stations ran out of fuel, leaving private generators as the only source of power." The state-owned electricity company has been providing citizens with just a few hours of power a day for months, but the total collapse of the national grid will compound the misery of those who can't afford to run generators and had relied on those few hours. The outage marks the latest milestone in the unraveling of Lebanon, which is undergoing what the World Bank has described as one of the world's three biggest financial collapses of the past 150 years.

The banking system was the first to implode in 2019, triggering a 90 percent slide in the value of the currency that has left the government unable to afford fuel, food and medicine imports while plunging millions of Lebanese into poverty. The electricity grid ground to a halt after the country's two main power stations, Deir Ammar and Zahrani, ran out of diesel fuel, leaving the nationwide network without the minimum amount of power required to sustain it, said Energy Minister Walid Fayyad.

The government is working to secure emergency fuel supplies from other sources, including the army, to bridge the shortfall until a shipment of Iraqi oil due to arrive Saturday night can be offloaded and distributed into the network. At most, he said, the total outage can be expected to last only a couple of days, and he hoped to find a stopgap solution faster. But the collapse is a reminder of the dire state of Lebanon's electricity sector, which has been unable to provide 24-hour power for decades. In recent months, its capacity has been further eroded by the lack of money and by corruption, with smugglers diverting state purchases of fuel to sell at a profit in neighboring Syria.

A recent deal struck with Iraq to supply 80,000 tons of fuel a month still falls short of the minimum amount required to ensure a stable grid and at most will be able to keep the power on for about four hours a day, Fayyad said.

Medicine

US Health Insurers Caught Negotiating Worse Rates Than For Those With No Insurance (nytimes.com) 240

In the U.S. healthcare system, "hospitals are charging patients wildly different amounts for the same basic services," reports the New York Times — citing an investigation into medical care costs at 60 major hospitals.

This year the U.S. government ordered hospitals to publish complete lists of the prices they negotiate with private insurers, "and it provides numerous examples of major health insurers — some of the world's largest companies, with billions in annual profits — negotiating surprisingly unfavorable rates for their customers." In fact America's government-run Medicare health insurance for senior citizens is negotiating much lower rates than the privately-insured patients are getting, the Times points out — sometimes paying just 10% of what the major health plans are paying.

"In many cases, insured patients are getting prices that are higher than they would if they pretended to have no coverage at all..." Until now, consumers had no way to know before they got the bill what prices they and their insurers would be paying. Some insurance companies have refused to provide the information when asked by patients and the employers that hired the companies to provide coverage. This secrecy has allowed hospitals to tell patients that they are getting "steep" discounts, while still charging them many times what a public program like Medicare is willing to pay. And it has left insurers with little incentive to negotiate well.

The peculiar economics of health insurance also help keep prices high. Customers judge insurance plans based on whether their preferred doctors and hospitals are covered, making it hard for an insurer to walk away from a bad deal. The insurer also may not have a strong motivation to, given that the more that is spent on care, the more an insurance company can earn. Federal regulations limit insurers' profits to a percentage of the amount they spend on care. And in some plans involving large employers, insurers are not even using their own money. The employers pay the medical bills, and give insurers a cut of the costs in exchange for administering the plan.

Censorship

As Cubans Protest, Government Cracks Down On Internet Access and Messaging Apps (nbcnews.com) 239

As Cubans take to the streets to protest against the government's mishandling of the economy and coronavirus health crisis, the country's government is turning to censorship to crack down on dissent. According to NBC News, the government "has taken steps to block citizens' use of the encrypted chat apps WhatsApp, Signal and Telegram." They've also shut off the internet. According to a case study from Top10VPN, Cuba went offline for 32 hours, which affected 7 million users and cost the country more than $13 million. NBC News reports: Widespread internet use in Cuba is still relatively new, and Cubans mostly reach the web through their smartphones. The country only has a single major internet provider, the national telecommunications company ETECSA. That means most Cubans have to rely on a single, centralized, government-affiliated hub, making government censorship substantially easier. NetBlocks, an internet monitoring nonprofit, said Monday that it had detected disruptions to multiple messaging apps through ETECSA's service. A number of messaging apps, including WhatsApp, Signal and Telegram, are all blocked in Cuba, said Arturo Filasto, the project lead at the Open Observatory of Network Interference (OONI).

OONI, an international nonprofit, relies on volunteers around the world to install a program that probes for which types of internet use are being censored and how. Its data showed that ETECSA began blocking WhatsApp on Sunday night, then Signal and Telegram on Monday. All three were still blocked on Tuesday, Filasto said. "We have never seen instant messaging apps being blocked in the country," he said. "It's sort of unprecedented that we would see such a heavy crackdown on the internet in Cuba." Marianne Diaz Hernandez, a fellow at the digital rights nonprofit Access Now, said some Cubans have reported that their specific SIM cards for their phones have been rendered useless, keeping them offline. And some virtual private networks have themselves been blocked, she said. Two major VPNs, Tor and Psiphon, appear to still work. While Cuba has deployed various censorship techniques in the past, this is the first time they have all been deployed at the same time, Hernandez said. "Since they have had internet, this is the largest blackout in history," she said.

On Tuesday, Gov. Ron DeSantis said he wants Florida companies to provide internet connection to residents in Cuba.

"What does the regime do when you start to see these images? They shut down the internet. They don't want the truth to be out, they don't want people to be able to communicate," said DeSantis during a roundtable with Republican lawmakers and members of the Cuban exile community in Miami. "And so one of the things I think we should be able to do with our private companies or with the United States is to provide some of that internet via satellite. We have companies on the Space Coast that launch these things," he added. DeSantis said he would make some calls to "see what are the options" to make it happen.
