Security

SEC: Financial Orgs Have 30 Days To Send Data Breach Notifications (bleepingcomputer.com)

An anonymous reader quotes a report from BleepingComputer: The Securities and Exchange Commission (SEC) has adopted amendments to Regulation S-P that require certain financial institutions to disclose data breach incidents to impacted individuals within 30 days of discovery. Regulation S-P was introduced in 2000 and controls how some financial entities must treat nonpublic personal information belonging to consumers. These rules include developing and implementing data protection policies, confidentiality and security assurances, and protecting against anticipated threats.

The new amendments (PDF) adopted earlier this week impact financial firms, such as broker-dealers (funding portals included), investment firms, registered investment advisers, and transfer agents. The modifications were initially proposed in March of last year to modernize and improve the protection of individual financial information from data breaches and exposure to non-affiliated parties.
Below is a summary of the introduced changes:

- Notify affected individuals within 30 days if their sensitive information is, or is likely to be, accessed or used without authorization, detailing the incident, breached data, and protective measures taken. Exemption applies if the information isn't expected to cause substantial harm or inconvenience to the exposed individuals.
- Develop, implement, and maintain written policies and procedures for an incident response program to detect, respond to, and recover from unauthorized access or use of customer information. This should include procedures to assess and contain security incidents, enforce policies, and oversee service providers.
- Expand safeguards and disposal rules to cover all nonpublic personal information, including that received from other financial institutions.
- Require documentation of compliance with safeguards and disposal rules, excluding funding portals.
- Align annual privacy notice delivery with the FAST Act, exempting certain conditions.
- Extend safeguards and disposal rules to transfer agents registered with the SEC or other regulatory agencies.

AI

Nurses Say Hospital Adoption of Half-Cooked 'AI' Is Reckless (techdirt.com)

An anonymous reader quotes a report from Techdirt: Last week, hundreds of nurses protested the implementation of sloppy AI into hospital systems in front of Kaiser Permanente. Their primary concern: that systems incapable of empathy are being integrated into an already dysfunctional sector without much thought toward patient care: "No computer, no AI can replace a human touch," said Amy Grewal, a registered nurse. "It cannot hold your loved one's hand. You cannot teach a computer how to have empathy."

There are certainly roles automation can play in easing strain on a sector full of burnout after COVID, particularly when it comes to administrative tasks. The concern, as with other industries dominated by executives with poor judgement, is that this is being used as a justification by for-profit hospital systems to cut corners further. From a National Nurses United blog post (spotted by 404 Media): "Nurses are not against scientific or technological advancement, but we will not accept algorithms replacing the expertise, experience, holistic, and hands-on approach we bring to patient care," they added.

Kaiser Permanente, for its part, insists it's simply leveraging "state-of-the-art tools and technologies that support our mission of providing high-quality, affordable health care to best meet our members' and patients' needs." The company claims its "Advance Alert" AI monitoring system -- which algorithmically analyzes patient data every hour -- has the potential to save upwards of 500 lives a year. The problem is that healthcare giants' primary obligation no longer appears to reside with patients, but with their financial results. And, that's even true in non-profit healthcare providers. That is seen in the form of cut corners, worse service, and an assault on already over-taxed labor via lower pay and higher workload (curiously, it never seems to impact outsized high-level executive compensation).

Facebook

Tens of Millions Secretly Use WhatsApp Despite Bans, Company Says

"Tens of millions" of people are using technical workarounds to secretly access WhatsApp in countries where it is banned, the messaging platform's boss has said. From a report: "You'd be surprised how many people have figured it out," Will Cathcart told BBC News. Like many Western apps, WhatsApp is banned in Iran and North Korea and, intermittently, in Syria. And last month, China joined the list of those banning users from accessing the secure platform. Other countries, including Qatar, Egypt, Jordan and the United Arab Emirates, restrict features such as voice calls.

But WhatsApp can see where its users truly are, thanks to their registered phone numbers. "We have a lot of anecdotal reports of people using WhatsApp and what we can do is look at some of the countries where we're seeing blocking and still see tens of millions of people connecting to WhatsApp," Mr Cathcart told BBC News. China ordered Apple to block Chinese iPhone users from downloading WhatsApp from the AppStore in April, a move Mr Cathcart calls "unfortunate" -- although the country was never a major market for the app. "That's a choice Apple has made," he said. "There aren't alternatives. I mean, that is really a situation where they've put themselves in the position to be able to truly stop something."

The Courts

Escobar Brother Barred by EU Court From Trademarking Family Name (bloomberg.com)

Pablo Escobar, the name of the late Colombian drug kingpin, can't be registered as a trademark in the European Union after judges said that approving his brother's bid would go against "principles of morality." From a report: The public "associate that name with drug trafficking and narco-terrorism and with the crimes and suffering resulting therefrom, rather than with his possible good deeds in favor of the poor in Colombia," the EU's General Court in Luxembourg said on Wednesday. Trademarking the name is "counter to the fundamental values and moral standards prevailing within Spanish society," the court said.

The Almighty Buck

Traders Are Betting Millions That Trump Media 'Meme Stock' Will Tumble (nytimes.com)

Many investors are lining up to bet on the collapse of former President Donald J. Trump's social media company, Trump Media & Technology Group Corp., which made its stock market debut last week under the ticker "DJT." The stock has been called the "mother of all meme stocks" since it is highly volatile and there are no fundamental underpinnings. It's being valued at roughly 1,600 times its annual revenue, at Wednesday's closing price. "By comparison, the stock of Facebook's owner trades at about eight times revenues, and Google's owner trades at six times," notes Fast Company. The New York Times reports: Trump Media is the most "shorted" special purpose acquisition vehicle in the country, according to the financial data company S3 Partners. Short-sellers bet that the price of a stock will fall. They do that by borrowing shares of a company and selling them into the market, hoping to buy them back later at a lower price, before returning the shares to the lender and pocketing the difference as profit. The demand to short Trump Media, the parent company of the social media platform Truth Social, is so great that stock lenders can charge enormous fees, making it hard for short-sellers to turn a profit unless the shares fall significantly. Still, there is a lot of interest in taking the bet. "They are looking for this stock to crater and crater very quickly," said Ihor Dusaniwsky, managing director of predictive analytics at S3. Last month, traders lost $126 million betting against Trump Media, according to S3.

On Monday, Trump Media published updated financial information, revealing little revenue, large losses and a statement from the company's independent auditor expressing "substantial doubt" about its financial viability. This appeared to galvanize investors betting against the company, as the stock slipped from its highs. But short-sellers are finding it difficult and costly to trade in Trump Media. There are roughly 137 million shares in the company, and only around five million of those are available to short-sellers. Mr. Trump owns about 60 percent of shares, and company executives also hold a chunk of the stock. Company insiders tend not to lend their shares to short-sellers. Big asset managers like BlackRock, Vanguard and State Street, which regularly lend out shares, are not major holders of Trump Media, further crimping the supply.

According to S3, 4.9 million of the roughly five million available shares are already on loan. As with any loan, when share owners lend their stock to a short-seller, they charge a fee, usually expressed as an annual interest rate on the stock's current value. Typically, the fee for borrowing stock is a fraction of a percentage point. For Trump Media, it has risen to 550 percent, Mr. Dusaniwsky said. Trump Media's stock currently trades at around $50. That means that shorting it for a month would cost more than $20 per share. For a short-seller to break even, the stock price would have to fall by almost half by early May.

There is another wrinkle, too. One large broker said much of the short trading was not an outright bet against Trump Media. Since the advent of meme-stock trading and the vilification of short-sellers that win only if popular companies lose, large investors are wary of making such trades. Instead, the current trade driving demand is designed to capture the difference between DJT's stock price and outstanding "warrants," which will give the owners the right to new stock at a fixed price as long as regulators approve the new shares. Partly because of that uncertainty, those warrants currently trade below $19, with a list of hedge funds as recent holders. Even after the high cost to borrow stock is accounted for, they are still able to profit from the $30 difference between existing stock and what the warrants are worth, assuming the warrants become registered as shares.

Ubuntu

Canonical Now Doing Manual Reviews For New Packages Due To Scam Apps (gamingonlinux.com)

An anonymous reader quotes a report from GamingOnLinux: After repeatedly suffering issues with scam apps making it onto the Snap Store, Canonical, maker of Ubuntu Linux, has now decided to manually look over submissions. I've covered the issues with the Snap Store a few times now, like on March 19th when ten scam crypto apps appeared, got taken down and then reappeared under a different publisher. Also, earlier back in February there was an issue where a user actually lost their wallet as a result of a fake app. Multiple fake apps were also put up back in October last year as well, so it was a repeating issue that really needed dealing with properly.

So to try and do something about it, Canonical's Holly Hall has posted on their Discourse forum about how "The Store team and other engineering teams within Canonical have been continuously monitoring new snaps that are being registered, to detect potentially malicious actors" and that they will now do manual reviews whenever people try to register "a new snap name." On top of that soon they will also be releasing a new policy regarding "crypto-wallet and other sensitive snaps" with "guidelines for how to publish such a snap." Currently all of this is not supposed to be long-term, as it's an evolving situation.

Government

US, UK Announce Sanctions Over China-Linked Election Hacks (pbs.org)

Earlier today, the U.S. and U.K. accused hackers linked to the Chinese state of being behind "malicious" cyber campaigns targeting political figures. The U.K. government also blamed China for a 2021 cyberattack that compromised the personal information of millions of U.K. voters. In response, PBS reports that the U.S. and British governments announced sanctions against a company and two people linked to the Chinese government. From the report: Officials said those sanctioned are responsible for a hack that may have gained access to information on tens of millions of U.K. voters held by the Electoral Commission, as well as for cyberespionage targeting lawmakers who have been outspoken about the China threat. The Foreign Office said the hack of the election registers "has not had an impact on electoral processes, has not affected the rights or access to the democratic process of any individual, nor has it affected electoral registration." The Electoral Commission said in August that it identified a breach of its system in October 2022, though it added that "hostile actors" had first been able to access its servers since 2021. At the time, the watchdog said the data included the names and addresses of registered voters. But it said that much of the information was already in the public domain.

In Washington, the Treasury Department said it sanctioned Wuhan Xiaoruizhi Science and Technology Company Ltd., which it calls a Chinese Ministry of State Security front company that has "served as cover for multiple malicious cyberoperations." It named two Chinese nationals, Zhao Guangzong and Ni Gaobin, affiliated with the Wuhan company, for cyberoperations that targeted U.S. critical infrastructure sectors, "directly endangering U.S. national security." Separately, British cybersecurity officials said that Chinese government-affiliated hackers "conducted reconnaissance activity" against British parliamentarians who are critical of Beijing in 2021. They said no parliamentary accounts were successfully compromised.

Three lawmakers, including former Conservative Party leader Iain Duncan Smith, told reporters Monday they have been "subjected to harassment, impersonation and attempted hacking from China for some time." Duncan Smith said in one example, hackers impersonating him used fake email addresses to write to his contacts. The politicians are members of the Inter-Parliamentary Alliance on China, an international pressure group focused on countering Beijing's growing influence and calling out alleged rights abuses by the Chinese government.

China

UK Blames China for Massive Breach of Voter Data (techcrunch.com)

The U.K. government has blamed China for a 2021 cyberattack that compromised the personal information of millions of U.K. voters. From a report: In a statement to lawmakers in Parliament on Monday, U.K. deputy prime minister Oliver Dowden attributed the 2021 data breach at the Electoral Commission to hackers working for the Chinese government. Dowden told lawmakers that the U.K. government "will not hesitate to take swift and robust actions wherever the Chinese government threatens the United Kingdom's interests."

It's the first time the United Kingdom has attributed the breach since the cyberattack was first disclosed in 2023. The Electoral Commission, which maintains copies of the U.K. register of citizens eligible to vote, said at the time hackers took the names and addresses of an estimated 40 million U.K. citizens, including those who were registered to vote between 2014 and 2022 and overseas voters. The data breach began as early as 2021 but wasn't detected until a year later. In a statement Monday, the U.K. National Cyber Security Centre (NCSC) said it is "highly likely" that the Chinese hackers accessed and exfiltrated emails and data from the electoral register during the hack.

Transportation

Truck-To-Truck Worm Could Infect Entire US Fleet (theregister.com)

Jessica Lyons reports via The Register: Vulnerabilities in common Electronic Logging Devices (ELDs) required in US commercial trucks could be present in over 14 million medium- and heavy-duty rigs, according to boffins at Colorado State University. In a paper presented at the 2024 Network and Distributed System Security Symposium, associate professor Jeremy Daily and systems engineering graduate students Jake Jepson and Rik Chatterjee demonstrated how ELDs can be accessed over Bluetooth or Wi-Fi connections to take control of a truck, manipulate data, and spread malware between vehicles. "These findings highlight an urgent need to improve the security posture in ELD systems," the trio wrote [PDF].

The authors did not specify brands or models of ELDs that are vulnerable to the security flaws they highlight in the paper. But they do note there's not too much diversity of products on the market. While there are some 880 devices registered, "only a few tens of distinct ELD models" have hit the road in commercial trucks. A federal mandate requires most heavy-duty trucks to be equipped with ELDs, which track driving hours. These systems also log data on engine operation, vehicle movement and distances driven -- but they aren't required to have tested safety controls built in. And according to the researchers, they can be wirelessly manipulated by another car on the road to, for example, force a truck to pull over.

The academics pointed out three vulnerabilities in ELDs. They used bench level testing systems for the demo, as well as additional testing on a moving 2014 Kenworth T270 Class 6 research truck equipped with a vulnerable ELD. [...] For one of the attacks, the boffins showed how anyone within wireless range could use the device's Wi-Fi and Bluetooth radios to send an arbitrary CAN message that could disrupt some of the vehicle's systems. A second attack scenario, which also required the attacker to be within wireless range, involved connecting to the device and uploading malicious firmware to manipulate data and vehicle operations. Finally, in what the authors described as the "most concerning" scenario, they uploaded a truck-to-truck worm. The worm uses the compromised device's Wi-Fi capabilities to search for other vulnerable ELDs nearby. After finding the right ELDs, the worm uses default credentials to establish a connection, drops its malicious code on the next ELD, overwrites existing firmware, and then starts the process over again, scanning for additional devices. "Such an attack could lead to widespread disruptions in commercial fleets, with severe safety and operational implications," the researchers warned.

Databases

Database For UK Nurse Registration 'Completely Unacceptable' (theregister.com)

Lindsay Clark reports via The Register: The UK Information Commissioner's Office has received a complaint detailing the mismanagement of personal data at the Nursing and Midwifery Council (NMC), the regulator that oversees worker registration. Employment as a nurse or midwife depends on enrollment with the NMC in the UK. According to whistleblower evidence seen by The Register, the databases on which the personal information is held lack rudimentary technical standards and practices. The NMC said its data was secure with a high level of quality, allowing it to fulfill its regulatory role, although it was on "a journey of improvement." But without basic documentation, or the primary keys or foreign keys common in database management, the Microsoft SQL Server databases -- holding information about 800,000 registered professionals -- are difficult to query and manage, making assurances on governance nearly impossible, the whistleblower told us.

The databases have no version control systems. Important fields for identifying individuals were used inconsistently -- for example, containing junk data, test data, or null data. Although the tech team used workarounds to compensate for the lack of basic technical standards, they were ad hoc and known by only a handful of individuals, creating business continuity risks should they leave the organization, according to the whistleblower. Despite having been warned of the issues of basic technical practice internally, the NMC failed to acknowledge the problems. Only after exhausting other avenues did the whistleblower raise concern externally with the ICO and The Register. The NMC stores sensitive data on behalf of the professionals that it registers, including gender, sexual orientation, gender identity, ethnicity and nationality, disability details, marital status, as well as other personal information.

The whistleblower's complaint claims the NMC falls well short of [the standards required under current UK law for data protection and the EU's General Data Protection Regulation (GDPR)]. The statement alleges that the NMC's "data management and data retrieval practices were completely unacceptable." "There is not even much by way of internal structure of the databases for self-documentation, such as primary keys, foreign keys (with a few honorable exceptions), check constraints and table constraints. Even fields that should not be null are nullable. This is frankly astonishing and not the practice of a mature, professional organization," the statement says. For example, the databases contain a unique ten-digit number (or PRN) to identify individuals registered to the NMC. However, the fields for PRNs sometimes contain individuals' names, start with a letter or other invalid data, or are simply null. The whistleblower's complaint says that the PRN problem, and other database design deficiencies, meant that it was nearly impossible to produce "accurate, correct, business critical reports ... because frankly no one knows where the correct data is to be found."
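
The schema defects described in the complaint (no primary keys, nullable identifier fields, a ten-digit PRN column that sometimes holds names, letters or nothing at all) can be made concrete. The following is an added example, not code from the NMC or from The Register's reporting: it uses Python's standard sqlite3 module to build an unconstrained table and a hardened one, runs a data-quality audit over constructed sample rows, and shows the hardened table rejecting the same bad rows at insert time. The table and column names, the sample rows and the hardened schema are assumptions for illustration only.

```python
import re
import sqlite3

# Constructed sample rows, modelled on the defects the complaint describes:
# a PRN should be a unique ten-digit number, but the field sometimes holds a
# name, starts with a letter, has the wrong length, or is simply null.
SAMPLE_ROWS = [
    ("0012345678", "A. Nurse"),
    ("0098765432", "B. Midwife"),
    (None, "C. Null"),               # null PRN
    ("A012345678", "D. Letter"),     # starts with a letter
    ("Jane Doe", "Jane Doe"),        # a name where the PRN should be
    ("12345", "E. Short"),           # wrong length
    ("0012345678", "F. Duplicate"),  # duplicate of the first PRN
]

# What a valid PRN looks like: exactly ten ASCII digits.
PRN_PATTERN = re.compile(r"[0-9]{10}")

# Unconstrained table (assumed): nullable identifier, no key, no check.
WEAK_SCHEMA = """
CREATE TABLE registrant_weak (
    prn  TEXT,
    name TEXT
);
"""

# Hardened table (assumed design, not the NMC's): the PRN is the primary key,
# so it cannot be duplicated; NOT NULL is stated explicitly because SQLite
# allows NULL in a TEXT primary key otherwise; the CHECK constraint rejects
# anything that is not exactly ten digits. All three are enforced on INSERT.
HARDENED_SCHEMA = """
CREATE TABLE registrant (
    prn  TEXT PRIMARY KEY NOT NULL
         CHECK (prn GLOB '[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'),
    name TEXT NOT NULL
);
"""


def load_weak(conn):
    """Create the unconstrained table and load every sample row; all are accepted."""
    conn.executescript(WEAK_SCHEMA)
    conn.executemany("INSERT INTO registrant_weak VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()


def audit_prns(conn):
    """Classify each row of the unconstrained table by the PRN defect it carries."""
    counts = {"valid": 0, "null": 0, "bad_format": 0, "duplicate": 0}
    seen = set()
    for prn, _name in conn.execute("SELECT prn, name FROM registrant_weak"):
        if prn is None:
            counts["null"] += 1
        elif not PRN_PATTERN.fullmatch(prn):
            counts["bad_format"] += 1
        elif prn in seen:
            counts["duplicate"] += 1
        else:
            seen.add(prn)
            counts["valid"] += 1
    return counts


def load_hardened(conn):
    """Insert the same rows into the constrained table; return (accepted, rejected)."""
    conn.executescript(HARDENED_SCHEMA)
    accepted, rejected = 0, []
    for prn, name in SAMPLE_ROWS:
        try:
            conn.execute("INSERT INTO registrant VALUES (?, ?)", (prn, name))
            accepted += 1
        except sqlite3.IntegrityError as exc:
            # NOT NULL, CHECK and UNIQUE violations all surface here; the
            # failed statement is rolled back and the loop continues.
            rejected.append((prn, str(exc)))
    conn.commit()
    return accepted, rejected


def run_demo():
    """Audit the weak table, then show the hardened table refusing the bad rows."""
    conn = sqlite3.connect(":memory:")
    load_weak(conn)
    audit = audit_prns(conn)
    accepted, rejected = load_hardened(conn)
    conn.close()
    return audit, accepted, rejected


if __name__ == "__main__":
    audit, accepted, rejected = run_demo()
    print("audit of unconstrained table:", audit)
    print(f"hardened table accepted {accepted} rows, rejected {len(rejected)}:")
    for prn, reason in rejected:
        print(f"  {prn!r}: {reason}")
```

The audit function is the kind of query a data-governance team would run to size the problem in an existing table; the hardened schema is what stops the problem recurring, since the database itself refuses a null, malformed or duplicate identifier instead of relying on ad hoc workarounds known to a few people.
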

A spokesperson for the NMC said the register was "organized and documented" in the SQL Server database. "For clarity, the register of all our nurses, midwives and nursing practitioners is held within Dynamics 365 which is our system of record. This solution and the data held within it, is secure and well documented. It does not rely on any SQL database. The SQL database referenced by the whistleblower relates to our data warehouse which we are in the process of modernizing as previously shared."

Science

Millions of Research Papers at Risk of Disappearing From the Internet (nature.com)

More than one-quarter of scholarly articles are not being properly archived and preserved, a study of more than seven million digital publications suggests. From a report: The findings, published in the Journal of Librarianship and Scholarly Communication on 24 January, indicate that systems to preserve papers online have failed to keep pace with the growth of research output. "Our entire epistemology of science and research relies on the chain of footnotes," explains author Martin Eve, a researcher in literature, technology and publishing at Birkbeck, University of London. "If you can't verify what someone else has said at some other point, you're just trusting to blind faith for artefacts that you can no longer read yourself."

Eve, who is also involved in research and development at digital-infrastructure organization Crossref, checked whether 7,438,037 works labelled with digital object identifiers (DOIs) are held in archives. DOIs -- which consist of a string of numbers, letters and symbols -- are unique fingerprints used to identify and link to specific publications, such as scholarly articles and official reports. Crossref is the largest DOI registration agency, allocating the identifiers to about 20,000 members, including publishers, museums and other institutions.

The sample of DOIs included in the study was made up of a random selection of up to 1,000 registered to each member organization. Twenty-eight percent of these works -- more than two million articles -- did not appear in a major digital archive, despite having an active DOI. Only 58% of the DOIs referenced works that had been stored in at least one archive. The other 14% were excluded from the study because they were published too recently, were not journal articles or did not have an identifiable source.

The Courts

Snapchat Isn't Liable For Connecting 12-Year-Old To Convicted Sex Offenders (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: A judge has dismissed (PDF) a complaint from a parent and guardian of a girl, now 15, who was sexually assaulted when she was 12 years old after Snapchat recommended that she connect with convicted sex offenders. According to the court filing, the abuse that the girl, C.O., experienced on Snapchat happened soon after she signed up for the app in 2019. Through its "Quick Add" feature, Snapchat "directed her" to connect with "a registered sex offender using the profile name JASONMORGAN5660." After a little more than a week on the app, C.O. was bombarded with inappropriate images and subjected to sextortion and threats before the adult user pressured her to meet up, then raped her. Cops arrested the adult user the next day, resulting in his incarceration, but his Snapchat account remained active for three years despite reports of harassment, the complaint alleged.

Two years later, at 14, C.O. connected with another convicted sex offender on Snapchat, a former police officer who offered to give C.O. a ride to school and then sexually assaulted her. The second offender is also currently incarcerated, the judge's opinion noted. The lawsuit painted a picture of Snapchat's ongoing neglect of minors it knows are being targeted by sexual predators. Prior to C.O.'s attacks, both adult users sent and requested sexually explicit photos, seemingly without the app detecting any child sexual abuse materials exchanged on the platform. C.O. had previously reported other adult accounts sending her photos of male genitals, but Snapchat allegedly "did nothing to block these individuals from sending her inappropriate photographs."

Among other complaints, C.O.'s lawsuit alleged that Snapchat's algorithm for its "Quick Add" feature was the problem. It allegedly recklessly works to detect when adult accounts are seeking to connect with young girls and, by design, sends more young girls their way -- continually directing sexual predators toward vulnerable targets. Snapchat is allegedly aware of these abuses and, therefore, should be held liable for harm caused to C.O., the lawsuit argued. Although C.O.'s case raised difficult questions, Judge Barbara Bellis ultimately agreed with Snapchat that Section 230 of the Communications Decency Act barred all claims and shielded Snap because "the allegations of this case fall squarely within the ambit of the immunity afforded to" platforms publishing third-party content. According to Bellis, C.O.'s family had "clearly alleged" that Snap had failed to design its recommendations systems to block young girls from receiving messages from sexual predators. Specifically, Section 230 immunity shields Snap from liability in this case because Bellis considered the messages exchanged to be third-party content. Snapchat designing its recommendation systems to deliver content is a protected activity, Bellis ruled.

Despite a seemingly conflicting ruling in Los Angeles that found that "Section 230 didn't protect Snapchat from liability for allegedly connecting teens with drug dealers," Bellis didn't appear to consider it persuasive. She did, however, critique Section 230's broad application, suggesting courts are limited without legislative changes, despite the morally challenging nature of some cases.

Bug

Firefly Software Snafu Sends Lockheed Satellite on Short-Lived Space Safari (theregister.com)

A software error on the part of Firefly Aerospace doomed Lockheed Martin's Electronic Steerable Antenna (ESA) demonstrator to a shorter-than-expected orbital life following a botched Alpha launch. From a report: According to Firefly's mission update, the error was in the Guidance, Navigation, and Control (GNC) software algorithm, preventing the system from sending the necessary pulse commands to the Reaction Control System (RCS) thrusters before the relight of the second stage. The result was that Lockheed's payload was left in the wrong orbit, and Firefly's engineers were left scratching their heads.

The launch on December 22, 2023 -- dubbed "Fly the Lightning" -- seemed to go well at first. It was the fourth for the Alpha, and after Firefly finally registered a successful launch a few months earlier in September, initial indications looked good. However, a burn of the second stage to circularize the orbit did not go to plan, and Lockheed's satellite was left in the wrong orbit, with little more than weeks remaining until it re-entered the atmosphere.

As it turned out, the Lockheed team completed their primary mission objectives. The payload was, after all, designed to demonstrate faster on-orbit sensor calibration. Just perhaps not quite that fast. Software issues aboard spacecraft are becoming depressingly commonplace. A recent example was the near disastrous first launch of Boeing's CST-100 Starliner, where iffy code could have led, in NASA parlance, to "spacecraft loss." In a recent interview with The Register, former Voyager scientist Garry Hunt questioned if the commercial spaceflight sector of today would take the same approach to quality as the boffins of the past.

United States

No 'GPT' Trademark For OpenAI (techcrunch.com)

The U.S. Patent and Trademark Office has denied OpenAI's attempt to trademark "GPT," ruling that the term is "merely descriptive" and therefore unable to be registered. From a report: [...] The name, according to the USPTO, doesn't meet the standards to register for a trademark and the protections a "TM" after the name affords. (Incidentally, they refused once back in October, and this is a "FINAL" in all caps denial of the application.) As the denial document puts it: "Registration is refused because the applied-for mark merely describes a feature, function, or characteristic of applicant's goods and services."

OpenAI argued that it had popularized the term GPT, which stands in this case for "generative pre-trained transformer," describing the nature of the machine learning model. It's generative because it produces new (ish) material, pre-trained in that it is a large model trained centrally on a proprietary database, and transformer is the name of a particular method of building AIs (discovered by Google researchers in 2017) that allows for much larger models to be trained. But the patent office pointed out that GPT was already in use in numerous other contexts and by other companies in related ones.

The Courts

AMC To Pay $8 Million For Allegedly Sharing Subscribers' Viewing History With Tech Companies (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: On Thursday, AMC notified subscribers of a proposed $8.3 million settlement that provides awards to an estimated 6 million subscribers of its six streaming services: AMC+, Shudder, Acorn TV, ALLBLK, SundanceNow, and HIDIVE. The settlement comes in response to allegations that AMC illegally shared subscribers' viewing history with tech companies like Google, Facebook, and X (aka Twitter) in violation of the Video Privacy Protection Act (VPPA). Passed in 1988, the VPPA prohibits AMC and other video service providers from sharing "information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider." It was originally passed to protect individuals' right to private viewing habits, after a journalist published the mostly unrevealing video rental history of a judge, Robert Bork, who had been nominated to the Supreme Court by Ronald Reagan.

The so-called "Bork Tapes" revealed little -- other than that the judge frequently rented spy thrillers and British costume dramas -- but lawmakers recognized that speech could be chilled by monitoring anyone's viewing habits. While the law was born in the era of Blockbuster Video, subscribers suing AMC wrote in their amended complaint (PDF) that "the importance of legislation like the VPPA in the modern era of datamining is more pronounced than ever before." According to subscribers suing, AMC allegedly installed tracking technologies -- including the Meta Pixel, the X Tracking Pixel, and Google Tracking Technology -- on its website, allowing their personally identifying information to be connected with their viewing history. [...]

If it's approved, AMC has agreed to "suspend, remove, or modify operation of the Meta Pixel and other Third-Party Tracking Technologies so that use of such technologies on AMC Services will not result in AMC's disclosure to the third-party technology companies of the specific video content requested or obtained by a specific individual." All registered users of AMC services who "requested or obtained video content on at least one of the six AMC services" between January 18, 2021, and January 10, 2024, are currently eligible to submit claims under the proposed settlement. The deadline to submit is April 9. In addition to distributing the $8.3 million settlement fund among class members, subscribers will also receive a free one-week digital subscription.

Crime

WhatsApp Image Sender Becomes First Convicted Cyber-Flasher (bbc.com) 24

A registered sex offender has become the first person in England and Wales to be convicted of cyber-flashing. The BBC reports: Nicholas Hawkes, 39, of Basildon, Essex, sent unsolicited photos of his erect penis to a 15-year-old girl and a woman on Friday. The woman took screenshots of the image on WhatsApp and reported Hawkes to Essex Police the same day. Hawkes admitted two charges when he appeared before magistrates in Southend earlier. He is the first person to be convicted of the new offense of cyber-flashing, which was brought in under the Online Safety Act and came into effect on January 31.

After pleading guilty to two counts of sending a photograph or film of genitals to cause alarm, distress, or humiliation, he was remanded in custody until March 11, when he will be sentenced at Basildon Crown Court. Hawkes is a registered sex offender until November 2033 after he was convicted and given a community order for sexual activity with a child under 16 and exposure last year at Basildon Crown Court, the CPS said. He will also be sentenced for breaching the order when he is sentenced in March.

IT

The Norwegian Sovereign Wealth Fund's $92 Million Excel Error 49

FT Alphaville: Last year, Norway's $1.5tn sovereign wealth fund revealed that it had lost NKr980mn, roughly $92mn, on an error relating to how it calculated its mandated benchmark. Here's what Norges Bank Investment Management said at the time: "In February this year, a calculation error was discovered in the composition of the index we're measured against. This error led to a marginal overweight in US fixed income relative to global fixed income. When this was discovered, we immediately set about correcting it, but because the fund is so large, the return was 0.7 basis points. Due to this our previously reported positive relative return of NOK 118 billion was adjusted down to NOK 117 billion."

It is a good example of how even tiny operational mistakes can have mammoth-sized consequences in nominal terms when you manage one of the world's biggest pools of capital. Sometimes a mistake can even lead to a windfall -- such as in 2021, when NBIM apparently made NKr582mn by accidentally accumulating an outsized position in a rising stock. But the 2023 index snafu is by far the biggest the fund has registered, almost twice as large as the cumulative operational-accidental losses it suffered from 2010-20. Alphaville was intrigued. What exactly went wrong? Well, in a recently-released anthropological report commissioned to investigate its own culture, NBIM seems to have inadvertently revealed just how minuscule the mistake was.

Here's an NBIM employee called "Simon" recounting the debacle to the report's author, Tone Danielsen. Alphaville's emphasis below: "Last year (spring 2022) we had an off-site. One of our workshops was on 'Mistakes and how to deal with them.' We wrote post-it notes, classifying them into different categories from harmless to no-goes. One of my post-it notes, I remember it vividly, read: Miscalculation of the Ministry of Finance benchmark. I placed it in the category unforgivable.

When I wrote that note, I honestly couldn't even dare to think about the consequences. And less than a year later, I did exactly that. My worst nightmare. It was a manual mistake. My mistake. I used the wrong date, December 1st instead of November 1st which is clearly stated in our mandate. The mistake was not revealed until months later, by the Ministry of Finance. They reported back that the numbers did not add up. I did all the numbers once more, and the cause of the mistake was identified. I immediately reported to Patrick [Global Head] and Dag [Chief]. I openly express that this was my mistake, and mine alone. I felt miserable and was ready to take the consequences -- whatever they might be."

Privacy

You'll Have To Visit an Apple Store If You Forget Your Vision Pro Passcode (macrumors.com) 49

An anonymous reader quotes a report from MacRumors: Apple Vision Pro owners who forget the passcode they set will need to take the device to an Apple retail location to get it reset, reports Bloomberg's Mark Gurman. There is apparently no on-device way to reset a Vision Pro passcode if it is forgotten. [...] Customers who have forgotten their Vision Pro passcodes have been told by Apple that they will need to visit a retail store for a fix or will need to ship the headset to Apple if there isn't a nearby store. Like Apple's iOS devices, the incorrect passcode cannot be entered too many times or the device will be disabled, with a waiting period before a passcode can be entered again. Removing the passcode requires erasing all content on the Vision Pro. [...]

There is an erase content setting on the Vision Pro, but there is no way to get into the reset mode using a combination of button presses. Erasing Vision Pro can only be done through the Settings app. Customers who have the $300 Developer Strap may be able to wipe the device from a Mac, but most users will not be able to get this accessory as it is limited to registered developers in the United States.

Social Networks

Threads is Now 'Booming', With 130 Million Active Users (techcrunch.com) 52

The Verge reports that Threads is "booming," according to figures shared by Mark Zuckerberg on Meta's earnings call, with 130 million active users a month.

TechCrunch reports: Threads is continuing to grow, having tripled its downloads month-over-month in December, which gave it a place in the top 10 most downloaded apps for the month across both the App Store and Google Play...

Threads famously had a record-breaking launch, reaching 100 million registered users within its first five days. However, the app saw its daily downloads decline starting last September through the end of the year. But in December, Threads once again returned to growth, likely due to the push Meta had given the app by displaying promos on Facebook that featured Threads' viral posts. Today, there are an estimated 160 million Threads users, according to one tracker...

The app could also be benefiting from its move into the "fediverse" — the social network comprised of interconnected servers that communicate via the ActivityPub protocol, like Mastodon... In addition, Threads recently announced the launch of an endpoint, allowing developers of third-party apps and websites to use a dynamic URL to prefill text into the Threads composer. For example, there's now a website where anyone can generate Threads share links and profile badges. Marketing tool provider Shareaholic also just launched Threads Share buttons for websites, including both desktop and mobile sites. This flurry of activity around Threads is helping to move the app up in the chart rankings, though some inorganic boosts from Meta itself are likely also responsible for the jump in downloads, given the size.

United Kingdom

London Accused of Wrongly Fining Hundreds of Thousands of EU Drivers (theguardian.com) 91

The Guardian reports that "Hundreds of thousands of EU citizens were wrongly fined for driving in London's Ulez clean air zone, according to European governments..." The Guardian can reveal Transport for London (TfL) has been accused by five EU countries of illegally obtaining the names and addresses of their citizens in order to issue the fines, with more than 320,000 penalties, some totalling thousands of euros, sent out since 2021...

Since Brexit, the UK has been banned from automatic access to personal details of EU residents. Transport authorities in Belgium, Spain, Germany and the Netherlands have confirmed to the Guardian that driver data cannot be shared with the UK for enforcement of London's ultra-low emission zone (Ulez), and claim registered keeper details were obtained illegally by agents acting for TfL's contractor Euro Parking Collection. In France, more than 100 drivers have launched a lawsuit claiming their details were obtained fraudulently, while Dutch lorry drivers are taking legal action against TfL over £6.5m of fines they claim were issued unlawfully.

According to the Belgian MP Michael Freilich, who has investigated the issue on behalf of his constituents, TfL is treating European drivers as a "cash cow" by using data obtained illegitimately to issue unjustifiable fines.

Freilich describes the situation as "possibly one of the largest privacy and data breaches in EU history," according to the article.

Some drivers have even received penalties of up to five-figure sums — for compliant vehicles which had simply not yet been registered. And "some low-emission cars have been misclassed as heavy goods diesel vehicles and fined under the separate low-emission zone scheme, which incurs penalties of up to £2,000 a day."

Thanks to Slashdot reader Bruce66423 for sharing the article.
