Social Networks

TikTok Is Under Investigation By the FTC Over Data Practices (apnews.com) 11

TikTok is being investigated by the FTC over its data and security practices, "a probe that could lead to a settlement or a lawsuit against the company," reports the Associated Press. From the report: In its investigation, the FTC has been looking into whether TikTok violated a portion of federal law that prohibits "unfair and deceptive" business practices by denying that individuals in China had access to U.S. user data, said the person, who is not authorized to discuss the investigation. The agency also is scrutinizing the company over potential violations of the Children's Online Privacy Protection Act, which requires kid-oriented apps and websites to get parents' consent before collecting personal information of children under 13.

The agency is nearing the conclusion of its investigation and could settle with TikTok in the coming weeks. But there's not a deadline for an agreement, the person said. If the FTC moves forward with a lawsuit instead, it would have to refer the case to the Justice Department, which would have 45 days to decide whether it wants to file a case on the FTC's behalf, make changes or send it back to the agency to pursue on its own.

United States

US Sanctions Spree Continues With 15 More For Russian Entities (theregister.com) 129

An anonymous reader quotes a report from The Register: It's sanctions central at the US Treasury this week as a further 15 are slapped on organizations and individuals in Russia. The Treasury's Office of Foreign Assets Control (OFAC) designated 13 organizations and two individuals -- all concerning financial services organizations, including cryptocurrency exchanges that offered services to already-sanctioned dark web marketplaces in Russia, and those who helped run them. Five of the 13 freshly designated entities were also controlled by individuals who were already sanctioned. The latest round of trade restrictions were placed on those who are believed to have helped evade existing US sanctions.

"Many of the individuals and entities designated today facilitated transactions or offered other services that helped OFAC-designated entities evade sanctions," an OFAC statement read. "These designations build upon OFAC's February 23, 2024 action to target companies servicing Russia's core financial infrastructure and curtail Russia's use of the international financial system to further its war against Ukraine." They follow the initial seven sanctions announced on Monday, all relating to Chinese nationals and members of Beijing's APT31 offensive cyber outfit.

The Courts

Judge Orders YouTube to Reveal Everyone Who Viewed A Video (mashable.com) 169

"If you've ever jokingly wondered if your search or viewing history is going to 'put you on some kind of list,' your concern may be more than warranted," writes Mashable: In now unsealed court documents reviewed by Forbes, Google was ordered to hand over the names, addresses, telephone numbers, and user activity of YouTube accounts and IP addresses that watched select YouTube videos, part of a larger criminal investigation by federal investigators.

The videos were sent by undercover police to a suspected cryptocurrency launderer... In conversations with the bitcoin trader, investigators sent links to public YouTube tutorials on mapping via drones and augmented reality software, Forbes details. The videos were watched more than 30,000 times, presumably by thousands of users unrelated to the case. YouTube's parent company Google was ordered by federal investigators to quietly hand over all such viewer data for the period of Jan. 1 to Jan. 8, 2023...

"According to documents viewed by Forbes, a court granted the government's request for the information," writes PC Magazine, adding that Google was asked "to not publicize the request." The requests are raising alarms for privacy experts who say the requests are unconstitutional and are "transforming search warrants into digital dragnets" by potentially targeting individuals who are not associated with a crime based simply on what they may have watched online.
That quote came from Albert Fox Cahn, executive director at the Surveillance Technology Oversight Project, who elaborates in Forbes' article. "No one should fear a knock at the door from police simply because of what the YouTube algorithm serves up. I'm horrified that the courts are allowing this."

Thanks to long-time Slashdot reader schwit1 for sharing the article.

Databases

Database For UK Nurse Registration 'Completely Unacceptable' (theregister.com) 42

Lindsay Clark reports via The Register: The UK Information Commissioner's Office has received a complaint detailing the mismanagement of personal data at the Nursing and Midwifery Council (NMC), the regulator that oversees worker registration. Employment as a nurse or midwife depends on enrollment with the NMC in the UK. According to whistleblower evidence seen by The Register, the databases on which the personal information is held lack rudimentary technical standards and practices. The NMC said its data was secure with a high level of quality, allowing it to fulfill its regulatory role, although it was on "a journey of improvement." But without basic documentation, or the primary keys or foreign keys common in database management, the Microsoft SQL Server databases -- holding information about 800,000 registered professionals -- are difficult to query and manage, making assurances on governance nearly impossible, the whistleblower told us.

The databases have no version control systems. Important fields for identifying individuals were used inconsistently -- for example, containing junk data, test data, or null data. Although the tech team used workarounds to compensate for the lack of basic technical standards, they were ad hoc and known by only a handful of individuals, creating business continuity risks should they leave the organization, according to the whistleblower. Despite having been warned of the issues of basic technical practice internally, the NMC failed to acknowledge the problems. Only after exhausting other avenues did the whistleblower raise concern externally with the ICO and The Register. The NMC stores sensitive data on behalf of the professionals that it registers, including gender, sexual orientation, gender identity, ethnicity and nationality, disability details, marital status, as well as other personal information.

The whistleblower's complaint claims the NMC falls well short of [the standards required under current UK law for data protection and the EU's General Data Protection Regulation (GDPR)]. The statement alleges that the NMC's "data management and data retrieval practices were completely unacceptable." "There is not even much by way of internal structure of the databases for self-documentation, such as primary keys, foreign keys (with a few honorable exceptions), check constraints and table constraints. Even fields that should not be null are nullable. This is frankly astonishing and not the practice of a mature, professional organization," the statement says. For example, the databases contain a unique ten-digit number (or PRN) to identify individuals registered to the NMC. However, the fields for PRNs sometimes contain individuals' names, start with a letter or other invalid data, or are simply null. The whistleblower's complaint says that the PRN problem, and other database design deficiencies, meant that it was nearly impossible to produce "accurate, correct, business critical reports ... because frankly no one knows where the correct data is to be found."
A spokesperson for the NMC said the register was "organized and documented" in the SQL Server database. "For clarity, the register of all our nurses, midwives and nursing practitioners is held within Dynamics 365 which is our system of record. This solution and the data held within it, is secure and well documented. It does not rely on any SQL database. The SQL database referenced by the whistleblower relates to our data warehouse which we are in the process of modernizing as previously shared."

Medicine

5-Year Study Finds No Brain Abnormalities In 'Havana Syndrome' Patients (www.cbc.ca) 38

An anonymous reader quotes a report from CBC News: An array of advanced tests found no brain injuries or degeneration among U.S. diplomats and other government employees who suffer mysterious health problems once dubbed "Havana syndrome," researchers reported Monday. The National Institutes of Health's (NIH) nearly five-year study offers no explanation for symptoms including headaches, balance problems and difficulties with thinking and sleep that were first reported in Cuba in 2016 and later by hundreds of American personnel in multiple countries. But it did contradict some earlier findings that raised the spectre of brain injuries in people experiencing what the State Department now calls "anomalous health incidents."

"These individuals have real symptoms and are going through a very tough time," said Dr. Leighton Chan, NIH's chief of rehabilitation medicine, who helped lead the research. "They can be quite profound, disabling and difficult to treat." Yet sophisticated MRI scans detected no significant differences in brain volume, structure or white matter -- signs of injury or degeneration -- when Havana syndrome patients were compared to healthy government workers with similar jobs, including some in the same embassy. Nor were there significant differences in cognitive and other tests, according to findings published in the Journal of the American Medical Association.

Privacy

Stanford University Failed To Detect Ransomware Intruders For 4 Months (theregister.com) 22

Connor Jones reports via The Register: Stanford University says the cybersecurity incident it dealt with last year was indeed ransomware, which it failed to spot for more than four months. Keen readers of El Reg may remember the story breaking toward the end of October 2023 after Akira posted Stanford to its shame site, with the university subsequently issuing a statement simply explaining that it was investigating an incident, avoiding the dreaded R word. Well, surprise, surprise, ransomware was involved, according to a data breach notice sent out to the 27,000 people affected by the attack.

Akira targeted the university's Department of Public Safety (DPS) and this week's filing with the Office of the Maine Attorney General indicates that Stanford became aware of the incident on September 27, more than four months after the initial breach took place. According to Monday's filing, the data breach occurred on May 12 2023 but was only discovered on September 27 of last year, raising questions about whether the attacker(s) was inside the network the entire time and why it took so long to spot the intrusion.

It's not fully clear what information was compromised, but the draft letters include placeholders for three different variables. However, the filing with Maine's AG suggests names and social security numbers are among the data types to have been stolen. All affected individuals have been offered 24 months of free credit monitoring, including access to a $1 million insurance reimbursement policy and ID theft recovery services. Akira's post dedicated to Stanford on its leak site claims it stole 430 GB worth of data, including personal information and confidential documents. It's all available to download via a torrent file and the fact it remains available for download suggests the research university didn't pay whatever ransom the attackers demanded.

Privacy

Worldcoin Fails To Get Injunction Against Spain's Privacy Suspension (techcrunch.com) 9

Controversial eyeball scanning startup Worldcoin has failed to get an injunction against a temporary suspension ordered Wednesday by Spain's data protection authority, the AEPD. TechCrunch: The authority used emergency powers contained in the European Union's General Data Protection Regulation (GDPR) to make the local order, which can apply for up to three months. It said it was taking the precautionary measure against Worldcoin's operator, Tools for Humanity, in light of the sensitive nature of the biometric data being collected, which could pose a high risk to the rights and freedoms of individuals. It also raised specific concerns about risks to minors, citing complaints received.

Today a Madrid-based High Court declined to grant an injunction against the AEPD's order, saying that the "safeguarding of public interest" must be prioritized. As we reported Friday, the crypto blockchain biometrics digital identity firm shuttered scanning in the market shortly after the AEPD order -- which gave it 72 hours to comply. Today's court decision means Worldcoin's services remain suspended in Spain -- for up to three months.

Canada

Canada's 'Online Harms' Bill Would Be an Assault On Free Speech, Civil Liberties Groups Say (torontosun.com) 200

A Toronto Sun columnist writes that two Canadian civil liberties groups are "sounding alarms" about the proposed new Online Harms Act (C-63): The Canadian Civil Liberties Association (CCLA) and the Canadian Constitution Foundation (CCF) say while the proposed legislation contains legitimate measures to protect children from online sexual abuse, cyber-bullying and self-harm, and to combat the spread of so-called "revenge porn," its provisions to prevent the expression of hate are draconian, vaguely worded and an attack on free speech... "[D]on't be fooled," said CCF executive director Joanna Baron. "Most of the bill is aimed at restricting freedom of expression. This heavy-handed bill needs to be severely pared down to comply with the constitution."

Both the CCLA and CCF warn the bill could lead to life imprisonment for someone convicted of "incitement to genocide" — a vague term only broadly defined in the bill — and up to five years in prison for other vaguely defined hate speech crimes. The legislation, for example, defines illegal hate speech as expressing "detestation or vilification of an individual or group of individuals," while legally protected speech, "expresses dislike or disdain, or ... discredits, humiliates, hurts or offends." The problem, critics warn, will be determining in advance which is which, with the inevitable result that people and organizations will self-censor themselves because of fear of being prosecuted criminally, or fined civilly, for what is actually legal speech.

"Both the CCLA and the CCF say the proposed legislation, known as Bill C-63, will require major amendments before becoming law to pass constitutional muster," according to the columnist.

Some specific complaints:
  • The CCF argues that the Bill "would allow judges to put prior restraints on people who they believe on reasonable grounds may commit speech crimes in the future."
  • The CCLA adds that the proposed bill also grants authorities "sweeping new search powers of electronic data, with no warrant requirement," according to the Toronto Sun, and also warns about the creation of a government-appointed "digital safety commission" given "vast authority" and "sweeping powers" to "interpret the law, make up new rules, enforce them, and then serve as judge, jury, and executioner."

In addition, the CCF points out that under the proposed rules the Canadian Human Rights Commission "could order fines of up to $50,000, and awards of up to $20,000 paid to complainants, who in some cases would be anonymous."

"Findings would be based on a mere 'balance of probabilities' standard rather than the criminal standard of proof beyond a reasonable doubt... The mere threat of human rights complaints will chill large amounts of protected speech."

Thanks to long-time Slashdot reader sinij for sharing the article.


Puzzle Games (Games)

NYTimes Files Copyright Takedown Against Hundreds of Wordle Clones (404media.co) 39

As reported by 404 Media, the New York Times has issued hundreds of copyright takedown requests against Wordle clones "in which it asserts not just ownership over the Wordle name but over the broad concepts and mechanics of the word game, which includes its '5x6 grid' and 'green tiles to indicate correct guesses.'" From the report: The Times filed at least three DMCA takedown requests with coders who have made clones of Wordle on GitHub. These include two in January and, crucially, a new DMCA filed this week against Chase Wackerfuss, the coder of a repository called "Reactle," which cloned Wordle in React JS (JavaScript). The most recent takedown request is critical because it not only goes after Reactle but anyone who has forked Reactle to create a different spinoff game; an archive of the Reactle code repository shows that it was forked 1,900 times to create a diverse set of games and spinoffs. These include Wordle clones in dozens of languages, crossword versions of Wordle, emoji and bird versions of Wordle, poker and AI spinoffs, etc.

"I write to submit a revised DMCA Notice regarding an infringing repository (and hundreds of forked repositories) hosted by Github that instruct users how to infringe The New York Times Co.'s ('The Times') copyright in its immensely popular Wordle game and create knock-off copies of the same. Unfortunately, hundreds of individuals have followed these instructions and published infringing Wordle knock-off games that The Times has spent the past month removing, including off of Github's websites," the DMCA takedown request against Reactle reads. "The Times's Wordle copyright includes the unique elements of its immensely popular game, such as the 5x6 grid, green tiles to indicate correct guesses, yellow tiles to indicate the correct letter but the wrong place within the word, and the keyboard directly beneath the grid. This gameplay is copied exactly in the repository, and the owner instructs others how to knock off the game and create an identical word game," it adds.

The DMCA request then says that GitHub must delete forks of the repository, which it writes were "infringing to the same extent as the parent repository" and which it says were made in what was "clearly bad faith." [...] The DMCA takedown requests are particularly notable because they come at a time when the New York Times is financially thriving, while many of its competitors are losing money, laying people off, and shutting down. The Times is thriving in part because Wordle, the crossword puzzle, and its recipe apps are juggernauts. The company has been aggressively expanding its "Games" business with Wordle, Connections, and a brand new word search game called Strands.
The New York Times issued a statement in response: "The Times has no issue with individuals creating similar word games that do not infringe The Times's 'Wordle' trademarks or copyrighted gameplay. The Times took action against a GitHub user and others who shared his code to defend its intellectual property rights in Wordle. The user created a 'Wordle clone' project that instructed others how to create a knock-off version of The Times's Wordle game featuring many of the same copyrighted elements. As a result, hundreds of websites began popping up with knock-off 'Wordle' games that used The Times's 'Wordle' trademark and copyrighted gameplay without authorization or permission."

Science

Company That Plans To Bring Back the Mammoth Takes a Key Step (arstechnica.com) 29

John Timmer reports via Ars Technica: A company called Colossal plans to pioneer the de-extinction business, taking species that have died within the past few thousand years and restoring them through the use of DNA editing and stem cells. It's grabbed headlines recently by announcing some compelling targets: the thylacine, an extinct marsupial predator, and an icon of human carelessness, the dodo. But the company was formed to tackle an even more audacious target: the mammoth, which hasn't roamed the Northern Hemisphere for thousands of years. Obviously, there are a host of ethical and conservation issues that would need to be worked out before Colossal's plans go forward. But there are some major practical hurdles as well, most of them the product of the distinct and extremely slow reproductive biology of the mammoth's closest living relatives, the elephants. At least one of those has now been cleared, as the company is announcing the production of the first elephant stem cells. The process turned out to be extremely difficult, suggesting that the company still has a long road ahead of it. [...] Overall, it's a project that has a high probability of failure and may ultimately require generations of scientists. If we do successfully de-extinct a species, the first example will probably be a different species, even though the projects launched later.

But Colossal is forging ahead and cleared one of the many hurdles it faces: It created the first induced stem cells from elephants and will be placing a draft manuscript describing the process on a public repository on Wednesday. (Colossal provided Ars with an advance version of the draft that, outside of a few editing errors, appears largely complete.) Beyond providing the technical details of how the process works, the manuscript describes a long, failure-ridden route to eventual success.

Several methods have been developed to allow us to induce stem cells from the cells of an adult organism. The original Nobel-winning process developed by Shinya Yamanaka involved inserting the genes that encode four key embryonic regulatory genes into adult cells and allowing them to reprogram the adult cell into an embryonic state. That has proven effective in a variety of species but has a couple of drawbacks due to the fact that the four genes can potentially stick around, interfering with later development steps. Although there are ways around that, others have developed a cocktail of chemicals that perform a similar function by activating signaling pathways that, collectively, can also reprogram adult cells. When it works, this simplifies matters, as you only have to remove the chemicals to allow the stem cells to adopt other fates.

Colossal tried both of these. Neither worked with elephant cells: "Multiple attempts with current standard reprogramming methods were tried, and failed, and resulted in no, or incomplete, reprogramming." Apparently, lots of additional trial and error ensued. The eventual solution ended up being based in part on combining the two primary options: Cells were first exposed to a chemical reprogramming cocktail and then given the four genes used in the alternative reprogramming method. On its own, however, that wasn't enough. The researchers also had to address a quirk of elephant biology.

Obviously, for Colossal, this is a means to an end: the mammoth. But that's remarkably underplayed in the manuscript. Instead, its emphasis is on the technology's use in the conservation of existing species. [T]he researchers note that studying things like elephant development and metabolism in actual elephants is not especially realistic. But we can potentially induce the stem cells developed here into any cell we'd want to study -- nerve, liver, heart, and so on. So, the stem cells described here could be a useful tool for research. So, these cells are being presented as a valuable tool for the research community. Still, you can expect the people behind the de-extinction project to be getting to work on some of the easier things: showing that the genome in the cells can be edited and that they can be induced to start the process of embryogenesis. Separately, some unfortunate individuals will need to be working on the hard problems we mentioned earlier.

United States

US Sanctions Founder of Spyware Maker Intellexa for Targeting Americans (techcrunch.com) 30

The U.S. government announced Tuesday sanctions against the founder of the notorious spyware company Intellexa and one of his business partners. From a report: This is the first time the U.S. government has targeted specific people, in addition to companies, with sanctions related to the misuse of commercial spyware. And it signifies an escalation of the White House and U.S. government's efforts to curb the spyware industry. "Today's actions represent a tangible step forward in discouraging the misuse of commercial surveillance tools, which increasingly present a security risk to the United States and our citizens," Brian E. Nelson, the U.S. Treasury's under secretary for terrorism and financial intelligence, was quoted as saying in a press release.

"The United States remains focused on establishing clear guardrails for the responsible development and use of these technologies while also ensuring the protection of human rights and civil liberties of individuals around the world." The U.S. Treasury imposed sanctions on Tal Dilian, the founder of Intellexa and a veteran of the spyware industry; and Sara Aleksandra Fayssal Hamou, who is not as well-known as Dilian. Hamou, according to the Treasury, has a leadership role in Intellexa, is an expert in off-shoring, and provided the company managerial services, such as renting office space in Greece.

Government

How the Pentagon Learned To Use Targeted Ads To Find Its Targets (wired.com) 55

An anonymous reader quotes an excerpt from a Wired article: In 2019, a government contractor and technologist named Mike Yeagley began making the rounds in Washington, DC. He had a blunt warning for anyone in the country's national security establishment who would listen: The US government had a Grindr problem. A popular dating and hookup app, Grindr relied on the GPS capabilities of modern smartphones to connect potential partners in the same city, neighborhood, or even building. The app can show how far away a potential partner is in real time, down to the foot. But to Yeagley, Grindr was something else: one of the tens of thousands of carelessly designed mobile phone apps that leaked massive amounts of data into the opaque world of online advertisers. That data, Yeagley knew, was easily accessible by anyone with a little technical know-how. So Yeagley -- a technology consultant then in his late forties who had worked in and around government projects nearly his entire career -- made a PowerPoint presentation and went out to demonstrate precisely how that data was a serious national security risk.

As he would explain in a succession of bland government conference rooms, Yeagley was able to access the geolocation data on Grindr users through a hidden but ubiquitous entry point: the digital advertising exchanges that serve up the little digital banner ads along the top of Grindr and nearly every other ad-supported mobile app and website. This was possible because of the way online ad space is sold, through near-instantaneous auctions in a process called real-time bidding. Those auctions were rife with surveillance potential. You know that ad that seems to follow you around the internet? It's tracking you in more ways than one. In some cases, it's making your precise location available in near-real time to both advertisers and people like Mike Yeagley, who specialized in obtaining unique data sets for government agencies.

Working with Grindr data, Yeagley began drawing geofences -- creating virtual boundaries in geographical data sets -- around buildings belonging to government agencies that do national security work. That allowed Yeagley to see what phones were in certain buildings at certain times, and where they went afterwards. He was looking for phones belonging to Grindr users who spent their daytime hours at government office buildings. If the device spent most workdays at the Pentagon, the FBI headquarters, or the National Geospatial-Intelligence Agency building at Fort Belvoir, for example, there was a good chance its owner worked for one of those agencies. Then he started looking at the movement of those phones through the Grindr data. When they weren't at their offices, where did they go? A small number of them had lingered at highway rest stops in the DC area at the same time and in proximity to other Grindr users -- sometimes during the workday and sometimes while in transit between government facilities. For other Grindr users, he could infer where they lived, see where they traveled, even guess at whom they were dating.

Intelligence agencies have a long and unfortunate history of trying to root out LGBTQ Americans from their workforce, but this wasn't Yeagley's intent. He didn't want anyone to get in trouble. No disciplinary actions were taken against any employee of the federal government based on Yeagley's presentation. His aim was to show that buried in the seemingly innocuous technical data that comes off every cell phone in the world is a rich story -- one that people might prefer to keep quiet. Or at the very least, not broadcast to the whole world. And that each of these intelligence and national security agencies had employees who were recklessly, if obliviously, broadcasting intimate details of their lives to anyone who knew where to look. As Yeagley showed, all that information was available for sale, for cheap. And it wasn't just Grindr, but rather any app that had access to a user's precise location -- other dating apps, weather apps, games. Yeagley chose Grindr because it happened to generate a particularly rich set of data and its user base might be uniquely vulnerable.
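The geofencing workflow the excerpt describes, as an added example that is not from the Wired article or from any of the tools it mentions: constructed location records in the shape an ad exchange's bid requests carry (an advertising identifier, coordinates, a timestamp), two hypothetical site fences with made-up coordinates, and the three questions the passage walks through: which fence a device spends its workdays inside, where it goes when it is not there, and which devices linger together off site. Every identifier and coordinate below is invented; the working-hours test uses UTC directly as a simplification.

```python
"""Geofence analysis over constructed ad-tech location records (illustrative, not real data)."""
import math
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Ping:
    device_id: str      # advertising identifier as seen in a bid request (invented)
    lat: float
    lon: float
    ts: datetime


@dataclass(frozen=True)
class Geofence:
    name: str
    lat: float
    lon: float
    radius_m: float


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * 6_371_000.0 * math.asin(math.sqrt(a))


def fence_for(ping, fences):
    """Name of the first circular fence containing the ping, or None."""
    for f in fences:
        if haversine_m(ping.lat, ping.lon, f.lat, f.lon) <= f.radius_m:
            return f.name
    return None


def is_workday_hours(ts):
    # Monday..Friday, 09:00-16:59 (UTC, a simplification for the example)
    return ts.weekday() < 5 and 9 <= ts.hour < 17


def workplace_by_device(pings, fences, min_workday_pings=3, min_share=0.6):
    """Assign each device the fence holding most of its workday pings, if it is dominant enough."""
    per_device = defaultdict(Counter)
    workday_totals = Counter()
    for p in pings:
        if not is_workday_hours(p.ts):
            continue
        workday_totals[p.device_id] += 1
        name = fence_for(p, fences)
        if name is not None:
            per_device[p.device_id][name] += 1
    result = {}
    for dev, counts in per_device.items():
        name, n = counts.most_common(1)[0]
        if n >= min_workday_pings and n / workday_totals[dev] >= min_share:
            result[dev] = name
    return result


def off_site_visits(pings, device_id, fences):
    """Chronological list of (iso timestamp, lat, lon) for a device's pings outside every fence."""
    own = sorted((p for p in pings if p.device_id == device_id), key=lambda p: p.ts)
    return [(p.ts.isoformat(), round(p.lat, 4), round(p.lon, 4))
            for p in own if fence_for(p, fences) is None]


def co_located(pings, fences, max_m=100.0, max_s=600):
    """Sorted device pairs seen within max_m metres and max_s seconds of each other, outside all fences."""
    outside = [p for p in pings if fence_for(p, fences) is None]
    pairs = set()
    for i, a in enumerate(outside):
        for b in outside[i + 1:]:
            if a.device_id == b.device_id:
                continue
            if abs((a.ts - b.ts).total_seconds()) > max_s:
                continue
            if haversine_m(a.lat, a.lon, b.lat, b.lon) <= max_m:
                pairs.add(tuple(sorted((a.device_id, b.device_id))))
    return sorted(pairs)


# Constructed fences: hypothetical office sites, not real buildings.
FENCES = [
    Geofence("SITE_A", 38.9000, -77.0300, 300.0),
    Geofence("SITE_B", 38.8700, -77.0550, 300.0),
]


def _t(day, hour, minute=0):
    return datetime(2023, 3, day, hour, minute, tzinfo=timezone.utc)   # 6 Mar 2023 is a Monday


# Constructed pings: dev-1 works at SITE_A, dev-2 at SITE_B, dev-3 is a one-off visitor.
SAMPLE_PINGS = [
    Ping("dev-1", 38.9001, -77.0302, _t(6, 9, 30)),
    Ping("dev-1", 38.9002, -77.0299, _t(6, 11)),
    Ping("dev-1", 38.8999, -77.0301, _t(6, 14)),
    Ping("dev-1", 38.9500, -77.2000, _t(6, 18, 30)),   # evening stop off site
    Ping("dev-1", 38.8300, -77.1000, _t(6, 21)),       # overnight location
    Ping("dev-1", 38.9001, -77.0300, _t(7, 10)),
    Ping("dev-1", 38.9000, -77.0303, _t(7, 15)),
    Ping("dev-2", 38.8701, -77.0551, _t(6, 10)),
    Ping("dev-2", 38.8699, -77.0549, _t(6, 13)),
    Ping("dev-2", 38.9503, -77.2002, _t(6, 18, 32)),   # same stop, two minutes later
    Ping("dev-2", 38.8700, -77.0552, _t(7, 10)),
    Ping("dev-3", 38.8500, -77.0000, _t(6, 10)),
    Ping("dev-3", 38.9001, -77.0301, _t(6, 12)),       # single visit to SITE_A
    Ping("dev-3", 38.8600, -77.0100, _t(7, 11)),
]

if __name__ == "__main__":
    print(workplace_by_device(SAMPLE_PINGS, FENCES))        # {'dev-1': 'SITE_A', 'dev-2': 'SITE_B'}
    print(off_site_visits(SAMPLE_PINGS, "dev-1", FENCES))   # the evening stop and the overnight location
    print(co_located(SAMPLE_PINGS, FENCES))                 # [('dev-1', 'dev-2')]
```

The thresholds (three workday pings, a 60% share, 100 metres and ten minutes for co-location) are arbitrary choices for the example; the point is that nothing in the pipeline needs anything beyond the advertising identifier and coordinates that a bid request already exposes, which is why precise location in bid streams is treated as a leak rather than a feature.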
The report goes into great detail about how intelligence and data analysis techniques, notably through a program called Locomotive developed by PlanetRisk, enabled the tracking of mobile devices associated with Russian President Vladimir Putin's entourage. By analyzing commercial adtech data, including precise geolocation information collected from mobile advertising bid requests, analysts were able to monitor the movements of phones that frequently accompanied Putin, indicating the locations and movements of his security personnel, aides, and support staff.

This capability underscored the surveillance potential of commercially available data, providing insights into the activities and security arrangements of high-profile individuals without directly compromising their personal devices.

Links

Calendar Meeting Links Used To Spread Mac Malware (krebsonsecurity.com) 17

Hackers targeting individuals in the cryptocurrency sector are using a sophisticated phishing scheme that begins with a malicious link on Calendly. "The attackers impersonate established cryptocurrency investors and ask to schedule a video conference call," reports Krebs on Security. "But clicking the meeting link provided by the scammers prompts the user to run a script that quietly installs malware on macOS systems." From the report: A search in Google for a string of text from that script turns up a December 2023 blog post from cryptocurrency security firm SlowMist about phishing attacks on Telegram from North Korean state-sponsored hackers. "When the project team clicks the link, they encounter a region access restriction," SlowMist wrote. "At this point, the North Korean hackers coax the team into downloading and running a 'location-modifying' malicious script. Once the project team complies, their computer comes under the control of the hackers, leading to the theft of funds."

SlowMist says the North Korean phishing scams used the "Add Custom Link" feature of the Calendly meeting scheduling system on event pages to insert malicious links and initiate phishing attacks. "Since Calendly integrates well with the daily work routines of most project teams, these malicious links do not easily raise suspicion," the blog post explains. "Consequently, the project teams may inadvertently click on these malicious links, download, and execute malicious code."

SlowMist said the malware downloaded by the malicious link in their case comes from a North Korean hacking group dubbed BlueNoroff, which Kaspersky Labs says is a subgroup of the Lazarus hacking group. "A financially motivated threat actor closely connected with Lazarus that targets banks, casinos, fin-tech companies, POST software and cryptocurrency businesses, and ATMs," Kaspersky wrote of BlueNoroff in Dec. 2023.

Canada

Canada To Compel Digital Platforms To Remove Harmful Content (marketscreener.com) 81

According to the Wall Street Journal (paywalled), Canada has proposed new rules that would compel digital platforms to remove online content that features the sexual exploitation of children or intimate images without consent of the individuals involved. From a report: The rules were years in the making, and represent the third and possibly final installment of measures aimed at regulating digital platforms. Measures introduced since 2022 aim to increase the amount of domestic, Canadian-made content on streaming services, such as Netflix, and require digital platforms to help Canadian news-media outlets finance their newsroom operations. The legislation needs to be approved by Canada's Parliament before it takes effect.

Canada said its rules are based on concepts introduced by the European Union, the U.K. and Australia. Canadian officials say the proposed measures would apply to social-media platforms, adult-entertainment sites where users can upload content, and live-streaming services. These services, officials said, are expected to expeditiously remove two categories of content: That which sexually exploits a child or an abuse survivor, and intimate content broadcast without an individual's consent. The latter incorporates so-called revenge porn, or the nonconsensual posting or dissemination of intimate images, often after the end of a romantic relationship. Officials said private and encrypted messaging services are excluded from the proposed regulations.

Canadian officials said platforms will have a duty to either ensure the material is not published, or take it down once notified. Canada also intends to set up a new agency, the Digital Safety Commission, to enforce the rules, order harmful content taken down, and hold digital services accountable. Platforms that violate the rules could face a maximum penalty of up to 25 million Canadian dollars, or the equivalent of $18.5 million, officials said.

Social Networks

Supreme Court Hears Landmark Cases That Could Upend What We See on Social Media (cnn.com) 282

The US Supreme Court is hearing oral arguments Monday in two cases that could dramatically reshape social media, weighing whether states such as Texas and Florida should have the power to control what posts platforms can remove from their services. From a report: The high-stakes battle gives the nation's highest court an enormous say in how millions of Americans get their news and information, as well as whether sites such as Facebook, Instagram, YouTube and TikTok should be able to make their own decisions about how to moderate spam, hate speech and election misinformation. At issue are laws passed by the two states that prohibit online platforms from removing or demoting user content that expresses viewpoints -- legislation both states say is necessary to prevent censorship of conservative users.

More than a dozen Republican attorneys general have argued to the court that social media should be treated like traditional utilities such as the landline telephone network. The tech industry, meanwhile, argues that social media companies have First Amendment rights to make editorial decisions about what to show. That makes them more akin to newspapers or cable companies, opponents of the states say. The case could lead to a significant rethinking of First Amendment principles, according to legal experts. A ruling in favor of the states could weaken or reverse decades of precedent against "compelled speech," which protects private individuals from government speech mandates, and have far-reaching consequences beyond social media. A defeat for social media companies seems unlikely, but it would instantly transform their business models, according to Blair Levin, an industry analyst at the market research firm New Street Research.

Government

The Companies Helping Governments Hack Citizens' Phones: a 'Thriving' Industry (fastcompany.com) 8

Fast Company notes that "the deadly impacts of Pegasus and other cyberweapons — wielded by governments from Spain to Saudi Arabia against human rights defenders, journalists, lawyers and others — is by now well documented. A wave of scrutiny and sanctions have helped expose the secretive, quasi-legal industry behind these tools, and put financial strain on firms like Israel's NSO Group, which builds Pegasus.

"And yet business is booming." New research published this month by Google and Meta suggests that despite new restrictions, the cyberattack market is growing, and growing more dangerous, aiding government violence and repression and eroding democracy around the globe.

"The industry is thriving," says Maddie Stone, a researcher at Google's Threat Analysis Group (TAG) who hunts zero-day exploits, the software bugs that have yet to be fixed and are worth potentially hundreds of millions to spyware sellers. "More companies keep popping up, and their government customers are determined to buy from them, and want these capabilities, and are using them." For the first time, half of known zero-days against Google and Android products now come from private companies, according to a report published this month by Stone's team at Google. Beyond prominent firms like NSO and Candiru, Google's researchers say they are tracking about 40 companies involved in the creation of hacking tools that have been deployed against "high risk individuals."

Of the 72 zero-day exploits Google discovered in the wild between 2014 and last year, 35 were attributed to these and other industry players, as opposed to state-backed actors. "If governments ever had a monopoly on the most sophisticated capabilities, that era is certainly over," reads the report.

The Google findings and a spyware-focused threat report published by Meta a week later reflect an increasingly tough response by Big Tech to an industry that profits from breaking into its systems. The reports also put new pressure on the US and others to take action against the mostly unregulated industry.

"In its report, Google describes a 'rise in turnkey espionage solutions' offered by dozens of shady companies..."

Thanks to Slashdot reader tedlistens for sharing the article.

Education

New York Will Start Requiring Credentials for All CS Teachers (govtech.com) 48

Long-time Slashdot reader theodp writes: In 2012, Microsoft President Brad Smith unveiled Microsoft's National Talent Strategy, which called for K-12 Computer Science education for U.S. schoolchildren to address a "talent crisis [that] endangers long-term growth and prosperity". The following year, tech-backed nonprofit Code.org burst onto the scene to deliver that education to schoolchildren, with Smith and execs from tech giants Google and Amazon on its Board of Directors (and Code.org donors Bill Gates and Mark Zuckerberg as lead K-12 CS instructors).

Using a mix of paid individuals, universities and other organizations that it helped to fund, along with online self-paced courses, Code.org boasts it quickly "prepared more than 106,000 new teachers to teach CS across grades K-12" through its professional learning programs. "No computer science experience required," Code.org teases prospective K-12 teachers (as does Code.org partner Amazon Future Engineer). Code.org organized K-12 CS teacher workforce expansion workshops.

However, at least one state is taking steps to put an end to the practice of rebranding individuals as K-12 CS teachers in as little as a day, albeit with a generous 10-year loophole for currently uncertified K-12 CS teachers. "At the start of the 2024-2025 academic year," reports GovTech, "the New York State Education Department (NYSED) is honing its credential requirements for computer science teachers, though the state has yet to join the growing list of those mandating computer science instruction for high school graduation. According to the department's website, as of Sept. 1, 2024, educators who teach computer science will need either a Computer Science Certificate issued by the state Board of Regents or a Computer Science Statement of Continued Eligibility (SOCE), which may be given to instructors who don't have the specific certificate but have nonetheless taught computer science since Sept. 1, 2017....

"The NYSED website says the SOCE is a temporary measure that will be phased out after 10 years, at which point all computer science instructors will need a Computer Science Certificate."

Earth

Switzerland Calls On UN To Explore Possibility of Solar Geoengineering 92

Switzerland is advocating for a United Nations expert group to explore the merits of solar geoengineering. The proposal seeks to ensure multilateral oversight of solar radiation modification (SRM) research, amidst concerns over its potential implications for food supply, biodiversity, and global inequalities. The Guardian reports: The Swiss proposal, submitted to the United Nations environment assembly that begins next week in Nairobi, focuses on solar radiation modification (SRM). This is a technique that aims to mimic the effect of a large volcanic eruption by filling the atmosphere with sulphur dioxide particles that reflect part of the sun's heat and light back into space. Supporters of the proposal, including the United Nations environment program (UNEP), argue that research is necessary to ensure multilateral oversight of emerging planet-altering technologies, which might otherwise be developed and tested in isolation by powerful governments or billionaire individuals.

Critics, however, argue that such a discussion would threaten the current de-facto ban on geoengineering, and lead down a "slippery slope" towards legitimization, mainstreaming and eventual deployment. Felix Wertli, the Swiss ambassador for the environment, said his country's goal in submitting the proposal was to ensure all governments and relevant stakeholders "are informed about SRM technologies, in particular about possible risks and cross-border effects." He said the intention was not to promote or enable solar geoengineering but to inform governments, especially those in developing countries, about what is happening.

The executive director of the UNEP, Inger Andersen, stressed the importance of "a global conversation on SRM" in her opening address to delegates at a preliminary gathering in Nairobi. She and her colleagues emphasized the move was a precautionary one rather than an endorsement of the technology.

The Courts

Snapchat Isn't Liable For Connecting 12-Year-Old To Convicted Sex Offenders (arstechnica.com) 59

An anonymous reader quotes a report from Ars Technica: A judge has dismissed (PDF) a complaint from a parent and guardian of a girl, now 15, who was sexually assaulted when she was 12 years old after Snapchat recommended that she connect with convicted sex offenders. According to the court filing, the abuse that the girl, C.O., experienced on Snapchat happened soon after she signed up for the app in 2019. Through its "Quick Add" feature, Snapchat "directed her" to connect with "a registered sex offender using the profile name JASONMORGAN5660." After a little more than a week on the app, C.O. was bombarded with inappropriate images and subjected to sextortion and threats before the adult user pressured her to meet up, then raped her. Cops arrested the adult user the next day, resulting in his incarceration, but his Snapchat account remained active for three years despite reports of harassment, the complaint alleged.

Two years later, at 14, C.O. connected with another convicted sex offender on Snapchat, a former police officer who offered to give C.O. a ride to school and then sexually assaulted her. The second offender is also currently incarcerated, the judge's opinion noted. The lawsuit painted a picture of Snapchat's ongoing neglect of minors it knows are being targeted by sexual predators. Prior to C.O.'s attacks, both adult users sent and requested sexually explicit photos, seemingly without the app detecting any child sexual abuse materials exchanged on the platform. C.O. had previously reported other adult accounts sending her photos of male genitals, but Snapchat allegedly "did nothing to block these individuals from sending her inappropriate photographs."

Among other complaints, C.O.'s lawsuit alleged that Snapchat's algorithm for its "Quick Add" feature was the problem. It allegedly recklessly works to detect when adult accounts are seeking to connect with young girls and, by design, sends more young girls their way -- continually directing sexual predators toward vulnerable targets. Snapchat is allegedly aware of these abuses and, therefore, should be held liable for harm caused to C.O., the lawsuit argued. Although C.O.'s case raised difficult questions, Judge Barbara Bellis ultimately agreed with Snapchat that Section 230 of the Communications Decency Act barred all claims and shielded Snap because "the allegations of this case fall squarely within the ambit of the immunity afforded to" platforms publishing third-party content. According to Bellis, C.O.'s family had "clearly alleged" that Snap had failed to design its recommendations systems to block young girls from receiving messages from sexual predators. Specifically, Section 230 immunity shields Snap from liability in this case because Bellis considered the messages exchanged to be third-party content. Snapchat designing its recommendation systems to deliver content is a protected activity, Bellis ruled.
Despite a seemingly conflicting ruling in Los Angeles that found that "Section 230 didn't protect Snapchat from liability for allegedly connecting teens with drug dealers," Bellis didn't appear to consider it persuasive. She did, however, critique Section 230's broad application, suggesting courts are limited without legislative changes, despite the morally challenging nature of some cases.

The Courts

AMC To Pay $8 Million For Allegedly Sharing Subscribers' Viewing History With Tech Companies (arstechnica.com) 20

An anonymous reader quotes a report from Ars Technica: On Thursday, AMC notified subscribers of a proposed $8.3 million settlement that provides awards to an estimated 6 million subscribers of its six streaming services: AMC+, Shudder, Acorn TV, ALLBLK, SundanceNow, and HIDIVE. The settlement comes in response to allegations that AMC illegally shared subscribers' viewing history with tech companies like Google, Facebook, and X (aka Twitter) in violation of the Video Privacy Protection Act (VPPA). Passed in 1988, the VPPA prohibits AMC and other video service providers from sharing "information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider." It was originally passed to protect individuals' right to private viewing habits, after a journalist published the mostly unrevealing video rental history of a judge, Robert Bork, who had been nominated to the Supreme Court by Ronald Reagan.

The so-called "Bork Tapes" revealed little -- other than that the judge frequently rented spy thrillers and British costume dramas -- but lawmakers recognized that speech could be chilled by monitoring anyone's viewing habits. While the law was born in the era of Blockbuster Video, subscribers suing AMC wrote in their amended complaint (PDF) that "the importance of legislation like the VPPA in the modern era of datamining is more pronounced than ever before." According to subscribers suing, AMC allegedly installed tracking technologies -- including the Meta Pixel, the X Tracking Pixel, and Google Tracking Technology -- on its website, allowing their personally identifying information to be connected with their viewing history. [...]

If it's approved, AMC has agreed to "suspend, remove, or modify operation of the Meta Pixel and other Third-Party Tracking Technologies so that use of such technologies on AMC Services will not result in AMC's disclosure to the third-party technology companies of the specific video content requested or obtained by a specific individual." All registered users of AMC services who "requested or obtained video content on at least one of the six AMC services" between January 18, 2021, and January 10, 2024, are currently eligible to submit claims under the proposed settlement. The deadline to submit is April 9. In addition to distributing the $8.3 million settlement fund among class members, subscribers will also receive a free one-week digital subscription.
