The Courts

Cupertino Must Stop Calling Apple Watches 'Carbon Neutral,' German Court Rules (theregister.com)

An anonymous reader quotes a report from The Register: A German court has told Apple to stop advertising its Watches as being carbon-neutral, ruling that this was misleading and could not fly under the country's competition law. Apple has been marketing its newest smartwatches as being carbon-neutral for nearly two years now, with an array of rationales. It claims that clean energy for manufacturing, along with greener materials and shipping, lop around three-quarters off the carbon emissions for each model of the Apple Watch. The remaining emissions are offset by the purchase of carbon credits, according to Apple.

Deutsche Umwelthilfe (well, DUH – that's the acronym), a prominent environmental group, begged to differ on that last point. It applied for an injunction in May and Tuesday's ruling (in German), which will only be published in full later this week, led it to claim victory. The ruling means Apple can't advertise the Watch as a "CO2-neutral product" in Germany. [...] The ruling revolved around the Paraguayan forestry program that Apple claimed was offsetting some of the Watch's production emissions. The project involves commercial eucalyptus plantations on leased land, where the leases for three-quarters of the land will run out in 2029 with no guarantee of renewal.

According to the court, consumers' expectations of carbon compensation schemes are shaped by the prominent 2015 Paris Agreement, which commits countries to achieving carbon neutrality by the second half of this century. It said consumers would therefore "assume" that the carbon-neutrality claims around the Apple Watch would mean neutrality was assured through 2050. That leaves a 21-year gap of uncertainty in this case. The Verified Carbon Standard program, in which Apple is participating, has a "pooled buffer account" scheme to hedge against this sort of uncertainty. However, the German court was not impressed, saying it would only allow Apple to monitor the situation after the leases run out, which is a far cry from definitely being able to keep offsetting those emissions if the plantation gets cleared.

The Courts

Parents Sue OpenAI Over ChatGPT's Role In Son's Suicide (techcrunch.com)

An anonymous reader quotes a report from TechCrunch: Before 16-year-old Adam Raine died by suicide, he had spent months consulting ChatGPT about his plans to end his life. Now, his parents are filing the first known wrongful death lawsuit against OpenAI, The New York Times reports. Many consumer-facing AI chatbots are programmed to activate safety features if a user expresses intent to harm themselves or others. But research has shown that these safeguards are far from foolproof.

In Raine's case, while using a paid version of ChatGPT-4o, the AI often encouraged him to seek professional help or contact a help line. However, he was able to bypass these guardrails by telling ChatGPT that he was asking about methods of suicide for a fictional story he was writing. OpenAI has addressed these shortcomings on its blog. "As the world adapts to this new technology, we feel a deep responsibility to help those who need it most," the post reads. "We are continuously improving how our models respond in sensitive interactions." Still, the company acknowledged the limitations of the existing safety training for large models. "Our safeguards work more reliably in common, short exchanges," the post continues. "We have learned over time that these safeguards can sometimes be less reliable in long interactions: as the back-and-forth grows, parts of the model's safety training may degrade."

Piracy

Anthropic Settles Major AI Copyright Suit Brought by Authors (bloomberglaw.com)

Anthropic reached a settlement with authors in a high-stakes copyright class action that threatened the AI company with potentially billions of dollars in damages. From a report: In a Tuesday filing in the US Court of Appeals for the Ninth Circuit, both sides asked the court to pause all proceedings while they finalize the deal. The parties signed a binding term sheet on Aug. 25 outlining the core terms of a proposed class settlement to resolve litigation brought by authors.

"This historic settlement will benefit all class members," said the authors' counsel, Justin Nelson of Susman Godfrey LLP. "We look forward to announcing details of the settlement in the coming weeks." The case is one of several copyright actions brought against AI developers in courts around the country. Judge William Alsup of the US District Court for the Northern District of California had allowed the class action to proceed for authors whose books were contained in two pirate databases Anthropic downloaded.

Privacy

Michigan Supreme Court Rules Unrestricted Phone Searches Violate Fourth Amendment (reclaimthenet.org)

The Michigan Supreme Court has drawn a firm line around digital privacy, ruling that police cannot use overly broad warrants to comb through every corner of a person's phone. From a report: In People v. Carson, the court found [PDF] that warrants for digital devices must include specific limitations, allowing access only to information directly tied to the suspected crime. Michael Carson became the focus of a theft investigation involving money allegedly taken from a neighbor's safe. Authorities secured a warrant to search his phone, but the document placed no boundaries on what could be examined.

It permitted access to all data on the device, including messages, photos, contacts, and documents, without any restriction based on time period or relevance. Investigators collected over a thousand pages of information, much of it unrelated to the accusation. The court ruled that this kind of expansive warrant violates the Fourth Amendment, which requires particularity in describing what police may search and seize.

Movies

Class Action Lawsuit Targets Movie Ownership (hollywoodreporter.com)

Amazon is facing a proposed class action lawsuit alleging it misleads customers by advertising digital movies and TV shows as "purchases," when in reality buyers only receive revocable licenses that can disappear if Amazon loses distribution rights. From the Hollywood Reporter: On Friday, a proposed class action was filed in Washington federal court against Amazon over a "bait and switch" in which the company allegedly misleads consumers into believing they've purchased content when they're only getting a license to watch, which can be revoked at any time. [...] The lawsuit accuses Amazon, which didn't respond to a request for comment, of misrepresenting the nature of movie and TV transactions during the purchase process. On its website and platform, the company tells consumers they can "buy" a movie. But hidden in a footnote on the confirmation page is fine print that says, "You receive a license to the video and you agree to our terms," the complaint says.

The issue is already before a court. In a 2020 lawsuit alleging unfair competition and false advertising over the practice, Amazon maintained that its use of the word "buy" for digital content isn't deceptive because consumers understand their purchases are subject to licenses. Quoting Webster's Dictionary, it said that the term means "rights to the use or services of payment" rather than perpetual ownership and that its disclosures properly warn people that they may lose access. The court ultimately rebuffed Amazon's bid to dismiss the lawsuit outside of a claim alleging a violation of Washington's unjust enrichment law.

The Courts

Apple Accuses Former Apple Watch Staffer of Conspiring to Steal Trade Secrets for Oppo (theverge.com)

Apple has filed a lawsuit against former Apple Watch staffer Dr. Chen Shi, alleging that he "conspired to steal Apple's trade secrets relating to Apple Watch and to disclose them to his new employers (Oppo)." The company alleges he downloaded 63 sensitive documents, attended technical meetings, and coordinated with Oppo to transfer proprietary information, though Oppo denies wrongdoing. The Verge reports: Ahead of starting his new job at Oppo, the employee, Dr. Chen Shi, attended "dozens" of meetings with technical members on the Apple Watch team to learn about their work and downloaded 63 documents "from a protected Box folder" that he loaded onto a USB drive, according to the lawsuit. Shi allegedly sent a message to Oppo saying that he was working to "collect as much information as possible" before starting his job. And he searched the internet for terms like "how to wipe out macbook" and "Can somebody see if I've opened a file on a shared drive?" from his Apple-issued MacBook before leaving the company.

Shi was formerly a sensor system architect at Apple, and the company says he had "a front row seat to Apple's development of its cutting-edge health sensor technology, including highly confidential roadmaps, design and development documents, and specifications for ECG sensor technology." He now heads up a team working on sensing technology at Oppo -- which Apple says it learned because of "messages he left on his Apple-issued work iPhone." In his resignation letter to Apple, Shi said he was leaving "due to personal and family reasons." Via that iPhone, Apple also says it found messages from Oppo demonstrating that it "encouraged, approved, and agreed to Dr. Shi's plan to collect Apple's proprietary information before leaving Apple."

Apple

Musk's xAI Sues Apple and OpenAI Over Alleged Antitrust Violations

An anonymous reader shares a report: Elon Musk's AI startup xAI sued Apple and ChatGPT maker OpenAI in U.S. federal court in Texas on Monday, accusing them of illegally conspiring to thwart competition for artificial intelligence.

Musk earlier this month had threatened to sue Cupertino, California-based Apple, saying in a post on his social media platform X that "Apple is behaving in a manner that makes it impossible for any AI company besides OpenAI to reach #1 in the App Store."

Social Networks

Bluesky Blocks Mississippi Over Age Verification Law (techcrunch.com)

People in Mississippi no longer have access to Bluesky. "If you access Bluesky from a Mississippi IP address, you'll see a message explaining why the app isn't available," announced a Bluesky blog post Friday.

The reason is a new Mississippi law that "requires all users to verify their ages before using common social media sites ranging from Facebook to Nextdoor," noted NPR. Bluesky wrote that their block "will remain in place while the courts decide whether the law will stand."

[U]nder the law, we would need to verify every user's age and obtain parental consent for anyone under 18. The potential penalties for non-compliance are substantial — up to $10,000 per user. Building the required verification systems, parental consent workflows, and compliance infrastructure would require significant resources that our small team is currently unable to spare.

Bluesky also notes that the law "requires collecting and storing sensitive personal information from all users...not just those accessing age-restricted content" — and that this information would include "detailed tracking of minors."

TechCrunch notes that even blocking Mississippi has created some problems: Some Bluesky users outside Mississippi subsequently reported issues accessing the service due to their cell providers routing traffic through servers in the state, with CTO Paul Frazee responding Saturday that the company was "working [to] deploy an update to our location detection that we hope will solve some inaccuracies." The company's blog post notes that its decision only applies to the Bluesky app built on the AT Protocol. Other apps may approach the decision differently.

Interestingly, the law had been immediately challenged by NetChoice (a trade association of major tech companies). But while a District Court agreed, blocking the law from going into effect (until court challenges finished), an Appeals Court then lifted that block. A final appeal to America's Supreme Court was unsuccessful — although the ruling by Justice Kavanaugh suggests the law could be overturned later: "To be clear, NetChoice has, in my view, demonstrated that it is likely to succeed on the merits — namely, that enforcement of the Mississippi law would likely violate its members' First Amendment rights under this Court's precedents... [U]nder this Court's case law as it currently stands, the Mississippi law is likely unconstitutional. Nonetheless, because NetChoice has not sufficiently demonstrated that the balance of harms and equities favors it at this time, I concur in the Court's denial of the application for interim relief."

Social Networks

Bluesky Blocks Service In Mississippi Over Age Assurance Law (techcrunch.com)

Bluesky has blocked access to its service in Mississippi rather than comply with a new state law requiring age verification for all social media users. TechCrunch reports: In a blog post published on Friday, the company explains that, as a small team, it doesn't have the resources to make the substantial technical changes this type of law would require, and it raised concerns about the law's broad scope and privacy implications. Mississippi's HB 1126 requires platforms to introduce age verification for all users before they can access social networks like Bluesky. On Thursday, U.S. Supreme Court justices decided to block an emergency appeal that would have prevented the law from going into effect as the legal challenges it faces played out in the courts. As a result, Bluesky had to decide what it would do about compliance.

Instead of requiring age verification before users could access age-restricted content, this law requires age verification of all users. That means Bluesky would have to verify every user's age and obtain parental consent for anyone under 18. The company notes that the potential penalties for noncompliance are hefty, too -- up to $10,000 per user. Bluesky also stresses that the law goes beyond child safety, as intended, and would create "significant barriers that limit free speech and disproportionately harm smaller platforms and emerging technologies." To comply, Bluesky would have to collect and store sensitive information from all its users, in addition to the detailed tracking of minors. This is different from how it's expected to comply with other age verification laws, like the U.K.'s Online Safety Act (OSA), which only requires age checks for certain content and features.

Mississippi's law blocks anyone from using the site unless they provide their personal and sensitive information. The company notes that its decision only applies to the Bluesky app built on the AT Protocol. Other apps may approach the decision differently.

The Almighty Buck

4chan Refuses To Pay UK Online Safety Act Fines (bbc.com)

An anonymous reader quotes a report from the BBC: A lawyer representing the online message board 4chan says it won't pay a proposed fine by the UK's media regulator as it enforces the Online Safety Act. According to Preston Byrne, managing partner of law firm Byrne & Storm, Ofcom has provisionally decided to impose a 20,000-pound fine "with daily penalties thereafter" for as long as the site fails to comply with its request. "Ofcom's notices create no legal obligations in the United States," he told the BBC, adding he believed the regulator's investigation was part of an "illegal campaign of harassment" against US tech firms.

"4chan has broken no laws in the United States -- my client will not pay any penalty," Mr Byrne said. Ofcom began investigating 4chan over whether it was complying with its obligations under the UK's Online Safety Act. Then in August, it said it had issued 4chan with "a provisional notice of contravention" for failing to comply with two requests for information. Ofcom said its investigation would examine whether the message board was complying with the act, including requirements to protect its users from illegal content.

"American businesses do not surrender their First Amendment rights because a foreign bureaucrat sends them an email," law firms Byrne & Storm and Coleman Law wrote. "Under settled principles of US law, American courts will not enforce foreign penal fines or censorship codes. If necessary, we will seek appropriate relief in US federal court to confirm these principles."

The statement calls on the Trump administration to intervene and protect American businesses from "extraterritorial censorship mandates."

Apple

Apple Fitness Chief Accused of Toxic Workplace Culture and Harassment (macdailynews.com)

An anonymous reader quotes a report from the New York Times: Jay Blahnik was a fitness superstar with a book and nearly two decades of work with Nike before he was hired in 2013 to work on the Apple Watch. He became known inside Apple as the creator of the watch's signature fitness feature: three circular bands that people could complete through the day by exercising, standing and burning calories. Marketed with the tagline "Close Your Rings," the concept helped galvanize sales of Apple's first breakout product after Steve Jobs's death. But along the way, Mr. Blahnik created a toxic work environment, said nine current and former employees who worked with or for Mr. Blahnik and spoke about personnel issues on the condition of anonymity. They said Mr. Blahnik, 57, who leads a roughly 100-person division as vice president for fitness technologies, could be verbally abusive, manipulative and inappropriate. His behavior contributed to decisions by more than 10 workers to seek extended mental health or medical leaves of absence since 2022, about 10 percent of the team, these people said.

When confronted with Mr. Blahnik's behavior, Apple moved to protect him after an internal investigation. The company settled one complaint alleging sexual harassment by Mr. Blahnik and is fighting a lawsuit by an employee, Mandana Mofidi, who said he had bullied her. Mr. Blahnik stayed in his job after company officials said their investigation had found no evidence of wrongdoing, according to interviews and Ms. Mofidi's lawsuit, which she filed against Mr. Blahnik and Apple last year in Los Angeles County Superior Court. The tension inside Mr. Blahnik's division speaks to workplace dysfunction at the heart of one of Apple's signature health initiatives. These employees said the company was more willing to protect a star executive than address the concerns of rank-and-file workers.

Communications

T-Mobile Claimed Selling Location Data Without Consent is Legal - Judges Disagree (arstechnica.com)

A federal appeals court rejected T-Mobile's attempt to overturn $92 million in fines for selling customer location information to third-party firms. From a report: The Federal Communications Commission last year fined T-Mobile, AT&T, and Verizon, saying the carriers illegally shared access to customers' location information without consent and did not take reasonable measures to protect that sensitive data against unauthorized disclosure. The fines relate to sharing of real-time location data that was revealed in 2018, but it took years for the FCC to finalize the penalties.

The three carriers appealed the rulings in three different courts, and the first major decision was handed down Friday. A three-judge panel at the US Court of Appeals for the District of Columbia Circuit ruled unanimously against T-Mobile and its subsidiary Sprint. "Every cell phone is a tracking device," the ruling begins. "To receive service, a cell phone must periodically connect with the nearest tower in a wireless carrier's network. Each time it does, it sends the carrier a record of the phone's location and, by extension, the location of the customer who owns it. Over time, this information becomes an exhaustive history of a customer's whereabouts and 'provides an intimate window into [that] person's life.'"

Facebook

Whistleblower Alleges Meta Artificially Boosted Shops Ads Performance (adweek.com)

An anonymous reader quotes a report from Adweek: Meta wanted advertisers to believe its ecommerce ad product, Shops ads, was outperforming the competition, per a whistleblower complaint filed in a U.K. court. The former employee alleges the social media giant artificially inflated return on ad spend (ROAS) by counting shipping fees as revenue, subsidizing bids in ad auctions, and applying undisclosed discounts. The complaint, viewed by ADWEEK, was filed with the London Central Employment Tribunal on Wednesday (August 20) by Samujjal Purkayastha, a former product manager on Meta's Shops ads team. The document claims Meta artificially inflated performance metrics to push brands toward its fledgling ecommerce ad product.

The company's motivation, the complaint says, was in part to combat Apple's 2021 privacy changes that cut the troves of iOS tracking information that had long powered Meta's ad machine. Meta's former chief financial officer (CFO), David Wehner, said the changes would cost "on the order of $10 billion" in losses during the company's Q4 2021 earnings call. User purchases on Facebook or Instagram Shops pages would provide more first-party data, however. Purkayastha, who joined Meta (then Facebook) in 2020 as a product manager on the Facebook Artificial Intelligence Applied Research team, was reassigned to the Shops Ads team in March 2022 and remained at the company until Feb. 19, 2025, when he was terminated.

He alleged that during internal reviews in early 2024, Meta data scientists found the return on ad spend (ROAS) from Shops ads had been inflated between 17% and 19%. This discrepancy stemmed from Meta counting shipping fees and taxes as part of a sale, even though that money never went to merchants, he alleged. The company's other ad products exclude those figures, in line with competitors like Google, the complaint reads. Without including the fees and taxes, Shops ads performed no better than Meta's traditional ads, Purkayastha claimed. "This was significant," the complaint reads. "In addition to the ROAS performance metric being overstated by nearly a fifth, it meant that, rather than having exceeded our primary target, the Shops Ads team had in fact missed it once the figure was reduced to take account of the artificial inflation."

Purkayastha raised these concerns with senior leadership in multiple meetings between 2022 and 2024, and is now seeking interim relief through his employment tribunal filing to have his former position reinstated.

A Meta spokesperson told ADWEEK the company is "actively defending these proceedings," adding that "allegations related to the integrity of our advertising practices are without merit and we have full confidence in our performance review processes."

The Courts

Masimo Sues US Customs Over Apple Watch Blood Oxygen Workaround (9to5mac.com)

Last week, following a recent U.S. Customs ruling, Apple reintroduced blood oxygen monitoring to certain Apple Watch models in the U.S., sidestepping an ITC import ban stemming from its legal dispute with medical device maker Masimo. Today, Masimo fired back with a new lawsuit against the U.S. Customs and Border Protection. 9to5Mac reports: The company says US Customs and Border Protection (CBP) overstepped its authority and violated due process when it reversed its earlier decision on August 1 and allowed Apple to restore the feature. Moreover, Masimo says it found out about the decision when Apple publicly announced the return of the feature: "It has now come to light that CBP thereafter reversed itself without any meaningful justification, without any material change in circumstances, and without any notice to Masimo, let alone an opportunity for Masimo to be heard. CBP changed its position on Apple's watch-plus-iPhone redesign through an ex parte proceeding. Specifically, on August 1, 2025, CBP issued an ex parte ruling permitting Apple to import devices that, when used with iPhones already in the United States, perform the same functionality that the ITC found to infringe Masimo's patents. Masimo only discovered this ruling on Thursday, August 14, 2025, when Apple publicly announced it would be reintroducing the pulse oximetry functionality through a software update."

The company is now asking the court for a temporary restraining order and preliminary injunction to block the CBP's decision, and reinstate the original ruling that "determined that Apple's redesigned watches could be imported only to the extent the infringing functionality was completely disabled." As reported by Bloomberg Law, Masimo says the following in its supporting brief: "Each passing day that this unlawful ruling remains in effect irreparably deprives Masimo of its right to be free from unfair trade practices and to preserve its competitive standing in the U.S. marketplace." Masimo further argues that CBP's move "effectively nullified" the ITC's exclusion order against Apple. Apple's appeal of that ban is still pending before the Federal Circuit.

Botnet

Oregon Man Accused of Operating One of Most Powerful Attack 'Botnets' Ever Seen (msn.com)

A 22-year-old Oregon man has been charged with operating one of the most powerful botnets ever recorded. The network, known as Rapper Bot, launched over 370,000 DDoS attacks worldwide, including against X, DeepSeek, U.S. tech firms, and even Defense Department systems. It was allegedly operated by Ethan Foltz of Eugene, Oregon. The Wall Street Journal reports: Foltz faces a maximum of 10 years in prison on a charge of abetting computer intrusions, the Justice Department said in a news release. Rapper Bot was made up of tens of thousands of hacked devices and was capable of flooding victims' websites with enough junk internet traffic to knock them offline, an attack known as a distributed denial of service, or DDoS.

In February, the networking company Nokia measured a Rapper Bot attack against a gaming platform at 6.5 trillion bits per second, well above the several hundred million bits a second of the average high-speed internet connection. "This would place Rapper Bot among the most powerful DDoS botnets to have ever existed," said a criminal complaint that the prosecutors filed Tuesday in a federal court in Alaska. Investigators said Rapper Bot's attacks were so powerful that they were able to overwhelm all but the most robust networks.

Foltz allegedly rented out Rapper Bot to paying customers, including gambling website operators who would use the network in extortion attempts, according to the complaint. The botnet was used to launch more than 370,000 attacks in 80 countries, including China, Japan and the U.S., prosecutors said. It launched its attacks from hacked routers, digital video recorders and cameras, not from computers. [...] "At its height, it mobilized tens of thousands of devices, many with no prior role in DDoS," said Jerome Meyer, a researcher with Nokia's Deepfield network-analysis division. "Taking it down removes a major source of the largest attacks we see."

United States

FTC Sues LA Fitness For Making it Difficult for Consumers To Cancel Gym Memberships (ftc.gov)

FTC, in a press release Wednesday: The Federal Trade Commission today sued the operators of LA Fitness and other gyms over allegations they make it exceedingly difficult for consumers to cancel their gym memberships and related services that continued indefinitely unless cancelled. The agency is seeking a court order prohibiting the allegedly unfair conduct and money back for consumers harmed by the difficulty in cancelling memberships.

"The FTC's complaint describes a scenario that too many Americans have experienced -- a gym membership that seems impossible to cancel," said Christopher Mufarrige, Director of the Bureau of Consumer Protection. "Tens of thousands of LA Fitness customers reported difficulties -- cancellation was often restricted to specific times or required speaking to specific managers who were often not present or available. The FTC will not hesitate to act on behalf of consumers when it believes companies are stifling consumers' ability to choose which recurring charges they want to keep."

The Courts

Passengers Sue Delta, United Over Windowless 'Window Seats' (courthousenews.com)

In a pair of class actions filed this week, passengers from each coast quibbled with United Airlines and Delta Air Lines' policies charging extra for window seats that are not actually beside windows, instead offering a view of a blank aircraft wall. From a report: "Delta indicated to the plaintiff and class members that the particular seats they chose had a 'window'; even though Delta knew full well they did not," the plaintiffs taking on Delta said in an 18-page complaint filed in federal court in New York, accusing the airline of false advertising and deceptive business practices.

Half of Delta's fleet of nearly 1,000 aircraft comprises Boeing 737s, Boeing 757s and Airbus A321s -- all of which have at least one wall-adjacent seat with no window, according to the plaintiffs. It's where vertical air conditioning riser ducts are located, making putting a window there impossible, the competing Alaska Airlines explains on its website. But unlike Alaska and others, the plaintiffs complain, Delta advertises the seats as having a window, offering them as a "window seat" option on its seat map during checkout.

Movies

Is Rotten Tomatoes Still Reliable? A Statistical Analysis (statsignificant.com)

An analysis of Rotten Tomatoes data reveals average Tomatometer scores have climbed steadily since Fandango's 2016 acquisition of the review aggregation platform. The average number of reviewers per mainstream film release increased by 40 to 70 critics following the purchase. New additions to the critic pool include smaller outlets such as Denerstein Unleashed and KKFI-FM Kansas City. Prior to 2016, critic and audience scores demonstrated stable correlation year-over-year. Post-acquisition data shows the two metrics diverged sharply as Tomatometer ratings rose.

Fandango, America's largest movie-ticketing platform, is partially owned by NBCUniversal and Warner Bros. Discovery. In 2023 Vulture reported PR firms court reviewers from smaller outlets to secure higher Tomatometer scores before film releases.

Businesses

US FTC Sues Ticket Reseller For Evading Taylor Swift's Eras Tour Ticket Limits (reuters.com)

The U.S. Federal Trade Commission sued ticket reseller Key Investment Group for evading purchasing limits to buy up thousands of tickets to live events including Taylor Swift's Eras tour and resell them at a markup, according to a complaint filed in Maryland federal court on Monday. From a report: The Baltimore, Maryland-based company, which operates ticket resale sites including TotalTickets.com, used thousands of Ticketmaster accounts, including fake or purchased accounts, the FTC said.

Ticketmaster faced intense criticism after its botched 2022 sale of tickets to Swift's much-hyped Eras tour, when billions of requests from Swift fans, bots and ticket resellers overwhelmed its website and the company canceled a planned ticket sale to the general public.

For one Swift concert in Las Vegas in March 2023, Key Investment Group and its affiliates used 49 different accounts to purchase 273 tickets and evade a 6-ticket purchase limit, netting more than $119,000 in revenue on resales, the FTC said on Monday. The company made more than $1.2 million reselling 2,280 Swift concert tickets it purchased in 2023, the agency said.

Security

Male-Oriented App 'TeaOnHer' Also Had Security Flaws That Could Leak Men's Driver's License Photos (techcrunch.com)

The women-only dating-advice app Tea "has been hit with 10 potential class action lawsuits in federal and state court," NBC News reported last week, "after a data breach led to the leak of thousands of selfies, ID photos and private conversations online." The suits could result in Tea having to pay tens of millions of dollars in damages to the plaintiffs, which could be catastrophic for the company, an expert told NBC News... One of the suits lists the right-wing online discussion board 4chan and the social platform X as defendants, alleging that they allowed bad actors to spread users' personal information.

But meanwhile, a new competing app for men called "TeaOnHer" has already been launched. And it was also found to have enormous security flaws, reports TechCrunch, that "exposed its users' personal information, including photos of their driver's licenses and other government-issued identity documents..." [W]hen we looked at the TeaOnHer's public internet records, it had no meaningful information other than a single subdomain, appserver.teaonher.com. When we opened this page in our browser, what loaded was the landing page for TeaOnHer's API (for the curious, we uploaded a copy here)... It was on this landing page that we found the exposed email address and plaintext password (which wasn't that far off from "password") for [TeaOnHer developer Xavier] Lampkin's account to access the TeaOnHer "admin panel"... This API landing page included an endpoint called /docs, which contained the API's auto-generated documentation (powered by a product called Swagger UI) that contained the full list of commands that can be performed on the API [including administrator commands to return user data]...

While it's not uncommon for developers to publish their API documentation, the problem here was that some API requests could be made without any authentication — no passwords or credentials were needed...

The records returned from TeaOnHer's server contained users' unique identifiers within the app (essentially a string of random letters and numbers), their public profile screen name, and self-reported age and location, along with their private email address. The records also included web address links containing photos of the users' driver's licenses and corresponding selfies. Worse, these photos of driver's licenses, government-issued IDs, and selfies were stored in an Amazon-hosted S3 cloud server set as publicly accessible to anyone with their web addresses. This public setting lets anyone with a link to someone's identity documents open the files from anywhere with no restrictions...

The bugs were so easy to find that it would be sheer luck if nobody malicious found them before we did. We asked, but Lampkin would not say if he has the technical ability, such as logs, to determine if anyone had used (or misused) the API at any time to gain access to users' verification documents, such as by scraping web addresses from the API. In the days since our report to Lampkin, the API landing page has been taken down, along with its documentation page, and it now displays only the state of the server that the TeaOnHer API is running on as "healthy."

The flaws were discovered while TeaOnHer was the #2 free app in the Apple App Store, the article points out. And while these flaws "appear to be resolved," the article notes a larger issue. "Shoddy coding and security flaws highlight the ongoing privacy risks inherent in requiring users to submit sensitive information to use apps and websites,"

And TeaOnHer also had another authentication issue. A female reporter at Cosmopolitan also noted Friday that TeaOnHer "lets you browse through profiles before your verifications are complete. So literally anyone (like myself) can read reviews..."
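The TeaOnHer report above describes two distinct defects: user-record endpoints that answered without any credentials, and identity documents stored in a publicly readable bucket so that anyone holding a link could open them. The following is an added illustration, not TeaOnHer's code or TechCrunch's: a minimal pair of handlers in plain Python showing the weak pattern beside a hardened one. The user store, tokens, field names, and the `docs.example` host are constructed for the example; the HMAC-signed, time-limited link stands in for the presigned-URL mechanism that object stores such as S3 provide, so the stored file itself can stay private.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Constructed sample user store; field names are assumptions, not TeaOnHer's schema.
USERS = {
    "u_7f3a": {"screen_name": "rider42", "age": 31, "location": "Austin, TX",
               "email": "rider42@example.com", "id_doc_key": "ids/u_7f3a/license.jpg"},
    "u_91bc": {"screen_name": "skyline", "age": 27, "location": "Denver, CO",
               "email": "skyline@example.com", "id_doc_key": "ids/u_91bc/license.jpg"},
}

# Constructed bearer tokens -> (caller's user id, is_admin); a real service would
# resolve these from a session store.
TOKENS = {"tok-rider": ("u_7f3a", False), "tok-staff": ("u_0000", True)}

# Hypothetical server-side secret for signing document links (never sent to clients).
SIGNING_KEY = secrets.token_bytes(32)


class ApiError(Exception):
    def __init__(self, status, message):
        super().__init__(message)
        self.status = status


def weak_get_user(user_id, headers=None):
    """The failure mode from the article: no authentication check, and the record
    carries a bare object URL that anyone holding it can open."""
    rec = USERS[user_id]
    return {**rec, "id_doc_url": f"https://example-bucket.s3.amazonaws.com/{rec['id_doc_key']}"}


def authenticate(headers):
    """Resolve an 'Authorization: Bearer <token>' header to (user_id, is_admin) or raise 401."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise ApiError(401, "authentication required")
    token = auth[len("Bearer "):]
    if token not in TOKENS:
        raise ApiError(401, "invalid token")
    return TOKENS[token]


def signed_doc_url(key, ttl_seconds=300, now=None):
    """Time-limited HMAC-signed link (the pattern presigned object-store URLs use);
    the underlying object stays private."""
    expires = int((time.time() if now is None else now) + ttl_seconds)
    sig = hmac.new(SIGNING_KEY, f"{key}:{expires}".encode(), hashlib.sha256).hexdigest()
    return f"https://docs.example/{key}?expires={expires}&sig={sig}"


def verify_doc_url(url, now=None):
    """Accept a signed link only if it is unexpired and its signature matches
    (constant-time comparison)."""
    parsed = urlparse(url)
    key = parsed.path.lstrip("/")
    qs = parse_qs(parsed.query)
    try:
        expires = int(qs["expires"][0])
        sig = qs["sig"][0]
    except (KeyError, ValueError):
        return False
    if (time.time() if now is None else now) > expires:
        return False
    expected = hmac.new(SIGNING_KEY, f"{key}:{expires}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(sig, expected)


def hardened_get_user(user_id, headers):
    """Authenticate every call; return only public fields to other users; hand the
    email and a short-lived document link only to the record's owner or an admin."""
    caller, is_admin = authenticate(headers)
    rec = USERS.get(user_id)
    if rec is None:
        raise ApiError(404, "no such user")
    body = {"id": user_id, "screen_name": rec["screen_name"],
            "age": rec["age"], "location": rec["location"]}
    if is_admin or caller == user_id:
        body["email"] = rec["email"]
        body["id_doc_url"] = signed_doc_url(rec["id_doc_key"])
    return body


def call(handler, user_id, headers=None):
    """Tiny router shim: turn a handler's result or ApiError into (status, body)."""
    try:
        return 200, handler(user_id, headers or {})
    except ApiError as e:
        return e.status, {"error": str(e)}


if __name__ == "__main__":
    print(call(weak_get_user, "u_7f3a"))      # leaks email and a bare object link, no credentials needed
    print(call(hardened_get_user, "u_7f3a"))  # 401 without a token
    print(call(hardened_get_user, "u_7f3a", {"Authorization": "Bearer tok-rider"}))
```

The hardened handler separates authentication (who is calling) from authorization (which fields that caller may see), which is the check the article says was missing on some endpoints; the document link expires on its own, so a leaked response does not become a permanent key to someone's ID photo the way a public bucket object does.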
