The Courts

SEC Charges Do Kwon, Terraform With Fraud In Connection With Terra Collapse (cnbc.com)

The Securities and Exchange Commission charged Terraform Labs and its CEO, Do Kwon, with fraud, alleging that they orchestrated a multibillion dollar "crypto asset securities fraud," the SEC said Thursday. CNBC reports: Kwon and Terraform allegedly schemed from Apr. 2018 until the collapse of TerraUSD, also known as UST, and its sister coin luna in May 2022 to raise billions of dollars from investors through the offer and sale of an "inter-connected suite" of crypto asset securities, including securities-based swaps that mirrored U.S. equities, and most famously, the so-called "algorithmic stablecoin" Terra USD. The company advertised UST as a "yield-bearing" coin, offering to pay interest of up to 20 percent, according to the complaint.

Like many stablecoins, UST was pegged at a 1-to-1 ratio with the dollar. Minting one new UST required "burning," or destroying, one luna. This structure allowed for arbitrage opportunities that were key to maintaining the peg: Users could always swap one luna for UST and vice versa at a guaranteed price of $1, regardless of the market price of either token at the time. But the price of luna grew unstable and forced UST to break its $1 peg, which in turn sent both terra and luna spiraling.

The complaint against Kwon and Terraform was filed in federal court for the Southern District of New York in Manhattan, and charges both with violating the registration and anti-fraud provisions of both the Securities and Exchange Acts. The SEC alleges that Kwon marketed those assets, including those mAsset swaps and Terra, as profit-bearing securities, "repeatedly claiming" the tokens would increase in value. [...] Kwon's current whereabouts are unknown, but the Terra co-founder was recently believed to be in Serbia, according to South Korean intelligence. Kwon is wanted in South Korea for his involvement in the collapse of TerraUSD.

Government

Big Tech Lobbyist Language Made It Verbatim Into NY's Hedged Repair Bill (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: When New York became the first state to pass a heavily modified right-to-repair bill late last year, it was apparent that lobbyists had succeeded in last-minute changes to the law's specifics. A new report from the online magazine Grist details the ways in which Gov. Kathy Hochul made changes identical to those proposed by a tech trade association. In a report co-published with nonprofit newsroom The Markup, Maddie Stone writes that documents surrounding the drafting and debate over the bill show that many of the changes signed by Hochul were the same as those proposed by TechNet, which represents Apple, Google, Samsung, and other technology companies.

The bill would have required that companies that provide parts, tools, manuals, and diagnostic equipment or software to their own repair networks also make them available to independent repair shops and individuals. It saw heavy opposition from trade groups before its passing. New York Assemblymember Patricia Fahy, the bill's sponsor, told Grist that backers had to make "a lot of changes to get it over the finish line in the first day or two of June." The bill passed with broad bipartisan support, but it was pared down to focus only on small electronics. Between that passage and the December signing, lobbyists working for TechNet and firms including Apple, Google, and Microsoft met with the governor, according to state ethics filings. Apple, IBM, and TechNet asked Hochul to veto the bill, while Microsoft sought to cooperate with Fahy on changes.

Later, TechNet sent a version of the bill that limited the effects to later products and excluded printed circuit boards and business-to-business or government contracts, according to Grist. Crucially, the new version, which had changes attributed to a TechNet vice president, allows for companies to offer "assemblies" of parts if the companies say the parts pose a "safety risk." TechNet's version also suggested independent repair shops should be forced to provide customers with "a written notice of US warranty laws" before they can start work. TechNet's suggestions made their way to the Federal Trade Commission. A staffer at the FTC took aim at the assembly clause, the exclusion of security workarounds for repair, and other elements. Dan Salsburg, chief counsel for the FTC's Office of Technology, Research, and Investigation, wrote that TechNet's suggestions had "a common theme -- ensuring that manufacturers retain control over the market for the repair of their products."

Privacy

Forget Milk and Eggs: Supermarkets Are Having a Fire Sale on Data About You (themarkup.org)

When you use supermarket discount cards, you are sharing much more than what is in your cart. From a report: When you hit the checkout line at your local supermarket and give the cashier your phone number or loyalty card, you are handing over a valuable treasure trove of data that may not be limited to the items in your shopping cart. Many grocers systematically infer information about you from your purchases and "enrich" the personal information you provide with additional data from third-party brokers, potentially including your race, ethnicity, age, finances, employment, and online activities.

Some of them even track your precise movements in stores. They then analyze all this data about you and sell it to consumer brands eager to use it to precisely target you with advertising and otherwise improve their sales efforts. Leveraging customer data this way has become a crucial growth area for top supermarket chain Kroger and other retailers over the past few years, offering much higher margins than milk and eggs. And Kroger may be about to get millions of households bigger. In October 2022, Kroger and another top supermarket chain, Albertsons, announced plans for a $24.6 billion merger that would combine the top two supermarket chains in the U.S., creating stiff competition for Walmart, the overall top seller of groceries.

U.S. regulators and members of Congress are scrutinizing the deal, including by examining its potential to erode privacy: Kroger has carefully grown two "alternative profit business" units that monetize customer information, expected by Kroger to yield more than $1 billion in "profits opportunity." Folding Albertsons into Kroger will potentially add tens of millions of additional households to this data pool, netting half the households in America as customers. While Kroger is certainly not the only large retailer collecting and monetizing shopper data through the use of loyalty programs, the company's evolution from a traditional grocery business to a digitally sophisticated retailer with its own data science unit sets it apart from its larger competitors like Walmart, which also collects, analyzes and monetizes shopper data for brands and for targeted advertising on its own retail ad network.

United States

Supreme Court Could Be About To Decide the Legal Fate of AI Search (theverge.com)

The Supreme Court is about to reconsider Section 230, a law that's been foundational to the internet for decades. But whatever the court decides might end up changing the rules for a technology that's just getting started: artificial intelligence-powered search engines like Google Bard and Microsoft's new Bing. From a report: Next week, the Supreme Court will hear arguments in Gonzalez v. Google, one of two complementary legal complaints. Gonzalez is nominally about whether YouTube can be sued for hosting accounts from foreign terrorists. But its much bigger underlying question is whether algorithmic recommendations should receive the full legal protections of Section 230 since YouTube recommended those accounts to others. While everyone from tech giants to Wikipedia editors has warned of potential fallout if the court cuts back these protections, it poses particularly interesting questions for AI search, a field with almost no direct legal precedent to draw from.

Companies are pitching large language models like OpenAI's ChatGPT as the future of search, arguing they can replace increasingly cluttered conventional search engines. (I'm ambivalent about calling them "artificial intelligence" -- they're basically very sophisticated autopredict tools -- but the term has stuck.) They typically replace a list of links with a footnote-laden summary of text from across the web, producing conversational answers to questions. These summaries often equivocate or point out that they're relying on other people's viewpoints. But they can still introduce inaccuracies.

Privacy

German Court Rules Police Use of Crime-Fighting Software is Unlawful (reuters.com)

Police use of automated data analysis to prevent crime in some German states was unconstitutional, a top German court said on Thursday, ruling in favour of critics of software provided by the CIA-backed Palantir. From a report: Provisions regulating the use of the technology in Hesse and Hamburg violate the right to informational self-determination, a statement from the constitutional court said. Hesse has been given a Sept. 30 deadline to rewrite its provisions, while legislation in Hamburg -- where the technology was not yet in use -- was nullified. "Given the particularly broad wording of the powers, in terms of both the data and the methods concerned, the grounds for interference fall far short of the constitutionally required threshold of an identifiable danger," the court said. However, court president Stephan Harbarth said states had the option "of shaping the legal basis for further processing of stored data files in a constitutional manner."

The Courts

Founder of WallStreetBets, Which Helped Ignite Meme Stock Frenzy, Sues Reddit (reuters.com)

An anonymous reader quotes a report from Reuters: The founder of WallStreetBets, which has been credited with helping ignite investors' frenzy into "meme" stocks, sued Reddit on Wednesday, accusing it of wrongly banning him from moderating the community and undermining his trademark rights. Jaime Rogozinski said his ouster, ostensibly for violating Reddit policy by "attempting to monetize a community," was a pretext to keep him from trying to control "a famous brand that helped Reddit rise to a $10 billion valuation" by late 2021.

According to the complaint filed in federal court in Oakland, California, Rogozinski applied to trademark "WallStreetBets" in March 2020, one month before his ouster, when the community reached 1 million subscribers. Founded in 2012, the community now has 13.6 million subscribers. "If you build it, they will come," the complaint said, quoting from the 1989 movie "Field of Dreams." "Reddit's dreams, however, turned out to be Mr. Rogozinski's nightmare as the company insists, 'if you build it, we will take it from you.'" Rogozinski said he is a dual U.S.-Mexican citizen, and lives in Mexico City. He is seeking at least $1 million in damages for breach of contract and violations of his publicity rights, and a ban on Reddit's use of WallStreetBets unless it reinstates him as senior moderator of the r/WallStreetBets subreddit.

Reddit rejected Rogozinski's claims. "This is a completely frivolous lawsuit with no basis in reality," a spokeswoman said. "Jamie was removed as a moderator of r/WallStreetBets by Reddit and banned by the community moderators for attempting to enrich himself. This lawsuit is another transparent attempt to enrich himself."

Australia

Australians Able To Opt Out of Targeted Ads, Erase Their Data Under Proposed Privacy Reforms (theguardian.com)

An anonymous reader quotes a report from The Guardian: Australians would gain greater control of their personal information, including the ability to opt out of targeted ads, erase their data and sue for serious breaches of privacy, under a proposal to the Albanese government. On Thursday the attorney general, Mark Dreyfus, will release a review conducted by his department into modernization of the Privacy Act which calls to expand its remit to small businesses and add new safeguards for use of data by political parties. Although the document is not government policy, in January Dreyfus told Guardian Australia the right to sue for privacy breaches and European-style reforms such as the right to be forgotten would be considered for the next tranche of legislation.

In 2022 the Albanese government passed a bill increasing penalties for companies that fail to protect customer data in the wake of major data breaches at telco Optus and health insurer Medibank. A summary section of the review, seen in advance by Guardian Australia, called for the exemption from the Privacy Act for small businesses to be abolished, citing community expectations that if small businesses are provided personal information "they will keep it safe." But first the government should conduct an "impact analysis" and give support to ensure small businesses can comply with their obligations, it said. Despite calls to abolish the privacy exemptions for political parties, the review proposed only increased safeguards, such as for parties to publish a privacy policy and not target voters "based on sensitive information or traits" except for political opinions, membership of a political association, or a trade union. "There was very strong support for increasing the protections for personal information under the Act," the review said.

The review called for new limits on targeted advertising, including to prohibit targeting to a child except where it is in their "best interests," and to provide others with "an unqualified right to opt-out" of targeted ads and their information being disclosed for direct marketing purposes. The Privacy Act should include a new overarching requirement that "the collection, use and disclosure of personal information must be fair and reasonable in the circumstances," it said. The review also proposes individual rights modeled on the European Union's general data protection regulation including to: object to the collection, use or disclosure of personal information; request erasure of personal information; and to de-index online search results containing sensitive information, excessive detail or "inaccurate, out-of-date, incomplete, irrelevant, or misleading" information. The review suggested that consent should be required for collection and use of precise geolocation tracking data. The government should "consult on introducing a criminal offense for malicious re-identification of de-identified information where there is an intention to harm another or obtain an illegitimate benefit," it said. The report said that individuals wanted "more agency to seek redress for interferences with their privacy," proposing the creation of a right to sue for "serious invasions of privacy," which was also a recommendation of the Australian Law Reform Commission in 2014.

Security

City of Oakland Declares State of Emergency After Ransomware Attack (bleepingcomputer.com)

An anonymous reader quotes a report from BleepingComputer: Oakland has declared a local state of emergency because of the impact of a ransomware attack that forced the City to take all its IT systems offline on February 8th. Interim City Administrator G. Harold Duffey declared (PDF) a state of emergency to allow the City of Oakland to expedite orders, materials and equipment procurement, and activate emergency workers when needed. "Today, Interim City Administrator, G. Harold Duffey issued a local state of emergency due to the ongoing impacts of the network outages resulting from the ransomware attack that began on Wednesday, February 8," a statement issued today reads. The incident did not affect core services, with the 911 dispatch and fire and emergency resources all working as expected.

While last week's ransomware attack only impacted non-emergency services, many systems taken down immediately after the incident to contain the threat are still offline. The ransomware group behind the attack is currently unknown, and the City is yet to share any details regarding ransom demands or data theft from compromised systems. "The City's IT Department is working with a leading forensics firm to perform an extensive incident response and analysis, as well as with additional cybersecurity and technology firms on recovery and remediation efforts," the statement said. "This continues to be an ongoing investigation with multiple local, state, and federal agencies involved."

Security

NameCheap's Email Hacked To Send Metamask, DHL Phishing Emails (bleepingcomputer.com)

An anonymous reader quotes a report from BleepingComputer: Domain registrar Namecheap had their email account breached Sunday night, causing a flood of MetaMask and DHL phishing emails that attempted to steal recipients' personal information and cryptocurrency wallets. The phishing campaigns started around 4:30 PM ET and originated from SendGrid, an email platform used historically by Namecheap to send renewal notices and marketing emails. After recipients began complaining on Twitter, Namecheap CEO Richard Kirkendall confirmed that the account was compromised and that they disabled email through SendGrid while they investigated the issue.

Namecheap published a statement Sunday night stating that their systems were not breached but rather it was an issue at an upstream system that they use for email. "We have evidence that the upstream system we use for sending emails (third-party) is involved in the mailing of unsolicited emails to our clients. As a result, some unauthorized emails might have been received by you," reads a statement issued by Namecheap. "We would like to assure you that Namecheap's own systems were not breached, and your products, accounts, and personal information remain secure." After the phishing incident, Namecheap says they stopped all emails, including two-factor authentication code delivery, trusted devices' verification, and password reset emails, and began investigating the attack with their upstream provider. Services were restored later that night at 7:08 PM EST.

While Namecheap did not state the name of this upstream system, the CEO of Namecheap previously tweeted that they were using SendGrid, which is also confirmed in the phishing emails' mail headers. However, Twilio SendGrid told BleepingComputer that Namecheap's incident was not the result of a hack or compromise of the email service provider's systems, adding more confusion as to what happened: "Twilio SendGrid takes fraud and abuse very seriously and invests heavily in technology and people focused on combating fraudulent and illegal communications. We are aware of the situation regarding the use of our platform to launch phishing email and our fraud, compliance and cyber security teams are engaged in the matter. This situation is not the result of a hack or compromise of Twilio's network. We encourage all end users and entities to take a multi-pronged approach to combat phishing attacks, deploying security precautions such as two factor authentication, IP access management, and using domain-based messaging. We are still investigating the situation and have no additional information to provide at this time."

AI

Creator of Linux Virtual Assistant Blames 'Patent Troll' For Project's Death (theregister.com)

Laura Dobberstein writes via The Register: Mycroft AI, creator of a Linux-based virtual assistant, announced on Friday it would not be able to fulfill rewards for its Mark II Kickstarter campaign. Furthermore, without immediate new investment, the company will be forced to cease development by the end of the month, said the company's former CEO and operator of the Kickstarter campaign, Joshua Montgomery. "We will still be shipping all orders that are made through the Mycroft website, because these sales directly cover the costs of producing and shipping the products," confirmed Montgomery. He said the company was now at bare-bones employee count: layoffs had reduced the staff down to two developers, one customer service agent and one attorney. Montgomery said he had "poured a lot of [his] own savings, and additional funding from [his] foundation into Mycroft" but the company was running out of cash.

Mycroft AI experienced many challenges one would expect to encounter at a startup, such as difficulty finding hardware partners, which forced it to resort to off-the-shelf parts. [...] But what truly killed the company and product, he claimed, were expenses related to ongoing litigation. In 2020, Mycroft AI was sued for patent infringement from what it labeled a "patent troll." The company suing Mycroft AI, Voice Tech Corporation, dropped its litigation, but not before costing the startup deeply. "If we had that million dollars we would be in a very different state right now," said Montgomery. Billed as an "open answer" to Amazon Echo and Google Home but with data privacy, the Mark II went from costing $99 in components each to $300. That total doesn't include the costs of spending $100,000 on injection molds. The product currently sells on the company's website for $499.

The Kickstarter campaign brought in 2,245 backers for the smart speaker and raised over $394,000. The goal had been set at a mere $50,000. It's uncertain how many backers received a Mark II. Backers have left disappointed and upset responses on its Kickstarter page -- some mourning the death of hardware crowdsourcing, some pleading for their product, some alleging scam, and others urging the company to push through. "Send us the components to assemble the pieces ourselves if that's the outstanding problem at this point," offered one Kickstarter supporter. "Why can't we make it into a group project to assemble MyCroft II in our homes?" "I don't mind that I don't get my Mark II: the bigger goal of open source artificial intelligence was more important to me," said another.

Piracy

Z-Library Returns, Offering 'Unique' Domain Name To All Users (torrentfreak.com)

An anonymous reader quotes a report from TorrentFreak: The U.S. Government's crackdown against Z-Library late last year aimed to wipe out the pirate library for good. The criminal prosecution caused disruption but didn't bring the site completely to its knees. Z-Library continued to operate on the dark web and this weekend, reappeared on the clearnet, offering a 'unique' domain name to all users. [...] Sites can often be seen hardening their operations to mitigate disruption caused by domain name seizures. Many have a list of backup domains that can be deployed when needed; The Pirate Bay infamously launched its hydra setup consisting of five different domain names. Z-Library is taking this hydra-inspired scheme to the next level. A new announcement reveals that the platform is publicly available once again and offering a unique and private domain name to every user.

"We have great news for you -- Z-Library is back on the Clearnet again! To access it, follow this link singlelogin.me and use your regular login credentials," the Z-Library team writes. "After logging into your account, you will be redirected to your personal domain. Please keep your personal domain private! Don't disclose your personal domain and don't share the link to your domain, as it is protected with your own password and cannot be accessed by other users." While we can't confirm that all users will get unique domain names, people are indeed redirected to different clearnet domains after logging in. After doing so, a popup message reminds them to keep their personal domain secret.

The domain names in question are subdomains of newly registered TLDs that rely on different domain name registries. Every user has two of these 'personal' domains listed on their personal profile page. If users can't access the universal login page, Z-Library says they can log in through TOR or I2P and get their personal clearnet domains there. How many new domain names Z-Library has is unclear but that's exactly the point. The site's operators want to prevent future domain name seizures and with the U.S. Government on its back, new domains are far from safe.

Privacy

A Researcher Tried To Buy Mental Health Data. It Was Surprisingly Easy. (nbcnews.com)

Sensitive mental health data is for sale by little-known data brokers, at times for a few hundred dollars and with little effort to hide personal information such as names and addresses, according to research released Monday. From a report: The research, conducted over the span of two months at Duke University's Sanford School of Public Policy, which studies the ecosystem of companies buying and selling personal data, consisted of asking 37 data brokers for bulk data on people's mental health. Eleven of them agreed to sell information that identified people by issues, including depression, anxiety and bipolar disorder, and often sorted them by demographic information such as age, race, credit score and location.

The researchers did not buy the data, but in many cases received free samples to prove that the broker was legitimate, a common industry practice. The study doesn't name the data brokers. Some of the brokers were particularly cavalier with sensitive data. One made no demands on how information it sold was used and advertised that it could offer names and addresses of people with "depression, bipolar disorder, anxiety issues, panic disorder, cancer, post-traumatic stress disorder, obsessive-compulsive disorder and personality disorder, as well as individuals who have had strokes and data on their races and ethnicities," the report found. "[T]he industry appears to lack a set of best practices for handling individuals' mental health data, particularly in the areas of privacy and buyer vetting," the report found.

Open Source

'Mycroft' Open-Source Voice Assistant Out of Funds, Can't Fulfill Remaining Kickstarter Rewards (kickstarter.com)

In 2019 Slashdot covered Mycroft, an open-source voice assistant for Linux-based devices (including Raspberry Pi boards). But this week the company's CEO posted on Kickstarter that "without immediate new investment, we will have to cease development by the end of the month...."

"We will still be shipping all orders that are made through the Mycroft website, because these sales directly cover the costs of producing and shipping the products. However we do not have the funds to continue fulfilling rewards from this crowdfunding campaign, or to even continue meaningful operations."

The announcement details Mycroft's long, strange trip, from a hardware-focused partner that couldn't provide stable hardware to their switch to using off-the-shelf parts — followed by supply chain disruptions (with hefty import and manufacturing fees): The best plan we could devise to fulfill the remaining campaign rewards was to use the slim margins we have on new sales to cover the increased costs of hardware production. With that plan in mind, we pushed forward and started production. We got plastic injection molds cast. We started printing custom PCBs. We engaged audio engineers to optimize the quality and volume of the sound output. We got the device FCC and CE approved. Many of these steps took multiple iterations to get right, and there are many more things that I'm glossing over. All up this costs — a lot of money. Far more than the total contributions from the campaign, which is why I personally committed so much additional funding. I could see a clear way forward that strengthened Mycroft as a project, as a business, and as a community.

So what went wrong? The single most expensive item that I could not predict was our ongoing litigation against the non-practicing patent entity that has never stopped trying to destroy us. If we had that million dollars we would be in a very different state right now.

With so much of our focus on hardware, and less funding to devote to improving our software — the quality and features available on the Mark II at launch were clearly underwhelming. It is more robust and stable than it has ever been, but this came at the cost of fewer new features. That in turn I believe has resulted in less than flattering reviews, and little mainstream coverage. The hardware itself has proven itself to be a solid base to work from, but without good reviews you get less sales, and without strong sales, the plan doesn't work.

Thanks to stx23 (Slashdot reader #14,942) for sharing the news.

Windows

Is Windows 11 Spyware? Microsoft Defends Sending User Data to Third Parties (tomshardware.com)

An anonymous reader shares a report from Tom's Hardware: According to the PC Security Channel (via TechSpot), Microsoft's Windows 11 sends data not only to the Redmond, Washington-based software giant, but also to multiple third parties. To analyze DNS traffic generated by a freshly installed copy of Windows 11 on a brand-new notebook, the PC Security Channel used the Wireshark network protocol analyzer that reveals precisely what is happening on a network. The results were astounding enough for the YouTube channel to call Microsoft's Windows 11 "spyware."

As it turned out, an all-new Windows 11 PC that was never used to browse the Internet contacted not only Windows Update, MSN and Bing servers, but also Steam, McAfee, geo.prod.do, and Comscore ScorecardResearch.com. Apparently, the latest operating system from Microsoft collected and sent telemetry data to various market research companies, advertising services, and the like.
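The kind of check the channel describes, done offline on a DNS query list rather than in the Wireshark GUI, as an added example that is not the PC Security Channel's or Tom's Hardware's own script: it splits a fresh-install capture into first-party (vendor) and third-party destinations and reports how often and how early each was contacted. The capture lines are constructed in the shape of a `tshark -T fields` export, and the first-party suffix list is an assumption chosen for the example.

```python
"""Split DNS queries from a fresh-install capture into first-party and third-party
destinations. Added example; the sample capture below is constructed and the
FIRST_PARTY_SUFFIXES allowlist is an assumption for illustration."""
from collections import Counter

# Constructed sample in the shape of:
#   tshark -r capture.pcapng -Y "dns.flags.response == 0" \
#          -T fields -e frame.time_relative -e dns.qry.name
# (seconds since start of capture, TAB, queried name)
SAMPLE_CAPTURE = """\
0.412\tdownload.windowsupdate.com
0.913\twww.msn.com
1.204\tapi.bing.com
2.551\tsteamcommunity.com
3.007\tupdate.mcafee.com
3.820\tgeo.prod.do
4.102\tb.scorecardresearch.com
4.990\tsettings-win.data.microsoft.com
5.310\tb.scorecardresearch.com
"""

# Suffixes treated as the OS vendor's own infrastructure (assumption for this example;
# a real review would build this list from the vendor's published endpoint documentation).
FIRST_PARTY_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "msn.com", "bing.com", "live.com", "windows.com",
)


def registrable_domain(name: str) -> str:
    """Reduce a query name to its last two labels, e.g. b.scorecardresearch.com ->
    scorecardresearch.com. Good enough for the names here; full public-suffix-list
    handling (co.uk and friends) is out of scope for the example."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name.lower()


def is_first_party(name: str) -> bool:
    """True when the name equals, or is a subdomain of, an allowlisted suffix."""
    n = name.rstrip(".").lower()
    return any(n == s or n.endswith("." + s) for s in FIRST_PARTY_SUFFIXES)


def parse_capture(text: str) -> list[tuple[float, str]]:
    """Parse 'time<TAB>qname' lines; blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, _, qname = line.partition("\t")
        rows.append((float(ts), qname))
    return rows


def classify(text: str) -> dict[str, dict[str, dict]]:
    """Return {'first_party': {...}, 'third_party': {...}}, each mapping a registrable
    domain to {'count': queries seen, 'first_seen': seconds into the capture}."""
    buckets = {"first_party": {}, "third_party": {}}
    for ts, qname in parse_capture(text):
        bucket = buckets["first_party"] if is_first_party(qname) else buckets["third_party"]
        dom = registrable_domain(qname)
        entry = bucket.setdefault(dom, {"count": 0, "first_seen": ts})
        entry["count"] += 1
        entry["first_seen"] = min(entry["first_seen"], ts)
    return buckets


if __name__ == "__main__":
    for bucket, doms in classify(SAMPLE_CAPTURE).items():
        print(bucket)
        for dom, info in sorted(doms.items(), key=lambda kv: kv[1]["first_seen"]):
            print(f"  {dom:28s} queries={info['count']}  first_seen={info['first_seen']:.3f}s")
```

Anything in the third-party bucket of a never-browsed machine is what the channel flagged; the allowlist is the part to maintain carefully, since an overly broad suffix hides exactly the traffic under review.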

When Tom's Hardware contacted Microsoft, their spokesperson argued that flowing data is common in modern operating systems "to help them remain secure, up to date, and keep the system working as anticipated."

"We are committed to transparency and regularly publish information about the data we collect to empower customers to be more informed about their privacy."

Cellphones

How Big Tech Rewrote America's First Cell Phone Repair Law (grist.org)

Two non-profit news sites, The Markup and Grist, have co-published their investigation into how big tech rewrote America's first cellphone repair law.

"That New York passed any electronics right-to-repair bill is 'huge,' Repair.org executive director Gay Gordon-Byrne told Grist. But 'it could have been huger' if not for tech industry interference." The passage of the Digital Fair Repair Act last June reportedly caught the tech industry off guard, but it had time to act before Governor Kathy Hochul would sign it into law. Corporate lobbyists went to work, pressing for exemptions and changes that would water the bill down. They were largely successful: While the bill Hochul signed in late December remains a victory for the right-to-repair movement, the more corporate-friendly text gives consumers and independent repair shops less access to parts and tools than the original proposal called for. (The state Senate still has to vote to adopt the revised bill, but it's widely expected to do so.)

The new version of the law applies only to devices built after mid-2023, so it won't help people to fix stuff they currently own. It also exempts electronics used exclusively by businesses or the government. All those devices are likely to become electronic waste faster than they would have had Hochul, a Democrat, signed a tougher bill. And more greenhouse gases will be emitted manufacturing new devices to replace broken electronics....

Jessa Jones, who founded iPad Rehab, an independent repair shop in Honeoye Falls, about 20 miles south of Rochester, New York, says the original bill included provisions that would have made it far easier for independent shops like hers to get the tools, parts, and know-how needed to make repairs. She pointed to changes that allow manufacturers to release repair tools that only work with spare parts they make, while at the same time controlling how those spare parts are used... "If you keep going down this road, allowing manufacturers to force us to use their branded parts and service, where they're allowed to tie the function of the device to their branded parts and service, that's not repair," Jones said. "That's authoritarian control."

The bill's sponsor believes it could create momentum for dozens of other states trying to pass similar laws, the article points out, possibly leading ultimately to one national agreement between electronics manufacturers and the repair community. A lawmaker from another state argued that New York's law "gives us something to work from. We're going to take that now and try to do a better piece of legislation."

Thanks to long-time Slashdot reader Z00L00K for submitting the article.

Programming

Google's Go May Add Telemetry That's On By Default (theregister.com) 75

Russ Cox, a Google software engineer steering the development of the open source Go programming language, has presented a possible plan to implement telemetry in the Go toolchain. However, many in the Go community object because the plan calls for telemetry by default. The Register reports: These alarmed developers would prefer an opt-in rather than an opt-out regime, a position the Go team rejects because it would ensure low adoption and would reduce the amount of telemetry data received to the point it would be of little value. Cox's proposal summarized lengthier documentation in three blog posts.

Telemetry, as Cox describes it, involves software sending data from Go software to a server to provide information about which functions are being used and how the software is performing. He argues it is beneficial for open source projects to have that information to guide development. And the absence of telemetry data, he contends, makes it more difficult for project maintainers to understand what's important and what's working, and to prioritize changes, thereby making maintainer burnout more likely. But such is Google's reputation these days that many considering the proposal have doubts, despite the fact that the data collection contemplated involves measuring the usage of language features and language performance. The proposal isn't about the sort of sensitive personal data vacuumed up by Google's ad-focused groups.

"Now you guys want to introduce telemetry into your programming language?" IT consultant Jacob Weisz said. "This is how you drive off any person who even considered giving your project a chance despite the warning signs. Please don't do this, and please issue a public apology for even proposing it. Please leave a blast radius around this idea wide enough that nobody even suggests trying to do this again."

He added: "Trust in Google's behavior is at an all time low, and moves like this are a choice to shove what's left of it off the edge of a cliff."

Meanwhile, former Google cryptographer and current open source maintainer Filippo Valsorda said in a post to Mastodon: "This is a large unconventional design, there are a lot of tradeoffs worth discussing and details to explore. When Russ showed it to me I made at least a dozen suggestions and many got implemented."

"Instead: all opt-out telemetry is unethical; Google is evil; this is not needed. No one even argued why publishing any of this data could be a problem."

The Courts

GitHub and EFF Back YouTube Ripper In Legal Battle With the RIAA (torrentfreak.com) 20

GitHub and digital rights group EFF have filed briefs supporting stream-ripping site Yout.com in its legal battle with the RIAA. GitHub warns that the lower court's decision threatens to criminalize the work of many other developers. The EFF, meanwhile, stresses that an incorrect interpretation of the DMCA harms people who use stream-rippers lawfully. TorrentFreak reports: In 2020, YouTube ripper Yout.com sued the RIAA, asking a Connecticut district court to declare that the site does not violate the DMCA's anti-circumvention provision. The music group had previously used DMCA takedown notices to remove many of Yout's appearances in Google's search results. This had a significant impact on revenues, the site argued, adding that it always believed it wasn't breaking any laws and hoped the court would agree. Last October, the Connecticut district court concluded that Yout had failed to show that it doesn't circumvent YouTube's technological protection measures. As such, it could be breaking the law. Yout operator Johnathan Nader opted to appeal the decision. Nader's attorneys filed their opening brief (PDF) last week at the Court of Appeals for the Second Circuit, asking it to reverse the lower court's decision. The YouTube ripper is not the only party calling for a reversal. Yesterday, Microsoft-owned developer platform GitHub submitted an amicus brief that argues for the same. And in a separate filing, the EFF also agrees that the lower court's decision should be overturned.

GitHub's brief starts by pointing out that the company takes no position on the ultimate resolution of this appeal, nor does it side with all of Yout's arguments. However, it does believe that the lower court's interpretation of the DMCA is dangerous. The district court held that stream rippers can violate the DMCA's anti-circumvention provision. The court noted that these tools allow people to download video and audio from YouTube, despite the streaming platform's lack of a download button. According to GitHub, this conclusion is premature, dangerous, and places other software types at risk. In the present lawsuit, GitHub reiterates that stream-ripping tools should not be outlawed. The fact that YouTube doesn't have a download button doesn't mean that tools that enable people to download videos circumvent technological access restrictions. "YouTube's decision not to provide its own 'download' button, however, is not a restriction on access to works. It merely affects how users experience them," GitHub writes. If the court order is allowed to stand, GitHub warns that a broad group of developers could be exposed to criminal liability, effectively chilling technological innovation. YouTube download tools are not the only types of software at risk, according to GitHub. There are many others that affect 'how users experience' online websites. These could also be seen as problematic, based on the district court's expansive interpretation of the DMCA. These widely accepted tools could put their creators at risk if the DMCA is interpreted too strictly, GitHub warns.

The Electronic Frontier Foundation (EFF) also submitted an amicus curiae brief (PDF) yesterday. The digital rights group takes interest in copyright cases, particularly when they get in the way of people's ability to freely use technology. In this instance, EFF points out that stream-rippers such as Yout.com provide a neutral technology with plenty of legal uses. They can be used for infringing purposes, but that's also true for existing technologies -- the printing press, for example. "Like every reproduction technology -- from the printing press to the smartphone -- these programs, colloquially called 'streamrippers,' have important lawful uses as well as infringing ones. Video creators, educators, journalists, and human rights organizations all depend on the ability to make copies of user-uploaded videos," EFF adds. In common with GitHub, EFF notes that the absence of a download button on YouTube doesn't imply that download tools automatically violate the DMCA, especially when there are no effective download restrictions on the platform. [...] According to EFF, Yout and similar tools provide the same functions as video cassette recorders once did. They allow people to make copies of videos that are posted publicly by their creators. In addition, these tools are vital for some reporters and useful to creatives who use them for future work.

Government

Larry Magid: Utah Bill Threatens Internet Security For Everyone (mercurynews.com) 89

"Wherever you live, you should be paying attention to Utah Senate Bill 152 and the somewhat similar House Bill 311," writes tech journalist and long-time child safety advocate Larry Magid in an op-ed via the Mercury News. "Even though it's legislation for a single state, it could set a dangerous precedent and make it harder to pass and enforce sensible federal legislation that truly would protect children and other users of connected technology." From the report: SB 152 would require parents to provide their government-issued ID and physical address in order for their child or teenager to access social media. But even if you like those provisions, this bill would require everyone -- including adults -- to submit government-issued ID to sign up for a social media account, including not just sites like Facebook, Instagram, Snapchat and TikTok, but also video sharing sites like YouTube, which is commonly used by schools. The bill even bans minors from being online between 10:30 p.m. and 6:30 a.m., empowering the government to usurp the rights of parents to supervise and manage teens' screen time. Should it be illegal for teens to get up early to finish their homework (often requiring access to YouTube or other social media) or perhaps access information that would help them do early morning chores? Parents -- not the state -- should be making and enforcing their family's schedule.

I oppose these bills from my perch as a long-time child safety advocate (I wrote "Child Safety on the Information Highway" in 1994 for the National Center for Missing & Exploited Children and am currently CEO of ConnectSafely.org). However well-intentioned, they could increase risk and deny basic rights to children and adults. SB 152 would require companies to keep a "record of any submissions provided under the requirements," which means there would not only be databases of all social media users, but also of users under 18, which could be hacked by criminals or foreign governments seeking information on Utah children and adults. And, in case you think that's impossible, there was a breach in 2006 of a database of children that was mandated by the State of Utah to protect them from sites that displayed or promoted pornography, alcohol, tobacco and gambling. No one expects a data breach, but they happen on a regular basis. There is also the issue of privacy. Social media is both media and speech, and some social media are frequented by people who might not want employers, family members, law enforcement or the government to know what information they're consuming. Whatever their interests, people should have the right to at least anonymously consume information or express their opinions. This should apply to everyone, regardless of who they are, what they believe or what they're interested in. [...]

It's important to always look at the potential unintended consequences of legislation. I'm sure the lawmakers in Utah who are backing this bill have the best interests of children in mind. But this wouldn't be the first law designed to protect children that actually puts them at risk or violates adult rights in the name of child protection. I applaud any policymaker who wants to find ways to protect kids and hold technology companies accountable for doing their part to protect privacy and security as well as employing best practices when it comes to the mental health and well-being of children. But the legislation, whether coming from Utah, another state or Washington, D.C., must be sensible, workable, constitutional and balanced, so that it, at the very least, does more good than harm.

Crime

US, UK Sanction 7 Men Tied To Trickbot Hacking Group (krebsonsecurity.com) 5

An anonymous reader quotes a report from KrebsOnSecurity: Authorities in the United States and United Kingdom today levied financial sanctions against seven men accused of operating "Trickbot," a cybercrime-as-a-service platform based in Russia that has enabled countless ransomware attacks and bank account takeovers since its debut in 2016. The U.S. Department of the Treasury says the Trickbot group is associated with Russian intelligence services, and that this alliance led to the targeting of many U.S. companies and government entities. Initially a stealthy trojan horse program delivered via email and used to steal passwords, Trickbot evolved into "a highly modular malware suite that provides the Trickbot Group with the ability to conduct a variety of illegal cyber activities, including ransomware attacks," the Treasury Department said.

"During the height of the COVID-19 pandemic in 2020, Trickbot targeted hospitals and healthcare centers, launching a wave of ransomware attacks against hospitals across the United States," the sanctions notice continued. "In one of these attacks, the Trickbot Group deployed ransomware against three Minnesota medical facilities, disrupting their computer networks and telephones, and causing a diversion of ambulances. Members of the Trickbot Group publicly gloated over the ease of targeting the medical facilities and the speed with which the ransoms were paid to the group."

Only one of the men sanctioned today is known to have been criminally charged in connection with hacking activity. According to the Treasury Department, the alleged senior leader of the Trickbot group is 34-year-old Russian national Vitaly "Bentley" Kovalev. A New Jersey grand jury indicted Kovalev in 2012 after an investigation by the U.S. Secret Service determined that he ran a massive "money mule" scheme, which used phony job offers to trick people into laundering money stolen from hacked small- to mid-sized businesses in the United States. The 2012 indictment against Kovalev relates to cybercrimes he allegedly perpetrated prior to the creation of Trickbot.

A copy of the now-unsealed 2012 indictment of Kovalev is here (PDF).

Privacy

New York Moves Against Stalkerware (bloomberg.com) 15

An anonymous reader shares a report: Stalkers and domestic abusers in the US for years have been able to access the kind of surveillance tools typically associated with foreign spies. That's all because of a pervasive industry that promises to help people who want to secretly monitor their family members. Now, because of an action brought by the New York Attorney General, one player in the so-called stalkerware industry has agreed to notify the people who were infected with its spyware. But it was required to pay just $410,000 in civil penalties, in part because rather than taking issue with the harmful nature of the technology, state prosecutors cited only the companies' use of deceptive marketing.

A detailed legal filing provides a glimpse into the pernicious capabilities that stalkerware firms provide to consumers -- enabling buyers to collect victims' texts, photos, emails, direct messages, you name it. The case is the latest evidence that such apps are more popular than previously understood. The New York investigation determined that one Florida man owned 16 companies, distributing apps with names such as PhoneSpector and AutoForward Data Services that promoted mobile surveillance software. Once installed on a device, some of the apps would be invisible on a user's home screen and allow a stalker to remotely activate an individual's camera or microphone without their knowledge, according to the legal filing.