An anonymous reader quotes a report from The Register: Comcast says data on 237,703 of its customers was in fact stolen in a cyberattack on a debt collector it was using, contrary to previous assurances it was given that it was unaffected by that intrusion. That collections agency, Financial Business and Consumer Solutions aka FBCS, was compromised in February, and according to a filing with Maine's attorney general, the firm informed the US cable giant about the unauthorized access in March. At the time, FBCS told the internet'n'telly provider that no Comcast customer information was affected. However, that changed in July, when the collections outfit got in touch again to say that, actually, the Comcast subscriber data it held had been pilfered.

Among the data types stolen were names, addresses, Social Security numbers, dates of birth, and the Comcast account numbers and ID numbers used internally at FBCS. The data pertains to those registered as customers at "around 2021." Comcast stopped using FBCS for debt collection services in 2020. Comcast made it clear its own systems, including those of its broadband unit Xfinity, were not broken into, unlike that time in 2023. FBCS earlier said more than 4 million people had their records accessed during that February break-in. As far as we're aware, the agency hasn't said publicly exactly how that network intrusion went down. Now Comcast is informing subscribers that their info was taken in that security breach, and in doing so seems to be the first to say the intrusion was a ransomware attack. [...]

FBCS's official statement only attributes the attack to an "unauthorized actor." It does not mention ransomware, nor many other technical details aside from the data types involved in the theft. No ransomware group we're aware of has ever claimed responsibility for the raid on FBCS. When we asked Comcast about the ransomware, it simply referred us back to the customer notification letter. The cableco used that notification to send another small middle finger FBCS's way, slyly revealing that the agency's financial situation prevents it from offering the usual identity and credit monitoring protection for those affected, so Comcast is having to foot the bill itself.

An anonymous reader quotes a report from TechCrunch: The European Union's top court has sided with a privacy challenge to Meta's data retention policies. It ruled on Friday that social networks, such as Facebook, cannot keep using people's information for ad targeting indefinitely. The judgement could have major implications on the way Meta and other ad-funded social networks operate in the region. Limits on how long personal data can be kept must be applied in order to comply with data minimization principles contained in the bloc's General Data Protection Regulation (GDPR). Breaches of the regime can lead to fines of up to 4% of global annual turnover -- which, in Meta's case, could put it on the hook for billions more in penalties (NB: it is already at the top of the leaderboard of Big Tech GDPR breachers). [...]

The original challenge to Meta's ad business dates back to 2014 but was not fully heard in Austria until 2020, per noyb. The Austrian supreme court then referred several legal questions to the CJEU in 2021. Some were answered via a separate challenge to Meta/Facebook, in a July 2023 CJEU ruling -- which struck down the company's ability to claim a "legitimate interest" to process people's data for ads. The remaining two questions have now been dealt with by the CJEU. And it's more bad news for Meta's surveillance-based ad business. Limits do apply. Summarizing this component of the judgement in a press release, the CJEU wrote: "An online social network such as Facebook cannot use all of the personal data obtained for the purposes of targeted advertising, without restriction as to time and without distinction as to type of data."

The ruling looks important on account of how ads businesses, such as Meta's, function. Crudely put, the more of your data they can grab, the better -- as far as they are concerned. Back in 2022, an internal memo penned by Meta engineers which was obtained by Vice's Motherboard likened its data collection practices to tipping bottles of ink into a vast lake and suggested the company's aggregation of personal data lacked controls and did not lend itself to being able to silo different types of data or apply data retention limits. Although Meta claimed at the time that the document "does not describe our extensive processes and controls to comply with privacy regulations." How exactly the adtech giant will need to amend its data retention practices following the CJEU ruling remains to be seen. But the law is clear that it must have limits. "[Advertising] companies must develop data management protocols to gradually delete unneeded data or stop using them," noyb suggests. The court also weighed in a second question that concerns sensitive data that has been "manifestly made public" by the data subject, "and whether sensitive characteristics could be used for ad targeting because of that," reports TechCrunch. "The court ruled that it could not, maintaining the GDPR's purpose limitation principle."

An anonymous reader quotes a report from Ars Technica: On Friday, Meta announced a preview of Movie Gen, a new suite of AI models designed to create and manipulate video, audio, and images, including creating a realistic video from a single photo of a person. The company claims the models outperform other video-synthesis models when evaluated by humans, pushing us closer to a future where anyone can synthesize a full video of any subject on demand. The company does not yet have plans of when or how it will release these capabilities to the public, but Meta says Movie Gen is a tool that may allow people to "enhance their inherent creativity" rather than replace human artists and animators. The company envisions future applications such as easily creating and editing "day in the life" videos for social media platforms or generating personalized animated birthday greetings.

Movie Gen builds on Meta's previous work in video synthesis, following 2022's Make-A-Scene video generator and the Emu image-synthesis model. Using text prompts for guidance, this latest system can generate custom videos with sounds for the first time, edit and insert changes into existing videos, and transform images of people into realistic personalized videos. [...] Movie Gen's video-generation model can create 1080p high-definition videos up to 16 seconds long at 16 frames per second from text descriptions or an image input. Meta claims the model can handle complex concepts like object motion, subject-object interactions, and camera movements. You can view example videos here. Meta also released a research paper with more technical information about the model.

As for the training data, the company says it trained these models on a combination of "licensed and publicly available datasets." Ars notes that this "very likely includes videos uploaded by Facebook and Instagram users over the years, although this is speculation based on Meta's current policies and previous behavior."

The Register's Thomas Claburn reports: Buck Shlegeris, CEO at Redwood Research, a nonprofit that explores the risks posed by AI, recently learned an amusing but hard lesson in automation when he asked his LLM-powered agent to open a secure connection from his laptop to his desktop machine. "I expected the model would scan the network and find the desktop computer, then stop," Shlegeris explained to The Register via email. "I was surprised that after it found the computer, it decided to continue taking actions, first examining the system and then deciding to do a software update, which it then botched." Shlegeris documented the incident in a social media post.

He created his AI agent himself. It's a Python wrapper consisting of a few hundred lines of code that allows Anthropic's powerful large language model Claude to generate some commands to run in bash based on an input prompt, run those commands on Shlegeris' laptop, and then access, analyze, and act on the output with more commands. Shlegeris directed his AI agent to try to SSH from his laptop to his desktop Ubuntu Linux machine, without knowing the IP address [...]. As a log of the incident indicates, the agent tried to open an SSH connection, and failed. So Shlegeris tried to correct the bot. [...]

The AI agent responded it needed to know the IP address of the device, so it then turned to the network mapping tool nmap on the laptop to find the desktop box. Unable to identify devices running SSH servers on the network, the bot tried other commands such as "arp" and "ping" before finally establishing an SSH connection. No password was needed due to the use of SSH keys; the user buck was also a sudoer, granting the bot full access to the system. Shlegeris's AI agent, once it was able to establish a secure shell connection to the Linux desktop, then decided to play sysadmin and install a series of updates using the package manager Apt. Then things went off the rails.

"It looked around at the system info, decided to upgrade a bunch of stuff including the Linux kernel, got impatient with Apt and so investigated why it was taking so long, then eventually the update succeeded but the machine doesn't have the new kernel so edited my Grub [bootloader] config," Buck explained in his post. "At this point I was amused enough to just let it continue. Unfortunately, the computer no longer boots." Indeed, the bot got as far as messing up the boot configuration, so that following a reboot by the agent for updates and changes to take effect, the desktop machine wouldn't successfully start.

An anonymous reader quotes a report from TechCrunch: A federal judge blocked one of California's new AI laws on Wednesday, less than two weeks after it was signed by Governor Gavin Newsom. Shortly after signing AB 2839, Newsom suggested it could be used to force Elon Musk to take down an AI deepfake of Vice President Kamala Harris he had reposted (sparking a petty online battle between the two). However, a California judge just ruled the state can't force people to take down election deepfakes -- not yet, at least. AB 2839 targets the distributors of AI deepfakes on social media, specifically if their post resembles a political candidate and the poster knows it's a fake that may confuse voters. The law is unique because it does not go after the platforms on which AI deepfakes appear, but rather those who spread them. AB 2839 empowers California judges to order the posters of AI deepfakes to take them down or potentially face monetary penalties.

Perhaps unsurprisingly, the original poster of that AI deepfake -- an X user named Christopher Kohls -- filed a lawsuit to block California's new law as unconstitutional just a day after it was signed. Kohls' lawyer wrote in a complaint that the deepfake of Kamala Harris is satire that should be protected by the First Amendment. On Wednesday, United States district judge John Mendez sided with Kohls. Mendez ordered a preliminary injunction to temporarily block California's attorney general from enforcing the new law against Kohls or anyone else, with the exception of audio messages that fall under AB 2839. [...] In essence, he ruled the law is simply too broad as written and could result in serious overstepping by state authorities into what speech is permitted or not.

A study published in Nature has found that conservative social media users were more likely to face sanctions, but attributes this to their higher propensity to share low-quality news rather than political bias. Researchers analyzed 9,000 Twitter users during the 2020 U.S. election, finding pro-Trump users were 4.4 times more likely to be suspended than pro-Biden users.

However, they also shared significantly more links from sites rated as untrustworthy by both politically balanced groups and Republican-only panels. Similar patterns were observed across multiple datasets spanning 16 countries from 2016 to 2023. The study concludes that asymmetric enforcement can result from neutral policies when behavior differs between groups.

WhatsApp and its parent Meta asked a judge to award them a total win against spyware maker NSO Group as punishment for discovery violations in a years-long case accusing the Israeli company of violating anti-hacking laws. From a report: NSO Group violated the Federal Rules of Civil Procedure, repeatedly ignoring the court's orders and its discovery obligations, according to a motion for sanctions filed Wednesday in the US District Court for the Northern District of California. "NSO's discovery violations were willful, and unfairly skew the record on virtually every key issue in the case, from the merits, to jurisdiction, to damages, making a full and fair trial on the facts impossible," they said. Judge Phyllis J. Hamilton should award the companies judgment as a matter of law or, "if the court finds that the limited discovery produced in this case does not suffice," enter default judgment against NSO, WhatsApp and Meta wrote.

The social media platforms first filed their complaint in October 2019, accusing NSO of using WhatsApp to install NSO spyware on the phones of about 1,400 WhatsApp users. The move follows Apple asking a court last month to dismiss its three-year-old hacking lawsuit against spyware pioneer NSO Group, arguing that it might never be able to get the most critical files about NSO's Pegasus surveillance tool and that its own disclosures could aid NSO and its increasing number of rivals.

An anonymous reader quotes a report from Ars Technica: Attackers are actively exploiting a critical vulnerability in mail servers sold by Zimbra in an attempt to remotely execute malicious commands that install a backdoor, researchers warn. The vulnerability, tracked as CVE-2024-45519, resides in the Zimbra email and collaboration server used by medium and large organizations. When an admin manually changes default settings to enable the postjournal service, attackers can execute commands by sending maliciously formed emails to an address hosted on the server. Zimbra recently patched the vulnerability. All Zimbra users should install it or, at a minimum, ensure that postjournal is disabled.

On Tuesday, Security researcher Ivan Kwiatkowski first reported the in-the-wild attacks, which he described as "mass exploitation." He said the malicious emails were sent by the IP address 79.124.49[.]86 and, when successful, attempted to run a file hosted there using the tool known as curl. Researchers from security firm Proofpoint took to social media later that day to confirm the report. On Wednesday, security researchers provided additional details that suggested the damage from ongoing exploitation was likely to be contained. As already noted, they said, a default setting must be changed, likely lowering the number of servers that are vulnerable. [...]

Proofpoint has explained that some of the malicious emails used multiple email addresses that, when pasted into the CC field, attempted to install a webshell-based backdoor on vulnerable Zimbra servers. The full cc list was wrapped as a single string and encoded using the base64 algorithm. When combined and converted back into plaintext, they created a webshell at the path: /jetty/webapps/zimbraAdmin/public/jsp/zimbraConfig.jsp. Proofpoint went on to say: "Once installed, the webshell listens for inbound connection with a pre-determined JSESSIONID Cookie field; if present, the webshell will then parse the JACTION cookie for base64 commands. The webshell has support for command execution via exec or download and execute a file over a socket connection."

After fifteen years of fighting to make the web safer and more accessible, the World Wide Web Foundation is shutting down. From a report: In a letter shared via the organization's website, co-founders Sir Tim Berners-Lee -- inventor of the World Wide Web -- and Rosemary Leith explain that the organization's mission has been somewhat accomplished and a new battle needs to be waged. When the foundation was founded in 2009, just over 20 percent of the world had access to the web and relatively few organizations were trying to change that, say Sir Tim and Leith. A decade and a half later, with nearly 70 percent of the world online, there are many similar non-governmental organizations trying to make the web more accessible and affordable.

The two founders thank their supporters over the years who "have enabled us to move the needle in a big way" with regard to access and affordability. But the issues facing the web have changed, they insist, and the foundation believes other advocacy groups can take it from here. Chief among the more pressing problems, claim Sir Tim and Leith, is the social media business model that commoditized user data and concentrates power with platforms, contrary to Sir Tim's original vision for the web. To address that threat, Sir Tim intends to dismantle his foundation so he can focus on decentralized technology. "We, along with the Web Foundation board, have been asking ourselves where we can have the most impact in the future," the authors say. "The conclusion we have reached is that Tim's passion on restoring power over and control of data to individuals and actively building powerful collaborative systems needs to be the highest priority going forward. In order to best achieve this, Tim will focus his efforts to support his vision for the Solid Protocol and other decentralized systems."

schwit1 shares a report from The Independent: Thousands of Bank of America customers reported trouble accessing their bank accounts Wednesday afternoon as the financial institution faced a widespread outage. On social media, customers said they could not view their account balances. Those who could view their accounts said they were met with an alarming $0 balance. For many, a "Connection Error" message popped up while trying to log into the banking app. The message said it was "unable to complete your request" and asked the user to "try again later."

By 1:15 p.m. Eastern Time, nearly 20,000 customers said they were having trouble, according to Downdetector, which reports web outages. That number dropped before rising again around 2:45 p.m. ET. It is unclear what caused the outage

Apple's iOS 18 update has introduced changes to contact sharing that could significantly impact social app developers. The new feature allows users to selectively share contacts with apps, rather than granting access to their entire address book. While Apple touts this as a privacy enhancement, developers warn it may hinder the growth of new social platforms. Nikita Bier, a start-up founder, called it "the end of the world" for friend-based social apps. Critics argue the change doesn't apply to Apple's own services, potentially giving the tech giant an unfair advantage.

Russian authorities are considering a ban on Discord, citing unspecified legal violations. According to the Russian daily newspaper Kommersant, the ban may happen "in the coming days." PC Gamer reports: The opening salvo has already been fired. The Russian state media regulator Roskomnadzor has issued five separate rulings relating to Discord since September 20, which can all now be used as justification for an upcoming ban. Say what you will about authoritarian regimes, but they love their bureaucracy. Kommersant quotes an anonymous official source as saying the ban is being considered for violations of Russian law: needless to say, these violations have not been detailed, nor are likely to be.

Russian users have also complained about periodic outages on Discord over September, with many resorting to VPNs, and both the web and mobile versions of the platform affected. Should the ban become a reality, the big losers will be Russian players and developers, with no obvious domestic replacement. "The problem is that for Russian developers, communication with the community, including the international one, and technical support are implemented through Discord," said Vasily Ovchinnikov, head of Russia's Organization for the Development of the Video Game Industry. Today, a Moscow court fined Discord 3.5 million roubles ($37,675) for, apparently, failing to restrict access to banned information.

Reddit has implemented new restrictions on moderators' ability to alter community visibility settings, the social media platform announced Monday. Moderators must now obtain admin approval before switching subreddits between public, private, or NSFW status.

The move comes in response to last year's widespread protests against API pricing changes, during which thousands of subreddits went private, disrupting platform accessibility. Reddit VP Laura Nestler stated the policy aims to prevent actions that "deliberately cause harm" and protect the site's long-term health.

Meta has been fined $101.5 million by the Irish Data Protection Commission (DPC) for storing over half a billion user passwords in plain text for years, with some engineers having access to this data for over a decade. The issue, discovered in 2019, predominantly affected non-US users, especially those using Facebook Lite. AppleInsider reports: Meta Ireland was found guilty of infringing four parts of GDPR, including how it "failed to notify the DPC of a personal data breach concerning storage of user passwords in plain text." Meta Ireland did report the failure, but only some months after it was discovered. "It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data," said Graham Doyle, Deputy Commissioner at the DPC, in a statement about the fine. "It must be borne in mind, that the passwords the subject of consideration in this case, are particularly sensitive, as they would enable access to users' social media accounts."

Other than the fine and an official reprimand, the full extent of the DPC's ruling is yet to be released publicly. The details published so far do not reveal whether the passwords included any of US users as well as ones in Ireland or across the rest of the European Union. It's most likely that the issue concerns only non-US users, however. That's because in 2019, Facebook told CNN that the majority of the plain text passwords were for a service called Facebook Lite, which it described as being a cut-down service for areas of the world with slower connectivity.

Meta Platforms' claims that Facebook doesn't polarize Americans came under new doubt as the journal Science raised questions about a prominent research paper the tech giant has cited to support its position. WSJ: In an editorial Thursday, Science said that Meta's emergency efforts to calm its platforms in the wake of the 2020 election may have swayed the conclusions of the paper, which the journal published in July 2023. The editorial, titled "Context matters in social media," was prompted by a letter that Science also published presenting new criticism of the paper. Because the study of Facebook's algorithms relied on data provided by Meta when it was undertaking extraordinary efforts to restrain incendiary political content, the letter's authors argue that the paper may have overstated the case that social media algorithms didn't contribute to political polarization.

Such criticisms of peer-reviewed research often appear below papers in academic journals, but Science's editors felt their editorial was needed to more prominently caveat this original paper's conclusions, said Holden Thorp, Science's editor in chief. "It was incumbent on us to come up with a way somehow that people who would come to the paper would know of these concerns,â Thorp said in an interview. While no correction was warranted, he said, "There's an election coming up, and we care about people citing this paper." Meta said it had been transparent with researchers about its actions during the time of the study, and the company and its research partners say it had no control over the Science paper's conclusions. Meta called debates of the sort aired on Thursday as part of the research process.

"The Federal Trade Commission is cracking down on 'automation' companies that launch and manage online businesses on behalf of customers in exchange for an upfront investment," reports CNBC's Annie Palmer. "The latest case targets Ascend Ecom, which ran an e-commerce money-making scheme, primarily on Amazon." The FTC accuses the e-commerce company of defrauding consumers of at least $25 million through false claims, deceptive marketing practices, and attempts to suppress negative reviews. From the report: Jamaal Sanford received a disturbing email in May of last year. The message, whose sender claimed to be part of a "Russian shadow team," contained Sanford's home address, social security number and his daughter's college. It came with a very specific threat. The sender said Sanford, who lives in Springfield, Missouri, would only only be safe if he removed a negative online review. "Do not play tough guy," the email said. "You have nothing to gain by keeping the reviews and EVERYTHING to lose by not cooperating."

Months earlier, Sanford had left a scathing review for an e-commerce "automation" company called Ascend Ecom on the rating site Trustpilot. Ascend's purported business was the launching and managing of Amazon storefronts on behalf of clients, who would pay money for the service and the promise of earning thousands of dollars in "passive income." Sanford had invested $35,000 in such a scheme. He never recouped the money and is now in debt, according to a Federal Trade Commission lawsuit unsealed on Friday. His experience is a key piece of the FTC's suit, which accuses Ascend of breaking federal laws by making false claims related to earnings and business performance, and threatening or penalizing customers for posting honest reviews, among other violations. The FTC is seeking monetary relief for Ascend customers and to prevent Ascend from doing business permanently.

An anonymous reader quotes a report from 404 Media: After a horseback riding accident left him paralyzed from the waist down in 2009, former jockey Michael Straight learned to walk again with the help of a $100,000 ReWalk Personal exoskeleton. Earlier this month, that exoskeleton broke because of a malfunctioning piece of wiring in an accompanying watch that makes the exoskeleton work. The manufacturer refused to fix it, saying the machine was now too old to be serviced, and Straight once again couldn't walk anymore. "After 371,091 steps my exoskeleton is being retired after 10 years of unbelievable physical therapy," Straight posted on Facebook on September 16. "The reasons [sic] why it has stopped is a pathetic excuse for a bad company to try and make more money. The reason it stopped is because of a battery in the watch I wear to operate the machine. I called thinking it was no big deal, yet I was told they stopped working on any machine that was 5 years or older. I find it very hard to believe after paying nearly $100,000 for the machine and training that a $20 battery for the watch is the reason I can't walk anymore?"

Straight's experience is a nightmare scenario that highlights what happens when companies decide to stop supporting their products and do not actively support independent repair. It's also what happens without the protection of right to repair legislation that requires manufacturers to make repair parts, guides, and tools available to the general public. Specifically, a connection wire became desoldered from the battery in a watch that connects to the exoskeleton: "It's not the actual battery, but it's the little green connection piece we need to be the right fit and that's been our problem," Straight posted on Facebook. Straight's personal exoskeleton was broken for two months, he said in a video on Facebook. He was eventually able to get the device fixed after attention from an article in the Paulick Report, a website about the horse industry, and a spot on local TV. "It took me two months, and I got no results," he said in the video. With social media and news attention, "it only took you all four days, and look at the results," he said earlier this week while standing in the exoskeleton. "This is the dystopian nightmare that we've kind of entered in, where the manufacturer perspective on products is that their responsibility completely ends when it hands it over to a customer. That's not good enough for a device like this, but it's also the same thing we see up and down with every single product," Nathan Proctor, head of citizen rights group US PIRG's right to repair project told 404 Media. "People need to be able to fix things, there needs to be a plan in place. A $100,000 product you can only use as long as the battery lasts, that's enraging. We should not have to tolerate a society where this happens."

"We have all this technology we release into the wild and it changes people's lives, but there's no long-term thinking. Manufacturers currently have no legal obligation to support the equipment indefinitely and there's no requirements that they publish sufficient documentation to allow others to do it," Proctor said. "We need to set minimum standards for documentation so that, even if a company goes bankrupt or falls off the face of the earth, a technician with sufficient knowledge can fix it."

Evan Prodromou, co-author of the ActivityPub protocol, has launched The Social Web Foundation to address the challenges of the ActivityPub ecosystem and foster the growth of the Fediverse. The foundation aims to support developers, organizations, and governments through advocacy, educational materials, and infrastructure, while maintaining a decentralized approach to improving the social web. We Distribute reports: "I wish I would've started it five years ago," Evan explains in a call, "We're seeing growth of ActivityPub in the commercial sector, we want to help guide that work, especially for devs that don't know how to engage with the Fediverse, or the work that happens in private spaces. As we're seeing a lot of growth, it's important to help push that growth forward, we're really filling in the crack no other organization is doing." The foundation launches with a dedicated team of three: Evan Prodromou is the Research Director, Mallory Knodel serves as the Executive Director, and Tom Coates acts as Product Director. The trio brings a wealth of knowledge regarding protocol development, open source development, technology policy, and product development for the Web.

In terms of fulfilling its goals, the organization has a few specific areas of focus: People, Policy, Protocol, and Plumbing. The SWF has deemed these areas as critical to their mission statement, and will start with these core focuses. [...] At launch, The Social Web Foundation has announced 12 partner organizations, who serve as a pool of knowledge, resources, and stakeholders. The majority of these entities are either building for the Fediverse directly, or providing infrastructure and services indirectly. Aside from Meta being an early supporter, one surprise is the inclusion of The Ford Foundation, a social justice organization dedicated to supporting next-generation solutions for the social good. At time of launch, the SWF will have access to more than 20 dedicated advisors, who will guide the organization on current problem areas their own efforts are facing, and provide insights on how to move forward and make progress. "The Fediverse is too big and too diverse for anyone to claim to speak for the Fediverse. That's not what we want to do or who we want to be," Evan says, "We may do things that people on the network disagree with, like encouraging media organizations to join the network, but what we want to do is help the mission of growing and improving the Fediverse over time."

OpenAI is rolling out its advanced voice interface for ChatGPT to all Plus and Team subscribers in the U.S., the company said Tuesday. The feature, unveiled four months ago, lets users speak to the AI chatbot instead of typing. Five new voices join the lineup, expanding user options. OpenAI claims improved accent recognition and smoother conversations since initial testing. VentureBeat adds: OpenAI's foray into adding voices into ChatGPT has been controversial at the onset. In its May event announcing GPT-4o and the voice mode, people noticed similarities of one of the voices, Sky, to that of the actress Scarlett Johanssen. It didn't help that OpenAI CEO Sam Altman posted the word "her" on social media, a reference to the movie where Johansson voiced an AI assistant. The controversy sparked concerns around AI developers mimicking voices of well-known individuals.

An anonymous reader shares a report: The Pacific country of Kiribati might be surrounded by water, but on land its population is running dry. The ocean around them is steadily encroaching, contaminating underground wells and leeching salt into the soil. "Our waters have been infected," climate activist and law student Christine Tekanene says. "Those who are affected, they now can't survive with the water that changed after sea level rise." The freshwater crisis is just one of the many threats driven by rising seas in Kiribati. Its people live on a series of atolls, peaking barely a couple of metres above a sprawling tract of the Pacific Ocean. As global temperatures rise and ice sheets melt, Kiribati -- and other low-lying nations like it -- are experiencing extreme and regular flooding, frequent coastal erosion and persistent food and water insecurity.

This week the United Nations general assembly will hold a high-level meeting to address the existential threats posed by sea level rise as the issue climbs the international agenda; last year the UN security council debated it for the first time. Wednesday's meeting aims to build political consensus on action to address the widespread social, economic and legal consequences of rising seas. Samoa's UN representative, Fatumanava Dr Pa'olelei Luteru, says the upcoming UN meeting is long overdue and "extremely important" for island nations. "Economically, militarily, we're not powerful," says Luteru, who also serves as the current chair of the Alliance of Small Island States (AOSIS). "At least within the context of the UN and the multilateral system we have the possibility and the opportunity to engage and achieve some of the things that are a priority for us."