Cellphones

How Big Tech Rewrote America's First Cell Phone Repair Law (grist.org) 40

Two non-profit news sites, the Markup and Grist, have co-published their investigation into how big tech rewrote America's first cellphone repair law.

"That New York passed any electronics right-to-repair bill is 'huge,' Repair.org executive director Gay Gordon-Byrne told Grist. But 'it could have been huger' if not for tech industry interference." The passage of the Digital Fair Repair Act last June reportedly caught the tech industry off guard, but it had time to act before Governor Kathy Hochul would sign it into law. Corporate lobbyists went to work, pressing for exemptions and changes that would water the bill down. They were largely successful: While the bill Hochul signed in late December remains a victory for the right-to-repair movement, the more corporate-friendly text gives consumers and independent repair shops less access to parts and tools than the original proposal called for. (The state Senate still has to vote to adopt the revised bill, but it's widely expected to do so.)

The new version of the law applies only to devices built after mid-2023, so it won't help people to fix stuff they currently own. It also exempts electronics used exclusively by businesses or the government. All those devices are likely to become electronic waste faster than they would have had Hochul, a Democrat, signed a tougher bill. And more greenhouse gases will be emitted manufacturing new devices to replace broken electronics....

Jessa Jones, who founded iPad Rehab, an independent repair shop in Honeoye Falls, about 20 miles south of Rochester, New York, says the original bill included provisions that would have made it far easier for independent shops like hers to get the tools, parts, and know-how needed to make repairs. She pointed to changes that allow manufacturers to release repair tools that only work with spare parts they make, while at the same time controlling how those spare parts are used... "If you keep going down this road, allowing manufacturers to force us to use their branded parts and service, where they're allowed to tie the function of the device to their branded parts and service, that's not repair," Jones said. "That's authoritarian control."

The bill's sponsor believes it could create momentum for dozens of other states trying to pass similar laws, the article points out, possibly leading ultimately to one national agreement between electronics manufacturers and the repair community. A lawmaker from another state argued that New York's law "gives us something to work from. We're going to take that now and try to do a better piece of legislation."

Thanks to long-time Slashdot reader Z00L00K for submitting the article.
Programming

Google's Go May Add Telemetry That's On By Default (theregister.com) 75

Russ Cox, a Google software engineer steering the development of the open source Go programming language, has presented a possible plan to implement telemetry in the Go toolchain. However, many in the Go community object because the plan calls for telemetry by default. The Register reports: These alarmed developers would prefer an opt-in rather than an opt-out regime, a position the Go team rejects because it would ensure low adoption and would reduce the amount of telemetry data received to the point it would be of little value. Cox's proposal summarized lengthier documentation in three blog posts.

Telemetry, as Cox describes it, involves software sending data from Go software to a server to provide information about which functions are being used and how the software is performing. He argues it is beneficial for open source projects to have that information to guide development. And the absence of telemetry data, he contends, makes it more difficult for project maintainers to understand what's important, what's working, and to prioritize changes, thereby making maintainer burnout more likely. But such is Google's reputation these days that many considering the proposal have doubts, despite the fact that the data collection contemplated involves measuring the usage of language features and language performance. The proposal isn't about the sort of sensitive personal data vacuumed up by Google's ad-focused groups.
"Now you guys want to introduce telemetry into your programming language?" IT consultant Jacob Weisz said. "This is how you drive off any person who even considered giving your project a chance despite the warning signs. Please don't do this, and please issue a public apology for even proposing it. Please leave a blast radius around this idea wide enough that nobody even suggests trying to do this again."

He added: "Trust in Google's behavior is at an all time low, and moves like this are a choice to shove what's left of it off the edge of a cliff."

Meanwhile, former Google cryptographer and current open source maintainer Filippo Valsorda said in a post to Mastodon: "This is a large unconventional design, there are a lot of tradeoffs worth discussing and details to explore," he wrote. "When Russ showed it to me I made at least a dozen suggestions and many got implemented."

"Instead: all opt-out telemetry is unethical; Google is evil; this is not needed. No one even argued why publishing any of this data could be a problem."
The Courts

GitHub and EFF Back YouTube Ripper In Legal Battle With the RIAA (torrentfreak.com) 20

GitHub and digital rights group EFF have filed briefs supporting stream-ripping site Yout.com in its legal battle with the RIAA. GitHub warns that the lower court's decision threatens to criminalize the work of many other developers. The EFF, meanwhile, stresses that an incorrect interpretation of the DMCA harms people who use stream-rippers lawfully. TorrentFreak reports: In 2020, YouTube ripper Yout.com sued the RIAA, asking a Connecticut district court to declare that the site does not violate the DMCA's anti-circumvention provision. The music group had previously used DMCA takedown notices to remove many of Yout's appearances in Google's search results. This had a significant impact on revenues, the site argued, adding that it always believed it wasn't breaking any laws and hoped the court would agree. Last October, the Connecticut district court concluded that Yout had failed to show that it doesn't circumvent YouTube's technological protection measures. As such, it could be breaking the law. Yout operator Johnathan Nader opted to appeal the decision. Nader's attorneys filed their opening brief (PDF) last week at the Court of Appeals for the Second Circuit, asking it to reverse the lower court's decision. The YouTube ripper is not the only party calling for a reversal. Yesterday, Microsoft-owned developer platform GitHub submitted an amicus brief that argues for the same. And in a separate filing, the EFF also agrees that the lower court's decision should be overturned.

GitHub's brief starts by pointing out that the company takes no position on the ultimate resolution of this appeal, nor does it side with all of Yout's arguments. However, it does believe that the lower court's interpretation of the DMCA is dangerous. The district court held that stream rippers can violate the DMCA's anti-circumvention provision. The court noted that these tools allow people to download video and audio from YouTube, despite the streaming platform's lack of a download button. According to GitHub, this conclusion is premature, dangerous, and places other software types at risk. In the present lawsuit, GitHub reiterates that stream-ripping tools should not be outlawed. The fact that YouTube doesn't have a download button doesn't mean that tools that enable people to download videos circumvent technological access restrictions. "YouTube's decision not to provide its own 'download' button, however, is not a restriction on access to works. It merely affects how users experience them," GitHub writes. If the court order is allowed to stand, GitHub warns that a broad group of developers could be exposed to criminal liability, effectively chilling technological innovation. YouTube download tools are not the only types of software at risk, according to GitHub. There are many others that affect 'how users experience' online websites. These could also be seen as problematic, based on the district court's expansive interpretation of the DMCA. These widely accepted tools could put their creators at risk if the DMCA is interpreted too strictly, GitHub warns.

The Electronic Frontier Foundation (EFF) also submitted an amicus curiae brief (PDF) yesterday. The digital rights group takes interest in copyright cases, particularly when they get in the way of people's ability to freely use technology. In this instance, EFF points out that stream-rippers such as Yout.com provide a neutral technology with plenty of legal uses. They can be used for infringing purposes, but that's also true for existing technologies -- the printing press, for example. "Like every reproduction technology -- from the printing press to the smartphone -- these programs, colloquially called 'streamrippers,' have important lawful uses as well as infringing ones. "Video creators, educators, journalists, and human rights organizations all depend on the ability to make copies of user-uploaded videos," EFF adds. In common with GitHub, EFF notes that the absence of a download button on YouTube doesn't imply that download tools automatically violate the DMCA, especially when there are no effective download restrictions on the platform. [...] According to EFF, Yout and similar tools provide the same functions as video cassette recorders once did. They allow people to make copies of videos that are posted publicly by their creators. In addition, these tools are vital for some reporters and useful to creatives who use them for future work.

Government

Larry Magid: Utah Bill Threatens Internet Security For Everyone (mercurynews.com) 89

"Wherever you live, you should be paying attention to Utah Senate Bill 152 and the somewhat similar House Bill 311," writes tech journalist and long-time child safety advocate Larry Magid in an op-ed via the Mercury News. "Even though it's legislation for a single state, it could set a dangerous precedent and make it harder to pass and enforce sensible federal legislation that truly would protect children and other users of connected technology." From the report: SB 152 would require parents to provide their government-issued ID and physical address in order for their child or teenager to access social media. But even if you like those provisions, this bill would require everyone -- including adults -- to submit government-issued ID to sign up for a social media account, including not just sites like Facebook, Instagram, Snapchat and TikTok, but also video sharing sites like YouTube, which is commonly used by schools. The bill even bans minors from being online between 10:30 p.m. and 6:30 a.m., empowering the government to usurp the rights of parents to supervise and manage teens' screen time. Should it be illegal for teens to get up early to finish their homework (often requiring access to YouTube or other social media) or perhaps access information that would help them do early morning chores? Parents -- not the state -- should be making and enforcing their family's schedule.

I oppose these bills from my perch as a long-time child safety advocate (I wrote "Child Safety on the Information Highway" in 1994 for the National Center for Missing & Exploited Children and am currently CEO of ConnectSafely.org). However well-intentioned, they could increase risk and deny basic rights to children and adults. SB 152 would require companies to keep a "record of any submissions provided under the requirements," which means there would not only be databases of all social media users, but also of users under 18, which could be hacked by criminals or foreign governments seeking information on Utah children and adults. And, in case you think that's impossible, there was a breach in 2006 of a database of children that was mandated by the State of Utah to protect them from sites that displayed or promoted pornography, alcohol, tobacco and gambling. No one expects a data breach, but they happen on a regular basis. There is also the issue of privacy. Social media is both media and speech, and some social media are frequented by people who might not want employers, family members, law enforcement or the government to know what information they're consuming. Whatever their interests, people should have the right to at least anonymously consume information or express their opinions. This should apply to everyone, regardless of who they are, what they believe or what they're interested in. [...]

It's important to always look at the potential unintended consequences of legislation. I'm sure the lawmakers in Utah who are backing this bill have the best interests of children in mind. But this wouldn't be the first law designed to protect children that actually puts them at risk or violates adult rights in the name of child protection. I applaud any policymaker who wants to find ways to protect kids and hold technology companies accountable for doing their part to protect privacy and security as well as employing best practices when it comes to the mental health and well-being of children. But the legislation, whether coming from Utah, another state or Washington, D.C., must be sensible, workable, constitutional and balanced, so that it, at the very least, does more good than harm.

Crime

US, UK Sanction 7 Men Tied To Trickbot Hacking Group (krebsonsecurity.com) 5

An anonymous reader quotes a report from KrebsOnSecurity: Authorities in the United States and United Kingdom today levied financial sanctions against seven men accused of operating "Trickbot," a cybercrime-as-a-service platform based in Russia that has enabled countless ransomware attacks and bank account takeovers since its debut in 2016. The U.S. Department of the Treasury says the Trickbot group is associated with Russian intelligence services, and that this alliance led to the targeting of many U.S. companies and government entities. Initially a stealthy trojan horse program delivered via email and used to steal passwords, Trickbot evolved into "a highly modular malware suite that provides the Trickbot Group with the ability to conduct a variety of illegal cyber activities, including ransomware attacks," the Treasury Department said.

"During the height of the COVID-19 pandemic in 2020, Trickbot targeted hospitals and healthcare centers, launching a wave of ransomware attacks against hospitals across the United States," the sanctions notice continued. "In one of these attacks, the Trickbot Group deployed ransomware against three Minnesota medical facilities, disrupting their computer networks and telephones, and causing a diversion of ambulances. Members of the Trickbot Group publicly gloated over the ease of targeting the medical facilities and the speed with which the ransoms were paid to the group."

Only one of the men sanctioned today is known to have been criminally charged in connection with hacking activity. According to the Treasury Department, the alleged senior leader of the Trickbot group is 34-year-old Russian national Vitaly "Bentley" Kovalev. A New Jersey grand jury indicted Kovalev in 2012 after an investigation by the U.S. Secret Service determined that he ran a massive "money mule" scheme, which used phony job offers to trick people into laundering money stolen from hacked small to mid-sized businesses in the United States. The 2012 indictment against Kovalev relates to cybercrimes he allegedly perpetrated prior to the creation of Trickbot.
A copy of the now-unsealed 2012 indictment of Kovalev is here (PDF).
Privacy

New York Moves Against Stalkerware (bloomberg.com) 15

An anonymous reader shares a report: Stalkers and domestic abusers in the US for years have been able to access the kind of surveillance tools typically associated with foreign spies. That's all because of a pervasive industry that promises to help people who want to secretly monitor their family members. Now, because of an action brought by the New York Attorney General, one player in the so-called stalkerware industry has agreed to notify the people who were infected with its spyware. But it was required to pay just $410,000 in civil penalties, in part because rather than taking issue with the harmful nature of the technology, state prosecutors cited only the companies' use of deceptive marketing.

A detailed legal filing provides a glimpse into the pernicious capabilities that stalkerware firms provide to consumers -- enabling buyers to collect victims' texts, photos, emails, direct messages, you name it. The case is the latest evidence that such apps are more popular than previously understood. The New York investigation determined that one Florida man owned 16 companies, distributing apps with names such as PhoneSpector and AutoForward Data Services that promoted mobile surveillance software. Once installed on a device, some of the apps would be invisible on a user's home screen and allow a stalker to remotely activate an individual's camera or microphone without their knowledge, according to the legal filing.

The Courts

Craig Wright Cannot Copyright Bitcoin File Format, Court Rules (decrypt.co) 57

UnknowingFool writes: UK Judge James Mellor has thrown out Craig Wright's cases against Bitcoin derivatives like Bitcoin Cash, as Wright cannot claim copyright on the Bitcoin file format. Wright had sued forks of Bitcoin claiming they breached his copyrights, to prevent them from operating. The judge disagreed, noting that Wright had failed to meet a requirement of copyright called "fixation" detailing where/when/how the original expression was first recorded somewhere in any media.

"Whilst I accept that the law of copyright will continue to face challenges with new digital technologies, I do not see any prospect of the law as currently stated and understood in the caselaw allowing copyright protection of subject-matter which is not expressed or fixed anywhere," wrote Judge Mellor. In other words Wright has failed to show any evidence that he wrote down the file format somewhere to claim that he created the file format.

This is not the first time Wright has failed to produce credible evidence in a court case: in an Oslo, Norway case last year Wright claimed he destroyed a hard drive in 2016 containing the Nakamoto original keys, despite telling a U.S. court in 2020 that he was waiting on the same keys to be delivered by a special courier. Those keys were later ruled to be fictitious.
Decrypt notes that Wright is "currently in the process of suing 15 Bitcoin developers to retrieve around 111,000 bitcoin after he lost the encrypted keys to access them when his home computer network was allegedly hacked."
Encryption

UK Proposes Making the Sale and Possession of Encrypted Phones Illegal (vice.com) 61

An anonymous reader quotes a report from Motherboard: A section of the UK government has proposed making the sale or possession of bespoke encrypted phones for crime a criminal offense in its own right. The measure is intended to help the country's law enforcement agencies tackle organized crime and those who facilitate it, but civil liberties experts tell Motherboard the proposal is overbroad and poorly defined, meaning it could sweep up other forms of secure communication used by the wider population if not adjusted. "At the moment the government proposal appears to be vague and overly broad. While it states that the provisions 'will not apply to commercially available mobile phones nor the encrypted messaging apps available on them' it is difficult to see how it will not result in targeting devices used on a daily [basis] by human rights defenders, protesters and pretty much all of us who want to keep our data secure," Ioannis Kouvakas, senior legal officer and assistant general counsel at UK-based activism organization Privacy International, told Motherboard in an email.

The proposal is included in a document published by the Home Office (PDF). In that document, the Home Office proposes two legislative measures that it says could be used to improve law enforcement's response to serious and organized crime, and is seeking input from law enforcement, businesses, lawyers, civil liberties NGOs, and the wider public. [...] The first measure looks to create new criminal offenses on the "making, modifying, supply, offering to supply and possession of articles for use in serious crime." The document points to several specific items: vehicle concealments used to hide illicit goods; digital templates for 3D-printing firearms; pill presses used in the drug trade; and "sophisticated encrypted communication devices used to facilitate organized crime." In other words, this change would make owning an encrypted phone, selling one, or making one for use in crime a crime in itself. [...]

With encrypted phones, the Home Office writes that both the encryption itself and modifications made to the phones are creating "considerable barriers" to law enforcement. Typically, phones from this industry use end-to-end encryption, meaning that messages are encrypted before leaving the device, rendering any interception by law enforcement ineffective. (Multiple agencies have instead found misconfigurations in how companies' encryption works, or hacked into firms, to circumvent this protection). Encrypted phone companies sometimes physically remove the microphone, camera, and GPS functionality from handsets too. Often distributors sell these phones for thousands of dollars for yearly subscriptions. Given that price, the Home Office says it is "harder to foresee a need for anyone to use them for legitimate, legal reasons." The Home Office adds that under one option for legislation, laws could still criminalize people who did not suspect the technology would be used for serious crime, simply because the technology is so "closely associated with serious crime." Potential signs could include someone paying for a phone "through means which disguise the identity of the payer," the document reads. Often distributors sell phones for Bitcoin or cash, according to multiple encrypted phone sellers that spoke to Motherboard. The document says "the provisions will not apply to commercially available mobile phones nor the encrypted messaging apps available on them." But the Home Office does not yet have a settled definition of what encompasses "sophisticated encrypted communication devices," leaving open the question of what exactly the UK would be prepared to charge a person for possessing or selling.

Security

Mysterious Leak of Booking Reservation Data is Being Used To Scam Customers (arstechnica.com) 7

For almost five years, Booking.com customers have been on the receiving end of a continuous series of scams that clearly demonstrate that criminals have obtained travel plans and other personal information customers provided to the travel site. From a report: One of the more recent shakedowns happened to an Ars reader who asked not to be identified by his real name. A few months ago, Thomas, as I'll call him, reserved and paid for a two-night stay scheduled for this July in a hotel in Italy. Last week, out of the blue, he received two emails. The headers show that the first message came from the genuine Booking.com domain. It purported to have been sent on behalf of the hotel in Italy and asked that he click a non-existent confirm button for his upcoming stay. It went on to inform him that the hotel would "also transfer all bookings made from that address to your account." As phishy as that sounds, the email included his full name, the confirmation number of his reservation, the correct name of the hotel, and the dates of the stay.
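The claim that "the headers show" the message came from the genuine Booking.com domain rests on the receiving server's SPF/DKIM/DMARC results and on whether the domain they vouch for aligns with the visible From: address. The following is an added example, not code from the Ars Technica report or from Booking.com: it applies that alignment check to two constructed messages, one where the authenticated domain matches the From: domain (as in the story) and one where a spoofer's own domain passed SPF and DKIM while impersonating the From: address. The Authentication-Results values, mail server names and addresses are made up for illustration. The caveat the story itself illustrates is that a passing result only proves the platform sent the mail; it says nothing about whether the partner account or data behind it was compromised.

```python
"""Check whether an e-mail's authentication headers support its visible From: domain.

Added example (not from the Ars Technica report). Implements the DMARC alignment
idea: the From: domain must match the domain that passed SPF or signed with DKIM,
as recorded in the receiving server's Authentication-Results header. All headers
and domains below are constructed for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: authenticated by the site's own domain, like the message in the story.
SAMPLE_LEGIT = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounce@bounce.booking.com; dkim=pass header.d=booking.com; dmarc=pass header.from=booking.com
From: "Hotel Example via Booking.com" <noreply@booking.com>
To: thomas@example.net
Subject: Please confirm your upcoming stay

Click the confirm button...
"""

# Constructed sample: SPF and DKIM pass, but for the attacker's domain, so nothing vouches for From:.
SAMPLE_SPOOF = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=mailer.attacker-example.com; dkim=pass header.d=attacker-example.com; dmarc=fail header.from=booking.com
From: "Booking.com" <noreply@booking.com>
To: thomas@example.net
Subject: Please confirm your upcoming stay

Click the confirm button...
"""

# Where each method records the domain it vouched for.
_DOMAIN_FIELD = {
    "spf": r"smtp\.mailfrom=([^\s;]+)",
    "dkim": r"header\.d=([^\s;]+)",
    "dmarc": r"header\.from=([^\s;]+)",
}


def _org_domain(domain: str) -> str:
    """Relaxed alignment: compare the last two labels. Assumption: a real deployment
    would consult the Public Suffix List so that e.g. 'example.co.uk' is handled."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_auth_results(value: str) -> dict:
    """Parse one Authentication-Results header into {method: {'result':..., 'domain':...}}.
    Only trust this header when it was written by your own mail server (authserv-id);
    an attacker can inject a fake one upstream."""
    out = {}
    for method, domain_re in _DOMAIN_FIELD.items():
        res = re.search(rf"\b{method}=(\w+)", value)
        if not res:
            continue
        dom = re.search(domain_re, value)
        domain = dom.group(1).lower() if dom else None
        if domain and "@" in domain:  # smtp.mailfrom may be a full address
            domain = domain.rsplit("@", 1)[1]
        out[method] = {"result": res.group(1).lower(), "domain": domain}
    return out


def sender_alignment(raw: str) -> dict:
    """Report whether SPF or DKIM authenticated a domain aligned with the From: domain."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    auth = parse_auth_results(msg.get("Authentication-Results", ""))

    def aligned(method: str) -> bool:
        entry = auth.get(method, {})
        return (
            entry.get("result") == "pass"
            and entry.get("domain") is not None
            and _org_domain(entry["domain"]) == _org_domain(from_domain)
        )

    spf_ok, dkim_ok = aligned("spf"), aligned("dkim")
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "authenticated_as_from_domain": spf_ok or dkim_ok,
    }


if __name__ == "__main__":
    for label, sample in (("legit", SAMPLE_LEGIT), ("spoof", SAMPLE_SPOOF)):
        print(label, sender_alignment(sample))
```

Run stand-alone, the first message is authenticated as booking.com and the second is not, even though both carry "pass" results. That is exactly why a passing check on the story's message points to abuse of the platform (or of a partner account on it) rather than to ordinary spoofing, and why the reservation details in the body, not the headers, are the real tell that data leaked.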
The Courts

Are Brands Protected In the Metaverse? Hermes and NFT Artist Spar In US Court (theguardian.com) 33

An anonymous reader quotes a report from The Guardian: Pictures of 100 Birkin bags covered in shaggy, multi-colored fur have become the focus of a court dispute that will decide how digital artists can depict commercial activities in their art and cast new light on whether brands are protected in the metaverse. In the case, being heard this week in a New York federal courtroom, the luxury handbag maker Hermes is challenging an artist who sells the futuristic digital works known as NFTs or non-fungible tokens. Artist and entrepreneur Mason Rothschild created images of the astonishingly expensive Hermes handbag, the Birkin, digitally covered the bags in fur and turned the pictures into an "art project," which he called MetaBirkin. Then he sold editions of the images online for total earnings of more than $1m, according to court records.

Hermes promptly sued, claiming the artist was simply "a digital speculator who is seeking to get rich quick by appropriating" the Hermes brand. The "Metabirkins brand simply rips off Hermes's famous Birkin trademark by adding the generic prefix "meta," read the original complaint filed by Hermes in January last year, noting that the "meta" in the name refers to the digital metaverse now being pumped by technology innovators as the next big thing in tech profit-making. Rothschild, whose real name is Sonny Estival, countered that he has a first amendment right to depict the hard-to-buy French handbags in his artwork, just as Andy Warhol portrayed giant Campbell's soup cans in his famous pop culture silk screens. "I'm not creating or selling fake Birkin bags. I'm creating art works that depict imaginary, fur-covered Birkin bags," said Rothschild in a letter to the community after the case was filed. "The fact that I sell the art using NFTs doesn't change the fact that it's art."
"One hurdle that Hermes will have to overcome in the case is the fact that US trademark law requires brands to register their trademarks for each specific type of use, so digital sales might require a separate registration," notes the report.

"In the end, [Michelle Cooke, a partner at the law firm Arentfox Schiff LLP, who advises brands on these types of trademark issues] says the decision might come down to whether the jury believes Rothschild did the MetaBirkin project as an artistic project 'or was it a money-making venture that he cast as an artistic project when he got into trouble.'"
United States

Few Americans Understand How Online Tracking Works, Finds Report 83

An anonymous reader quotes a report from The New York Times: Many people in the United States would like to control the information that companies can learn about them online. Yet when presented with a series of true-or-false questions about how digital devices and services track users, most Americans struggled to answer them, according to a report published (PDF) on Tuesday by the Annenberg School for Communication at the University of Pennsylvania. The report analyzed the results of a data privacy survey that included more than 2,000 adults in the United States. Very few of the respondents said they trusted the way online services handled their personal data. The survey also tested people's knowledge about how apps, websites and digital devices may amass and disclose information about people's health, TV-viewing habits and doorbell camera videos. Although many understood how companies can track their emails and website visits, a majority seemed unaware that there are only limited federal protections for the kinds of personal data that online services can collect about consumers.

Seventy-seven percent of the participants got nine or fewer of the 17 true-or-false questions right, amounting to an F grade, the report said. Only one person received an A grade, for correctly answering 16 of the questions. No one answered all of them correctly. Seventy-nine percent of survey respondents said they had "little control over what marketers" could learn about them online, while 73 percent said they did not have "the time to keep up with ways to control the information that companies" had about them. "The big takeaway here is that consent is broken, totally broken," Joseph Turow, a media studies professor at the University of Pennsylvania who was the lead author of the report, said in an interview. "The overarching idea that consent, either implicit or explicit, is the solution to this sea of data gathering is totally misguided -- and that's the bottom line."

The survey results challenge a data-for-services trade-off argument that the tech industry has long used to justify consumer tracking and to forestall government limits on it: Consumers may freely use a host of convenient digital tools -- as long as they agree to allow apps, sites, ad technology and marketing analytics firms to track their online activities and employ their personal information. But the new report suggests that many Americans aren't buying into the industry bargain. Sixty-eight percent of respondents said they didn't think it was fair that a store could monitor their online activity if they logged into the retailer's Wi-Fi. And 61 percent indicated they thought it was unacceptable for a store to use their personal information to improve the services they received from the store. Only a small minority -- 18 percent -- said they did not care what companies learned about them online.
"When faced with technologies that are increasingly critical for navigating modern life, users often lack a real set of alternatives and cannot reasonably forgo using these tools," Lina M. Khan, the chair of the Federal Trade Commission, said in a speech (PDF) last year.

In the talk, Ms. Khan proposed a "type of new paradigm" that could impose "substantive limits" on consumer tracking.
Medicine

Maryland Motor Vehicles Agency Wants To Know About Your Sleep Apnea (nbcwashington.com) 155

"Man goes to the doctor for a sleep apnea diagnosis, a few months later he gets a letter from the state of Maryland about his sleep apnea -- and they won't tell him how they found out about it," writes Slashdot reader schwit1. NBC4 Washington reports: Dr. David Allick, a dentist in Rockville, was diagnosed with mild sleep apnea in June 2022. Months later, he received a letter from the MVA requesting additional information about his diagnosis in order "to determine your fitness to drive." The September 2022 letter noted failure to return the required forms, which included a report from his physician, could result in the suspension of his license. Allick said he isn't clear how the state learned about his medical diagnosis. But more importantly, he said he was previously unaware of a little-known Maryland law requiring people to report their sleep apnea diagnosis to state driving authorities. Allick said he still has questions about what prompted the ordeal. "Everybody I talked to -- nobody's heard of anything like this," he said, also acknowledging: "I'm sure they want to keep the roads safe." schwit1 adds: "How is this not a HIPAA violation?"

The investigation team at NBC4 Washington found that Allick is one of 1,310 people whose sleep apnea diagnoses "have led to medical reviews by the Maryland MVA." The state agency didn't have data on how many of these Maryland drivers have had their license suspended.
Privacy

Wyze Security Cameras Will Go Offline Tonight For Two Hours (theverge.com) 69

If you have Wyze cameras or a Wyze home security system, you will need to make other arrangements to monitor your property from 12AM PT to 2AM PT tomorrow morning. The Verge reports: The smart home company sent an email to its customers this week stating that system maintenance on February 8th at 12AM PT will impact every feature of the system that relies on the app or website. That includes being able to alert Noonlight, the professional monitoring company Wyze uses for its Sense security system, about a potential break-in. Not only will your security system be down, but if you use Wyze cameras to keep an eye on things going bump in the night, you'll have to stay awake. Wyze cameras won't be able to upload any video to the cloud or send alerts for motion or other events to the app.

While it's a good thing that Wyze is giving customers a heads-up, the flip side is that everyone is getting a heads-up. It's posting a sign that any location using this equipment will be unprotected between these hours, with basically no notice to create a backup plan or take other precautions, depending on your security concerns. It's also worrisome that the professional security customers have paid for and rely on can be completely disabled for "maintenance."

Businesses

Ex-Coinbase Manager Pleads Guilty in Crypto-Related First Insider Trading Case (reuters.com) 7

A former Coinbase product manager pleaded guilty on Tuesday in what U.S. prosecutors have called the first insider trading case involving cryptocurrency, his defense lawyer said in a court hearing. From a report: Ishan Wahi, 32, pleaded guilty to two counts of conspiracy to commit wire fraud, after initially pleading not guilty last year. Prosecutors said Wahi shared confidential information with his brother Nikhil and their friend Sameer Ramani about forthcoming announcements of new digital assets that Coinbase would let users trade. "I knew that Sameer Ramani and Nikhil Wahi would use that information to make trading decisions," Ishan Wahi said during Tuesday's hearing in federal court in Manhattan. "It was wrong to misappropriate and disseminate Coinbase's property." Nikhil Wahi and Ramani were charged with using ethereum blockchain wallets to acquire digital assets and trading at least 14 times before Coinbase announcements between June 2021 and April 2022.

China

China's Top Android Phones Collect Way More Info (theregister.com) 42

Artem S. Tashkinov writes: Don't buy an Android phone in China, boffins have warned, as they come crammed with preinstalled apps transmitting privacy-sensitive data to third-party domains without consent or notice. The research, conducted by Haoyu Liu (University of Edinburgh), Douglas Leith (Trinity College Dublin), and Paul Patras (University of Edinburgh), suggests that private information leakage poses a serious tracking risk to mobile phone customers in China, even when they travel abroad in countries with stronger privacy laws.

In a paper titled "Android OS Privacy Under the Loupe: A Tale from the East," the trio of university boffins analyzed the Android system apps installed on the mobile handsets of three popular smartphone vendors in China: OnePlus, Xiaomi and Oppo Realme. The researchers looked specifically at the information transmitted by the operating system and system apps, in order to exclude user-installed software. They assume users have opted out of analytics and personalization, do not use any cloud storage or optional third-party services, and have not created an account on any platform run by the developer of the Android distribution. A sensible policy, but it doesn't seem to help much. Within this limited scope, the researchers found that Android handsets from the three named vendors "send a worrying amount of Personally Identifiable Information (PII) not only to the device vendor but also to service providers like Baidu and to Chinese mobile network operators."

Sci-Fi

First US Navy Pilot To Publicly Report UAPs Says 'Congress Must Reveal the Truth To the American People' (thehill.com) 192

Ryan Graves, a former U.S. Navy lieutenant and F/A-18F pilot who was the first active-duty fighter pilot to come forward publicly about regular sightings of unidentified anomalous phenomena (UAP), says more data on the phenomena is needed. "We should encourage pilots and other witnesses to come forward and keep the pressure on Congress to prioritize UAP as a matter of national security," writes Graves in an opinion piece for The Hill. An anonymous Slashdot reader shares an excerpt from his report: As a former U.S. Navy F/A-18 fighter pilot who witnessed unidentified anomalous phenomena (UAP) on a regular basis, let me be clear. The U.S. government, former presidents, members of Congress of both political parties and directors of national intelligence are trying to tell the American public the same uncomfortable truth I shared: Objects demonstrating extreme capabilities routinely fly over our military facilities and training ranges. We don't know what they are, and we are unable to mitigate their presence. The Office of the Director of National Intelligence (ODNI) last week published its second ever report on UAP activity. While the unclassified version is brief, its findings are sobering. Over the past year, the government has collected hundreds of new reports of enigmatic objects from military pilots and sensor systems that cannot be identified and "represent a hazard to flight safety." The report also preserves last year's review of the 26-year reporting period that some UAP may represent advanced technology, noting "unusual flight characteristics or performance capabilities."

Mysteriously, no UAP reports have been confirmed to be foreign so far. However, just this past week, a Chinese surveillance balloon shut down air traffic across the United States. How are we supposed to make sense of hundreds of reports of UAP that violate restricted airspace uncontested and interfere with both civilian and military pilots? Here is the hard truth. We don't know. UAP are a national security problem, and we urgently need more data.

Why don't we have more data? Stigma. I know the fear of stigma is a major problem because I was the first active-duty fighter pilot to come forward publicly about regular sightings of UAP, and it was not easy. There has been little support or incentive for aircrew to speak publicly on this topic. There was no upside to reporting hard-to-explain sightings within the chain of command, let alone doing so publicly. For pilots to feel comfortable, it will require a culture shift inside organizations and in society at large. I have seen for myself on radar and talked with the pilots who have experienced near misses with mysterious objects off the Eastern Seaboard that have triggered unsafe evasive actions and mandatory safety reports. There were 50 or 60 people who flew with me in 2014-2015 and could tell you they saw UAP every day. Yet only one other pilot has confirmed this publicly. I spoke out publicly in 2019, at great risk personally and professionally, because nothing was being done. The ODNI report itself notes that concentrated efforts to reduce stigma have been a major reason for the increase in reports this year. To get the data and analyze it scientifically, we must uproot the lingering cultural stigma of tin foil hats and "UFOs" from the 1950s that stops pilots from reporting the phenomena and scientists from studying it.

Last September, the U.S. Navy said that all of the government's UFO videos are classified information and releasing any additional UFO videos would "harm national security."

Crime

Finland's Most-Wanted Hacker Nabbed In France (krebsonsecurity.com) 17

An anonymous reader quotes a report from KrebsOnSecurity: Julius "Zeekill" Kivimaki, a 25-year-old Finnish man charged with extorting a local online psychotherapy practice and leaking therapy notes for more than 22,000 patients online, was arrested this week in France. A notorious hacker convicted of perpetrating tens of thousands of cybercrimes, Kivimaki had been in hiding since October 2022, when he failed to show up in court and Finland issued an international warrant for his arrest. [...] According to the French news site actu.fr, Kivimaki was arrested around 7 a.m. on Feb. 3, after authorities in Courbevoie responded to a domestic violence report. Kivimaki had been out earlier with a woman at a local nightclub, and later the two returned to her home but reportedly got into a heated argument. Police responding to the scene were admitted by another woman -- possibly a roommate -- and found the man inside still sleeping off a long night. When they roused him and asked for identification, the 6'3" blonde, green-eyed man presented an ID that stated he was of Romanian nationality. The French police were doubtful. After consulting records on most-wanted criminals, they quickly identified the man as Kivimaki and took him into custody.

Kivimaki initially gained notoriety as a self-professed member of the Lizard Squad, a mainly low-skilled hacker group that specialized in DDoS attacks. But American and Finnish investigators say Kivimaki's involvement in cybercrime dates back to at least 2008, when he was introduced to a founding member of what would soon become HTP. Finnish police said Kivimaki also used the nicknames "Ryan", "RyanC" and "Ryan Cleary" (Ryan Cleary was actually a member of a rival hacker group -- LulzSec -- who was sentenced to prison for hacking). Kivimaki and other HTP members were involved in mass-compromising web servers using known vulnerabilities, and by 2012 Kivimaki's alias Ryan Cleary was selling access to those servers in the form of a DDoS-for-hire service. Kivimaki was 15 years old at the time. In 2013, investigators going through devices seized from Kivimaki found computer code that had been used to crack more than 60,000 web servers using a previously unknown vulnerability in Adobe's ColdFusion software.

Multiple law enforcement sources told KrebsOnSecurity that Kivimaki was responsible for making an August 2014 bomb threat against former Sony Online Entertainment President John Smedley that grounded an American Airlines plane. That incident was widely reported to have started with a tweet from the Lizard Squad, but Smedley and others said it started with a call from Kivimaki. Kivimaki also was involved in calling in multiple fake bomb threats and "swatting" incidents -- reporting fake hostage situations at an address to prompt a heavily armed police response to that location.

Microsoft

Microsoft Swears It's Not Coming For Your Data With Scan For Old Office Versions (theregister.com) 94

Microsoft wants everyone to know that it isn't looking to invade their privacy while looking through their Windows PCs to find out-of-date versions of Office software. From a report: In its KB5021751 update last month, Microsoft included a plan to scan Windows systems to smoke out those Office versions that are no longer supported or nearing the end of support. Those include Office 2007 (which saw support end in 2017) and Office 2010 (in 2020) and the 2013 build (this coming April). The company stressed that it would run only one time and would not install anything on the user's Windows system, adding that the file for the update is scanned to ensure it's not infected by malware and is stored on highly secure servers to prevent unauthorized changes to it.

The update caused some discussion among users, at least enough to convince Microsoft to make another pitch that it is respecting user privacy and won't access private data despite scanning their systems. The update collects diagnostic and performance data so that it can determine the use of various versions of Office and how to best support and service them, the software maker wrote in an expanded note this week. The update will silently run once to collect the data and no files are left on the user's systems once the scan is completed.

Government

Are Citywide Surveillance Cameras Effective? (msn.com) 95

The Washington Post looks at the effectiveness — and the implications — of "citywide surveillance" networks, including Memphis's SkyCop, "built on 2,100 cameras that broadcast images back to a police command center every minute of every day." Known for their blinking blue lights, the SkyCop cameras now blanket many of the city's neighborhoods, gas stations, sidewalks and parks. The company that runs SkyCop, whose vice president of sales previously worked for the Memphis police, promotes it as a powerful crime deterrent that can help "neighborhoods take back their streets." But after a decade in which Memphis taxpayers have paid $10 million to expand the surveillance system, crime in the city has gone up....

No agency tracks nationwide camera installation statistics, but major cities have invested heavily in such networks. Police in Washington, D.C., said they had deployed cameras at nearly 300 intersections by 2021, up from 48 in 2007. In Chicago, more than 30,000 cameras are viewable by police; in parts of New York City, the cameras watch every block. Yet researchers have found no substantive evidence that the cameras actually reduce crime....

In federal court, judges have debated whether round-the-clock police video recording could constitute an unreasonable search as prohibited by the Fourth Amendment. Though the cameras are installed in public areas, they also capture many corners of residential life, including people's doors and windows. "Are we just going to put these cameras in front of everybody's house and monitor them and see if anybody's up to anything?" U.S. Circuit Judge O. Rogeriee Thompson said during oral arguments for one such case in 2021....

Dave Maass, a director at the digital rights group Electronic Frontier Foundation who researches police surveillance technology, said these systems have expanded rapidly in the United States without real evidence that they have led to a drop in crime. "This often isn't the community coming in and asking for it, it's police going to conferences where ... vendors are promising the world and that they'll miraculously solve crimes," Maass said. "But it's just a commercial thing. It's just business."

Nonetheless, the Post notes that in Memphis many SkyCop cameras are even outfitted "with license-plate recognition software that records the time and location of every passing car."

EU

After Cracking Another 'Secure' Messaging App, European Police Arrest 42 (barrons.com) 38

Slashdot reader lexios shares this report from the French international news agency Agence France-Press: European police arrested 42 suspects and seized guns, drugs and millions in cash, after cracking another encrypted online messaging service used by criminals, Dutch law enforcement said Friday. Police launched raids on 79 premises in Belgium, Germany and the Netherlands following an investigation that started back in September 2020 and led to the shutting down of the covert Exclu Messenger service.

After police and prosecutors got into the Exclu secret communications system, they were able to read the messages passed between criminals for five months before the raids, said Dutch police. Those arrested include users of the app, as well as its owners and controllers. Police in France, Italy and Sweden, as well as Europol and Eurojust, its justice agency twin, also took part in the investigation. The police raids uncovered at least two drugs labs, one cocaine-processing facility, several kilograms of drugs, four million euros in cash, luxury goods and guns, Dutch police said.

The "secure" messaging app was used by around 3,000 people who paid 800 euros (roughly $866 USD) for a six-month subscription.
