Privacy

Your Anonymous OpenTable Reviews Will Soon Display Your First Name (engadget.com) 34

OpenTable's restaurant pages still feature a lot of reviews left by anonymous diners at the moment, but that will not be the case starting next month. From a report: The online restaurant reservation service is changing its policy around reviews so that they're not as anonymous -- and it's even applying the new rule retroactively. As BleepingComputer reports, it told users in an email that starting on May 22, it "will begin displaying diner first names and profile photos on all diner reviews." Further, "this update will also apply to past reviews."

"We've heard from you, our diners, that trust and transparency are important when looking at reviews," the company also said in its letter, insinuating that it's changing the way reviews work based on user feedback. As BleepingComputer says, it'll be easy to match a bad review with customer reservation records based on the user's first name and when the post was made. While that's not nearly as bad as Glassdoor publishing people's names alongside their employer reviews without consent, it could still be very uncomfortable for people who wanted to talk about bad experiences without the fear of not being welcomed back into a particular establishment.

HP

We Never Agreed To Only Buy HP Ink, Say Printer Owners (theregister.com) 116

HP "sought to take advantage of customers' sunk costs," printer owners claimed this week in a class action lawsuit against the hardware giant. The Register: Lawyers representing the aggrieved were responding in an Illinois court to an earlier HP motion to dismiss a January lawsuit. Among other things, the plaintiffs' filing stated that the printer buyers "never entered into any contractual agreement to buy only HP-branded ink prior to receiving the firmware updates." They allege HP broke several anti-competitive statutes, which they claim: "bar tying schemes, and certain uses of software to accomplish that without permission, that would monopolize an aftermarket for replacement ink cartridges, when these results are achieved in a way that 'take[s] advantage of customers' sunk costs.'"

In the case, which began in January, the plaintiffs are arguing that HP issued a firmware update between late 2022 and early 2023 that they allege disabled their printers if they installed a replacement cartridge that was not HP-branded. They are asking for damages that include the cost of now-useless third-party cartridges and an injunction to disable the part of the firmware updates that prevent the use of third-party ink.

Google

Google Is Killing Its VPN Service (engadget.com) 30

An anonymous reader shares a report: If you're -- apparently, one of the few people -- using the VPN service that comes with Google One, we've got bad news for you. In an email you're going to receive from Google if you haven't gotten it yet, it revealed that it's phasing out the perk sometime later this year. The company rolled out Google One's VPN feature back in 2020, but you could only access it then if you're paying for a plan with at least 2TB of storage, which costs at least $10 a month. Last year, the company expanded its availability across all One plans, including the basic $2-per-month option, making it more affordable than before.

The Courts

Amazon Owes $525 Million In Cloud-Storage Patent Fight, US Jury Says (reuters.com) 38

A federal jury in Illinois on Wednesday said Amazon Web Services owes tech company Kove $525 million for violating three patents relating to its data-storage technology. From the report: The jury determined (PDF) that AWS infringed three Kove patents covering technology that Kove said had become "essential" to the ability of Amazon's cloud-computing arm to "store and retrieve massive amounts of data." An Amazon spokesperson said the company disagrees with the verdict and intends to appeal. Kove's lead attorney Courtland Reichman called the verdict "a testament to the power of innovation and the importance of protecting IP (intellectual property) rights for start-up companies against tech giants." Kove also sued Google last year for infringing the same three patents in a separate Illinois lawsuit that is still ongoing.

Security

Hackable Intel and Lenovo Hardware That Went Undetected For 5 Years Won't Ever Be Fixed (arstechnica.com) 62

An anonymous reader quotes a report from Ars Technica: Hardware sold for years by the likes of Intel and Lenovo contains a remotely exploitable vulnerability that will never be fixed. The cause: a supply chain snafu involving an open source software package and hardware from multiple manufacturers that directly or indirectly incorporated it into their products. Researchers from security firm Binarly have confirmed that the lapse has resulted in Intel, Lenovo, and Supermicro shipping server hardware that contains a vulnerability that can be exploited to reveal security-critical information. The researchers, however, went on to warn that any hardware that incorporates certain generations of baseboard management controllers made by Duluth, Georgia-based AMI or Taiwan-based ATEN is also affected.

BMCs are tiny computers soldered into the motherboard of servers that allow cloud centers, and sometimes their customers, to streamline the remote management of vast fleets of servers. They enable administrators to remotely reinstall OSes, install and uninstall apps, and control just about every other aspect of the system -- even when it's turned off. BMCs provide what's known in the industry as "lights-out" system management. AMI and ATEN are two of several makers of BMCs. For years, BMCs from multiple manufacturers have incorporated vulnerable versions of open source software known as lighttpd. Lighttpd is a fast, lightweight web server that's compatible with various hardware and software platforms. It's used in all kinds of wares, including in embedded devices like BMCs, to allow remote administrators to control servers remotely with HTTP requests. [...] "All these years, [the lighttpd vulnerability] was present inside the firmware and nobody cared to update one of the third-party components used to build this firmware image," Binarly researchers wrote Thursday. "This is another perfect example of inconsistencies in the firmware supply chain. A very outdated third-party component present in the latest version of firmware, creating additional risk for end users. Are there more systems that use the vulnerable version of lighttpd across the industry?"

The vulnerability makes it possible for hackers to identify memory addresses responsible for handling key functions. Operating systems take pains to randomize and conceal these locations so they can't be used in software exploits. By chaining an exploit for the lighttpd vulnerability with a separate vulnerability, hackers could defeat this standard protection, which is known as address space layout randomization. The chaining of two or more exploits has become a common feature of hacking attacks these days as software makers continue to add anti-exploitation protections to their code. Tracking the supply chain for multiple BMCs used in multiple server hardware is difficult. So far, Binarly has identified AMI's MegaRAC BMC as one of the vulnerable BMCs. The security firm has confirmed that the AMI BMC is contained in the Intel Server System M70KLP hardware. Information about BMCs from ATEN or hardware from Lenovo and Supermicro isn't available at the moment. The vulnerability is present in any hardware that uses lighttpd versions 1.4.35, 1.4.45, and 1.4.51.

"A potential attacker can exploit this vulnerability in order to read memory of Lighttpd Web Server process," Binarly researchers wrote in an advisory. "This may lead to sensitive data exfiltration, such as memory addresses, which can be used to bypass security mechanisms such as ASLR." Advisories are available here, here, and here.

AI

US Lawmaker Proposes a Public Database of All AI Training Material 30

An anonymous reader quotes a report from Ars Technica: Amid a flurry of lawsuits over AI models' training data, US Representative Adam Schiff (D-Calif.) has introduced (PDF) a bill that would require AI companies to disclose exactly which copyrighted works are included in datasets training AI systems. The Generative AI Disclosure Act "would require a notice to be submitted to the Register of Copyrights prior to the release of a new generative AI system with regard to all copyrighted works used in building or altering the training dataset for that system," Schiff said in a press release.

The bill is retroactive and would apply to all AI systems available today, as well as to all AI systems to come. It would take effect 180 days after it's enacted, requiring anyone who creates or alters a training set not only to list works referenced by the dataset, but also to provide a URL to the dataset within 30 days before the AI system is released to the public. That URL would presumably give creators a way to double-check if their materials have been used and seek any credit or compensation available before the AI tools are in use. All notices would be kept in a publicly available online database.

Currently, creators who don't have access to training datasets rely on AI models' outputs to figure out if their copyrighted works may have been included in training various AI systems. The New York Times, for example, prompted ChatGPT to spit out excerpts of its articles, relying on a tactic to identify training data by asking ChatGPT to produce lines from specific articles, which OpenAI has curiously described as "hacking." Under Schiff's law, The New York Times would need to consult the database to ID all articles used to train ChatGPT or any other AI system. Any AI maker who violates the act would risk a "civil penalty in an amount not less than $5,000," the proposed bill said.

Schiff described the act as championing "innovation while safeguarding the rights and contributions of creators, ensuring they are aware when their work contributes to AI training datasets."

"This is about respecting creativity in the age of AI and marrying technological progress with fairness," Schiff said.

Apple

Apple Will Open the iPhone To Repair With Used Parts (theverge.com) 23

Apple is finally making it easier for users to repair their iPhones with used parts. From a report: In an update on Thursday, the company announced that this fall, owners of "select" iPhone models will be able to repair their devices with used, genuine parts while retaining full functionality. When repairing a phone, Apple requires iPhone users to go through a process called parts pairing, which makes them match the serial number of their device to that of a new part sold by Apple. If a user replaced a part with an aftermarket or used component, the iPhone would display pesky notifications saying that Apple isn't able to verify the newly installed piece. In the case of Face ID and Touch ID sensors, the part might not work at all. This change should do away with these notifications for used parts, as Apple says "calibration for genuine Apple parts, new or used, will happen on device after the part is installed." It also means users and repair shops will no longer have to provide the serial number of the device they're fixing when ordering most parts from the Self Service Repair Store.

Privacy

DuckDuckGo Launches Privacy Pro: A 3-in-1 Service That Includes a VPN (betanews.com) 34

DuckDuckGo, the privacy-focused web search and browser company, announced today the launch of its first subscription service, Privacy Pro. The service, priced at $9.99 per month or $99.99 per year, includes a browser-based tool that automatically scans data broker websites for users' personal information and requests its removal. The service also includes DuckDuckGo's first VPN and an identity-theft-restoration service. Available initially only in the U.S.

United Kingdom

UK Considers Banning Smartphone Sales To Children Under 16 (theguardian.com) 108

An anonymous reader quotes a report from The Guardian: Ministers are considering banning the sale of smartphones to children under the age of 16 after a number of polls have shown significant public support for such a curb. The government issued guidance on the use of mobile phones in English schools two months ago, but other curbs are said to have been considered to better protect children after a number of campaigns. [...] A March survey by Parentkind, of 2,496 parents of school-age children in England, found 58% of parents believe the government should ban smartphones for under-16s. It also found more than four in five parents said they felt smartphones were "harmful" to children and young people.

Another survey by More in Common revealed 64% of people thought that a ban on selling smartphones to under-16s would be a good idea, compared with 20% who said it was a bad idea. The curb was even popular among 2019 Tory voters, according to the thinktank, which found 72% backed a ban, as did 61% of Labour voters. But the thought of another ban has left some Conservatives uneasy. One Tory government source described the idea as "out of touch," noting: "It's not the government's role to step in and microparent; we're meant to make parents more aware of the powers they have like restrictions on websites, apps and even the use of parental control apps." They said only in extreme cases could the government "parent better than actual parents and guardians."

Security

Microsoft Employees Exposed Internal Passwords In Security Lapse (techcrunch.com) 24

Zack Whittaker and Carly Page report via TechCrunch: Microsoft has resolved a security lapse that exposed internal company files and credentials to the open internet. Security researchers Can Yoleri, Murat Ozfidan and Egemen Kochisarli with SOCRadar, a cybersecurity company that helps organizations find security weaknesses, discovered an open and public storage server hosted on Microsoft's Azure cloud service that was storing internal information relating to Microsoft's Bing search engine. The Azure storage server housed code, scripts and configuration files containing passwords, keys and credentials used by the Microsoft employees for accessing other internal databases and systems. But the storage server itself was not protected with a password and could be accessed by anyone on the internet.

Yoleri told TechCrunch that the exposed data could potentially help malicious actors identify or access other places where Microsoft stores its internal files. Identifying those storage locations "could result in more significant data leaks and possibly compromise the services in use," Yoleri said. The researchers notified Microsoft of the security lapse on February 6, and Microsoft secured the spilling files on March 5. It's not known for how long the cloud server was exposed to the internet, or if anyone other than SOCRadar discovered the exposed data inside.

The Courts

Biden Considering Request To Drop Assange Charges (bbc.com) 146

President Joe Biden said he is "considering" a request from Australia to drop the prosecution of WikiLeaks founder Julian Assange. The BBC reports: The country's parliament recently passed a measure -- backed by PM Anthony Albanese -- calling for the return of Mr Assange to his native Australia. The US wants to extradite the 52-year-old from the UK on criminal charges over the leaking of military records. Mr Assange denies the charges, saying the leaks were an act of journalism. The president was asked about Australia's request on Wednesday and said: "We're considering it."

Mr Assange, 52, is fighting extradition in the UK courts. The extradition was put on hold in March after London's High Court said the United States must provide assurances he would not face the death penalty. The High Court is due to evaluate any responses from the US authorities at the end of May.

The measure passed the Australian parliament in February. Mr Albanese told MPs: "People will have a range of views about Mr Assange's conduct... But regardless of where people stand, this thing cannot just go on and on and on indefinitely."

Piracy

MPA Has Big Plans To Crack Down on Movie Piracy Again (theverge.com) 88

The Motion Picture Association is going off on piracy again. During CinemaCon in Las Vegas, MPA CEO Charles Rivkin announced that the organization plans on working with Congress to pass rules blocking websites with pirated content. The Verge: The MPA is a trade association representing Hollywood studios, including Paramount, Sony, Universal, and Disney (it's also behind the ratings board that gives you an R if you say curse words too often). It has long lobbied for anti-piracy laws, but it seems the battle is heating up again. In his speech on Tuesday, Rivkin highlights what a major problem piracy in the US has become, saying it costs "hundreds of thousands of jobs" and "more than one billion in theatrical ticket sales."

It's true: piracy has gone up in recent years. A report from piracy data analytics company Muso revealed that video piracy websites around the globe received 141 billion visits in 2023, making for a 12 percent increase when compared to 2019. The US and India made up most of these visits. But at the same time, the price to subscribe to a streaming service is higher than ever, and so is the cost of a movie ticket. The solution to stopping piracy, at least in Rivkin's eyes, is to prevent users from accessing piracy websites altogether.

Privacy

Proton Acquires Standard Notes (zdnet.com) 10

Privacy startup Proton already offers an email app, a VPN tool, cloud storage, a password manager, and a calendar app. In April 2022, Proton acquired SimpleLogin, an open-source product that generates email aliases to protect inboxes from spam and phishing. Today, Proton acquired Standard Notes, advancing its already strong commitment to the open-source community. From a report: Standard Notes is an open-source note-taking app, available on both mobile and desktop platforms, with a user base of over 300,000. [...] Proton founder and CEO Andy Yen makes a point of stating that Standard Notes will remain open-source, will continue to undergo independent audits, will continue to develop new features and updates, and that prices for the app/service will not change. Standard Notes has three tiers: Free, which includes 100MB of storage, offline access, and unlimited device sync; Productivity for $90 per year, which includes features like markdown, spreadsheets with advanced formulas, Daily Notebooks, and two-factor authentication; and Professional for $120 per year, which includes 100GB of cloud storage, sharing for up to five accounts, no file limit size, and more.

The Courts

Cox Plans To Take Piracy Liability Battle To the Supreme Court (torrentfreak.com) 70

An anonymous reader quotes a report from TorrentFreak: Cox Communications doesn't believe that ISPs should be held liable for the activities of their pirating subscribers. After a disappointing verdict from a Virginia jury and an unsatisfactory outcome at the Court of Appeals, the internet provider now intends to escalate the matter to the Supreme Court. If the present verdict stands, innocent people risk losing their Internet access, the ISP notes. [...] That's notable, as it would be the first time that a "repeat infringer" case ends up at the highest court in the United States. Cox asked the court of appeals to also stay its mandate pending its Supreme Court application, as this could steer the legal battle in yet another direction.

According to Cox, the Supreme Court has substantial reasons to take on the case. For one, there are currently conflicting court of appeals rulings on the "material contribution" aspect of copyright infringement. The Supreme Court could give more clarity on when a service, with a myriad of lawful uses, can be held liable for infringers. In addition, Cox also cites the recent 'Twitter vs. Taamneh' Supreme Court ruling, which held that social media platforms aren't liable for terrorists who use their network. While that's not a copyright case, it's relevant for the secondary liability question, the ISP argues. "Though Twitter was not a copyright case, it confronted a directly analogous theory of secondary liability: that social-media platforms, including Twitter and YouTube, could be liable for continuing to provide services to those they knew were using them for illegal purposes," Cox writes.

Finally, Cox notes that the Supreme Court should hear the case because it deals with an issue that's 'exceptionally important' to ISPs as well as the public. If the present verdict stands, Internet providers may be much more likely to terminate Internet access, even if the subscriber is innocent. "This Court's material-contribution standard provides powerful incentives for ISPs of all stripes to swiftly terminate internet services that have been used to infringe -- no matter the universe of lawful uses to which those services are put, or the consequences to innocent, non-infringing people who also use those services." "That is why a chorus of amici urged this Court not to adopt this standard at the panel and en banc stages, and will likely urge the Supreme Court to grant review as well," Cox adds, referring to the support it received from third parties previously.

"Cox hasn't filed a writ of certiorari yet and still has time, as it's due June 17, 2024," notes TorrentFreak. "The intention to go to the Supreme Court would be another reason to halt the new damages trial, according to Cox, but the court of appeals rejected the request."

"This means that the new damages trial can start, even if the case is still pending at the Supreme Court. However, it's clear that this legal battle is far from over yet."

United States

A Breakthrough Online Privacy Proposal Hits Congress (wired.com) 27

An anonymous reader quotes a report from Wired: Congress may be closer than ever to passing a comprehensive data privacy framework after key House and Senate committee leaders released a new proposal on Sunday. The bipartisan proposal, titled the American Privacy Rights Act, or APRA, would limit the types of consumer data that companies can collect, retain, and use, allowing solely what they'd need to operate their services. Users would also be allowed to opt out of targeted advertising, and have the ability to view, correct, delete, and download their data from online services. The proposal would also create a national registry of data brokers, and force those companies to allow users to opt out of having their data sold. [...] In an interview with The Spokesman Review on Sunday, [Cathy McMorris Rodgers, House Energy and Commerce Committee chair] claimed that the draft's language is stronger than any active laws, seemingly as an attempt to assuage the concerns of Democrats who have long fought attempts to preempt preexisting state-level protections. APRA does allow states to pass their own privacy laws related to civil rights and consumer protections, among other exceptions.

In the previous session of Congress, the leaders of the House Energy and Commerce Committees brokered a deal with Roger Wicker, the top Republican on the Senate Commerce Committee, on a bill that would preempt state laws with the exception of the California Consumer Privacy Act and the Biometric Information Privacy Act of Illinois. That measure, titled the American Data Privacy and Protection Act, also created a weaker private right of action than most Democrats were willing to support. Maria Cantwell, Senate Commerce Committee chair, refused to support the measure, instead circulating her own draft legislation. The ADPPA hasn't been reintroduced, but APRA was designed as a compromise. "I think we have threaded a very important needle here," Cantwell told The Spokesman Review. "We are preserving those standards that California and Illinois and Washington have."

APRA includes language from California's landmark privacy law allowing people to sue companies when they are harmed by a data breach. It also provides the Federal Trade Commission, state attorneys general, and private citizens the authority to sue companies when they violate the law. The categories of data that would be impacted by APRA include certain categories of "information that identifies or is linked or reasonably linkable to an individual or device," according to a Senate Commerce Committee summary of the legislation. Small businesses -- those with $40 million or less in annual revenue and limited data collection -- would be exempt under APRA, with enforcement focused on businesses with $250 million or more in yearly revenue. Governments and "entities working on behalf of governments" are excluded under the bill, as are the National Center for Missing and Exploited Children and, apart from certain cybersecurity provisions, "fraud-fighting" nonprofits. Frank Pallone, the top Democrat on the House Energy and Commerce Committee, called the draft "very strong" in a Sunday statement, but said he wanted to "strengthen" it with tighter child safety provisions.

Businesses

Insurers Are Spying on Your Home From the Sky (wsj.com) 104

Across the U.S., insurance companies are using aerial images of homes as a tool to ditch properties seen as higher risk [non-paywalled link]. From a report: Nearly every building in the country is being photographed, often without the owner's knowledge. Companies are deploying drones, manned airplanes and high-altitude balloons to take images of properties. No place is shielded: The industry-funded Geospatial Insurance Consortium has an airplane imagery program it says covers 99% of the U.S. population. The array of photos is being sorted by computer models to spy out underwriting no-nos, such as damaged roof shingles, yard debris, overhanging tree branches and undeclared swimming pools or trampolines. The red-flagged images are providing insurers with ammunition for nonrenewal notices nationwide.

Your Rights Online

Crypto Scam Criminal Trial Tests 'Code Is Law' Claim by Trader (bloomberg.com) 87

A jailed trader accused of stealing $110 million on the Mango Markets exchange faces a criminal trial this week that will test the reach of a US crackdown on cryptocurrencies. From a report: Prosecutors charged Avraham Eisenberg with manipulating Mango Markets futures contracts on Oct. 11, 2022, to boost the price of swaps by 1,300% in 20 minutes. He then "borrowed" from the exchange against the inflated value of those contracts, a move the government claims was a theft. Jury selection begins Monday in New York federal court, where groundbreaking crypto cases have played out. FTX co-founder Sam Bankman-Fried was sentenced there last month to 25 years in prison for orchestrating a multibillion-dollar scheme, while Terraform Labs Pte. and co-founder Do Kwon were found liable Friday for fraud in a civil trial over the firm's 2022 collapse, which wiped out $40 billion in investor assets.

Eisenberg, a self-described "applied game theorist," claims his actions weren't theft at all. Rather, he says, he legally exploited a weakness in the decentralized finance application. The trial will apparently be the first time a US criminal jury will weigh what type of "DeFi" transactions are legal. In the crypto world, where digital blockchains govern who owns what, the virtual ecosystem is built around the notion that "code is law." It means that if something isn't explicitly forbidden by terms of a crypto platform, then government can't intercede. But prosecutors say those rules can't protect traders against possible criminal charges for market manipulation or fraud.

Security

NIST Blames 'Growing Backlog of Vulnerabilities' Requiring Analysis on Lack of Support (infosecurity-magazine.com) 22

It's the world's most widely used vulnerability database, reports SC Magazine, offering standards-based data on CVSS severity scores, impacted software and platforms, contributing weaknesses, and links to patches and additional resources.

But "there is a growing backlog of vulnerabilities" submitted to America's National Vulnerability Database and "requiring analysis", according to a new announcement from the U.S. Commerce Department's National Institute of Standards. "This is based on a variety of factors, including an increase in software and, therefore, vulnerabilities, as well as a change in interagency support." From SC Magazine: According to NIST's website, the institute analyzed only 199 of 3370 CVEs it received last month. [And this month another 677 came in — of which 24 have been analyzed.]

Other than a short notice advising it was working to establish a new consortium to improve the NVD, NIST had not provided a public explanation for the problems prior to a statement published [April 2]... "Currently, we are prioritizing analysis of the most significant vulnerabilities. In addition, we are working with our agency partners to bring on more support for analyzing vulnerabilities and have reassigned additional NIST staff to this task as well."

NIST, which had its budget cut by almost 12% this year by lawmakers, said it was committed to continuing to support and manage the NVD, which it described as "a key piece of the nation's cybersecurity infrastructure... We are also looking into longer-term solutions to this challenge, including the establishment of a consortium of industry, government and other stakeholder organizations that can collaborate on research to improve the NVD," the statement said. "We will provide more information as these plans develop..."

A group of cybersecurity professionals have signed an open letter to Congress and Commerce Secretary Gina Raimondo in which they say the enrichment issue is the result of a recent 20% cut in NVD funding.

The article also cites remarks from NVD program manager Tanya Brewer (reported by Infosecurity Magazine) from last week's VulnCon conference on plans to establish a NVD consortium. "We're not going to shut down the NVD; we're in the process of fixing the current problem. And then, we're going to make the NVD robust again and we'll make it grow."

Thanks to Slashdot reader spatwei for sharing the article.

United States

US Energy Department Announces 'Blueprint' for Slashing Emissions From Buildings and Reducing Energy Use (energy.gov) 76

This week America's Department of Energy announced "a comprehensive plan to reduce greenhouse-gas emissions from buildings by 65% by 2035 and 90% by 2050." The U.S. Department of Energy (DOE) led the Blueprint's development in collaboration with the Department of Housing and Urban Development, the Environmental Protection Agency, and other federal agencies. The Blueprint is the first sector-wide strategy for building decarbonization developed by the federal government... "America's building sector accounts for more than a third of the harmful emissions jeopardizing our air and health..." said U.S. Secretary of Energy Jennifer M. Granholm. "As part of a whole-of-government approach, the Department of Energy is outlining for the first time ever a comprehensive federal plan to reduce energy in our homes, schools, and workplaces — lowering utility bills and creating healthier communities while combating the climate crisis."

Buildings account for more than one third of domestic climate pollution and $370 billion in annual energy costs... The Blueprint projects reductions of 90% of total greenhouse gas emissions from the buildings sector, which will save consumers more than $100 billion in annual energy costs and avoid $17 billion in annual health costs.

Just for example, the Department of Energy's Affordable Home Energy Shot program "aims to reduce the upfront cost of upgrading a home by at least 50% and reduce energy bills by 20% within a decade." (Meanwhile, the federal government's role in making more change happen faster includes financing, funding R&D on lower-cost technologies, expanding markets, and "supporting the development and implementation of emissions-reducing building codes and appliance standards.")

Besides the national blueprint, the Department also announced an expansion of its Better Buildings Commercial Building Heat Pump Accelerator initiative. In this program, "manufacturers will produce higher efficiency and life cycle cost-effective heat pump rooftop units and commercial organizations will evaluate and adopt next-generation heat pump technology."

U.S. Secretary of Energy Jennifer M. Granholm said the program "builds on more than a decade of public-private partnerships to get cutting edge clean technologies from lab to market, helping to slash harmful carbon emissions throughout our economy." On average, between 20% and 30% of the nation's energy is wasted, presenting a significant opportunity to increase energy efficiency. Through the Better Buildings Initiative, DOE partners with public and private sector stakeholders to pursue ambitious portfolio-wide energy, waste, water, and/or emissions reduction goals and publicly share solutions. By improving building design, materials, equipment, and operations, energy efficiency gains can be achieved across broad segments of the nation's economy.

The Accelerator initiative was developed with commercial end users like Amazon, IKEA, and Target, and already includes manufacturers AAON, Carrier Global Corp., Lennox International, Rheem Manufacturing Co., Trane Technologies, and York International Corp. The Accelerator aims to bring more efficient, affordable next-generation heat pump rooftop units to market as soon as 2027 — which will slash both emissions and energy costs in half compared to natural gas-fueled heat pumps. If deployed at scale, they could save American businesses and commercial entities $5 billion on utility bills every year.

AI

In America, A Complex Patchwork of State AI Regulations Has Already Arrived (cio.com) 13

While the European Parliament passed a wide-ranging "AI Act" in March, "Leaders from Microsoft, Google, and OpenAI have all called for AI regulations in the U.S.," writes CIO magazine. Even the Chamber of Commerce, "often opposed to business regulation, has called on Congress to protect human rights and national security as AI use expands," according to the article, while the White House has released a blueprint for an AI bill of rights.

But even though the U.S. Congress hasn't passed AI legislation, 16 different U.S. states have, "and state legislatures have already introduced more than 400 AI bills across the U.S. this year, six times the number introduced in 2023."

Many of the bills are targeted both at the developers of AI technologies and the organizations putting AI tools to use, says Goli Mahdavi, a lawyer with global law firm BCLP, which has established an AI working group. And with populous states such as California, New York, Texas, and Florida either passing or considering AI legislation, companies doing business across the US won't be able to avoid the regulations. Enterprises developing and using AI should be ready to answer questions about how their AI tools work, even when deploying automated tools as simple as spam filtering, Mahdavi says. "Those questions will come from consumers, and they will come from regulators," she adds. "There's obviously going to be heightened scrutiny here across the board."

There are sector-specific bills, and bills that demand transparency (of both development and output), according to the article. "The third category of AI bills covers broad AI bills, often focused on transparency, preventing bias, requiring impact assessment, providing for consumer opt-outs, and other issues."

One example the article notes is Senate Bill 1047, introduced in the California State Legislature in February, which "would require safety testing of AI products before they're released, and would require AI developers to prevent others from creating derivative models of their products that are used to cause critical harms."

Adrienne Fischer, a lawyer with Basecamp Legal, a Denver law firm monitoring state AI bills, tells CIO that many of the bills promote best practices in privacy and data security, but says the fragmented regulatory environment "underscores the call for national standards or laws to provide a coherent framework for AI usage."

Thanks to Slashdot reader snydeq for sharing the article.
