Microsoft

DuckDuckGo Browser's Stricter Privacy Protection Will Also Apply To Microsoft Scripts Now (theverge.com) 22

After a revelation in May that DuckDuckGo's (DDG) privacy-focused web browser allows Microsoft tracking scripts on third-party websites, the company now says it will start blocking those too. From a report: DuckDuckGo's browser had third-party tracker loading protection by default that already blocked scripts embedded on websites from Facebook, Google, and others, but until now Microsoft's scripts from the Bing and LinkedIn domains (but not its third-party cookies) had a pass.

A security researcher named Zach Edwards pointed out the exclusion, which he apparently uncovered while auditing the browser's privacy claims, and noted it is especially curious because Microsoft is the partner that delivers ads in DDG's search engine (while promising not to use that data to create a monitored profile of users to target ads, instead relying on context to decide which ones it should show). DuckDuckGo CEO Gabe Weinberg said at the time that the reason for it was a search syndication agreement with Microsoft, and that more updates on third-party tracker preventions were coming. A backlash ensued, with some seizing on DuckDuckGo's own words that "tracking is tracking," a phrase the company used against Google's cookie-replacing "privacy sandbox" ad technology. Now Weinberg writes in a blog post, "I've heard from a number of users and understand that we didn't meet their expectations around one of our browser's web tracking protections." DuckDuckGo is vowing to be more transparent about which trackers its browser and extensions protect users from, making its tracker blocklists available and offering users more information on how its tracking protections work via a new help page.

Privacy

Facial Recognition Smartwatches To Be Used To Monitor Foreign Offenders in UK (theguardian.com) 51

Migrants who have been convicted of a criminal offence will be required to scan their faces up to five times a day using smartwatches installed with facial recognition technology under plans from the Home Office and the Ministry of Justice. From a report: In May, the government awarded a contract to the British technology company Buddi Limited to deliver "non-fitted devices" to monitor "specific cohorts" as part of the Home Office Satellite Tracking Service. The scheme is due to be introduced from the autumn across the UK, at an initial cost of $7.24m.

A Home Office data protection impact assessment (DPIA) from August 2021, obtained by the charity Privacy International through a freedom of information request, assessed the impact of the smartwatch technology before contracting a supplier. In the documents, seen by the Guardian, the Home Office says the scheme will involve "daily monitoring of individuals subject to immigration control," with the requirement to wear either a fitted ankle tag or a smartwatch, carried with them at all times. Those obliged to wear the devices will need to complete periodic monitoring checks throughout the day by taking a photograph of themselves on a smartwatch, with information including their names, date of birth, nationality and photographs stored for up to six years. Locations will be tracked "24/7, allowing trail monitoring data to be recorded."

The Courts

US Attorneys General Will Take Legal Action Against Telecom Providers Enabling Robocalls (engadget.com) 69

The Attorneys General of all 50 states have joined forces in hopes of giving teeth to the seemingly never-ending fight against robocalls. Engadget reports: North Carolina AG Josh Stein, Indiana AG Todd Rokita and Ohio AG Dave Yost are leading the formation of the new Anti-Robocall Litigation Task Force. In Stein's announcement, he said the group will focus on taking legal action against telecoms, particularly gateway providers, that allow or turn a blind eye to foreign robocalls made to US numbers. He explained that gateway providers routing foreign phone calls into the US telephone network have the responsibility under the law to ensure the traffic they're bringing in is legal. Stein said that they mostly aren't taking any action to keep robocalls out of the US phone network, though, and in many cases are even intentionally allowing robocall traffic through in return for steady revenue.

Stein said in a statement: "We're... going to take action against phone companies that violate state and federal laws. I'm proud to create this nationwide task force to hold companies accountable when they turn a blind eye to the robocallers they're letting on to their networks so they can make more money. I've already brought one pathbreaking lawsuit against an out-of-state gateway provider, and I won't hesitate to take legal action against others who break our laws and bombard North Carolinians with these harmful, unlawful calls."

Piracy

Record Labels' War On ISPs and Piracy Nets Multiple Settlements With Charter (arstechnica.com) 29

An anonymous reader quotes a report from Ars Technica: Charter Communications has agreed to settle piracy lawsuits filed by the major record labels, which accused the cable Internet provider of failing to terminate the accounts of subscribers who illegally download copyrighted songs. Sony, Universal, Warner, and their various subsidiaries sued Charter in US District Court in Colorado in March 2019 in a suit that claimed the ISP helps subscribers pirate music by selling packages with higher Internet speeds. They filed another lawsuit against Charter in the same court in August 2021.

Both cases were settled. The record labels and Charter told the court of their settlements on Tuesday in filings that said, "The Parties hereby notify the Court that they have resolved the above-captioned action." Upon the settlements, the court vacated the pending trials and asked the parties to submit dismissal papers within 28 days. Charter subsidiary Bright House Networks also settled a similar lawsuit in US District Court for the Middle District of Florida this week. The record labels' case in Florida was settled one day before a scheduled trial, as TorrentFreak reported Tuesday. The case was dismissed with prejudice after the settlement.

No details on any of the settlements were given in the documents notifying the courts. A three-week jury trial in one of the Colorado cases was scheduled to begin in June 2023 but is no longer needed. The question for Internet users is whether the settlements mean that Charter will be more aggressive in terminating subscribers who illegally download copyrighted material. Charter declined to comment today when we asked if it agreed to increase account terminations of subscribers accused of piracy.

"Even if the settlements have no specific provision on terminating subscribers, Charter presumably has to pay the record labels to settle the claims," adds Ars' Jon Brodkin. "That could make the country's second-biggest ISP more likely to terminate subscribers accused of piracy in order to prevent future lawsuits."

Social Networks

Philippines Legislator Offers Up Bill That Would Criminalize 'Ghosting' (techdirt.com) 23

An anonymous reader shares a report: Real problems are what legislators are supposed to be solving. The Philippines has plenty of those, ranging from (government-endorsed) extrajudicial killings of drug dealers and drug users to abuses of state power to silence journalists to the actual murders of human rights activists. But legislators with their own axes to grind will always find ways to hone this edge, even if it means subjecting themselves to international ridicule. Enter Representative Arnolfo "Arnie" Teves, Jr. The rep has introduced a bill that would criminalize the act of "ghosting." For those unfamiliar with internet slang, it may appear Teves is trying to criminalize the act of being a ghost. (Webster's Ye Olde English Dictionary, perhaps.) But ghosts actually engage in "haunting," which is not the same thing as "ghosting." Ghosting is something else. Ghosting is disengaging from a relationship (short-term or long-term) by ignoring all calls, IMs, text messages, emails, etc. from a paramour until the problem ultimately solves itself. If one interested person can't get a response from a disinterested person, sooner or later the interested person stops trying.

The Courts

Judge Orders Waterloo Business To Name Customers Who Doxxed, Threatened Bungie Employees (therecord.com) 30

An innocent tweet about a wildly popular online multiplayer game led to a terrifying real-life campaign of doxxing and death threats against employees of game company Bungie. The Record reports: Two employees of Bungie, the American company behind "Destiny 2" -- a first-person shooter with 40 million users -- recently convinced an Ontario judge to order Waterloo-based TextNow to name its customers who made "racist and serious physical threats" against them. TextNow offers users anonymous phone service. [...] The two employees sought an "urgent and confidential" court order requiring TextNow to name the customers who made the threats. The judge agreed on June 15 but waited a month before releasing his reasons due to "the serious nature of the allegations of danger." TextNow collects information about each user, including email address, phone number, IP address, credit card number and logs of calls and texts.

The judge said the employees don't plan to sue the users in Ontario. "Whether they sue in the U.S. or just give the name to the police, I am satisfied that the exceptional equitable remedy ought to be available to identify people who harass others, with base racism, who dox, abuse personal information, and make overt threats of physical harm and death," he said.

"Our mission is to provide everyone with an affordable way to communicate, and we place a high value on the safety and privacy of our users," a TextNow spokesperson said in an email to The Record. "From time to time, we receive lawful requests for information. We comply with all valid requests as required by law."

Privacy

Data Brokers Resist Pressure To Stop Collecting Info on Pregnant People (politico.com) 139

Democratic lawmakers are piling pressure on data brokers to stop collecting information on pregnant people in order to protect those seeking abortions. They're not having much luck. From a report: For years, brokers have sold datasets on millions of expectant parents from their trimester status to their preferred birth methods. Now that the Supreme Court has overturned Roe v. Wade, that same data is becoming a political issue, with abortion-rights groups warning that states with abortion bans are likely to weaponize it. In the three months since POLITICO reported the draft opinion against Roe, numerous congressional Democrats have sent letters to data brokers urging them to stop the practice, promised to interrogate the companies about their collections and introduced bills to restrict reproductive health data from being collected and sold.

But in the absence of federal data privacy legislation or any likely chance of it getting the support needed to pass, many brokers aren't taking heed. POLITICO found more than 30 listings from data brokers offering information on expecting parents or selling access to those people through mass email blasts. Twenty-five of them were updated after the Supreme Court's ruling on Roe v. Wade on June 24. Exact Data, a data broker that offers names, emails and mailing addresses of more than 23,000 expecting parents, updated its inventory as recently as August 1. PK List Marketing also updated its "She's Having a Baby - PRENATAL Mailing List" on August 1, according to its listing on NextMark, a directory of marketing email lists.

Government

India Withdraws Personal Data Protection Bill That Alarmed Tech Giants (techcrunch.com) 6

The Indian government is withdrawing its long-awaited Personal Data Protection Bill, which drew scrutiny from several privacy advocates and tech giants who feared the legislation could restrict how they managed sensitive information while giving the government broad powers to access it. From a report: The move comes as a surprise, as lawmakers had indicated recently that the bill, unveiled in 2019, could see the "light of the day" soon. New Delhi received dozens of amendments and recommendations from a Joint Committee of Parliament that "identified many issues that were relevant but beyond the scope of a modern digital privacy law," said India's Junior IT Minister Rajeev Chandrasekhar. The government will now work on a "comprehensive legal framework" and present a new bill, he added.

The Personal Data Protection Bill sought to empower Indian citizens with rights relating to their data. India, the world's second largest internet market, has seen an explosion of personal data in the past decade as hundreds of millions of citizens came online for the first time and started consuming scores of apps. But there has been uncertainty about how much power individuals, private companies and government agencies have over it.

AI

WhatsApp Boss Says No To AI Filters Policing Encrypted Chat (theregister.com) 38

An anonymous reader quotes a report from The Register: The head of WhatsApp will not compromise the security of its messenger service to bend to the UK government's efforts to scan private conversations. Will Cathcart, who has been at parent company Meta for more than 12 years and head of WhatsApp since 2019, told the BBC that the popular communications service wouldn't downgrade or bypass its end-to-end encryption (E2EE) just for British snoops, saying it would be "foolish" to do so and that WhatsApp needs to offer a consistent set of standards around the globe. "If we had to lower security for the world, to accommodate the requirement in one country, that ... would be very foolish for us to accept, making our product less desirable to 98 percent of our users because of the requirements from 2 percent," Cathcart told the broadcaster. "What's being proposed is that we -- either directly or indirectly through software -- read everyone's messages. I don't think people want that."

Strong E2EE ensures that only the intended sender and receiver of a message can read it, and not even the provider of the communications channel nor anyone eavesdropping on the encrypted chatter. The UK government is proposing that app builders add an automated AI-powered scanner in the pipeline -- ideally in the client app -- to detect and report illegal content, in this case child sex abuse material (CSAM).

The upside is that messages are still encrypted as usual in transit: the software on your phone, say, examines the material before it is sent and carries on as normal if the data is deemed CSAM-free. One downside is that any false positive means a person's private communications get flagged and potentially examined by law enforcement or a government agent. Another downside is that the definition of what is filtered may gradually change over time, and before you know it everyone's conversations are being automatically screened for things politicians have decided are verboten. And another downside is that client-side matching tuned to produce few false positives is likely to be easily defeated by trivial alterations, and is mainly good for catching well-known, unaltered CSAM examples.
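
The trade-off in that last paragraph is easiest to see with a toy client-side matcher. The block below is an added illustration, not code from WhatsApp, Meta or the UK proposal: it scans constructed 8x8 greyscale "images" against a blocklist two ways, by exact SHA-256 of the pixel bytes and by a loose average-hash (aHash) comparison with a Hamming-distance threshold. Real deployments use stronger perceptual hashes or classifiers, but the shape of the failure modes is the same: a one-pixel watermark evades the exact match, the loose match catches it but also fires on an unrelated image with the same coarse layout (a false positive), and a mirror flip evades both. Image contents, the blocklist and the threshold of 10 bits are all assumptions made for the example.

```python
"""Toy client-side scanner: exact hashing versus loose perceptual matching.

Added example; the images, blocklist and threshold are constructed.
"""
import hashlib

Image = list[list[int]]  # 8x8 greyscale, pixel values 0..255


def make_image(fn) -> Image:
    """Build an 8x8 image from fn(row, col) -> pixel value."""
    return [[fn(r, c) for c in range(8)] for r in range(8)]


def image_bytes(img: Image) -> bytes:
    return bytes(v for row in img for v in row)


def sha256_hex(img: Image) -> str:
    """Exact fingerprint: any change to any byte gives a different digest."""
    return hashlib.sha256(image_bytes(img)).hexdigest()


def ahash(img: Image) -> int:
    """Average hash: one bit per pixel, set when the pixel is above the mean.

    Small edits rarely flip bits, so near-copies stay close in Hamming
    distance; but anything with the same bright/dark layout collides.
    """
    pixels = [v for row in img for v in row]
    mean = sum(pixels) / len(pixels)
    h = 0
    for v in pixels:
        h = (h << 1) | (1 if v > mean else 0)
    return h


def hamming(a: int, b: int) -> int:
    return bin(a ^ b).count("1")


# Constructed stand-in for a "known" blocklisted image: bright left, dark right.
KNOWN_BAD = make_image(lambda r, c: 200 if c < 4 else 50)
EXACT_BLOCKLIST = {sha256_hex(KNOWN_BAD)}
PERCEPTUAL_BLOCKLIST = {ahash(KNOWN_BAD)}
THRESHOLD_BITS = 10  # assumption: how loose the perceptual match is allowed to be


def exact_scan(img: Image) -> bool:
    return sha256_hex(img) in EXACT_BLOCKLIST


def perceptual_scan(img: Image, threshold: int = THRESHOLD_BITS) -> bool:
    h = ahash(img)
    return any(hamming(h, bad) <= threshold for bad in PERCEPTUAL_BLOCKLIST)


# Candidate messages a client might be asked to scan (all constructed).
CASES = {
    "unaltered copy": make_image(lambda r, c: 200 if c < 4 else 50),
    # one pixel in the dark region turned white: a trivial "watermark"
    "one-pixel edit": make_image(lambda r, c: 255 if (r, c) == (7, 7) else (200 if c < 4 else 50)),
    # horizontally mirrored: same picture, every aHash bit inverted
    "mirrored": make_image(lambda r, c: 200 if c >= 4 else 50),
    # unrelated gradient that happens to share the bright-left/dark-right layout
    "unrelated gradient": make_image(lambda r, c: 255 - 30 * c),
}


def run_cases() -> dict[str, tuple[bool, bool]]:
    """Map case name -> (exact match?, perceptual match?)."""
    return {name: (exact_scan(img), perceptual_scan(img)) for name, img in CASES.items()}


if __name__ == "__main__":
    for name, (exact, loose) in run_cases().items():
        print(f"{name:20s} exact={exact!s:5} perceptual={loose}")
```

Tightening the threshold towards 0 removes the gradient false positive but also stops catching the watermarked copy; loosening it catches more edits and flags more innocent pictures. Neither setting catches the mirrored copy, which is the kind of cheap transform a motivated sender would apply first.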

Security

New Gmail Attack Bypasses Passwords and 2FA To Read All Email (forbes.com) 37

An anonymous reader quotes a report from Forbes: According to cyber security firm Volexity, its threat research team has found the North Korean 'SharpTongue' group, which appears to be part of, or related to, the Kimsuky advanced persistent threat group, deploying malware called SHARPEXT that doesn't need your Gmail login credentials at all. Instead, it "directly inspects and exfiltrates data" from a Gmail account as the victim browses it. This quickly evolving threat (Volexity says it is already on version 3.0, according to the malware's internal versioning) can steal email from both Gmail and AOL webmail accounts, and works across three browsers: Google Chrome, Microsoft Edge, and a South Korean client called Whale.

The U.S. Cybersecurity & Infrastructure Security Agency, CISA, reports that Kimsuky has been operating since 2012, and is "most likely tasked by the North Korean regime with a global intelligence gathering mission." While CISA sees Kimsuky most often targeting individuals and organizations in South Korea, Japan, and the U.S., Volexity says that the SharpTongue group has frequently been seen targeting South Korea, the U.S. and Europe. The common denominator between them is that the victims often "work on topics involving North Korea, nuclear issues, weapons systems, and other matters of strategic interest to North Korea."

The report says that SHARPEXT differs from previous browser extensions deployed by these espionage groups in that it doesn't attempt to grab login credentials; it bypasses the need for them and grabs email data as the user reads it. The good news is that your system needs to be compromised by some other means before this malicious extension can be deployed. Unfortunately, we know all too well that system compromise is not as difficult as it should be. Once a system has been compromised by whatever means (phishing, malware, an unpatched vulnerability), the threat actors install the extension using a malicious VB script that replaces the browser's preference files. Once that's done and the extension runs quietly in the background, it is tough to detect: the user logs in to their Gmail account from their normal browser on the expected system, and the extension reads along.

The security researchers recommend "enabling and analyzing PowerShell ScriptBlock logging" to detect whether you've been targeted by this attack, reports Forbes. Additionally, they recommend reviewing installed extensions regularly, especially looking for ones you don't recognize or that are not available from the Chrome Web Store.
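
The "review installed extensions" advice can be turned into a repeatable check. The block below is an added example, not Volexity's or Forbes's code: it parses the JSON that Chromium-based browsers (Chrome, Edge, Whale) keep in a profile's "Preferences" and "Secure Preferences" files, the same files SHARPEXT is planted through, and flags any extension that lacks store provenance: not marked as coming from the web store, loaded unpacked from a directory, or pointing at an update URL other than a known store. The field names (from_webstore, location, path, manifest.update_url) and the numeric location codes follow Chrome's preference layout as understood at the time of writing and are treated as assumptions; the sample document is constructed. Note that Secure Preferences carries an integrity MAC, but an attacker who rewrites the file on the host recomputes it, so this audit looks at provenance fields rather than trusting that MAC.

```python
"""Audit Chromium-profile preference files for side-loaded extensions.

Added example, not code from Volexity or Forbes. Field names and location
codes are assumptions about Chrome's preference layout; sample is constructed.
"""
import json
from pathlib import Path

# Update servers of the official stores (assumption: current values).
KNOWN_STORE_UPDATE_URLS = {
    "https://clients2.google.com/service/update2/crx",          # Chrome Web Store
    "https://edge.microsoft.com/extensionwebstorebase/v1/crx",  # Edge Add-ons
}

# Values of the per-extension "location" field used here (assumption).
LOCATION_UNPACKED = 4    # "Load unpacked": loaded straight from a directory
LOCATION_COMPONENT = 5   # shipped inside the browser; no store provenance expected


def audit_extensions(preferences_json: str) -> list[dict]:
    """Return one finding per extension that lacks store provenance."""
    settings = json.loads(preferences_json).get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, info in settings.items():
        if info.get("location") == LOCATION_COMPONENT:
            continue
        manifest = info.get("manifest", {})
        update_url = manifest.get("update_url")
        reasons = []
        if not info.get("from_webstore", False):
            reasons.append("not flagged from_webstore")
        if info.get("location") == LOCATION_UNPACKED:
            reasons.append("loaded unpacked from a directory")
        if update_url not in KNOWN_STORE_UPDATE_URLS:
            reasons.append(f"update_url={update_url!r} is not a known store")
        if reasons:
            findings.append({
                "id": ext_id,
                "name": manifest.get("name", "<unnamed>"),
                "path": info.get("path"),
                "reasons": reasons,
            })
    return findings


def audit_profile(profile_dir: Path) -> list[dict]:
    """Audit both preference files of one profile directory (e.g. Chrome's 'Default')."""
    findings = []
    for name in ("Preferences", "Secure Preferences"):
        f = profile_dir / name
        if f.exists():
            findings.extend(audit_extensions(f.read_text(encoding="utf-8")))
    return findings


# Constructed sample: one store install, one bundled component, one side-load.
SAMPLE_PREFERENCES = json.dumps({
    "extensions": {
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "from_webstore": True,
                "location": 1,
                "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.2.3_0",
                "manifest": {
                    "name": "Password Manager",
                    "update_url": "https://clients2.google.com/service/update2/crx",
                },
            },
            "cccccccccccccccccccccccccccccccc": {
                "location": 5,
                "manifest": {"name": "Bundled Component"},
            },
            "pppppppppppppppppppppppppppppppp": {
                "from_webstore": False,
                "location": 4,
                "path": "C:\\Users\\victim\\AppData\\Roaming\\ext",
                "manifest": {"name": "Helper"},
            },
        }
    }
})

if __name__ == "__main__":
    for finding in audit_extensions(SAMPLE_PREFERENCES):
        print(finding)
```

Run audit_profile against each user's profile directory (on Windows, under the browser's User Data folder in AppData) and diff the output against a known-good baseline; an extension that appears with a local path and no store update URL after a PowerShell or VBS execution in the same window is exactly the pattern the ScriptBlock-logging recommendation is meant to surface.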

Crime

Forsage Crypto Executives Charged With Running $300 Million Ponzi Scheme (cbsnews.com) 12

Eleven people who ran and promoted cryptocurrency firm Forsage are facing charges of operating a pyramid and Ponzi scheme that raised more than $300 million from millions of investors in the U.S. and elsewhere, according to the Securities and Exchange Commission. From a report: The Forsage executives posted videos that promised huge returns for investors, with one calling it "a powerful long-term source of passive income" and telling viewers, "Forsage means fast and furious." But securities regulators allege the service's founders weren't providing an investment strategy, but rather running a pyramid scheme, where investors made money by recruiting others. Also, earlier investors were paid through the money invested by newer customers, the hallmark of a classic Ponzi structure.

The charges underscore the financial risks of a sector that has drawn a fair share of fraudsters and scammers, aside from the massive price plunges that cryptocurrencies have experienced this year. In the case of Forsage, the service was created in 2020 and targeted retail investors who wanted to enter into crypto transactions via so-called "smart contracts" that operated on the ethereum, tron and binance blockchains. In addition to the four founders, the SEC also charged three U.S.-based promoters hired by Forsage to tout the service as well as several members of the Crypto Crusaders, a promotional group for the service, the SEC said.

The Courts

Meta Sued For Violating Patient Privacy With Data Tracking Tool (theverge.com) 37

Facebook's parent company Meta and major US hospitals violated medical privacy laws with a tracking tool that sends health information to Facebook, two proposed class-action lawsuits allege. From a report: The lawsuits, filed in the Northern District of California in June and July, focus on the Meta Pixel tracking tool. The tool can be installed on websites to provide analytics on Facebook and Instagram ads. It also collects information about how people click around and input information into those websites.

An investigation by The Markup in early June found that 33 of the top 100 hospitals in the United States use the Meta Pixel on their websites. At seven hospitals, it was installed on password-protected patient portals. The investigation found that the tool was sending information about patient health conditions, doctor appointments, and medication allergies to Facebook.

Crime

US Crypto Firm Nomad Hit By $190 Million Theft (reuters.com) 30

U.S. crypto firm Nomad has been hit by a $190 million theft, blockchain researchers said on Tuesday, the latest such heist to hit the digital asset sector this year. From a report: Nomad said in a tweet that it was "aware of the incident" and was currently investigating, without giving further details or the value of the theft. Crypto analytics firm PeckShield told Reuters $190 million worth of users' cryptocurrencies were stolen, including ether and the stablecoin USDC. Other blockchain researchers put the figure at over $150 million.

Piracy

Research Shows Why Many Anti-Piracy Messages Fail (torrentfreak.com) 257

An anonymous reader quotes a report from TorrentFreak: You wouldn't steal a car, right? So why are you pirating? With this 2004 message, the movie industry hoped to turn illegal downloaders into paying customers. This campaign eventually turned into a meme and it's not the only anti-piracy advert to miss the mark. A new research paper identifies several behavioral insights that explain common mistakes made in these campaigns. [...] The general assumption of many people is that, by adding more arguments, the message will be more compelling. That's called the 'more-is-better' heuristic but behavioral research has shown that the opposite is often true. When many arguments are presented together, the stronger ones may actually be diluted by weaker ones. So, referencing malware, fines, low quality, Internet disconnections, and losses to the industry, all while associating piracy with organized crime, is not the best idea. The reduced impact of stronger and weaker arguments is also one of the reasons why the "You Wouldn't Steal a Car" campaign didn't work as planned, the researchers suggest.

Anti-piracy campaigns can also focus too much on dry numbers without putting these into context. While these statistics are vital to the industry, the average pirate will simply gloss over them. This 'mistake' can also be explained by behavioral psychology, which has shown that people identify more with a problem or victim if they feel some kind of personal connection. That's often missing from anti-piracy messages. It's worth noting that not all personal messaging is effective either. The paper mentions an Indian anti-piracy campaign where famous Bollywood actors urged people not to download films illegally, equating piracy to theft. However, the Indian public probably has little sympathy for the potential "losses" incurred by these multi-millionaire actors. In fact, the anti-piracy campaign may be seen as an extra motivation to pirate. "All videos starred well-known actors, whose net worth is estimated to be $22-$400 million dollars, in a country where the annual per capita income is a bit less than $2,000." "This can offer to pirates a moral justification: they only steal the rich to 'feed the poor', a form of 'Robin Hood effect' that makes even more sense with some cultural or sport-related goods," the researchers add.

Piracy is a widespread and global phenomenon. This makes it particularly problematic for copyright holders but emphasizing this issue in anti-piracy messages isn't a good idea. This is the third mistake that's highlighted in the article. By pointing out that people are supposed to get content legally while at the same time showing that many people don't, people might actually be encouraged to pirate. Behavioral research has shown that people often prefer to follow the descriptive norm (what people do) rather than the injunctive one (what the law prescribes). "Informing directly or indirectly individuals that many people pirate is counterproductive and encourages piracy by driving the targeted individuals to behave similarly. These messages provide to the would-be pirates the needed rationalization by emphasizing that 'everyone is doing it'," the researchers write.

Businesses

US Authorities Threaten Alibaba With NYSE Delisting (theregister.com) 10

Chinese tech giant Alibaba is the latest company to run afoul of the US Securities and Exchange Commission, which has threatened delisting from US stock exchanges. The Register reports: Alibaba's addition to the SEC's list of nearly 300 companies -- mostly from China -- means that US officials were unable to complete an audit of the company's finances. The 2020 Holding Foreign Companies Accountable Act (HFCAA) gives the SEC the authority to delist companies if it is suspected that financial audits may not be accurate. The news hit Alibaba stock hard on Friday, causing it to drop from $100.52 to $89.37 through the day. In a statement sent to the SEC on Monday, Alibaba said it would "strive to maintain its listing status," and that it would continue to monitor market developments and comply with applicable laws and regulations.

Addition to the SEC's HFCAA list doesn't mean that Alibaba will immediately be removed from the New York Stock Exchange (NYSE). Instead, the notice marks the company's first "non-inspection" year; Alibaba is only actually in danger of delisting if it hands in two more consecutive annual reports that run afoul of the HFCAA. The report that landed the company under scrutiny covered Alibaba's fiscal year ending on March 31, 2022. Companies on the provisional HFCAA list have 15 business days to dispute addition to the list. Along with Alibaba's inclusion last week, pet company Boqii, Cheetah Mobile, ecommerce platform MOGU, manufacturing business Highway Holdings and logistics company Novagant Corp -- all from China or Hong Kong -- were added.

The Almighty Buck

US CHIPS Act Funds Are Not For 'Stock Buybacks' (theregister.com) 62

An anonymous reader quotes a report from The Register: The US Commerce Department says it will strictly control use of subsidies under the recently passed CHIPS and Science Act, which promises to unlock billions of dollars in funding for domestic chip manufacturing. The eagerly anticipated spending bill paves the way for $280 billion in funding for science and technology, roughly $52 billion of which is earmarked for boosting US semiconductor production. Its passing was greeted by companies such as Intel and Micron, the latter of which promised to ramp up stateside memory production over the next few years in exchange for some of that cash.

However, the Commerce Department has given chipmakers notice that it will not be allowing a free-for-all, and will not let them use government funding for "stock buybacks or to pad their bottom line," it said in a published statement. Instead, subsidies awarded will be "no larger than is necessary to ensure a project happens here in the United States," the Commerce Department said, adding that it wanted to avoid a situation where states and municipalities became embroiled in a subsidy competition in the race to attract chipmakers to build there. The Department also warned that it will not hesitate to claw back funds or pursue other remedies from semiconductor companies that are found to have misused taxpayer dollars. Funding will come with conditions attached: chipmakers that receive a CHIPS subsidy will be prohibited from engaging in "significant transactions in China or other countries of concern" involving any leading-edge semiconductor manufacturing capacity for a period of ten years.

Bitcoin

Craig Wright Wins 'Only Nominal Damages' of One Pound In Bitcoin Libel Case (theguardian.com) 17

An anonymous reader quotes a report from The Guardian: For years Craig Wright has claimed that he is the mythical figure who created bitcoin. But a legal bid by the Australian computer scientist to defend his assertion that he is Satoshi Nakamoto resulted in a pyrrhic victory and a tarnished reputation on Monday. A high court judge ruled Wright had given "deliberately false evidence" in a libel case and awarded him one pound in damages after he sued a blogger for alleging that his claim to be the elusive Nakamoto was fraudulent. "Because he [Wright] advanced a deliberately false case and put forward deliberately false evidence until days before trial, he will recover only nominal damages," wrote Justice Chamberlain.

Wright had sued blogger Peter McCormack over a series of tweets in 2019, and a video discussion broadcast on YouTube, in which McCormack said Wright was a "fraud" and is not Satoshi. The issue of Nakamoto's identity was not covered by the judge's ruling because McCormack had earlier abandoned a defense of truth in his case. Wright claimed that his reputation within the cryptocurrency industry had been "seriously harmed" by McCormack's claims. He said he had been invited to speak at numerous conferences after the successful submission of academic papers for blind peer review, but 10 invites had been withdrawn following McCormack's tweets. This included alleged potential appearances at events in France, Vietnam, the US, Canada and Portugal.

But McCormack submitted evidence from academics challenging Wright's claims, which were then dropped from his case at the trial in May. Wright later accepted that some of his evidence was "wrong" but said that this was "inadvertent," Chamberlain said in his judgment. The judge noted that there was "no documentary evidence" that Wright had a paper accepted at any of the conferences identified in the earlier version of his libel claim, nor that he received an invitation to speak at them except possibly at one, nor that any invitation was withdrawn. Wright's explanation that he abandoned this part of his case because the alleged damage to his reputation from the "disinvitations" was outside England and Wales "does not withstand scrutiny," the judge added. He concluded: "Dr Wright's original case on serious harm, and the evidence supporting it, both of which were maintained until days before trial, were deliberately false." [...] [T]he judge said that Wright's pre-trial case over the serious harm to his reputation made it "unconscionable" that he should receive "any more than nominal damages."

In a statement Wright said: "I intend to appeal the adverse findings of the judgment in which my evidence was clearly misunderstood. I will continue legal challenges until these baseless and harmful attacks designed to belittle my reputation stop."

Businesses

Federal Judge Says Visa Knowingly Facilitated Pornhub's Monetization of Child Porn (variety.com) 289

Variety reports: In a setback for Visa in a case alleging the payment processor is liable for the distribution of child pornography on Pornhub and other sites operated by parent company MindGeek, a federal judge ruled that it was reasonable to conclude that Visa knowingly facilitated the criminal activity.

On Friday, July 29, U.S. District Judge Cormac Carney of the U.S. District Court of the Central District of California issued a decision in the Fleites v. MindGeek case, denying Visa's motion to dismiss the claim it violated California's Unfair Competition Law — which prohibits unlawful, unfair or fraudulent business acts and practices — by processing payments for child porn....

In the ruling, Carney held that the plaintiff "adequately alleged" that Visa engaged in a criminal conspiracy with MindGeek to monetize child pornography. Specifically, he wrote, "Visa knew that MindGeek's websites were teeming with monetized child porn"; that there was a "criminal agreement to financially benefit from child porn that can be inferred from [Visa's] decision to continue to recognize MindGeek as a merchant despite allegedly knowing that MindGeek monetized a substantial amount of child porn"; and that "the court can comfortably infer that Visa intended to help MindGeek monetize child porn" by "knowingly provid[ing] the tool used to complete the crime."

"When MindGeek decides to monetize child porn, and Visa decides to continue to allow its payment network to be used for that goal despite knowledge of MindGeek's monetization of child porn, it is entirely foreseeable that victims of child porn like plaintiff will suffer the harms that plaintiff alleges," Carney wrote.

From the judge's ruling:

"At this early stage of the proceedings, before Plaintiff has had any discovery from which to derive Visa's state of mind, the Court can comfortably infer that Visa intended to help MindGeek monetize child porn from the very fact that Visa continued to provide MindGeek the means to do so and knew MindGeek was indeed doing so."
Security

Anonymous Hacktivists Breach Russian Databases, Leak 'Massive' Amounts of Data (cnbc.com) 80

"The Anonymous declaration of cyberwar was a top news story despite no evidence," writes cybersecurity specialist Jeremiah Fowler (an American who worked in Kyiv for the last 10 years — until fleeing in February to Poland). To investigate, Fowler performed a random sampling of 100 exposed Russian databases — and discovered that 92 of them had indeed been compromised. "Anti-Russian hackers used a similar script to the infamous 'MeowBot' that changed the name of folders and deleted the contents of the files." (For example, renaming the folders to "putin_stop_this_war".)

And that was just the beginning, reports CNBC: Anonymous has claimed to have hacked over 2,500 Russian and Belarusian sites, said Fowler. In some instances, stolen data was leaked online, he said, in amounts so large it will take years to review. "The biggest development would be the overall massive number of records taken, encrypted or dumped online," said Fowler. Shmuel Gihon, a security researcher at the threat intelligence company Cyberint, agreed that the amount of leaked data is "massive."

"We currently don't even know what to do with all this information, because it's something that we haven't expected to have in such a short period of time," he said....

The more immediate outcome of the hacks, Fowler and Gihon agreed, is that Russia's cybersecurity defenses have been revealed as being far weaker than previously thought.

Fowler's report argues that Anonymous has "rewritten the rules of how a crowdsourced modern cyberwar is conducted" — with the group also offering penetration testing to Ukraine, "finding vulnerabilities before Russia could exploit them." But in addition, Fowler writes, Anonymous's efforts have also "transformed into a larger operation that spread far beyond the Russian government, companies, or organizations, and included an information campaign aimed at Russian citizens."

Some examples: Hacking Printers — Russian censorship has blocked many inside the country from knowing the true scale of the war and Russian losses. Anonymous hacked printers across Russia and printed uncensored facts or anti-propaganda and pro-Ukrainian messages. The group claims to have printed over 100,000 documents. This also includes barcode printers at grocery stores where prices were changed and product names were changed to anti-war or pro-Ukrainian slogans....

RoboDial, SMS, and Email Spam — Almost everyone on earth has received some form of spam in the form of a phone call, text, or email message. These usually try to sell a service or scam victims out of money. Now this same technology has been used to bypass Russian censorship and inform citizens of news and messages they are forbidden to learn on state-sponsored propaganda channels. Anonymous-affiliated Squad303 claimed to have sent over 100 million messages to Russian devices.

United States

Amazon's Ring and Google Can Share Footage With Police Without Warrants (or Your Consent) (cnet.com) 70

U.S. law lets companies like Google and Amazon's Ring doorbell/security camera system "share user footage with police during emergencies without consent and without warrants," CNET reported this week. They add that, after that revelation, Ring "came under renewed criticism from privacy activists this month after disclosing it gave video footage to police in more than 10 cases without users' consent thus far in 2022 in what it described as 'emergency situations'."

"That includes instances where the police didn't have a warrant." "So far this year, Ring has provided videos to law enforcement in response to an emergency request only 11 times," Amazon vice president of public policy Brian Huseman wrote. "In each instance, Ring made a good-faith determination that there was an imminent danger of death or serious physical injury to a person requiring disclosure of information without delay...." Of the 11 emergency requests Ring has complied with so far in 2022, the company said they include cases involving kidnapping, self-harm and attempted murder, but it won't provide further details, including information about which agencies or countries the requests came from.

We also asked Ring if it notified customers after the company had granted law enforcement access to their footage without their consent.

"We have nothing to share," the spokesperson responded.

CNET also supplies this historical context: It's been barely a year since Ring made the decision to stop allowing police to email users to request footage. Facing criticism that requests like those were subverting the warrant process and contributing to police overreach, Ring directed police instead to post public requests for assistance in the Neighbors app, where community members are free to view and comment on them (or opt out of seeing them altogether)... That post made no mention of a workaround for the police during emergency circumstances.

When CNET asked why that workaround wasn't mentioned, Amazon's response was that law enforcement requests, "including emergency requests, are directed to Ring (the company), the same way a warrant or subpoena is directed to Ring (and not the customer), which is why we treat them entirely separately."

CNET notes there's also no mention of warrantless emergency requests without independent oversight in Ring's own transparency reports about law enforcement requests from past years.

CNET adds that it's not just Amazon. "Google, Ring and other companies that process user video footage have a legal basis for warrantless disclosure without consent during emergency situations, and it's up to them to decide whether or not to do so when the police come calling...." (Although Google told CNET that while it reserves the right to comply with warrantless requests for user data during emergencies, to date it has never actually done so.) The article also points out that "Others, most notably Apple, use end-to-end encryption as the default setting for user video, which blocks the company from sharing that video at all... Ring enabled end-to-end encryption as an option for users in 2021, but it isn't the default setting, and Ring notes that turning it on will break certain features, including the ability to view your video feed on a third-party device like a smart TV, or even Amazon devices like the Echo Show smart display."

The bottom line? [C]onsumers have a choice to make about what they're comfortable with... That said, you can't make informed choices when you aren't well-informed to begin with, and the brands in question don't always make it easy to understand their policies and practices. Ring published a blog post last year walking through its new, public-facing format for police footage requests, but there was no mention of emergency exceptions granted without user consent or independent oversight, the details of which only came to light after a Senate probe. Google describes its emergency sharing policies within its Terms of Service, but the language doesn't make it clear that those cases include instances where footage may be shared without a warrant, subpoena or court order compelling Google to do so.
