Mozilla

Mozilla Is Ending Support For Its Firefox Password Manager Sync App (theverge.com)

Mozilla announced last week via a support article that its Firefox Lockwise password manager app will reach end-of-life on December 13th. The final release versions are 1.8.1 (iOS) and 4.0.3 (Android) and will no longer be available to download or reinstall after that date. The Verge reports: What started in 2018 as a small experimental mobile app called Lockbox ended up bringing a way to access saved passwords and perform autofills on iOS, Android, and desktop devices to a small but enthusiastic following of Firefox fans. The app was also later adapted as a Firefox extension. It seemed like it was apt to stick around for the long run.

The support article recommends that users continue accessing passwords using the native Firefox browsers on desktop and mobile. In an added note on the support site, Mozilla suggests that later in December, the Firefox iOS app will gain the ability to manage Firefox passwords systemwide. The note alludes to Mozilla adopting the features of Lockwise and eventually integrating them into the Firefox browser apps natively on all platforms.

Security

New Windows Zero-Day With Public Exploit Lets You Become An Admin (bleepingcomputer.com)

A security researcher has publicly disclosed an exploit for a new Windows zero-day local privilege elevation vulnerability that gives admin privileges in Windows 10, Windows 11, and Windows Server. BleepingComputer reports: As part of the November 2021 Patch Tuesday, Microsoft fixed a 'Windows Installer Elevation of Privilege Vulnerability' tracked as CVE-2021-41379. This vulnerability was discovered by security researcher Abdelhamid Naceri, who found a bypass to the patch and a more powerful new zero-day privilege elevation vulnerability after examining Microsoft's fix. Yesterday, Naceri published a working proof-of-concept exploit for the new zero-day on GitHub, explaining that it works on all supported versions of Windows.

"This variant was discovered during the analysis of CVE-2021-41379 patch. The bug was not fixed correctly, however, instead of dropping the bypass," explains Naceri in his writeup. "I have chosen to actually drop this variant as it is more powerful than the original one." Furthermore, Naceri explained that while it is possible to configure group policies to prevent 'Standard' users from performing MSI installer operations, his zero-day bypasses this policy and will work anyway. BleepingComputer tested Naceri's 'InstallerFileTakeOver' exploit, and it only took a few seconds to gain SYSTEM privileges from a test account with 'Standard' privileges, as demonstrated in [this video]. When BleepingComputer asked Naceri why he publicly disclosed the zero-day vulnerability, we were told he did it out of frustration over Microsoft's decreasing payouts in their bug bounty program.
A Microsoft spokesperson said in a statement: "We are aware of the disclosure and will do what is necessary to keep our customers safe and protected. An attacker using the methods described must already have access and the ability to run code on a target victim's machine."

Naceri recommends users wait for Microsoft to release a security patch, as attempting to patch the binary will likely break the installer.

China

China's New Privacy Law Leaves US Behind (axios.com)

While China's sweeping new data privacy laws have left tech companies confused about how to comply, they also put the U.S. even further behind in the global race to set digital standards. From a report: China enacted its Personal Information Privacy Law earlier this month, following Europe as the second major international player to have its own sweeping data privacy regulations. The law, regarded as China's version of Europe's General Data Protection Regulation, is a set of rules for how businesses can collect, use, process, share and transfer personal information. Another Chinese data regulation, the Data Security Law, went into effect Sept. 1. The laws aim to protect Chinese citizens from the private sector, while the Chinese government still has easy access to personal data.

In May, influential U.S. business groups sent comments, viewed by Axios, to the National People's Congress protesting that the draft law's vague language, monetary penalties and criminal liabilities were harsh. They also said it would hurt innovation by being overly prescriptive and burdensome. The U.S. still does not have a federal data privacy law, and China's move could allow it to set future global norms on its terms. Meanwhile, tech companies doing business in China will have to navigate the vague new rules, and that could be expensive.

Privacy

Apple Sues Israeli Spyware Maker, Seeking To Block Its Access To iPhones

Apple sued the NSO Group, the Israeli surveillance company, in federal court on Tuesday, another setback for the beleaguered firm and the unregulated spyware industry. From a report: The lawsuit is the second of its kind -- Facebook sued the NSO Group in 2019 for targeting its WhatsApp users -- and represents another consequential move by a private company to curb invasive spyware by governments and the companies that provide their spy tools. Apple, for the first time, seeks to hold NSO accountable for what it says was the surveillance and targeting of Apple users. Apple also wants to permanently prevent NSO from using any Apple software, services or devices, a move that could render the company's Pegasus spyware product worthless, given that its core business is to give NSO's government clients full access to a target's iPhone or Android smartphone.

Apple is also asking for unspecified damages for the time and cost to deal with what the company argues is NSO's abuse of its products. Apple said it would donate the proceeds from those damages to organizations that expose spyware. Since NSO's founding in 2010, its executives have said that they sell spyware to governments only for lawful interception, but a series of revelations by journalists and private researchers have shown the extent to which governments have deployed NSO's Pegasus spyware against journalists, activists and dissidents. Apple executives described the lawsuit as a warning shot to NSO and other spyware makers. "This is Apple saying: If you do this, if you weaponize our software against innocent users, researchers, dissidents, activists or journalists, Apple will give you no quarter," Ivan Krstic, head of Apple security engineering and architecture, said in an interview on Monday.

Crime

India Police Charge Amazon Execs In Alleged Marijuana Smuggling Case (reuters.com)

An anonymous reader quotes a report from Reuters: Indian police said on Saturday they had charged senior executives of Amazon.com's local unit under narcotics laws in a case of alleged marijuana smuggling via the online retailer. Police in the central Madhya Pradesh state arrested two men with 20 kg of marijuana on Nov. 14 and found they were using the Amazon India website to order and further smuggle the substance in the guise of stevia leaves, a natural sweetener, to other Indian states.

State police said in a statement that executive directors of Amazon India were being named as accused under the Narcotic Drugs and Psychotropic Substances Act due to differences in answers in documents provided by the company in response to police questions and facts unearthed by discussion. Police did not disclose how many executives were charged. The police, who had previously summoned and spoken to Amazon executives in the case, estimate that about 1,000 kg of marijuana, worth roughly $148,000, was sold via Amazon.

EU

WhatsApp Privacy Policy Tweaked in Europe After Record Fine (bbc.com)

WhatsApp is rewriting its privacy policy as a result of a huge data protection fine earlier this year. From a report: Following an investigation, the Irish data protection watchdog issued a $253.29m fine -- the second-largest in history over GDPR -- and ordered WhatsApp to change its policies. WhatsApp is appealing against the fine, but is amending its policy documents in Europe and the UK to comply. However, it insists that nothing about its actual service is changing. Instead, the tweaks are designed to "add additional detail around our existing practices", and will only appear in the European version of the privacy policy, which is already different from the version that applies in the rest of the world. "There are no changes to our processes or contractual agreements with users, and users will not be required to agree to anything or to take any action in order to continue using WhatsApp," the company said, announcing the change. The new policy takes effect immediately.

In January, WhatsApp users complained about an update to the company's terms that many believed would result in data being shared with parent company Facebook, which is now called Meta. Many thought refusing to agree to the new terms and conditions would result in their accounts being blocked. In reality, very little had changed. However, WhatsApp was forced to delay its changes and spend months fighting the public perception to the contrary. During the confusion, millions of users downloaded WhatsApp competitors such as Signal.

Bitcoin

El Salvador Plans 'Bitcoin City' Powered by a Volcano, Financed by Bitcoin Bonds (go.com)

"In a rock concert-like atmosphere, El Salvador President Nayib Bukele announced that his government will build an oceanside 'Bitcoin City' at the base of a volcano..." reports the Associated Press.

"A bond offering would happen in 2022 entirely in Bitcoin, Bukele said, wearing his signature backwards baseball cap. And 60 days after financing was ready, construction would begin." The city will be built near the Conchagua volcano to take advantage of geothermal energy to power both the city and Bitcoin mining — the energy-intensive solving of complex mathematical calculations day and night to verify currency transactions. The government is already running a pilot Bitcoin mining venture at another geothermal power plant beside the Tecapa volcano...

The government will provide land and infrastructure and work to attract investors. The only tax collected there will be the value-added tax, half of which will be used to pay the municipal bonds and the rest for municipal infrastructure and maintenance. Bukele said there would be no property, income or municipal taxes and the city would have zero carbon dioxide emissions.

"Invest here and earn all the money you want," Bukele told the cheering crowd in English at the closing of the Latin American Bitcoin and Blockchain Conference being held in El Salvador.

CNN adds some interesting details: Likening his plan to cities founded by Alexander the Great, Bukele said Bitcoin City would be circular, with an airport, residential and commercial areas, and feature a central plaza designed to look like a bitcoin symbol from the air. "If you want bitcoin to spread over the world, we should build some Alexandrias," said Bukele, a tech-savvy 40-year-old who in September proclaimed himself "dictator" of El Salvador on Twitter in an apparent joke.

El Salvador plans to issue the initial bonds in 2022, Bukele said, suggesting it would be in 60 days' time. Samson Mow, chief strategy officer of blockchain technology provider Blockstream, told the gathering the first 10-year issue, known as the "volcano bond", would be worth $1 billion, backed by bitcoin and carrying a coupon of 6.5% [the annual interest paid on a bond]. Half of the sum would go to buying bitcoin on the market, he said. Other bonds would follow. After a five year lock-up, El Salvador would start selling some of the bitcoin used to fund the bond to give investors an "additional coupon", Mow said, positing that the value of the cryptocurrency would continue to rise robustly.

"This is going to make El Salvador the financial center of the world," he said...

Once 10 such bonds were issued, $5 billion in bitcoin would be taken off the market for several years, Mow said. "And if you get 10 more countries to do these bonds, that's half of bitcoin's market cap right there." The "game theory" on the bonds gave first issuer El Salvador an advantage, Mow argued, saying: "If bitcoin at the five-year mark reaches $1 million, which I think it will, they will sell bitcoin in two quarters and recoup that $500 million."

Piracy

Is 'The NFT Bay' Just a Giant Hoax? (clubnft.com)

Recently, Australian developer Geoffrey Huntley announced they'd created a 20-terabyte archive of all NFTs on the Ethereum and Solana blockchains.

But one NFT startup company now says they tried downloading the archive — and discovered most of it was zeroes. Many of the articles are careful to point out "we have not verified the contents of the torrent," because of course they couldn't. A 20TB torrent would take several days to download, necessitating a pretty beefy internet connection and more disk space to store than most people have at their disposal. We at ClubNFT fired up a massive AWS instance with 40TB of EBS disk space to attempt to download this, with a cost estimate of $10k-20k over the next month, as we saw this torrent as potentially an easy way to pre-seed our NFT storage efforts — not many people have these resources to devote to a single news story.

Fortunately, we can save you the trouble of downloading the entire torrent — all you need is about 10GB. Download the first 10GB of the torrent, plus the last block, and you can fill in all the rest with zeroes. In other words, it's empty; and no, Geoff did not actually download all the NFTs. Ironically, Geoff has archived all of the media articles about this and linked them on TheNFTBay's site, presumably to preserve an immutable record of the spread and success of his campaign — kinda like an NFT...
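The "fill in the rest with zeroes" claim above can be checked without fetching any payload at all. A BitTorrent metainfo (.torrent) file carries a SHA-1 digest for every fixed-size piece, so the digest of an all-zero piece can be precomputed and compared against each listed hash; only the final piece, which may be shorter, needs its own digest. The script below is an added example written for this page, not ClubNFT's or The NFT Bay's code, and the metainfo it parses is a small sample constructed inline (the tracker URL and file name are placeholders). A piece whose hash matches the zero digest is all zeros barring a SHA-1 collision; a piece that does not match merely contains at least one non-zero byte.

```python
"""Estimate how much of a torrent's payload is all-zero bytes from the .torrent
metainfo alone (no payload download). Added example; sample metainfo constructed."""
import hashlib


def bdecode(data: bytes):
    """Minimal bencode decoder: integers, byte strings, lists and dicts."""

    def parse(i):
        c = data[i:i + 1]
        if c == b"i":                      # integer: i<digits>e
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c == b"l":                      # list: l<items>e
            items, i = [], i + 1
            while data[i:i + 1] != b"e":
                item, i = parse(i)
                items.append(item)
            return items, i + 1
        if c == b"d":                      # dict: d<key><value>...e
            out, i = {}, i + 1
            while data[i:i + 1] != b"e":
                key, i = parse(i)
                val, i = parse(i)
                out[key] = val
            return out, i + 1
        if c.isdigit():                    # byte string: <len>:<bytes>
            colon = data.index(b":", i)
            length = int(data[i:colon])
            start = colon + 1
            return data[start:start + length], start + length
        raise ValueError(f"bad bencode at offset {i}")

    value, end = parse(0)
    if end != len(data):
        raise ValueError("trailing bytes after bencoded value")
    return value


def bencode(obj) -> bytes:
    """Minimal bencode encoder, used here only to build the constructed sample."""
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        items = sorted(obj.items())        # bencode requires sorted keys
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError(type(obj))


def zero_piece_report(metainfo: bytes) -> dict:
    """Count pieces whose SHA-1 equals the digest of an all-zero piece."""
    info = bdecode(metainfo)[b"info"]
    piece_len = info[b"piece length"]
    hashes = info[b"pieces"]
    if len(hashes) % 20:
        raise ValueError("'pieces' must be a multiple of 20 bytes")
    # Total payload size: single-file ('length') or multi-file ('files') mode.
    if b"length" in info:
        total = info[b"length"]
    else:
        total = sum(f[b"length"] for f in info[b"files"])
    n = len(hashes) // 20
    last_len = total - piece_len * (n - 1)          # final piece may be short
    zero_full = hashlib.sha1(b"\x00" * piece_len).digest()
    zero_last = hashlib.sha1(b"\x00" * last_len).digest()
    zero = 0
    for idx in range(n):
        h = hashes[idx * 20:(idx + 1) * 20]
        if h == (zero_last if idx == n - 1 else zero_full):
            zero += 1
    return {"pieces": n, "zero_pieces": zero, "zero_fraction": zero / n}


def build_sample_metainfo() -> bytes:
    """Constructed sample: 6 pieces of 32 bytes; the first two hold real data,
    the remaining four are zero-filled and the last piece is only 16 bytes."""
    piece_len = 32
    payload = b"real-nft-bytes-".ljust(64, b"x") + b"\x00" * (4 * piece_len - 16)
    pieces = b"".join(
        hashlib.sha1(payload[i:i + piece_len]).digest()
        for i in range(0, len(payload), piece_len)
    )
    info = {b"name": b"sample.bin", b"piece length": piece_len,
            b"length": len(payload), b"pieces": pieces}
    return bencode({b"announce": b"udp://tracker.invalid:6969", b"info": info})


if __name__ == "__main__":
    print(zero_piece_report(build_sample_metainfo()))
```

Against a real file the call is `zero_piece_report(open("archive.torrent", "rb").read())`; the returned fraction is the share of the advertised payload that is provably zero-filled, which is what distinguishes a multi-terabyte archive from a multi-terabyte placeholder.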

We were hoping this was real... [I]t is actually rather complicated to correctly download and secure the media for even a single NFT, nevermind trying to do it for every NFT ever made. This is why we were initially skeptical of Geoff's statements. But even if he had actually downloaded all the NFT media and made it available as a torrent, this would not have solved the problem... a torrent containing all the NFTs does nothing to actually make those NFTs available via IPFS, which is the network they must be present on in order for the NFTs to be visible on marketplaces and galleries....

[A]nd this is a bit in the weeds: in order to reupload an NFT's media to IPFS, you need more than just the media itself. In order to restore a file to IPFS so it can continue to be located by the original link embedded in the NFT, you must know exactly the settings used when that file was originally uploaded, and potentially even the exact version of the IPFS software used for the upload.

For these reasons and more, ClubNFT is working hard on an actual solution to ensure that everybody's NFTs can be safely secured by the collectors themselves. We look forward to providing more educational resources on these and other topics, and welcome the attention that others, like Geoff, bring to these important issues.

Their article was shared by a Slashdot reader (who is one of ClubNFT's three founders). I'd wondered suspiciously if ClubNFT was a hoax, but if this PR Newswire press release is legit, they've raised $3 million in seed funding. (And that does include an investment from Draper Dragon, co-founded by Tim Draper, which shows up on CrunchBase.) The International Business Times has also covered ClubNFT, identifying it as a startup whose mission statement is "to build the next generation of NFT solutions to help collectors discover, protect, and share digital assets." Co-founder and CEO Jason Bailey said these next-generation tools are in their "discovery" phase, and one of the first set of tools that is designed to provide a backup solution for NFTs will roll out early next year. Speaking to International Business Times, Bailey said, "We are looking at early 2022 to roll out the backup solution. But between now and then we should be feeding (1,500 beta testers) valuable information about their wallets." Bailey says while doing the beta testing, he realized that there are loopholes in the NFT storage systems and only 40% of the NFTs were actually pointing to the IPFS, while 40% of them were at risk — pointing to private servers.

Here is the problem explained: NFTs are basically a collection of metadata, that define the underlying property that is owned. Just like in the world of internet documents, links point to the art and any details about it that are being stored. But links can break, or die. Many NFTs use a system called InterPlanetary File System, or IPFS, which lets you find a piece of content as long as it is hosted somewhere on the IPFS network. Unlike in the world of internet domains, you don't need to own the domain to really make sure the data is safe. Explaining the problem which the backup tool will address, Bailey said, "When you upload an image to IPFS, it creates a cryptographic hash. And if someone ever stops paying to store that image on IPFS, as long as you have the original image, you can always restore it. That's why we're giving people the right to download the image.... [W]e're going to start with this protection tool solution that will allow people to click a button and download all the assets associated with their NFT collection and their wallet in the exact format that they would need it in to restore it back up to IPFS, should it ever disappear. And we're not going to charge any money for that."

The idea, he said, is that collectors should not have to trust any company; rather they can use ClubNFT's tool, whenever it becomes available, to download the files locally... "One of the things that we're doing early around that discovery process, we're building out a tool that looks in your wallet and can see who you collect, and then go a level deeper and see who they collect," Bailey said. Bailey said that the rest of the tools will process after gathering lessons based on user feedback on the first set of solutions. He, however, seemed positive that the talks of the next set of tools will begin in the Spring of next year as the company has laid a "general roadmap."

Bitcoin

Canadian Police Arrest Teen For Stealing $36.5 Million In Cryptocurrency (engadget.com)

In what's being referred to as the largest-ever cryptocurrency theft involving one person, police in Canada say they recently arrested a teen who allegedly stole $36.5 million worth of cryptocurrency from a single individual in the U.S. Engadget reports: The owner of the currency was the victim of a SIM swap attack. Their cellphone number was hijacked and used to intercept two-factor authentication requests, thereby allowing access to their protected accounts. Some of the stolen money was used to purchase a "rare" online gaming username, which eventually allowed the Hamilton Police Service, as well as FBI and US Secret Service Electronic Crimes Task Force, to identify the account holder. Police seized approximately $7 million CAD ($5.5 million) in stolen cryptocurrency when they arrested the teen.

Piracy

Sci-Hub: Researchers File Intervention Application To Fight ISP Blocking (torrentfreak.com)

Last December, academic publishers Elsevier, Wiley, and American Chemical Society filed a lawsuit demanding that Indian ISPs block access to Sci-Hub and Libgen for copyright infringement. The ongoing case now includes an intervention application from a group of social science researchers who say that blocking the platforms would result in a great societal loss to the country. TorrentFreak reports: Assisted and represented by the Delhi-based Internet Freedom Foundation (IFF), a group of social science researchers affiliated with universities across Delhi has now filed an intervention application that aims to educate the High Court on the negative implications of ordering local ISPs to block the platforms. "In the application, they have demonstrated the importance of LibGen and Sci-Hub in enabling them to continue with research and discharge professional obligations," IFF explains. "They have submitted that they cannot access countless essays/books/articles because of the exorbitant rates the publishers charge for them and that these publishers own more than 50% of the total output in social science research. The only way in which they can access these resources is by relying upon LibGen and Sci-Hub. Moreover, LibGen and Sci-Hub offer access to up-to-date research which is unavailable elsewhere."

The social science researchers also draw attention to the publishers' "prohibitive pricing" models that place a serious burden on the publicly-funded academic institutions where they conduct their research. They further note that, to the best of their knowledge, individual users who rely on Sci-Hub and Libgen have not dented the profits of the publishers. "The profit margins of the [publishers] are much higher than those of enterprises in other industries such as oil, medicines and technology. Thus, the Plaintiffs' plea of blocking [Sci-Hub and Libgen] only serves their self-interest of increasing their coffers without benefitting society," their application reads. "In fact, granting the Plaintiffs' reliefs will have a detrimental impact on the social science research undertaken in India and the careers of the Applicants and those they represent before this Hon'ble Court. The unavailability of the Defendant Websites will also stunt the academic growth of the nation."

After highlighting the risks to society should the Court authorize blocking, the researchers turn to the legality of doing so. They believe that while the publishers own the copyrights to the articles, the use of those articles is allowed under India's Copyright Act, at least under certain conditions. [...] Finally, the researchers say they are contesting any blocking injunction on the basis that it would be overbroad. They note that the publishers are not seeking the removal of specific infringing content but the blocking of entire websites in perpetuity. They argue that there are less restrictive measures available and these should have been sought first, rather than going directly for complete blocking of Sci-Hub and Libgen. Before issuing any blocking order, they also ask the court to consider Article 19(1) that recognizes the fundamental right to access information.

Facebook

Facebook Tells LA Police To Stop Spying on Users With Fake Accounts (bbc.com)

Facebook has written to the Los Angeles Police Department (LAPD), demanding that it stop setting up fake profiles to conduct surveillance on users. From a report: This comes after the Guardian revealed that the US police department had been working with a tech firm, analysing user data to help solve crimes. Facebook expressly prohibits the creation and use of fake accounts. The intent, it said, was to "create a safe environment where people can trust and hold one another accountable". "Not only do LAPD instructional documents use Facebook as an explicit example in advising officers to set up fake social media accounts, but documents also indicate that LAPD policies simply allow officers to create fake accounts for 'online investigative activity'," wrote Facebook's vice president and deputy general counsel for civil rights Roy Austin in a letter outlining Facebook's policies. "While the legitimacy of such policies may be up to the LAPD, officers must abide by Facebook's policies when creating accounts on our services. The Police Department should cease all activities on Facebook that involve the use of fake accounts, impersonation of others, and collection of data for surveillance purposes."

Google

Pentagon Asks Amazon, Google, Microsoft and Oracle for Bids on New Cloud Contracts (theguardian.com)

The U.S. General Services Administration said Friday that the Defense Department has solicited bids from Amazon, Google, Microsoft and Oracle for cloud contracts. From a report: The outreach comes after the Pentagon set aside a highly contested $10 billion contract that Microsoft had won and Amazon had challenged. The value of the new contracts is not known, but the Defense Department estimates it could run into the multiple billions of dollars. The new effort, known as Joint Warfighting Cloud Capability, or JWCC, appears like it will bolster the top global cloud infrastructure providers, Amazon and Microsoft, although it could also provide more credibility to two smaller entities.

"The Government anticipates awarding two IDIQ contracts -- one to Amazon Web Services (AWS) and one to Microsoft Corporation (Microsoft) -- but intends to award to all Cloud Service Providers (CSPs) that demonstrate the capability to meet DoD's requirements," the GSA said in its announcement. An indefinite delivery, indefinite quantity, or IDIQ, contract includes an indefinite amount of services for a specific period of time.

Privacy

Singapore's Tech-utopia Dream is Turning Into a Surveillance State Nightmare (restofworld.org)

In the "smart nation," robot dogs enforce social distancing and flying taxis are just over the horizon. The reality is very different. From a report: Singapore is often rendered as an aspiring techno-utopia. In World Economic Forum videos, in-flight magazines and its own pliant state-backed media, it offers a soft-focus science fiction backdrop where driverless buses ply routes between beach clubs and tech hubs, where robot dogs enforce social distancing and flying taxis flit between glass-fronted public housing overflowing with lush "sky gardens." It's a place where pilot projects hint at a future -- just over the horizon -- where the intractable problems of today are automated out of existence. Where vertical farms and "NEWater" made from treated sewage cut the island's reliance on neighbouring Malaysia for food and water. Where robots care for the elderly and drones service freighters. Where warehouses and construction sites are staffed by machines, obviating the need for the migrant workers who make Singapore function, but make Singaporeans uncomfortable. Technology keeps them safe, fed and independent; secure in a scary world, but connected to it through telecoms and air travel.

That safety requires constant vigilance. The city must be watched. The smart cameras that are being trialled in Changi are just a part of a nationwide thrust towards treating surveillance as part of everyday life. Ninety-thousand police cameras watch the streets, and by the end of the decade, there will be 200,000. Sensors, including facial recognition cameras and crowd analytics systems, are being positioned across the city. The technology alone isn't unique -- it's used in many countries. But Singapore's ruling party sees dangers everywhere, and seems increasingly willing to peer individually and en masse into people's lives. "What [technology] will do for people is make our lives a hell of a lot easier, more convenient, more easily able to plug into the good life," said Monamie Bhadra Haines, an assistant professor at the Technical University of Denmark who studies the intersection between technology and society. "But ... the surveillance is what is here, now."

Network

Tor Project Sees Decline in Server Numbers, Will Offer Rewards for New Bridge Operators (therecord.media)

The Tor Project said this week that it has seen a drop in the number of Tor relays and bridge servers and is now offering various rewards to users who help bring the number back up. From a report: Rewards include the likes of hoodies, t-shirts, and stickers and are meant to provide some sort of meaningful gift to those who help keep the Tor anonymity network alive and resilient to censorship. More specifically, the rewards will be provided to those who run "Tor bridges," which serve as entry points into the Tor network for users located in countries that block access to Tor servers. "We currently have approximately 1,200 bridges, 900 of which support the obfs4 obfuscation protocol," said Gustavo Gus, Community Team Lead for the Tor Project. "Unfortunately, these numbers have been decreasing since the beginning of this year. It's not enough to have many bridges: eventually, all of them could find themselves in block lists. We therefore need a constant trickle of new bridges that aren't blocked anywhere yet," the Tor Project member said.
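For anyone who wants to answer that call, the difference between an ordinary relay and the obfs4 bridge Gus describes is a handful of torrc directives. The fragment below is an added example for this page, not the Tor Project's own documentation or configuration; the ports, nickname, contact address and the obfs4proxy path are assumptions (the binary's location depends on the distribution and package used).

```text
# torrc fragment for an obfs4 bridge (added example; ports and paths are assumptions)
BridgeRelay 1

# A bridge still needs an OR port, but censored clients connect to the obfs4 port below.
ORPort 9001

# Pluggable transport. The obfs4proxy path varies by distribution/package.
ServerTransportPlugin obfs4 exec /usr/bin/obfs4proxy

# The port users actually reach; ports below 1024 need extra privileges for obfs4proxy.
ServerTransportListenAddr obfs4 0.0.0.0:443

# Lets tor and obfs4proxy exchange connection metadata.
ExtORPort auto

# Let BridgeDB decide how to hand the bridge out (use "none" to keep it private).
BridgeDistribution any

ContactInfo <address@example.com>
Nickname PickANickname
```

Once tor has started, the bridge line to give to users (address, fingerprint and the obfs4 cert and iat-mode parameters) is written by obfs4proxy under tor's DataDirectory, in pt_state/obfs4_bridgeline.txt on typical Linux packaging; a bridge that is never distributed does nothing for the censored users the Tor Project is trying to reach, which is the point of the "constant trickle" Gus asks for.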

Firefox

Thousands of Firefox Users Accidentally Commit Login Cookies On GitHub (theregister.com)

Thousands of Firefox cookie databases containing sensitive data are available on request from GitHub repositories, data potentially usable for hijacking authenticated sessions. The Register reports: These cookies.sqlite databases normally reside in the Firefox profiles folder. They're used to store cookies between browsing sessions. And they're findable by searching GitHub with specific query parameters, what's known as a search "dork." Aidan Marlin, a security engineer at London-based rail travel service Trainline, alerted The Register to the public availability of these files after reporting his findings through HackerOne and being told by a GitHub representative that "credentials exposed by our users are not in scope for our Bug Bounty program."

Marlin then asked whether he could make his findings public and was told he's free to do so. "I'm frustrated that GitHub isn't taking its users' security and privacy seriously," Marlin told The Register in an email. "The least it could do is prevent results coming up for this GitHub dork. If the individuals who uploaded these cookie databases were made aware of what they'd done, they'd s*** their pants."

Marlin acknowledges that affected GitHub users deserve some blame for failing to prevent their cookies.sqlite databases from being included when they committed code and pushed it to their public repositories. "But there are nearly 4.5k hits for this dork, so I think GitHub has a duty of care as well," he said, adding that he's alerted the UK Information Commissioner's Office because personal information is at stake. Marlin speculates that the oversight is a consequence of committing code from one's Linux home directory. "I imagine in most of the cases, the individuals aren't aware that they've uploaded their cookie databases," he explained. "A common reason users do this is for a common environment across multiple machines."
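The two practitioner questions behind this story are "is a Firefox profile sitting in my checkout?" and "what does a leaked cookies.sqlite actually give an attacker?". The script below is an added example written for this page, not GitHub's, Mozilla's or Aidan Marlin's code. It walks a working tree for Firefox profile files that should never be committed, then opens a cookies.sqlite and lists the cookies that are still inside their expiry window, which is what makes such a leak usable for session hijacking. The database it reads is a constructed sample carrying only the moz_cookies columns the script needs; a real profile's table has more columns, and the profile path, cookie names and hosts used here are placeholders.

```python
"""Find Firefox profile secrets in a checkout and triage a leaked cookies.sqlite.
Added example; the profile and database below are constructed samples."""
import os
import shutil
import sqlite3
import tempfile
import time

# Files from a Firefox profile directory that carry secrets and must not be committed.
FIREFOX_SECRET_FILES = {
    "cookies.sqlite",          # session cookies
    "logins.json",             # saved passwords (encrypted with key4.db)
    "key4.db",                 # key database that decrypts logins.json
    "sessionstore.jsonlz4",    # open tabs, form data, session cookies
    "formhistory.sqlite",      # autofill history
}


def find_profile_artifacts(root: str) -> list:
    """Return paths under root whose basename is a Firefox secret file.
    Suitable for a pre-commit hook or a one-off check before the first push."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]   # skip git metadata
        for name in filenames:
            if name in FIREFOX_SECRET_FILES:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def live_cookies(db_path: str, now=None) -> list:
    """List cookies whose expiry (Unix seconds in moz_cookies) is still in the future.
    A leaked database stays dangerous for as long as any auth cookie in it is live."""
    now = int(time.time()) if now is None else now
    conn = sqlite3.connect(db_path)
    try:
        rows = conn.execute(
            "SELECT host, name, path, expiry, isSecure, isHttpOnly "
            "FROM moz_cookies WHERE expiry > ? ORDER BY host, name",
            (now,),
        ).fetchall()
    finally:
        conn.close()
    # The cookie value itself is deliberately not returned: listing is enough for triage.
    return [
        {"host": h, "name": n, "path": p, "expiry": e,
         "secure": bool(s), "httponly": bool(ho)}
        for h, n, p, e, s, ho in rows
    ]


def make_sample_cookie_db(path: str, now: int) -> None:
    """Constructed sample database: two live cookies and one expired cookie."""
    conn = sqlite3.connect(path)
    with conn:
        conn.execute(
            "CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, name TEXT, "
            "value TEXT, host TEXT, path TEXT, expiry INTEGER, "
            "isSecure INTEGER, isHttpOnly INTEGER)"
        )
        conn.executemany(
            "INSERT INTO moz_cookies (name, value, host, path, expiry, "
            "isSecure, isHttpOnly) VALUES (?, ?, ?, ?, ?, ?, ?)",
            [
                ("sessionid", "s3cr3t", ".example.test", "/", now + 86400, 1, 1),
                ("csrftoken", "tok", ".example.test", "/", now + 86400, 1, 0),
                ("old", "gone", ".stale.test", "/", now - 60, 0, 0),
            ],
        )
    conn.close()


def demo(workdir=None) -> tuple:
    """Plant a sample profile inside a fake checkout, then scan and triage it.
    Creates and removes a temporary directory when no workdir is given."""
    cleanup = workdir is None
    if cleanup:
        workdir = tempfile.mkdtemp(prefix="ffleak-")
    try:
        profile = os.path.join(workdir, ".mozilla", "firefox", "abcd.default")
        os.makedirs(profile, exist_ok=True)
        now = 1_700_000_000                       # fixed clock for reproducible output
        db = os.path.join(profile, "cookies.sqlite")
        make_sample_cookie_db(db, now)
        return find_profile_artifacts(workdir), live_cookies(db, now)
    finally:
        if cleanup:
            shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    found, cookies = demo()
    print("files that must not be committed:", found)
    for c in cookies:
        print("live cookie:", c)
```

The fix for the home-directory-as-repository pattern Marlin describes is to ignore the profile tree (for example a `.mozilla/` entry in `.gitignore`, or a global excludes file) and to run `find_profile_artifacts` against the tree before pushing; for a database that has already been pushed, every cookie `live_cookies` reports should be treated as a compromised session and invalidated server-side, since rewriting history does not retract what was already cloned.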

Piracy

'The NFT Bay' Shares Multi-Terabyte Archive of 'Pirated' NFTs (torrentfreak.com)

NFTs are unique blockchain entries through which people can prove that they own something. However, the underlying images can be copied with a single click. This point is illustrated by The NFT Bay which links to a 19.5 Terabyte collection of 'all NFTs' on the Ethereum and Solana blockchains. (UPDATE: One NFT startup is claiming that the collection is mostly just zeroes, and does not in fact contain all of the NFTs.)

But the archive also delivered an important warning message too. TorrentFreak reports: "The Billion Dollar Torrent," as it's called, reportedly includes all the NFTs on the Ethereum and Solana blockchains. These files are bundled in a massive torrent that points to roughly 15 terabytes of data. Unpacked, this adds up to almost 20 terabytes. Australian developer Geoff is the brains behind the platform, which he describes as an art project. Speaking with TorrentFreak, he says that The Pirate Bay was used as inspiration for nostalgic reasons, which needs further explanation.

The NFT Bay is not just any random art project. It does come with a message, perhaps a wake-up call, for people who jump on the NFT bandwagon without fully realizing what they're spending their crypto profits on. "Purchasing NFT art right now is nothing more than directions on how to access or download an image. The image is not stored on the blockchain and the majority of images I've seen are hosted on Web 2.0 storage which is likely to end up as 404 meaning the NFT has even less value." The same warning is more sharply articulated in the torrent's release notes which are styled in true pirate fashion. "[T]his handy torrent contains all of the NFT's so that future generations can study this generation's tulip mania and collectively go..." it reads.

Government

Apple's Right-To-Repair Policy Was Forced By Green Investors and Regulatory Pressure (theverge.com) 61

"In the past, Apple has taken an opposing stance on letting consumers repair their devices. Some of that is changing with Apple's new announcement," writes Slashdot reader wakeboarder. "Apple will sell components like batteries and screens to allow consumers to repair their own devices. This will help reduce e-waste, but will also allow Apple to control the market for parts -- not exactly what right-to-repair activists have fought for."

With that said, Apple "didn't change its policy out of the goodness of its heart," writes The Verge's Maddie Stone. The timing of this announcement was "deliberate," considering Wednesday was a key deadline in the fight over a shareholder resolution environmental advocates filed with the company in September asking Apple to re-evaluate its stance on independent repair. The issue would've likely ended up at the Securities and Exchange Commission. From the report: Apple spokesperson Nick Leahy told The Verge that the program "has been in development for well over a year," describing it as "the next step in increasing customer access to Apple genuine parts, tools, and manuals." Leahy declined to say whether the timing of the announcement was influenced by shareholder pressure. Activist shareholders believe that it was. "The timing is definitely no coincidence," says Annalisa Tarizzo, an advocate with Green Century, the mutual fund company that filed the right-to-repair resolution with Apple in September. As a result of today's announcement, Green Century is withdrawing its resolution, which asked Apple to "reverse its anti repair practices" and evaluate the benefits of making parts and tools more available to consumers.

Apple's initial response to the Green Century resolution was less than conciliatory. Tarizzo says that on October 18 (30 days before the self service announcement), Apple submitted a "no action request" to the Securities and Exchange Commission asking the investor oversight body to block the proposal. According to Tarizzo, Apple's argument before the SEC was that the proposal -- that the company "prepare a report" on the environmental and social benefits of making its devices easier to fix -- ran afoul of shareholder proposal guidance by infringing on Apple's normal business operations. However, earlier this month, the SEC issued new guidance concerning no-action requests that includes a carve-out for proposals that raise "significant social policy issues." In other words, shareholders can bring resolutions that affect a company's day-to-day business operations if those proposals raise issues with significant societal impact. Tarizzo believes that this change made it much more likely the SEC would side with Green Century rather than Apple, particularly since the mutual fund company connected the dots between increased access to repair and the fight against climate change. (Using devices as long as possible through maintenance and repair is one of the best ways to reduce the climate impact of consumer technology since the majority of the emissions associated with our gadgets occur during the manufacturing stage.)

"It wasn't a guarantee that the SEC would side with us, but the new guidance indicates it's very likely we would prevail," Tarizzo says. "It effectively took away a lot of Apple's leverage in the process." Now, Apple seems to have regained some leverage by announcing its new Self Service Repair program on the same day that Green Century was required to respond to the no-action request. Instead of arguing that the SEC should allow the shareholder resolution to move forward, Green Century is now withdrawing the resolution entirely.

Businesses

How Fraudsters Exploit Popular Interest-free Payment Plans (cnbc.com) 38

Buy now, pay later services aren't just popular among consumers. They're also proving to be a hit with criminals. From a report: Fraudulent activity is on the rise at some of the largest buy now, pay later (BNPL) platforms in the industry, which include Klarna, Afterpay and Affirm, according to fraud experts who spoke with CNBC. BNPL products let shoppers split the cost of their purchases over three or four months, often interest-free. They've become massively popular in the U.S. and Europe, and generated almost $100 billion in transactions globally in 2020 alone. "Criminals love buy now, pay later," Martin Rehak, CEO and co-founder of Czech fraud detection start-up Resistant AI, told CNBC. "You can already see crime on multiple levels." Criminal gangs are exploiting weaknesses in the application process for BNPL loans, experts say, using clever tactics to slip through undetected and steal items ranging from pizza and booze to video game consoles.

One of the vulnerabilities, Rehak says, is BNPL firms' reliance on data for approving new clients. Many companies in the industry don't conduct formal credit checks, instead using internal algorithms to determine creditworthiness based on the information they have available to them. Retailers working with BNPL platforms "categorize things differently," Rehak said, adding that this can lead to inconsistency. "There is always a way to exploit this and basically steal from you using someone else's mistake." For example, a partner merchant may run a special promotion event for alcohol but assign a vague category like "special event." This runs the risk of fraud falling through the cracks if an artificial intelligence system doesn't recognize the category and gives it a more generic label with low default risk. Rehak said many scammers are stealing people's identities or taking over their accounts to evade detection, making unsuspecting victims foot the bill. He declined to name any specific companies being targeted, however, saying Resistant AI counts a number of BNPL businesses as clients.

EU

Advisor To EU's Top Court Suggests German Bulk Data Retention Law Isn't Legal (techcrunch.com) 15

The battle between the appetites of European Union Member States' governments to retain their citizens' data -- for fuzzy, catch-all 'security' purposes -- and the region's top court, the CJEU, which continues to defend fundamental rights by reiterating that indiscriminate mass surveillance is incompatible with general principles of EU law (such as proportionality and respect for privacy) -- has led to another pointed legal critique of national law on bulk data retention. From a report: This time it's a German data retention law that's earned the slap-down -- via a CJEU referral which joins a couple of cases, involving ISPs SpaceNet and Telekom Deutschland which are challenging the obligation to store their customers' telecommunications traffic data. The court's judgement is still pending but an influential opinion put out today by an advisor to the CJEU takes the view that general and indiscriminate retention of traffic and location data can only be permitted exceptionally -- in relation to a threat to national security -- nor can data be retained permanently. In a press release announcing the opinion of advocate general Manuel Campos Sanchez-Bordona, the court writes that the AG "considers that the answers to all the questions referred are already in the Court's case-law or can be inferred from them without difficulty"; going on to set out his view that the German law's "general and indiscriminate storage obligation" -- which covers "a very wide range of traffic and location data" -- cannot be reconciled with EU law by a time limit imposed on storage as data is being sucked up in bulk, not in a targeted fashion (i.e. for a specific national security purpose).

Privacy

South Korea Is Giving Millions of Photos To Facial Recognition Researchers (vice.com) 17

An anonymous reader quotes a report from Motherboard: The South Korean Ministry of Justice has provided more than 100 million photos of foreign nationals who travelled through the country's airports to facial recognition companies without their consent, according to attorneys with the non-governmental organization Lawyers for a Democratic Society. While the use of facial recognition technology has become common for governments across the world, advocates in South Korea are calling the practice a "human rights disaster" that is relatively unprecedented. "It's unheard-of for state organizations -- whose duty it is to manage and control facial recognition technology -- to hand over biometric information collected for public purposes to a private-sector company for the development of technology," six civic groups said during a press conference last week.

The revelation, first reported in the South Korean newspaper The Hankyoreh, came to light after National Assembly member Park Joo-min requested and received documents from the Ministry of Justice related to an April 2019 project titled Artificial Intelligence and Tracking System Construction Project. The documents show private companies secretly used biometric data to research and develop an advanced immigration screening system that would utilize artificial intelligence to automatically identify airport users' identities through CCTV surveillance cameras and detect dangerous situations in real time. Shortly after the discovery, civil liberty groups announced plans to represent both foreign and domestic victims in a lawsuit.

"We, the NGOs, urge the government to immediately stop the establishment of a biometric monitoring system that is not only illegal but also significantly violates international human rights norms," wrote Advocates for Public Interest Law, MINBYUN -- Lawyers for a Democratic Society, the Institute for Digital Rights, the Joint Committee with Migrants in Korea, and the Korean Progressive Network Jinbonet, in a press release that was translated and provided to Motherboard. Attorneys claim the project directly violates South Korea's Personal Information Protection Act, a law that strictly limits the processing of personal information in the country. Still, the Ministry has yet to announce plans to halt the program, which was scheduled to be completed in 2022.
