The Courts

Supreme Court Guts Protections for Cyberstalking Victims (fastcompany.com)

The Supreme Court ruled Tuesday that in order to find someone guilty of making a "true threat" courts must first determine that the person recklessly disregarded the fact that their words might be perceived as threats. From a report: Experts fear the decision will create new hurdles for victims of cyberstalking by requiring them to first prove that their stalkers understand the consequences of their actions. "The Supreme Court has just decreed that stalking is free speech protected by the First Amendment if the stalker genuinely believes his actions are non-threatening," tweeted Mary Anne Franks, a professor at George Washington Law School and president of the nonprofit Cyber Civil Rights Initiative. "That is, the more deluded the stalker, the more protected the stalking."

The case, Counterman v. Colorado, concerns a man named Billy Raymond Counterman, who was convicted under a Colorado anti-stalking law, after he sent a barrage of threatening Facebook messages to a woman he'd never met. The Colorado law didn't require the court to consider Counterman's mental state when he sent the messages. It only had to consider his behavior and how it was objectively received, that is, whether he repeatedly contacted, followed, or surveilled his target in a way that would cause a "reasonable person" distress. Counterman was found guilty under that statute, but he appealed his conviction, arguing that his statements were protected by the First Amendment and did not constitute "true threats," a category of speech that falls outside the bounds of the First Amendment, because it wasn't his intention to threaten his target. In its decision, the Supreme Court overwhelmingly sided with Counterman.

Encryption

Apple Joins Opposition in UK To Encrypted Message App Scanning (bbc.com)

Apple has criticised powers in the UK's Online Safety Bill that could be used to force encrypted messaging tools like iMessage, WhatsApp and Signal to scan messages for child abuse material. From a report: Its intervention comes as 80 organisations and tech experts have written to Technology Minister Chloe Smith urging a rethink on the powers. Apple told the BBC the bill should be amended to protect encryption. End-to-end encryption (E2EE) stops anyone but the sender and recipient reading the message. Police, the government and some high-profile child protection charities maintain the tech -- used in apps such as WhatsApp and Apple's iMessage -- prevents law enforcement and the firms themselves from identifying the sharing of child sexual abuse material.

But in a statement Apple said: "End-to-end encryption is a critical capability that protects the privacy of journalists, human rights activists, and diplomats. "It also helps everyday citizens defend themselves from surveillance, identity theft, fraud, and data breaches. The Online Safety Bill poses a serious threat to this protection, and could put UK citizens at greater risk. "Apple urges the government to amend the bill to protect strong end-to-end encryption for the benefit of all."

Encryption

3-Year Probe Into Encrypted Phones Led To Seizure of Hundreds of Tons of Drugs, Prosecutors Say (apnews.com)

Investigations triggered by the cracking of encrypted phones three years ago have so far led to more than 6,500 arrests worldwide and the seizure of hundreds of tons of drugs, French, Dutch and European Union prosecutors said Tuesday. From a report: The announcement underscored the staggering scale of criminality -- mainly drugs and arms smuggling and money laundering -- that was uncovered as a result of police and prosecutors effectively listening in to criminals using encrypted EncroChat phones. "It helped to prevent violent attacks, attempted murders, corruption and large-scale drug transports, as well as obtain large-scale information on organised crime," European Union police and judicial cooperation agencies Europol and Eurojust said in a statement.

The French and Dutch investigation gained access to more than 115 million encrypted communications between some 60,000 criminals via servers in the northern French town of Roubaix, prosecutors said at a news conference in the nearby city of Lille. As a result, 6,558 suspects have been arrested worldwide, including 197 "high-value targets." Seized drugs included 30.5 million pills, 103.5 metric tons (114 tons) of cocaine, 163.4 metric tons (180 tons) of cannabis and 3.3 metric tons (3.6 tons) of heroin. The investigations also led to nearly 740 million euros ($809 million) in cash being recovered and assets or bank accounts worth another 154 million euros ($168 million) frozen.

Security

Smartwatches Are Being Used To Distribute Malware (defensenews.com)

"Smartwatches are being sent to random military members loaded with malware, much like malware distribution via USB drives in the past," writes longtime Slashdot reader frdmfghtr. "Recipients are advised not to turn them on and to report the incident to their local security office." Defense News reports: The Department of the Army Criminal Investigation Division, or CID, in an announcement last week warned the watches may contain malware, potentially granting whoever sent the peripherals "access to saved data to include banking information, contacts, and account information such as usernames and passwords."

A more innocuous tactic may also be to blame: so-called brushing, used in e-commerce to boost a seller's ratings through fake orders and reviews. The CID, an independent federal law enforcement agency consisting of thousands of personnel, did not say exactly how many smartwatches were so far distributed.

Piracy

Z-Library Releases Tor-Enabled Desktop Launcher To Improve 'Accessibility' (torrentfreak.com)

Pirate ebook repository Z-Library has released a dedicated desktop application that should make it easier to access the site going forward. The service is at the center of a criminal crackdown and has lost hundreds of domain names, which in part triggered the development of this new software. TorrentFreak reports: Over the past few months, Z-Library users accessed the site through a dedicated URL, which redirected them to a 'personal' domain that provided access to the library. This worked well but the entire operation could easily be wiped out by yet another round of domain seizures. The new desktop launcher, which is available on the Windows, Mac, and Linux platforms, will automatically redirect users to the right place, without being tied to a single domain name.

In addition to simplifying access, the new Z-Library launcher software is able to connect over the Tor network. This can help to evade blocking efforts while adding an extra privacy layer. The software may trigger a warning noting that it's from an unverified developer. According to Z-Library, this is a standard notice but, aside from the copyright infringement angle, people should always treat third-party applications with caution.

AI

Congress Sets Limits On Staff ChatGPT Use (axios.com)

In a memo to House staffers this morning, the chamber's Chief Administrative Officer Catherine L. Szpindor said it is placing new guardrails around use of ChatGPT by congressional offices. Axios reports: Szpindor wrote that offices are "only authorized" to use the paid ChatGPT Plus. Unlike the free service, she said, the $20-per-month subscription version "incorporates important privacy features that are necessary to protect House data." She said in addition to other versions of ChatGPT, no other large language models are authorized for use. Szpindor also laid out an array of regulations on how to use the tool.

Offices are allowed to use the tool for "research and evaluation only" and can experiment on how it can improve their operations, but are "not authorized to incorporate it into regular workflow." Offices should only input "non-sensitive" data, she added, instructing staffers not to "paste into the chat bot any blocks of text that have not already been made public." She instructed offices to enable privacy settings, which are disabled by default, to "ensure that your history is not preserved and your interactions are not incorporated back into the large language model."

Crime

Twitter Hacker Who Turned Celebrity Accounts Into Crypto Shills Gets Prison Sentence (gizmodo.com)

An anonymous reader quotes a report from Gizmodo: One of the cybercriminals behind 2020's major Twitter hack was sentenced to five years in U.S. federal prison on Friday. Joseph O'Connor (AKA "PlugwalkJoe"), a 24-year-old British citizen, previously pleaded guilty to seven charges associated with the digital attack. He was arrested in Spain in 2021 and extradited to the U.S. in April of this year. In addition to the five years of jail time, O'Connor was also sentenced to three additional years under supervised release and ordered to pay back more than $790,000 in illicitly obtained funds, according to a news release from the U.S. Attorney's Office of the Southern District of New York. Previously, Graham Ivan Clark, another one of the hackers involved who was 17 at the time of the attack, pleaded guilty to related charges and was sentenced to three years in prison.

With all charges combined, O'Connor faced a maximum of 77 years in prison, per a Reuters report, while prosecutors called for a seven-year sentence. Ultimately, he will likely only serve about half of his five years, after having already spent nearly 2.5 years in pre-trial custody, Judge Jed S. Rakoff said during the Friday hearing, according to TechCrunch. Along with his fellow hackers, O'Connor "used his sophisticated technological abilities for malicious purposes -- conducting a complex SIM swap attack to steal large amounts of cryptocurrency, hacking Twitter, conducting computer intrusions to take over social media accounts, and even cyberstalking two victims, including a minor victim," according to a previous statement given by prosecuting U.S. Attorney Damian Williams. [...]

An investigation by the New York State Department of Financial Services determined that the breach was made possible because Twitter "lacked adequate cybersecurity protections," according to an October 2020 report. O'Connor and co were able to gain access to the social platform's internal systems through a simple scheme of calling Twitter employees posing as the company IT department. They were able to trick four Twitter workers into providing their login credentials. The FBI launched its own investigation, which found that O'Connor and his co-conspirators had managed to transfer account ownership to unauthorized users -- sometimes themselves, and sometimes to others willing to pay for the accounts. O'Connor himself paid $10,000 to take over one specific, unnamed account, according to a Department of Justice press statement from May. In addition to the Twitter hack, O'Connor also pleaded guilty to stealing nearly $800,000 from a crypto company by SIM swapping at least three executives' phone numbers. He further admitted to blackmailing an unnamed public figure via Snapchat and swatting a 16-year-old girl.

News

'Last Minute' Law Change Bid in Ireland To 'Muzzle' Critics of Data Protection Commission (irishtimes.com)

A "last-minute" government amendment to a bill is an effort to "muzzle" critics of the Data Protection Commission (DPC) and will make the commission's decision-making "even more opaque," a civil liberties group has claimed. From a report: The Irish Council for Civil Liberties has urged all parties in the Dáil to challenge the proposed amendment to the Courts and Civil Law (Miscellaneous Provisions) Bill 2022 when it comes up for final debate on Wednesday. The amendment provides that the Commission may direct information deemed by it to be confidential not be disclosed. Failure to comply with a non-disclosure notice issued by the commission will be an offence liable on summary conviction to a $5,450 fine. Dr Johnny Ryan of the ICCL said the amendment "will gag people from speaking about how the DPC handles their complaint and from speaking about how big tech firms or public bodies are misusing their data."

United States

Supreme Court Rejects Lawsuit Accusing Google of Stealing Millions of Song Lyrics (bloomberg.com)

The US Supreme Court refused to revive a lawsuit by music website Genius Media accusing Alphabet's Google of stealing millions of song lyrics. From a report: The justices left in place a ruling that tossed out the suit, which accused Google of violating a contract with Genius by using its song lyrics in search results without attribution. It's the latest victory at the Supreme Court for Google, which earlier this year won a battle over whether its video-streaming platform YouTube can be held liable for hosting terrorist videos.

There are deep disagreements over how copyright laws apply to online speech and aggregation. The lower court said Genius does not own any of the copyrights to its lyrics -- instead, those are held by the songwriters and publishers. Genius claimed that Google violated its contract by scraping lyrics and boosting them in Google Search results without any attribution. Genius, which claimed the saga caused millions of dollars in losses for the website, initially sued Google in 2019. In order to drum up attention and prove its case, Genius said it used a secret code spelling out the word "red-handed" to prove Google was stealing its lyrics. "We appreciate the court's decision, agreeing with the Solicitor General and multiple lower courts that Genius' claims have no merit," Google spokesman Jose Castaneda said Monday. "We license lyrics on Google Search from third parties, and we do not crawl or scrape websites to source lyrics."

Australia

Turn Your Phone Off Every Night For Five Minutes, Australian PM Tells Residents (theguardian.com)

Australia's prime minister, Anthony Albanese, has told residents they should turn their smartphones off and on again once a day as a cybersecurity measure -- and tech experts agree. From a report: Albanese said the country needed to be proactive to thwart cyber risks, as he announced the appointment of Australia's inaugural national cybersecurity coordinator. "We need to mobilise the private sector, we need to mobilise, as well, consumers," the prime minister said on Friday. "We all have a responsibility. Simple things, turn your phone off every night for five minutes. For people watching this, do that every 24 hours, do it while you're brushing your teeth or whatever you're doing." The Australian government's advice is not new. In 2020, the United States' National Security Agency issued best-practice guidelines for mobile device security, which included rebooting smartphones once a week to prevent hacking.

Crime

61-Year-Old Shot, Killed After Tracking Stolen Vehicle With Apple AirTag (bakersfield.com)

An anonymous reader shares news from Bakersfield, California: Four men were arrested in the shooting death of a 61-year-old Bakersfield woman who died after police said she confronted suspects who reportedly stole her car, according to a news release issued Wednesday. Victoria Anne Marie Hampton tracked her reportedly stolen car with an Apple AirTag on March 19 without telling law enforcement, according to the Bakersfield Police Department.

The coroner reported she was shot at 6:32 p.m.

Two of the four suspects were 19 years old, one was 18, and one was 23.

Social Networks

Russian Coup Aided by Telegram, VPNs as Government Blocks Google News (nytimes.com)

Yevgeny V. Prigozhin heads the Russia-backed paramilitary Wagner Group — and was also "a close confidant of Russian president Vladimir Putin until he launched an alleged coup," according to Wikipedia.

The New York Times notes Prigozhin's remarkable ability to bypass government censorship: Despite years of creeping Kremlin control over the internet, the mercenary tycoon Yevgeny V. Prigozhin continued to comment live on Saturday through videos, audio recordings and statements posted on the messaging app Telegram.

His remarkable continued access to a public platform amid a crisis demonstrated both the limits of official restrictions and the rise of Telegram as a powerful mode of communication since the start of the war in Ukraine in February 2022. The app, along with the proliferation of virtual private networks, has effectively loosened the information controls that the Russian authorities had tightened for years.

Russian internet service providers began blocking access to Google News shortly after the authorities accused Mr. Prigozhin of organizing an armed uprising on Friday. But while unconfirmed reports surfaced of Telegram outages in some Russian cities, people within Russia continued to post on the app.

CNN just reported that Prigozhin's paramilitary group "has claimed control of several military facilities and has dispatched some of his troops towards Moscow... Russian security forces in body armor and equipped with automatic weapons have taken up a position near a highway linking Moscow with southern Russia, according to photos published by the Russian business newspaper Vedomosti Saturday."

UPDATE: CNN now reports Prigozhin "says he is turning his forces around from a march toward Moscow shortly after the Belarusian government claimed President Alexander Lukashenko had reached a deal with Prigozhin to halt the march."

Crime

US Seeks 70-Month Prison Sentence For YouTube Content ID Scammer (torrentfreak.com)

An anonymous reader quotes a report from TorrentFreak: By pretending to be legitimate music rightsholders, two men managed to extract over $23 million in revenue from YouTube's content-ID system. Both were arrested, pleaded guilty (PDF), and now face multi-year prison terms. This week, the U.S. requested a 70-month sentence against the 'number two' of the operation, in part to deter future fraud. [...] Last year, one of the defendants confessed to his part in the copyright swindle by pleading guilty. Webster Batista admitted it was a simple scheme: find Latin American music that wasn't yet monetized on YouTube and claim the content as their own. In February of this year, the second defendant pleaded guilty. Jose Teran signed a plea agreement admitting that he was part of the conspiracy, engaging in wire fraud and money laundering.

The Content ID scam was straightforward, Teran's plea agreement revealed. The defendants simply identified unmonetized music and uploaded those songs to YouTube. "[W]e discovered there were recorded songs of musicians and bands on the internet that were not being monetized. We began searching and downloading these songs. Once songs were downloaded, Batista would then upload them to Y.T. as mp3 files." "We falsely claimed legal ownership over these songs to receive royalty payments," Teran adds, noting that the scheme brought in millions. To collect these payments Batista launched the company MediaMuv, which became a trusted YouTube Content ID member through a third-party company referred to by the initials A.R. As the scheme grew, more employees were hired and tasked with finding more unmonetized tracks.

Despite pleading guilty, both defendants face a multi-year stint in prison. Teran will be the first to be sentenced and this week, the defendant and the prosecution announced their respective positions. According to the defense, Teran wasn't the lead of the operation. As an aspiring musician he looked up to his co-defendant, who is portrayed as the brains behind the operation. [...] Teran and Batista at one point had between five and eight people working for them. These employees used special software to find unmonetized music which they would then add to their catalog, to exploit YouTube's Content ID system. "Defendant, Jose Teran, engaged in a concerted effort -- over nearly five years -- to steal royalty proceeds from approximately 50,000 song titles, causing a loss of more than $23,000,000.00," the prosecution writes (PDF). "A 70-month sentence is undoubtedly substantial but given Mr. Teran's conduct and the need to deter future fraud, it is entirely warranted," the Government's sentencing memorandum concludes.

China

Declassified US Intelligence: Still No Evidence for Covid 'Lab Leak' Theory (reuters.com)

Reuters reports: U.S. intelligence agencies found no direct evidence that the COVID-19 pandemic stemmed from an incident at China's Wuhan Institute of Virology, a report declassified on Friday said.

America's Director of National Intelligence was responding to March legislation requiring declassification (within 90 days) of any information on possible links between the Wuhan Institute of Virology (or "WIV") and the origin of the COVID-19 pandemic. One key finding in the just-released report?

"We continue to have no indication that the Wuhan Institute of Virology's pre-pandemic research holdings included SARS-CoV-2 or a close progenitor, nor any direct evidence that a specific research-related incident occurred involving WIV personnel before the pandemic that could have caused the COVID pandemic." The information available to the U.S. Intelligence Community "indicates that the WIV first possessed SARS-CoV-2 in late December 2019, when WIV researchers isolated and identified the virus from samples from patients diagnosed with pneumonia of unknown causes."

And in addition, "All Intelligence Community agencies assess that SARS-CoV-2 was not developed as a biological weapon."

Beyond that, the report also emphasizes that "Almost all Intelligence Community agencies assess that SARS-CoV-2 was not genetically engineered," adding "Most agencies assess that SARS-CoV-2 was not laboratory-adapted; some are unable to make a determination." The National Intelligence Council and four other Intelligence Community agencies assess that the initial human infection with SARS-CoV-2 most likely was caused by natural exposure to an infected animal that carried SARS-CoV-2 or a close progenitor, a virus that probably would be more than 99 percent similar to SARS-CoV-2...

The Central Intelligence Agency and another agency remain unable to determine the precise origin of the COVID-19 pandemic, as both hypotheses rely on significant assumptions or face challenges with conflicting reporting.

The only two outliers appear to be the Department of Energy, which gives "low confidence" support to the lab-leak theory, and the FBI (whose Trump-appointed director "said he couldn't share many details of the agency's assessment because they were classified.")

Addressing rumors online, the report notes that the lab has performed public health-related research with the army, such as work on vaccines and therapeutics. This included working "with several viruses, including coronaviruses, but no known viruses that could plausibly be a progenitor of SARS-CoV-2."

And while several researchers were ill in the fall of 2019, their symptoms "were consistent with but not diagnostic of COVID-19... [T]he researchers' symptoms could have been caused by a number of diseases and some of the symptoms were not consistent with COVID-19... [T]hey experienced a range of symptoms consistent with colds or allergies with accompanying symptoms typically not associated with COVID-19, and some of them were confirmed to have been sick with other illnesses unrelated to COVID-19." And there's no indication any of them were ever hospitalized for COVID-19 symptoms.

EU

US Vendor Accused of Violating GDPR By Reputation-Scoring EU Citizens (theregister.com)

TeleSign, a U.S.-based fraud prevention company, has allegedly collected data from millions of EU citizens and processed it in the United States using automated tools without their knowledge. The complaint "alleges that TeleSign is in violation of the GDPR's provisions that ban use of automated profiling tools, as well as rules that require affirmative consent be given to process EU citizen's data," reports The Register. From the report: The complaint was filed by Austrian privacy advocacy group noyb, helmed by lawyer Max Schrems, and it doesn't pull any punches in its claims that TeleSign, through its former Belgian parent company BICS, secretly collected data on cellphone users around the world. That data, noyb alleges, was fed into an automated system that generates "reputation scores" that TeleSign sells to its customers, which includes TikTok, Salesforce, Microsoft and AWS, among others, for verifying the identity of a person behind a phone number and preventing fraud.

BICS, which acquired TeleSign in 2017, describes itself as "a global provider of international wholesale connectivity and interoperability services," in essence operating as an interchange for various national cellular networks. Per noyb, BICS operates in more than 200 countries around the world and "gets detailed information (e.g. the regularity of completed calls, call duration, long-term inactivity, range activity, or successful incoming traffic) [on] about half of the worldwide mobile phone users." That data is regularly shared with TeleSign, noyb alleges, without any notification to the customers whose data is being collected and used. "Your phone provider likely forwards data to BICS who then forwards it to TeleSign. TeleSign generates a 'trust score' about you and sells phone data to third parties like Microsoft, Salesforce or TikTok -- without anyone being informed or giving consent," Schrems said. [...]

When BICS acquired TeleSign in 2017, it began to fall under the partial control of BICS' parent company, Belgian telecom giant Proximus. Proximus held a partial stake in BICS, which Proximus spun off from its own operations in 1997. In 2021, Proximus bought out BICS' other shareholders, making it the sole owner of both the telecom interchange and TeleSign. With that in mind, noyb is also leveling charges against Proximus and BICS. In its complaint, noyb said Proximus was asked by EU citizens from various countries to provide records of the data TeleSign processed, as is their right under Article 15 of the GDPR. [...] Noyb is seeking cessation of all data transfers from BICS to TeleSign, processing of said data, and is requesting deletion of all unlawfully transmitted data. It's also asking for Belgian data protection authorities to fine Proximus, which noyb said could reach as high as $257 million -- a mere 4 percent of Proximus's global turnover.

The Courts

Two Lawyers Fined For Submitting Fake Court Citations From ChatGPT

An anonymous reader quotes a report from The Guardian: A US judge has fined two lawyers and a law firm $5,000 after fake citations generated by ChatGPT were submitted in a court filing. A district judge in Manhattan ordered Steven Schwartz, Peter LoDuca and their law firm Levidow, Levidow & Oberman to pay the fine after fictitious legal research was used in an aviation injury claim. Schwartz had admitted that ChatGPT, a chatbot that churns out plausible text responses to human prompts, invented six cases he referred to in a legal brief in a case against the Colombian airline Avianca.

The judge P Kevin Castel said in a written opinion there was nothing "inherently improper" about using artificial intelligence for assisting in legal work, but lawyers had to ensure their filings were accurate. "Technological advances are commonplace and there is nothing inherently improper about using a reliable artificial intelligence tool for assistance," Castel wrote. "But existing rules impose a gatekeeping role on attorneys to ensure the accuracy of their filings." The judge said the lawyers and their firm "abandoned their responsibilities when they submitted nonexistent judicial opinions with fake quotes and citations created by the artificial intelligence tool ChatGPT, then continued to stand by the fake opinions after judicial orders called their existence into question."

Levidow, Levidow & Oberman said in a statement on Thursday that its lawyers "respectfully" disagreed with the court that they had acted in bad faith. "We made a good-faith mistake in failing to believe that a piece of technology could be making up cases out of whole cloth," it said.

The Courts

Coinbase Wins at Supreme Court as Ruling Reinforces Arbitration (bloomberg.com)

The US Supreme Court sided with a Coinbase unit in a ruling that reinforces the ability of companies to channel customer and employee disputes into arbitration. From a report: The justices, voting 5-4, ruled that lawsuits filed in federal court must be put on hold while a defendant presses an appeal that would send the case to arbitration. Writing for the court, Justice Brett Kavanaugh said allowing district courts to move forward as the appeal is ongoing would reduce the benefits of arbitration. "If the district court could move forward with pre-trial and trial proceedings while the appeal on arbitrability was ongoing, then many of the asserted benefits of arbitration (efficiency, less expense, less intrusive discovery, and the like) would be irretrievably lost," Kavanaugh wrote. Business groups rallied behind Coinbase in the case, saying that letting litigation go forward would impose unnecessary costs. Consumer advocates said judges should have the discretion to decide which claims should proceed during appeal, as courts do with other areas of the law. Coinbase is battling claims by Abraham Bielski, who said the crypto company should compensate him for $31,000 he lost after he gave a scammer remote access to his account. In a second suit that was before the high court, Coinbase is accused of holding a $1.2 million Dogecoin sweepstakes without adequately disclosing that entrants didn't have to buy or sell the cryptocurrency.

Security

SMS Phishers Harvested Phone Numbers, Shipment Data From UPS Tracking Tool (krebsonsecurity.com)

An anonymous reader quotes a report from KrebsOnSecurity: The United Parcel Service (UPS) says fraudsters have been harvesting phone numbers and other information from its online shipment tracking tool in Canada to send highly targeted SMS phishing (a.k.a. "smishing") messages that spoofed UPS and other top brands. The missives addressed recipients by name, included details about recent orders, and warned that those orders wouldn't be shipped unless the customer paid an added delivery fee. In a snail mail letter sent this month to Canadian customers, UPS Canada Ltd. said it is aware that some package recipients have received fraudulent text messages demanding payment before a package can be delivered, and that it has been working with partners in its delivery chain to try to understand how the fraud was occurring.

"During that review, UPS discovered a method by which a person who searched for a particular package or misused a package look-up tool could obtain more information about the delivery, potentially including a recipient's phone number," the letter reads. "Because this information could be misused by third parties, including potentially in a smishing scheme, UPS has taken steps to limit access to that information." The written notice goes on to say UPS believes the data exposure "affected packages for a small group of shippers and some of their customers from February 1, 2022 to April 24, 2023." [...]

In a statement provided to KrebsOnSecurity, Sandy Springs, Ga. based UPS [NYSE:UPS] said the company has been working with partners in the delivery chain to understand how that fraud was being perpetrated, as well as with law enforcement and third-party experts to identify the cause of this scheme and to put a stop to it. "Law enforcement has indicated that there has been an increase in smishing impacting a number of shippers and many different industries," reads an email from Brian Hughes, director of financial and strategy communications at UPS. "Out of an abundance of caution, UPS is sending privacy incident notification letters to individuals in Canada whose information may have been impacted," Hughes said. "We encourage our customers and general consumers to learn about the ways they can stay protected against attempts like this by visiting the UPS Fight Fraud website."

Transportation

Ford Gets $9.2 Billion To Help US Catch Up With China's EV Dominance (bloomberg.com) 82

The US government is providing a conditional $9.2 billion loan to Ford for the construction of three battery factories, the largest government backing for a US automaker since the 2009 financial crisis. "The enormous loan [...] marks a watershed moment for President Joe Biden's aggressive industrial policy meant to help American manufacturers catch up to China in green technologies," reports Bloomberg. From the report: The new factories that will eventually supply Ford's expansion into electric vehicles are already under construction in Kentucky and Tennessee through a joint venture called BlueOval SK, owned by the Michigan automaker and South Korean battery giant SK On Co. Ford plans to make as many as 2 million EVs by 2026, a huge increase from the roughly 132,000 it produced last year. The three-factory buildout by BlueOval plus an adjacent Ford EV assembly unit have an estimated price tag of $11.4 billion. BlueOval was previously awarded subsidies by both state governments. That means taxpayers would be providing low-interest financing for almost all of the cost.

Ford's cars and SUVs made with domestic batteries will also be eligible for billions of dollars in incentives embedded in the Inflation Reduction Act's $370 billion in clean-energy funding, part of the historic climate measure narrowly passed into law about a year ago. The US government will subsidize manufacturing of batteries, and buyers could qualify for additional tax rebates of up to $7,500 per vehicle.

The rush of incentives, government lending and private-sector investment has led to a manufacturing boom in the wake of the IRA. More than 100 battery and electric-vehicle production projects are announced or already under construction in the US, representing about $200 billion in total investments. "Not since the advent of the auto industry 100 years ago have we seen an investment like that," says Gary Silberg, KPMG's global automotive sector leader.

Crime

LexisNexis Is Selling Your Personal Data To ICE So It Can Try To Predict Crimes (theintercept.com) 43

An anonymous reader quotes a report from The Intercept: The legal research and public records data broker LexisNexis is providing U.S. Immigration and Customs Enforcement with tools to target people who may potentially commit a crime -- before any actual crime takes place, according to a contract document obtained by The Intercept. LexisNexis then allows ICE to track the purported pre-criminals' movements. The unredacted contract overview provides a rare look at the controversial $16.8 million agreement between LexisNexis and ICE, a federal law enforcement agency whose surveillance of and raids against migrant communities are widely criticized as brutal, unconstitutional, and inhumane.

"The purpose of this program is mass surveillance at its core," said Julie Mao, an attorney and co-founder of Just Futures Law, which is suing LexisNexis over allegations it illegally buys and sells personal data. Mao told The Intercept the ICE contract document, which she reviewed for The Intercept, is "an admission and indication that ICE aims to surveil individuals where no crime has been committed and no criminal warrant or evidence of probable cause." While the company has previously refused to answer any questions about precisely what data it's selling to ICE or to what end, the contract overview describes LexisNexis software as not simply a giant bucket of personal data, but also a sophisticated analytical machine that purports to detect suspicious activity and scrutinize migrants -- including their locations.

The document, a "performance of work statement" made by LexisNexis as part of its contract with ICE, was obtained by journalist Asher Stockler through a public records request and shared with The Intercept. LexisNexis Risk Solutions, a subsidiary of LexisNexis's parent company, inked the contract with ICE, a part of the Department of Homeland Security, in 2021. The document reveals that over 11,000 ICE officials, including within the explicitly deportation-oriented Enforcement and Removal Operations branch, were using LexisNexis as of 2021. "This includes supporting all aspects of ICE screening and vetting, lead development, and criminal analysis activities," the document says. In practice, this means ICE is using software to "automate" the hunt for suspicious-looking blips in the data, or links between people, places, and property. It is unclear how such blips in the data can be linked to immigration infractions or criminal activity, but the contract's use of the term "automate" indicates that ICE is to some extent letting computers make consequential conclusions about human activity. The contract further notes that the LexisNexis analysis includes "identifying potentially criminal and fraudulent behavior before crime and fraud can materialize." (ICE did not respond to a request for comment.)

"LexisNexis Risk Solutions prides itself on the responsible use of data, and the contract with the Department of Homeland Security encompasses only data allowed for such uses," said LexisNexis spokesperson Jennifer Richman. She says the company's work with ICE doesn't violate the law or federal policy.
