United States

New York Could Become First State With a 'Right To Repair' Law for Electronic Devices (spectrumlocalnews.com)

After passing with near unanimous support in both houses of the state Legislature, a bill that would allow New Yorkers to repair their electronic devices is ready to become law as it awaits Gov. Kathy Hochul's signature. From a report: The bill's sponsor in the Assembly, Assemblywoman Pat Fahy of Albany, said the bill would create a system like the one we use for cars, but for the electronic devices we use each day.

The bill, known as "Right to Repair," would force companies to provide tools and parts for independent repair shops or individuals to repair devices like cell phones. Opponents of the legislation have cited safety and cybersecurity threats as their issues with the legislation. Supporters of the bill, including Fahy, said the bill will allow for economic growth in this sector and could help the "tinkerers of today" become the "inventors of the future." The Federal Trade Commission has called the bill a milestone and has said it does not harm intellectual property rights.

Encryption

How Privacy-Enhancing Technologies Are Fulfilling Cryptography's Potential (theguardian.com)

Here's the Guardian's report on new cryptographic techniques where "you can share data while keeping that data private" — known by the umbrella term "privacy-enhancing technologies" (or "Pets"). They offer opportunities for data holders to pool their data in new and useful ways. In the health sector, for example, strict rules prohibit hospitals from sharing patients' medical data. Yet if hospitals were able to combine their data into larger datasets, doctors would have more information, which would enable them to make better decisions on treatments. Indeed, a project in Switzerland using Pets has since June allowed medical researchers at four independent teaching hospitals to conduct analysis on their combined data of about 250,000 patients, with no loss of privacy between institutions. Juan Troncoso, co-founder and CEO of Tune Insight, which runs the project, says: "The dream of personalised medicine relies on larger and higher-quality datasets. Pets can make this dream come true while complying with regulations and protecting people's privacy rights. This technology will be transformative for precision medicine and beyond."

The past couple of years have seen the emergence of dozens of Pet startups in advertising, insurance, marketing, machine learning, cybersecurity, fintech and cryptocurrencies. According to research firm Everest Group, the market for Pets was $2bn last year and will grow to more than $50bn in 2026. Governments are also getting interested. Last year, the United Nations launched its "Pet Lab", which was nothing to do with the welfare of domestic animals, but instead a forum for national statistical offices to find ways to share their data across borders while protecting the privacy of their citizens.

Jack Fitzsimons, founder of the UN Pet Lab, says: "Pets are one of the most important technologies of our generation. They have fundamentally changed the game, because they offer the promise that private data is only used for its intended purposes...." The emergence of applications has driven the theory, which is now sufficiently well developed to be commercially viable. Microsoft, for example, uses fully homomorphic encryption when you register a new password: the password is encrypted and then sent to a server which checks whether or not that password is in a list of passwords that have been discovered in data breaches, without the server being able to identify your password. Meta, Google and Apple have also over the last year or so been introducing similar tools to some of their products.

The article offers quick explanations of zero-knowledge proofs, secure multiparty computation, and fully homomorphic encryption (which allows the performance of analytics on data by a second party who never reads the data or learns the result).

And "In addition to new cryptographic techniques, Pets also include advances in computational statistics such as 'differential privacy', an idea from 2006 in which noise is added to results in order to preserve the privacy of individuals."

Crime

Could Data Destruction + Exfiltration Replace Ransomware? (esecurityplanet.com)

Slashdot reader storagedude writes: Ransomware groups have been busy improving their data exfiltration tools, and with good reason: As ransomware decryption fails to work most of the time, victims are more likely to pay a ransom to keep their stolen data from being publicly leaked.

But some security researchers think the trend suggests that ransomware groups may change their tactics entirely and abandon ransomware in favor of a combined approach of data destruction and exfiltration, stealing the data before destroying it and any backups, thus leaving the stolen copy of the data as the only hope for victims to recover their data. After all, if ransomware just destroys data anyway, why waste resources developing it?

"With data exfiltration now the norm among threat actors, developing stable, secure, and fast ransomware to encrypt files is a redundant and costly endeavor compared to corrupting files and using the exfiltrated copies as the means of data recovery," Cyderes researchers wrote after analyzing an attack last month.

"Eliminating the step of encrypting the data makes the process faster and eliminates the risk of not getting the full payout, or that the victim will find other ways to decrypt the data," they added. "Data destruction is rumored to be where ransomware is going to go, but we haven't actually seen it in the wild. During a recent incident response, however, Cyderes and Stairwell discovered signs that threat actors are actively in the process of staging and developing this capability."

That incident – involving BlackCat/ALPHV ransomware – turned up an exfiltration tool with hardcoded sftp credentials that was analyzed by Stairwell's Threat Research Team, which found partially-implemented data destruction functionality.

"The use of data destruction by affiliate-level actors in lieu of RaaS deployment would mark a large shift in the data extortion landscape and would signal the balkanization of financially-motivated intrusion actors currently working under the banners of RaaS affiliate programs," the Stairwell researchers wrote.

Cellphones

Samsung Privacy-Protecting Maintenance Mode Is Coming To Galaxy S22s Worldwide (theverge.com)

Samsung is starting to roll out a "Maintenance Mode" feature for its phones that's designed to keep your messages, photos, info, and accounts safe when you're getting your phone repaired. The Verge reports: According to Samsung's press release, Maintenance Mode basically creates a separate user account that will let someone access "core functions" of the phone without being able to see any of your data. That means a repair tech will still be able to test your phone, but you won't have to worry about them seeing anything they shouldn't. Once you get your phone back, you can unlock it to turn off Maintenance Mode, which will also undo anything that was done while the phone was being repaired (e.g., test photos will be erased, new apps will be uninstalled, and settings changes will be reversed).

Samsung says the feature will be "gradually rolling out over the next few months" to select phones running the Android 13-based One UI 5 -- if you want an idea of when your phone might be getting that update, check out this article. It'll also roll out to "more Galaxy devices" throughout next year. The company does warn, however, that the "timing of availability may vary by market, model and network provider," as updates can take a while to filter through carriers.

Google

Google Can Now Remove Your Identifying Search Results, If They're the Right Kind (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Google has been pushing out a tool for removing personally identifiable information -- or doxxing content -- from its search results. It's a notable step for a firm that has long resisted individual moderation of search content, outside of broadly harmful or copyright-violating material. But whether it works for you or not depends on many factors. As with almost all Google features and products, you may not immediately have access to Google's new removal process. If you do, though, you should be able to click the three dots next to a web search result (while signed in), or in a Google mobile app, to pull up "About this result." Among the options you can click at the bottom of a pop-up is "Remove result." Take note, though, that this button is much more intent than immediate action -- Google suggests a response time of "a few days."

Google's blog post about this tool, updated in late September, notes that "Starting early next year," you can request regular alerts for when your personal identifying information (PII) appears in new search results, allowing for quicker reporting and potential removal. I took a trial run through the process by searching my name and a relatively recent address on Google, then reporting it. The result I reported was from a private company that, while putting on the appearance of only posting public or Freedom of Information Act-obtained records, places those records next to links that send you to the site's true owner, initiating a "background check" or other tracking services for a fee.

The first caveat Google carves out in its blog post is whether the page your information appears on also contains "other information that is broadly useful, for instance in news articles." So if your information is appearing because a newspaper or other publication regularly publishes, for example, lists of real estate transactions, Google isn't likely to take that page down. Google then notes that removing your info from a Google search "doesn't remove it from the web," so they suggest a help page they've compiled for contacting a site webmaster about removal. In other words, if Google can see a page with your information on it, so can Bing, DuckDuckGo, and other web-indexing search sites, so removing the original page is important. You could then request Google remove its own indexed result once the webmaster acts through an "outdated information" removal request. [...] Google notes that it generally aims to preserve search results if "the content is determined to be of public interest." This includes "Content on or from government and other official sources," and newsworthy and professionally relevant content.

There's a different case for doxxing, notes Ars Technica's Kevin Purdy. "If there is an 'explicit or implicit threat,' or 'calls to action for others to harm or harass,' that can make the removal easier under Google's doxxing policy, initiated in May."

Privacy

Square Sells Access To Your Inbox. No One Seems To Know If the Law Cares. (protocol.com)

An anonymous reader shares a report: I wanted to know how all these merchants had gotten my professional contact info. What I discovered was both unsurprising in today's world of relentless online marketing and aggressive consumer data sharing, and also a bit disquieting. It also had less to do with these small shops than I might have expected: Square's parent company, Block, was selling access to customers' inboxes, even if all we do is elect to receive a receipt from a single transaction (more on that below). Privacy experts said selling marketing information in this way clearly falls short of best privacy practices. And while it doesn't appear to violate data protection laws, the practice is walking a fine line.

"They're trying to solve for a lot of different nuances whilst trying to serve their objective and their merchant objective, which is keeping as many people opted in as possible," said Sucharita Kodali, a vice president and retail analyst at Forrester. Experts also told Protocol the situation seems to highlight how Block, as well as other payment processors and fintech platforms, operate in a bit of a privacy gray zone. Sometimes that gray zone leaves no one in charge of consumers' data rights, and sometimes it means the companies, deep within their terms of service, have legal loopholes that give them room to use our information in ways we might not expect.

The Courts

New Zealand Uber Drivers Win Landmark Case Declaring Them Employees (theguardian.com)

An anonymous reader quotes a report from the Guardian: A group of New Zealand Uber drivers have won a landmark case against the global ridesharing company, forcing it to treat them as employees, not contractors, and entitling them to a suite of worker rights and protections. New Zealand's employment court ruled on Tuesday that the drivers were employees, not independent contractors. While the ruling applies specifically to the case of four drivers, the court noted that it may have wider implications for drivers across the country. The court "does not have jurisdiction to make broader declarations of employment status" so all Uber drivers "do not, as a result of this judgment, instantly become employees," chief judge Christina Inglis wrote. She continued, however: "It may well have broader impact, particularly where, as here, there is apparent uniformity in the way in which the companies operate, and the framework under which drivers are engaged."

Employment status is the bedrock on which most of New Zealand's minimum employment rights rest. It is "the gate through which a worker must pass" before they can access legal minimum entitlements including the minimum wage, six minimum hours of work, rest and meal breaks, holidays, parental leave, domestic violence leave, bereavement leave, ability to pursue a personal grievance, and access to union membership and collective bargaining.

A spokesperson for Uber said the company was "disappointed" and would be appealing against the decision. They said it was "too soon to speculate" on whether New Zealand's drivers having employee status would affect the company's operations in the country more broadly.

United Kingdom

Rishi Sunak Is the First Crypto Enthusiast To Serve In UK's Top Office

Gizmodo points out that the United Kingdom's next prime minister, Rishi Sunak, "is a certified Crypto Bro who once requested that the Royal Mint issue an NFT." From the report: During his tenure as finance minister under former PM Boris Johnson, Sunak was in charge of advancing a number of crypto-related initiatives that sought to normalize digital currencies and integrate them into the British economy. By all accounts, he is the first crypto enthusiast to serve in the UK's top office. He's also the first person of color and the youngest PM -- 42 years old -- that Britain's had in 200 years. To be fair, Sunak's efforts at crypto promotion have at least trended towards regulation and taxation as opposed to total laissez faire deregulated madness -- though those efforts could, ultimately, simply normalize a phenomenon that critics say is redundant at best and a privacy hazard at worst. In April, Sunak announced a series of programs to turn the UK into what he called a "global cryptoasset technology hub." Among the initiatives announced at the time was a plan to integrate stablecoins into the national payment system, thus "paving their way for use in the UK as a recognized form of payment." Considered to be the least volatile form of cryptocurrency, stablecoins have seen more interest by governments than other forms of crypto -- though projects like Terra and Tether have shown the potential danger in putting too much faith in the assets' stability.

Sunak's plans also suggested creating additional regulations that would've helped further incorporate crypto into the UK's economic and legal framework, thus spurring greater investment in the space. "The measures we've outlined today will help to ensure firms can invest, innovate and scale up in this country," Sunak wrote in a press release published at the time. Another ambitious initiative pushed by Sunak was the Financial Services and Markets Bill, a piece of legislation that would give local governments in Britain broad discretion to regulate cryptocurrencies, thus further assimilating them into the nation's economy. The bill, which has not yet passed, is currently being looked at by Parliament.

At the same time, Sunak also recently backed a study to look at the potential benefits of creating a central bank digital currency (CBDC), or "Britcoin" as he dubbed it. Proponents of CBDCs argue that they could have benefits for spenders, making payments "faster, cheaper, and more secure," as one op-ed puts it. However, critics argue that they are unnecessary and could ultimately spell huge privacy troubles, given the trackable nature of crypto and digital currencies. Despite his crypto track record, analysts have suggested that it is unlikely Sunak will have time to focus much on any web3-related initiatives in the near term. Given Britain's current economic dumpster fire, any work on "Britcoin" might have to take a backseat.

Privacy

Passkeys Are Finally Here (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: Generically, passkeys refer to various schemes for storing authenticating information in hardware, a concept that has existed for more than a decade. What's different now is that Microsoft, Apple, Google, and a consortium of other companies have unified around a single passkey standard shepherded by the FIDO Alliance. Not only are passkeys easier for most people to use than passwords; they are also completely resistant to credential phishing, credential stuffing, and similar account takeover attacks.

On Monday, PayPal said US-based users would soon have the option of logging in using FIDO-based passkeys, joining Kayak, eBay, Best Buy, CardPointers, and WordPress as online services that will offer the password alternative. In recent months, Microsoft, Apple, and Google have all updated their operating systems and apps to enable passkeys. Passkey support is still spotty. Passkeys stored on iOS or macOS will work on Windows, for instance, but the reverse isn't yet available. In the coming months, all of that should be ironed out, though.

Passkeys work almost identically to the FIDO authenticators that allow us to use our phones, laptops, computers, and Yubico or Feitian security keys for multi-factor authentication. Just like the FIDO authenticators stored on these MFA devices, passkeys are invisible and integrate with Face ID, Windows Hello, or other biometric readers offered by device makers. There's no way to retrieve the cryptographic secrets stored in the authenticators short of physically dismantling the device or subjecting it to a jailbreak or rooting attack. Even if an adversary was able to extract the cryptographic secret, they still would have to supply the fingerprint, facial scan, or -- in the absence of biometric capabilities -- the PIN that's associated with the token. What's more, hardware tokens use FIDO's Cross-Device Authentication flow, or CTAP, which relies on Bluetooth Low Energy to verify the authenticating device is in close physical proximity to the device trying to log in.

"Users no longer need to enroll each device for each service, which has long been the case for FIDO (and for any public key cryptography)," said Andrew Shikiar, FIDO's executive director and chief marketing officer. "By enabling the private key to be securely synced across an OS cloud, the user needs to only enroll once for a service, and then is essentially pre-enrolled for that service on all of their other devices. This brings better usability for the end-user and -- very significantly -- allows the service provider to start retiring passwords as a means of account recovery and re-enrollment."

In other words: "Passkeys just trade WebAuthn cryptographic keys with the website directly," says Ars Review Editor Ron Amadeo. "There's no need for a human to tell a password manager to generate, store, and recall a secret -- that will all happen automatically, with way better secrets than what the old text box supported, and with uniqueness enforced."

If you're eager to give passkeys a try, you can use this demo site created by security company Hanko.

Japan

Japan Steps Up Push To Get Public Buy-in To Digital IDs (apnews.com)

Japan has stepped up its push to catch up on digitization by telling a reluctant public they have to sign up for digital IDs or possibly lose access to their public health insurance. From a report: As the naming implies, the initiative is about assigning numbers to people, similar to Social Security numbers in the U.S. Many Japanese worry the information might be misused or that their personal information might be stolen. Some view the My Number effort as a violation of their right to privacy. So the system that kicked off in 2016 has never fully caught on. Fax machines are still commonplace, and many Japanese conduct much of their business in person, with cash. Some bureaucratic procedures can be done online, but many Japanese offices still require "inkan," or seals for stamping, for identification, and insist on people bringing paper forms to offices.

Now the government is asking people to apply for plastic My Number cards equipped with microchips and photos, to be linked to drivers licenses and the public health insurance plans. Health insurance cards now in use, which lack photos, will be discontinued in late 2024. People will be required to use My Number cards instead. That has drawn a backlash, with an online petition demanding a continuation of the current health cards drawing more than 100,000 signatures in a few days.

Government

Google's Eric Schmidt Helped Write AI Laws Without Disclosing Investments In AI Startups (cnbc.com)

An anonymous reader quotes a report from CNBC: About four years ago, former Google CEO Eric Schmidt was appointed to the National Security Commission on Artificial Intelligence by the chairman of the House Armed Services Committee. It was a powerful perch. Congress tasked the new group with a broad mandate: to advise the U.S. government on how to advance the development of artificial intelligence, machine learning and other technologies to enhance the national security of the United States. The mandate was simple: Congress directed the new body to advise on how to enhance American competitiveness on AI against its adversaries, build the AI workforce of the future, and develop data and ethical procedures.

In short, the commission, which Schmidt soon took charge of as chairman, was tasked with coming up with recommendations for almost every aspect of a vital and emerging industry. The panel did far more under his leadership. It wrote proposed legislation that later became law and steered billions of dollars of taxpayer funds to an industry he helped build -- and that he was actively investing in while running the group. If you're going to be leading a commission that is steering the direction of government AI and making recommendations for how we should promote this sector and scientific exploration in this area, you really shouldn't also be dipping your hand in the pot and helping yourself to AI investments. His credentials, however, were impeccable given his deep experience in Silicon Valley, his experience advising the Defense Department, and a vast personal fortune estimated at about $20 billion.

Five months after his appointment, Schmidt made a little-noticed private investment in an initial seed round of financing for a startup company called Beacon, which uses AI in the company's supply chain products for shippers who manage freight logistics, according to CNBC's review of investment information in database Crunchbase. There is no indication that Schmidt broke any ethics rules or did anything unlawful while chairing the commission. The commission was, by design, an outside advisory group of industry participants, and its other members included well-known tech executives including Oracle CEO Safra Catz, Amazon Web Services CEO Andy Jassy and Microsoft Chief Scientific Officer Dr. Eric Horvitz, among others. Schmidt's investment was just the first of a handful of direct investments he would make in AI startup companies during his tenure as chairman of the AI commission.

"Venture capital firms financed, in part, by Schmidt and his private family foundation also made dozens of additional investments in AI companies during Schmidt's tenure, giving Schmidt an economic stake in the industry even as he developed new regulations and encouraged taxpayer financing for it," adds CNBC. "Altogether, Schmidt and entities connected to him made more than 50 investments in AI companies while he was chairman of the federal commission on AI. Information on his investments isn't publicly available."

"All that activity meant that, at the same time Schmidt was wielding enormous influence over the future of federal AI policy, he was also potentially positioning himself to profit personally from the most promising young AI companies." Citing people close to Schmidt, the report says his investments were disclosed in a private filing to the U.S. government at the time and the public and news media had no access to that document.

A spokesperson for Schmidt told CNBC that he followed all rules and procedures in his tenure on the commission. "Eric has given full compliance on everything," the spokesperson said.

China

Huawei Investigation Was Targeted by Chinese Spies, US Alleges (bloomberg.com)

The US unsealed charges claiming two Chinese intelligence officers tried to obstruct a criminal investigation of Huawei, and alleged others were working on behalf of a "foreign power" to try to procure technology and recruit spies. Bloomberg reports: The charges were part of a series of recently unsealed cases the Justice Department announced Monday that officials said had disrupted criminal activity being conducted by the People's Republic of China. Ten of the 13 individuals charged were Chinese intelligence individuals, according to FBI Director Chris Wray. Deputy Attorney General Lisa Monaco added that the case involving alleged obstruction of a US probe of a telecommunications company -- which the DOJ wouldn't identify -- exposes the connection between the Chinese government and its companies. She said the telecom giant tried to "unlawfully gain an edge" to undermine the US investigation, and shows why Chinese companies shouldn't be trusted to handle the personal data of Americans.

In a complaint made public Monday, the US claims Guochun He and Zheng Wang worked on behalf of the Chinese government to target the US, from 2019 until the present, for the benefit of the company. A person familiar with the matter confirmed it is Huawei. The US claims He and Wang bribed a law enforcement employee to provide what they believed was confidential information about witnesses, evidence and possible additional charges to be filed against the technology giant. He paid the employee $61,000 in Bitcoin, according to the criminal complaint. In a separate action, four people were charged in federal court in New Jersey with conspiracy to act as an illegal agent of a foreign government. The conspiracy allegedly involved Chinese intelligence officers posing as academics to recruit US law enforcement workers and others in seeking help procuring fingerprint technology and equipment for the US. They also allegedly pressured one former official to stop protests in the US along the 2008 Olympic torch route, according to court filings.

In addition, the Justice Department announced that seven people from China were charged in an indictment unsealed in the Eastern District of New York last week with conspiring to harass a Chinese citizen living in the US in hopes of causing the person to return. The actions were allegedly part of an effort by China, called "Operation Fox Hunt," to force the repatriation of alleged fugitives living in other countries. In the case involving the Huawei probe, the complaint includes conversations between He and Wang and a US government employee working as a double agent under supervision of the Federal Bureau of Investigation. They were using an encrypted messaging program that is not identified.

Security

PayPal is Getting More Secure Passkey Logins (theverge.com)

PayPal has announced today that passkeys are being added as a new, password-less login method to secure PayPal accounts for iPhone, iPad, and Mac users on PayPal.com, with plans to expand passkeys to other platforms as they add support. From a report: PayPal passkeys are rolling out to US customers today and will be available to "additional countries" in early 2023. Passkeys are a new type of login credential that replaces passwords with cryptographic key pairs. They are resistant to phishing attempts and are designed to avoid sharing passkey data between platforms, addressing the weakness of current password-based authentication.

Passkeys are supported by Apple, Google, and Microsoft, who have pledged to bring the FIDO Alliance standard to their respective OSes. Reusing passwords across online accounts leaves users open to hacking and other vulnerabilities, but remembering individual login details is no easy task without a secure password manager. A study from Verizon shows that over 2.6 billion records were hacked in 2017, with 81 percent estimated to have been caused by password stealing and guessing.

Australia

Australia To Toughen Privacy Laws With Huge Hike in Penalties for Breaches (techcrunch.com)

Australia has confirmed an incoming legislative change will significantly strengthen its online privacy laws following a spate of data breaches in recent weeks -- such as the Optus telco breach last month. From a report: "Unfortunately, significant privacy breaches in recent weeks have shown existing safeguards are inadequate. It's not enough for a penalty for a major data breach to be seen as the cost of doing business," said its attorney-general, Mark Dreyfus, in a statement at the weekend. "We need better laws to regulate how companies manage the huge amount of data they collect, and bigger penalties to incentivise better behaviour."

The changes will be made via an amendment to the country's privacy laws, following a long process of consultation on reforms. Dreyfus said the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 will increase the maximum penalties that can be applied under the Privacy Act 1988 for serious or repeated privacy breaches from the current AUS $2.22 million (~$1.4M) penalty to whichever is the greater of:
AUS $50 million (~$32M);
3x the value of any benefit obtained through the misuse of information; or
30% of a company's adjusted turnover in the relevant period.

Canada

Facebook Warns It Could Block News in Canada Over Proposed Legislation (theverge.com)

The Verge says Facebook "might ban news sharing in Canada if the country passes legislation forcing the company to pay news outlets for their content." They cite a post Friday from Facebook's parent company Meta, and a recent report in the Wall Street Journal. If this type of law sounds familiar, it's because Australia introduced a similar one last year, called the News Media Bargaining Code, which also requires Facebook and Google to pay for news included on the platforms. Although Australia eventually passed the law, it wasn't without significant pushback from Facebook and Google. Facebook switched off news sharing in the country in response, and Google threatened to pull its search engine from the country.

While Google later walked back on its plans after striking deals with media organizations, Facebook reversed its news ban only after Australia amended its legislation. Facebook's temporary ban not only affected news outlets but also ripped down posts from government agencies, like local fire and health departments. Earlier this year, a group of Facebook whistleblowers claimed the move was a negotiation tactic, alleging Facebook used an overly broad definition of what's considered a news publisher to cause chaos in the country. The company maintains the disorder was "inadvertent."

Now Facebook's prepared to put a block on news in Canada if the country doesn't change its legislation....

"If this draft legislation becomes law, creating globally unprecedented forms of financial liability for news links or content, we may be forced to consider whether we continue to allow the sharing of news content on Facebook in Canada as defined under the Online News Act," Meta states.

Facebook

Report that Indian Official Tampers With Instagram Posts Retracted By 'The Wire' (engadget.com) 9

Engadget writes: After nearly three weeks of escalating rhetoric, The Wire is retracting its reporting on Meta.

On Sunday, the nonprofit publication said it had discovered "certain discrepancies" with the material that had informed its reporting on the social media giant since October 6th. "The Wire believes it is appropriate to retract the stories," the outlet said, pointing to the fact it could not authenticate two emails that were critical to its previous coverage of Meta. One of the emails The Wire said it could not verify includes a message the outlet had attributed to Meta spokesperson Andy Stone.

"Our investigation, which is ongoing, does not as yet allow us to take a conclusive view about the authenticity and bona fides of the sources with whom a member of our reporting team says he has been in touch over an extended period of time," The Wire said. "We are still reviewing the entire matter, including the possibility that it was deliberately sought to misinform or deceive The Wire."

The Wire had reported Meta "had given an influential official from India's ruling party the extraordinary power to censor Instagram posts that he didn't like," according to the Washington Post. But it took a weird turn when The Wire published a video of a takedown request, according to Engadget.

"One day later, Meta said an internal investigation found the video showed a Workspace account created on October 13th, suggesting someone made the account to back up The Wire's reporting."

Privacy

Nym's Plan to Boost Internet Privacy Through 'Mixnets' (quantamagazine.org) 22

Harry Halpin helped create uniform cryptography standards for the World Wide Web Consortium, reports Quanta magazine — but "he also wanted to protect the lower, foundational level: the network through which the information is transmitted.

"In 2018, he started Nym Technologies to take on this problem.... Halpin spoke with Quanta from Nym's headquarters in Neuchâtel, Switzerland." Halpin: The trickier problem is this: How do I communicate with you so that no one else knows I'm communicating with you, even if our messages are encrypted? You can get a sense of what people are saying from the pattern of communication: Who are you talking with, when are your conversations, how long do they last...?

There are two key elements: One is the "mixnet," a technology invented by David Chaum in 1979 that my team has improved. It relies on the premise that you can't be anonymous by yourself; you can only be anonymous in a crowd. You start with a message and break it into smaller units, communications packets, that you can think of as playing cards. Next, you encrypt each card and randomly send it to a "mixnode" — a computer where it will be mixed with cards from other senders. This happens three separate times and at three separate mixnodes. Then each card is delivered to the intended recipient, where all the cards from the original message are decrypted and put back into the proper order. No person who oversees mixing at a single mixnode can know both the card's origin and its destination. In other words, no one can know who you are talking to.

Q: That was the original mixnet, so what improvements have you made?

Halpin: For one thing, we make use of the notion of entropy, a measure of randomness that was invented for this application by Claudia Diaz, a computer privacy professor at KU Leuven and Nym's chief scientist. Each packet you receive on the Nym network has a probability attached to it that tells you, for instance, the odds that it came from any given individual.... Our system uses a statistical process that allows you both to measure entropy and to maximize it — the greater the entropy, the greater the anonymity. There are no other systems out there today that can let users know how private their communications are.

Q: What's the second key element you referred to?

Halpin: Mixnets, as I said, have been around a long time. The reason they've never taken off has a lot to do with economics. Where do the people who are going to do the mixing come from, and how do you pay them? We think we have an answer. And the kernel of that idea came from a conversation I had in 2017 with Adam Back, a cryptographer who developed bitcoin's central "proof of work" algorithm. I asked him what he would do if he were to redesign bitcoin. He said it would be great if all the computer processing done to verify cryptocurrency transactions — by solving so-called Merkle puzzles that have no practical value outside of bitcoin — could instead be used to ensure privacy.

The computationally expensive part of privacy is the mixing, so it occurred to me that we could use a bitcoin-inspired system to incentivize people to do the mixing. We built our company around that idea....

A new paper that came out in June shows that this approach can lead to an economically sustainable mixnet....

We are not building a currency system or trying to replace the dollar. We just want to provide privacy to ordinary people.
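The interview above describes the mixnet mechanics (a message split into "cards", each wrapped in one encryption layer per mixnode, mixed at three nodes in turn, then reassembled by the recipient) and the entropy measure that tells a user how large their anonymity set is. The following simulation is an added example, not Nym's code: it models both in a few dozen lines. The cipher is a constructed SHA-256 keystream standing in for the real public-key layer encryption, the node names, sender names and messages are constructed sample data, and the entropy computed is the simplified Shannon entropy of "which sender did this card come from?" for one mixing batch, not Nym's production statistics.

```python
import hashlib
import json
import math
import os
import random
from collections import Counter

# Toy keyed stream cipher (SHA-256 keystream XOR with a fresh nonce), standing in
# for the public-key layer encryption a real mixnet uses. Constructed for this
# example only; it is not Nym's code and is not a cipher for real use.
def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt(key, plaintext):
    nonce = os.urandom(16)  # fresh nonce: identical payloads never yield identical ciphertexts
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))

def decrypt(key, ciphertext):
    nonce, body = ciphertext[:16], ciphertext[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

CARD_SIZE = 8  # bytes of message carried per "card" (packet)

def build_cards(message, recipient, path, node_keys, recipient_key):
    """Split a message into cards and wrap each in one encryption layer per mixnode.
    Layers are applied innermost first, so mixnode path[0] peels the outermost one."""
    chunks = [message[i:i + CARD_SIZE] for i in range(0, len(message), CARD_SIZE)]
    cards = []
    for seq, chunk in enumerate(chunks):
        # Innermost layer: only the recipient can read sequence number and content.
        layer = encrypt(recipient_key, json.dumps(
            {"seq": seq, "total": len(chunks), "data": chunk.decode()}).encode())
        next_hop = recipient
        for node in reversed(path):
            layer = encrypt(node_keys[node], json.dumps(
                {"next": next_hop, "payload": layer.hex()}).encode())
            next_hop = node
        cards.append(layer)
    return cards

def mix_batch(node, key, inbox, rng):
    """One mixnode: strip its own layer from every queued card, shuffle the batch and
    emit (next_hop, inner_ciphertext) pairs. Output bytes differ from input bytes and
    output order is random, so this node alone cannot pair an incoming card with an
    outgoing one beyond what the batch statistics allow."""
    outgoing = []
    for ciphertext in inbox:
        layer = json.loads(decrypt(key, ciphertext))
        outgoing.append((layer["next"], bytes.fromhex(layer["payload"])))
    rng.shuffle(outgoing)
    return outgoing

def sender_entropy(batch_senders):
    """Shannon entropy (bits) of the question 'which sender did this output card come
    from?', given the senders whose cards were mixed together in one batch. Higher
    entropy means a larger effective anonymity set."""
    counts = Counter(batch_senders)
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def run_mixnet(seed=1):
    """Send constructed sample traffic through three mixnodes; return what was
    delivered, the batch entropy and what each node learned about next hops."""
    rng = random.Random(seed)
    path = ["mix1", "mix2", "mix3"]
    node_keys = {n: os.urandom(32) for n in path}
    recipient_keys = {r: os.urandom(32) for r in ("Erin", "Frank", "Grace", "Heidi")}
    traffic = [("Alice", "Erin", b"meet at noon ok?"), ("Bob", "Frank", b"budget approved."),
               ("Carol", "Grace", b"send the report"), ("Dave", "Heidi", b"call me back!!")]
    inbox, batch_senders = [], []
    for sender, recipient, msg in traffic:
        for card in build_cards(msg, recipient, path, node_keys, recipient_keys[recipient]):
            inbox.append(card)
            batch_senders.append(sender)
    views, out = {}, []
    for node in path:
        out = mix_batch(node, node_keys[node], inbox, rng)
        views[node] = sorted({nxt for nxt, _ in out})  # only the next hop is visible here
        inbox = [c for _, c in out]
    # Cards leaving mix3 are addressed to recipients, who decrypt and reorder by seq.
    received = {}
    for recipient, card in out:
        received.setdefault(recipient, []).append(json.loads(decrypt(recipient_keys[recipient], card)))
    delivered = {r: "".join(p["data"] for p in sorted(parts, key=lambda p: p["seq"]))
                 for r, parts in received.items()}
    return {"delivered": delivered, "entropy_bits": sender_entropy(batch_senders), "views": views}

if __name__ == "__main__":
    print(run_mixnet())
```

The views returned make the interview's point concrete: mix1 sees real senders but forwards everything to mix2, mix3 sees recipients but only ever receives from mix2, and no node sees both ends. With four senders contributing equally to the batch the entropy is 2 bits (log2 of 4 senders); if one sender dominated the batch the entropy would fall toward zero, which is the "know how private your communication is" signal the text describes.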

Privacy

Forbes Alleges ByteDance Planned to Use TikTok to Monitor Locations of Specific American Citizens (forbes.com) 28

Thursday a Forbes senior writer reported: A China-based team at TikTok's parent company, ByteDance, planned to use the TikTok app to monitor the personal location of some specific American citizens, according to materials reviewed by Forbes.

The team behind the monitoring project — ByteDance's Internal Audit and Risk Control department — is led by Beijing-based executive Song Ye, who reports to ByteDance cofounder and CEO Rubo Liang. The team primarily conducts investigations into potential misconduct by current and former ByteDance employees. But in at least two cases, the Internal Audit team also planned to collect TikTok data about the location of a U.S. citizen who had never had an employment relationship with the company, the materials show.

It is unclear from the materials whether data about these Americans was actually collected; however, the plan was for a Beijing-based ByteDance team to obtain location data from U.S. users' devices.

Challenging the article, TikTok responded on Twitter that their service "does not collect precise GPS location information from U.S. users, meaning TikTok could not monitor U.S. users in the way the article suggested." But Forbes' senior writer thinks that's a misleading denial, writing on Twitter that "We never mentioned GPS in the story. In fact, we quoted their spokesperson saying they collect approximate location via IP address. Not using GPS does not mean they could not use that approximate location to monitor certain individuals."

TikTok also acknowledged on Twitter that they do have a team that will "acquire information they need to conduct internal investigations of violations of the company codes of conduct," but says the team follows a specific set of policies and processes "as is standard in companies across our industry." In Forbes' article, TikTok spokesperson Maureen Shanahan said that TikTok collects approximate location information (based on IP addresses) to "among other things, help show relevant content and ads to users, comply with applicable laws, and detect and prevent fraud and inauthentic behavior."

But Forbes' senior writer said in their article that "the material reviewed by Forbes indicates that ByteDance's Internal Audit team was planning to use this location information to surveil individual American citizens, not to target ads or any of these other purposes." The Internal Audit and Risk Control team runs regular audits and investigations of TikTok and ByteDance employees, for infractions like conflicts of interest and misuse of company resources, and also for leaks of confidential information. Internal materials reviewed by Forbes show that senior executives, including TikTok CEO Shou Zi Chew, have ordered the team to investigate individual employees, and that it has investigated employees even after they left the company.
TikTok's response on Twitter? Behavior like that would be a firing offense. "Any use of internal audit resources as alleged by Forbes would be grounds for immediate dismissal of company personnel."

TikTok also said on Twitter that their service "has never been used to 'target' any members of the U.S. government, activists, public figures or journalists, nor do we serve them a different content experience than other users." The response of Forbes' senior writer? "I'm glad they say TikTok hasn't been used to 'target' some specific groups. I am nonetheless concerned that they planned to use it to monitor specific Americans, which is what we reported.

"Also, for what it's worth, they didn't answer this question when we asked it to them on Wednesday.... Neither TikTok nor ByteDance denied anything we reported, either in the pre-publication process, when we told them what we planned to report and asked for comment, or since then. They have also not requested a story update."

Thanks to Slashdot reader koavf for submitting the story.

Power

Plans to Ban Solar Energy on England's Farmland Criticized by Landowners (theguardian.com) 193

"Farmers have urged whoever succeeds Liz Truss as UK prime minister to abandon plans to ban solar energy from most of England's farmland," reports the Guardian, "arguing that it would hurt food security by cutting off a vital income stream." Truss, who resigned on Thursday, and her environment secretary, Ranil Jayawardena, hoped to ban solar from about 41% of the land area of England, or about 58% of agricultural land, the Guardian revealed last week. They planned to do this by reclassifying less productive farmland as "best and most valuable", making it more difficult to use for energy infrastructure.

Members of the Country Land and Business Association (CLA), which represents 33,000 landowners, told the Guardian having solar on their less productive land allowed them to subsidise food production during less successful years, as well as providing cheap power for their estates and homes in their local area.

One farmer made the case succinctly to the Guardian. "We make unequivocally more from our solar panels than from farming."

The Courts

US Judge: Passengers in Fatal Boeing 737 MAX Crashes are 'Crime Victims' (reuters.com) 83

"A U.S. judge in Texas ruled on Friday that people killed in two Boeing 737 MAX crashes are legally considered 'crime victims,'" reports Reuters, "a designation that will determine what remedies should be imposed." In December, some crash victims' relatives said the U.S. Justice Department violated their legal rights when it struck a January 2021 deferred prosecution agreement with the planemaker over two crashes that killed 346 people. The families argued the government "lied and violated their rights through a secret process" and asked U.S. District Judge Reed O'Connor to rescind Boeing's immunity from criminal prosecution — which was part of the $2.5 billion agreement — and order the planemaker publicly arraigned on felony charges.

O'Connor ruled on Friday that "in sum, but for Boeing's criminal conspiracy to defraud the (Federal Aviation Administration), 346 people would not have lost their lives in the crashes."

Paul Cassell, a lawyer for the families, said the ruling "is a tremendous victory" and "sets the stage for a pivotal hearing, where we will present proposed remedies that will allow criminal prosecution to hold Boeing fully accountable."

Boeing did not immediately comment.
