An anonymous reader quotes a report from Ars Technica: A federal judge this week rejected Google's motion to throw out a class-action lawsuit alleging that it invaded the privacy of users who opted out of functionality that records a users' web and app activities. A jury trial is scheduled for August 2025 in US District Court in San Francisco. The lawsuit concerns Google's Web & App Activity (WAA) settings, with the lead plaintiff representing two subclasses of people with Android and non-Android phones who opted out of tracking. "The WAA button is a Google account setting that purports to give users privacy control of Google's data logging of the user's web app and activity, such as a user's searches and activity from other Google services, information associated with the user's activity, and information about the user's location and device," wrote (PDF) US District Judge Richard Seeborg, the chief judge in the Northern District Of California.

Google says that Web & App Activity "saves your activity on Google sites and apps, including associated info like location, to give you faster searches, better recommendations, and more personalized experiences in Maps, Search, and other Google services." Google also has a supplemental Web App and Activity setting that the judge's ruling refers to as "(s)WAA." "The (s)WAA button, which can only be switched on if WAA is also switched on, governs information regarding a user's '[Google] Chrome history and activity from sites, apps, and devices that use Google services.' Disabling WAA also disables the (s)WAA button," Seeborg wrote. But data is still sent to third-party app developers through the Google Analytics for Firebase (GA4F), "a free analytical tool that takes user data from the Firebase kit and provides app developers with insight on app usage and user engagement," the ruling said. GA4F "is integrated in 60 percent of the top apps" and "works by automatically sending to Google a user's ad interactions and certain identifiers regardless of a user's (s)WAA settings, and Google will, in turn, provide analysis of that data back to the app developer."

Plaintiffs have brought claims of privacy invasion under California law. Plaintiffs "present evidence that their data has economic value," and "a reasonable juror could find that Plaintiffs suffered damage or loss because Google profited from the misappropriation of their data," Seeborg wrote. The lawsuit was filed in July 2020. The judge notes that summary judgment can be granted when "there is no genuine dispute as to any material fact and the movant is entitled to judgment as a matter of law." Google hasn't met that standard, he ruled. In a statement provided to Ars, Google said that "privacy controls have long been built into our service and the allegations here are a deliberate attempt to mischaracterize the way our products work. We will continue to make our case in court against these patently false claims."

An anonymous reader quotes a report from Bloomberg: Italy is in advanced talks with Elon Musk's SpaceX for a deal to provide secure telecommunications for the nation's government -- the largest such project in Europe, people with knowledge of the matter said Sunday. Discussions are ongoing, and a final agreement on the five-year contract hasn't been reached, said the people, who asked not to be identified citing confidential discussions. The project has already been approved by Italy's Intelligence Services as well as Italy's Defense Ministry, they said. Italy on Monday confirmed discussions are ongoing, saying no deal had yet been reached. "The talks with SpaceX are part of normal government business," the government said.

The negotiations, which had stalled until recently, appeared to move forward after Italian Prime Minister Giorgia Meloni visited President-elect Donald Trump in Florida on Saturday. The Italian government said the two didn't discuss the issue during their meeting. Italian officials have been negotiating on a $1.6 billion deal aimed at supplying Italy with a full range of top-level encryption for telephone and Internet services used by the government, the people said. The plan also includes communications services for the Italian military in the Mediterranean area as well as the rollout of so-called direct-to-cell satellite services in Italy for use in emergencies like terror attacks or natural disasters, they said. The possible deal has been under review since mid-2023. It's been opposed by some Italian officials concerned about how the services may detract from local carriers.

BleepingComputer's Sergiu Gatlan reports: "Today, the White House announced the launch of the U.S. Cyber Trust Mark, a new cybersecurity safety label for internet-connected consumer devices. The Cyber Trust Mark label, which will appear on smart products sold in the United States later this year, will help American consumers determine whether the devices they want to buy are safe to install in their homes. It's designed for consumer smart devices, such as home security cameras, TVs, internet-connected appliances, fitness trackers, climate control systems, and baby monitors, and it signals that the internet-connected device comes with a set of security features approved by NIST.

Vendors will label their products with the Cyber Trust Mark logo if they meet the National Institute of Standards and Technology (NIST) cybersecurity criteria. These criteria include using unique and strong default passwords, software updates, data protection, and incident detection capabilities. Consumers can scan the QR code included next to the Cyber Trust Mark labels for additional security information, such as instructions on changing the default password, steps for securely configuring the device, details on automatic updates (including how to access them if they are not automatic), the product's minimum support period, and a notification if the manufacturer does not offer updates for the device. "Americans are worried about the rise of criminals remotely hacking into home security systems to unlock doors, or malicious attackers tapping into insecure home cameras to illicitly record conversations," the Biden administration said on Tuesday.

"The White House launched this bipartisan effort to educate American consumers and give them an easy way to assess the cybersecurity of such products, as well as incentivize companies to produce more cybersecure devise [sic], much as EnergyStar labels did for energy efficiency.

Telegram's Transparency Report reveals a sharp increase in U.S. government data requests, with 900 fulfilled requests affecting 2,253 users. "The news shows a massive spike in the number of data requests fulfilled by Telegram after French authorities arrested Telegram CEO Pavel Durov in August, in part because of the company's unwillingness to provide user data in a child abuse investigation," notes 404 Media. From the report: Between January 1 and September 30, 2024, Telegram fulfilled 14 requests "for IP addresses and/or phone numbers" from the United States, which affected a total of 108 users, according to Telegram's Transparency Reports bot. But for the entire year of 2024, it fulfilled 900 requests from the U.S. affecting a total of 2,253 users, meaning that the number of fulfilled requests skyrocketed between October and December, according to the newly released data. "Fulfilled requests from the United States of America for IP address and/or phone number: 900," Telegram's Transparency Reports bot said when prompted for the latest report by 404 Media. "Affected users: 2253," it added.

A month after Durov's arrest in August, Telegram updated its privacy policy to say that the company will provide user data, including IP addresses and phone numbers, to law enforcement agencies in response to valid legal orders. Up until then, the privacy policy only mentioned it would do so when concerning terror cases, and said that such a disclosure had never happened anyway. Even though the data technically covers the entire of 2024, the jump from a total of 108 affected users in October to 2253 as of now, indicates that the vast majority of fulfilled data requests were in the last quarter of 2024, showing a huge increase in the number of law enforcement requests that Telegram completed. You can access the platform's transparency reports here.

Former MoviePass CEO Theodore Farnsworth has pleaded guilty to securities fraud and conspiracy charges for misleading investors about the movie subscription service's "unlimited plan" and its parent company's capabilities, U.S. prosecutors said.

Farnsworth falsely claimed the $9.95 monthly unlimited movie plan was sustainable and that Helios & Matheson Analytics could monetize subscriber data through artificial intelligence, knowing both statements were untrue. He faces up to 20 years in prison for MoviePass-related fraud and five years for a separate conspiracy charge involving Vinco Ventures.

The shift from paywalled to open-access scientific publishing is progressing, driven in part by platforms like Sci-Hub -- a website that allows users to upload PDFs of published papers and share them with anyone. While the shadow library website has faced ongoing attempts by publishers to block access, it has another problem: the platform features many outdated or retracted papers that could spread misinformation or flawed findings. Ars Technica reports: Sci-Hub works a bit like a combination of cache and aggregator for published materials. Whenever it gets a request for a paper that's not already in its database, it uses leaked login credentials to go to the website of whatever journal published the paper and obtain a copy. If it already has a copy, however, it will simply serve that up instead. This leaves open the possibility that it will have obtained a copy of a paper prior to its retraction and continue to distribute that copy after the paper has been retracted.

To check this, the researchers obtained a list of nearly 17,000 retracted papers and searched for them on Sci-Hub. They then visually examined the documents that were returned. They found that 85 percent of them contained no indication that the paper had been retracted. "The availability of [unlabeled retracted articles] in the field of health sciences is particularly high," they note, "which indicates a significant risk of their unintended use and further citation in future research."

While corrections are less severe than retractions, they're likely to suffer a similar problem. And corrections will often involve the technical details of a paper -- the experimental approaches or raw data that will be critical for anyone wanting to replicate or extend previously published results. So, if anything, their impact will be more significant. Ars notes that a system called Crossmark is available to help find the most up-to-date version of a paper, including any corrections or retraction notices.

According to police, the man killed in the January 1st Las Vegas Cybertruck blast used ChatGPT to plan the explosion. The Hill reports: In a press conference, Tuesday, Las Vegas police released more details of the intentions of 37-year-old Matthew Livelsberger, who died of a gunshot wound prior to the car exploding. Las Vegas Sheriff Kevin McMahill said it was concerning that Livelsberger used ChatGPT, a popular artificial intelligence model created by OpenAI, to carry out the explosion. According to police, Livelsberger asked ChatGPT various questions, including where the largest gun stores in Denver were, information about the explosive targets Tannerite and pistols. "We knew that AI was going to change the game at some point or another in really all of our lives and certainly, I think this is the first incidence that I'm aware of on U.S. soil where ChatGPT is utilized to help an individual build a particular device, to learn information all across the country as they're moving forward," McMahill said.

"And so, absolutely, it's a concerning moment for us," he continued.

An anonymous reader quotes a report from Ars Technica: The US Justice Department today announced it filed an antitrust lawsuit against "six of the nation's largest landlords for participating in algorithmic pricing schemes that harmed renters." One of the landlords, Cortland Management, agreed to a settlement "that requires it to cooperate with the government, stop using its competitors' sensitive data to set rents and stop using the same algorithm as its competitors without a corporate monitor," the DOJ said. The pending settlement requires Cortland to "cooperate fully and truthfully... in any civil investigation or civil litigation the United States brings or has brought" on this subject matter.

The US previously sued RealPage, a software maker accused of helping landlords collectively set prices by giving them access to competitors' nonpublic pricing and occupancy information. The original version of the lawsuit described actions by landlords but did not name any as defendants. The Justice Department filed an amended complaint (PDF) today in order to add the landlords as defendants. The landlord defendants are Greystar, LivCor, Camden, Cushman, Willow Bridge, and Cortland, which collectively "operate more than 1.3 million units in 43 states and the District of Columbia," the DOJ said. "The amended complaint alleges that the six landlords actively participated in a scheme to set their rents using each other's competitively sensitive information through common pricing algorithms," the DOJ said. The phrase "price fixing" came up in discussions between landlords, the amended complaint said: "For example, in Minnesota, property managers from Cushman & Wakefield, Greystar, and other landlords regularly discussed competitively sensitive topics, including their future pricing. When a property manager from Greystar remarked that another property manager had declined to fully participate due to 'price fixing laws,' the Cushman & Wakefield property manager replied to Greystar, 'Hmm... Price fixing laws huh? That's a new one! Well, I'm happy to keep sharing so ask away. Hoping we can kick these concessions soon or at least only have you guys be the only ones with big concessions! It's so frustrating to have to offer so much.'"

The Justice Department is joined in the case by the attorneys general of California, Colorado, Connecticut, Illinois, Massachusetts, Minnesota, North Carolina, Oregon, Tennessee, and Washington. The case is in US District Court for the Middle District of North Carolina.

Further reading: Are We Entering an AI Price-Fixing Dystopia?

Hackers claim to have compromised Gravy Analytics, the parent company of Venntel which has sold masses of smartphone location data to the U.S. government. 404 Media: The hackers said they have stolen a massive amount of data, including customer lists, information on the broader industry, and even location data harvested from smartphones which show peoples' precise movements, and they are threatening to publish the data publicly.

The news is a crystalizing moment for the location data industry. For years, companies have harvested location information from smartphones, either through ordinary apps or the advertising ecosystem, and then built products based on that data or sold it to others. In many cases, those customers include the U.S. government, with arms of the military, DHS, the IRS, and FBI using it for various purposes. But collecting that data presents an attractive target to hackers.

An anonymous reader quotes a report from Reuters: The U.S. Defense Department said on Monday it has added Chinese tech giants including gaming and social media leader Tencent Holdings and battery maker CATL to a list of firms it says work with China's military. The list also included chip maker Changxin Memory Technologies, Quectel Wireless and drone maker Autel Robotics, according to a document published on Monday. The annually updated list (PDF) of Chinese military companies, formally mandated under U.S. law as the "Section 1260H list," designated 134 companies, according to a notice posted to the Federal Register.

U.S.-traded shares of Tencent, which is also the parent of Chinese instant messaging app WeChat, fell 8% in over-the-counter trading. Tencent said in a statement that its inclusion on the list was "clearly a mistake." It added: "We are not a military company or supplier. Unlike sanctions or export controls, this listing has no impact on our business." CATL called the designation a mistake, saying it "is not engaged in any military related activities." A Quectel spokesperson said the company "does not work with the military in any country and will ask the Pentagon to reconsider its designation, which clearly has been made in error."

While the designation does not involve immediate bans, it can be a blow to the reputations of affected companies and represents a stark warning to U.S. entities and firms about the risks of conducting business with them. It could also add pressure on the Treasury Department to sanction the companies. Two previously listed companies, drone maker DJI and Lidar-maker Hesai Technologies, both sued the Pentagon last year over their previous designations, but remain on the updated list. The Pentagon also removed six companies it said no longer met the requirements for the designation, including AI firm Beijing Megvii Technology, China Railway Construction Corporation Limited, China State Construction Group Co and China Telecommunications Corporation.

A U.S. Appeals Court ruled this week that net neutrality couldn't be reinstated by America's Federal Communications Commission. But "Despite the dismantling of the FCC's efforts to regulate broadband internet service, state laws in California, New York and elsewhere remain intact," notes the Los Angeles Times: This week's decision by the 6th U.S. Circuit Court of Appeals, striking down the FCC's open internet rules, has little bearing on state laws enacted during the years-long tug-of-war over the government's power to regulate internet service providers, telecommunications experts said. In fact, some suggested that the Cincinnati-based 6th Circuit's decision — along with other rulings and the U.S. Supreme Court's posture on a separate New York case — has effectively fortified state regulators' efforts to fill the gap. "Absent an act of Congress, the FCC has virtually no role in broadband any more," Ernesto Falcon, a program manager for the California Public Utilities Commission, said in an interview. "The result of this decision is that states like California, New York and others will have to govern and regulate broadband carriers on our own."

California has one of the nation's strongest laws on net neutrality, the principle that internet traffic must be treated equally to ensure a free and open network. Former Gov. Jerry Brown signed the measure into law in 2018, months after federal regulators in President elect-Donald Trump's first administration repealed the net neutrality rules put in place under President Obama. Colorado, Oregon and other states also adopted their own standards.

The Golden State's law has already survived legal challenges. It also prompted changes in the way internet service providers offered plans and services. "California's net neutrality law, which is seen as the gold standard by consumer advocates, carries national impact," Falcon said.... "The state's authority and role in broadband access has grown dramatically now," Falcon said.
California's net neutrality rules prohibit "throttling" data speeds, according to the article.

Brazil ended daylight saving time in 2019, reports the Washington Post, adding that some Brazilians loved the change, "particularly those who commute long distances and are no longer forced to leave their houses in pitch blackness." But "In the heavily populated southeast, the sky begins to brighten at the unconscionable hour of 4:30 a.m. during the summer, and by 8 a.m., it feels like high noon... Polls showed it ultimately lost majority support..."

And then "After several energy emergencies, and with the prospect of more to come as the effects of climate change intensify, the vanquished daylight saving time is suddenly looking a whole lot better than it once did to some in the Brazilian government." Authorities almost mandated the return of daylight saving — a portion of the calendar when clocks are turned forward to maximize seasonal daylight — late last year to conserve energy amid a historic drought that had threatened hydroelectric power generation and drove up light bills. The government is already laying the political groundwork to restore it as soon as this year...

Latin America's largest country is a global leader in green energy. An astounding 93 percent of its electricity comes from renewable sources, according to Brazil's Electric Energy Commercialization Chamber, the majority of which is hydropower. This strength, however, has also left it vulnerable to global warming. As temperatures have warmed and punishing droughts have grown more frequent, the country's water reserves have dropped precariously low at times, jeopardizing its primary source of energy. In 2021, an extended drought depleted the country's water stores, driving up light bills by an estimated 20 percent, according to the National Chamber of Electric Energy. Then came last year's drought, the worst in 70 years, and government officials started to look more seriously at daylight saving.

Alexandre Silveira [Brazil's mining and energy minister] said that month that the decision to eliminate daylight saving had been extravagance Brazil could scarcely afford. "It was massively irresponsible, without any basis in science," the energy official said. "We're living in a period of denial in Brazil in all aspects." José Sidnei Colombo Martini, an electrical engineer at the University of São Paulo, told The Washington Post that decision to end daylight saving amounted to a "national bet on whether it is going to rain." And the bet is expected to become increasingly risky as the years pass. "Brazil has always had a massive amount of available water compared to other countries — storing 12 percent of the planet's surface — but this is being altered," said Suely Araújo, public policy coordinator at the Climate Observatory. Estimates show "we could have a 40 percent reduction in our water availability in Brazil's principal hydro regions by 2040. Brazil has entered a new reality... "
Should other countries end Daylight Saving Time? "People and governments all over the world are having the same debate," the article points out, "often coming to conflicting conclusions." Countries including Azerbaijan, Mexico and Samoa have done away with daylight saving time. Meanwhile, Jordan, Namibia and Turkey have gone the opposite direction, opting for permanent daylight saving time. And Russia, discovering there's no way to tell time that pleases everyone, first tried permanent daylight saving time, then scuttled it.

Remember that massive botnet run by Chinese government hackers? Flax Typhoon "compromised computer networks in North America, Europe, Africa, and across Asia, with a particular focus on Taiwan," according to the U.S. Treasury Department. (The group's botnet breaching this autumn affected "at least 260,000 internet-connected devices," reports the Washington Post, "roughly half of which were located in the United States.")

Friday America's Treasury Department sanctioned "a Beijing-based cybersecurity company for its role in multiple computer intrusion incidents against U.S. victims..." according to an announcement from the department's Office of Foreign Assets Control. "Between summer 2022 and fall 2023, Flax Typhoon actors used infrastructure tied to Integrity Tech during their computer network exploitation activities against multiple victims. During that time, Flax Typhoon routinely sent and received information from Integrity Tech infrastructure."

From the Washington Post: The group behind the attacks was active since at least 2021, but U.S. authorities only managed to wrest control of the devices from the hackers in September, after the FBI won a court order that allowed the agency to send commands to the infected devices...

Treasury's designation follows sanctions announced last month on Sichuan Silence Information Technology Company, in which U.S. officials accused the company of exploiting technology flaws to install malware in more than 80,000 firewalls, including those protecting U.S. critical infrastructure. The new sanctions on Beijing Integrity Technology are notable due to the company's public profile and outsize role in servicing China's police and intelligence services via state-run hacking competitions. The company, which is listed in Shanghai and has a market capitalization of more than $327 million, plays a central role in providing state agencies "cyber ranges" — technology that allows them to simulate cyberattacks and defenses...

In September, FBI Director Christopher A. Wray said the Flax Typhoon attack successfully infiltrated universities, media organizations, corporations and government agencies, and in some cases caused significant financial losses as groups raced to replace the infected hardware. He said at the time that the operation to shut down the network was "one round in a much longer fight...." A 2024 assessment by the Office of the Director of National Intelligence said China is the most "active and persistent" cyberthreat and that actors under Beijing's direction have made efforts to breach U.S. critical infrastructure with the intention of lying in wait to be able to launch attacks in the event of major conflict.
"The Treasury sanctions bar Beijing Integrity Technology from access to U.S. financial systems and freeze any assets the company might hold in the United States," according to the article, "but the moves are unlikely to have a significant effect on the company," (according to Dakota Cary, a fellow at the Atlantic Council who has studied the company's role in state-sponsored hacking).

The Register's Jude Karabus reports: IBM and semiconductor maker GlobalFoundries have settled all of their litigation against each other, including breach of contract, patent, and trade secret suits, the pair say. The details of the settlement are confidential. All that both companies were prepared to say in yesterday's statements was that the deal they'd agreed would resolve "all litigation matters, inclusive of breach of contract, trade secrets, and intellectual property claims between the two companies." They added that the settlement would allow the companies to "explore new opportunities for collaboration in areas of mutual interest." In 2021, IBM sued GlobalFoundries for $2.5 billion, accusing it of failing to deliver on 10nm and 7nm chip production commitments, which disrupted IBM's hardware roadmap. GlobalFoundries poaching engineers countersued in 2023, alleging IBM misused trade secrets and poached engineers to support partnerships with Intel and Rapidus, potentially compromising proprietary technologies.

An anonymous reader quotes a report from TechCrunch: A U.S. online gift card store has secured an online storage server that was publicly exposing hundreds of thousands of customer government-issued identity documents to the internet. A security researcher, who goes by the online handle JayeLTee, found the publicly exposed storage server late last year containing driving licenses, passports, and other identity documents belonging to MyGiftCardSupply, a company that sells digital gift cards for customers to redeem at popular brands and online services.

MyGiftCardSupply's website says it requires customers to upload a copy of their identity documents as part of its compliance efforts with U.S. anti-money laundering rules, often known as "know your customer" checks, or KYC. But the storage server containing the files had no password, allowing anyone on the internet to access the data stored inside. JayeLTee alerted TechCrunch to the exposure last week after MyGiftCardSupply did not respond to the researcher's email about the exposed data. [...]

According to JayeLTee, the exposed data -- hosted on Microsoft's Azure cloud -- contained over 600,000 front and back images of identity documents and selfie photos of around 200,000 customers. It's not uncommon for companies subject to KYC checks to ask their customers to take a selfie while holding a copy of their identity documents to verify that the customer is who they say they are, and to weed out forgeries. MyGiftCardSupply founder Sam Gastro told TechCrunch: "The files are now secure, and we are doing a full audit of the KYC verification procedure. Going forward, we are going to delete the files promptly after doing the identity verification." It's not known how long the data was exposed or if the company would commit to notifying affected individuals.

A federal judge in Connecticut refused to dismiss a long-running lawsuit accusing the former Nestle Waters North America of defrauding consumers by labeling its Poland Spring bottled water as "spring water." From a report: While rejecting some claims in the proposed class action, U.S. District Judge Jeffrey Alker Meyer in New Haven called it an open question whether Poland Spring qualified as spring water under the laws of Connecticut, Maine, Massachusetts, New Hampshire, New Jersey, New York, Pennsylvania and Rhode Island. Poland Spring is now owned by Tampa, Florida-based Primo Brands, following multiple corporate transactions. Consumers sued Nestle Waters, then owned by Nestle, in 2017, saying it deceived them into overpaying for Poland Spring with labels declaring it to be "Natural Spring Water" or "100% Natural Spring Water."

The plaintiffs said "not one drop" of the 1 billion gallons sold annually in the United States came from a natural spring, and that the actual Poland Spring in Maine "ran dry" two decades before Nestle bought the brand in 1992. In seeking a dismissal, Nestle Waters said geologists and officials in the eight states agreed that Poland Spring complied with a U.S. Food and Drug Administration rule defining spring water, and each state authorized its sale as "spring water."

More than half-a-dozen VPN apps, including Cloudflare's widely-used 1.1.1.1, have been pulled from India's Apple App Store and Google Play Store following intervention from government authorities, TechCrunch reported Friday. From the report: The Indian Ministry of Home Affairs issued removal orders for the apps, according to a document reviewed by TechCrunch and a disclosure made by Google to Lumen, Harvard University's database that tracks government takedown requests globally.

An anonymous reader quotes a report from Reuters: Constellation Energy has been awarded a record $1 billion in contracts to supply nuclear power to the U.S. government over the next decade, the company said on Thursday. Constellation, the country's largest operator of nuclear power plants, will deliver electricity to more than 13 federal agencies as part of the agreements with the U.S. General Services Administration. The deal is the biggest energy purchase in the history of the GSA, which constructs and manages federal buildings, and is among the first major climate-focused energy agreement by the U.S. government to include electricity generated from existing nuclear reactors.

The GSA estimated that the contracts, set to begin on April 25, will comprise over 10 million megawatt-hours over 10 years and provide electricity equivalent to powering more than 1 million homes annually. The procurement will deliver electricity to 80 federal facilities located throughout the PJM Interconnection, a regional transmission operator with service covering more than 65 million people. The U.S. Department of Transportation, the Federal Reserve Board of Governors and the Army Corps of Engineers are some of the facilities that will receive the power. [...] Constellation said the deal will enable it to extend the licenses of existing nuclear plants and invest in new equipment and technology that will increase output by about 135 megawatts. "The investments we make as a result of this contract will keep these plants operating reliably for decades to come and put new, clean nuclear energy on the grid while making the best use of taxpayer dollars," Constellation CEO Joe Dominguez said in a release.

An anonymous reader quotes a report from The Record: Cybersecurity researchers have uncovered dozens of attacks that involve malicious updates for Chrome browser extensions, one week after a security firm was compromised in a similar incident. As of Wednesday, a total of 36 Chrome extensions injected with data-stealing code have been detected, mostly related to artificial intelligence (AI) tools and virtual private networks (VPNs), according to a report by ExtensionTotal, a platform that analyzes extensions listed on various marketplaces and public registries. These extensions, collectively used by roughly 2.6 million people, include third-party tools such as ChatGPT for Google Meet, Bard AI Chat, YesCaptcha Assistant, VPNCity and Internxt VPN. Some of the affected companies have already addressed the issue by removing the compromised extensions from the store or updating them, according to ExtensionTotal's analysis. [...]

It remains unclear whether all the compromised extensions are linked to the same threat actor. Security researchers warn that browser extensions "shouldn't be treated lightly," as they have deep access to browser data, including authenticated sessions and sensitive information. Extensions are also easy to update and often not subjected to the same scrutiny as traditional software. ExtensionTotal recommends that organizations use only pre-approved versions of extensions and ensure they remain unchanged and protected from malicious automatic updates. "Even when we trust the developer of an extension, it's crucial to remember that every version could be entirely different from the previous one," researchers said. "If the extension developer is compromised, the users are effectively compromised as well -- almost instantly."

An anonymous reader quotes a report from Ars Technica: Apple has agreed (PDF) to pay $95 million to settle a lawsuit alleging that its voice assistant Siri routinely recorded private conversations that were then sold to third parties for targeted ads. In the proposed class-action settlement (PDF) -- which comes after five years of litigation -- Apple admitted to no wrongdoing. Instead, the settlement refers to "unintentional" Siri activations that occurred after the "Hey, Siri" feature was introduced in 2014, where recordings were apparently prompted without users ever saying the trigger words, "Hey, Siri." Sometimes Siri would be inadvertently activated, a whistleblower told The Guardian, when an Apple Watch was raised and speech was detected. The only clue that users seemingly had of Siri's alleged spying was eerily accurate targeted ads that appeared after they had just been talking about specific items like Air Jordans or brands like Olive Garden, Reuters noted. It's currently unknown how many customers were affected, but if the settlement is approved, the tech giant has offered up to $20 per Siri-enabled device for any customers who made purchases between September 17, 2014, and December 31, 2024. That includes iPhones, iPads, Apple Watches, MacBooks, HomePods, iPod touches, and Apple TVs, the settlement agreement noted. Each customer can submit claims for up to five devices.

A hearing when the settlement could be approved is currently scheduled for February 14. If the settlement is certified, Apple will send notices to all affected customers. Through the settlement, customers can not only get monetary relief but also ensure that their private phone calls are permanently deleted. While the settlement appears to be a victory for Apple users after months of mediation, it potentially lets Apple off the hook pretty cheaply. If the court had certified the class action and Apple users had won, Apple could've been fined more than $1.5 billion under the Wiretap Act alone, court filings showed. But lawyers representing Apple users decided to settle, partly because data privacy law is still a "developing area of law imposing inherent risks that a new decision could shift the legal landscape as to the certifiability of a class, liability, and damages," the motion to approve the settlement agreement said. It was also possible that the class size could be significantly narrowed through ongoing litigation, if the court determined that Apple users had to prove their calls had been recorded through an incidental Siri activation -- potentially reducing recoverable damages for everyone.