The European Union’s top court ruled Thursday that an agreement that allows big tech companies to transfer data to the United States is invalid, and that national regulators need to take tougher action to protect the privacy of users’ data.
The ruling does not mean an immediate halt to all data transfers outside the EU, as there is another legal mechanism that some companies can use. But it means that the scrutiny over data transfers will be ramped up and that the EU and U.S. may have to find a new system that guarantees that Europeans’ data is afforded the same privacy protection in the U.S. as it is in the EU.
The case began after former U.S. National Security Agency contractor Edward Snowden revealed in 2013 that the American government was snooping on people’s online data and communications. The revelations included detail on how Facebook gave U.S. security agencies access to the personal data of Europeans.
Austrian activist and law student Max Schrems that year filed a complaint against Facebook, which has its EU base in Ireland, arguing that personal data should not be sent to the U.S., as many companies do, because the data protection is not as strong as in Europe. The EU has some of the toughest data privacy rules under a system known as GDPR.
Google records what people are doing on hundreds of thousands of mobile apps even when they follow the company’s recommended settings for stopping such monitoring, a lawsuit seeking class action status alleged on Tuesday.
The data privacy lawsuit is the second filed in as many months against Google by the law firm Boies Schiller Flexner on behalf of a handful of individual consumers.
[…]
The new complaint in a U.S. district court in San Jose accuses Google of violating federal wiretap law and California privacy law by logging what users are looking at in news, ride-hailing and other types of apps despite them having turned off “Web & App Activity” tracking in their Google account settings.
The lawsuit alleges the data collection happens through Google’s Firebase, a set of software popular among app makers for storing data, delivering notifications and ads, and tracking glitches and clicks. Firebase typically operates inside apps invisibly to consumers.
“Even when consumers follow Google’s own instructions and turn off ‘Web & App Activity’ tracking on their ‘Privacy Controls,’ Google nevertheless continues to intercept consumers’ app usage and app browsing communications and personal information,” the lawsuit contends.
Google uses some Firebase data to improve its products and personalize ads and other content for consumers, according to the lawsuit.
Reuters reported in March that U.S. antitrust investigators are looking into whether Google has unlawfully stifled competition in advertising and other businesses by effectively making Firebase unavoidable.
In its case last month, Boies Schiller Flexner accused Google of surreptitiously recording Chrome browser users’ activity even when they activated what Google calls Incognito mode. Google said it would fight the claim.
Most GDPR consent banner implementations are deliberately engineered to be difficult to use and are full of dark patterns that are illegal according to the law.
I wanted to find out how many visitors would engage with a GDPR banner if it were implemented properly and how many would grant consent to their information being collected and shared.
[…]
If you implement a proper GDPR consent banner, a vast majority of visitors will most probably decline to give you consent. 91% to be exact out of 19,000 visitors in my study.
What’s a proper and legal implementation of a GDPR banner?
It’s a banner that doesn’t take much space
It allows people to browse your site even when ignoring the banner
It’s a banner that allows visitors to say “no” just as easily as they can say “yes”
I’ve seen a lot of people — including those who are supporting the publishers’ legal attack on the Internet Archive — insist that they “support libraries,” but that the Internet Archive’s Open Library and National Emergency Library are “not libraries.” First off, they’re wrong. But, more importantly, it’s good to see actual librarians now coming out in support of the Internet Archive as well. The Association of Research Libraries has put out a statement asking publishers to drop this counterproductive lawsuit, especially since the Internet Archive has shut down the National Emergency Library.
The Association of Research Libraries (ARL) urges an end to the lawsuit against the Internet Archive filed early this month by four major publishers in the United States District Court Southern District of New York, especially now that the National Emergency Library (NEL) has closed two weeks earlier than originally planned.
As the ARL points out, the Internet Archive has been an astounding “force for good” for the dissemination of knowledge and culture — and that includes introducing people to more books.
For nearly 25 years, the Internet Archive (IA) has been a force for good by capturing the world’s knowledge and providing barrier-free access for everyone, contributing services to higher education and the public, including the Wayback Machine that archives the World Wide Web, as well as a host of other services preserving software, audio files, special collections, and more. Over the past four weeks, IA’s Open Library has circulated more than 400,000 digital books without any user cost—including out-of-copyright works, university press titles, and recent works of academic interest—using controlled digital lending (CDL). CDL is a practice whereby libraries lend temporary digital copies of print books they own in a one-to-one ratio of “loaned to owned,” and where the print copy is removed from circulation while the digital copy is in use. CDL is a practice rooted in the fair use right of the US Copyright Act and recent judicial interpretations of that right. During the COVID-19 pandemic, many academic and research libraries have relied on CDL (including IA’s Open Library) to ensure academic and research continuity at a time when many physical collections have been inaccessible.
As ARL and our partner library associations acknowledge, many publishers (including some involved in the lawsuit) are contributing to academic continuity by opening more content during this crisis. As universities and libraries work to ensure scholars and students have the information they need, ARL looks forward to working with publishers to ensure open and equitable access to information. Continuing the litigation against IA for the purpose of recovering statutory damages and shuttering the Open Library would interfere with this shared mutual objective.
It would be nice if the publishers recognized this, but as we’ve said over and over again, these publishers would sue any library if libraries didn’t already exist. The fact that the Open Library looks just marginally different from a traditional library means they’re unlikely to let go of this stupid, counterproductive lawsuit.
As Alexa, Google Home, Siri, and other voice assistants have become fixtures in millions of homes, privacy advocates have grown concerned that their near-constant listening to nearby conversations could pose more risk than benefit to users. New research suggests the privacy threat may be greater than previously thought.
The findings demonstrate how common it is for dialog in TV shows and other sources to produce false triggers that cause the devices to turn on, sometimes sending nearby sounds to Amazon, Apple, Google, or other manufacturers. In all, researchers uncovered more than 1,000 word sequences—including those from Game of Thrones, Modern Family, House of Cards, and news broadcasts—that incorrectly trigger the devices.
“The devices are intentionally programmed in a somewhat forgiving manner, because they are supposed to be able to understand their humans,” one of the researchers, Dorothea Kolossa, said. “Therefore, they are more likely to start up once too often rather than not at all.”
That which must not be said
Examples of words or word sequences that provide false triggers include
Alexa: “unacceptable,” “election,” and “a letter”
Google Home: “OK, cool,” and “Okay, who is reading”
Siri: “a city” and “hey jerry”
Microsoft Cortana: “Montana”
The two videos below show a GoT character saying “a letter” and a Modern Family character uttering “hey Jerry” and activating Alexa and Siri, respectively.
Accidental Trigger #1 – Alexa – Cloud
Accidental Trigger #3 – Hey Siri – Cloud
In both cases, the phrases activate the device locally, where algorithms analyze the phrases; after mistakenly concluding that these are likely a wake word, the devices then send the audio to remote servers where more robust checking mechanisms also mistake the words for wake terms. In other cases, the words or phrases trick only the local wake word detection but not algorithms in the cloud.
Unacceptable privacy intrusion
When devices wake, the researchers said, they record a portion of what’s said and transmit it to the manufacturer. The audio may then be transcribed and checked by employees in an attempt to improve word recognition. The result: fragments of potentially private conversations can end up in the company logs.
The research paper, titled “Unacceptable, where is my privacy?,” is the product of Lea Schönherr, Maximilian Golla, Jan Wiele, Thorsten Eisenhofer, Dorothea Kolossa, and Thorsten Holz of Ruhr University Bochum and Max Planck Institute for Security and Privacy. In a brief write-up of the findings, they wrote:
Our setup was able to identify more than 1,000 sequences that incorrectly trigger smart speakers. For example, we found that depending on the pronunciation, «Alexa» reacts to the words “unacceptable” and “election,” while «Google» often triggers to “OK, cool.” «Siri» can be fooled by “a city,” «Cortana» by “Montana,” «Computer» by “Peter,” «Amazon» by “and the zone,” and «Echo» by “tobacco.” See videos with examples of such accidental triggers here.
In our paper, we analyze a diverse set of audio sources, explore gender and language biases, and measure the reproducibility of the identified triggers. To better understand accidental triggers, we describe a method to craft them artificially. By reverse-engineering the communication channel of an Amazon Echo, we are able to provide novel insights on how commercial companies deal with such problematic triggers in practice. Finally, we analyze the privacy implications of accidental triggers and discuss potential mechanisms to improve the privacy of smart speakers.
The researchers analyzed voice assistants from Amazon, Apple, Google, Microsoft, and Deutsche Telekom, as well as three Chinese models by Xiaomi, Baidu, and Tencent. Results published on Tuesday focused on the first four. Representatives from Apple, Google, and Microsoft didn’t immediately respond to a request for comment.
The full paper hasn’t yet been published, and the researchers declined to provide a copy ahead of schedule. The general findings, however, already provide further evidence that voice assistants can intrude on users’ privacy even when people don’t think their devices are listening. For those concerned about the issue, it may make sense to keep voice assistants unplugged, turned off, or blocked from listening except when needed—or to forgo using them at all.
How many government demands for user data has Zoom received? We won’t know until “later this year,” an updated Zoom blog post now says.
The video conferencing giant previously said it would release the number of government demands it has received by June 30. But the company said it’s missed that target and has given no firm new date for releasing the figures.
It comes amid heightened scrutiny of the service after a number of security issues and privacy concerns came to light following a massive spike in its user base, thanks to millions working from home because of the coronavirus pandemic.
In a blog post today reflecting on the company’s turnaround efforts, chief executive Eric Yuan said the company has “made significant progress defining the framework and approach for a transparency report that details information related to requests Zoom receives for data, records or content.”
“We look forward to providing the fiscal [second quarter] data in our first report later this year,” he said.
Transparency reports offer rare insights into the number of demands or requests a company gets from the government for user data. These reports are not mandatory, but are important to understand the scale and scope of government surveillance.
Zoom said last month it would launch its first transparency report after the company admitted it briefly suspended the Zoom accounts of two U.S.-based users and one Hong Kong activist at the request of the Chinese government. The users, who were not based in China, held a Zoom call commemorating the anniversary of the Tiananmen Square massacre, an event that’s cloaked in secrecy and censorship in mainland China.
Twenty consumer and citizen rights groups have published an open letter [PDF] urging regulators to pay closer attention to Google parent Alphabet’s planned acquisition of Fitbit.
The letter describes the pending purchase as a “game-changer” that will test regulators’ resolve to analyse how the vast quantities of health and location data slurped by Google would affect broader market competition.
“Google could exploit Fitbit’s exceptionally valuable health and location datasets, and data collection capabilities, to strengthen its already dominant position in digital markets such as online advertising,” the group warned.
Signatories to the letter include US-based Color of Change, Center for Digital Democracy and the Omidyar Network, the Australian Privacy Foundation, and BEUC – the European Consumer Organisation.
Google confirmed its intent to acquire Fitbit for $2.1bn in November. The deal is still pending, subject to regulator approval. Google has sought the green light from the European Commission, which is expected to publish its decision on 20 July.
The EU’s executive branch can either approve the buy (with or without additional conditions) or opt to start a four-month investigation.
The US Department of Justice has also started its own investigation, requesting documents from both parties. If the deal is stopped, Google will be forced to pay a $250m termination fee to Fitbit.
Separately, the Australian Competition and Consumer Choice Commission (ACCC) has voiced concerns that the Fitbit-Google deal could have a distorting effect on the advertising market.
“Buying Fitbit will allow Google to build an even more comprehensive set of user data, further cementing its position and raising barriers to entry for potential rivals,” said ACCC chairman Rod Sims last month.
“User data available to Google has made it so valuable to advertisers that it faces only limited competition.”
The Register has asked Google and Fitbit for comment. ®
Updated at 14:06 UTC 02/07/20 to add
A Google spokesperson told The Reg: “Throughout this process we have been clear about our commitment not to use Fitbit health and wellness data for Google ads and our responsibility to provide people with choice and control with their data.
“Similar to our other products, with wearables, we will be transparent about the data we collect and why. And we do not sell personal information to anyone.”
This latest device succeeds the previous Librem 13 laptop, which ran for four generations, and includes a slightly bigger display, a hexa-core Ice Lake Intel Core i7 processor, gigabit Ethernet, and USB-C. As the name implies, the Librem 14 packs a 14-inch, 1920×1080 IPS display. Purism said this comes without increasing the laptop’s dimensions thanks to smaller bezels. You can find the full specs here.
Crucially, it is loaded with the usual privacy features found in Purism’s kit such as hardware kill switches that disconnect the microphone and webcam from the laptop’s circuitry. It also comes with the firm’s PureBoot tech, which includes Purism’s in-house CoreBoot BIOS replacement, and a mostly excised Intel Management Engine (IME).
The IME is a hidden coprocessor included in most of Chipzilla’s chipsets since 2008. It allows system administrators to remotely manage devices using out-of-band communications. But it’s also controversial in the security community since it’s somewhat of a black box.
There is little by way of public documentation. Intel hasn’t released the source code. And, to add insult to injury, it’s also proven vulnerable to exploitation in the past.
The company said that it continued sharing user data with approximately 5,000 developers even after their application’s access expired.
The incident is related to a security control that Facebook added to its systems following the Cambridge Analytica scandal of early 2018.
Responding to criticism that it allowed app developers too much access to user information, Facebook added at the time a new mechanism to its API that prevented apps from accessing a user’s data if the user did not use the app for more than 90 days.
However, Facebook said that it recently discovered that in some instances, this safety mechanism failed to activate and allowed some apps to continue accessing user information even past the 90-day cutoff date.
[…]
“From the last several months of data we have available, we currently estimate this issue enabled approximately 5,000 developers to continue receiving [user] information,” Papamiltiadis said.
The company didn’t clarify how many users were impacted, and had their data made available to app developers even after they stopped using the app.
If I told you that my entire computer screen just got taken over by a new app that I’d never installed or asked for — it just magically appeared on my desktop, my taskbar, and preempted my next website launch — you’d probably tell me to run a virus scanner and stay away from shady websites, no?
But the insanely intrusive app I’m talking about isn’t a piece of ransomware. It’s Microsoft’s new Chromium Edge browser, which the company is now force-feeding users via an automatic update to Windows.
Seriously, when I restarted my Windows 10 desktop this week, an app I’d never asked for:
Immediately launched itself
Tried to convince me to migrate away from Chrome, giving me no discernible way to click away or say no
Pinned itself to my desktop and taskbar
Ignored my previous browser preference by asking me — the next time I launched a website — whether I was sure I wanted to use Chrome instead of Microsoft’s oh-so-humble recommendation.
A Windows 10 update forces a full screen @MicrosoftEdge window, which cannot be closed from the taskbar, or CTRL W, or even ALT F4. You must press “get started,” then the X, and even then it pops up a welcome screen. And pins itself to the taskbar. pic.twitter.com/mEhEbqpIc7
Did I mention that, as of this update, you can’t uninstall Edge anymore?
It all immediately made me think: what would the antitrust enforcers of the ‘90s, who punished Microsoft for bundling Internet Explorer with Windows, think about this modern abuse of Microsoft’s platform?
*wakes up and discovers they not only decided to install Edge on my computer without my consent but also pinned it to my taskbar* …no. NO
“We care about your privacy” Microsoft Edge says as it quietly installs on my computer, opens up in the morning, and once more reminds me that Windows 7 sucks and plz update to the other O/S.
But mostly, I’m surprised Microsoft would shoot itself in the foot by stooping so low, using tactics I’ve only ever seen from purveyors of adware, spyware, and ransomware. I installed this copy of Windows with a disk I purchased, by the way. Maybe I’m old-fashioned, but I like to think I still own my desktop and get to decide what I put there.
That’s especially true of owners of Windows 7 and Windows 8, I imagine, who are also receiving unwanted gift copies of the new Edge right now:
If windows 7 isn’t supported then why did my Work machine automatically install Microsoft EDGE last night 😐
— DJ_Uchuu – Silicon Dreams Comin’ 3rd July (@DjUchuu) June 30, 2020
The internet’s domain names have become potentially trademarkable following a decision by the US Supreme Court today that Booking.com can in fact be registered with America’s Patent and Trademark Office (PTO) – against officials’ objections.
The near-unanimous decision [PDF] – Justice Stephen Breyer was the sole rebel – went against the PTO’s legal arguments that adding “.com” to a generic term was like adding “company” to a word and so “conveys no additional meaning that would distinguish [one provider’s] services from those of other providers.”
The Supreme Court disagreed; at some length. It agreed with both the district court and the appeals court that “consumers do not in fact perceive the term ‘Booking.com’ that way.” It cited as a key piece of evidence a survey that showed 75 per cent of respondents thought ‘Booking.com’ was a brand name, whereas just 24 per cent believed it was a generic name.
It didn’t help that the PTO hasn’t followed its own argument in the past, with the court noting trademark registration #3,601,346 for Art.com and #2,580,467 for Dating.com. If the decision went against Booking.com, the Supreme Court reasoned, then existing approved trademarks would “be at risk of cancellation.” But it was also scathing in its assessment that “we discern no support for the PTO’s current view in trademark law or policy.”
The same survey that showed 75 per cent of people felt Booking.com was a brand however also revealed that only 33 per cent felt “Washingmachine.com” was a brand whereas 61 per cent thought it was generic. And that subjective measurement is likely to prove to be a major headache for the PTO in deciding on what presumably will now be a rush of .com trademark applications.
Comcast has agreed to be the first home broadband internet provider to handle secure DNS-over-HTTPS queries for Firefox browser users in the US, Mozilla has announced.
This means the ISP, which has joined Moz’s Trusted Recursive Resolver (TRR) Program, will perform domain-name-to-IP-address lookups for subscribers using Firefox via encrypted HTTPS channels. That prevents network eavesdroppers from snooping on DNS queries or meddling with them to redirect connections to malicious webpages.
Last year Comcast and other broadband giants were fiercely against such safeguards, though it appears Comcast has had a change of heart – presumably when it figured it could offer DNS-over-HTTPS services as well as its plain-text DNS resolvers.
At some point in the near future, Firefox users subscribed to Comcast will use the ISP’s DNS-over-HTTPS resolvers by default, though they can opt to switch to other secure DNS providers or opt-out completely.
[…]
Incredibly, DNS-over-HTTPS was heralded as a way to prevent, among others, ISPs from snooping on and analyzing their subscribers’ web activities to target them with adverts tailored to their interests, or sell the information as a package to advertisers and industry analysts. And yet, here’s Comcast providing a DNS-over-HTTPS service for Firefox fans, allowing it to inspect and exploit their incoming queries if it so wishes. Talk about a fox guarding the hen house.
ISPs “have access to a stream of a user’s browsing history,” Marshall Erwin, senior director of trust and security at, er, Mozilla, warned in November. “This is particularly concerning in light of the rollback of the broadband privacy rules, which removed guardrails for how ISPs can use your data. The same ISPs are now fighting to prevent the deployment of DNS-over-HTTPS.”
Mozilla today insisted its new best buddy Comcast is going to play nice and follow the DNS privacy program’s rules.
Names, addresses and mobile numbers have been sold for fraud using WhatsApp. Most of these numbers come from call centres, mainly those selling energy contracts. The fresher a lead is, the more it is worth: between 25 cents and 2 euros. The money is usually transferred through mules, who keep a percentage of the proceeds.
In the case of Firefox users, some discovered that the new default Windows 10 browser, which is shipped to their devices via Windows Update, sometimes imports the data from Mozilla’s application even if they don’t give their permission.
Some of these Firefox users decided to kill the initial setup process of Microsoft Edge, only to discover that despite the wizard shutting down prematurely, the browser still copied data stored by Mozilla’s browser.
Several users confirmed on reddit that this behavior happened on their computers too.
Silent data importing
“Love rebooting my computer to get treated to a forced tour of a browser I’m not going to use that I have to force close through the task manager to escape, and then finding out it’s been copying over my data from Firefox without permission,” one user explains.
“Unless you close it via task manager instead of doing the forced setup, in which case it copies your data anyway, and the worst part is most people will never know what it’s doing because they’ll never open it again. I only reopened it because I noticed it automatically signed me into the browser as it was closing and wanted to sign out before not touching it again, at which point I discovered it had already copied my Firefox data over despite the fact I didn’t go through the setup process,” someone else explains.
Microsoft has remained tight-lipped on this, so for the time being, it’s still not known why Edge imports Firefox data despite the initial wizard actually being killed off manually by the user.
Users who don’t want to be offered the new Edge on Windows Update can turn to the dedicated toolkit that Microsoft released earlier this year, while removing the browser is possible by just uninstalling the update from the device.
Google has introduced “continuous match mode” for apps on its voice-powered Assistant platform, where it will listen to everything without pausing. At the same time it has debuted related developer tools, new features, and the ability to display web content on its Smart Display hardware using the AMP component framework.
The Chocolate Factory has big plans for its voice assistant. “We consider voice to be the biggest paradigm shift around us,” said director of product Baris Gultekin, speaking at the Voice Global summit, where the new features were introduced.
The goal is “ambient computing”, where you can interact with the big G anywhere at any time, so pervasively that you do not notice it. Voice interaction is a key part of this since it extends the ability to perform searches or run applications to scenarios where tapping a keyboard or touching a display are not possible.
Google Assistant exists in many guises such as on smartphones and watches, TVs, PCs, and also on dedicated hardware, such as the voice-only Google Home and Google Home Mini, or with “smart display” screens on the Google Nest Hub or devices from Lenovo and Harman. While assistant devices have been popular, Android phones (which nag you to set up the Assistant) must form the largest subset of users. Over all the device types, the company claims over 500 million active users.
[…]
Actions Builder will “replace DialogFlow as the preferred way to develop actions on the assistant,” said Shodjai.
Google’s new Action Builder at work
Trying out the new Action Builder, we discovered that running an action under development is impossible if you have the Web and App Activity permission, which lets Google keep a record of your actions, disabled. A dialog appears prompting you to enable it. It is a reminder of how Google Assistant is entwined with the notion that you give Google your data in return for personalised experiences.
[…]
“Sometimes you want to build experiences that enable the mic to remain open, to enable users to speak more naturally with your action, without waiting for a change in mic states,” said Shodjai at the summit and in the developer post.
“Today we are announcing an early access program for Continuous Match Mode, which allows the assistant to respond immediately to user’s speech enabling more natural and fluid experiences. This is done transparently, so that before the mic opens the assistant will announce, ‘the mic will stay open temporarily’, so users know they can now speak freely without waiting for additional prompts.”
The mode is not yet publicly documented. The demonstrated example was for a game with jolly cartoon pictures; but there may be privacy implications since in effect this setting lets the action continue to listen to everything while the mode is active.
Shodjai did not explain how users will end a Continuous Match Mode session but presumably this will be either after a developer-defined exit intent, or via a system intent as with existing actions. Until that happens, the action will be able to keep running.
Just as with personalisation via tracking and data collection, privacy and pervasive computing do not sit comfortably together, and with the new Continuous Match Mode a little more privacy slips away.
A popular website with a comprehensive database of repair manuals for ventilators and other medical devices has received a letter from a medical equipment company saying that its copyrights are being infringed.
Kyle Wiens, CEO of the repair website iFixit—which posts guides on how to repair anything from sewing machines to video game consoles—shared the letter on Twitter Thursday, sent to him by counsel for Steris Corporation, which makes sterilization and other medical equipment.
“It has come to my attention that you have been reproducing certain installation and maintenance manuals relating to our products, documentation which is protected by copyright law,” the letter said. The letter then went on to tell Wiens to remove all Steris copyrighted material from the iFixit website within 10 days of the letter.
As Motherboard reported in March, major manufacturers of medical devices have long made it difficult for their devices to be repaired through third party repair professionals. Manufacturers have often lobbied against right to repair legislation and many medical devices are controlled by artificial “software locks” that allow only those with authorization to make modifications.
As reported by VICE News last week, a repair technician contracted to repair ventilators for hospitals preparing for COVID-19 said he has struggled to get repair parts or manuals from manufacturers when he has made requests to them.
“I’m disappointed that Steris is resorting to legal threats to stop hospitals from having access to information about how to maintain critical sterilization equipment during a pandemic,” Wiens told Motherboard in an email.
Wiens said he got the idea to post service manuals for medical equipment on iFixit when he began seeing stories about ventilator shortages in Italy. When he saw how some people were using 3-D printers to create ventilator replacement valves, he said he was inspired to create the database of medical equipment guides as a way to help.
“No manufacturer should be stopping hospitals from repairing their equipment,” Wiens said. “The best way to ensure patient safety is to make sure that equipment is being maintained regularly using the manufacturer’s recommended procedures. The only way to do that is if hospitals have up to date manuals.”
With regards to the letter sent by Steris, Wiens said iFixit has not removed any material from its website.
“We explained to Steris that what we did is a lawful and protected fair use under the U.S. Copyright act,” Wiens said.
“iFixit is protected by Section 512 of the Digital Millennium Copyright Act, which allows online platforms to host content contributed by users provided they comply with the Act’s requirements, which iFixit does,” a letter to Steris from the Electronic Frontier Foundation on behalf of iFixit said.
European Union officials are preparing to bring antitrust charges against Amazon for abusing its dominance in internet commerce to box out smaller rivals, according to people with knowledge of the case.
Nearly two years in the making, the case is one of the most aggressive attempts by a government to crimp the power of the e-commerce giant, which has largely sidestepped regulation throughout its 26-year history.
The European Union regulators, who already have a reputation as the world’s most aggressive watchdogs of the technology industry, have determined that Amazon is stifling competition by unfairly using data collected from third-party merchants to boost its own product offerings, said the people, who spoke on the condition of anonymity because the deliberations were private.
The case against Amazon is part of a broader attempt in the United States and Europe to probe the business practices of the world’s largest technology companies, as authorities on both sides of the Atlantic see what they believe is a worrying concentration of power in the digital economy.
Margrethe Vestager, the European Commissioner who leads antitrust enforcement and digital policy, is also examining practices by Apple and Facebook. In Washington, the Justice Department, Federal Trade Commission and Congress are targeting Amazon, Apple, Facebook and Google.
William Kovacic, a law professor at George Washington University, said the tech industry was facing a “striking critical mass” of attention from governments around the world, including Australia, Brazil and India. He said that regulators in Brussels and Washington may deploy so-called interim measures against the companies, a rarely used tool that could force Amazon and other large tech platforms to halt certain practices while a case is litigated.
[…]
The case stems from Amazon’s treatment of third-party merchants who rely on its website to reach customers. Investigators have focused on Amazon’s dual role as both the owner of its online store and a seller of goods that compete with other sellers, creating a conflict of interest.
Authorities in Europe have concluded that Amazon abuses its position to give its own products preferential treatment. European officials have spent the past year interviewing merchants and others who depend on Amazon to better understand how it collects data to use to its advantage, including agreements that require them to share certain data with Amazon as a condition of selling goods on the platform.
Many merchants have complained that if they have a product that is selling well on Amazon, the company will then introduce its own product at a lower price, or give it more prominent placement on the website.
Back in March, the Internet Archive launched its National Emergency Library, a program that made roughly 1.4 million books available to the public without the usual waitlists. But on Wednesday, the organization announced it was ending the program two weeks early after four major publishers decided to sue Internet Archive for copyright infringement.
Internet Archive explained in a blog post that after June 16, it would revert to a controlled digital lending model, in which libraries lend patrons digitized copies of a physical book one at a time. “We moved up our schedule because, last Monday, four commercial publishers chose to sue Internet Archive during a global pandemic,” the non-profit said. “However, this lawsuit is not just about the temporary National Emergency Library. The complaint attacks the concept of any library owning and lending digital books, challenging the very idea of what a library is in the digital world.”
By eliminating waitlists, the National Emergency Library program effectively upended how publishers have thus far controlled how libraries distribute ebooks. Under the usual system, publishers sell two-year licenses that cost several times more than what you’d pay if you just bought the book outright. Internet Archive’s program basically made it so any number of people could temporarily download a single ebook an infinite number of times between March 24 and June 30, the original end date for the program.
In their complaint, Hachette, HarperCollins, Penguin Random House, and John Wiley & Sons allege that in addition to violating copyrights, Internet Archive’s free ebook program “grossly exceed legitimate library services” and “constitute willful digital piracy on an industrial scale.”
Before blasting Internet Archive for capitulating, consider that this lawsuit has the ability to tank the organization—probably best known for its Wayback Machine web archiving tool—for good. Publishers could claim up to $150,000 in damages per title. When you multiply that by the 1.4 million works Internet Archive put up for free, the final number could be astronomical, and well beyond the nonprofit’s ability to pay. A win for publishers would put Internet Archive’s other projects at risk.
It appears that publishers aren’t just after Internet Archive’s temporary free ebook initiative. The complaint also contends that controlled digital lending is an “invented theory” and that its rules “have been concocted from whole cloth and continue to get worse.” It also contends that Internet Archive’s “one-to-one conflation of print and ebooks is fundamentally flawed.” Controlled digital lending, however, isn’t unique to Internet Archive. It’s a framework that’s been supported by several libraries over the years, including many university libraries like UC Berkeley Library. Publishers winning this lawsuit may potentially also put the kibosh on the entire controlled digital lending model.
It’s clear that Internet Archive’s decision was intended to appease publishers into dropping the suit. According to Internet Archive, some academic publishers who were initially displeased with the National Emergency Library eventually came around. That said, it’s unclear whether commercial publishers would do the same, as they have everything to gain by strengthening their hold over ebook copyrights.
Fed up with the DRM in a General Electric refrigerator that pushed the owner to buy expensive manufacturer-approved replacement water filters, an anonymous hacker went to the trouble of buying a domain name and setting up a website at gefiltergate.com to pen a screed about appliance digital rights restriction management (DRM) and how to bypass it.
The fridge in question required a GE RPWFE refrigerator water filter. It has an RFID chip, which the fridge uses to verify the authenticity of the part. The RPWFE filter costs much more than unapproved filters: about $50 compared to $13.
“Some ******* at GE thought it would be a good idea to include a ******* RFID DRM module in select refrigerators,” the unidentified individual wrote, without using the asterisks we’ve included because online profanity filters are awful.
The Register contacted GE to ask about this, and the American giant’s corporate communications director promptly replied that GE sold its appliance unit to China-based Haier in 2016, which continues to use its brand. Haier did not immediately respond to our inquiry.
The gefiltergate.com website, borrowing from a similar post on another website back in May, explains how to hack your Haier GE-brand fridge by affixing an RFID tag – stripped from a component for bypassing the water filter system – to the RFID sensor.
The GE website suggests that a water filter is a good idea to avoid exposure to unfiltered water and sediment, inadvertently offering a sad commentary on public water infrastructure and government funding priorities. It recommends its RFID water filter because the chip chats with the fridge to report leaks, and will shut off the water supply if a leak is detected.
But the appliance doesn’t require the RFID filter; fridge owners can use the bypass plug, and still get unfiltered water.
“Non-GE filters and counterfeit filters without this technology will not perform the same way in the event of a water leak,” the company’s website explains. “The refrigerator has the option to use a bypass plug should you not want to use a genuine GE Appliances water filter.”
That makes it sound as if fridge owners can use water filters from another vendor but that’s not the case – the bypass plug is just to silence the fridge display screen warnings coming from the filtration system’s RFID sensor. “The ID chip on the filter detects when a wrong or non-genuine GE Appliance part is used,” the GE Appliances website states. “If this happens, the dispenser will not work and the display may read ‘Leak Detected.'”
Hence the need to hack the fridge, which is something product owners evidently have been doing for years. The Amazon.com webpage for the bypass plug contains a string of user reviews indicating that customers only purchased the thing for its RFID chip. And complaints abound on discussion site Reddit.
In a phone interview with The Register, Gay Gordon-Byrne, executive director of The Repair Association, said product hacking of this sort is entirely legal, in America at least. The US Copyright Office, she said, included software-enabled appliance repair in its 2018 rulemaking [PDF], and patents are not an issue in this case. And the Magnuson-Moss Warranty Act guarantees that consumers can use parts not from the original manufacturer.
Asked whether such practices generate enough ill-will to make them unprofitable, Gordon-Byrne said they can, pointing to Keurig’s problems selling coffee makers with digital locks, but added that people have to be aware of the problem.
“It generates some ill will but not enough to offset the value of controlling the whole parts market,” she said. “But it’s a stupid, stupid thing to do. There’s no reason to do this.”
Right-to-repair legislation, which aims to ensure consumers have a legal right to repair products where product makers or laws deny that possibility, was being considered in about 20 US states last year. However, Gordon-Byrne said that progress has stalled due to the coronavirus outbreak. She expects repair bills will have to be reintroduced in January next year.
Current US Copyright Office exemptions, she said, should be renewed for 2021 and she expects to lobby for new exemptions for product categories where repairs that require breaking digital locks are still not allowed, like boats, medical equipment, and game consoles.
In an utterly heartless move, the Trump administration on Friday eliminated health care protections for transgender people during an ongoing global pandemic that has claimed more lives in the U.S. than in any other country.
It did this by finalizing a rule under Section 1557 of the Affordable Care Act (ACA), which prohibits health programs or activities from discriminating on the basis of race, color, national origin, sex, age, or disability. The Trump administration rule—announced on the fourth anniversary of the Pulse nightclub shooting and in the middle of Pride month—changes the definition of sex discrimination, eliminating protections due to gender identity, and considers the word “sex” to refer to “male or female and as determined by biology.”
[…]
The nondiscrimination provisions were established by the Obama administration in 2016. That year, the Obama administration issued a rule to implement Section 1557 that redefined sex discrimination to include gender identity, which it defined as, “an individual’s internal sense of gender, which may be male, female, neither, or a combination of male and female, and which may be different from an individual’s sex assigned at birth.”
Under the new rule, a transgender person could be refused care for a checkup at a doctor’s office, according to NPR. Other possible scenarios include a transgender man being denied treatment for ovarian cancer, or a hysterectomy not being covered by an insurer. Some experts say that the rule opens the door for medical providers to refuse to test someone for covid-19, the disease caused by the novel coronavirus, simply because they’re transgender.
When it comes to health insurance and health care, transgender people are vulnerable to being treated negatively by their insurance and health care providers. According to the 2015 U.S. Transgender Survey carried out by the National Center for Transgender Equality, transgender people have been denied coverage for care related to their gender transition, for routine care because they were transgender, or for transition-related surgery.
The survey found that 23 percent of respondents reported not going to see a doctor when they needed to because of fear of being mistreated as a transgender person. Of those who did go see a healthcare provider, 33 percent reported that they had had at least one negative experience related to being transgender, such as being refused treatment, verbally harassed, or physically or sexually assaulted, among other horrible experiences.
So Trump is following in the illustrious footsteps of Hungary, whose president immediately used the emergency dictatorial powers bestowed upon him due to Covid to change the “sex” category in official documents like birth certificates to “sex at birth,” which can never be changed.
The stance seems to be: If minister Grapperhaus tells a webhost to remove content, they should do it without the court system intervening.
As soon as they invoke kiddie porn you know that something totalitarian is being justified. Because once that is allowed, then they expand the powers to all content. And nobody can be seen to be against fighting kiddie porn, right?
The real Space Force may be going down in flames against the fictional Space Force: According to the Hollywood Reporter, the newly founded military branch appears to be losing a trademark battle with the Netflix comedy show of the same name.
Netflix “has outmaneuvered the U.S. government to secure trademark rights to ‘Space Force’ in Europe, Australia, Mexico and elsewhere,” according to the Reporter, while the Air Force—under which the Space Force is organized—simply has a pending application stateside. This mostly has ramifications for merch. Consumers won’t have trouble discerning between the military branch and Space Force when it comes to which one stars Steve Carell, but they might not be able to tell who is selling a line of Space Force shirts.
The U.S. Patent and Trademark Office relies on a “first-to-use” system when assigning rights, and Netflix has been submitting trademark applications for the Space Force across the globe since the start of 2019. On the other hand, the Air Force filed a trademark application on the basis of intent to use in March 2019, per Law & Crime, and the Space Force didn’t become an actual organization until December 2019. If it comes down to a legal battle, that means Netflix may be able to easily demonstrate it was actually using the Space Force branding first. (Even if Netflix lost the case, it would have a First Amendment right to continue selling Space Force merch on the grounds of satire and parody.)
If you’re a free Zoom user, and waiting for the company to roll out end-to-end encryption for better protection of your calls, you’re out of luck. Free calls won’t be encrypted, and law enforcement will be able to access your information in case of ‘misuse’ of the platform.
Zoom CEO Eric Yuan today said that the video conferencing app’s upcoming end-to-end encryption feature will be available to only paid users. After announcing the company’s financial results for Q1 2020, Yuan said the firm wants to keep this feature away from free users to work with law enforcement in case of the app’s misuse:
Free users, for sure, we don’t want to give that [end-to-end encryption]. Because we also want to work it together with FBI and local law enforcement, in case some people use Zoom for bad purpose.
In the past, platforms with end-to-end encryption, such as WhatsApp, have faced heavy scrutiny in many countries because they were unable to trace the origins of problematic and misleading messages. Zoom likely wants to avoid being in such a position, and wants to comply with local laws to keep operating across the globe.
Alex Stamos, working as a security consultant with Zoom, said it wants to catch repeat offenders for hate speech or child exploitative content by not offering end-to-end encryption to free users.
Zoom is dealing with some serious safety issues. When people disrupt meetings (sometimes with hate speech, CSAM, exposure to children and other illegal behaviors) that can be reported by the host. Zoom is working with law enforcement on the worst repeat offenders.
In March, The Intercept published a report stating that the company doesn’t use end-to-end encryption, despite claiming that on its website and security white paper. Later, Zoom apologized and issued a clarification to specify it didn’t provide the feature at that time.
Last month, the company acquired Keybase.io, an encryption-based identity service, to build its end-to-end encryption offering. Yuan said today that the company got a lot of feedback from users on encryption, and it’s working on executing it. However, he didn’t specify a release date for the feature.
According to the Q1 2020 results, the company grew 169% year-on-year in terms of revenue. Zoom has more than 300 million daily participants attending meetings through the platform.
The GSM Association, the body that represents mobile carriers and influences the development of standards, has suggested its members bake virus contact-tracing functionality into their own bundled software.
The body today popped out a paper [PDF] on contact-tracing apps. After some unremarkable observations about the need for and operations of such apps, plus an explanation of the centralised vs. decentralised data storage debate, the paper offers members a section titled: “How the mobile industry can help.”
That section suggests carriers could help to improve the reach of and disseminate such apps with the following three tactics:
Integrate software into own apps (e.g. customer self-care app), if this is part of the national strategy
Pre-install on devices
Communicate to / educate subscribers
The first item may prove unworkable given Google and Apple have indicated they’ll only register coronavirus-related apps if they’re developed by governments and their health agencies. The two tech giants have also said they’ll only allow one app per jurisdiction to use their pro-privacy COVID-19 contact-tracing interface. The second suggestion also has potential pitfalls as contact-tracing apps are generally opt-in affairs. Carriers would need to be sensitive about how they are installed and the user experience offered if the apps ask for registration.
In one fell swoop, Facebook may have changed its mind about how the online news media will operate from here on out. Undermining a now age-old assumption, Facebook told Ars Technica on Thursday that embedding from Instagram may not shield news organizations from freely cross-posting on their sites. A spokesperson said:
While our terms allow us to grant a sub-license, we do not grant one for our embeds API. Our platform policies require third parties to have the necessary rights from applicable rights holders.
The dry statement could mean upheaval for online publishing, implying that a news organization (or anyone running a for-profit site) would have to obtain a license for an Instagram post directly from the poster before they can embed it. Some will worry that it bodes a future in which publications retroactively strike every Instagram embed from their archives in order to avoid lawsuits.
On one hand, it’s good news for professional photographers and artists who would otherwise be paid for the use of their work embedded on a personal website. Photographers like the ones who separately sued Mashable and Newsweek for embedding their Instagram posts, both after they explicitly declined to license the images to the respective publications. On the other hand, this might be the last gasp for Instagram commentary, the bread of the news, the spice of the tea blogs.