Even by Amazon standards, this is extraordinarily sleazy: starting March 28, each Amazon Echo device will cease processing audio on-device and instead upload all the audio it captures to Amazon’s cloud for processing, even if you have previously opted out of cloud-based processing:

https://arstechnica.com/gadgets/2025/03/everything-you-say-to-your-echo-will-be-sent-to-amazon-starting-on-march-28/

It’s easy to flap your hands at this bit of thievery and say, “surveillance capitalists gonna surveillance capitalism,” which would confine this fuckery to the realm of ideology (that is, “Amazon is ripping you off because they have bad ideas”). But that would be wrong. What’s going on here is a material phenomenon, grounded in specific policy choices and by unpacking the material basis for this absolutely unforgivable move, we can understand how we got here – and where we should go next.

Start with Amazon’s excuse for destroying your privacy: they want to do AI processing on the audio Alexa captures, and that is too computationally intensive for on-device processing. But that only raises another question: why does Amazon want to do this AI processing, even for customers who are happy with their Echo as-is, at the risk of infuriating and alienating millions of customers?

For Big Tech companies, AI is part of a “growth story” – a narrative about how these companies that have already saturated their markets will still continue to grow.

[…]

every growth stock eventually stops growing. For Amazon to double its US Prime subscriber base, it will have to establish a breeding program to produce tens of millions of new Americans, raising them to maturity, getting them gainful employment, and then getting them to sign up for Prime. Almost by definition, a dominant firm ceases to be a growing firm, and lives with the constant threat of a stock revaluation as investors belief in future growth crumbles and they punch the “sell” button, hoping to liquidate their now-overvalued stock ahead of everyone else.

[…]

The hype around AI serves an important material need for tech companies. By lumping an incoherent set of poorly understood technologies together into a hot buzzword, tech companies can bamboozle investors into thinking that there’s plenty of growth in their future.

[…]

let’s look at the technical dimension of this rug-pull.

How is it possible for Amazon to modify your Echo after you bought it? After all, you own your Echo. It is your property. Every first year law student learns this 18th century definition of property, from Sir William Blackstone:

That sole and despotic dominion which one man claims and exercises over the external things of the world, in total exclusion of the right of any other individual in the universe.

If the Echo is your property, how come Amazon gets to break it? Because we passed a law that lets them. Section 1201 of 1998’s Digital Millennium Copyright Act makes it a felony to “bypass an access control” for a copyrighted work:

https://pluralistic.net/2024/05/24/record-scratch/#autoenshittification

That means that once Amazon reaches over the air to stir up the guts of your Echo, no one is allowed to give you a tool that will let you get inside your Echo and change the software back. Sure, it’s your property, but exercising sole and despotic dominion over it requires breaking the digital lock that controls access to the firmware, and that’s a felony punishable by a five-year prison sentence and a $500,000 fine for a first offense.

[…]

Giving a manufacturer the power to downgrade a device after you’ve bought it, in a way you can’t roll back or defend against is an invitation to run the playbook of the Darth Vader MBA, in which the manufacturer replies to your outraged squawks with “I am altering the deal. Pray I don’t alter it any further”

[…]

Amazon says that the recordings your Echo will send to its data-centers will be deleted as soon as it’s been processed by the AI servers. Amazon’s made these claims before, and they were lies. Amazon eventually had to admit that its employees and a menagerie of overseas contractors were secretly given millions of recordings to listen to and make notes on:

https://archive.is/TD90k

And sometimes, Amazon just sent these recordings to random people on the internet:

https://www.washingtonpost.com/technology/2018/12/20/amazon-alexa-user-receives-audio-recordings-stranger-through-human-error/

Fool me once, etc. I will bet you a testicle* that Amazon will eventually have to admit that the recordings it harvests to feed its AI are also being retained and listened to by employees, contractors, and, possibly, randos on the internet.

*Not one of mine

Source: Pluralistic: Amazon annihilates Alexa privacy settings, turns on continuous, nonconsensual audio uploading (15 Mar 2025) – Pluralistic: Daily links from Cory Doctorow

process called Android System SafetyCore – which arrived in a recent update for devices running Android 9 and later. It scans a user’s photo library for explicit images and displays content warnings before viewing them. Google says “the classification of content runs exclusively on your device and the results aren’t shared with Google.”

Naturally, it will also bring similar tech to Google Messages down the line to prevent certain unsolicited images from affecting a receiver.

Google started installing SafetyCore on user devices in November 2024, and there’s no way of opting out or managing the installation. One day, it’s just there.

Users have vented their frustrations about SafetyCore ever since and despite being able to uninstall and opt out of image scanning, the consent-less approach that runs throughout Android nevertheless left some users upset. It can be uninstalled on Android forks like Xiaomi’s MIUI using Settings>Apps>Android System SafetyCore>Uninstall or on Android using Apps/Apps & Notifications>Show System Apps>Show system apps>Locate SafetyCore>Uninstall or Disable. Reviewers report that in some cases the uninstall option is grayed out, and it can only be disabled, while others complain that it reinstalls on the next update.

The app’s Google Play page is littered with negative reviews, many of which cite its installation without consent.

“In short, it is spyware. We were not informed. It feels like the right to privacy is secondary to Google’s corporate interests,” one reviewer wrote.

Source: Google’s ‘consent-less’ Android tracking probed by academics • The Register

Research from a leading academic shows Android users have advertising cookies and other gizmos working to build profiles on them even before they open their first app.

Doug Leith, professor and chair of computer systems at Trinity College Dublin, who carried out the research, claims in his write up that no consent is sought for the various identifiers and there is no way of opting out from having them run.

He found various mechanisms operating on the Android system which were then relaying the data back to Google via pre-installed apps such as Google Play Services and the Google Play store, all without users ever opening a Google app.

One of these is the “DSID” cookie, which Google explains in its documentation is used to identify a “signed in user on non-Google websites so that the user’s preference for personalized advertising is respected accordingly.” The “DSID” cookie lasts for two weeks.

Speaking about Google’s description in its documentation, Leith’s research states the explanation was still “rather vague and not as helpful as it might be,” and the main issue is that there’s no consent sought from Google before dropping the cookie and there’s no opt-out feature either.

Leith says the DSID advertising cookie is created shortly after the user logs into their Google account – part of the Android startup process – with a tracking file linked to that account placed into the Google Play Service’s app data folder.

This DSID cookie is “almost certainly” the primary method Google uses to link analytics and advertising events, such as ad clicks, to individual users, Leith writes in his paper [PDF].

Another tracker which cannot be removed once created is the Google Android ID, a device identifier that’s linked to a user’s Google account and created after the first connection made to the device by Google Play Services.

It continues to send data about the device back to Google even after the user logs out of their Google account and the only way to remove it, and its data, is to factory-reset the device.

Leith said he wasn’t able to ascertain the purpose of the identifier but his paper notes a code comment, presumably made by a Google dev, acknowledging that this identifier is considered personally identifiable information (PII), likely bringing it into the scope of European privacy law GDPR – still mostly intact in British law as UK GDPR.

The paper details the various other trackers and identifiers dropped by Google onto Android devices, all without user consent and according to Leith, in many cases it presents possible violations of data protection law.

Leith approached Google for a response before publishing his findings, which he delayed allowing time for a dialogue.

[…]

The findings come amid something of a recent uproar about another process called Android System SafetyCore – which arrived in a recent update for devices running Android 9 and later. It scans a user’s photo library for explicit images and displays content warnings before viewing them. Google says “the classification of content runs exclusively on your device and the results aren’t shared with Google.”

Naturally, it will also bring similar tech to Google Messages down the line to prevent certain unsolicited images from affecting a receiver.

Google started installing SafetyCore on user devices in November 2024, and there’s no way of opting out or managing the installation. One day, it’s just there.

Users have vented their frustrations about SafetyCore ever since and despite being able to uninstall and opt out of image scanning, the consent-less approach that runs throughout Android nevertheless left some users upset. It can be uninstalled on Android forks like Xiaomi’s MIUI using Settings>Apps>Android System SafetyCore>Uninstall or on Android using Apps/Apps & Notifications>Show System Apps>Show system apps>Locate SafetyCore>Uninstall or Disable. Reviewers report that in some cases the uninstall option is grayed out, and it can only be disabled, while others complain that it reinstalls on the next update.

The app’s Google Play page is littered with negative reviews, many of which cite its installation without consent.

“In short, it is spyware. We were not informed. It feels like the right to privacy is secondary to Google’s corporate interests,” one reviewer wrote.

Source: Google’s ‘consent-less’ Android tracking probed by academics • The Register

On Wednesday we shared that we’re introducing a new Terms of Use (TOU) and Privacy Notice for Firefox. Since then, we’ve been listening to some of our community’s concerns with parts of the TOU, specifically about licensing. Our intent was just to be as clear as possible about how we make Firefox work, but in doing so we also created some confusion and concern. With that in mind, we’re updating the language to more clearly reflect the limited scope of how Mozilla interacts with user data.

Here’s what the new language will say:

You give Mozilla the rights necessary to operate Firefox. This includes processing your data as we describe in the Firefox Privacy Notice. It also includes a nonexclusive, royalty-free, worldwide license for the purpose of doing as you request with the content you input in Firefox. This does not give Mozilla any ownership in that content. 

In addition, we’ve removed the reference to the Acceptable Use Policy because it seems to be causing more confusion than clarity.

Privacy FAQ

We also updated our Privacy FAQ to better address legal minutia around terms like “sells.” While we’re not reverting the FAQ, we want to provide more detail about why we made the change in the first place.

TL;DR Mozilla doesn’t sell data about you (in the way that most people think about “selling data”), and we don’t buy data about you. We changed our language because some jurisdictions define “sell” more broadly than most people would usually understand that word. Firefox has built-in privacy and security features, plus options that let you fine-tune your data settings.

 

---

 

The reason we’ve stepped away from making blanket claims that “We never sell your data” is because, in some places, the LEGAL definition of “sale of data” is broad and evolving. As an example, the California Consumer Privacy Act (CCPA) defines “sale” as the “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by [a] business to another business or a third party” in exchange for “monetary” or “other valuable consideration.”

[…]

Source: An update on our Terms of Use

So this legal definition rhymes with what I would expect “sell” to mean. Don’t transfer my data to a third party – even better, don’t collect my data at all.

It’s a shame, as Firefox is my preferred browser, it’s not based on Google’s browser. So I am looking at the Zen browser and the Floorp browser now.

A coalition of labor organizations representing federal workers and retirees has sued the Department of the Treasury to block it from giving the newly created Department of Government Efficiency, controlled by Elon Musk, access to the federal government’s sensitive payment systems.

After forcing out a security official who opposed the move, Treasury Secretary Scott Bessent granted DOGE workers access to the system last week, according to The New York Times. Despite its name, DOGE is not a government department but rather an ad-hoc group formed by President Trump purportedly tasked with cutting government spending.

The labor organizations behind the lawsuit filed Monday argue that Bessent broke federal privacy and tax confidentiality laws by giving unauthorized DOGE workers, including people like Musk who are not government employees, the ability to view the private information of anyone who pays taxes or receives money from federal agencies.

With access to the Treasury systems, DOGE representatives can potentially view the names, social security numbers, birth dates, mailing addresses, email addresses, and bank information of tens of millions of people who receive tax refunds, social security and disability payments, veterans benefits, or salaries from the federal government, according to the lawsuit.

“The scale of the intrusion into individuals’ privacy is massive and unprecedented,” according to the complaint filed by the Alliance for Retired Americans, the American Federation of Government Employees, and the Service Employees International Union.

[…]

In their lawsuit, the labor organizations argue that federal law prohibits the disclosure of taxpayer information to anyone except Treasury employees who require it for their official duties unless the disclosure is authorized by a specific law, which DOGE’s access to the system is not. DOGE’s access also violates the Privacy Act of 1974, which prohibits disclosure of personal information to unauthorized people and lays out strict procedures for changing those authorizations, which the Trump administration has not followed, according to the suit.

The plaintiffs have asked the Washington, D.C. district court to grant an injunction preventing unauthorized people from accessing the payment systems and to rule the Treasury’s actions unlawful.

Source: Unions Sue to Block Elon Musk’s Access to Americans’ Tax and Benefits Records

[…] While trying to fend off attacks on Section 215 collections (most of which are governed [in the loosest sense of the word] by the Third Party Doctrine), the NSA and its domestic-facing remora, the FBI, insisted collecting and storing massive amounts of phone metadata was no more a constitutional violation than it was a privacy violation.

Suddenly — thanks to the ongoing, massive compromising of major US telecom firms by Chinese state-sanctioned hackers — the FBI is getting hot and bothered about the bulk collection of its own phone metadata by (gasp!) a government agency. (h/t Kevin Collier on Bluesky)

FBI leaders have warned that they believe hackers who broke into AT&T Inc.’s system last year stole months of their agents’ call and text logs, setting off a race within the bureau to protect the identities of confidential informants, a document reviewed by Bloomberg News shows.

[…]

The data was believed to include agents’ mobile phone numbers and the numbers with which they called and texted, the document shows. Records for calls and texts that weren’t on the AT&T network, such as through encrypted messaging apps, weren’t part of the stolen data.

The agency (quite correctly!) believes the metadata could be used to identify agents, as well as their contacts and confidential sources. Of course it can.

[…]

The issue, of course, is that the Intelligence Community consistently downplayed this exact aspect of the bulk collection, claiming it was no more intrusive than scanning every piece of domestic mail (!) or harvesting millions of credit card records just because the Fourth Amendment (as interpreted by the Supreme Court) doesn’t say the government can’t.

There are real risks to real people who are affected by hacks like these. The same thing applies when the US government does it. It’s not just a bunch of data that’s mostly useless. Harvesting metadata in bulk allows the US government to do the same thing Chinese hackers are doing with it: identifying individuals, sussing out their personal networks, and building from that to turn numbers into adversarial actions — whether it’s the arrest of suspected terrorists or the further compromising of US government agents by hostile foreign forces.

The takeaway isn’t the inherent irony. It’s that the FBI and NSA spent years pretending the fears expressed by activists and legislators were overblown. Officials repeatedly claimed the information was of almost zero utility, despite mounting several efforts to protect this collection from being shut down by the federal government. In the end, the phone metadata program (at least as it applies to landlines) was terminated. But there’s more than a hint of egregious hypocrisy in the FBI’s sudden concern about how much can be revealed by “just” metadata.

Source: Phone Metadata Suddenly Not So ‘Harmless’ When It’s The FBI’s Data Being Harvested | Techdirt

Google is tracking your online behavior in the name of advertising, reintroducing a data collection process that ingests all of your online signals (from IP address to complex browser information) and pinpoints unique users or devices, also known as “digital fingerprinting.”

The company’s updated platform program policies include relaxed restrictions on advertisers and personalized ad targeting across a range of devices, an outcome of a larger “advertising ecosystem shift” and the advancement of privacy-enhancing technologies (PETs) like on-device processing and trusted execution environments, in the words of the company.

A departure from its longstanding pledge to user choice and privacy, Google argues these technologies offer enough protection for users while also creating “new ways for brands to manage and activate their data safely and securely.” The new feature will be available to advertisers beginning Feb. 16, 2025.

[…]

Contrary to other data collection tools like cookies, digital fingerprinting is difficult to spot, and thus even harder for even privacy-conscious users to erase or block. On Dec. 19, the UK’s Information Commissioner’s Office (ICO) — a data protection and privacy regulator — labeled Google “irresponsible” for the policy change, saying the shift to fingerprinting is an unfair means of tracking users, reducing choice and control over their personal information. The watchdog also warned that the move could encourage riskier advertiser behavior.

“Google itself has previously said that fingerprinting does not meet users’ expectations for privacy, as users cannot easily consent to it as they would cookies. This in turn means they cannot control how their information is collected. To quote Google’s own position on fingerprinting from 2019: ‘We think this subverts user choice and is wrong,'” wrote ICO executive director of regulatory risk Stephen Almond.

The ICO warned that it will intervene if Google cannot demonstrate existing legal requirements for such tech, including options to secure freely-given consent, ensure fair processing, and uphold the right to erasure: “Businesses should not consider fingerprinting a simple solution to the loss of third-party cookies and other cross-site tracking signals.”

Source: Google brings back digital fingerprinting to track users for advertising | Mashable

A federal judge this week rejected Google’s motion to throw out a class-action lawsuit alleging that it invaded the privacy of users who opted out of functionality that records a users’ web and app activities. A jury trial is scheduled for August 2025 in US District Court in San Francisco.

The lawsuit concerns Google’s Web & App Activity (WAA) settings, with the lead plaintiff representing two subclasses of people with Android and non-Android phones who opted out of tracking. “The WAA button is a Google account setting that purports to give users privacy control of Google’s data logging of the user’s web app and activity, such as a user’s searches and activity from other Google services, information associated with the user’s activity, and information about the user’s location and device,” wrote US District Judge Richard Seeborg, the chief judge in the Northern District Of California.

Google says that Web & App Activity “saves your activity on Google sites and apps, including associated info like location, to give you faster searches, better recommendations, and more personalized experiences in Maps, Search, and other Google services.” Google also has a supplemental Web App and Activity setting that the judge’s ruling refers to as “(s)WAA.”

“The (s)WAA button, which can only be switched on if WAA is also switched on, governs information regarding a user’s ‘[Google] Chrome history and activity from sites, apps, and devices that use Google services.’ Disabling WAA also disables the (s)WAA button,” Seeborg wrote.

Google sends data to developers

But data is still sent to third-party app developers through the Google Analytics for Firebase (GA4F), “a free analytical tool that takes user data from the Firebase kit and provides app developers with insight on app usage and user engagement,” the ruling said. GA4F “is integrated in 60 percent of the top apps” and “works by automatically sending to Google a user’s ad interactions and certain identifiers regardless of a user’s (s)WAA settings, and Google will, in turn, provide analysis of that data back to the app developer.”

Plaintiffs have brought claims of privacy invasion under California law. Plaintiffs “present evidence that their data has economic value,” and “a reasonable juror could find that Plaintiffs suffered damage or loss because Google profited from the misappropriation of their data,” Seeborg wrote.

[…]

In a proposed settlement of a different lawsuit, Google last year agreed to delete records reflecting users’ private browsing activities in Chrome’s Incognito mode.

[…]

Google contends that its system is harmless to users. “Google argues that its sole purpose for collecting (s)WAA-off data is to provide these analytic services to app developers. This data, per Google, consists only of non-personally identifiable information and is unrelated (or, at least, not directly related) to any profit-making objectives,” Seeborg wrote.

On the other side, plaintiffs say that Google’s tracking contradicts its “representations to users because it gathers exactly the data Google denies saving and collecting about (s)WAA-off users,” Seeborg wrote. “Moreover, Plaintiffs insist that Google’s practices allow it to personalize ads by linking user ad interactions to any later related behavior—information advertisers are likely to find valuable—leading to Google’s lucrative advertising enterprise built, in part, on (s)WAA-off data unlawfully retrieved.”

[…]

Google, as the judge writes, purports to treat user data as pseudonymous by creating a randomly generated identifier that “permits Google to recognize the particular device and its later ad-related behavior… Google insists that it has created technical barriers to ensure, for (s)WAA-off users, that pseudonymous data is delinked to a user’s identity by first performing a ‘consent check’ to determine a user’s (s)WAA settings.”

Whether this counts as personal information under the law is a question for a jury, the judge wrote. Seeborg pointed to California law that defines personal information to include data that “is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” Given the legal definition, “a reasonable juror could view the (s)WAA-off data Google collected via GA4F, including a user’s unique device identifiers, as comprising a user’s personal information,” he wrote.

[…]

Source: Google loses in court, faces trial for collecting data on users who opted out – Ars Technica

The advent of Bluetooth trackers has made it a lot easier to find your bag or keys when they’re lost, but it has also put inconspicuous tracking tools in the hands of people who might misuse them. Apple and Google have both implemented tracker alerts to let you know if there’s an unknown Bluetooth tracker nearby, and now as part of a new update, Google is letting Android users actually locate those trackers, too.

The feature is one of two new tools Google is adding to Find My Device-compatible trackers. The first, “Temporarily Pause Location” is what you’re supposed to enable when you first receive an unknown tracker notification. It blocks your phone from updating its location with trackers for 24 hours. The second, “Find Nearby,” helps you pinpoint where the tracker is if you can’t see it or easily hear it.

By clicking on an unknown tracker notification you’ll be able to see a map of where the tracker was last spotted moving with you. From there, you can play a sound to see if you can locate it (Google says the owner won’t be notified). If you can’t find it, Find Nearby will connect your phone to the tracker over Bluetooth and display a shape that fills in the closer you get to it.

The tool is identical to what Google offers for locating trackers and devices you actually own, but importantly, you don’t need to use Find My Device or have your own tracker to benefit. Like Google’s original notifications feature, any device running Android 6.0 and up can deal with unknown Bluetooth trackers safely.

Expanding Find Nearby seems like the final step Google needed to take to tamp down Bluetooth tracker misuse, something Apple already does with its Precision Finding tool for AirTags. The companies released a shared standard for spotting unknown Bluetooth trackers regardless of whether you use Android or iOS in May 2024, following the launch of Google’s Find My Device network in April. Both Google and Apple offered their own methods of dealing with unknown trackers before then to prevent trackers from being used for everything from robbery to stalking.

Source: Android will let you find unknown Bluetooth trackers instead of just warning you about them

Singapore’s Land Transport Authority (LTA) estimated last week that by tracking all vehicles with GPS it will be able to increase road capacity by 20,000 over the next few years.

The densely populated island state is moving from what it calls Electric Road Pricing (ERP) 1.0 to ERP 2.0. The first version used gantries – or automatic tolls – to charge drivers a fee through an in-car device when they used specific roadways during certain hours.

ERP 2.0 sees the vehicle instead tracked through GPS, which can tell where a vehicle is at all operating times.

“ERP 2.0 will provide more comprehensive aggregated traffic information and will be able to operate without physical gantries. We will be able to introduce new ‘virtual gantries,’ which allow for more flexible and responsive congestion management,” explained the LTA.

But the island’s government doesn’t just control inflow into urban areas through toll-like charging – it also aggressively controls the total number of cars operating within its borders.

Singapore requires vehicle owners to bid for a set number of Certificates of Entitlement – costly operating permits valid for only ten years. The result is an increase of around SG$100,000 ($75,500) every ten years, depending on that year’s COE price, on top of a car’s usual price. The high total price disincentivizes mass car ownership, which helps the government manage traffic and emissions.

[…]

Source: Singapore to increase road capacity by GPS tracking vehicles • The Register

The new terms come in on November 15th.

4.3 Generative AI Safety and Abuse. Google uses automated safety tools to detect abuse of Generative AI Services. Notwithstanding the “Handling of Prompts and Generated Output” section in the Service Specific Terms, if these tools detect potential abuse or violations of Google’s AUP or Prohibited Use Policy, Google may log Customer prompts solely for the purpose of reviewing and determining whether a violation has occurred. See the Abuse Monitoring documentation page for more information about how logging prompts impacts Customer’s use of the Services.

Source: Google Cloud Platform Terms Of Service

If you’ve ever opted to rent a movie through a Redbox kiosk, your private info is out there waiting for any tinkerer to get their hands on it. One programmer who reverse-engineered a kiosk’s hard drive proved the Redbox machines can cough up transaction histories featuring customers’ names, emails, and rentals going back nearly a decade. It may even have part of your credit card number stored on-device.

[…]

a California-based programmer named Foone Turing, managed to grab an unencrypted file from the internal hard drive containing a file that showed the emails, home addresses, and the rental history for either a fraction or the whole of those who previously used the kiosk.

[…]

Turing told Lowpass that the Redbox stored some financial information on those drives, including the first six and last four digits of each credit card used and “some lower-level transaction details.” The devices did apparently connect to a secure payment system through Redbox’s servers, but the systems stored financial information on a log in a different folder than the rental records. She told us that it’s likely the system only stored the last month of transaction logs.

[…]

Source: If You Ever Rented From Redbox, Your Private Info Is Up for Grabs

Which is a great illustration why there needs to be some regulations about what happens to personal data when a company is sold or goes bust.

The US government’s General Services Administration’s (GSA) facial matching login service is now generally available to the public and other federal agencies, despite its own recent report admitting the tech is far from perfect.

The GSA announced general availability of remote identity verification (RiDV) technology through login.gov, and the service’s availability to other federal government agencies yesterday. According to the agency, the technology behind the offering is “a new independently certified” solution that complies with the National Institute of Standards and Technology’s (NIST) 800-63 identity assurance level 2 (IAL2) standard.

IAL2 identity verification involves using either remote or in-person verification of a person’s identity via biometric data along with some physical element, like an ID photograph, access to a cellphone number, for example.

“This new IAL2-compliant offering adds proven one-to-one facial matching technology that allows Login.gov to confirm that a live selfie taken by a user matches the photo on a photo ID, such as a driver’s license, provided by the user,” the GSA said.

The Administration noted that the system doesn’t use “one-to-many” face matching technology to compare users to others in its database, and doesn’t use the images for any purpose other than verifying a user’s identity.

[…]

In a report issued by the GSA’s Office of the Inspector General in early 2023, the Administration was called out for saying it implemented IAL2-level identity verification as early as 2018, but never actually supporting the requirements to meet the standard.

“GSA knowingly billed customer agencies over $10 million for services, including alleged IAL2 services that did not meet IAL2 standards,” the report claimed.

[…]

Fast forward to October of last year, and the GSA said it was embracing facial recognition tech on login.gov with plans to test it this year – a process it began in April.  Since then, however, the GSA has published pre-press findings of a study it conducted of five RiDV technologies, finding that they’re still largely unreliable.

The study anonymized the results of the five products, making it unclear which were included in the final pool or how any particular one performed. Generally, however, the report found that the best-performing product still failed 10 percent of the time, and the worst had a false negative rate of 50 percent, meaning its ability to properly match a selfie to a government ID was no better than chance.

Higher rejection rates for people with darker skin tones were also noted in one product, while another was more accurate for people of AAPI descent, but less accurate for everyone else – hardly the equitability the GSA said it wanted in an RiDV product last year.

[…]

It’s unclear what solution has been deployed for use on login.gov. The only firm we can confirm has been involved though the process is LexisNexis, which previously acknowledged to The Register that it has worked with the GSA on login.gov for some time.

That said, LexisNexis’ CEO for government risk solutions told us recently that he’s not convinced the GSA’s focus on adopting IAL2 RiDV solutions at the expense of other biometric verification methods is the best approach.

“Any time you rely on a single tool, especially in the modern era of generative AI and deep fakes … you are going to have this problem,” Haywood “Woody” Talcove told us during a phone interview last month. “I don’t think NIST has gone far enough with this workflow.”

Talcove told us that facial recognition is “pretty easy to game,” and said he wants a multi-layered approach – one that it looks like GSA has declined to pursue given how quickly it’s rolling out a solution.

“What this study shows is that there’s a level of risk being injected into government agencies completely relying on one tool,” Talcove said. “We’ve gotta go further.”

Along with asking the GSA for more details about its chosen RiDV solution, we also asked for some data about its performance. We didn’t get an answer to that question, either.

Source: Face matching now available on GSA’s login.gov • The Register

[…] The one-and-done nature of Wiles’ experience is indicative of a core business problem with the once high-flying biotech company that is now teetering on the brink of collapse. Wiles and many of 23andMe’s 15 million other customers never returned. They paid once for a saliva kit, then moved on.

Shares of 23andMe are now worth pennies. The company’s valuation has plummeted 99% from its $6 billion peak shortly after the company went public in 2021.

As 23andMe struggles for survival, customers like Wiles have one pressing question: What is the company’s plan for all the data it has collected since it was founded in 2006?

[…]

Andy Kill, a spokesperson for 23andMe, would not comment on what the company might do with its trove of genetic data beyond general pronouncements about its commitment to privacy.

[…]

When signing up for the service, about 80% of 23andMe’s customers have opted in to having their genetic data analyzed for medical research.

[…]

The company has an agreement with pharmaceutical giant GlaxoSmithKline, or GSK, that allows the drugmaker to tap the tech company’s customer data to develop new treatments for disease.

Anya Prince, a law professor at the University of Iowa’s College of Law who focuses on genetic privacy, said those worried about their sensitive DNA information may not realize just how few federal protections exist.

For instance, the Health Insurance Portability and Accountability Act, also known as HIPAA, does not apply to 23andMe since it is a company outside of the health care realm.

[…]

According to the company, all of its genetic data is anonymized, meaning there is no way for GSK, or any other third party, to connect the sample to a real person. That, however, could make it nearly impossible for a customer to renege on their decision to allow researchers to access their DNA data.

“I couldn’t go to GSK and say, ‘Hey, my sample was given to you — I want that taken out — if it was anonymized, right? Because they’re not going to re-identify it just to pull it out of the database,” Prince said.

[…]

the patchwork of state laws governing DNA data makes the generic data of millions potentially vulnerable to being sold off, or even mined by law enforcement.

“Having to rely on a private company’s terms of service or bottom line to protect that kind of information is troubling — particularly given the level of interest we’ve seen from government actors in accessing such information during criminal investigations,” Eidelman said.

She points to how investigators used a genealogy website to identify the man known as the Golden State Killer, and how police homed in on an Idaho murder suspect by turning to similar databases of genetic profiles.

“This has happened without people’s knowledge, much less their express consent,” Eidelman said.

[…]

Last year, the company was hit with a major data breach that it said affected 6.9 million customer accounts, including about 14,000 who had their passwords stolen.

[…]

Some analysts predict that 23andMe could go out of business by next year, barring a bankruptcy proceeding that could potentially restructure the company.

[…]

Source: What happens to all of 23andMe’s genetic DNA data? : NPR

For more fun reading about about this clusterfuck of a company and why giving away DNA data is a spectacularly bad idea:

At 8:22 am on December 4 last year, a car traveling down a small residential road in Alabama used its license-plate-reading cameras to take photos of vehicles it passed. One image, which does not contain a vehicle or a license plate, shows a bright red “Trump” campaign sign placed in front of someone’s garage. In the background is a banner referencing Israel, a holly wreath, and a festive inflatable snowman.

Another image taken on a different day by a different vehicle shows a “Steelworkers for Harris-Walz” sign stuck in the lawn in front of someone’s home. A construction worker, with his face unblurred, is pictured near another Harris sign. Other photos show Trump and Biden (including “Fuck Biden”) bumper stickers on the back of trucks and cars across America.

[…]

These images were generated by AI-powered cameras mounted on cars and trucks, initially designed to capture license plates, but which are now photographing political lawn signs outside private homes, individuals wearing T-shirts with text, and vehicles displaying pro-abortion bumper stickers—all while recording the precise locations of these observations.

[…]

The detailed photographs all surfaced in search results produced by the systems of DRN Data, a license-plate-recognition (LPR) company owned by Motorola Solutions. The LPR system can be used by private investigators, repossession agents, and insurance companies; a related Motorola business, called Vigilant, gives cops access to the same LPR data.

[…]

those with access to the LPR system can search for common phrases or names, such as those of politicians, and be served with photographs where the search term is present, even if it is not displayed on license plates.

[…]

“I searched for the word ‘believe,’ and that is all lawn signs. There’s things just painted on planters on the side of the road, and then someone wearing a sweatshirt that says ‘Believe.’” Weist says. “I did a search for the word ‘lost,’ and it found the flyers that people put up for lost dogs and cats.”

Beyond highlighting the far-reaching nature of LPR technology, which has collected billions of images of license plates, the research also shows how people’s personal political views and their homes can be recorded into vast databases that can be queried.

[…]

Over more than a decade, DRN has amassed more than 15 billion “vehicle sightings” across the United States, and it claims in its marketing materials that it amasses more than 250 million sightings per month.

[…]

The system is partly fueled by DRN “affiliates” who install cameras in their vehicles, such as repossession trucks, and capture license plates as they drive around. Each vehicle can have up to four cameras attached to it, capturing images in all angles. These affiliates earn monthly bonuses and can also receive free cameras and search credits.

In 2022, Weist became a certified private investigator in New York State. In doing so, she unlocked the ability to access the vast array of surveillance software accessible to PIs. Weist could access DRN’s analytics system, DRNsights, as part of a package through investigations company IRBsearch. (After Weist published an op-ed detailing her work, IRBsearch conducted an audit of her account and discontinued it.

[…]

While not linked to license plate data, one law enforcement official in Ohio recently said people should “write down” the addresses of people who display yard signs supporting Vice President Kamala Harris, the 2024 Democratic presidential nominee, exemplifying how a searchable database of citizens’ political affiliations could be abused.

[…]

In 2022, WIRED revealed that hundreds of US Immigration and Customs Enforcement employees and contractors were investigated for abusing similar databases, including LPR systems. The alleged misconduct in both reports ranged from stalking and harassment to sharing information with criminals.

[…]

 

Source: License Plate Readers Are Creating a US-Wide Database of More Than Just Cars | WIRED

The Netherlands’ government and opposition are both against the latest version of the controversial EU regulation aimed at detecting online child sexual abuse material (CSAM), according to an official position and an open letter published on Tuesday (1 October).

The regulation, aimed at detecting online CSAM, has been criticised for potentially allowing the scanning of private messages on platforms such as WhatsApp or Gmail.

However, the latest compromise text, dated 9 September, limits detection to known material, among other changes. ‘Known’ material refers to content that has already been circulating and detected, in contrast to ‘new’ material that has not yet been identified.

The Hungarian presidency of the Council of the EU shared a partial general approach dated 24 September and seen by Euractiv, that mirrors the 9 September text but reduces the reevaluation period from five years to three for grooming and new CSAM.

Limiting detection to known material could hinder authorities’ ability to surveil massive amounts of communications, suggesting the change is likely an attempt to reconcile privacy concerns.

The Netherlands initially supported the proposal to limit detection to ‘known’ material but withdrew its support in early September, Euractiv reported.

On Tuesday (1 October), Amsterdam officially took a stance against the general approach, despite speculation last week suggesting the country might shift its position in favour of the regulation.

This is also despite the Dutch mostly maintaining that their primary concern lies with combating known CSAM – a focus that aligns with the scope of the latest proposal.

According to various statistics, the Netherlands hosts a significant amount of CSAM.

The Dutch had been considering supporting the proposal, or at least a “silent abstention” that might have weakened the blocking minority, signalling a shift since Friday (27 September), a source close to the matter told Euractiv.

While a change in the Netherlands’ stance could have affected the blocking minority in the EU Council, their current position now strengthens it.

If the draft law were to pass in the EU Council, the next stage would be interinstitutional negotiations, called trilogues, between the European Parliament, the Council of the EU, and the Commission to finalise the legislation.

Both the Dutch government and the opposition are against supporting the new partial general approach.

Opposition party GroenLinks-PvdA (Greens/EFA) published an open letter, also on Tuesday, backed by a coalition of national and EU-based private and non-profit organisations, urging the government to vote against the proposal.

According to the letter, the regulation will be discussed at the Justice and Home Affairs Council on 11 October, with positions coordinated among member states on 2 October.

Currently, an interim regulation allows companies to detect and report online CSAM voluntarily. Originally set to expire in 2024, this measure has been extended to 2026 to avoid a legislative gap, as the draft for a permanent law has yet to be agreed.

The Dutch Secret Service opposed the draft regulation because “introducing a scan application on every mobile phone” with infrastructure to manage the scans would be a complex and extensive system that would introduce risks to digital resilience, according to a decision note.

Source: Dutch oppose Hungary’s approach to EU child sexual abuse regulation – Euractiv

To find out more about how invasive the proposed scanning feature is, look through the articles here: https://www.linkielist.com/?s=csam

Resistance to the Hungarian presidency’s approach to the EU’s draft law to combat online child sexual abuse material (CSAM) was still palpable during a member states’ meeting on Wednesday (4 September).

The Hungarian presidency of the Council of the EU aims to secure consensus on the proposed law to combat online child sexual abuse material (CSAM) by October, according to an EU diplomat and earlier reports by Politico.

Hungary has prepared a compromise note on the draft law, also reported by Contexte.

The note, presented at a meeting of ambassadors on Wednesday, seeks political guidance to make progress at the technical level, the EU diplomat told Euractiv.

With the voluntary regime expiring in mid-2026, most member states agree that urgent action is needed, the diplomat continued.

But some member states are still resistant to the Hungarian’s latest approach.

The draft law to detect and remove online child sexual abuse material (CSAM) was removed from the agenda of Thursday’s (20 June) meeting of the Committee of Permanent Representatives (COREPER), who were supposed to vote on it.

Sources close to the matter told Euractiv, that Poland and Germany remain opposed to the proposal, with smaller member states also voicing concerns, potentially forming a blocking minority.

Although France and the Netherlands initially supported the proposal, the Netherlands has since withdrawn its support, and Italy has indicated that the new proposal is moving in the right direction.

As a result, no agreement was reached to move forward.

Currently, an interim regulation allows companies to voluntarily detect and report online CSAM. Originally set to expire in 2024, this measure has been extended to 2026 to avoid a legislative gap, as the draft for a permanent law has yet to be agreed.

Hungary is expected to introduce a concrete textual proposal soon. The goal is to agree on its general approach by October, the EU diplomat said, a fully agreed position among member states which serves as the basis for negotiations with the European Parliament.

Meanwhile, the European Commission is preparing to send a detailed opinion to Hungary regarding the draft law, expected by 30 September, Contexte reported on Wednesday.

[…]

In the text, the presidency also suggested extending the temporary exemption from certain provisions of the ePrivacy Directive, which governs privacy and electronic communications, for new CSAM and grooming.

[…]

Source: Resistance lingers to Hungarian presidency’s new push for child sexual abuse prevention regulation – Euractiv

See also:

The EU Commission’s Alleged CSAM Regulation ‘Experts’ giving them free reign to spy on everyone: can’t be found. OK then.

EU delays decision over continuous spying on all your devices *cough* scanning encrypted messages for kiddie porn

Signal, MEPs urge EU Council to drop law that puts a spy on everyone’s devices

European human rights court says backdooring encrypted comms is against human rights

EU Commission’s nameless experts behind its “spy on all EU citizens” *cough* “child sexual abuse” law

EU Trys to Implement Client-Side Scanning, death to encryption By Personalised Targeting of EU Residents With Misleading Ads