Policy


Ever heard of “Llady Gaga”? Universal files piracy suit over alleged knockoffs.

Universal Music Group yesterday sued a music firm that allegedly distributes pirated songs on popular streaming services under misspelled versions of popular artists’ names—such as “Kendrik Laamar,” “Arriana Gramde,” “Jutin Biber,” and “Llady Gaga.” The UMG Recordings lawsuit against the French company Believe and its US-based subsidiary, TuneCore, alleges that “Believe is fully aware that its business model is fueled by rampant piracy” and “turned a blind eye to the fact that its music catalog was rife with copyright infringing sound recordings.”

Believe is a publicly traded company with about 2,020 employees in over 50 countries and reported $518 million (474.1 million euros) in revenue in the first half of 2024. Believe says its “mission is to develop independent artists and labels in the digital world.”

UMG alleges that Believe achieved “dramatic growth and profitability in recent years by operating as a hub for the distribution of infringing copies of the world’s most popular copyrighted recordings.” Believe has licensing deals with online platforms “including TikTok, YouTube, Spotify, Apple Music, Instagram and hundreds of others,” the lawsuit said.

UMG alleged that Believe distributes songs on these services “with full knowledge that many of the clients of its distribution services are fraudsters regularly providing infringing copies of copyrighted recordings.” Believe enters into “distribution contracts with anyone willing to sign one of its basic form agreements,” and its “client list is overrun with fraudulent ‘artists’ and pirate record labels who rely on Believe and its distribution network to seed infringing copies of popular sound recordings throughout the digital music ecosystem,” the lawsuit said, continuing:

Believe makes little effort to hide its illegal actions. Indeed, the names of its “artists” and recordings are often minor variants on the names of Plaintiffs’ famous recording artists and the titles of their most successful works. For example, Believe has distributed infringing tracks from infringers who call themselves “Kendrik Laamar” (a reference to Kendrick Lamar); “Arriana Gramde” (a reference to Ariana Grande); “Jutin Biber” (a reference to Justin Bieber); and “Llady Gaga” (a reference to Lady Gaga). Often, Believe distributes overtly infringing versions of original tracks by famous artists with notations that they are “sped up” or “remixed.”

The Rihanna song “S&M” was distributed as a remix by Believe under the name “Rihamna,” the lawsuit said. In other cases, names associated with allegedly infringing tracks were very different from the real artists’ names. The lawsuit said Lady Gaga’s “Bad Romance” and Billie Eilish’s “TV” were both distributed in sped-up form under the name “INDRAGERSN.”



Facebook, Nvidia push SCOTUS to limit “nuisance” investor suits after scandals


Facebook, Nvidia ask SCOTUS to narrow legal paths to retrieve investor losses.

The Supreme Court will soon weigh two cases that could potentially make it harder for misled investors to sue Big Tech companies after major scandals.

One case involves one of the largest tech scandals of all time, the Facebook-Cambridge Analytica data breach. In 2019, Facebook agreed to pay “more than $5 billion in civil penalties to settle charges by the Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC) that it had misled its users and investors over the privacy and security of user data on its platform,” a Supreme Court filing said.

The other case involves an allegation that Nvidia intentionally hid how much of its 2017–2018 GPU demand was due to a volatile cryptocurrency boom and not Nvidia’s core gaming business—allegedly misleading investors ahead of a crypto crash. After the bust, Nvidia suddenly had to slash half a billion dollars from its earnings projection, and market experts later estimated that the firm had understated its crypto-related revenue by more than a billion. In 2022, Nvidia paid a $5.5 million SEC penalty over the inadequate disclosures that one SEC chief said “deprived investors of critical information to evaluate the company’s business in a key market.”

Investors, however, have not yet settled their own legal challenges. In both cases, investors suing convinced the 9th Circuit that the companies were guilty of misleading investors. But now, the tech companies have appealed to the Supreme Court, hoping to reverse those rulings.

In case documents, each claimed that their investors have not satisfied high legal bars, which Nvidia argued Congress designed to prevent “frivolous” or “nuisance” lawsuits from going on “fishing expeditions” to claim securities “fraud by hindsight.” Both warned that SCOTUS upholding the 9th Circuit rulings risked flooding courts with frivolous suits, with Nvidia cautioning that such lawsuits can be “used to injure the entire US economy.”

The Supreme Court will hear arguments in the Facebook case on Wednesday, November 6, then the Nvidia case on November 13.

SCOTUS may be persuaded by tech companies still stuck coping with the aftermath of scandals. A former SEC lawyer, Andrew Feller, told Reuters that the Supreme Court’s conservative majority may continue its “recent track record of handing down business-friendly decisions that narrowed the authority of federal regulators” in these cases. Both cases give justices opportunities to “rein in the power of private plaintiffs to enforce federal rules aimed at punishing corporate misconduct,” Reuters reported.

Facebook defends describing risk as hypothetical

The Facebook case centers on an SEC disclosure where Facebook said that its business may be harmed by a data breach, posing that as a hypothetical, without mentioning the ongoing Cambridge Analytica data breach. Specifically, Facebook wrote, “[a]ny failure to prevent or mitigate . . . improper access to or disclosure of our data or user data . . . could result in the loss or misuse of such data, which could harm our business and reputation and diminish our competitive position.”

Investors felt misled, accusing Facebook of hiding the breach by only presenting the risk as a hypothetical that implied no breach had ever occurred in the past and certainly did not disclose the present risk.

However, in a SCOTUS filing, Facebook insisted that “no reasonable investor would interpret a risk disclosure using probabilistic, forward-looking language as impliedly representing that the specified triggering event had never occurred in the past.”

Facebook is now arguing that SCOTUS agreeing that the company should have disclosed the major data breach “would result in a regime under which companies would be required to disclose every previous material incident they have experienced—effectively creating a sweeping regime of omissions liability.”

According to Facebook, news broke about the Cambridge Analytica data breach in 2015, and its business wasn’t immediately harmed. Following that logic, the social media company hopes that SCOTUS will agree that Facebook was only required to disclose the data breach in its SEC filing if Facebook knew its business would likely be harmed from the ongoing breach.

By affirming the 9th Circuit ruling, Facebook alleged, SCOTUS would be “vastly expanding the circumstances in which risk disclosures are deemed false or misleading,” exposing to legal challenges “a wide range of previously immune forward-looking statements—revenue projections, future business plans or objectives, and the like.”

But investors suing argue that Facebook is still being misleading about the data scandal in its court filings.

“The only reason Facebook has ever given to explain why the misappropriation risked no harm was that the event was allegedly disclosed to the public in 2015 and no one cared,” investors’ SCOTUS brief said. But in 2015, a report exposing a data breach tied to a Ted Cruz campaign was denied by Cambridge Analytica and prompted a Facebook investigation that concluded no damage had been done.

“Facebook actively misled the public about its investigation, ‘represent[ing] that no misconduct had been discovered,’” investors alleged, and “Facebook’s deception extended to its public filings with the SEC.”

According to investors, the real damage was done when the true extent of the Cambridge Analytica scandal was exposed in 2018. That caused substantial revenue losses that Facebook likely understood it was risking while allegedly leaving investors blind to those risks for years.

Investors argue that disclosure should not be required of every data breach that hits Facebook, whether it harms its business or not, but that the Cambridge Analytica data breach was significant and should have been disclosed as a material risk. The 9th Circuit agreed, holding that “publicly treating such a material adverse event as a merely hypothetical prospect can be misleading even if the event has not yet produced follow-on business harm because the company has kept the truth from the public.”

They further argued that requiring so-called overdisclosure wouldn’t trigger unwarranted litigation, as Facebook suggests, because Congress has always “given considerable attention to concerns over abusive private litigation.”

If Facebook wins, investors alleged, SCOTUS risks giving any tech company “a license to intentionally mislead investors about the occurrence of hugely material events by describing those events as purely hypothetical prospects.” Siding with Facebook would allegedly give “companies an incentive to stuff their annual reports with boilerplate, generic warnings that reveal little about the company’s actual business and to cover up events that could give rise to corporate scandals, as Facebook did here.”

Facebook argued that if the SEC is concerned about specific disclosures connected to the data breach, “the SEC can invoke the rulemaking process to impose” a requirement that companies must disclose all “past material adverse events.”

Nvidia disputes expert’s crypto data

While the Facebook case involved a bigger scandal, the Nvidia case could have bigger legal implications if Nvidia wins.

In the Nvidia case, investors argued that Nvidia CEO Jensen Huang made public statements allegedly misleading investors by downplaying the high demand for GPUs tied to volatile crypto markets. To plead their case, investors relied on statements from Nvidia employees, internal documents like meeting slides, industry research, as well as an expert opinion crunching general market numbers and estimating that Nvidia “underreported its crypto revenues by $1.126 billion.”

Nvidia claimed it’s far more plausible that the company simply made an “honest miscalculation” while navigating a complex emerging market.

To defend against the suit, Nvidia is arguing that the Private Securities Litigation Reform Act (PSLRA) imposes “special burdens on plaintiffs seeking to bring federal securities fraud class actions” through “heightened pleading requirements” to deter frivolous lawsuits arguing fraud by hindsight.

According to Nvidia, the PSLRA requires investors to allege particular facts based on particular contents of internal Nvidia documents, which goes beyond relying on an expert opinion. The tech company has urged SCOTUS that the 9th Circuit “‘significantly erode[d]’” the PSLRA requirements by allowing Plaintiffs to “simply” hire “an expert who manufactured data to fit their allegations.”

“They hired an expert to create data and then filed a class action alleging that Nvidia and its CEO committed securities fraud by failing to disclose the data invented by Plaintiffs’ expert,” Nvidia argued.

This allegedly “eviscerates the guardrails that Congress erected to protect the public from abusive securities litigation” and creates a “dangerous” and “easy-to-replicate ‘roadmap’ for plaintiffs to sidestep the PSLRA in this recurring context.”

“Far from serving Congress’s goal of guarding against fishing expeditions by vexatious litigants, the Ninth Circuit’s opinion declares it open season so long as a plaintiff has funding to hire an expert,” Nvidia alleged.

Investors are hoping SCOTUS will uphold the 9th Circuit’s judgment. Instead of seeing their suit as frivolous, they argued that the SEC fine over the same misconduct “undermines any suggestion that this is the type of frivolous suit that the PSLRA was meant to screen out.”

They’ve disputed Nvidia’s arguments that they’ve relied solely on a hired expert to support their claims, arguing that each fact was corroborated by employee witnesses and third-party reports.

If Nvidia wins, investors warned, the SCOTUS decision would risk harming a wide range of private securities litigation that Congress has found “‘is an indispensable tool’ for ‘defrauded investors’ to ‘recover their losses without having to rely upon government action.’”


Ashley is a senior policy reporter for Ars Technica, dedicated to tracking social impacts of emerging policies and new technologies. She is a Chicago-based journalist with 20 years of experience.



Elon Musk turns X’s block button into a “glorified mute button”

X, formerly Twitter, is now letting blocked users see posts made by the people who blocked them.

“We’re starting to launch the block function update,” X’s engineering team wrote yesterday. X previously said that after the change, “If your posts are set to public, accounts you have blocked will be able to view them, but they will not be able to engage (like, reply, repost, etc.).”

To justify the change, X said the block functionality could previously be “used by users to share and hide harmful or private information about those they’ve blocked.” The change will allow people who are blocked “to see if such behavior occurs… allowing for greater transparency,” X said.

X owner Elon Musk argued last year that “blocking public posts makes no sense. It needs to be deprecated in favor of a stronger form of mute.”

There were many angry responses to the change, both yesterday and previously, when X said it would be coming soon. While some users may only use blocking to avoid seeing accounts that are annoying, some X users said the policy could be harmful for people who use blocking as a safety measure.

The new policy could help stalkers and other bad actors, some said. Blocked accounts could view, screenshot, and share content posted by the person who blocked them, some people pointed out. The block button is now “a glorified mute button,” one user said.

Blocked users can view and search for posts

Before the change, X’s support page on blocking accounts said blocked accounts cannot “view your posts when logged in on X (unless they report you, and your posts mention them),” “find your posts in search when logged in on X,” or “view a Moment you’ve created when logged in on X.”



Starlink enters National Radio Quiet Zone—but reportedly cut off access for some


Starlink offered to 99.5% of zone, but locals say Roam product was disabled.

Starlink satellite dish. Credit: Starlink

Starlink’s home Internet service has come to the National Radio Quiet Zone after a multi-year engineering project that had the goal of minimizing interference with radio telescopes. Starlink operator SpaceX began “a one-year assessment period to offer residential satellite Internet service to 99.5% of residents within the NRQZ starting October 25,” the National Radio Astronomy Observatory and Green Bank Observatory announced last week.

“The vast majority of people within the areas of Virginia and West Virginia collectively known as the National Radio Quiet Zone (NRQZ) can now receive high speed satellite Internet service,” the announcement said. “The newly available service is the result of a nearly three-year collaborative engineering effort between the US National Science Foundation (NSF), SpaceX, and the NSF National Radio Astronomy Observatory (NSF NRAO), which operates the NSF Green Bank Observatory (NSF GBO) in West Virginia within the NRQZ.”

There’s a controversy over the 0.5 percent of residents who aren’t included and are said to be newly blocked from using the Starlink Roam service. Starlink markets Roam as a service for people to use while traveling, not as a fixed home Internet service.

The Pendleton County Office of Emergency Management last week issued a press release saying that “customers with the RV/Roam packages had been using Starlink for approximately two years throughout 100% of the NRQZ. Now, the 0.5% have lost coverage after having it for two years. This means that a large section of southeastern Pendleton County and an even larger section of northern Pocahontas will NOT be able to utilize Starlink.”

PCMag wrote that “Starlink is now live in 42 of the 46 cell areas around the Green Bank Observatory’s telescopes.” Pendleton County Emergency Services Coordinator Rick Gillespie told Ars today that Roam coverage was cut off in the remaining four cell areas.

“After the agreement, we all lost effective use within the four cells,” Gillespie told Ars in an email. Gillespie’s press release said that, “in many cases, Starlink was the only Internet provider option residents and emergency responders had. This is unacceptable.”

“The dark ages of communications systems”

Gillespie was quoted as saying in a WBOY article that the restrictions are “keeping a portion of Pendleton and Pocahontas counties in the dark ages of communications systems.”

We contacted SpaceX and the National Radio Astronomy Observatory about any limits imposed on Roam today and will update this article if we get any response.

Residents of the 13,000-square-mile National Radio Quiet Zone have limited Internet access due to restrictions on radio transmissions first put in place in 1958. In addition to scientific research at Green Bank in Pocahontas County, the National Radio Quiet Zone includes a National Security Agency facility at Sugar Grove Station in Pendleton County.

SpaceX and the NRAO collaborated on testing over the past few years and presumably concluded that the service could only be provided without interference in 99.5 percent of the zone. Chris De Pree, the NRAO deputy spectrum manager, said in the organization’s announcement that “working closely with SpaceX over the past three years has enabled NRAO and SpaceX to better understand each other’s systems and how to actively coexist in this part of the spectrum.”

In that time, “scientists and engineers performed multiple tests and analyses to determine the best way to maximize satellite internet service without hindering the missions within the NRQZ,” the announcement said. During the one-year assessment period for Starlink’s home Internet service, “scientists and engineers will monitor for interference issues and work to resolve them without interrupting Internet service.”

Starlink steers beams away from telescopes

Starlink said in August that it worked with the NRAO “to enable Starlink satellites to avoid transmissions into the line-of-sight of radio telescopes, leveraging our advanced phased array antenna technology to dynamically steer beams away from telescopes.”

Starlink published a summary noting that “direct transmissions from satellites towards the eye of radio telescopes may pose a significant risk of interference to astronomical research.” The technique for steering beams away from telescopes is “made possible by a real-time data sharing framework between radio astronomy observatories and Starlink that provides the Starlink network with a telescope’s planned observation schedule, including the telescope’s pointing direction (aka ‘boresight’) and its observed frequency band. With this information, the Starlink network can ensure that satellites passing near the boresight of a telescope dynamically redirect their beams away from the telescope.”

The redirection happens “in milliseconds” and “protects the telescope’s observations while ensuring Starlink service remains uninterrupted for customers near the telescope.” Starlink is also using the technology with NRAO’s Very Large Array in New Mexico.

Counties want quiet-zone rules scrapped

The quiet-zone rules should be scrapped, a number of local officials say. The Pendleton County press release said that 10 West Virginia counties and one Virginia county “have formally expressed their need for change regarding the National Radio Quiet Zone (NRQZ) through Resolutions and Letters of Support.” These counties have a combined 262,296 residents, the press release said.

“We do not seek the closure of these federal entities but rather their commitment to identifying and funding viable solutions that would enable our communication systems to operate effectively, similar to those in the majority of America,” Gillespie said in the press release.

Gillespie told Ars that local communities are hampered by “archaic 1950’s regulations. We are being left behind when it comes to the modern advancements in public safety and personal communications.” He said that “absent some relief in a timely fashion, we will explore taking our plight to the FCC seeking waivers.”

The Pendleton County Commission resolution approved in September called for dissolution of the quiet zone or “total waivers of any NRQZ restrictions imposed on Public Safety Radio Frequency Bands currently in use, as well as all the commercial cellular/wireless Bands, and commercial satellite Internet providers, such as Starlink.”

The county resolution said the quiet zone is effectively “an ever-growing unfunded federal mandate on our county emergency services/911 operation wherein it causes us to spend large amounts of funding building a larger number of tower sites than would be needed absent the NRQZ restrictions.” The restrictions have greatly diminished access to the AT&T FirstNet public safety network and other networks used by first responders and residents, the resolution said.

The Pocahontas County Commission issued a resolution in September calling for total waivers of restrictions imposed on public safety spectrum, or federal funding to offset costs associated with developing public safety communications systems under “the unique burden of NRQZ regulations.”

Limited fiber and cellular access

Starlink service wouldn’t be as necessary for home Internet access if the area had universal access to fiber broadband. Recent government grants could help, as one funded project is designed to subsidize Spruce Knob Seneca Rocks Telephone’s installation of fiber lines in Pocahontas and Pendleton counties.

Ideally, residents would have access to both fiber home Internet and strong cellular networks. But the NRAO still warns that cellular signals could threaten its scientific research.

“Optical fiber as a broadband solution is far better than service from space or via wireless or cellular links, which are less reliable and have the potential to undo much of the coordination work that has happened in the National Radio Quiet Zone over many decades,” Sheldon Wasik, Zone Regulatory Services Coordinator for the National Radio Astronomy Observatory, said in March 2024.


Jon is a Senior IT Reporter for Ars Technica. He covers the telecom industry, Federal Communications Commission rulemakings, broadband consumer affairs, court cases, and government regulation of the tech industry.



RFK Jr. claims Trump promised to put him in charge of NIH, CDC, and more

Earlier this week, Robert F. Kennedy, Jr. used a Zoom call to tell his supporters that Donald Trump had promised him “control” of the Department of Health and Human Services (HHS), the federal agency that includes the Centers for Disease Control, Food and Drug Administration, National Institutes of Health, as well as the Department of Agriculture. Given Kennedy’s support for debunked anti-vaccine nonsense, this represents a potential public health nightmare.

A few days after, Howard Lutnick, a co-chair of Trump’s transition team, appeared on CNN to deny that RFK Jr. would be put in charge of HHS. But he followed that with a long rant in which he echoed Kennedy’s spurious claims about vaccines. This provides yet another indication of how anti-vaccine activism has become deeply enmeshed with Republican politics, to the point where it may be just as bad even if Kennedy isn’t appointed.

Trump as Kennedy’s route to power

Kennedy has a long history of misinformation regarding health, with a special focus on vaccines. This includes the extensively debunked suggestion that there is a correlation between vaccinations and autism incidence, and it extends to a general skepticism about vaccine safety. That’s mixed with conspiracy theories regarding collusion between federal regulators and pharmaceutical companies.

While there is no evidence for any of this, and some of it is clearly wrong, the conspiracies have real-world consequences. An anti-vaccine activist in Samoa, aided by a visit from RFK Jr., helped pave the way for a measles outbreak that shut down the government and ultimately led to over 80 deaths.

Kennedy has long been interested in getting access to the agencies that regulate vaccines and other interests of his, such as food safety, under the assumption they are hiding the data that would vindicate his views. And, long before his recent presidential run, he viewed Trump as the route to that access. Shortly before Trump’s inauguration in 2017, Kennedy claimed that he would be appointed to head a vaccine safety commission that Trump would supposedly create once in office. Nothing ever came of that, and it was never clear whether that was due to Trump lying to him, Kennedy exaggerating his significance, or Trump simply telling him what he wanted to hear at the time and never following up.



Colorado scrambles to change voting-system passwords after accidental leak


BIOS passwords on website

“The goal is to complete the password updates by this evening,” government says.

Colorado Secretary of State Jena Griswold holds press conference with Matt Crane, Executive Director of the Colorado County Clerks Association, at her office in Denver on Thursday, October 24, 2024. Credit: Getty Images | Hyoung Chang

The Colorado Department of State said it accidentally posted a spreadsheet containing “partial passwords” for voting systems. The department said there is no “immediate security threat” because two passwords are needed for each component, but it is trying to complete password changes by the end of today. There were reportedly hundreds of BIOS passwords accessible on the website for over two months before being removed last week.

A government statement issued Tuesday said the agency “is aware that a spreadsheet located on the Department’s website improperly included a hidden tab including partial passwords to certain components of Colorado voting systems. This does not pose an immediate security threat to Colorado’s elections, nor will it impact how ballots are counted.”

Secretary of State Jena Griswold told Colorado Public Radio that “we do not think there is an immediate security threat to Colorado elections, in part because partial passwords don’t get you anywhere. Two unique passwords are needed for every election equipment component. Physical access is needed. And under Colorado law, voting equipment is stored in secure rooms that require secure ID badges. There’s 24/7 video cameras. There’s restricted access to the secure ballot areas, strict chain of custody, and it’s a felony to access voting equipment without authorization.”

Griswold said her office learned about the spreadsheet upload at the end of last week and “immediately contacted federal partners and then we began our investigation.”

The department’s statement said the two passwords for each component “are kept in separate places and held by different parties” and that the “passwords can only be used with physical in-person access to a voting system.” Additionally, “clerks are required to maintain restricted access to secure ballot areas, and may only share access information with background-checked individuals. No person may be present in a secure area unless they are authorized to do so or are supervised by an authorized and background-checked employee.”

The department also cited “strict chain of custody requirements that track when a voting systems component has been accessed and by whom,” and it said that each “Colorado voter votes on a paper ballot, which is then audited during the Risk Limiting Audit to verify that ballots were counted according to voter intent.”

Goal is to change all passwords by this evening

Griswold described the upload as an accident and said the mistake was made by a civil servant who no longer works for the department. “Out of an abundance of caution, we have people in the field working to reset passwords and review access logs for affected counties,” she said.

Gov. Jared Polis and Griswold, who are both Democrats, issued a joint update about the password changes today. The Polis administration is providing support “to complete changes to all the impacted passwords and review logs to ensure that no tampering occurred.”

“The Secretary of State will deputize certain state employees, who have cybersecurity and technology expertise and have undergone appropriate background checks and training,” the statement said. “In addition to the Department of State Employees and in coordination with county clerks, these employees will only enter badged areas in pairs to update the passwords for election equipment in counties and will be directly observed by local elections officials from the county clerk’s office. The goal is to complete the password updates by this evening and verify the security of the voting components, which are secured behind locked doors by county clerks.”

Griswold said she is “thankful to the Governor for his support to quickly resolve this unfortunate mistake.” Griswold told Colorado Public Radio that her department has no reason to believe the passwords were posted with malicious intent, but said that “a personnel investigation will be conducted by an outside party to look into the particulars of how this occurred.”

GOP slams Griswold

The Colorado Republican Party criticized Griswold this week after receiving an affidavit from someone who said they accessed the BIOS passwords on the publicly available spreadsheet three times between August 8 and October 23. The file “contained over 600 BIOS passwords for voting system components in 63 of the state’s 64 counties” before being removed on October 24, the state GOP said.

The affidavit described how to reveal the passwords in the VotingSystemInventory.xlsx file. It said that right-clicking a worksheet tab and selecting “unhide” would reveal “a dialog box where the application user can select from one, several, or all four listed hidden worksheets contained in the file.” Three of these worksheets “appear to list Basic Input Output System (BIOS) passwords” for hundreds of individual voting system components, the affidavit said.
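A pre-publication check for the failure described above, added here as an example (it is not code from the article or from the Colorado Department of State): it lists worksheets marked hidden or veryHidden in an .xlsx file so they can be reviewed before the file is uploaded. The function names and the in-memory sample workbook are constructed for illustration.

```python
"""Pre-publication check: report worksheets in an .xlsx that are not visible."""
import io
import sys
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
DOC_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"


def _local(tag):
    """Strip the XML namespace so Transitional and Strict OOXML both match."""
    return tag.rsplit("}", 1)[-1]


def _workbook_part(zf):
    """Find the workbook part via the package relationships, else use the default."""
    try:
        rels = ET.fromstring(zf.read("_rels/.rels"))
    except KeyError:
        return "xl/workbook.xml"
    for rel in rels:
        is_rel = _local(rel.tag) == "Relationship"
        if is_rel and rel.get("Type", "").endswith("/officeDocument"):
            return rel.get("Target", "xl/workbook.xml").lstrip("/")
    return "xl/workbook.xml"


def hidden_sheets(xlsx):
    """Return [(sheet name, state)] for each sheet whose state is not "visible".

    `xlsx` is a path or a binary file object. Intended for files your own
    organisation is about to publish; use a hardened XML parser for untrusted input.
    """
    with zipfile.ZipFile(xlsx) as zf:
        root = ET.fromstring(zf.read(_workbook_part(zf)))
    found = []
    for el in root.iter():
        if _local(el.tag) != "sheet":
            continue
        # The attribute is absent for visible sheets. "veryHidden" sheets are not
        # listed in Excel's Unhide dialog but are still stored in the file.
        state = el.get("state", "visible")
        if state != "visible":
            found.append((el.get("name"), state))
    return found


def build_sample_workbook(sheets):
    """Constructed sample: a minimal in-memory package holding only the parts
    the check reads. `sheets` is a list of (name, state); contains no real data."""
    rels = (
        f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
        f'Type="{DOC_REL}/officeDocument" Target="xl/workbook.xml"/></Relationships>'
    )
    rows = "".join(
        f'<sheet name="{name}" sheetId="{i}" r:id="rId{i}"'
        + (f' state="{state}"' if state != "visible" else "")
        + "/>"
        for i, (name, state) in enumerate(sheets, start=1)
    )
    workbook = (
        f'<workbook xmlns="{MAIN_NS}" xmlns:r="{DOC_REL}">'
        f"<sheets>{rows}</sheets></workbook>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("_rels/.rels", rels)
        zf.writestr("xl/workbook.xml", workbook)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Usage: python check_hidden_sheets.py file1.xlsx [file2.xlsx ...]
    # Exits non-zero if any file carries a hidden sheet, so it can gate an upload step.
    failed = False
    for path in sys.argv[1:]:
        for name, state in hidden_sheets(path):
            print(f"{path}: sheet {name!r} is {state}")
            failed = True
    sys.exit(1 if failed else 0)
```
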

The state GOP accused Griswold of downplaying the security risk, saying that only one password is needed for BIOS access. “BIOS passwords are highly confidential, allowing broad access for knowledgeable users to fundamentally manipulate systems and data and to remove any trace of doing so,” the GOP said. The “passwords were not encrypted or otherwise protected,” the GOP said.

State GOP Chairman Dave Williams said the incident “represents significant incompetence and negligence, and it raises huge questions about password management and other basic security protocols at the highest levels within Griswold’s office.” He also claimed the breach could put “the entire Colorado election results for the vast majority of races, including the tabulation for the Presidential race in Colorado, in jeopardy unless all of the machines can meet the standards of a ‘Trusted Build’ before next Tuesday.”

US Rep. Lauren Boebert (R-Colo.) and other Republicans called on Griswold to resign. Griswold said she would stay on the job.

Griswold: “I’m going to keep doing my job”

Republicans in the state House “and Congresswoman Lauren Boebert are the same folks who have spread conspiracies and lies about our election systems over and over and over again,” Griswold told Colorado Public Radio. “Ultimately, a civil servant made a serious mistake and we’re actively working to address it.” Griswold added, “I have faced conspiracy theories from elected Republicans in this state, and I have not been stopped by any of their efforts and I’m going to keep on doing my job.”

Colorado previously had a voting-system breach orchestrated by former county clerk Tina Peters of Mesa County, who was sentenced to nine years in prison in early October. Peters, who promoted former President Donald Trump’s election conspiracy theories, oversaw a leak of voting-system BIOS passwords. Griswold said after the Peters conviction that “Tina Peters willfully compromised her own election equipment trying to prove Trump’s big lie.”

Testimony from the Peters case was cited in the GOP’s criticism of Griswold this week. “In the Tina Peters trial, a senior State official even testified that release of these passwords in a single county represented a grave threat. Here, they have been released for the whole state,” the state GOP said.

The Trump campaign called on Griswold to halt the processing of mail ballots and re-scan all mailed ballots that were already scanned.

Photo of Jon Brodkin

Jon is a Senior IT Reporter for Ars Technica. He covers the telecom industry, Federal Communications Commission rulemakings, broadband consumer affairs, court cases, and government regulation of the tech industry.


Toxic X users sabotage Community Notes that could derail disinfo, report says


It’s easy for biased users to bury accurate Community Notes, report says.

What’s the point of recruiting hundreds of thousands of X users to fact-check misleading posts before they go viral if those users’ accurate Community Notes are never displayed?

That’s the question the Center for Countering Digital Hate (CCDH) is asking after digging through a million notes in a public X dataset to find out how many misleading claims spreading widely on X about the US election weren’t quickly fact-checked.

In a report, the CCDH flagged 283 misleading X posts fueling election disinformation spread this year that never displayed a Community Note. Of these, 74 percent were found to have accurate notes proposed but ultimately never displayed—apparently due to toxic X users gaming Community Notes to hide information they politically disagree with.

On X, Community Notes are only displayed if a broad spectrum of X users with diverse viewpoints agree that the post is “helpful.” But the CCDH found that it’s seemingly easy to hide an accurate note that challenges a user’s bias by simply refusing to rate it or downranking it into oblivion.

“The problem is that for a Community Note to be shown, it requires consensus, and on polarizing issues, that consensus is rarely reached,” the CCDH’s report said. “As a result, Community Notes fail precisely where they are needed most.”

Among the most-viewed misleading claims where X failed to add accurate notes were posts spreading lies that “welfare offices in 49 states are handing out voter registration applications to illegal aliens,” the Democratic party is importing voters, most states don’t require ID to vote, and both electronic and mail-in voting are “too risky.”

These unchecked claims were viewed by tens of millions of users, the CCDH found.

One false narrative—that Dems import voters—was amplified in a post from Elon Musk that got 51 million views. In the background, proposed notes sought to correct the disinformation by noting that “lawful permanent residents (green card holders)” cannot vote in US elections until they’re granted citizenship after living in the US for five years. But even these seemingly straightforward citations to government resources did not pass muster for users politically motivated to hide the note.

This appears to be a common pattern on X, the CCDH suggested, and Musk is seemingly a multiplier. In July, the CCDH reported that Musk’s misleading posts about the 2024 election in particular were viewed more than a billion times without any notes ever added.

The majority of the misleading claims in the CCDH’s report seemed to come from conservative users. But X also failed to check a claim that Donald Trump “is no longer eligible to run for president and must drop out of the race immediately.” Posts spreading that false claim got 1.4 million views, the CCDH reported, and that content moderation misstep could potentially have risked negatively impacting Trump’s voter turnout at a time when Musk is campaigning for Trump.

Musk has claimed that while Community Notes will probably never be “perfect,” the fact-checking effort aspires to “be by far the best source of truth on Earth.” The CCDH has alleged that, actually, “most Community Notes are never seen by users, allowing misinformation to spread unchecked.”

Even X’s own numbers on notes seem low

On the Community Notes X account, X acknowledges that “speed is key to notes’ effectiveness—the faster they appear, the more people see them, and the greater effect they have.”

On the day before the CCDH report dropped, X announced that “lightning notes” have been introduced to deliver fact-checks in as little as 15 minutes after a misleading post is written.

“Ludicrously fast? Now reality!” X proclaimed.

Currently, more than 800,000 X users contribute to Community Notes, and with the lightning notes update, X can calculate their scores more quickly. That efficiency, X said, will either spike the amount of content removals or reduce sharing of false or misleading posts.

But while X insists Community Notes are working faster than ever to reduce harmful content spreading, the number of rapidly noted posts that X reports seems low. On a platform with an estimated 429 million daily active users worldwide, only about 400 notes were displayed within the past two weeks in less than an hour of a post going live. For notes that took longer—which the CCDH suggested is the majority if the fact-check is on a controversial topic—only about 60 more notes were displayed in more than an hour.

In July, an international NGO that monitors human rights abuses and corruption, Global Witness, found 45 “bot-like accounts that collectively produced around 610,000 posts” in a two-month period this summer on X, “amplifying racist and sexualized abuse, conspiracy theories, and climate disinformation” ahead of the UK general election.

Those accounts “posted prolifically during the UK general election,” then moved “to rapidly respond to emerging new topics amplifying divisive content,” including the US presidential race.

The CCDH reported that even when misleading posts get fact-checked, the original posts on average are viewed 13 times more than the note is seen, suggesting the majority of damage is done in the time before the note is posted.

Of course, content moderators are often called out for moving too slowly to remove harmful content, a Bloomberg opinion piece praising Community Notes earlier this year noted. That piece pointed to studies showing that “crowdsourcing worked just as well” as professional fact checkers “when assessing the accuracy of news stories,” concluding that “it may be impossible for any social media company to keep up, which is why it’s important to explore other approaches.”

X has said that it’s “common to see Community Notes appearing days faster than traditional fact checks,” while promising that more changes are coming to get notes ranked as “helpful” more quickly.

X risks becoming an echo chamber, data shows

Data that the market intelligence firm Sensor Tower recently shared with Ars offers a potential clue as to why the CCDH is seeing so many accurate notes that are never voted as “helpful.”

According to Sensor Tower’s estimates, global daily active users on X are down by 28 percent in September 2024, compared to October 2022 when Elon Musk took over Twitter. While many users have fled the platform, those who remained are seemingly more engaged than ever—with global engagement up by 8 percent in the same time period. (Rivals like TikTok and Facebook saw much lower growth, up by 3 and 1 percent, respectively.)

This paints a picture of X risking becoming an echo chamber, as loyal users engage more with the platform where misleading posts can seemingly easily go unchecked and buried notes potentially warp discussion in Musk’s “digital town square.”

When Musk initially bought Twitter, one of his earliest moves was to make drastic cuts to the trust and safety teams chiefly responsible for content-moderation decisions. He then expanded the role of Twitter’s Community Notes to substitute for trust and safety team efforts, where before Community Notes was viewed as merely complementary to broader monitoring.

The CCDH says that was a mistake and that the best way to ensure that X is safe for users is to build back X’s trust and safety teams.

“Our social media feeds have no neutral ‘town square’ for rational debate,” the CCDH report said. “In reality, it is messy, complicated, and opaque rules and systems make it impossible for all voices to be heard. Without checks and balances, proper oversight, and well-resourced trust and safety teams in place, X cannot rely on Community Notes to keep X safe.”

More transparency is needed on Community Notes

X and the CCDH have long clashed, with X unsuccessfully suing to seemingly silence the CCDH’s reporting on hate speech on X, which X claimed caused tens of millions in advertising losses. During that legal battle, the CCDH called Musk a “thin-skinned tyrant” who could not tolerate independent research on his platform. And a federal judge agreed that X was clearly suing to “punish” and censor the CCDH, dismissing X’s lawsuit last March.

Since then, the CCDH has resumed its reporting on X. In the most recent report, the CCDH urged that X needed to be more transparent about Community Notes, arguing that “researchers must be able to freely, without intimidation, study how disinformation and unchecked claims spread across platforms.”

The research group also recommended remedies, including continuing to advise that advertisers “evaluate whether their budgets are funding the misleading election claims identified in this report.”

That could lead brands to continue withholding spending on X, which is seemingly already happening. Sensor Tower estimated that “72 out of the top 100 spending US advertisers on X from October 2022 have ceased spending on the platform as of September 2024.” And compared to the first half of 2022, X’s ad revenue from the top 100 advertisers during the first half of 2024 was down 68 percent.

Most drastically, the CCDH recommended that US lawmakers reform Section 230 of the Communications Decency Act “to provide an avenue for accountability” by mandating risk assessments of social media platforms. That would “expose the risk posed by disinformation” and enable lawmakers to “prescribe possible mitigation measures including a comprehensive moderation strategy.”

Globally, the CCDH noted, some regulators have the power to investigate the claims in the CCDH’s report, including the European Commission under the Digital Services Act and the UK’s Ofcom under the Online Safety Act.

“X and social media companies as an industry have been able to avoid taking responsibility,” the CCDH’s report said, offering only “unreliable self-regulation.” Apps like X “thus invent inadequate systems like Community Notes because there is no legal mechanism to hold them accountable for their harms,” the CCDH’s report warned.

Perhaps Musk will be open to the CCDH’s suggestions. In the past, Musk has said that “suggestions for improving Community Notes are… always… much appreciated.”

Photo of Ashley Belanger

Ashley is a senior policy reporter for Ars Technica, dedicated to tracking social impacts of emerging policies and new technologies. She is a Chicago-based journalist with 20 years of experience.


Over 500 Amazon workers decry “non-data-driven” logic for 5-day RTO policy

More than 500 Amazon workers reportedly signed a letter to Amazon Web Services’ (AWS) CEO this week, sharing their outrage over Amazon’s upcoming return-to-office (RTO) policy that will force workers into offices five days per week.

In September, Amazon announced that starting in 2025, workers will no longer be allowed to work remotely twice a week. At the time, Amazon CEO Andy Jassy said the move would make it easier for workers “to learn, model, practice, and strengthen our culture.”

Reuters reported today that it viewed a letter from a swath of workers sent to AWS chief Matt Garman on Wednesday regarding claims he reportedly made during an all-hands meeting this month. Garman reportedly told attendees that 9 out of 10 employees he spoke with support the five-day in-office work policy. The letter called the statements “inconsistent with the experiences of many employees” and “misrepresenting the realities of working at Amazon,” Reuters reported.

“We were appalled to hear the non-data-driven explanation you gave for Amazon imposing a five-day in-office mandate,” the letter reportedly stated.

Employees banding together to protest against new, unfavorable work policies isn’t exclusive to Amazon. And the reported 500 workers who signed the letter represent just a fraction of Amazon’s worker base, which regulatory filings reported consisted of 1.5 million people in 2023. However, with the global conglomerate remaining firm about its stern policy thus far, eyes are on the Seattle firm’s HR approach, which could impact how other companies decide to implement RTO policies.

In the letter, hundreds of Amazon workers reportedly lamented what they believe was a lack of third-party data shared in making the RTO policy. It said that Garman’s statements “break the trust of your employees who have not only personal experience that shows the benefits of remote work but have seen the extensive data which supports that experience.”


Russia fines Google an impossible amount in attempt to end YouTube bans

Russia has fined Google an amount that no entity on the planet could pay in hopes of getting YouTube to lift bans on Russian channels, including pro-Kremlin and state-run news outlets.

The BBC wrote that a Russian court fined Google two undecillion rubles, which in dollar terms is $20,000,000,000,000,000,000,000,000,000,000,000. The amount “is far greater than the world’s total GDP, which is estimated by the International Monetary Fund to be $110 trillion.”

The fine is apparently that large because it was issued several years ago and has been repeatedly doubling. An RBC news report this week provided details on the court case from an anonymous source.

The Moscow Times writes, “According to RBC’s sources, Google began accumulating daily penalties of 100,000 rubles in 2020 after the pro-government media outlets Tsargrad and RIA FAN won lawsuits against the company for blocking their YouTube channels. Those daily penalties have doubled each week, leading to the current overall fine of around 2 undecillion rubles.”

The Moscow Times is an independent news organization that moved its operations to Amsterdam in 2022 in response to a Russian news censorship law. The news outlet said that 17 Russian TV channels filed legal claims against Google, including the state-run Channel One, the military-affiliated Zvezda broadcaster, and a company representing RT Editor-in-Chief Margarita Simonyan.

Kremlin rep: “I cannot even say this number”

Since Russia invaded Ukraine in 2022, Google has “blocked more than 1,000 YouTube channels, including state-sponsored news, and over 5.5 million videos,” Reuters wrote.


AT&T praises itself after getting caught taking too much money from FCC program

AT&T improperly obtained money from a government-run broadband discount program by submitting duplicate requests and by claiming subsidies for thousands of subscribers who weren’t using AT&T’s service. AT&T obtained funding based on false certifications it made under penalty of perjury.

AT&T on Friday agreed to pay $2.3 million in a consent decree with the Federal Communications Commission’s Enforcement Bureau. That includes a civil penalty of $1,921,068 and a repayment of $378,922 to the US Treasury.

The settlement fully resolves the FCC investigation into AT&T’s apparent violations, the consent decree said. “AT&T admits for the purpose of this Consent Decree and for Commission civil enforcement purposes” that the findings described by the FCC “contain a true and accurate description of the facts underlying the Investigation,” the document said.

In addition to the civil penalty and repayment, AT&T agreed to a compliance plan designed to prevent further violations. AT&T last week reported quarterly revenue of $30.2 billion.

AT&T made the excessive reimbursement claims to the Emergency Broadband Benefit Program (EBB), which the US formed in response to the COVID-19 pandemic, and to the EBB’s successor program, the Affordable Connectivity Program (ACP). The FCC said its rules “are vital to protecting these Programs and their resources from waste, fraud, and abuse.”

AT&T praises itself for using federal program

We contacted AT&T today and asked for an explanation of what caused the violations. Instead, AT&T provided Ars with a statement that praised itself for participating in the federal discount programs.

“When the federal government acted during the COVID-19 pandemic to stand up the Emergency Broadband Benefit program, and then the Affordable Connectivity Program, we quickly implemented both programs to provide more low-cost Internet options for our customers. We take compliance with federal programs like these seriously and appreciate the collaboration with the FCC to reach a solution on this matter,” AT&T said.

The EBB provided monthly subsidies of $50 for eligible households, while the ACP offered $30 a month. Telecoms provided the discounts to subscribers directly and sought reimbursement from the programs. The ACP ended a few months ago after Congress did not provide additional funding.


TSA silent on CrowdStrike’s claim Delta skipped required security update


We’re all trying to find the guy who did this

CrowdStrike and Delta’s legal battle has begun. Will Microsoft be sued next?


Delta and CrowdStrike have locked legal horns, threatening to drag out the aftermath of the worst IT outage in history for months or possibly years.

Each refuses to be blamed for Delta’s substantial losses following a global IT outage caused by CrowdStrike suddenly pushing a flawed security update despite Delta and many other customers turning off auto-updates.

CrowdStrike has since given customers more control over updates and made other commitments to ensure an outage of that scale will never happen again, but Delta isn’t satisfied. The airline has accused CrowdStrike of willfully causing losses by knowingly deceiving customers by failing to disclose an unauthorized door into their operating systems that enabled the outage.

In a court filing last Friday, Delta alleged that CrowdStrike should be on the hook for the airline’s more than $500 million in losses—partly because CrowdStrike has admitted that it should have done more testing and staggered deployments to catch the bug before a wide-scale rollout that disrupted businesses worldwide.

“As a result of CrowdStrike’s failure to use a staged deployment and without rollback capabilities, the Faulty Update caused widespread and catastrophic damage to millions of computers, including Delta’s systems, crashing Delta’s workstations, servers, and redundancy systems,” Delta’s complaint said.

Delta has further alleged that CrowdStrike postured as a certified best-in-class security provider who “never cuts corners” while secretly designing its software to bypass Microsoft security certifications in order to make changes at the core of Delta’s computing systems without Delta’s knowledge.

“Delta would have never agreed to such a dangerous process had CrowdStrike disclosed it,” Delta’s complaint said.

In testimony to Congress, CrowdStrike executive Adam Meyers suggested that the faulty update did follow standard protocols. He explained that “CrowdStrike’s software code is certified by Microsoft” and that it’s “updated less frequently,” and “new configurations are sent with rapid occurrence to protect against threats as they evolve,” not to bypass security checks, as Delta alleged.

But by misleading customers about these security practices, Delta alleged, CrowdStrike put “profit ahead of protection and software stability.” As Delta sees it, CrowdStrike built in the unauthorized door so that it could claim to resolve security issues more quickly than competitors. And if a court agrees that CrowdStrike’s alleged failure to follow standard industry best practices does constitute, at the very least, “gross negligence,” Delta could win.

“While we aimed to reach a business resolution that puts customers first, Delta has chosen a different path,” CrowdStrike’s spokesperson told Ars. “Delta’s claims are based on disproven misinformation, demonstrate a lack of understanding of how modern cybersecurity works, and reflect a desperate attempt to shift blame for its slow recovery away from its failure to modernize its antiquated IT infrastructure. We have filed for a declaratory judgment to make it clear that CrowdStrike did not cause the harm that Delta claims and they repeatedly refused assistance from both CrowdStrike and Microsoft. Any claims of gross negligence and willful misconduct have no basis in fact.”

CrowdStrike sues to expose Delta’s IT flaws

In its court filing, however, CrowdStrike said there’s much more to the story than that. It has accused Delta of failing to follow laws, including best practices established by the Transportation Security Administration (TSA).

While many CrowdStrike customers got systems back up and running within a day of the outage, Delta’s issues stretched painfully for five days, disrupting travel for a million customers. According to CrowdStrike, the prolonged delay at Delta was not due to CrowdStrike failing to provide adequate assistance but allegedly due to Delta’s own negligence in complying with TSA requirements designed to ensure that no major airline ever experiences prolonged system outages.

“Despite the immediate response from CrowdStrike, it was Delta’s own response and IT infrastructure that caused delays in Delta’s ability to resume normal operation, resulting in a longer recovery period than other major airlines,” CrowdStrike’s complaint said.

In March 2023, the TSA added a cybersecurity emergency amendment to its cybersecurity programs. The amendment required airlines like Delta to develop “policies and controls to ensure that operational technology systems can continue to safely operate in the event that an information technology system has been compromised,” CrowdStrike’s complaint said.

Complying with the amendment ensured that airlines could “timely” respond to any exploitation of their cybersecurity or operating systems, CrowdStrike explained.

CrowdStrike realized that Delta was allegedly non-compliant with the TSA requirement and other laws when its “efforts to help remediate the issues revealed” alleged “technological shortcomings and failures to follow security best practices, including outdated IT systems, issues in Delta’s active directory environment, and thousands of compromised passwords.”

TSA declined Ars’ request to comment on whether it has any checks in place to ensure compliance with the emergency amendment.

While TSA has made no indication so far that it intends to investigate CrowdStrike’s claims, the Department of Transportation (DOT) is currently investigating Delta’s seemingly inferior customer service during the outage. That probe could lead to monetary fines, potentially further expanding Delta’s losses.

In a statement, DOT Secretary Pete Buttigieg said, “We have made clear to Delta that they must take care of their passengers and honor their customer service commitments. This is not just the right thing to do, it’s the law, and our department will leverage the full extent of our investigative and enforcement power to ensure the rights of Delta’s passengers are upheld.”

On X (formerly Twitter), Buttigieg said that the probe was sparked after DOT received hundreds of complaints about Delta’s response. A few days later, Buttigieg confirmed that the probe would “ensure the airline is following the law and taking care of its passengers during continued widespread disruptions.” But DOT declined Ars’ request to comment on whether DOT was investigating Delta’s alleged non-compliance with TSA security requirements, only noting that “TSA is not part of DOT.”

Will Microsoft be sued next?

Delta has been threatening legal action over the CrowdStrike outage since August, when Delta confirmed in an SEC filing that the outage caused “approximately 7,000 flight cancellations over five days.” At that time, Delta CEO Ed Bastian announced, “We are pursuing legal claims against CrowdStrike and Microsoft to recover damages caused by the outage, which total at least $500 million.”

But Delta’s lawsuit Friday notably does not name Microsoft as a defendant.

Ars could not immediately reach Delta’s lawyer, David Boies, to confirm if another lawsuit may be coming or if that legal threat to Microsoft was dropped.

It could be that Microsoft dissuaded Delta from filing a complaint. Immediately in August, Microsoft bucked Delta’s claims that the tech giant was in any way liable for Delta’s losses, The Register reported. In a letter to Boies, Microsoft lawyer Mark Cheffo wrote that Microsoft “empathizes” with Delta, but Delta’s public comments blaming Microsoft for the outage are “incomplete, false, misleading, and damaging to Microsoft and its reputation.”

“The truth is very different from the false picture you and Delta have sought to paint,” Cheffo wrote, noting that Microsoft did not cause the outage and Delta repeatedly turned down Microsoft’s offers to help restore its systems. That includes one instance where a Delta employee allegedly responded to a Microsoft inquiry three days after the outage by saying that Delta was “all good.” Additionally, a message from Microsoft CEO Satya Nadella to Delta’s Bastian allegedly went unanswered.

Cheffo alleged that Delta was cagey about accepting Microsoft’s help because “the IT system it was most having trouble restoring—its crew-tracking and scheduling system—was being serviced by other technology providers, such as IBM, because it runs on those providers’ systems, and not Microsoft Windows or Azure.”

According to Cheffo, Microsoft was “surprised” when Delta threatened to sue since the issues seemed to be with Delta’s IT infrastructure, not Microsoft’s services.

“Microsoft continues to investigate the circumstances surrounding the CrowdStrike incident to understand why other airlines were able to fully restore business operations so much faster than Delta, including American Airlines and United Airlines,” Cheffo wrote. “Our preliminary review suggests that Delta, unlike its competitors, apparently has not modernized its IT infrastructure, either for the benefit of its customers or for its pilots and flight attendants.”

At that time, Cheffo told Boies that Microsoft planned to “vigorously defend” against any litigation. Additionally, Microsoft’s lawyer demanded that Delta preserve documents, including ones showing “the extent to which non-Microsoft systems or software, including systems provided and/or designed by IBM, Oracle, Amazon Web Services, Kyndryl or others, and systems using other operating systems, such as Linux, contributed to the interruption of Delta’s business operations between July 19 and July 24.”

It seems possible that Cheffo’s letter spooked Delta out of naming Microsoft as a defendant in the lawsuit over the outage, potentially to avoid a well-resourced opponent or to save public face if Microsoft’s proposed discovery threatened to further expose Delta’s allegedly flawed IT infrastructure.

Microsoft declined Ars’ request to comment.

CrowdStrike says TOS severely limits damages

CrowdStrike appears to be echoing Microsoft’s defense tactics, arguing that Delta struggled to recover due to its own IT failures.

According to CrowdStrike, even if Delta’s breach of contract claims are valid, CrowdStrike’s terms of service severely limit damages. At most, CrowdStrike’s terms stipulate, damages owed to Delta may be “two times the value of the fees paid to service provider for the relevant subscription services subscription term,” which is likely substantially less than $500 million.

And Delta wants much more than lost revenue returned. Beyond the $500 million in losses, the airline has asked a Georgia court to calculate punitive damages and recoup Delta for future revenue losses as its reputation took a hit due to public backlash from Delta’s lackluster response to the outage.

“CrowdStrike must ‘own’ the disaster it created,” Delta’s complaint said, alleging that “CrowdStrike failed to exercise the slight diligence or care of the degree that persons of common sense, however inattentive they may be, would use under the same or similar circumstances.”

CrowdStrike is hoping a US district court jury will agree that Delta was the one that dropped the ball the most as the world scrambled to recover from the outage. The cybersecurity company has asked the jury to declare that any potential damages are limited by CrowdStrike’s subscriber terms and that “CrowdStrike was not grossly negligent and did not commit willful misconduct in any way.”

This story was updated to include CrowdStrike’s statement.

Ashley is a senior policy reporter for Ars Technica, dedicated to tracking social impacts of emerging policies and new technologies. She is a Chicago-based journalist with 20 years of experience.

Google accused of shadow campaigns redirecting antitrust scrutiny to Microsoft

On Monday, Microsoft came out guns blazing, posting a blog accusing Google of “dishonestly” funding groups conducting allegedly biased studies to discredit Microsoft and mislead antitrust enforcers and the public.

In the blog, Microsoft lawyer Rima Alaily alleged that an astroturf group called the Open Cloud Coalition will launch this week and will appear to be led by “a handful of European cloud providers.” In actuality, however, those smaller companies were secretly recruited by Google, which allegedly pays them “to serve as the public face” and “obfuscate” Google’s involvement, Microsoft’s blog said. In return, Google likely offered the cloud providers cash or discounts to join, Alaily alleged.

The Open Cloud Coalition is just one part of a “pattern of shadowy campaigns” that Google has funded, both “directly and indirectly,” to muddy the antitrust waters, Alaily alleged. The only other named example that Alaily gives while documenting this supposed pattern is the US-based Coalition for Fair Software Licensing (CFSL), which Alaily said has attacked Microsoft’s cloud computing business in the US, the United Kingdom, and the European Union.

That group is led by Ryan Triplette, who Alaily said is “a well-known lobbyist for Google in Washington, DC, but Google’s affiliation isn’t disclosed publicly by the organization.” An online search confirms Triplette was formerly a lobbyist for Franklin Square Group, which Politico reported represented Google during her time there.

Ars could not immediately reach the CFSL for comment. Google’s spokesperson told Ars that the company has “been a public supporter of CFSL for more than two years” and has “no idea what evidence Microsoft cites that we are the main funder of CFSL.” If Triplette was previously a lobbyist for Google, the spokesperson said, “that’s a weird criticism to make” since it’s likely “everybody in law, policy, etc.,” has “worked for Google, Microsoft, or Amazon at some point, in some capacity.”
