Policy

North Korean hacker got hired by US security vendor, immediately loaded malware

Teaching moment —

KnowBe4, which provides security awareness training, was fooled by stolen ID.

On the left, a stock photo. On the right, an AI-enhanced image based on the stock photo. The AI-enhanced image was submitted to KnowBe4 by a job applicant.

KnowBe4, a US-based security vendor, revealed that it unwittingly hired a North Korean hacker who attempted to load malware into the company’s network. KnowBe4 CEO and founder Stu Sjouwerman described the incident in a blog post yesterday, calling it a cautionary tale that was fortunately detected before causing any major problems.

“First of all: No illegal access was gained, and no data was lost, compromised, or exfiltrated on any KnowBe4 systems,” Sjouwerman wrote. “This is not a data breach notification, there was none. See it as an organizational learning moment I am sharing with you. If it can happen to us, it can happen to almost anyone. Don’t let it happen to you.”

KnowBe4 said it was looking for a software engineer for its internal IT AI team. The firm hired a person who, it turns out, was from North Korea and was “using a valid but stolen US-based identity” and a photo that was “enhanced” by artificial intelligence. There is now an active FBI investigation amid suspicion that the worker is what KnowBe4’s blog post called “an Insider Threat/Nation State Actor.”

KnowBe4 operates in 11 countries and is headquartered in Florida. It provides security awareness training, including phishing security tests, to corporate customers. If you occasionally receive a fake phishing email from your employer, you might be working for a company that uses the KnowBe4 service to test its employees’ ability to spot scams.

Person passed background check and video interviews

KnowBe4 hired the North Korean hacker through its usual process. “We posted the job, received resumes, conducted interviews, performed background checks, verified references, and hired the person. We sent them their Mac workstation, and the moment it was received, it immediately started to load malware,” the company said.

Even though the photo provided to HR was fake, the person who was interviewed for the job apparently looked enough like it to pass. KnowBe4’s HR team “conducted four video conference based interviews on separate occasions, confirming the individual matched the photo provided on their application,” the post said. “Additionally, a background check and all other standard pre-hiring checks were performed and came back clear due to the stolen identity being used. This was a real person using a valid but stolen US-based identity. The picture was AI ‘enhanced.’”

The two images at the top of this story are a stock photo and what KnowBe4 says is the AI fake based on the stock photo. The stock photo is on the left, and the AI fake is on the right.

The employee, referred to as “XXXX” in the blog post, was hired as a principal software engineer. The new hire’s suspicious activities were flagged by security software, leading KnowBe4’s Security Operations Center (SOC) to investigate:

On July 15, 2024, a series of suspicious activities were detected on the user beginning at 9:55 pm EST. When these alerts came in KnowBe4’s SOC team reached out to the user to inquire about the anomalous activity and possible cause. XXXX responded to SOC that he was following steps on his router guide to troubleshoot a speed issue and that it may have caused a compromise.

The attacker performed various actions to manipulate session history files, transfer potentially harmful files, and execute unauthorized software. He used a Raspberry Pi to download the malware. SOC attempted to get more details from XXXX including getting him on a call. XXXX stated he was unavailable for a call and later became unresponsive. At around 10:20 pm EST SOC contained XXXX’s device.

“Fake IT worker from North Korea”

The SOC analysis indicated that the loading of malware “may have been intentional by the user,” and the group “suspected he may be an Insider Threat/Nation State Actor,” the blog post said.

“We shared the collected data with our friends at Mandiant, a leading global cybersecurity expert, and the FBI, to corroborate our initial findings. It turns out this was a fake IT worker from North Korea,” Sjouwerman wrote.

KnowBe4 said it can’t provide much detail because of the active FBI investigation. But the person hired for the job may have logged into the company computer remotely from North Korea, Sjouwerman explained:

How this works is that the fake worker asks to get their workstation sent to an address that is basically an “IT mule laptop farm.” They then VPN in from where they really physically are (North Korea or over the border in China) and work the night shift so that they seem to be working in US daytime. The scam is that they are actually doing the work, getting paid well, and give a large amount to North Korea to fund their illegal programs. I don’t have to tell you about the severe risk of this. It’s good we have new employees in a highly restricted area when they start, and have no access to production systems. Our controls caught it, but that was sure a learning moment that I am happy to share with everyone.

No judge with Tesla stock should handle Elon Musk cases, watchdog argues

Elon Musk’s fight against Media Matters for America (MMFA)—a watchdog organization that he largely blames for an ad boycott that tanked Twitter/X’s revenue—has raised an interesting question about whether any judge owning Tesla stock might reasonably be considered biased when weighing any lawsuit centered on the tech billionaire.

In a court filing Monday, MMFA lawyers argued that “undisputed facts—including statements from Musk and Tesla—lay bare the interest Tesla shareholders have in this case.” According to the watchdog, any outcome in the litigation will likely impact Tesla’s finances, and that’s a problem because there’s a possibility that the judge in the case, Reed O’Connor, owns Tesla stock.

“X cannot dispute the public association between Musk—his persona, business practices, and public remarks—and the Tesla brand,” MMFA argued. “That association would lead a reasonable observer to ‘harbor doubts’ about whether a judge with a financial interest in Musk could impartially adjudicate this case.”

It’s still unclear if Judge O’Connor actually owns Tesla stock. But after MMFA’s legal team uncovered disclosures showing that he did as of last year, they argued that fact can only be clarified if the court views Tesla as a party with a “financial interest in the outcome of the case” under Texas law—“no matter how small.”

To make those facts clear, MMFA is now arguing that X must be ordered to add Tesla as an interested person in the litigation, which, a source familiar with the matter told Ars, would most likely lead to a recusal if O’Connor indeed still owned Tesla stock.

“At most, requiring X to disclose Tesla would suggest that judges owning stock in Tesla—the only publicly traded Musk entity—should recuse from future cases in which Musk himself is demonstrably central to the dispute,” MMFA argued.

Ars could not immediately reach X Corp’s lawyer for comment.

However, in X’s court filing opposing the motion to add Tesla as an interested person, X insisted that “Tesla is not a party to this case and has no interest in the subject matter of the litigation, as the business relationships at issue concern only X Corp.’s contracts with X’s advertisers.”

Calling MMFA’s motion “meritless,” X accused MMFA of strategizing to get Judge O’Connor disqualified in order to go “forum shopping” after MMFA received “adverse rulings” on motions to stay discovery and dismiss the case.

As to the question of whether any judge owning Tesla stock might be considered impartial in weighing Musk-centric cases, X argued that Judge O’Connor was just as duty-bound to reject an improper motion for recusal, should MMFA go that route, as he was to accept a proper motion.

“Courts are ‘reluctant to fashion a rule requiring judges to recuse themselves from all cases that might remotely affect nonparty companies in which they own stock,’” X argued.

Recently, judges have recused themselves from cases involving Musk without explaining why. In November, a prior judge in the very same Media Matters’ suit mysteriously recused himself, with The Hill reporting that it was likely that the judge’s “impartiality might reasonably be questioned” for reasons like a financial interest or personal bias. Then in June, another judge ruled he was disqualified to rule on a severance lawsuit raised by former Twitter executives without giving “a specific reason,” Bloomberg Law reported.

Should another recusal come in the MMFA lawsuit, it would be a rare example of a judge clearly disclosing a financial interest in a Musk case.

“The straightforward question is whether Musk’s statements and behavior relevant to this case affect Tesla’s stock price, not whether they are the only factor that affects it,” MMFA argued. “At the very least, there is a serious question about whether Musk’s highly unusual management practices mean Tesla must be disclosed as an interested party.”

Parties expect a ruling on MMFA’s motion in the coming weeks.

Lawsuit: T-Mobile must pay for breaking lifetime price guarantee

T-Mobile class action —

Class action filed over price hikes on plans with Un-contract price guarantee.

John Legere, then-CEO of T-Mobile, at an event on March 26, 2013, in New York City.

Getty Images | John Moore

Angry T-Mobile customers have filed a class action lawsuit over the carrier’s decision to raise prices on plans that were advertised as having a lifetime price guarantee.

“Based upon T-Mobile’s representations that the rates offered with respect to certain plans were guaranteed to last for life or as long as the customer wanted to remain with that plan, each Plaintiff and the Class Members agreed to these plans for wireless cellphone service from T-Mobile,” said the complaint filed in US District Court for the District of New Jersey. “However, in May 2024, T-Mobile unilaterally did away with these legacy phone plans and switched Plaintiffs and the Class to more expensive plans without their consent.”

The complaint, filed on July 12, has four named plaintiffs who live in New Jersey, Georgia, Nevada, and Pennsylvania. They are seeking to represent a class of all US residents “who entered into a T-Mobile One Plan, Simple Choice plan, Magenta, Magenta Max, Magenta 55+, Magenta Amplified or Magenta Military Plan with T-Mobile which included a promised lifetime price guarantee but had their price increased without their consent and in violation of the promises made by T-Mobile and relied upon by Plaintiffs and the proposed class.”

The complaint seeks “restitution of all amounts obtained by Defendant as a result of its violation,” plus interest. It also seeks statutory and punitive damages, and an injunction to prevent further “wrongful, unlawful, fraudulent, deceptive, and unfair conduct.”

“T-Mobile will never change the price you pay”

The lawsuit’s allegations will be familiar to those who read our previous articles on the recent price hikes of up to $5 per line. In January 2017, T-Mobile issued a press release announcing the “Un-contract” promise for T-Mobile One plans. “Now, T-Mobile One customers keep their price until THEY decide to change it. T-Mobile will never change the price you pay for your T-Mobile One plan,” the company said at the time.

The price guarantee was also hyped by then-CEO John Legere at a press event in Las Vegas. But separately from the announcement, T-Mobile revealed a significant caveat that essentially nullified the promise. T-Mobile said in a FAQ on its website that the only guarantee was T-Mobile would pay your final month’s bill if the carrier raised the price and you decided to cancel.

Many customers saw the prominent lifetime price guarantee but not T-Mobile’s contradiction of that promise and signed up for plans thinking their prices would never be raised. The “Un-contract promise” was offered on certain plans between January 5, 2017, and April 27, 2022.

T-Mobile started offering a different guarantee called Price Lock on April 28, 2022. This was originally more ironclad than the Un-contract, and customers who snagged it were apparently not impacted by this year’s price increases.

But T-Mobile then created a confusing situation with Price Lock. The stronger version of Price Lock was offered from April 28, 2022, to January 17, 2024. It was replaced by a weaker version that is still called Price Lock but is basically the same as the Un-contract. Customers who signed up for Price Lock on or after January 18, 2024, don’t actually have a price lock—but they can get their final month’s bill covered if T-Mobile raises the price and they decide to cancel.

After the price hikes, several T-Mobile customers contacted Ars to express their displeasure. One of those customers said that he canceled and tried to get his final month’s bill covered, but T-Mobile refused to provide the refund. The Federal Communications Commission told us it had received about 1,600 consumer complaints about the price hikes as of late June.

Appeals Court denies stay to states trying to block EPA’s carbon limits

You can’t stay here —

The EPA’s plan to cut carbon emissions from power plants can go ahead.

On Friday, the US Court of Appeals for the DC Circuit denied a request to put a hold on recently formulated rules that would limit carbon emissions made by fossil fuel power plants. The request, made as part of a case that sees 25 states squaring off against the EPA, would have put the federal government’s plan on hold while the case continued. Instead, the EPA will be allowed to continue the process of putting its rules into effect, and the larger case will be heard under an accelerated schedule.

Here we go again

The EPA’s efforts to regulate carbon emissions from power plants go back all the way to the second Bush administration, when a group of states successfully sued the EPA to force it to regulate greenhouse gas emissions. This led to a formal endangerment finding regarding greenhouse gases during the Obama administration, something that remained unchallenged even during Donald Trump’s term in office.

Obama tried to regulate emissions through the Clean Power Plan, but his second term came to an end before this plan had cleared court hurdles, allowing the Trump administration to formulate a replacement that did far less than the Clean Power Plan. This took place against a backdrop of accelerated displacement of coal by natural gas and renewables that had already surpassed the changes envisioned under the Clean Power Plan.

In any case, the Trump plan was thrown out by the courts on the day before Biden’s administration began, allowing his EPA to start with a clean slate. Biden’s original plan, which would have had states regulate emissions from their electric grids by regulating them as a single system, was thrown out by the Supreme Court, which ruled that emissions would need to be regulated on a per-plant basis in a decision termed West Virginia v. EPA.

So, that’s what the agency is now trying to do. Its plan, issued last year, would allow fossil-fuel-burning plants that are being shut down in the early 2030s to continue operating without restrictions. Others will need to either install carbon capture equipment, or natural gas plants could swap in green hydrogen as their primary fuel.

And again

In response, 25 states have sued to block the rule (you can check out this filing to see if yours is among them). The states also sought a stay that would prevent the rule from being implemented while the case went forward. In it, they argue that carbon capture technology isn’t mature enough to form the basis of these regulations (something we predicted was likely to be a point of contention). The suit also suggests that the rules would effectively put coal out of business, something that’s beyond the EPA’s remit.

The DC Court of Appeals, however, was not impressed, ruling that the states’ arguments regarding carbon capture are insufficient: “Petitioners have not shown they are likely to succeed on those claims given the record in this case.” And that’s the key hurdle for determining whether a stay is justified. And the regulations don’t pose a likelihood of irreparable harm, as the court notes that states aren’t even expected to submit a plan for at least two years, and the regulations won’t kick in until 2030 at the earliest.

Meanwhile, the states cited the Supreme Court’s West Virginia v. EPA decision to argue against these rules, suggesting they represent a “major question” that requires input from Congress. The Court was also not impressed, writing that “EPA has claimed only the power to ‘set emissions limits under Section 111 based on the application of measures that would reduce pollution by causing the regulated source to operate more cleanly,’ a type of conduct that falls well within EPA’s bailiwick.”

To respond to the states’ concerns about the potential for irreparable harm, the court plans to consider them during the 2024 term and has given the parties just two weeks to submit proposed schedules for briefings on the case.

AT&T failed to test disastrous update that kicked all devices off network

A government investigation has revealed more detail on the impact and causes of a recent AT&T outage that happened immediately after a botched network update. The nationwide outage on February 22, 2024, blocked over 92 million phone calls, including over 25,000 attempts to reach 911.

As described in more detail later in this article, the FCC criticized AT&T for not following best practices, which dictate “that network changes must be thoroughly tested, reviewed, and approved” before implementation. It took over 12 hours for AT&T to fully restore service.

“All voice and 5G data services for AT&T wireless customers were unavailable, affecting more than 125 million devices, blocking more than 92 million voice calls, and preventing more than 25,000 calls to 911 call centers,” the Federal Communications Commission said yesterday. The outage affected all 50 states as well as Washington, DC, Puerto Rico, and the US Virgin Islands.

The outage also cut off service to public safety users on the First Responder Network Authority (FirstNet), the FCC report said. “Voice and 5G data services were also unavailable to users from mobile virtual network operators (MVNOs) and other wireless customers who were roaming on AT&T Mobility’s network,” the FCC said.

An incorrect process

AT&T previously acknowledged that the mobile outage was caused by a botched update related to a network expansion. The “outage was caused by the application and execution of an incorrect process used as we were expanding our network, not a cyber attack,” AT&T said.

The FCC report said the nationwide outage began three minutes after “AT&T Mobility implemented a network change with an equipment configuration error.” This configuration error caused the AT&T network “to enter ‘protect mode’ to prevent impact to other services, disconnecting all devices from the network, and prompting a loss of voice and 5G data service for all wireless users.”

While the network change was rolled back within two hours, full service restoration “took at least 12 hours because AT&T Mobility’s device registration systems were overwhelmed with the high volume of requests for re-registration onto the network,” the FCC found.

Outage reveals deeper problems at AT&T

Although a configuration error was the immediate cause of the outage, the FCC investigation revealed various problems in AT&T’s processes that increased the likelihood of an outage and made recovery more difficult than it should have been. The FCC Public Safety and Homeland Security Bureau analyzed network outage reports and written responses submitted by AT&T and interviewed AT&T employees. The bureau’s report said:

The Bureau finds that the extensive scope and duration of this outage was the result of several factors, all attributable to AT&T Mobility, including a configuration error, a lack of adherence to AT&T Mobility’s internal procedures, a lack of peer review, a failure to adequately test after installation, inadequate laboratory testing, insufficient safeguards and controls to ensure approval of changes affecting the core network, a lack of controls to mitigate the effects of the outage once it began, and a variety of system issues that prolonged the outage once the configuration error had been remedied.

At 2:42 am CST on February 22, an AT&T “employee placed a new network element into its production network during a routine night maintenance window in order to expand network functionality and capacity,” the FCC said. The configuration “did not conform to AT&T’s established network element design and installment procedures, which require peer review.”

An adequate peer review should have prevented the network change from being approved and from being loaded onto the network, but this peer review did not take place, the FCC said. The configuration error was made by one employee, and the misconfigured network element was loaded onto the network by a second employee.

“The fact that the network change was loaded onto the AT&T Mobility network indicates that AT&T Mobility had insufficient oversight and controls in place to ensure that approval had occurred prior to loading,” the FCC said.

AT&T faces possible punishment

AT&T issued a statement saying it has “implemented changes to prevent what happened in February from occurring again. We fell short of the standards that we hold ourselves to, and we regret that we failed to meet the expectations of our customers and the public safety community.”

AT&T could eventually face some kind of punishment. The Public Safety and Homeland Security Bureau referred the matter to the FCC Enforcement Bureau for potential violations of FCC rules.

Verizon Wireless last month agreed to pay a $1,050,000 fine and implement a compliance plan because of a December 2022 outage in six states that lasted one hour and 44 minutes. The Verizon outage was similarly caused by a botched update, and the FCC investigation revealed systemic problems that made the company prone to such outages.

Meta risks sanctions over “sneaky” ad-free plans confusing users, EU says

Under pressure —

Consumer laws may change Meta’s ad-free plans before EU’s digital crackdown does.

The European Commission (EC) has finally taken action to block Meta’s heavily criticized plan to charge a subscription fee to users who value privacy on its platforms.

Surprisingly, this step wasn’t taken under laws like the Digital Services Act (DSA), the Digital Markets Act (DMA), or the General Data Protection Regulation (GDPR).

Instead, the EC announced Monday that Meta risked sanctions under EU consumer laws if it could not resolve key concerns about Meta’s so-called “pay or consent” model.

Meta’s model is seemingly problematic, the commission said, because Meta “requested consumers overnight to either subscribe to use Facebook and Instagram against a fee or to consent to Meta’s use of their personal data to be shown personalized ads, allowing Meta to make revenue out of it.”

Because users were given such short notice, they may have been “exposed to undue pressure to choose rapidly between the two models, fearing that they would instantly lose access to their accounts and their network of contacts,” the EC said.

To protect consumers, the EC joined national consumer protection authorities, sending a letter to Meta requiring the tech giant to propose solutions to resolve the commission’s biggest concerns by September 1.

That Meta’s “pay or consent” model may be “misleading” is a top concern because it uses the term “free” for ad-based plans, even though Meta “can make revenue from using their personal data to show them personalized ads.” It seems that while Meta does not consider giving away personal information to be a cost to users, the EC’s commissioner for justice, Didier Reynders, apparently does.

“Consumers must not be lured into believing that they would either pay and not be shown any ads anymore, or receive a service for free, when, instead, they would agree that the company used their personal data to make revenue with ads,” Reynders said. “EU consumer protection law is clear in this respect. Traders must inform consumers upfront and in a fully transparent manner on how they use their personal data. This is a fundamental right that we will protect.”

Additionally, the EC is concerned that Meta users might be confused about how “to navigate through different screens in the Facebook/Instagram app or web-version and to click on hyperlinks directing them to different parts of the Terms of Service or Privacy Policy to find out how their preferences, personal data, and user-generated data will be used by Meta to show them personalized ads.” They may also find Meta’s “imprecise terms and language” confusing, such as Meta referring to “your info” instead of clearly referring to consumers’ “personal data.”

To resolve the EC’s concerns, Meta may have to give EU users more time to decide if they want to pay to subscribe or consent to personal data collection for targeted ads. Or Meta may have to take more drastic steps by altering language and screens used when securing consent to collect data or potentially even scrapping its “pay or consent” model entirely, as pressure in the EU mounts.

So far, Meta has defended its model against claims that it violates the DMA, the DSA, and the GDPR, and Meta’s spokesperson told Ars that Meta continues to defend the model while facing down the EC’s latest action.

“Subscriptions as an alternative to advertising are a well-established business model across many industries,” Meta’s spokesperson told Ars. “Subscription for no ads follows the direction of the highest court in Europe and we are confident it complies with European regulation.”

Meta’s model is “sneaky,” EC said

Since last year, the social media company has argued that its “subscription for no ads” model was “endorsed” by the highest court in Europe, the Court of Justice of the European Union (CJEU).

However, privacy advocates have noted that this alleged endorsement came following a CJEU case under the GDPR and was only presented as a hypothetical, rather than a formal part of the ruling, as Meta seems to interpret.

What the CJEU said was that “users must be free to refuse individually”—”in the context of” signing up for services—”to give their consent to particular data processing operations not necessary” for Meta to provide such services “without being obliged to refrain entirely from using the service.” That “means that those users are to be offered, if necessary for an appropriate fee, an equivalent alternative not accompanied by such data processing operations,” the CJEU said.

The nuance here may matter when it comes to Meta’s proposed solutions even if the EC accepts the CJEU’s suggestion of an acceptable alternative as setting some sort of legal precedent. Because the consumer protection authorities raised the action due to Meta suddenly changing the consent model for existing users—not “in the context of” signing up for services—Meta may struggle to persuade the EC that existing users weren’t misled and pressured into paying for a subscription or consenting to ads, given how fast Meta’s policy shifted.

Meta risks sanctions if a compromise can’t be reached, the EC said. Under the EU’s Unfair Contract Terms Directive, for example, Meta could be fined up to 4 percent of its annual turnover if consumer protection authorities are unsatisfied with Meta’s proposed solutions.

The EC’s vice president for values and transparency, Věra Jourová, provided a statement in the press release, calling Meta’s abrupt introduction of the “pay or consent” model “sneaky.”

“We are proud of our strong consumer protection laws which empower Europeans to have the right to be accurately informed about changes such as the one proposed by Meta,” Jourová said. “In the EU, consumers are able to make truly informed choices and we now take action to safeguard this right.”

Can the solar industry keep the lights on?

Founded in Dresden in the early 1990s, Germany’s Solarwatt quickly became an emblem of Europe’s renewable energy ambitions and bold plan to build a solar power industry.

Its opening of a new solar panel plant in Dresden in late 2021 was hailed as a small victory in the battle to wrestle market share from the Chinese groups that have historically supplied the bulk of panels used in Europe.

Now, Solarwatt is preparing to halt production at the plant and shift that work to China.

“It is a big pity for our employees, but from an economic point of view we could not do otherwise,” said Peter Bachmann, the company’s chief product officer.

Solarwatt is not alone. A global supply glut has pummelled solar panel prices over the past two years, leaving swaths of Europe’s manufacturers unprofitable, threatening US President Joe Biden’s ambition to turn America into a renewable energy force and even ricocheting back on the Chinese companies that dominate the global market.

“We are in a crisis,” said Johan Lindahl, secretary-general of the European Solar Manufacturing Council, the European industry’s trade body.

Yet as companies in Europe, the US, and China cut jobs, delay projects, and mothball facilities, an abundance of cheap solar panels has delivered one significant upside—consumers and businesses are installing them in ever greater numbers.

Electricity generated from solar power is expected to surpass that of wind and nuclear by 2028, according to the International Energy Agency.

The picture underlines the quandary confronting governments that have pledged to decarbonise their economies, but will find doing so harder unless the historic shift from fossil fuels is both affordable for the public and creates new jobs.

Governments face a “delicate and difficult balancing act,” said Michael Parr, director of trade group Ultra Low Carbon Solar Alliance. They must “maximize renewables deployment and carbon reductions, bolster domestic manufacturing sectors, keep energy prices low, and ensure energy security.”

The industry, which spans wafer, cell, and panel manufacturers, as well as companies that install panels, employed more than 800,000 people in Europe at the end of last year, according to SolarPower Europe. In the US almost 265,000 work in the sector, figures from the Interstate Renewable Energy Council show.

“There is overcapacity in every segment, starting with polysilicon and finishing with the module,” said Yana Hryshko, head of global solar supply chain research at the consultancy Wood Mackenzie.

According to BloombergNEF, panel prices have plunged more than 60 percent since July 2022. The scale of the damage inflicted has sparked calls for Brussels to protect European companies from what the industry says are state-subsidized Chinese products.

Europe’s solar panel manufacturing capacity has collapsed by about half to 3 gigawatts since November as companies have failed, mothballed facilities, or shifted production abroad, the European Solar Manufacturing Council estimates. In rough terms, a gigawatt can potentially supply electricity for 1mn homes.

The hollowing out comes as the EU is banking on solar power playing a major role in the bloc meeting its target of generating 45 percent of its energy from renewable sources by 2030. In the US, the Biden administration has set a target of achieving a 100 percent carbon pollution-free electricity grid by 2035.

Climate change is a global challenge, but executives said the solar industry’s predicament exposed how attempts to address it can quickly fracture along national and regional lines.

“There’s trade policy and then there’s climate policy, and they aren’t in sync,” said Andres Gluski, chief executive of AES, one of the world’s biggest developers of clean energy. “That’s a problem.”

Brussels has so far resisted demands to impose tariffs. It first levied them in 2012 but reversed that in 2018, partly in what proved a successful attempt to quicken the uptake of solar. Chinese imports now account for the lion’s share of Europe’s solar panels.

In May, the European Commission introduced the Net Zero Industry Act, legislation aimed at bolstering the bloc’s clean energy industries by cutting red tape and promoting a regional supply chain.

But Gunter Erfurt, chief executive of Switzerland-based Meyer Burger, the country’s largest solar panel maker, is skeptical it will be enough.

“You need to create a level playing field,” he said. Meyer Burger would benefit if the EU imposed tariffs because it has operations in Germany.


Apple “clearly underreporting” child sex abuse, watchdogs say

After years of controversies over plans to scan iCloud to find more child sexual abuse materials (CSAM), Apple abandoned those plans last year. Now, child safety experts have accused the tech giant of not only failing to flag CSAM exchanged and stored on its services—including iCloud, iMessage, and FaceTime—but also allegedly failing to report all the CSAM that is flagged.

The United Kingdom’s National Society for the Prevention of Cruelty to Children (NSPCC) shared UK police data with The Guardian showing that Apple is “vastly undercounting how often” CSAM is found globally on its services.

According to the NSPCC, police investigated more CSAM cases in just the UK alone in 2023 than Apple reported globally for the entire year. Between April 2022 and March 2023 in England and Wales, the NSPCC found, “Apple was implicated in 337 recorded offenses of child abuse images.” But in 2023, Apple only reported 267 instances of CSAM to the National Center for Missing & Exploited Children (NCMEC), supposedly representing all the CSAM on its platforms worldwide, The Guardian reported.

Large tech companies in the US must report CSAM to NCMEC when it’s found, but while Apple reports a couple hundred CSAM cases annually, its big tech peers like Meta and Google report millions, NCMEC’s report showed. Experts told The Guardian that there’s ongoing concern that Apple “clearly” undercounts CSAM on its platforms.

Richard Collard, the NSPCC’s head of child safety online policy, told The Guardian that he believes Apple’s child safety efforts need major improvements.

“There is a concerning discrepancy between the number of UK child abuse image crimes taking place on Apple’s services and the almost negligible number of global reports of abuse content they make to authorities,” Collard told The Guardian. “Apple is clearly behind many of their peers in tackling child sexual abuse when all tech firms should be investing in safety and preparing for the rollout of the Online Safety Act in the UK.”

Outside the UK, other child safety experts shared Collard’s concerns. Sarah Gardner, the CEO of a Los Angeles-based child protection organization called the Heat Initiative, told The Guardian that she considers Apple’s platforms a “black hole” obscuring CSAM. And she expects that Apple’s efforts to bring AI to its platforms will intensify the problem, potentially making it easier to spread AI-generated CSAM in an environment where sexual predators may expect less enforcement.

“Apple does not detect CSAM in the majority of its environments at scale, at all,” Gardner told The Guardian.

Gardner agreed with Collard that Apple is “clearly underreporting” and has “not invested in trust and safety teams to be able to handle this” as it rushes to bring sophisticated AI features to its platforms. Last month, Apple integrated ChatGPT into Siri, iOS and Mac OS, perhaps setting expectations for continually enhanced generative AI features to be touted in future Apple gear.

“The company is moving ahead to a territory that we know could be incredibly detrimental and dangerous to children without the track record of being able to handle it,” Gardner told The Guardian.

So far, Apple has not commented on the NSPCC’s report. Last September, Apple did respond to the Heat Initiative’s demands to detect more CSAM, saying that rather than focusing on scanning for illegal content, its focus is on connecting vulnerable or victimized users directly with local resources and law enforcement that can assist them in their communities.


FCC blasts T-Mobile’s 365-day phone locking, proposes 60-day unlock rule

Citing frustration with mobile carriers enforcing different phone-unlocking policies that are bad for consumers, the Federal Communications Commission is proposing a 60-day unlocking requirement that would apply to all wireless providers.

The industry’s “confusing and disparate cell phone unlocking policies” mean that “some consumers can unlock their phones with relative ease, while others face significant barriers,” Commissioner Geoffrey Starks said at yesterday’s FCC meeting. “It also means certain carriers are subject to mandatory unlocking requirements while others are free to dictate their own. This asymmetry is bad for both consumers and competition.”

The FCC is “proposing a uniform 60-day unlocking policy” so that “consumers can choose the carrier that offers them the best value,” Starks said. Unlocking a phone allows it to be used on a different carrier’s network as long as the phone is compatible.

The FCC approved the Notice of Proposed Rulemaking (NPRM) in a 5-0 vote. That begins a public comment period that could lead to a final rulemaking. A draft of the NPRM said the FCC “propose[s] to require all mobile wireless service providers to unlock handsets 60 days after a consumer’s handset is activated with the provider, unless within the 60-day period the service provider determines the handset was purchased through fraud.”

T-Mobile prepaid imposes 365-day lock

FCC Chairwoman Jessica Rosenworcel said that unlocking requirements have been imposed by the FCC in spectrum auctions and by the Department of Justice as a merger condition, but “restrictions on consumers unlocking their phones have persisted.”

“You bought your phone, you should be able to take it to any provider you want,” Rosenworcel said. “Some providers already operate this way. Others do not. In fact, some have recently increased the time their customers must wait until they can unlock their device by as much as 100 percent.”

Rosenworcel apparently was referring to a prepaid brand offered by T-Mobile. The NPRM draft said that “T-Mobile recently increased its locking period for one of its brands, Metro by T-Mobile, from 180 days to 365 days.” The 365-day rule brought Metro into line with other T-Mobile prepaid phones that already came with the year-long lock. We reached out to T-Mobile and will update this article if it provides a comment.

A merger condition imposed on T-Mobile’s purchase of Sprint merely requires that it unlock prepaid phones within one year. T-Mobile imposes different unlocking policies on prepaid and postpaid phones. For postpaid devices, T-Mobile says it will unlock phones that have been active for at least 40 days, but only if any associated financing or leasing agreement has been paid in full.

Exactly how the FCC’s proposed rules will apply to phones that haven’t been paid off is to be determined. The FCC will “seek comment on how our proposal might affect the incentive and ability of wireless providers to continue offering discounts on handsets, particularly in connection with extended payment plans, and lower prices on plans with minimum term commitments.”

One question asked in the draft NPRM suggests the FCC could require unlocking once a consumer with a device payment plan has made the first payment. The FCC asked:

Alternatively, should we require service providers to unlock handsets after a period shorter or longer than 60 days? For example, should we require all handsets to be unlocked by default upon activation? Or, should we require all handsets to be unlocked after the end of the handset’s return period or after the first payment on the handset has been processed? Would a standardized time period of a certain number of days be easier to implement and enforce than non-standardized time periods based on return periods or billing cycles? What is the minimum amount of time service providers need to protect themselves from handset fraud? Rather than locking handsets, are there other ways service providers can protect themselves from handset fraud that would allow the Commission to prohibit the locking of handsets altogether?


Elon Musk’s X tests letting users request Community Notes on bad posts

Continuing to evolve the fact-checking service that launched as Twitter’s Birdwatch, X has announced that Community Notes can now be requested to clarify problematic posts spreading on Elon Musk’s platform.

X’s Community Notes account confirmed late Thursday that, due to “popular demand,” X had launched a pilot test on the web-based version of the platform. The test is active now and the same functionality will be “coming soon” to Android and iOS, the Community Notes account said.

Through the current web-based pilot, if you’re an eligible user, you can click on the “•••” menu on any X post on the web and request fact-checking from one of Community Notes’ top contributors, X explained. If X receives five or more requests within 24 hours of the post going live, a Community Note will be added.

Only X users with verified phone numbers will be eligible to request Community Notes, X said, and to start, users will be limited to five requests a day.

“The limit may increase if requests successfully result in helpful notes, or may decrease if requests are on posts that people don’t agree need a note,” X’s website said. “This helps prevent spam and keep note writers focused on posts that could use helpful notes.”

Once X receives five or more requests for a Community Note within a single day, top contributors with diverse views will be alerted to respond. On X, top contributors are constantly changing, as their notes are voted as either helpful or not. If at least 4 percent of their notes are rated “helpful,” X explained on its site, and the impact of their notes meets X standards, they can be eligible to receive alerts.

“A contributor’s Top Writer status can always change as their notes are rated by others,” X’s website said.

Ultimately, X considers notes helpful if they “contain accurate, high-quality information” and “help inform people’s understanding of the subject matter in posts,” X said on another part of its site. To gauge the former, X said that the platform partners with “professional reviewers” from the Associated Press and Reuters. X also continually monitors whether notes marked helpful by top writers match what general X users marked as helpful.

“We don’t expect all notes to be perceived as helpful by all people all the time,” X’s website said. “Instead, the goal is to ensure that on average notes that earn the status of Helpful are likely to be seen as helpful by a wide range of people from different points of view, and not only be seen as helpful by people from one viewpoint.”

X will also be allowing half of the top contributors to request notes during the pilot phase, which X said will help the platform evaluate “whether it is beneficial for Community Notes contributors to have both the ability to write notes and request notes.”

According to X, the criteria for requesting a note have intentionally been designed to be simple during the pilot stage, but X expects “these criteria to evolve, with the goal that requests are frequently found valuable to contributors, and not noisy.”

It’s hard to tell from the outside looking in how helpful Community Notes are to X users. The most recent Community Notes survey data that X points to is from 2022 when the platform was still called Twitter and the fact-checking service was still called Birdwatch.

That data showed that “on average,” users were “20–40 percent less likely to agree with the substance of a potentially misleading Tweet than someone who sees the Tweet alone.” And based on Twitter’s “internal data” at that time, the platform also estimated that “people on Twitter who see notes are, on average, 15–35 percent less likely to Like or Retweet a Tweet than someone who sees the Tweet alone.”


Elon Musk’s X may succeed in blocking Calif. content moderation law on appeal

Judgment call —

Elon Musk’s X previously failed to block the law on First Amendment grounds.

Elon Musk’s fight defending X’s content moderation decisions isn’t just with hate speech researchers and advertisers. He has also long been battling regulators, and this week, he seemed positioned to secure a potentially big win in California, where he’s hoping to permanently block a law that he claims unconstitutionally forces his platform to justify its judgment calls.

At a hearing Wednesday, three judges in the 9th US Circuit Court of Appeals seemed inclined to agree with Musk that a California law requiring disclosures from social media companies that clearly explain their content moderation choices likely violates the First Amendment.

Passed in 2022, AB-587 forces platforms like X to submit a “terms of service report” detailing how they moderate several categories of controversial content. Those categories include hate speech or racism, extremism or radicalization, disinformation or misinformation, harassment, and foreign political interference, which X’s lawyer, Joel Kurtzberg, told judges yesterday “are the most controversial categories of so-called awful but lawful speech.”

The law would seemingly require more transparency than ever from X, making it easy for users to track exactly how much controversial content X flags and removes—and perhaps most notably for advertisers, how many users viewed concerning content.

To block the law, X sued in 2023, arguing that California was trying to dictate its terms of service and force the company to make statements on content moderation that could generate backlash. X worried that the law “impermissibly” interfered with both “the constitutionally protected editorial judgments” of social media companies, as well as impacted users’ speech by requiring companies “to remove, demonetize, or deprioritize constitutionally protected speech that the state deems undesirable or harmful.”

Any companies found to be non-compliant could face stiff fines of up to $15,000 per violation per day, which X considered “draconian.” But last year, a lower court declined to block the law, prompting X to appeal, and yesterday, the appeals court seemed more sympathetic to X’s case.

At the hearing, Kurtzberg told judges that the law was “deeply threatening to the well-established First Amendment interests” of an “extraordinary diversity of” people, which is why X’s complaint was supported by briefs from reporters, freedom of the press advocates, First Amendment scholars, “conservative entities,” and people across the political spectrum.

All share “a deep concern about a statute that, on its face, is aimed at pressuring social media companies to change their content moderation policies, so as to carry less or even no expression that’s viewed by the state as injurious to its people,” Kurtzberg told judges.

When the court pointed out that seemingly the law simply required X to abide by content moderation policies for each category defined in its own terms of service—and did not compel X to adopt any policy or position that it did not choose—Kurtzberg pushed back.

“They don’t mandate us to define the categories in a specific way, but they mandate us to take a position on what the legislature makes clear are the most controversial categories to moderate and define,” Kurtzberg said. “We are entitled to respond to the statute by saying we don’t define hate speech or racism. But the report also asks about policies that are supposedly, quote, ‘intended’ to address those categories, which is a judgment call.”

“This is very helpful,” Judge Anthony Johnstone responded. “Even if you don’t yourself define those categories in the terms of service, you read the law as requiring you to opine or discuss those categories, even if they’re not part of your own terms,” and “you are required to tell California essentially your views on hate speech, extremism, harassment, foreign political interference, how you define them or don’t define them, and what you choose to do about them?”

“That is correct,” Kurtzberg responded, noting that X considered those categories the most “fraught” and “difficult to define.”


FCC closes “final loopholes” that keep prison phone prices exorbitantly high

The Federal Communications Commission today voted to lower price caps on prison phone calls and closed a loophole that allowed prison telecoms to charge high rates for intrastate calls. Today’s vote will cut the price of interstate calls in half and set price caps on intrastate calls for the first time.

The FCC said it “voted to end exorbitant phone and video call rates that have burdened incarcerated people and their families for decades. Under the new rules, the cost of a 15-minute phone call will drop to $0.90 from as much as $11.35 in large jails and, in small jails, to $1.35 from $12.10.”

The new rules are expected to take effect in January 2025 for all prisons and for jails with at least 1,000 incarcerated people. The rate caps would take effect in smaller jails in April 2025.

Worth Rises, a nonprofit group advocating for prison reform, said it “estimates that the new rules will impact 83 percent of incarcerated people (about 1.4 million) and save impacted families at least $500 million annually.”

New power over intrastate calls

The FCC has taken numerous votes to lower prison phone rates over the years, but today’s is particularly significant. While the FCC was previously able to cap prices of interstate calls, an attempt to set prices for intrastate calls was struck down in court in 2017.

Prison phone companies could sue again. But the FCC said it now has authority over intrastate prison phone prices because of the Martha Wright-Reed Just and Reasonable Communications Act, which was approved by Congress and signed by President Biden in January 2023. The new law “empowered the FCC to close the final loopholes in the communications system,” the commission said.

The 2023 law—named for a grandmother who campaigned for lower prison phone rates—“removes the principal statutory limitations that had prevented the Commission from setting comprehensive just and reasonable rates,” the FCC said. Specifically, the law removed “limits to the Commission’s ability to regulate rates for intrastate calls and video communications.”

More than half of prison audio call traffic is intrastate, with the calling and called parties both in the same state, according to data in a draft of the FCC order released before the meeting.

The FCC’s work to reduce prison phone rates “was not always embraced by the courts,” Chairwoman Jessica Rosenworcel said today. “We were told—over and over again—that the commission did not have the authority to address every aspect of these rates, because while interstate calls fell within our jurisdiction, intrastate calls did not.”

Previously, the FCC imposed price caps on interstate calls ranging from $0.14 to $0.21 per minute for audio calls, depending on the size of the facility. Going forward, a uniform set of price caps ranging from $0.06 to $0.12 per minute will apply to both interstate and intrastate calls.
