Policy

After breach, senators ask why AT&T stores call records on “AI Data Cloud”

US senators want AT&T to explain why it stores massive amounts of call and text message records on a third-party analytics platform that bills itself as an “AI Data Cloud.”

AT&T revealed last week that “customer data was illegally downloaded from our workspace on a third-party cloud platform,” and that the breach “includes files containing AT&T records of calls and texts of nearly all of AT&T’s cellular customers.” The third-party platform is Snowflake, and AT&T is one of many Snowflake corporate customers that had data stolen. Ticketmaster is another notable company affected by the breach.

AT&T and Snowflake each got letters yesterday from US Sens. Richard Blumenthal (D-Conn.) and Josh Hawley (R-Mo.), the chair and ranking member of the Senate Judiciary Subcommittee on Privacy, Technology, and the Law. The senators asked AT&T CEO John Stankey to answer a series of questions, including this one:

Why had AT&T retained months of detailed records of customer communication for an extended amount of time and why had AT&T uploaded that sensitive information onto a third party analytics platform? What is AT&T policy, including timelines, concerning retaining and using such information?

AT&T’s disclosures to customers and to the Securities and Exchange Commission didn’t explain how Snowflake is used by AT&T. Snowflake’s website says the company’s cloud platform provides opportunities for collaborating and sharing data:

Powering the AI Data Cloud is Snowflake’s single platform. Its unique architecture connects businesses globally, at practically any scale to bring data and workloads together. Together with the Snowflake Marketplace which simplifies the sharing, collaborating, and monetizing of thousands of datasets, services, and entire data applications—this creates the active and growing AI Data Cloud.

AT&T a featured customer

There was already a public explanation for why AT&T uses Snowflake, but it’s written in marketing speak and isn’t likely to directly answer the senators’ questions. Sometime before the hacks, Snowflake posted a glowing case study on how AT&T lowered costs and gained “faster insights” by switching from internal systems to Snowflake.

Snowflake says it provides a telecom-focused AI Data Cloud service that helps firms like AT&T “improve customer experiences, maximize operational efficiency and increase profitability by reducing costs and monetizing new data products.” AT&T’s decision to move data to Snowflake apparently allowed it to abandon “complex on-premises systems, including Hadoop” that “were slowing down business.”

“The Snowflake Data Cloud has given us the power to harness and integrate data to create insights,” AT&T Chief Data Officer Andy Markus is quoted as saying in the promotional material. “With data at our fingertips, we are growing revenue, becoming more cost effective and, most importantly, improving the customer experience.”

Markus said the previous internal system made it hard to collaborate with other companies. “Prior to Snowflake, we had a very complex data environment on-premises,” Markus said. “That led to a more ineffective operating environment for our business partners, both from a speed and cost perspective.”

With Snowflake, AT&T is said to have “a powerful, easy-to-use data management system that efficiently processes hundreds of petabytes of data every day.” This makes it easier to share data.

“Using Hadoop for storage and processing, AT&T’s monolithic on-premises data warehouse hampered the team from collecting, storing, sharing and processing its vast stores of data,” the customer case study said. “By moving to the Snowflake Telecom Data Cloud, Markus and his team achieved their goal of democratizing data across the business.”

Snowflake boasted that because of its cloud platform, “this leading telecom provider uses data to advance innovation, create new revenue streams, optimize operations and, most importantly, better connect people to their world.”

AT&T said it uses “trusted” cloud providers

When contacted by Ars today, AT&T provided a statement in response to the senators’ questions about its use of Snowflake. “Like most companies that deal with large amounts of data, AT&T often uses specialized and trusted cloud services platforms for various functions. These platforms enable companies to work with large amounts of data in a centralized place. In this case, AT&T had put a copy of the data on the third-party platform for analysis related to our business,” AT&T told us.

AT&T added that it “analyzes historical customer data for uses that include network planning, capacity utilization, and developing new services and offers.”

AT&T did not provide specifics on how long it retains data. “We set our data retention periods depending on the type of personal information, how long it is needed to operate the business or provide our products and services, and whether it is subject to contractual or legal obligations. These obligations might be ongoing litigation, mandatory data retention laws, or government orders to preserve data for an investigation,” the company said today.

We also asked Snowflake for details on exactly how phone companies use its platform. A Snowflake spokesperson did not answer our question but told us that the company will respond directly to the senators.


Meta tells court it won’t sue over Facebook feed-killing tool—yet

This week, Meta asked a US district court in California to toss a lawsuit filed by a professor, Ethan Zuckerman, who fears that Meta will sue him if he releases a tool that would give Facebook users an automated way to easily remove all content from their feeds.

Zuckerman has alleged that the imminent threat of a lawsuit from Meta has prevented him from releasing Unfollow Everything 2.0, suggesting that a cease-and-desist letter sent to the creator of the original Unfollow Everything substantiates his fears.

He’s hoping the court will find that either releasing his tool would not breach Facebook’s terms of use—which prevent “accessing or collecting data from Facebook ‘using automated means'”—or that those terms conflict with public policy. Among laws that Facebook’s terms allegedly conflict with are the First Amendment, section 230 of the Communications Decency Act, the Computer Fraud and Abuse Act (CFAA), as well as California’s Computer Data Access and Fraud Act (CDAFA) and state privacy laws.

But Meta claimed in its motion to dismiss that Zuckerman’s suit is too premature, mostly because the tool has not yet been built and Meta has not had a chance to review the “non-existent tool” to determine how Unfollow Everything 2.0 might impact its platform or its users.

“Besides bald assertions about how Plaintiff intends Unfollow Everything 2.0 to work and what he plans to do with it, there are no concrete facts that would enable this Court to adjudicate potential legal claims regarding this tool—which, at present, does not even operate in the real world,” Meta argued.

Meta wants all of Zuckerman’s claims to be dismissed, arguing that “adjudicating Plaintiff’s claims would require needless rulings on hypothetical applications of California law, would likely result in duplicative litigation, and would encourage forum shopping.”

At the heart of Meta’s defense is a claim that there’s no telling yet if Zuckerman will ever be able to release the tool, although Zuckerman said he was prepared to finish the build within six weeks of a court win. Last May, Zuckerman told Ars that because Facebook’s functionality could change while the lawsuit is settled, it’s better to wait to finish building the tool because Facebook’s design is always changing.

Meta claimed that Zuckerman can’t confirm if Unfollow Everything 2.0 would work as described in his suit precisely because his findings are based on Facebook’s current interface, and the “process for unfollowing has changed over time and will likely continue to change.”

Further, Meta argued that the original Unfollow Everything performed in a different way—by logging in on behalf of users and automatically unfollowing everything, rather than performing the automated unfollowing when the users themselves log in. Because of that, Meta argued that the new tool may not prompt the same response from Meta.

A senior staff attorney at the Knight Institute who helped draft Zuckerman’s complaint, Ramya Krishnan, told Ars that the two tools operate nearly identically, however.

“Professor Zuckerman’s tool and the original Unfollow Everything work in essentially the same way,” Krishnan told Ars. “They automatically unfollow all of a user’s friends, groups, and pages after the user installs the tool and logs in to Facebook using their web browser.”

Ultimately, Meta claimed that there’s no telling if Meta would even sue over the tool’s automated access to user data, dismissing Zuckerman’s fears as unsubstantiated.

Only when the tool is out in the wild and Facebook is able to determine “actual, concrete facts about how it works in practice” that “may prove problematic” will Meta know if a legal response is needed, Meta claimed. Without reviewing the technical specs, Meta argued, Meta has no way to assess the damages or know if it would sue over a breach of contract, as alleged, or perhaps over other claims not alleged, such as trademark infringement.


Craig Wright’s claim of inventing bitcoin may get him arrested for perjury

Not the real Satoshi —

UK judge refers Wright to prosecutors, suggests arrest warrant and extradition.

Dr. Craig Wright arrives at the Rolls Building, part of the Royal Courts of Justice, on February 6, 2024, in London, England.

A British judge is referring self-proclaimed bitcoin inventor Craig Wright to the Crown Prosecution Service (CPS) to consider criminal charges of perjury and forgery. The judge said that CPS can decide whether Wright should be arrested and granted two injunctions that prohibit Wright from re-litigating his claim to be bitcoin inventor Satoshi Nakamoto.

“I have no doubt that I should refer the relevant papers in this case to the CPS for consideration of whether a prosecution should be commenced against Dr. Wright for his wholescale perjury and forgery of documents and/or whether a warrant for his arrest should be issued and/or whether his extradition should be sought from wherever he now is. All those matters are to be decided by the CPS,” Justice James Mellor of England’s High Court of Justice wrote in a ruling issued today.

If Wright actually believes he is Nakamoto, “he is deluding himself,” Mellor wrote.

Mellor previously found that Wright “lied repeatedly and extensively” and forged documents “on a grand scale” in a case related to Wright’s claim that he is Nakamoto. The case began when Wright was sued by the nonprofit Crypto Open Patent Alliance (COPA), which said its goal was to disprove Wright’s bitcoin-inventing claim and stop him from claiming intellectual property rights to the system.

Wright’s location unknown

Wright’s location is unknown, today’s ruling said. “The evidence shows that Dr. Wright has left his previous residence in Wimbledon, appears to have left the UK, has been said to be traveling and was last established to be in the time zone of UTC +7,” Mellor wrote.

COPA asked Mellor “to dispense with personal service of the final Order on Dr. Wright” because his whereabouts are a mystery. COPA told the court that “Dr. Wright may either be deliberately evading service or at least is peripatetic and is very difficult to locate.” Mellor wrote that COPA’s view “seems to me to be fully justified and warrants the order which COPA seeks as to service of my final Order on Dr. Wright at his solicitors.”

After the events of the trial, Mellor’s decision to refer Wright for a perjury prosecution was apparently an easy one. “As COPA submitted, if what happened in this case does not warrant referral to the CPS, it is difficult to envisage a case which would… In advancing his false claim to be Satoshi through multiple legal actions, Dr. Wright committed ‘a most serious abuse’ of the process of the courts of the UK, Norway and the USA,” Mellor wrote.

Anti-lawsuit injunction

Mellor also approved COPA’s request for injunctions that prohibit Wright from bringing certain kinds of lawsuits based on his bitcoin-inventing claim. As the Associated Press reported, the approved injunctions are intended to prevent Wright “from threatening to sue or filing lawsuits aimed at developers.”

The COPA requests approved by Mellor were for “an anti-suit injunction preventing Dr. Wright or the other Claimants in the related claims from pursuing further proceedings in this or other jurisdictions to re-litigate his claim to be Satoshi,” and “a related order preventing him from threatening such proceedings.”

Mellor declined to issue additional orders preventing Wright from asserting legal rights as Nakamoto, preventing re-publication of Wright’s fraudulent claims, and requiring him to delete previously published statements. The judge said there was some overlap between the injunction requests that were approved and those that were not. Moreover, Wright would have difficulty convincing anyone that he invented bitcoin without violating the two approved injunctions.

Although there is a slight risk that “certain people may start to change their minds or begin to believe that Dr. Wright is Satoshi… I am inclined to the view that the effect would be small. Right-thinking people are likely to regard those assertions as hot air or empty rhetoric, even faintly ridiculous,” Mellor wrote.

Similarly, an order to delete statements “would be disproportionate” and is unnecessary because “anyone with an interest in Bitcoin will have been aware of the COPA Trial and know of the outcome,” Mellor wrote. However, the judge decided that COPA can make the requests again if it turns out to be necessary.

“I accept that my assessment may turn out to be off the mark. Furthermore, the evidence shows that whilst Dr. Wright has modified his public statements following the outcome of the COPA Trial, that may well turn out to be temporary. Dr. Wright is perfectly capable, once the dust has settled, of ramping up his public pronouncements again,” Mellor wrote.

Because of that possibility, Mellor said COPA has “permission to apply, for a period of 2 years, for any further injunctive relief they consider they can establish to be required to protect the interests of the corporate entities they represent as well as the individuals in the Bitcoin community who have suffered due to Dr. Wright’s false claim to be Satoshi.”


Google’s $500M effort to wreck Microsoft EU cloud deal failed, report says

Google tried to derail a Microsoft antitrust settlement over anticompetitive software licensing in the European Union by offering a $500 million alternative deal to the group of cloud providers behind the EU complaint, Bloomberg reported.

According to Bloomberg, Google’s offer to the Cloud Infrastructure Services Providers in Europe (CISPE) required that the group maintain its EU antitrust complaint. It came “just days” before CISPE settled with Microsoft, and it was apparently not compelling enough to stop CISPE from inking a deal with the software giant that TechCrunch noted forced CISPE to accept several compromises.

Bloomberg uncovered Google’s attempted counteroffer after reviewing confidential documents and speaking to “people familiar with the matter.” Apparently, Google sought to sway CISPE with a package worth nearly $500 million for more than five years of software licenses and about $15 million in cash.

But CISPE did not take the bait, announcing last week that an agreement was reached with Microsoft, seemingly frustrating Google.

CISPE initially raised its complaint in 2022, alleging that Microsoft was “irreparably damaging the European cloud ecosystem and depriving European customers of choice in their cloud deployments” by spiking costs to run Microsoft’s software on rival cloud services. In February, CISPE said that “any remedies and resolution must apply across the sector and to be accessible to all cloud customers in Europe.” They also promised that “any agreements will be made public.”

But the settlement reached last week excluded major rivals, including Amazon, which is a CISPE member, and Google, which is not. And despite CISPE’s promise, the terms of the deal were not published, apart from a CISPE blog roughly outlining central features that it claimed resolved the group’s concerns over Microsoft’s allegedly anticompetitive behaviors.

What is clear is that CISPE agreed to drop their complaint by taking the deal, but no one knows exactly how much Microsoft paid in a “lump sum” to cover CISPE legal fees for three years, TechCrunch noted. However, “two people with direct knowledge of the matter” told Reuters that Microsoft offered about $22 million.

Google has been trying to catch up with Microsoft and Amazon in the cloud market and has recently begun gaining ground. Last year, Google’s cloud operation broke even for the first time, and the company earned a surprising $900 million in profits in the first quarter of 2024, which bested analysts’ projections by more than $200 million, Bloomberg reported. For Google, the global cloud market has become a key growth area, Bloomberg noted, as potential growth opportunities in search advertising slow. Seemingly increasing regulatory pressure on Microsoft while taking a chunk of its business in the EU was supposed to be one of Google’s next big moves.

A CISPE spokesperson, Ben Maynard, told Ars that its “members were presented with alternative options to accepting the Microsoft deal,” while not disclosing the terms of the other options. “However, the members voted by a significant majority to accept the Microsoft offer, which, in their view, presented the best opportunity for the European cloud sector,” Maynard told Ars.

Neither Microsoft nor Google has commented directly on the reported counteroffer. A Google spokesperson told Bloomberg that Google “has long supported the principles of fair software licensing and that the firm was having discussions about joining CISPE, to fight anticompetitive licensing practices.” A person familiar with the matter told Ars that Google did not necessarily make the counteroffer contingent on dropping the EU complaint, but had long been exploring joining CISPE and would only do so if CISPE upheld its mission to defend fair licensing deals. Microsoft reiterated a past statement from its president, Brad Smith, confirming that Microsoft was “pleased” to resolve CISPE’s antitrust complaint.

For CISPE, the resolution may not have been perfect, but it “will enable European cloud providers to offer Microsoft applications and services on their local cloud infrastructures, meeting the demand for sovereign cloud solutions.” In 2022, CISPE Secretary-General Francisco Mingorance told Ars that although CISPE had been clear that it intended to force Microsoft to make changes allowing all cloud rivals to compete, “a key reason behind filing the complaint was to support” two smaller cloud service providers, Aruba and OVH.


Record labels sue Verizon for not disconnecting pirates’ Internet service

Music piracy —

Lawsuit: One user’s IP address was identified in 4,450 infringement notices.

Major record labels sued Verizon on Friday, alleging that the Internet service provider violated copyright law by continuing to serve customers accused of pirating music. Verizon “knowingly provides its high-speed service to a massive community of online pirates,” said the complaint filed in US District Court for the Southern District of New York.

Universal, Sony, and Warner say they have sent over 340,000 copyright infringement notices to Verizon since early 2020. “Those notices identify specific subscribers on Verizon’s network stealing Plaintiffs’ sound recordings through peer-to-peer (‘P2P’) file-sharing networks that are notorious hotbeds for copyright infringement,” the lawsuit said.

Record labels allege that “Verizon ignored Plaintiffs’ notices and buried its head in the sand” by “continu[ing] to provide its high-speed service to thousands of known repeat infringers so it could continue to collect millions of dollars from them.” They say that “Verizon has knowingly contributed to, and reaped substantial profits from, massive copyright infringement committed by tens of thousands of its subscribers.”

The firms allege that Verizon is guilty of contributory and vicarious copyright infringement and should have to pay damages of up to $150,000 for each work infringed. Plaintiffs filed what they call a “non-exhaustive” list of infringed works that includes 17,335 titles. That would imply requested damages of over $2.6 billion.

Numerous lawsuits against ISPs

Record labels and movie studios have filed numerous copyright lawsuits against Internet providers. Perhaps the most significant ongoing case involves Cox Communications, which has been fighting a $1 billion jury verdict since 2019.

Cox received support from groups such as the Electronic Frontier Foundation, which warned that the big money judgment could cause broadband providers to disconnect people from the Internet based only on accusations of copyright infringement. The US Court of Appeals for the 4th Circuit overturned the $1 billion verdict in February 2024, rejecting Sony’s claim that Cox profited directly from copyright infringement committed by users of Cox’s cable broadband network.

While judges in the Cox case reversed a vicarious liability verdict, they affirmed the jury’s additional finding of willful contributory infringement and ordered a new damages trial.

Cox recently said it is seeking a Supreme Court review on the questions of “whether an Internet service provider materially contributes to copyright infringement by declining to disconnect an Internet account knowing someone is likely to use it to infringe,” and “whether a secondary infringer can be adjudged willful based merely on knowledge of another’s direct infringement.” There is a circuit split on both questions, Cox said.

4,450 notices about one IP address

In the Verizon case, record labels claim that thousands of Verizon subscribers “were the subject of 20 or more notices from Plaintiffs, and more than 500 subscribers were the subject of 100 or more notices. One particularly egregious Verizon subscriber was single-handedly the subject of 4,450 infringement notices from Plaintiffs alone.”

That Verizon subscriber’s IP address was identified in 4,450 infringement notices between March 2021 and August 2023, the lawsuit said. Two other subscribers were allegedly the subject of 2,703 and 2,068 infringement notices, respectively.

“Verizon acknowledged that it received these notices of infringement sent by Plaintiffs’ representatives,” the lawsuit said. “Yet rather than taking any steps to address its customers’ illegal use of its network, Verizon deliberately chose to ignore Plaintiffs’ notices, willfully blinding itself to that information and prioritizing its own profits over its legal obligations.”

The plaintiffs claim that “Verizon has gone out of its way not to take action against subscribers engaging in repeated copyright infringement,” and “failed to terminate or otherwise take any meaningful action against the accounts of repeat infringers of which it was aware.”

“It is well-established law that if a party materially assists someone it knows is engaging in copyright infringement, that party is fully liable for the infringement as if it had infringed directly,” the lawsuit said.

Complaint system too onerous, suit claims

The lawsuit also complains that Verizon hasn’t made it easier for copyright owners to file complaints about Internet users:

Through one channel, Verizon claims to allow copyright holders to send P2P notices through a so-called “Anti-Piracy Cooperation Program,” but it has attached such onerous conditions to participation that the program is rendered a nullity. Not only has Verizon required participants to pay burdensome fees for simple, automated processes like Internet Protocol (“IP”) address lookups and notice forwarding, but participants have been required to waive their copyright claims, broadly indemnify Verizon, and, tellingly, keep the terms of the program confidential. Verizon has also limited the number of notices it will forward pursuant to the program.

The lawsuit said Verizon also allows copyright owners to send email notices of infringement instead of using the channel described above. The email method apparently doesn’t require copyright owners to waive their copyright claims or make payments, but the lawsuit alleges that “Verizon does not forward these notices to subscribers or track the number of email notices sent regarding repeat infringing subscribers. Verizon also arbitrarily caps the number of notices permitted per copyright holder at this address—ironic, to say the least, given that Verizon ignored hundreds of thousands of Plaintiffs’ notices to this email inbox.”

We contacted Verizon about the lawsuit and will update this article if it provides a response.


Dirty diaper resold on Amazon ruined a family business, report says

A feces-encrusted swim diaper tanked a family business after Amazon re-sold it as new, Bloomberg reported, triggering a bad review that quickly turned a million-dollar mom-and-pop shop into a $600,000 pile of debt.

Paul and Rachelle Baron, owners of Beau & Belle Littles, told Bloomberg that Amazon is supposed to inspect returned items before reselling them. But the company failed to detect the poop stains before reselling a damaged item that triggered a one-star review in 2020 that the couple says doomed their business after more than 100 buyers flagged it as “helpful.”

“The diaper arrived used and was covered in poop stains,” the review said, urging readers to “see pics.”

Because others marked the review as helpful, Amazon increased its visibility on the product page, just as the Barons “were executing a plan to triple their annual sales to $3 million in 2020.” No matter how many 5-star reviews were left, this one bad review blaming the seller for the issue continued to “haunt” the family business, the Barons said.

“Nothing could have been more disgusting!!” the review continued. “I am assuming someone returned it after using it and the company simply did not check the item and then shipped it to us as if it was brand new.”

Amazon says that it prohibits negative reviews that violate community guidelines, including by focusing on seller, order, or shipping feedback rather than on the item’s quality. Other one-star reviews for the same product, which the Barons seemingly accept as valid, comment on quality, leaving feedback like the diaper fitting too tightly or leaking. But the bad review focused on the dirty item being resold as new likely should have been removed, Bloomberg reported, since it “suggests the item had already been used.” The review also seemingly violated community guidelines by focusing on “the company” not checking the item before shipping, blaming the seller for Amazon’s return inspection process.

But Amazon ultimately declined to remove the bad review, Paul Baron told Bloomberg. The buyer who left the review, a teacher named Erin Elizabeth Herbert, told Bloomberg that the Barons had reached out directly to explain what happened, but she forgot to update the review and still has not as of this writing.

“I always meant to go back and revise my review to reflect that, and life got busy and I never did,” Herbert told Bloomberg.

Her review remains online, serving as a warning for parents to avoid buying from the family business.

“These were not small stains either,” Herbert’s review said. “I was extremely grossed out. Thank god I saw the stains and didn’t put it on my baby! I will be returning this ASAP, and I sure hope they check it out when they get it back, but I wouldn’t be surprised if they just ship it to some other unsuspecting parent.”

The Barons told Ars they think the buyer hasn’t updated the review because she doesn’t understand how damaging it has been to their business.

Ars could not immediately reach Amazon for comment, but a spokesperson, Maria Boschetti, seemed to suggest to Bloomberg that there was little the Barons could do to correct the issue now.

“We are sorry to hear that a seller feels their return was not evaluated correctly and resulted in a negative review,” Boschetti told Bloomberg. “We encourage selling partners to reach out with any concerns, and we listen to their feedback to help us continue improving the selling experience.”

On Amazon’s site, other sellers have complained about the company’s failure to remove reviews that clearly violate community guidelines. In one case, an Amazon support specialist named Danika acknowledged that the use of profanity in a review, for example, “seems particularly cut and dry as a violation,” promising to escalate the complaint. However, Danika appeared to abandon the thread after that, with the user commenting that the review remained up after the escalation.

The Barons are now selling enough inventory through Beau & Belle Littles to pay down their debt, but they are struggling to make a living after becoming a prominent Amazon success story after launching their business a decade ago. The couple told Bloomberg that a “loan secured by their home” has complicated “the prospect of filing for bankruptcy,” and both have taken on other jobs to make ends meet since the review was posted.

The Barons told Ars they’ve given up on resolving the issue with Amazon after a support specialist appeared demoralized, admitting that “it’s completely” Amazon’s “fault” but there was nothing he could do.

“The last four years have been an emotional train wreck,” Paul Baron told Bloomberg. “Shoppers might think returning a poopy diaper to Amazon is a victimless way to get their money back, but we’re a small, family business, and this is how we pay our mortgage.”


Net neutrality rules temporarily stayed as judges weigh impact of SCOTUS ruling

Net neutrality delay —

Court delays FCC rules until August 5, asks sides for briefs on Brand X.

FCC Chairwoman Jessica Rosenworcel and FCC Commissioner Brendan Carr arrive to testify during a House committee hearing on March 31, 2022, in Washington, DC.

Getty Images | Kevin Dietsch

A federal court on Friday temporarily stayed enforcement of net neutrality regulations but has not decided on the merits of a telecom-industry request to block the rules on a longer-term basis.

The Federal Communications Commission’s revived net neutrality rules were scheduled to take effect on July 22. But the US Court of Appeals for the 6th Circuit needs more time to consider the industry motion to block the rules and wants the parties to file supplemental briefs. As a result, the FCC can’t enforce the rules until at least August 5.

“To provide sufficient opportunity to consider the merits of the motion to stay the FCC’s order, we conclude that an administrative stay is warranted. The FCC’s order is hereby temporarily stayed until August 5, 2024,” the court said on Friday.

The administrative stay is due in part to the 6th Circuit Court’s consideration of Supreme Court precedent. The Supreme Court’s decision last month in Loper Bright Enterprises v. Raimondo limited the regulatory authority of federal agencies by overturning the 40-year-old Chevron precedent. Chevron gave agencies leeway to interpret ambiguous laws as long as the agency’s conclusion was reasonable.

Briefs on Brand X

The telecom industry and FCC already filed briefs on the impact of Loper Bright. But the 6th Circuit wants supplemental briefs on a related topic.

Chevron deference was crucial in the 2005 Brand X ruling that has repeatedly played a role in cases over the FCC’s ability to regulate net neutrality. Brand X allowed the FCC to classify cable Internet as a lightly regulated information service. The precedent helped the FCC win court cases both when the Obama-era commission implemented net neutrality rules and when the Trump-era commission repealed those same rules.

On Friday, the 6th Circuit said the judges’ panel considering the present case “would be grateful for supplemental briefs by the parties with respect to the application of stare decisis and National Cable & Telecom. Ass’n v. Brand X Internet Servs., to this dispute, filed no later than July 19, 2024.” (Stare decisis is the “doctrine that courts will adhere to precedent in making their decisions.”)

The Supreme Court overturning Chevron doesn’t automatically nullify Brand X. The Supreme Court said in the Loper Bright ruling that “we do not call into question prior cases that relied on the Chevron framework. The holdings of those cases that specific agency actions are lawful—including the Clean Air Act holding of Chevron itself—are still subject to statutory stare decisis despite our change in interpretive methodology.”

The telecom industry and FCC briefs on Loper Bright both discussed Brand X, but the judges evidently want more on that topic. The 6th Circuit’s administrative stay was handed down by Chief Judge Jeffrey Sutton, Judge Eric Clay, and Judge Stephanie Dawkins Davis. Sutton was appointed by George W. Bush, while Clay is a Clinton appointee, and Davis was appointed by Biden.

FCC lost motion to move case

The administrative stay doesn’t necessarily signal anything about how the 6th Circuit judges will rule on the merits. But telcos did already win one ruling when the court rejected a motion to transfer the case.

Previous net neutrality cases were decided by the US Court of Appeals for the District of Columbia Circuit. This time, the 6th Circuit was randomly selected to hear the case in a multi-circuit lottery after telco lobby groups filed suit in seven circuits.

The FCC sought to transfer the current case to the DC Circuit, which ruled in the agency’s favor in the previous cases. The 6th Circuit denied the motion on June 28.

“When considering a motion to transfer a multi-circuit petition, we give considerable weight to our selection in the lottery. That lottery system would not mean much if a party disappointed by the luck of the draw could transfer the case to its preferred forum,” the court said.

Though the DC Circuit handled previous similar cases, the 6th Circuit said this is not merely a continuation of the earlier cases. The court also made a point of referring to the FCC repeatedly changing its position on whether broadband should be regulated as a common-carrier service.

“The DC Circuit has some familiarity with the legal classification of broadband through its consideration of prior FCC orders,” the 6th Circuit panel said. “But the FCC’s vacillating positions on the proper classification of broadband demonstrate that the prior orders do not represent the staggered implementation of a single undertaking. And, as the DC Circuit itself has explained, ‘general familiarity with the legal questions presented by a case is decidedly different from acquaintance with the proceedings that gave rise to the order in suit.’”

Elon Musk’s X faces big EU fines as paid checkmarks are ruled deceptive

Blue checkmarks —

Paid “verification” deceives X users and violates Digital Services Act, EU says.

Elon Musk’s overhaul of the Twitter verification system deceives users and violates the Digital Services Act, the European Commission said today in an announcement of preliminary findings that could lead to a big financial penalty.

The social media platform now called X “designs and operates its interface for the ‘verified accounts’ with the ‘Blue checkmark’ in a way that does not correspond to industry practice and deceives users,” the EU regulator said. “Since anyone can subscribe to obtain such a ‘verified’ status, it negatively affects users’ ability to make free and informed decisions about the authenticity of the accounts and the content they interact with. There is evidence of motivated malicious actors abusing the ‘verified account’ to deceive users.”

Blue checkmarks “used to mean trustworthy sources of information,” Commissioner for Internal Market Thierry Breton said. The EC said it “informed X of its preliminary view that it is in breach of the Digital Services Act (DSA) in areas linked to dark patterns, advertising transparency and data access for researchers.”

X will have an opportunity to respond in writing. If the preliminary finding is upheld, the EC said it would adopt a non-compliance decision that “could entail fines of up to 6 percent of the total worldwide annual turnover of the provider, and order the provider to take measures to address the breach.”

A non-compliance decision may also “trigger an enhanced supervision period to ensure compliance with the measures the provider intends to take to remedy the breach,” and “periodic penalty payments to compel a platform to comply.” X is allowed to “exercise its rights of defense by examining the documents in the Commission’s investigation file and by replying in writing to the Commission’s preliminary findings,” the announcement said.

We contacted X today and will update this article if the company provides a response to the EU findings.

Advertising and data access charges

As for the second alleged violation, the EC said that “X does not comply with the required transparency on advertising, as it does not provide a searchable and reliable advertisement repository, but instead put in place design features and access barriers that make the repository unfit for its transparency purpose towards users. In particular, the design does not allow for the required supervision and research into emerging risks brought about by the distribution of advertising online.”

Thirdly, the commission said it found that “X fails to provide access to its public data to researchers in line with the conditions set out in the DSA. In particular, X prohibits eligible researchers from independently accessing its public data, such as by scraping, as stated in its terms of service. In addition, X’s process to grant eligible researchers access to its application programming interface (API) appears to dissuade researchers from carrying out their research projects or leave them with no other choice than to pay disproportionately high fees.”

In December 2023, the EC announced that Musk’s X platform was subject to the first formal investigation into possible DSA violations. X said at the time that it “remains committed to complying with the Digital Services Act and is cooperating with the regulatory process. It is important that this process remains free of political influence and follows the law.”

With today’s announcement, X is the first company to face preliminary findings of DSA non-compliance.

“The DSA has transparency at its very core, and we are determined to ensure that all platforms, including X, comply with EU legislation,” said EC competition official Margrethe Vestager.

Nearly all AT&T subscribers’ call records stolen in Snowflake cloud hack

AT&T data breach —

Six months of call and text records taken from AT&T workspace on cloud platform.

AT&T today said a breach on a third-party cloud platform exposed the call and text records of nearly all its cellular customers. The leaked data is said to include phone numbers that AT&T subscribers communicated with, but not names.

An AT&T spokesperson confirmed to Ars that the data was exposed in the recently reported attack on “AI data cloud” provider Snowflake, which also affected Ticketmaster and many other companies. As previously reported, Snowflake was compromised by a group that obtained login credentials through information-stealing malware.

“In April, AT&T learned that customer data was illegally downloaded from our workspace on a third-party cloud platform,” AT&T announced today. AT&T said it is working with law enforcement and “understands that at least one person has been apprehended.”

AT&T said it does not believe the stolen call data has been made publicly available. “The call and text records identify the phone numbers with which an AT&T number interacted during this period, including AT&T landline (home phone) customers. It also included counts of those calls or texts and total call durations for specific days or months,” AT&T said.

Records of “nearly all” AT&T customers

The data does not include the content of calls or text messages, AT&T said.

“Based on our investigation, the compromised data includes files containing AT&T records of calls and texts of nearly all of AT&T’s cellular customers, customers of mobile virtual network operators (MVNOs) using AT&T’s wireless network, as well as AT&T’s landline customers who interacted with those cellular numbers between May 1, 2022 – October 31, 2022. The compromised data also includes records from January 2, 2023, for a very small number of customers,” AT&T said.

The carrier said the breach does not include Social Security numbers, dates of birth, other personally identifiable information, or the time stamps for calls and texts. “While the data does not include customer names, there are often ways, using publicly available online tools, to find the name associated with a specific telephone number,” an AT&T filing with the Securities and Exchange Commission said.

AT&T’s SEC filing said the “records identify the telephone numbers with which an AT&T or MVNO wireless number interacted during these periods, including telephone numbers of AT&T wireline customers and customers of other carriers, counts of those interactions, and aggregate call duration for a day or month. For a subset of records, one or more cell site identification number(s) are also included.”

AT&T said it has “clos[ed] off the point of unlawful access” and is notifying current and former customers of the breach. AT&T’s current and former customers can obtain the data that was compromised, and details on how to make those data requests are available on this page.

FBI and FCC comment

The Federal Bureau of Investigation said AT&T and law enforcement agreed to delay public reporting of the incident when the investigation began in April. The FBI provided this statement to Ars:

Shortly after identifying a potential breach to customer data and before making its materiality decision, AT&T contacted the FBI to report the incident. In assessing the nature of the breach, all parties discussed a potential delay to public reporting under Item 1.05(c) of the SEC Rule, due to potential risks to national security and/or public safety. AT&T, FBI, and DOJ worked collaboratively through the first and second delay process, all while sharing key threat intelligence to bolster FBI investigative equities and to assist AT&T’s incident response work.

The FBI declined to provide any information on the person who was apprehended. The Federal Communications Commission said it has “an ongoing investigation into the AT&T breach and we’re coordinating with our law enforcement partners.”

An AT&T spokesperson told Ars that the Snowflake breach is unrelated to another recent leak involving the data of 73 million current and former subscribers.

Apple settles EU probe by opening up its mobile payments system

A small price to pay? —

iPhone users will get more choices to make “touch-and-go” payments in the EU.

In two weeks, iPhone users in the European Union will be able to use any mobile wallet they like to complete “tap and go” payments with the ease of using Apple Pay.

The change comes as part of a settlement with the European Commission (EC), which investigated Apple for potentially shutting out rivals by denying access to the “Near Field Communication” (NFC) technology on its devices that enables the “tap and go” feature. Apple did not develop this technology, which is free for developers, the EC said, and going forward, Apple agreed to not charge developers fees to provide the NFC functionality on its devices.

In a press release, the EC’s executive vice president, Margrethe Vestager, said that Apple’s commitments in the settlement address the commission’s “preliminary concerns that Apple may have illegally restricted competition for mobile wallets on iPhones.”

“From now on, Apple can no longer use its control over the iPhone ecosystem to keep other mobile wallets out of the market,” Vestager said. “Competing wallet developers, as well as consumers, will benefit from these changes, opening up innovation and choice, while keeping payments secure.”

Apple has until July 25 to follow through on three commitments that resolve the EC’s concerns that Apple may have “prevented developers from bringing new and competing mobile wallets to iPhone users.”

Arguably, providing outside developers access to NFC functionality on its devices is the biggest change. Rather than allowing developers to access this functionality through Apple’s hardware, Apple has borrowed a solution prevalent in the Android ecosystem, Vestager said, granting access through a software solution called “Host Card Emulation mode.”

This, Vestager said, provides “an equivalent solution in terms of security and user experience” and paves the way for other wallets to be more easily used on Apple devices.

An Apple spokesperson told CNBC that “Apple is providing developers in the European Economic Area with an option to enable NFC contactless payments and contactless transactions for car keys, closed loop transit, corporate badges, home keys, hotel keys, merchant loyalty/rewards, and event tickets from within their iOS apps using Host Card Emulation based APIs.”

To ensure that Apple Pay is on an equal playing field with other wallets, the EC said that Apple committed to improve contactless payments functionality for rival wallets. That means that “iPhone users will be able to double-click the side button of their iPhones to launch” their preferred wallet and “use Face ID, Touch ID and passcode to verify” their identities when using competing wallets.

Perhaps most critically for users attracted to the convenience of Apple’s payment options, Apple also agreed to allow rival wallets to be set as the default payment option.

These commitments will remain in force for 10 years, Vestager said.

Apple did not immediately respond to Ars’ request for comment. Apple’s spokesperson confirmed to CNBC that no changes would be made to Apple Pay or Apple Wallet as a result of the settlement.

Apple’s commitments go beyond the DMA

Before accepting Apple’s commitments, the EC spoke to “many banks, app developers, card issuers, and financial associations,” Vestager said, whose feedback helped improve Apple’s commitments.

According to Vestager, Apple’s changes go beyond the requirements of the EU’s strict antitrust law, the Digital Markets Act, which “requires gatekeepers to ensure effective interoperability with hardware and software features that they use within their ecosystems,” including “access to NFC technology for mobile payments.”

Beyond the DMA, Apple agreed to have its compliance with the settlement “ensured by a monitoring trustee,” as well as to provide “a fast dispute resolution mechanism, which will also allow for an independent review of Apple’s implementation.”

Vestager assured all stakeholders in the European Economic Area that these changes will prevent any potential harms caused by Apple seeming to shut other wallets out of its devices, which “may have had a negative impact on innovation.” By settling the yearslong probe, Apple avoided a potentially large fine. In March, the EC fined Apple nearly $2 billion for restricting “alternative and cheaper music subscription services” like Spotify in its app store, and the suspected anticompetitive behavior in Apple’s payments ecosystem seemed just as harmful, the EC found.

“This reduction in choice and innovation is harmful,” Vestager said, confirming that the settlement concluded the EC’s probe into Apple Pay. “It is harmful to consumers and it is illegal under EU competition rules.”

Court ordered penalties for 15 teens who created naked AI images of classmates

Real consequences —

Teens ordered to attend classes on sex education and responsible use of AI.

A Spanish youth court has sentenced 15 minors to one year of probation after spreading AI-generated nude images of female classmates in two WhatsApp groups.

The minors were charged with 20 counts of creating child sex abuse images and 20 counts of offenses against their victims’ moral integrity. In addition to probation, the teens will also be required to attend classes on gender and equality, as well as on the “responsible use of information and communication technologies,” a press release from the Juvenile Court of Badajoz said.

Many of the victims were too ashamed to speak up when the inappropriate fake images began spreading last year. Prior to the sentencing, a mother of one of the victims told The Guardian that girls like her daughter “were completely terrified and had tremendous anxiety attacks because they were suffering this in silence.”

The court confirmed that the teens used artificial intelligence to create images where female classmates “appear naked” by swiping photos from their social media profiles and superimposing their faces on “other naked female bodies.”

Teens using AI to sexualize and harass classmates has become an alarming global trend. Police have probed disturbing cases in both high schools and middle schools in the US, and earlier this year, the European Union proposed expanding its definition of child sex abuse to more effectively “prosecute the production and dissemination of deepfakes and AI-generated material.” Last year, US President Joe Biden issued an executive order urging lawmakers to pass more protections.

In addition to mental health impacts, victims have reported losing trust in classmates who targeted them and wanting to switch schools to avoid further contact with harassers. Others stopped posting photos online and remained fearful that the harmful AI images would resurface.

Minors targeting classmates may not realize exactly how far images can potentially spread when generating fake child sex abuse materials (CSAM); they could even end up on the dark web. An investigation by the United Kingdom-based Internet Watch Foundation (IWF) last year reported that “20,254 AI-generated images were found to have been posted to one dark web CSAM forum in a one-month period,” with more than half determined most likely to be criminal.

IWF warned that it has identified a growing market for AI-generated CSAM and concluded that “most AI CSAM found is now realistic enough to be treated as ‘real’ CSAM.” One “shocked” mother of a female classmate victimized in Spain agreed. She told The Guardian that “if I didn’t know my daughter’s body, I would have thought that image was real.”

More drastic steps to stop deepfakes

While lawmakers struggle to apply existing protections against CSAM to AI-generated images or to update laws to explicitly prosecute the offense, other more drastic solutions to prevent the harmful spread of deepfakes have been proposed.

In an op-ed for The Guardian today, journalist Lucia Osborne-Crowley advocated for laws restricting sites used to both generate and surface deepfake pornography, including regulating this harmful content when it appears on social media sites and search engines. And IWF suggested that, like jurisdictions that restrict sharing bomb-making information, lawmakers could also restrict guides instructing bad actors on how to use AI to generate CSAM.

The Malvaluna Association, which represented families of victims in Spain and broadly advocates for better sex education, told El Diario that beyond more regulations, more education is needed to stop teens motivated to use AI to attack classmates. Because the teens were ordered to attend classes, the association agreed to the sentencing measures.

“Beyond this particular trial, these facts should make us reflect on the need to educate people about equality between men and women,” the Malvaluna Association said. The group urged that today’s kids should not be learning about sex through pornography that “generates more sexism and violence.”

Teens sentenced in Spain were between the ages of 13 and 15. According to The Guardian, Spanish law prevented sentencing of minors under 14, but the youth court “can force them to take part in rehabilitation courses.”

Tech companies could also make it easier to report and remove harmful deepfakes. Ars could not immediately reach Meta for comment on efforts to combat the proliferation of AI-generated CSAM on WhatsApp, the private messaging app that was used to share fake images in Spain.

An FAQ said that “WhatsApp has zero tolerance for child sexual exploitation and abuse, and we ban users when we become aware they are sharing content that exploits or endangers children,” but it does not mention AI.

Republicans angry that ISPs receiving US grants must offer low-cost plans

Republican lawmakers are fighting a Biden administration attempt to bring cheap broadband service to low-income people, claiming it is an illegal form of rate regulation. GOP leaders of the House Energy and Commerce Committee announced an investigation into the National Telecommunications and Information Administration (NTIA), which is administering the $42.45 billion Broadband Equity, Access, and Deployment (BEAD) program that was approved by Congress in November 2021.

“States have reported that the NTIA is directing them to set rates and conditioning approval of initial proposals on doing so. This undoubtedly constitutes rate regulation by the NTIA,” states a letter to the NTIA from Committee Chair Cathy McMorris Rodgers (R-Wash.), Subcommittee on Communications and Technology Chair Bob Latta (R-Ohio), and Subcommittee on Oversight and Investigations Chair Morgan Griffith (R-Va.).

As evidence, the letter points to a statement by Virginia that described feedback received from the NTIA. The federal agency told Virginia that “the low-cost option must be established in the Initial proposal as an exact price or formula.”

The Republicans said anecdotal evidence suggests “the NTIA may be evaluating initial proposals counter to Congressional intent and in violation of the law.” They asked the agency for all communications about the grants between NTIA officials and state broadband offices.

The US law that ordered NTIA to distribute the money requires that Internet providers receiving federal funds offer at least one “low-cost broadband service option for eligible subscribers.” But the law also says the NTIA may not “regulate the rates charged for broadband service.”

We’re following the law, agency says

An NTIA spokesperson told Ars that the agency is working to implement the law’s requirement that grant recipients offer an affordable service tier to qualifying low-income households. “We’ve received the letter and will respond through the appropriate channels. NTIA is working to implement BEAD in a manner that is faithful to the statute,” the agency said.

NTIA Administrator Alan Davidson tried to deflect Republican criticism of the low-cost requirements at a hearing in May. He said that requiring a low-cost option, as the law demands, is not the same as regulating broadband rates.

“The statute requires that there be a low-cost service option,” Davidson told Latta at the hearing, according to Broadband Breakfast. “We do not believe the states are regulating rates here. We believe that this is a condition to get a federal grant. Nobody’s requiring a service provider to follow these rates, people do not have to participate in the program.”

The NTIA needs to evaluate specific proposals to determine whether plans are low-cost, he said. “You have to be able to understand what is affordable,” Davidson was quoted as saying. “Every state has to submit a low-cost option that we can understand is affordable. When states do that, we will approve their plans.”
