EU

Is WhatsApp Being Ditched for Signal in Dutch Higher Education? (dub.uu.nl)

For weeks Signal has been one of the three most-downloaded apps in the Netherlands, according to a local news site. And now "Higher education institutions in the Netherlands have been looking for an alternative," according to DUB (an independent news site for the Utrecht University community): Employees of the Utrecht University of Applied Sciences (HU) were recently advised to switch to Signal. Avans University of Applied Sciences has also been discussing a switch...The National Student Union is concerned about privacy. The subject was raised at last week's general meeting, as reported by chair Abdelkader Karbache, who said: "Our local unions want to switch to Signal or other open-source software."
Besides being open source, Signal is a non-commercial nonprofit, the article points out — though its proponents suggest there's another big difference. "HU argues that Signal keeps users' data private, unlike WhatsApp." Cybernews.com explains the concern: In an interview with the Dutch newspaper De Telegraaf, Meredith Whittaker [president of the Signal Foundation] discussed the pitfalls of WhatsApp. "WhatsApp collects metadata: who you send messages to, when, and how often. That's incredibly sensitive information," she says.... The only information [Signal] collects is the date an account was registered, the time when an account was last active, and hashed phone numbers... Information like profile name and the people a user communicates with is all encrypted... Metadata might sound harmless, but it couldn't be further from the truth. According to Whittaker, metadata is deadly. "As a former CIA director once said: 'We kill people based on metadata'."
WhatsApp's metadata also includes IP addresses, TechRadar noted last May: Other identifiable data such as your network details, the browser you use, ISP, and other identifiers linked to other Meta products (like Instagram and Facebook) associated with the same device or account are also collected... [Y]our IP can be used to track down your location. As the company explained, even if you keep the location-related features off, IP addresses and other collected information like phone number area codes can be used to estimate your "general location."

WhatsApp is required by law to share this information with authorities during an investigation...

[U]nder scrutiny is how Meta itself uses these precious details for commercial purposes. Again, this is clearly stated in WhatsApp's privacy policy and terms of use. "We may use the information we receive from [other Meta companies], and they may use the information we share with them, to help operate, provide, improve, understand, customize, support, and market our Services and their offerings," reads the policy. This means that yes, your messages are always private, but WhatsApp is actively collecting your metadata to build your digital persona across other Meta platforms...

The article suggests using a VPN with WhatsApp and turning on its "advanced privacy feature" (which hides your IP address during calls) and managing the app's permissions for data collection. "While these steps can help reduce the amount of metadata collected, it's crucial to bear in mind that it's impossible to completely avoid metadata collection on the Meta-owned app... For extra privacy and security, I suggest switching to the more secure messaging app Signal."

The article also includes a cautionary anecdote. "It was exactly a piece of metadata — a Proton Mail recovery email — that led to the arrest of a Catalan activist."

Thanks to long-time Slashdot reader united_notions for sharing the article.
Privacy

Doc Searls Proposes We Set Our Own Terms and Policies for Web Site Tracking (searls.com)

Today long-time open source advocate/journalist Doc Searls revealed that years of work by consumer privacy groups has culminated in a proposed standard "that can vastly expand our agency in the digital world" — especially in a future world where agents surf the web on our behalf: Meet IEEE P7012, which "identifies/addresses the manner in which personal privacy terms are proffered and how they can be read and agreed to by machines." It has been in the works since 2017, and should be ready later this year. (I say this as chair of the standard's working group.) The nickname for P7012 is MyTerms (much as the nickname for the IEEE's 802.11 standard is Wi-Fi).

The idea behind MyTerms is that the sites and services of the world should agree to your terms, rather than the other way around.

Basically your web browser proffers whatever agreement you've chosen (from a canonical list hosted at Customer Commons) to the web sites and other online services that you're visiting.

"Browser makers can build something into their product, or any developer can make a browser add-on or extension..." Searls writes. "On the site's side — the second-party side — CMS makers can build something in, or any developer can make a plug-in (WordPress) or a module (Drupal). Mobile app toolmakers can also come up with something (or many things)..." MyTerms creates a new regime for privacy: one based on contract. With each MyTerm you are the first party. Not the website, the service, or the app maker. They are the second party. And terms can be friendly. For example, a prototype term called NoStalking says "Just show me ads not based on tracking me." This is good for you, because you don't get tracked, and good for the site because it leaves open the advertising option. NoStalking lives at Customer Commons, much as personal copyrights live at Creative Commons. (Yes, the former is modeled on the latter.)
"[L]et's make this happen and show the world what agency really means," Searls concludes.

Another way to say it is they've created "a draft standard for machine-readable personal privacy terms." But Searls's article used a grander metaphor to explain its significance: When Archimedes said 'Give me a place to stand and I can move the world,' he was talking about agency. You have no agency on the Web if you are always the second party, agreeing to terms and policies set by websites.

You are Archimedes if you are the first party, setting your own terms and policies. The scale you get with those is One 2 World. The place you stand is on the Web itself — and the Internet below it.

Both were designed to make each of us an Archimedes.

Government

US Security Agencies Halt Coordinated Effort to Counter Russian Sabotage and Cyberattacks (yahoo.com)

Reuters reported this week that several U.S. national security agencies "have halted work on a coordinated effort to counter Russian sabotage, disinformation and cyberattacks..." The plan was led by the president's National Security Council (NSC) and involved at least seven national security agencies working with European allies to disrupt plots targeting Europe and the United States, seven former officials who participated in the working groups told Reuters... [S]ince Trump took office on January 20 much of the work has come to a standstill, according to eleven current and former officials, all of whom requested anonymity to discuss classified matters... Regular meetings between the National Security Council and European national security officials have gone unscheduled, and the NSC has also stopped formally coordinating efforts across U.S. agencies...

The FBI last month ended an effort to counter interference in U.S. elections by foreign adversaries including Russia and put on leave staff working on the issue at the Department of Homeland Security. The Department of Justice also disbanded a team that seized the assets of Russian oligarchs... Department of Homeland Security Assistant Secretary Tricia McLaughlin told Reuters the agency had placed on administrative leave personnel working on misinformation and disinformation on its election security team, without elaborating further.

NASA

NASA Considers Eliminating Its Headquarters in Washington D.C. (politico.com)

NASA is considering "closing its headquarters and scattering responsibilities among the states," reports Politico, citing two people familiar with the plan. "The proposal could affect up to 2,500 jobs and redistribute critical functions, including who manages space exploration and organizes major science missions." While much of the day-to-day work occurs at NASA's 10 centers, the Washington office plays a strategic role in lobbying for the agency's priorities in Congress, ensuring the White House supports its agenda and partnering with foreign countries on critical space projects. Some of the headquarters' offices might remain in Washington, the people said, but it's not clear which ones those would be or who would keep their jobs...

One of the biggest fallouts is the damage it could do to coordination among NASA leadership on pressing issues... It would also limit cooperation with international partners on space, which is often done through embassies in Washington. NASA works with foreign partners on a range of projects, including the International Space Station and returning to the moon. The European Space Agency, for example, plans to provide modules for Gateway, a lunar space station that is central to NASA's Artemis program to land American astronauts back on the moon... The agency also helps coordinate support from foreign nations for the Artemis accords, which set goals for transparency and data sharing — and help create a level of trust in an unregulated part of the universe.

But the reallocation could have some benefits. Such a move would bring headquarters employees closer to the processes they manage. And it would give legislative liaison staff a chance to interact with lawmakers in their districts. "You're probably getting a lot more time with [lawmakers] at the local center or hosting events in the state or district," said Tom Culligan, a longtime space lobbyist.

Privacy

Hungary To Use Facial Recognition to Suppress Pride March (theguardian.com)

Hungary's Parliament not only voted to ban Pride events. They also voted to "allow authorities to use facial recognition software to identify attenders and potentially fine them," reports the Guardian. [The nationwide legislation] amends the country's law on assembly to make it an offence to hold or attend events that violate Hungary's contentious "child protection" legislation, which bars any "depiction or promotion" of homosexuality to minors under the age of 18. The legislation was condemned by Amnesty International, which described it as the latest in a series of discriminatory measures the Hungarian authorities have taken against LGBTQ+ people...

Organisers said they planned to go ahead with the march in Budapest, despite the law's stipulation that those who attend a prohibited event could face fines of up to 200,000 Hungarian forints [£425 or $549 U.S. dollars].

Piracy

Italy Demands Google Poison Its Public DNS Under Strict Piracy Shield Law (arstechnica.com)

"Italy is using its Piracy Shield law to go after Google," reports Ars Technica, "with a court ordering the Internet giant to immediately begin poisoning its public DNS servers" to prevent people from reaching pirate streams of football games.

"Italy's communication regulator praises the ruling and hopes to continue sticking it to international tech firms." Spotted by TorrentFreak, AGCOM Commissioner Massimiliano Capitanio took to LinkedIn to celebrate the ruling, as well as the existence of the Italian Piracy Shield. "The Judge confirmed the value of AGCOM's investigations, once again giving legitimacy to a system for the protection of copyright that is unique in the world," said Capitanio. Capitanio went on to complain that Google has routinely ignored AGCOM's listing of pirate sites, which are supposed to be blocked in 30 minutes or less under the law. He noted the violation was so clear-cut that the order was issued without giving Google a chance to respond, known as inaudita altera parte in Italian courts.
China

China Explores Limiting Its EV and Battery Exports For US Tariff Negotiations (msn.com)

"China is considering trying to blunt greater U.S. tariffs and other trade barriers," reports the Wall Street Journal, "by offering to curb the quantity of certain goods exported to the U.S., according to advisers to the Chinese government." Tokyo's adoption of so-called voluntary export restraints, or VERs, to limit its auto shipments to the U.S. in the 1980s helped prevent Washington from imposing higher import duties. A similar move from Beijing, especially in sectors of key concern to Washington, like electric vehicles and batteries, would mitigate criticism from the U.S. and others over China's "economic imbalances": heavily subsidized companies making stuff for slim profits but saturating global markets, to the detriment of other countries' manufacturers...

The Xi leadership has indicated a desire to cut a deal with the Trump administration to head off greater trade attacks... Similar to Japan, the Chinese advisers say, Beijing may also consider negotiating export restraints on EVs and batteries in return for investment opportunities in those sectors in the U.S. In some officials' views, they say, that might be an attractive offer to Trump, who at times has indicated an openness to more Chinese investment in the U.S. even though members of his administration firmly oppose it.

The article notes agreements like this are also hard to enforce, "particularly when Chinese companies export to the U.S. from third countries including Mexico and Vietnam."
Government

Six Countries Named as 'Likely' Purchasers of Paragon's Cellphone Spyware (techcrunch.com)

The governments of Australia, Canada, Cyprus, Denmark, Israel, and Singapore "are likely customers of Israeli spyware maker Paragon Solutions," reports TechCrunch, "according to a new technical report by a renowned digital security lab." On Wednesday, The Citizen Lab, a group of academics and security researchers housed at the University of Toronto that has investigated the spyware industry for more than a decade, published a report about the Israeli-founded surveillance startup, identifying the six governments as "suspected Paragon deployments."

At the end of January, WhatsApp notified around 90 users that the company believed were targeted with Paragon spyware, prompting a scandal in Italy, where some of the targets live... Paragon's executive chairman John Fleming told TechCrunch that the company "licenses its technology to a select group of global democracies — principally, the United States and its allies." Israeli news outlets reported in late 2024 that U.S. venture capital AE Industrial Partners had acquired Paragon for at least $500 million upfront....

Among the suspected customer countries, Citizen Lab singled out Canada's Ontario Provincial Police (OPP), which specifically appears to be a Paragon customer given that one of the IP addresses for the suspected Canadian customer is linked directly to the OPP.

In a related development the Guardian reports that a prominent activist in Italy "has warned the international criminal court that his mobile phone was under surveillance" when he was providing them confidential information about torture victims in Libya.

Both articles submitted by long-time Slashdot reader ISayWeOnlyToBePolite.
Government

Was Undersea Cable Sabotage Part of a Larger Pattern? (apnews.com)

Was the cutting of undersea cables part of a larger pattern? Russia and its proxies are accused by western officials of "staging dozens of attacks and other incidents across Europe since the invasion of Ukraine three years ago," reports the Associated Press.

That includes cyberattacks and committing acts of sabotage/vandalism/arson, as well as spreading propaganda and even plotting killings, according to the article. ("Western intelligence agencies uncovered what they said was a Russian plot to kill the head of a major German arms manufacturer that is a supplier of weapons to Ukraine...") The news agency documented 59 incidents "in which European governments, prosecutors, intelligence services or other Western officials blamed Russia, groups linked to Russia or its ally Belarus." [Western officials] allege the disruption campaign is an extension of Russian President Vladimir Putin's war, intended to sow division in European societies and undermine support for Ukraine... The incidents range from stuffing car tailpipes with expanding foam in Germany to a plot to plant explosives on cargo planes. They include setting fire to stores and a museum, hacking that targeted politicians and critical infrastructure, and spying by a ring convicted in the U.K. Richard Moore, the head of Britain's foreign intelligence service, called it a "staggeringly reckless campaign" in November...

The cases are varied, and the largest concentrations are in countries that are major supporters of Ukraine... In about a quarter of the cases, prosecutors have brought charges or courts have convicted people of carrying out the sabotage. But in many more, no specific culprit has been publicly identified or brought to justice.

Despite that, "more and more governments are publicly attributing attacks to Russia," the article points out.

This week a nonprofit, bipartisan think tank on global policy released a report which "found that Russian attacks in Europe quadrupled from 2022 to 2023 and then tripled again from 2023 to 2024," reports the New York Times. Prime Minister Donald Tusk of Poland noted in a social media post on Monday that Lithuanian officials had confirmed his assessment that Russia was responsible for a series of fires in shopping centers in Warsaw and Vilnius, the Lithuanian capital...
United States

US Release of Unredacted JFK Files 'Doxxed' Officials, Including Social Security Numbers (usatoday.com)

"I intend to sue the National Archives," said Joseph diGenova, an 80-year-old former Trump campaign lawyer (and a U.S. Attorney from 1983 to 1988). While releasing 63,000 unredacted pages about the 1963 assassination of President Kennedy, the U.S. government erroneously "made public the Social Security numbers and other sensitive personal information of potentially hundreds of former congressional staffers and other people," reports USA Today. ("It is virtually impossible to tell the scope of the breach because the National Archives put them online without a way to search them by keyword, some JFK files experts and victims of the information release told USA TODAY...")

Mark Zaid, a national security lawyer who represented current and former spies and other officials in cases against the government, told USA Today that he "saw a few names I know and I informed them of the breach... Hundreds were doxxed but of that number I don't know how many are still living." Zaid, who has fought for decades for the JFK records to be made public, said many of the thousands of investigative documents had been made public long ago with everything declassified and unredacted except for the personal information. Releasing that information now, he told USA TODAY, poses significant threats to those whose information is now public, including dates and places of birth, but especially their Social Security numbers. "The purpose of the release was to inform the public about the JFK assassination, not to help permit identity theft of those who actually investigated the events of that day," Zaid said. The Associated Press reported Thursday afternoon that government officials "said they are still screening the records to identify all the Social Security numbers that were released." One of the newly unredacted documents... discloses the Social Security numbers of more than two dozen people seeking security clearances in the 1990s to review JFK-related documents for the Assassination Records Review Board.
Open Source

'Unaware and Uncertain': Report Finds Widespread Unfamiliarity With 2027's EU Cyber Resilience Requirements (linuxfoundation.org)

Two "groundbreaking research reports" on open source security were announced this week by the Linux Foundation in partnership with the Open Source Security Foundation (OpenSSF) and Linux Foundation Europe. The reports specifically address the EU's Cyber Resilience Act (or CRA) and "highlight knowledge gaps and best practices for CRA compliance."

"Unaware and Uncertain: The Stark Realities of CRA-Readiness in Open Source" includes a survey which found that when it comes to CRA requirements, 62% of respondents were either "not familiar at all" (36%) or "slightly familiar" (26%) — while 51% weren't sure about its deadlines. ("Only 28% correctly identified 2027 as the target year for full compliance," according to one infographic, which adds that CRA "is expected to drive a 6% average price increase, though 53% of manufacturers are still assessing pricing impacts.") Manufacturers, who bear primary responsibility, lack readiness — many [46%] passively rely on upstream security fixes, and only a small portion produce Software Bills of Materials (SBOMs). The report recommends that manufacturers take a more active role in open source security, that more funding and legal support is needed to support security practices, and that clear regulatory guidance is essential to prevent unintended negative impacts on open source development.
The research also provides "an in-depth analysis of how open collaboration can strengthen software security and innovation across global markets," with another report that "examines how three Linux Foundation projects are meeting the CRA's minimum compliance requirements" and "provides insight on the elements needed to ensure leadership in cybersecurity best practices." (It also includes CRA-related resources.)

"These two reports offer actionable conclusions for open source stakeholders to ready themselves for 2027, when the CRA comes into force," according to a Linux Foundation research executive cited in the announcement. "We hope that these reports catalyze higher levels of collaboration across the open source community."
The Courts

Director Charged With Netflix Fraud After Splurging on Crypto Instead of Finishing Sci-fi Series (npr.org)

Hollywood filmmaker Carl Erik Rinsch has been charged with defrauding Netflix of $11 million after allegedly misusing funds intended for an unfinished science fiction series, federal prosecutors said.

Rinsch, 47, was arrested in West Hollywood this week on charges of wire fraud, money laundering and unlawful monetary transactions that could result in decades of imprisonment if convicted. The FBI and Acting U.S. Attorney for the Southern District of New York allege Rinsch diverted funds meant for his series "Conquest" to speculate on cryptocurrency, stay in luxury hotels and purchase high-end items including five Rolls-Royces and a Ferrari.

Netflix had paid Rinsch $44 million between 2018 and 2019 for the science fiction project about an artificial humanlike species. Prosecutors say he then requested an additional $11 million but never completed the production. An arbitrator ruled in Netflix's favor last year, ordering Rinsch to pay the company $11.8 million. Rinsch appeared in federal court with shackles and posted a $100,000 bond.
AI

Clearview Attempted To Buy Social Security Numbers and Mugshots for its Database (404media.co)

Controversial facial recognition company Clearview AI attempted to purchase hundreds of millions of arrest records including social security numbers, mugshots, and even email addresses to incorporate into its product, 404 Media reports. From the report: For years, Clearview AI has collected billions of photos from social media websites including Facebook, LinkedIn and others and sold access to its facial recognition tool to law enforcement. The collection and sale of user-generated photos by a private surveillance company to police without that person's knowledge or consent sparked international outcry when it was first revealed by the New York Times in 2020.

New documents obtained by 404 Media reveal that Clearview AI spent nearly a million dollars in a bid to purchase "690 million arrest records and 390 million arrest photos" from all 50 states from an intelligence firm. The contract further describes the records as including current and former home addresses, dates of birth, arrest photos, social security and cell phone numbers, and email addresses. Clearview attempted to purchase this data from Investigative Consultant, Inc. (ICI) which billed itself as an intelligence company with access to tens of thousands of databases and the ability to create unique data streams for its clients. The contract was signed in mid-2019, at a time when Clearview AI was quietly collecting billions of photos off the internet and was relatively unknown at the time.

Crime

FedEx Data Scraping and Telecom Insider Bribes Powered Nationwide iPhone Theft Operation (wsj.com)

Federal authorities have broken up an international crime ring that stole thousands of iPhones from porches nationwide, arresting 13 people last month after a sophisticated operation that combined high-tech tools with old-fashioned bribery.

The thieves created software to scrape FedEx tracking numbers and paid AT&T store employees to provide customer order details and delivery addresses, according to WSJ, which cites prosecutors. Armed with this information, runners intercepted packages at doorsteps moments after delivery.

Demetrio Reyes Martinez, known online as "CookieNerd," developed code that circumvented FedEx limits on delivery-data requests, while AT&T employee Alejandro Then Castillo used his credentials to track hundreds of shipments and reportedly received up to $2,500 for recruiting other employees. Stolen devices were funneled through Wyckoff Wireless in Brooklyn, a store owned by Joel Suriel, who was already on supervised release from a previous wire-fraud conviction. The merchandise was then shipped overseas for sale and activation.
Patents

The Effect of Application Fees on Entry into Patenting (nber.org)

The abstract of a paper published by the National Bureau of Economic Research: Ensuring broad access to the patent system is crucial for fostering innovation and promoting economic growth. To support this goal, the U.S. Patent and Trademark Office offers reduced fees for small and micro entities. This paper investigates whether fee rates affect the filing of applications by small and micro entities. Exploiting recent fee reforms, the study evaluates the relationship between fee changes and the number of new entrants, controlling for potential confounding factors such as legislative changes. The findings suggest that fee reductions alone are insufficient to significantly increase participation in the patent system among small and micro entities.
Security

Microsoft Isn't Fixing 8-Year-Old Shortcut Exploit Abused For Spying (theregister.com)

Trend Micro uncovered an eight-year-long spying campaign exploiting a Windows vulnerability involving malicious .LNK shortcut files, which attackers padded with whitespace to conceal commands. Although the issue was reported to Microsoft in 2023, the company considers it a UI issue rather than a security risk and has not prioritized a fix. The Register reports: The attack method is low-tech but effective, relying on malicious .LNK shortcut files rigged with commands to download malware. While appearing to point to legitimate files or executables, these shortcuts quietly include extra instructions to fetch or unpack and attempt to run malicious payloads. Ordinarily, the shortcut's target and command-line arguments would be clearly visible in Windows, making suspicious commands easy to spot. But Trend's Zero Day Initiative said it observed North Korea-backed crews padding out the command-line arguments with megabytes of whitespace, burying the actual commands deep out of sight in the user interface.

Trend reported this to Microsoft in September last year and estimates that it has been used since 2017. It said it had found nearly 1,000 tampered .LNK files in circulation but estimates the actual number of attacks could have been higher. "This is one of many bugs that the attackers are using, but this is one that is not patched and that's why we reported it as a zero day," Dustin Childs, head of threat awareness at the Zero Day Initiative, told The Register. "We told Microsoft but they consider it a UI issue, not a security issue. So it doesn't meet their bar for servicing as a security update, but it might be fixed in a later OS version, or something along those lines."

After poring over malicious .LNK samples, the security shop said it found the vast majority of these files were from state-sponsored attackers (around 70 percent), used for espionage or information theft, with another 20 percent going after financial gain. Among the state-sponsored crews, 46 percent of attacks came from North Korea, while Russia, Iran, and China each accounted for around 18 percent of the activity.

EU

Dutch Parliament Calls For End To Dependence On US Software Companies (yahoo.com)

The Dutch parliament approved motions urging the government to reduce reliance on U.S. software companies by developing a sovereign cloud platform and reconsidering contracts with American firms. Reuters reports: While such initiatives have foundered in the past due to a lack of viable European alternatives, lawmakers said changing relations with the United States under the presidency of Donald Trump have given the issue fresh urgency. "The question we as Europeans must ask ourselves is: do we feel comfortable with people like Trump, (Meta CEO Mark) Zuckerberg and (X owner Elon) Musk ruling over our data?" said Marieke Koekkoek of the pro-European Volt party, who authored one of the eight motions, in an email to Reuters.

In addition to launching a sovereign cloud services platform, the motions called on the government to re-examine a decision to use Amazon's web services for the Netherlands' internet domain hosting, and to develop alternatives to U.S. software and preferential treatment for European firms in public tenders. [...] Bert Hubert, a Dutch technology expert who has advocated for reducing dependency on the U.S., said: "This is only the first step in potentially doing something." But he said one important outcome would be forcing agencies to publicly report on risks related to their reliance on U.S. cloud firms. "With the advent of Trump 2.0, it has become clear that this is not something you can harmlessly sign off on," he said.

The Courts

US Appeals Court Rejects Copyrights For AI-Generated Art (yahoo.com)

An anonymous reader quotes a report from Reuters: A federal appeals court in Washington, D.C., on Tuesday affirmed that a work of art generated by artificial intelligence without human input cannot be copyrighted under U.S. law. The U.S. Court of Appeals for the District of Columbia Circuit agreed with the U.S. Copyright Office that an image created by Stephen Thaler's AI system "DABUS" was not entitled to copyright protection, and that only works with human authors can be copyrighted.

Tuesday's decision marks the latest attempt by U.S. officials to grapple with the copyright implications of the fast-growing generative AI industry. The Copyright Office has separately rejected artists' bids for copyrights on images generated by the AI system Midjourney. The artists argued they were entitled to copyrights for images they created with AI assistance -- unlike Thaler, who said that his "sentient" system created the image in his case independently. [...]

U.S. Circuit Judge Patricia Millett wrote for a unanimous three-judge panel on Tuesday that U.S. copyright law "requires all work to be authored in the first instance by a human being." "Because many of the Copyright Act's provisions make sense only if an author is a human being, the best reading of the Copyright Act is that human authorship is required for registration," the appeals court said.

The Courts

HR Tech Firm Rippling Sues Rival Deel for Corporate Espionage

HR software provider Rippling has sued competitor Deel for allegedly planting a spy in its Dublin office to steal trade secrets, court documents [PDF] showed on Monday. Rippling claims the employee, identified as D.S., systematically searched internal Slack channels for competitor information, including sales leads and pitch decks.

The company discovered the alleged scheme through a "honeypot" trap -- a specially created Slack channel mentioned in a letter to Deel executives. When served with a court order to surrender his phone, D.S. locked himself in a bathroom before fleeing, according to the lawsuit. "We're all for healthy competition, but we won't tolerate when a competitor breaks the law," said Vanessa Wu, Rippling's general counsel. Both companies operate multibillion-dollar HR platforms, with Rippling valued at $13.5 billion and Deel at over $12 billion.
Government

Consumer Groups Push New Law Fighting 'Zombie' IoT Devices (consumerreports.org)

Long-time Slashdot reader chicksdaddy writes: A group of U.S. consumer advocacy groups on Wednesday proposed legislation to address the growing epidemic of "zombie" Internet of Things (IoT) devices that have had software support cut off by their manufacturer, Fight To Repair News reports.

The Connected Consumer Product End of Life Disclosure Act is a collaboration between Consumer Reports, US PIRG, the Secure Resilient Future Foundation (SRFF) and the Center for Democracy and Technology. It requires manufacturers of connected consumer products to disclose for how long they will provide technical support, security updates, or bug fixes for the software and hardware that are necessary for the product to operate securely.

The groups proposed legal requirements that manufacturers "must notify consumers when their devices are nearing the end of life and provide guidance on how to handle the device's end of life," while end-of-life notifications "must include details about features that will be lost, and potential vulnerabilities and security risks that may arise." And when an ISP-provided device (like a router) reaches its end of life, the ISP must remove it.

"The organizations are working with legislators at the state and federal level to get the model legislation introduced," according to Fight To Repair News.
