United States

Amazon's Ring and Google Can Share Footage With Police Without Warrants (or Your Consent) (cnet.com) 70

U.S. law lets companies like Google and Amazon's Ring doorbell/security camera system "share user footage with police during emergencies without consent and without warrants," CNET reported this week. They add that after that revelation "came under renewed criticism from privacy activists this month after disclosing it gave video footage to police in more than 10 cases without users' consent thus far in 2022 in what it described as 'emergency situations'."

"That includes instances where the police didn't have a warrant." "So far this year, Ring has provided videos to law enforcement in response to an emergency request only 11 times," Amazon vice president of public policy Brian Huseman wrote. "In each instance, Ring made a good-faith determination that there was an imminent danger of death or serious physical injury to a person requiring disclosure of information without delay...." Of the 11 emergency requests Ring has complied with so far in 2022, the company said they include cases involving kidnapping, self-harm and attempted murder, but it won't provide further details, including information about which agencies or countries the requests came from.

We also asked Ring if it notified customers after the company had granted law enforcement access to their footage without their consent.

"We have nothing to share," the spokesperson responded.

CNET also supplies this historical context: It's been barely a year since Ring made the decision to stop allowing police to email users to request footage. Facing criticism that requests like those were subverting the warrant process and contributing to police overreach, Ring directed police instead to post public requests for assistance in the Neighbors app, where community members are free to view and comment on them (or opt out of seeing them altogether)... That post made no mention of a workaround for the police during emergency circumstances.
When CNET asked why that workaround wasn't mentioned, Amazon's response was that law enforcement requests, "including emergency requests, are directed to Ring (the company), the same way a warrant or subpoena is directed to Ring (and not the customer), which is why we treat them entirely separately."

CNET notes there's also no mention of warrantless emergency requests without independent oversight in Ring's own transparency reports about law enforcement requests from past years.

CNET adds that it's not just Amazon. "Google, Ring and other companies that process user video footage have a legal basis for warrantless disclosure without consent during emergency situations, and it's up to them to decide whether or not to do so when the police come calling...." (Although Google told CNET that while it reserves the right to comply with warrantless requests for user data during emergencies, to date it has never actually done so.) The article also points out that "Others, most notably Apple, use end-to-end encryption as the default setting for user video, which blocks the company from sharing that video at all... Ring enabled end-to-end encryption as an option for users in 2021, but it isn't the default setting, and Ring notes that turning it on will break certain features, including the ability to view your video feed on a third-party device like a smart TV, or even Amazon devices like the Echo Show smart display."

The bottom line? [C]onsumers have a choice to make about what they're comfortable with... That said, you can't make informed choices when you aren't well-informed to begin with, and the brands in question don't always make it easy to understand their policies and practices. Ring published a blog post last year walking through its new, public-facing format for police footage requests, but there was no mention of emergency exceptions granted without user consent or independent oversight, the details of which only came to light after a Senate probe. Google describes its emergency sharing policies within its Terms of Service, but the language doesn't make it clear that those cases include instances where footage may be shared without a warrant, subpoena or court order compelling Google to do so.
Electronic Frontier Foundation

'Toward a Future We Want to Live In' - EFF Celebrates 32nd Birthday (eff.org) 25

"Today at the Electronic Frontier Foundation, we're celebrating 32 years of fighting for technology users around the world," reads a new announcement posted at EFF.org: If you were online back in the 90s, you might remember that it was pretty wild. We had bulletin boards, FTP, Gopher, and, a few years later, homespun websites. You could glimpse a future where anyone, anywhere in the world could access information, float new ideas, and reach each other across vast distances. It was exciting and the possibilities seemed endless.

But the founders of EFF also knew that a better future wasn't automatic. You don't organize a team of lawyers, technologists, and activists because you think technology will magically fix everything — you do it because you expect a fight.

Three decades later, thanks to those battles, the internet does much of what it promised: it connects and lifts up major grassroots movements for equity, civil liberties, and human rights and allows people to connect and organize to counteract the ugliness of the world.

But we haven't yet won that future we envisioned. Just as the web connects us, it also serves as a hunting ground for those who want to surveil and control our actions, those who wish to harass and spread hate, as well as others who seek to monetize our every move and thought. Information collected for one purpose is freely repurposed in ways that oppress us, rather than lift us up. The truth is that digital tools allow those with horrible ideas to connect with each other just as it does those with beautiful, healing ones.

EFF has always seen both the beauty and destructive potential of the internet, and we've always put our marker down on the side of justice, freedom, and innovation.

We work every day toward a future we want to live in, and we don't do it alone. Support from the public makes every one of EFF's activism campaigns, software projects, and court filings possible. Together, we anchor the movement for a better digital world, and ensure that technology supports freedom, justice, and innovation for all people of the world.

In fact, I invite every digital freedom supporter to join EFF during our summer membership drive. Right now, you can be a member for as little as $20, get some special new gear, and ensure that tech users always have a formidable defender in EFF.

So how does the EFF team celebrate this auspicious anniversary? EFF does what it does best: stand up for users and innovators in the courts, in the halls of power, in the public conversation. We build privacy-protecting tools, teach skills to community members, share knowledge with allies, and preserve the best aspects of the wild web.

In other words, we use every tool in our deep arsenal to fight for a better and brighter digital future for all. Thank you for standing with EFF when it counts.

Piracy

Broadest US Pirate Site Injunction Rewritten/Tamed By Cloudflare (torrentfreak.com) 10

An anonymous reader quotes a report from TorrentFreak: After causing outrage among online services including Cloudflare, the most aggressive pirate site injunction ever handed down in the US has undergone significant weight loss surgery. Now before the court is a heavily modified injunction that is most notable for everything that's been removed. It appears that Cloudflare drew a very clear line in the sand and refused to step over it. [...] The injunctions granted extreme powers, from residential ISP blocking to almost any other action the plaintiffs deemed fit to keep the sites offline. Almost immediately that led to friction with third-party service providers and the situation only worsened when a concerned Cloudflare found itself threatened with contempt of court for non-compliance. The CDN company fought back with support from Google and EFF and that led the parties back to the negotiating table. Filings in the case last week suggested an acceptance by the plaintiffs that the injunction cannot be enforced in its present form. The parties promised to work on a new injunction to address both sides' concerns and as a result, a new proposal now awaits the court's approval. [...]

With the contempt of court issue behind them, Cloudflare and the plaintiffs appear to have settled their differences. An entire section in the injunction dedicated to Cloudflare suggests that the CDN company is indeed prepared to help the video companies but they'll have to conform to certain standards. Before even contacting Cloudflare they'll first need to make "reasonable, good faith efforts to identify and obtain relief for the identified domains from hosting providers and domain name registries and registrars."

If the plaintiffs still need Cloudflare's assistance, Cloudflare will comply with requests against domain names listed in this injunction and future injunctions by preventing access to the following: "Pass-through security services, content delivery network (CDN) services, video streaming services, and authoritative DNS services, DNS, CDN, streaming services, and any related services." An additional note states that the plaintiffs acknowledge that Cloudflare's compliance "will not necessarily prevent the Defendants from providing users with access to Defendants' infringing services." Given the agreement on the terms, the amended injunction will likely be signed off by the court in the coming days. Service providers everywhere will breathe a sigh of relief while rightsholders will have a template for similar cases moving forward.
The proposed amended injunction documents can be found here (1, 2, 3, 4, 5 pdf).

Electronic Frontier Foundation

Court Rules DMCA Does Not Override First Amendment's Anonymous Speech Protections (eff.org) 45

An anonymous reader quotes a report from the Electronic Frontier Foundation: Copyright law cannot be used as a shortcut around the First Amendment's strong protections for anonymous internet users, a federal trial court ruled on Tuesday. The decision by a judge in the United States District Court for the Northern District of California confirms that copyright holders issuing subpoenas under the Digital Millennium Copyright Act must still meet the Constitution's test before identifying anonymous speakers.

The case is an effort to unmask an anonymous Twitter user (@CallMeMoneyBags) who posted photos and content that implied a private equity billionaire named Brian Sheth was romantically involved with the woman who appeared in the photographs. Bayside Advisory LLC holds the copyright on those images, and used the DMCA to demand that Twitter take down the photos, which it did. Bayside also sent Twitter a DMCA subpoena to identify the user. Twitter refused and asked a federal magistrate judge to quash Bayside's subpoena. The magistrate ruled late last year that Twitter must disclose the identity of the user because the user failed to show up in court to argue that they were engaged in fair use when they tweeted Bayside's photos. When Twitter asked a district court judge to overrule the magistrate's decision, EFF and the ACLU Foundation of Northern California filed an amicus brief in the case, arguing that the magistrate's ruling sidestepped the First Amendment when it focused solely on whether the user's tweets constituted fair use of the copyrighted works. [...]

EFF is pleased with the district court's decision, which ensures that DMCA subpoenas cannot be used as a loophole to the First Amendment's protections. The reality is that copyright law is often misused to silence lawful speech or retaliate against speakers. For example, in 2019 EFF successfully represented an anonymous Reddit user that the Watchtower Bible and Tract Society sought to unmask via a DMCA subpoena, claiming that they posted Watchtower's copyrighted material. We are also grateful that Twitter stood up for its user's First Amendment rights in court.

Transportation

San Francisco Police Are Using Driverless Cars As Mobile Surveillance Cameras (vice.com) 50

BeerFartMoron shares a report from Motherboard: For the last five years, driverless car companies have been testing their vehicles on public roads. These vehicles constantly roam neighborhoods while laden with a variety of sensors including video cameras capturing everything going on around them in order to operate safely and analyze instances where they don't. While the companies themselves, such as Alphabet's Waymo and General Motors' Cruise, tout the potential transportation benefits their services may one day offer, they don't publicize another use case, one that is far less hypothetical: Mobile surveillance cameras for police departments.

"Autonomous vehicles are recording their surroundings continuously and have the potential to help with investigative leads," says a San Francisco Police department training document obtained by Motherboard via a public records request. "Investigations has already done this several times."

Privacy advocates say the revelation that police are actively using AV footage is cause for alarm. "This is very concerning," Electronic Frontier Foundation (EFF) senior staff attorney Adam Schwartz told Motherboard. He said cars in general are troves of personal consumer data, but autonomous vehicles will have even more of that data from capturing the details of the world around them. "So when we see any police department identify AVs as a new source of evidence, that's very concerning."

"As companies continue to make public roadways their testing grounds for these vehicles, everyone should understand them for what they are -- rolling surveillance devices that expand existing widespread spying technologies," said Chris Gilliard, Visiting Research Fellow at Harvard Kennedy School Shorenstein Center. "Law enforcement agencies already have access to automated license plate readers, geofence warrants, Ring Doorbell footage, as well as the ability to purchase location data. This practice will extend the reach of an already pervasive web of surveillance."

The Media

70-Year-Old Cyberpunk: 'This Interview Is a Mistake' (spikeartmagazine.com) 37

Long-time Slashdot reader destinyland writes: He was the co-publisher of the first popular digital culture magazine, MONDO 2000, from 1989–1993. Now as R. U. Sirius approaches his 70th birthday, a San Francisco-based writer conducts a rollicking interview for the Berlin-based Spike Art Magazine. ("I wanted to speak with someone who had weathered the shakedown of history with art, humour, and a dose of healthy delusion. Or derision. Whatever arrived first...")

That interview itself was star-crossed. ("What came first, R.U.'s stroke or the Omicron surge? As I recovered from a bout of corona, R.U. fell ill with his own strain.. ") But eventually they did discuss the founding of that influential cyberculture magazine. (Editor Jude Milhon is credited with coining the word "cypherpunk" for an early cryptography-friendly group co-founded by EFF pioneer John Gilmore.) Asked about the magazine's original vision, Sirius says "I was pretty much diverted by Timothy Leary and Robert Anton Wilson and their playful, hopeful futurisms, their whole shebang about evolutionary brain circuits being opened up by drugs and technology."


I needed something to get me out of bed at the end of the 1970s. I mean, punk was great – rock and roll was great – but it wasn't inspiring any action. I remember my friends stole some giant lettering from a sign at a gas station and some of it hung behind the couch in our living room where we took whatever drugs were around and tossed glib nihilisms back and forth. The letters read "ROT".... I couldn't sink any deeper into that couch, so there was nowhere to go except up into outer space.

The surrealism and so forth were influences that travelled with me when I moved to California to create this new thing based on psychedelics, technology, and incorrigible irreverence that eventually became Mondo 2000.



It's a funny interview. ("The 'R.U. a Cyberpunk' page from an issue of Mondo is the only thing most people below a certain age have ever seen from the magazine and we were taking the piss out of ourselves....") They scrupulously avoid mentioning Mondo's undeniable influence on the early days of Wired. But inevitably the conversation comes back around to that seminal question: whither cyberpunk?


Q: The internet, which was a prime source of Mondo subject matter, is home to many eyes, rabbit holes, and agents of algorithmic manipulation. Where is cyberpunk culture alive and well in our contemporary moment? Are you still invested and engaged with cyberpunk as a means of exploring radical possibilities and ideas...?

RUS: [T]here's not really a cyberpunk movement... Surrealism was a movement for a number of years because an anguished control freak named André Breton maintained it in various formations. We didn't have that person, and if we had, he or she or they probably would have been laughed out of the sandbox for the attempt....

I'll remain influenced by playful spontaneity from ancient 20th-century moments not because of any dedication, but only because that's probably the only way I was ever going to be able to write or create. I lack rigor and once declared it a sign of death.



And Sirius jokes at the end that "usually my attitude is that the world today is bloated with people opinionizing so, this interview is a mistake!"

GNU is Not Unix

Richard Stallman Speaks on Cryptocurrency, Blockchain, GNU Taler, and Encryption (libreplanet.org) 96

During a 92-minute presentation Wednesday on the state of the free software movement, Richard Stallman spoke at length on a wide variety of topics, including the need for freedom-respecting package systems.

But Stallman also shared his deepest thoughts on a topic dear to the hearts of Slashdot readers: privacy and currency: I won't order from online stores, because I can't pay them. For one thing, the payment services require running non-free JavaScript... [And] to pay remotely you've got to do it by credit card, and that's tracking people, and I want to resist tracking too.... This is a really serious problem for society, that you can't order things remotely anonymously.

But GNU Taler is part of the path to fixing that. You'll be able to get a Taler token from your bank, or a whole bunch of Taler tokens, and then you'll be able to use those to pay anonymously.

Then if the store can send the thing you bought to a delivery box in your neighborhood, the store doesn't ever have to know who you are.

But there's another issue Stallman touched on earlier in his talk: There is a proposed U.S. law called KOSA which would require mandatory age-verification of users -- which means mandatory identification of users, which is likely to mean via face recognition. And it would be in every commercial software application or electronic service that connects to the internet.... [It's] supposedly for protecting children. That's one of the favorite excuses for surveillance and repression: to protect the children. Whether it would actually protect anyone is dubious, but they hope that won't actually be checked.... You can always propose a completely useless method that will repress everyone....
So instead, Stallman suggests that age verification could be handled by.... GNU Taler: Suppose there's some sort of service which charges money, or even a tiny amount of money, and is only for people over 16, or people over 18 or whatever it is. Well, you could get from your bank a Taler token that says the person using this token is over 16. This bank has verified that.... So then the site only needs to insist on a 16-or-over Taler token, and your age is verified, but the site has no idea who you are.

Unfortunately that won't help if user-identifying age-tracking systems are legislated now. The code of Taler works, but it's still being integrated with a bank so that people could actually start to use it with real businesses.

Read on for Slashdot's report on Stallman's remarks on cryptocurrencies and encryption, or jump ahead to...

DRM

Creative Commons Opposes Piracy-Combatting 'SMART' Copyright Act (creativecommons.org) 54

The non-profit Creative Commons (founded by Lawrence Lessig) opposes a new anti-piracy bill that "proposes to have the US Copyright Office mandate that all websites accepting user-uploaded material implement technologies to automatically filter that content." We've long believed that these kinds of mandates are overbroad, speech-limiting, and bad for both creators and reusers. (We're joined in this view by others such as Techdirt, Public Knowledge, and EFF, who have already stated their opposition.)

But one part of this attempt stands out to us: the list of "myths" Sen. Tillis released to accompany the bill. In particular, Tillis lists the concern that it is a "filtering mandate that will chill free speech and harm users" as a myth instead of a true danger to free expression -- and he cites the existence of CC's metadata as support for his position.

Creative Commons is strongly opposed to mandatory content filtering measures. And we particularly object to having our work and our name used to imply support for a measure that undermines free expression which CC seeks to protect....

Limitations and exceptions are a crucial feature of a copyright system that truly serves the public, and filter mandates fail to respect them. Because of this, licensing metadata should not be used as a mandatory upload filter -- and especially not CC license data. We do not support or endorse the measures in this bill, and we object to having our name used to imply otherwise.

Privacy

It's Back: Senators Want 'EARN IT' Bill To Scan All Online Messages (eff.org) 212

A group of lawmakers have re-introduced the EARN IT Act, an incredibly unpopular bill from 2020 that "would pave the way for a massive new surveillance system, run by private companies, that would roll back some of the most important privacy and security features in technology used by people around the globe," writes Joe Mullin via the Electronic Frontier Foundation. "It's a framework for private actors to scan every message sent online and report violations to law enforcement. And it might not stop there. The EARN IT Act could ensure that anything hosted online -- backups, websites, cloud photos, and more -- is scanned." From the report: The bill empowers every U.S. state or territory to create sweeping new Internet regulations, by stripping away the critical legal protections for websites and apps that currently prevent such a free-for-all -- specifically, Section 230. The states will be allowed to pass whatever type of law they want to hold private companies liable, as long as they somehow relate their new rules to online child abuse. The goal is to get states to pass laws that will punish companies when they deploy end-to-end encryption, or offer other encrypted services. This includes messaging services like WhatsApp, Signal, and iMessage, as well as web hosts like Amazon Web Services. [...]

Separately, the bill creates a 19-person federal commission, dominated by law enforcement agencies, which will lay out voluntary "best practices" for attacking the problem of online child abuse. Regardless of whether state legislatures take their lead from that commission, or from the bill's sponsors themselves, we know where the road will end. Online service providers, even the smallest ones, will be compelled to scan user content, with government-approved software like PhotoDNA. If EARN IT supporters succeed in getting large platforms like Cloudflare and Amazon Web Services to scan, they might not even need to compel smaller websites -- the government will already have access to the user data, through the platform. [...] Senators supporting the EARN IT Act say they need new tools to prosecute cases over child sexual abuse material, or CSAM. But the methods proposed by EARN IT take aim at the security and privacy of everything hosted on the Internet.

The Senators supporting the bill have said that their mass surveillance plans are somehow magically compatible with end-to-end encryption. That's completely false, no matter whether it's called "client side scanning" or another misleading new phrase. The EARN IT Act doesn't target Big Tech. It targets every individual internet user, treating us all as potential criminals who deserve to have every single message, photograph, and document scanned and checked against a government database. Since direct government surveillance would be blatantly unconstitutional and provoke public outrage, EARN IT uses tech companies -- from the largest ones to the very smallest ones -- as its tools. The strategy is to get private companies to do the dirty work of mass surveillance.

Encryption

NBC: 'You Probably Don't Need to Rely on a VPN Anymore' (nbcnews.com) 166

NBC News writes: VPNs, or virtual private networks, continue to be used by millions of people as a way of masking their internet activity by encrypting their location and web traffic. But on the modern internet, most people can safely ditch them, thanks to the widespread use of encryption that has made public internet connections far less of a security threat, cybersecurity experts say. "Most commercial VPNs are snake oil from a security standpoint," said Nicholas Weaver, a cybersecurity lecturer at the University of California, Berkeley. "They don't improve your security at all...."

Most browsers have quietly implemented an added layer of security in recent years that automatically encrypts internet traffic at most sites with a technology called HTTPS. Indicated by a tiny padlock by the URL, the presence of HTTPS means that worrisome scenario, in which a scammer or a hacker squats on a public Wi-Fi connection in order to watch people's internet habits, isn't feasible. It's not clear that the threat of a hacker at your coffee shop was ever that real to begin with, but it is certainly not a major danger now, Weaver said. "Remember, someone attacking you at the coffee shop needs to be basically at the coffee shop," he said. "I don't know of them ever being used outside of pranks. And those are all irrelevant now with most sites using HTTPS," he said in a text message.

There are still valid uses for VPNs. They're an invaluable tool for getting around certain types of censorship, though other options also exist, such as the Tor Browser, a free web browser that automatically reroutes users' traffic and is widely praised by cybersecurity experts. VPNs are also vital for businesses that need their employees to log in remotely to their internal network. And they're a popular and effective way to watch television shows and movies that are restricted to particular countries on streaming services. But like with antivirus software, the paid VPN industry is a booming global market despite its core mission no longer being necessary for many people.

Most VPNs market their products as a security tool. A Consumer Reports investigation published earlier this month found that 12 of the 16 biggest VPNs make hyperbolic claims or mislead customers about their security benefits. And many can make things worse, either by selling customers' browsing history to data brokers, or by having poor cybersecurity.

The article credits the Electronic Frontier Foundation for popularizing encryption through browser extensions and web site certificates starting in 2010. "In 2015, Google started prioritizing websites that enabled HTTPS in its search results. More and more websites started offering HTTPS connections, and now practically all sites that Google links to do so.

"Since late 2020, major browsers such as Brave, Chrome, Firefox, Safari and Edge all built HTTPS into their programs, making Electronic Frontier Foundation's browser extension no longer necessary for most people."

Announcements

What Were Slashdot's Most Popular Stories of 2021? (slashdot.org) 16

Another 12 months gone by, and with it nearly 8,000 new Slashdot headlines — so which ones drew the most views?

Click here for lists of Slashdot's top 10 most-visited and most-commented stories of the year — and also the all-time top 10 lists since Slashdot's creation in 1997.

Here's some of 2021's highlights:
  • Remember that big electrical outage that left millions of Texans without power in the middle of a winter storm? As the crisis was still raging, CNN asked the million-dollar question: who's actually to blame? This became Slashdot's 9th most-visited story of the year — and also the 7th most-commented.
  • Two of the 10 most-visited stories of the year were "Ask Slashdot" technical questions: In April RockDoctor (Slashdot reader #15,477) asked whether a software RAID is better than a hardware RAID? And in January of 2020 Slashdot reader lsllll asked for suggestions on a battery-powered wi-fi security camera supporting FTP/SMB.

    Interestingly, one of the year's most-commented poll topics had asked whether bitcoin would break $100,000 before the end of 2021. 4,951 voters — a full 25% — had said "Yes" — and were off by more than half, with bitcoin actually tumbling 8% in the last week of 2021 to wind up somewhere near $46,371 as of late Friday afternoon.

    At the time of the poll — October 8th — the price of Bitcoin was already up to $53,963. One month later it had reached its highest price of 2021 — $67,582 — before dropping 31.7% over the next 53 days.

    In the October poll asking whether bitcoin would reach $100,000 in the final 84 days of 2021 — another 14,687 Slashdot readers voted "No."

Technology

Messy NFT Drop Angers Infosec Pioneers With Unauthorized Portraits (theverge.com) 65

An unauthorized NFT drop celebrating infosec pioneers has collapsed into a mess of conflicting takedowns and piracy. From a report: Released on Christmas Day by a group called "ItsBlockchain," the "Cipher Punks" NFT package included portraits of 46 distinct figures, with ten copies of each token. Taken at their opening price, the full value of the drop was roughly $4,000. But almost immediately, the infosec community began to raise objections -- including some from the portrait subjects themselves. The portrait images misspelled several names -- including EFF speech activist Jillian York and OpenPGP creator Jon Callas -- and based at least one drawing on a copyright-protected photograph. More controversially, the list included some figures who have been ostracized for harmful personal behavior, including Jacob Appelbaum and Richard Stallman.
Social Networks

Federal Court Blocks Texas' Unconstitutional Social Media Law (eff.org) 292

An anonymous reader quotes a report from the Electronic Frontier Foundation: On December 1, hours before Texas' social media law, HB 20, was slated to go into effect, a federal court in Texas blocked it for violating the First Amendment. Like a similar law in Florida, which was blocked and is now pending before the Eleventh Circuit Court of Appeals, the Texas law will go to the Fifth Circuit. These laws are retaliatory, obviously unconstitutional, and EFF will continue advocating that courts stop them. In October, EFF filed an amicus brief against HB 20 in Netchoice v. Paxton, a challenge to the law brought by two associations of tech companies. HB 20 prohibits large social media platforms from removing or moderating content based on the viewpoint of the user. We argued, and the federal court agreed, that the government cannot regulate the editorial decisions made by online platforms about what content they host. As the judge wrote, platforms' right under the First Amendment to moderate content "has repeatedly been recognized by courts." Social media platforms are not "common carriers" that transmit speech without curation.

Moreover, Texas explicitly passed HB 20 to stop social media companies' purported discrimination against conservative users. The court explained that this "announced purpose of balancing the discussion" is precisely the kind of government manipulation of public discourse that the First Amendment forbids. As EFF's brief explained, the government can't retaliate against disfavored speakers and promote favored ones. Moreover, HB 20 would destroy or prevent the emergence of even large conservative platforms, as they would have to accept user speech from across the political spectrum. HB 20 also imposed transparency requirements and user complaint procedures on large platforms. While these kinds of government mandates might be appropriate when carefully crafted -- and separated from editorial restrictions or government retaliation -- they are not here. The court noted that companies like YouTube and Facebook remove millions of pieces of user content a month. It further noted Facebook's declaration in the case that it would be "impossible" to establish a system by December 1 compliant with the bill's requirements for that many removals. Platforms would simply stop removing content to avoid violating HB 20 -- an impermissible chill of First Amendment rights.

Privacy

Apple Removes All References To Controversial CSAM Scanning Feature From Its Child Safety Webpage (macrumors.com) 36

Apple has quietly nixed all mentions of CSAM from its Child Safety webpage, suggesting its controversial plan to detect child sexual abuse images on iPhones and iPads may hang in the balance following significant criticism of its methods. From a report: Apple in August announced a planned suite of new child safety features, including scanning users' iCloud Photos libraries for Child Sexual Abuse Material (CSAM), Communication Safety to warn children and their parents when receiving or sending sexually explicit photos, and expanded CSAM guidance in Siri and Search. Following their announcement, the features were criticized by a wide range of individuals and organizations, including security researchers, the privacy whistleblower Edward Snowden, the Electronic Frontier Foundation (EFF), Facebook's former security chief, politicians, policy groups, university researchers, and even some Apple employees.

Chrome

EFF Warns Chrome Users: 'Manifest V3 Is Deceitful and Threatening' (eff.org) 46

In a recent blog post from the Electronic Frontier Foundation, the digital rights group warns that Google Chrome's latest specification for building Chrome extensions, known as Manifest V3, "is outright harmful to privacy efforts." EFF technologist Daly Barnett writes: Like FLoC and Privacy Sandbox before it, Manifest V3 is another example of the inherent conflict of interest that comes from Google controlling both the dominant web browser and one of the largest internet advertising networks. [...] It will restrict the capabilities of web extensions -- especially those that are designed to monitor, modify, and compute alongside the conversation your browser has with the websites you visit. Under the new specifications, extensions like these -- like some privacy-protective tracker blockers -- will have greatly reduced capabilities. Google's efforts to limit that access is concerning, especially considering that Google has trackers installed on 75% of the top one million websites.

It's also doubtful Mv3 will do much for security. Firefox maintains the largest extension market that's not based on Chrome, and the company has said it will adopt Mv3 in the interest of cross-browser compatibility. Yet, at the 2020 AdBlocker Dev Summit, Firefox's Add-On Operations Manager said about the extensions security review process: "For malicious add-ons, we feel that for Firefox it has been at a manageable level... since the add-ons are mostly interested in grabbing bad data, they can still do that with the current webRequest API that is not blocking." In plain English, this means that when a malicious extension sneaks through the security review process, it is usually interested in simply observing the conversation between your browser and whatever websites you visit. The malicious activity happens elsewhere, after the data has already been read. A more thorough review process could improve security, but Chrome hasn't said they'll do that. Instead, their solution is to restrict capabilities for all extensions.

As for Chrome's other justification for Mv3 -- performance -- a 2020 study (PDF) by researchers at Princeton and the University of Chicago revealed that privacy extensions, the very ones that will be hindered by Mv3, actually improve browser performance. The development specifications of web browser extensions may seem in the weeds, but the broader implications should matter to all internet citizens: it's another step towards Google defining how we get to live online. Considering that Google has been the world's largest advertising company for years now, these new limitations are paternalistic and downright creepy.

Wireless Networking

What Happens When You Use Bluetooth Tags to Track Your Stolen Items? 166

"The third time my 1999 Honda Civic was stolen, I had a plan," writes Washington Post technology reporter Heather Kelly. Specifically, it was a tile tracker hidden in the car, "quietly transmitting its approximate location over Bluetooth." Later that day, I was across town hiding down the block from my own car as police detained the surprised driver. When the Tile app pinged me with a last known location, I showed up expecting the car to be abandoned. I quickly realized it was still in use, with one person looking through the trunk and another napping in the passenger seat, so I called the police...

In April of this year, one month after my car was stolen, Apple released the $29 AirTag, bringing an even more effective Bluetooth tracking technology to a much wider audience. Similar products from Samsung and smaller brands such as Chipolo are testing the limits of how far people will go to get back their stolen property and what they consider justice. "The technology has unintended consequences. It basically gives the owner the ability to become a mini surveillance operation," said Andrew Guthrie Ferguson, a law professor at the American University Washington College of Law...

Apple has been careful to never say AirTags can be used to recover stolen property. The marketing for the device is light and wholesome, focusing on situations like lost keys between sofa cushions. The official tagline is "Lose your knack for losing things" and there's no mention of crime, theft or stealing in any of the ads, webpages or support documents. But in reality, the company has built a network that is ideal for that exact use case. Every compatible iPhone, iPad and Mac is being silently put to work as a location device without their owners knowing when it happens. An AirTag uses Bluetooth to send out a ping with its encrypted location to the closest Apple devices, which pass that information on to the Apple cloud. That spot is visible on a map in the Find My app. The AirTag owner can also turn on Lost Mode to get a notification the next time it's detected, as well as leave contact information in case it's found. Apple calls this the Find My network, and it also works for lost or stolen Apple devices and a handful of third-party products. The proliferation of compatible Apple devices — there are nearly a billion in the network around the world — makes Find My incredibly effective, especially in cities. (Apple device owners are part of the Find My network by default, but can opt out in settings, and the location information is all encrypted...)

All the tracker companies recommend contacting law enforcement first, which may sound logical until you find yourself waiting hours in a parking lot for officers to address a relatively low-priority crime, or having to explain to them what Bluetooth trackers are.

The Times shares stories of two people who tried using AirTags to track down their stolen property. One Seattle man tracked down his stolen electric bike — and ended up pedalling away furiously on the (now out of power) bicycle as the suspected thief chased after him.

And an Ohio man waited for hours in an unfamiliar drugstore parking lot for a response from the police, eventually travelling with them to the suspect's house — where his stolen laptop was returned to the police officer by a man holding two babies in his arms.

Some parents have even hidden them in their children's backpacks, and pet owners have hidden them in their pets' collars, the Times reports — adding that the EFF's director of cybersecurity sees another possibility. "The problem is it's impossible to build a tool that is designed to track down stolen items without also building the perfect tool for stalking."

Electronic Frontier Foundation

EFF Board of Directors Removes 76-Year-Old John Gilmore (eff.org) 243

76-year-old John Gilmore co-founded the EFF in 1990, and in the 31 years since he's "provided leadership and guidance on many of the most important digital rights issues we advocate for today," the EFF said in a statement Friday.

"But in recent years, we have not seen eye-to-eye on how to best communicate and work together," they add, announcing "we have been unable to agree on a way forward with Gilmore in a governance role." That is why the EFF Board of Directors has recently made the difficult decision to vote to remove Gilmore from the Board.

We are deeply grateful for the many years Gilmore gave to EFF as a leader and advocate, and the Board has elected him to the role of Board Member Emeritus moving forward. "I am so proud of the impact that EFF has had in retaining and expanding individual rights and freedoms as the world has adapted to major technological changes," Gilmore said. "My departure will leave a strong board and an even stronger staff who care deeply about these issues."

John Gilmore co-founded EFF in 1990 alongside John Perry Barlow, Steve Wozniak and Mitch Kapor, and provided significant financial support critical to the organization's survival and growth over many years. Since then, Gilmore has worked closely with EFF's staff, board, and lawyers on privacy, free speech, security, encryption, and more. In the 1990s, Gilmore found the government documents that confirmed the First Amendment problem with the government's export controls over encryption, and helped initiate the filing of Bernstein v DOJ, which resulted in a court ruling that software source code was speech protected by the First Amendment and the government's regulations preventing its publication were unconstitutional. The decision made it legal in 1999 for web browsers, websites, and software like PGP and Signal to use the encryption of their choice.

Gilmore also led EFF's effort to design and build the DES Cracker, which was regarded as a fundamental breakthrough in how we evaluate computer security and the public policies that control its use. At the time, the 1970s Data Encryption Standard (DES) was embedded in ATM machines and banking networks, as well as in popular software around the world. U.S. government officials proclaimed that DES was secure, while secretly being able to wiretap it themselves. The EFF DES Cracker publicly showed that DES was in fact so weak that it could be broken in one week with an investment of less than $350,000. This catalyzed the international creation and adoption of the much stronger Advanced Encryption Standard (AES), now widely used to secure information worldwide....

EFF has always valued and appreciated Gilmore's opinions, even when we disagree. It is no overstatement to say that EFF would not exist without him. We look forward to continuing to benefit from his institutional knowledge and guidance in his new role of Board Member Emeritus.

Gilmore also created the alt* hierarchy on Usenet, co-founded the Cypherpunks mailing list, and was one of the founders of Cygnus Solutions (according to his page on Wikipedia).

He's also apparently Slashdot user #35,813 (though he hasn't posted a comment since 2004).

Privacy

Police Can't Demand You Reveal Your Phone Passcode and Then Tell a Jury You Refused (eff.org) 75

EFF: The Utah Supreme Court is the latest stop in EFF's roving campaign to establish your Fifth Amendment right to refuse to provide your password to law enforcement. Yesterday, along with the ACLU, we filed an amicus brief in State v. Valdez, arguing that the constitutional privilege against self-incrimination prevents the police from forcing suspects to reveal the contents of their minds. That includes revealing a memorized passcode or directly entering the passcode to unlock a device.

In Valdez, the defendant was charged with kidnapping his ex-girlfriend after arranging a meeting under false pretenses. During his arrest, police found a cell phone in Valdez's pocket that they wanted to search for evidence that he set up the meeting, but Valdez refused to tell them the passcode. Unlike many other cases raising these issues, however, the police didn't bother seeking a court order to compel Valdez to reveal his passcode. Instead, during trial, the prosecution offered testimony and argument about his refusal. The defense argued that this violated the defendant's Fifth Amendment right to remain silent, which also prevents the state from commenting on his silence. The court of appeals agreed, and now the state has appealed to the Utah Supreme Court.

Encryption

With HTTPS Everywhere, EFF Begins Plans to Eventually Deprecate 'HTTPS Everywhere' Extension (therecord.media) 48

The Record reports: The Electronic Frontier Foundation said it is preparing to retire the famous HTTPS Everywhere browser extension after HTTPS adoption has picked up and after several web browsers have introduced HTTPS-only modes. "After the end of this year, the extension will be in 'maintenance mode' for 2022," said Alexis Hancock, Director of Engineering at the EFF. Maintenance mode means the extension will receive minor bug fixes next year but no new features or further development.

No official end-of-life date has been decided, a date after which no updates will be provided for the extension whatsoever.

Launched in June 2010, the HTTPS Everywhere browser extension is one of the most successful browser extensions ever released. The extension worked by automatically switching web connections from HTTP to HTTPS if websites had an HTTPS option available. At the time it was released, it helped upgrade site connections to HTTPS when users clicked on HTTP links or typed domains in their browser without specifying the "https://" prefix. The extension reached cult status among privacy advocates and was integrated into the Tor Browser and, after that, in many other privacy-conscious browsers. But since 2010, HTTPS is not a fringe technology anymore. Currently, around 86.6% of all internet sites support HTTPS connections. Browser makers such as Chrome and Mozilla previously reported that HTTPS traffic usually accounts for 90% to 95% of their daily connections.

From EFF's announcement: The goal of HTTPS Everywhere was always to become redundant. That would mean we'd achieved our larger goal: a world where HTTPS is so broadly available and accessible that users no longer need an extra browser extension to get it. Now that world is closer than ever, with mainstream browsers offering native support for an HTTPS-only mode.

With these simple settings available, EFF is preparing to deprecate the HTTPS Everywhere web extension as we look to new frontiers of secure protocols like SSL/TLS... We know many different kinds of users have this tool installed, and want to give our partners and users the needed time to transition.

The announcement also promises to inform users of browser-native HTTPS-only options before the day when the extension reaches its final sunsetting — and ends with instructions for how to activate the native HTTPS-only features in Firefox, Chrome, Edge, and Safari, "and celebrate with us that HTTPS is truly everywhere for users."

Electronic Frontier Foundation

Why EFF Flew a Plane Over Apple's Headquarters (eff.org) 29

EFF.org has the story: For the last month, civil liberties and human rights organizations, researchers, and customers have demanded that Apple cancel its plan to install photo-scanning software onto devices. This software poses an enormous danger to privacy and security. Apple has heard the message, and announced that it would delay the system while consulting with various groups about its impact. But in order to trust Apple again, we need the company to commit to canceling this mass surveillance system.

The delay may well be a diversionary tactic. Every September, Apple holds one of its big product announcement events, where Apple executives detail the new devices and features coming out. Apple likely didn't want concerns about the phone-scanning features to steal the spotlight.

But we can't let Apple's disastrous phone-scanning idea fade into the background, only to be announced with minimal changes down the road. To make sure Apple is listening to our concerns, EFF turned to an old-school messaging system: aerial advertising.

During Apple's event, a plane circled the company's headquarters carrying an impossible-to-miss message: "Apple, don't scan our phones!" The evening before Apple's event, protestors also rallied nationwide in front of Apple stores. The company needs to hear us, and not just dismiss the serious problems with its scanning plan. A delay is not a cancellation, and the company has also been dismissive of some concerns, referring to them as "confusion" about the new features.

Apple's iMessage is one of the preeminent end-to-end encrypted chat clients. End-to-end encryption is what allows users to exchange messages without having them intercepted and read by repressive governments, corporations, and other bad actors. We don't support encryption for its own sake: we fight for it because encryption is one of the most powerful tools individuals have for maintaining their digital privacy and security in an increasingly insecure world.

Now that Apple's September event is over, Apple must reach out to groups that have criticized it and seek a wider range of suggestions on how to deal with difficult problems, like protecting children online...

The world, thankfully, has moved towards encrypted communications over the last two decades, not away from them, and that's a good thing. If Apple wants to maintain its reputation as a pro-privacy company, it must continue to choose real end-to-end encryption over government demands to read user's communication.

Privacy matters now more than ever. It will continue to be a selling point and a distinguishing feature of some products and companies. For now, it's an open question whether Apple will continue to be one of them.
