Markos Moulitsas is the poll-watching founder of the political blog Daily Kos. Thursday he wrote that in 2021, future third-party presidential candidate RFK Jr. had sued their web site. "Things are not going well for him." Back in 2021, Robert F. Kennedy Jr. sued Daily Kos to unmask the identity of a community member who posted a critical story about his dalliance with neo-Nazis at a Berlin rally. I updated the story here, here, here, here, and here. To briefly summarize, Kennedy wanted us to doxx our community member, and we stridently refused. The site and the politician then continued fighting for more than three years. "Daily Kos lost the first legal round in court," Moulitsas posted in 2021, "thanks to a judge who is apparently unconcerned with First Amendment ramifications given the chilling effect of her ruling." But even then, Moulitsas was clear on his rights: Because of Section 230 of the Communications Decency Act, [Kennedy] cannot sue Daily Kos — the site itself — for defamation. We are protected by the so-called safe harbor. That's why he's demanding we reveal what we know about "DowneastDem" so they can sue her or him directly. Moulitsas also stressed that his own 2021 blog post was "reiterating everything that community member wrote, and expanding on it. And so instead of going after a pseudonymous community writer/diarist on this site, maybe Kennedy will drop that pointless lawsuit and go after me... consider this an escalation." (Among other things, the post cited a German-language news account saying Kennedy "sounded the alarm concerning the 5G mobile network and Microsoft founder Bill Gates..." Moulitsas also noted an Irish Times article which confirmed that at the rally Kennedy spoke at, "Noticeable numbers of neo-Nazis, kitted out with historic Reich flags and other extremist accessories, mixed in with the crowd.") So what happened? Moulitsas posted an update Thursday: Shockingly, Kennedy got a trial court judge in New York to agree with him, and a subpoena was issued to Daily Kos to turn over any information we might have on the account. However, we are based in California, not New York, so once I received the subpoena at home, we had a California court not just quash the subpoena, but essentially signal that if New York didn't do the right thing on appeal, California could very well take care of it. It's been a while since I updated, and given a favorable court ruling Thursday, it's way past time to catch everyone up. New York is one of the U.S. states that doesn't have a strict "Dendrite standard" law protecting anonymous speech. But soon the blog founder discovered he had allies: The issues at hand are so important that The New York Times, the E.W.Scripps Company, the First Amendment Coalition, New York Public Radio, and seven other New York media companies joined the appeals effort with their own joint amicus brief. What started as a dispute over a Daily Kos diarist has become a meaningful First Amendment battle, with major repercussions given New York's role as a major news media and distribution center. After reportedly spending over $1 million on legal fees, Kennedy somehow discovered the identity of our community member sometime last year and promptly filed a defamation suit in New Hampshire in what seemed a clumsy attempt at forum shopping, or the practice of choosing where to file suit based on the belief you'll be granted a favorable outcome. The community member lives in Maine, Kennedy lives in California, and Daily Kos doesn't publish specifically in New Hampshire. A perplexed court threw out the case this past February on those obvious jurisdictional grounds.... Then, last week, the judge threw out the appeal of that decision because Kennedy's lawyer didn't file in time — and blamed the delay on bad Wi-Fi... Kennedy tried to dismiss the original case, the one awaiting an appellate decision in New York, claiming it was now moot. His legal team had sued to get the community member's identity, and now that they had it, they argued that there was no reason for the case to continue. We disagreed, arguing that there were important issues to resolve (i.e., Dendrite), and we also wanted lawyer fees for their unconstitutional assault on our First Amendment rights... On Thursday, in a unanimous decision, a four-judge New York Supreme Court appellate panel ordered the case to continue, keeping the Dendrite issue alive and also allowing us to proceed in seeking damages based on New York's anti-SLAPP law, which prohibits "strategic lawsuits against public participation." Thursday's blog post concludes with this summation. "Kennedy opened up a can of worms and has spent millions fighting this stupid battle. Despite his losses, we aren't letting him weasel out of this."

Read more of this story at Slashdot.

samleecole writes: Utah set up an online form for people to accuse other citizens and public establishments of violating the state's recently-enacted transphobic "bathroom bill." The submission form is being flooded with memes and troll comments, and the auditor also left the submissions database open to the public -- without a password, authentication, or any other protections that would keep anyone from viewing other people's submissions. After 404 Media contacted the auditor's office for comment, they changed the permissions to require authentication. The form link has been posted to Twitter, and people have repeatedly posted screenshots of themselves uploading memes. In the database, those included photos of Barry Wood, characters from Bee Movie, and Shutterstock images of bull testicles. Twitter users have also found a link to the database that the form is connected to, which is hosted on a public Google cloud console bucket that as of Thursday, required no authentication to view. I tested the form, and found that my submission -- a photo of the yelling table cat meme -- appeared instantly in the Google Console bucket. The submission form offers anonymity with the option for the state auditor to contact submitters for more details. I haven't seen names and contact information shared in the database, but comments and image attachments were easily viewable.

Read more of this story at Slashdot.

An anonymous reader shares a report: Two months after hackers broke into Change Healthcare systems stealing and then encrypting company data, it's still unclear how many Americans were impacted by the cyberattack. Last month, Andrew Witty, the CEO of Change Healthcare's parent company UnitedHealth Group, said that the stolen files include the personal health information of "a substantial proportion of people in America." On Wednesday, during a House hearing, when Witty was pushed to give a more definitive answer, testifying that the breach impacted "I think, maybe a third [of Americans] or somewhere of that level."

Read more of this story at Slashdot.

Kaiser Permanente is the latest healthcare giant to report a data breach. Kaiser said 13.4 million current and former insurance members had their patient data shared with third-party advertisers, thanks to an improperly implemented tracking code the company used to see how its members navigated through its websites. Dark Reading reports: The shared data included names, IP addresses, what pages people visited, whether they were actively signed in, and even the search terms they used when visiting the company's online health encyclopedia. Kaiser has reportedly removed the tracking code from its sites, and while the incident wasn't a hacking event, the breach is still concerning from a security perspective, according to Narayana Pappu, CEO at Zendata. "The presence of third-party trackers belonging to advertisers, and the oversharing of customer information with these trackers, is a pervasive problem in both health tech and government space," he explains. "Once shared, advertisers have used this information to target ads at users for complementary products (based on health data); this has happened multiple times in the past few years, including at Goodrx. Although this does not fit the traditional definition of a data breach, it essentially results in the same outcome -- an entity and the use case the data was not intended for has access to it. There is usually no monitoring/auditing process to identify and prevent the issue."

Read more of this story at Slashdot.

The FTC is issuing more than $5.6 million in refunds to Ring customers as part of a privacy settlement. The Associated Press reports: In a 2023 complaint, the FTC accused the doorbell camera and home security provider of allowing its employees and contractors to access customers' private videos. Ring allegedly used such footage to train algorithms without consent, among other purposes. Ring was also charged with failing to implement key security protections, which enabled hackers to take control of customers' accounts, cameras and videos. This led to "egregious violations of users' privacy," the FTC noted. The resulting settlement required Ring to delete content that was found to be unlawfully obtained, establish stronger security protections and pay a hefty fine. The FTC says that it's now using much of that money to refund eligible Ring customers. According to a Tuesday notice, the FTC is sending 117,044 PayPal payments to impacted consumers who had certain types of Ring devices -- including indoor cameras -- during the timeframes that the regulators allege unauthorized access took place. Eligible customers will need to redeem these payments within 30 days, according to the FTC -- which added that consumers can contact this case's refund administrator, Rust Consulting, or visit the FTC's FAQ page on refunds for more information about the process.

Read more of this story at Slashdot.

General Motors (GM) has been selling data about the driving behavior of millions of people to insurance companies, leading to higher premiums for some drivers, according to a recent investigation. The affected drivers were not informed about the tracking, which was carried out through GM's OnStar connected services plan and the Smart Driver program. The New York Times reporter who broke the story discovered that her own driving data had been shared with data brokers working with the insurance industry, despite not being enrolled in the program. GM has since discontinued the Smart Driver product and stopped sharing data with LexisNexis and Verisk, following customer feedback and federal lawsuits filed by drivers across the country.

Read more of this story at Slashdot.

An anonymous reader quotes a report from Ars Technica: The US Constitution's Fifth Amendment protection against self-incrimination does not prohibit police officers from forcing a suspect to unlock a phone with a thumbprint scan, a federal appeals court ruled yesterday. The ruling does not apply to all cases in which biometrics are used to unlock an electronic device but is a significant decision in an unsettled area of the law. The US Court of Appeals for the 9th Circuit had to grapple with the question of "whether the compelled use of Payne's thumb to unlock his phone was testimonial," the ruling (PDF) in United States v. Jeremy Travis Payne said. "To date, neither the Supreme Court nor any of our sister circuits have addressed whether the compelled use of a biometric to unlock an electronic device is testimonial." A three-judge panel at the 9th Circuit ruled unanimously against Payne, affirming a US District Court's denial of Payne's motion to suppress evidence. Payne was a California parolee who was arrested by California Highway Patrol (CHP) after a 2021 traffic stop and charged with possession with intent to distribute fentanyl, fluorofentanyl, and cocaine. There was a dispute in District Court over whether a CHP officer "forcibly used Payne's thumb to unlock the phone." But for the purposes of Payne's appeal, the government "accepted the defendant's version of the facts, i.e., 'that defendant's thumbprint was compelled.'" Payne's Fifth Amendment claim "rests entirely on whether the use of his thumb implicitly related certain facts to officers such that he can avail himself of the privilege against self-incrimination," the ruling said. Judges rejected his claim, holding "that the compelled use of Payne's thumb to unlock his phone (which he had already identified for the officers) required no cognitive exertion, placing it firmly in the same category as a blood draw or fingerprint taken at booking." "When Officer Coddington used Payne's thumb to unlock his phone -- which he could have accomplished even if Payne had been unconscious -- he did not intrude on the contents of Payne's mind," the court also said.

Read more of this story at Slashdot.

An anonymous reader quotes a report from the New York Times: Consumers have grown accustomed to the prospect that their personal data, such as email addresses, social contacts, browsing history and genetic ancestry, are being collected and often resold by the apps and the digital services they use. With the advent of consumer neurotechnologies, the data being collected is becoming ever more intimate. One headband serves as a personal meditation coach by monitoring the user's brain activity. Another purports to help treat anxiety and symptoms of depression. Another reads and interprets brain signals while the user scrolls through dating apps, presumably to provide better matches. ("'Listen to your heart' is not enough," the manufacturer says on its website.) The companies behind such technologies have access to the records of the users' brain activity -- the electrical signals underlying our thoughts, feelings and intentions. On Wednesday, Governor Jared Polis of Colorado signed a bill that, for the first time in the United States, tries to ensure that such data remains truly private. The new law, which passed by a 61-to-1 vote in the Colorado House and a 34-to-0 vote in the Senate, expands the definition of "sensitive data" in the state's current personal privacy law to include biological and "neural data" generated by the brain, the spinal cord and the network of nerves that relays messages throughout the body. "Everything that we are is within our mind," said Jared Genser, general counsel and co-founder of the Neurorights Foundation, a science group that advocated the bill's passage. "What we think and feel, and the ability to decode that from the human brain, couldn't be any more intrusive or personal to us." "We are really excited to have an actual bill signed into law that will protect people's biological and neurological data," said Representative Cathy Kipp, Democrat of Colorado, who introduced the bill.

Read more of this story at Slashdot.

An anonymous reader shares a report: A financially motivated criminal hacking group says it has stolen a confidential database containing millions of records that companies use for screening potential customers for links to sanctions and financial crime. The hackers, which call themselves GhostR, said they stole 5.3 million records from the World-Check screening database in March and are threatening to publish the data online. World-Check is a screening database used for "know your customer" checks (or KYC), allowing companies to determine if prospective customers are high risk or potential criminals, such as people with links to money laundering or who are under government sanctions.The hackers told TechCrunch that they stole the data from a Singapore-based firm with access to the World-Check database, but did not name the firm. A portion of the stolen data, which the hackers shared with TechCrunch, includes individuals who were sanctioned as recently as this year.

Read more of this story at Slashdot.

An anonymous reader quotes a report from The Guardian: Hospitals -- despite being places where people implicitly expect to have their personal details kept private -- frequently use tracking technologies on their websites to share user information with Google, Meta, data brokers, and other third parties, according to research published today. Academics at the University of Pennsylvania analyzed a nationally representative sample of 100 non-federal acute care hospitals -- essentially traditional hospitals with emergency departments -- and their findings were that 96 percent of their websites transmitted user data to third parties. Additionally, not all of these websites even had a privacy policy. And of the 71 percent that did, 56 percent disclosed specific third-party companies that could receive user information. The researchers' latest work builds on a study they published a year ago of 3,747 US non-federal hospital websites. That found 98.6 percent tracked and transferred visitors' data to large tech and social media companies, advertising firms, and data brokers. To find the trackers on websites, the team checked out each hospitals' homepage on January 26 using webXray, an open source tool that detects third-party HTTP requests and matches them to the organizations receiving the data. They also recorded the number of third-party cookies per page. One name in particular stood out, in terms of who was receiving website visitors' information. "In every study we've done, in any part of the health system, Google, whose parent company is Alphabet, is on nearly every page, including hospitals," [Dr Ari Friedman, an assistant professor of emergency medicine at the University of Pennsylvania] observed. "From there, it declines," he continued. "Meta was on a little over half of hospital webpages, and the Meta Pixel is notable because it seems to be one of the grabbier entities out there in terms of tracking." Both Meta and Google's tracking technologies have been the subject of criminal complaints and lawsuits over the years -- as have some healthcare companies that shared data with these and other advertisers. In addition, between 20 and 30 percent of the hospitals share data with Adobe, Friedman noted. "Everybody knows Adobe for PDFs. My understanding is they also have a tracking division within their ad division." Others include telecom and digital marketing companies like The Trade Desk and Verizon, plus tech giants Oracle, Microsoft, and Amazon, according to Friedman. Then there's also analytics firms including Hotjar and data brokers such as Acxiom. "And two thirds of hospital websites had some kind of data transfer to a third-party domain that we couldn't even identify," he added. Of the 71 hospital website privacy policies that the team found, 69 addressed the types of user information that was collected. The most common were IP addresses (80 percent), web browser name and version (75 percent), pages visited on the website (73 percent), and the website from which the user arrived (73 percent). Only 56 percent of these policies identified the third-party companies receiving user information. In lieu of any federal data privacy law in the U.S., Friedman recommends users protect their personal information via the browser-based tools Ghostery and Privacy Badger, which identify and block transfers to third-party domains.

Read more of this story at Slashdot.

DuckDuckGo, the privacy-focused web search and browser company, announced on today the launch of its first subscription service, Privacy Pro. The service, priced at $9.99 per month or $99.99 per year, includes a browser-based tool that automatically scans data broker websites for users' personal information and requests its removal. The service also includes DuckDuckGo's first VPN and an identity-theft-restoration service. Available initially only in the U.S.

Read more of this story at Slashdot.

Privacy startup Proton already offers an email app, a VPN tool, cloud storage, a password manager, and a calendar app. In April 2022, Proton acquired SimpleLogin, an open-source product that generates email aliases to protect inboxes from spam and phishing. Today, Proton acquired Standard Notes, advancing its already strong commitment to the open-source community. From a report: Standard Notes is an open-source note-taking app, available on both mobile and desktop platforms, with a user base of over 300,000. [...] Proton founder and CEO Andy Yen makes a point of stating that Standard Notes will remain open-source, will continue to undergo independent audits, will continue to develop new features and updates, and that prices for the app/service will not change. Standard Notes has three tiers: Free, which includes 100MB of storage, offline access, and unlimited device sync; Productivity for $90 per year, which includes features like markdown, spreadsheets with advanced formulas, Daily Notebooks, and two-factor authentication; and Professional for $120 per year, which includes 100GB of cloud storage, sharing for up to five accounts, no file limit size, and more.

Read more of this story at Slashdot.

"The San Francisco Giants are one of four teams in Major League Baseball this season offering fans a free shortcut through the gates into the ballpark," writes SFGate. "The cost? Signing up for the league's 'facial authentication' software through its ticketing app." The Giants are using MLB's new Go-Ahead Entry program, which intends to cut down on wait times for fans entering games. The pitch is simple: Take a selfie through the MLB Ballpark app (which already has your tickets on it), upload the selfie and, once you're approved, breeze through the ticketing lines and into the ballpark. Fans will barely have to slow down at the entrance gate on their way to their seats... The Philadelphia Phillies were MLB's test team for the technology in 2023. They're joined by the Giants, Nationals and Astros in 2024... [Major League Baseball] says it won't be saving or storing pictures of faces in a database — and it clearly would really like you to not call this technology facial recognition. "This is not the type of facial recognition that's scanning a crowd and specifically looking for certain kinds of people," Karri Zaremba, a senior vice president at MLB, told ESPN. "It's facial authentication. ... That's the only way in which it's being utilized." Privacy advocates "have pointed out that the creep of facial recognition technology may be something to be wary of," the article acknowledges. But it adds that using the technology is still completely optional. And they also spoke to the San Francisco Giants' senior vice president of ticket sales, who gushed about the possibility of app users "walking into the ballpark without taking your phone out, or all four of us taking our phones out."

Read more of this story at Slashdot.

Matthew Connatser reports via The Register: A study has concluded that Apple's privacy practices aren't particularly effective, because default apps on the iPhone and Mac have limited privacy settings and confusing configuration options. The research was conducted by Amel Bourdoucen and Janne Lindqvist of Aalto University in Finland. The pair noted that while many studies had examined privacy issues with third-party apps for Apple devices, very little literature investigates the issue in first-party apps -- like Safari and Siri. The aims of the study [PDF] were to investigate how much data Apple's own apps collect and where it's sent, and to see if users could figure out how to navigate the landscape of Apple's privacy settings. The lengths to which Apple goes to secure its ecosystem -- as described in its Platform Security Guide [PDF] -- has earned it kudos from the information security world. Cupertino uses its hard-earned reputation as a selling point and as a bludgeon against Google. Bourdoucen and Janne Lindqvist don't dispute Apple's technical prowess, but argue that it is undermined by confusing user interfaces. "Our work shows that users may disable default apps, only to discover later that the settings do not match their initial preference," the paper states. "Our results demonstrate users are not correctly able to configure the desired privacy settings of default apps. In addition, we discovered that some default app configurations can even reduce trust in family relationships." The researchers criticize data collection by Apple apps like Safari and Siri, where that data is sent, how users can (and can't) disable that data tracking, and how Apple presents privacy options to users. The paper illustrates these issues in a discussion of Apple's Siri voice assistant. While users can ostensibly choose not to enable Siri in the initial setup on macOS-powered devices, it still collects data from other apps to provide suggestions. To fully disable Siri, Apple users must find privacy-related options across five different submenus in the Settings app. Apple's own documentation for how its privacy settings work isn't good either. It doesn't mention every privacy option, explain what is done with user data, or highlight whether settings are enabled or disabled. Also, it's written in legalese, which almost guarantees no normal user will ever read it. "We discovered that the features are not clearly documented," the paper concludes. "Specifically, we discovered that steps required to disable features of default apps are largely undocumented and the data handling practices are not completely disclosed."

Read more of this story at Slashdot.

An Ethiopian bank has put up posters shaming customers it says have not returned money they gained during a technical glitch. From a report: Notices bearing their names and photos could be seen outside branches of the Commercial Bank of Ethiopia (CBE) on Friday. The bank says it has recovered almost three-quarters of the $14m it lost, its head said last week. He warned that those keeping money that is not theirs will be prosecuted. Last month, an hours-long glitch allowed customers at the CBE, Ethiopia's largest commercial bank, to withdraw or transfer more than they had in their accounts.

Read more of this story at Slashdot.

An anonymous reader quotes a report from Ars Technica: Jackson County, Missouri, has declared a state of emergency and closed key offices indefinitely as it responds to what officials believe is a ransomware attack that has made some of its IT systems inoperable. "Jackson County has identified significant disruptions within its IT systems, potentially attributable to a ransomware attack," officials wrote Tuesday. "Early indications suggest operational inconsistencies across its digital infrastructure and certain systems have been rendered inoperative while others continue to function as normal." The systems confirmed inoperable include tax and online property payments, issuance of marriage licenses, and inmate searches. In response, the Assessment, Collection and Recorder of Deeds offices at all county locations are closed until further notice. The closure occurred the same day that the county was holding a special election to vote on a proposed sales tax to fund a stadium for MLB's Kansas City Royals and the NFL's Kansas City Chiefs. Neither the Jackson County Board of Elections nor the Kansas City Board of Elections have been affected by the attack; both remain open. The Jackson County website says there are 654,000 residents in the 607-square-mile county, which includes most of Kansas City, the biggest city in Missouri. The response to the attack and the investigation into it have just begun, but so far, officials said they had no evidence that data had been compromised. Jackson County Executive Frank White, Jr. has issued (PDF) an executive order declaring a state of emergency. The County has notified law enforcement and retained IT security contractors to help investigate and remediate the attack. "The potential significant budgetary impact of this incident may require appropriations from the County's emergency fund and, if these funds are found to be insufficient, the enactment of additional budgetary adjustments or cuts," White wrote. "It is directed that all county staff are to take whatever steps are necessary to protect resident data, county assets, and continue essential services, thereby mitigating the impact of this potential ransomware attack."

Read more of this story at Slashdot.

Portugal's data regulator has ordered Sam Altman's iris-scanning project Worldcoin to stop collecting biometric data for 90 days, it said on Tuesday, in the latest regulatory blow to a venture that has raised privacy concerns in multiple countries. From a report: Worldcoin encourages people to have their faces scanned by its "orb" devices, in exchange for a digital ID and free cryptocurrency. More than 4.5 million people in 120 countries have signed up, according to Worldcoin's website. Portugal's data regulator, the CNPD, said there was a high risk to citizens' data protection rights, which justified urgent intervention to prevent serious harm. More than 300,000 people in Portugal have provided Worldcoin with their biometric data, the CNPD said.

Read more of this story at Slashdot.

In an interview Saturday, CNN first asked Steve Wozniak about Apple's "walled garden" approach — and whether there's any disconnect between Apple's stated interest in user security and privacy, and its own self-interest? Wozniak responded, "I think there are things you can say on all sides of it. "I'm kind of glad for the protection that I have for my privacy and for you know not getting hacked as much. Apple does a better job than the others. And tracking you — tracking you is questionable, but my gosh, look at what we're accusing TikTok of, and then go look at Facebook and Google... That's how they make their business! I mean, Facebook was a great idea. But then they make all their money just by tracking you and advertising. And Apple doesn't really do that as much. I consider Apple the good guy. So then CNN directly asked Wozniak's opinion about the proposed ban on TikTok in the U.S. "Well, one, I don't understand it. I don't see why. I mean, I get a lot of entertainment out of TikTok — and I avoid the social web. But I love to watch TikTok, even if it's just for rescuing dog videos and stuff. And so I'm thinking, well, what are we saying? We're saying 'Oh, you might be tracked by the Chinese'. Well, they learned it from us. I mean, look, if you have a principle — a person should not be tracked without them knowing it? It's kind of a privacy principle — I was a founder of the EFF. And if you have that principle, you apply it the same to every company, or every country. You don't say, 'Here's one case where we're going to outlaw an app, but we're not going to do it in these other cases.' So I don't like the hypocrisy. And that's always obviously common from a political realm.

Read more of this story at Slashdot.

An anonymous reader quotes a report from the New York Times: General Motors said Friday that it had stopped sharing details about how people drove its cars with two data brokers that created risk profiles for the insurance industry. The decision followed a New York Times report this month that G.M. had, for years, been sharing data about drivers' mileage, braking, acceleration and speed with the insurance industry. The drivers were enrolled -- some unknowingly, they said -- in OnStar Smart Driver, a feature in G.M.'s internet-connected cars that collected data about how the car had been driven and promised feedback and digital badges for good driving. Some drivers said their insurance rates had increased as a result of the captured data, which G.M. shared with two brokers, LexisNexis Risk Solutions and Verisk. The firms then sold the data to insurance companies. Since Wednesday, "OnStar Smart Driver customer data is no longer being shared with LexisNexis or Verisk," a G.M. spokeswoman, Malorie Lucich, said in an emailed statement. "Customer trust is a priority for us, and we are actively evaluating our privacy processes and policies."

Read more of this story at Slashdot.