EU

EU Drafts Counteroffensive To China, US on Technology Rules (politico.eu) 34

The EU is taking a "Europe First" approach to technological standardization. From a report: The European Commission on Wednesday presented a plan to bolster its influence in creating global technology standards, as the bloc currently risks falling behind in global standardization organizations, where tech giants, government regulators and experts gather to set rules for how emerging technology works -- everything from the internet to batteries, connected devices and beyond. Faced with the U.S.' market dominance and China's aggressive attempts to rewrite global rules, the EU wants to raise its game. "We need to make sure we're not just a standard-taker. We need to be a standard-setter," said Thierry Breton, the EU's industry commissioner.

The new strategy comes at the start of a bumper year for standard-setting, which often happens out of the public eye, in industry-dominated groups packed with technical experts. Deals struck in organizations like the U.N.'s International Telecommunications Union (ITU) and the International Organization for Standardization (ISO) define how technology is implemented across the world. The ITU's flagship conference is scheduled for September in Budapest, when a new secretary-general will be named. Meanwhile, other international groups are working quickly to set standards for artificial intelligence, green technology and other major sectors, with companies and government officials tussling over which technologies will dominate the digital economy in the coming decade. The EU's plan follows its industrial strategy, released in March 2020, which already showed the bloc wants to set up competing policy initiatives to defend its companies against rivals from China and the U.S. that benefit from large-scale investment and subsidy schemes.

Privacy

Website Fined By German Court For Leaking Visitor's IP Address Via Google Fonts (theregister.com) 210

Earlier this month, a German court fined an unidentified website $110 for violating EU privacy law by importing a Google-hosted web font. The Register reports: The decision, by Landgericht Munchen's third civil chamber in Munich, found that the website, by including Google-Fonts-hosted font on its pages, passed the unidentified plaintiff's IP address to Google without authorization and without a legitimate reason for doing so. And that violates Europe's General Data Protection Regulation (GDPR). That is to say, when the plaintiff visited the website, the page made the user's browser fetch a font from Google Fonts to use for some text, and this disclosed the netizen's IP address to the US internet giant. This kind of hot-linking is normal with Google Fonts; the issue here is that the visitor apparently didn't give permission for their IP address to be shared. The website could have avoided this drama by self-hosting the font, if possible.

The decision says IP addresses represent personal data because it's theoretically possible to identify the person associated with an IP address, and that it's irrelevant whether the website or Google has actually done so. The ruling directs the website to stop providing IP addresses to Google and threatens the site operator with a fine of 250,000 euros for each violation, or up to six months in prison, for continued improper use of Google Fonts. Google Fonts is widely deployed -- the Google Fonts API is used by about 50m websites. The API allows websites to style text with Google Fonts stored on remote servers -- Google's or a CDN's -- that get fetched as the page loads. Google Fonts can be self-hosted to avoid running afoul of EU rules and the ruling explicitly cites this possibility to assert that relying on Google-hosted Google Fonts is not defensible under the law.

EU

WhatsApp Gets EU Ultimatum After New Terms Spark Backlash (bloomberg.com) 8

Meta Platforms' WhatsApp was given a month to answer European Union concerns over new terms and services that sparked outrage among consumers and privacy campaigners. From a report: WhatsApp must provide "concrete commitments" to address EU concerns about a possible lack of "sufficiently clear information" to users, or the exchange of user data between WhatsApp and third parties, the European Commission said Thursday. "WhatsApp must ensure that users understand what they agree to and how their personal data is used," EU Justice Commissioner Didier Reynders said in a statement. "I expect from WhatsApp to fully comply with EU rules that protect consumers and their privacy."

WhatsApp announced the policy changes a year ago, but was forced to delay their introduction until May after a backlash over what data the messaging service collects and how it shares that information with parent Facebook. European consumer association BEUC complained to the EU, saying the new terms and services were opaque. "WhatsApp bombarded users for months with persistent pop-up messages," BEUC said in reaction to the commission announcement. "WhatsApp has been deliberately vague about this, laying the ground for far-reaching data processing without valid consent from consumers."

Intel

Intel Wins Historic Court Fight Over EU Antitrust Fine (bloomberg.com) 22

Intel won a historic victory in its court fight over a record 1.06 billion-euro ($1.2 billion) competition fine, in a landmark ruling that upends one of the European Union's most important antitrust cases. From a report: The EU General Court ruled on Wednesday that regulators made key errors in a landmark 2009 decision over allegedly illegal rebates that the U.S. chip giant gave to PC makers to squeeze out rival Advanced Micro Devices (AMD). While the surprise ruling can be appealed one more time, it's a stinging defeat for the European Commission, which hasn't lost a big antitrust case in court for more than 20 years. The Luxembourg-based EU court said the commission provided an "incomplete" analysis when it fined Intel, criticizing it for failing to provide sufficient evidence to back up its findings of anti-competitive risks.
Security

Hacktivists Say They Hacked Belarus Rail System To Stop Russian Military Buildup (arstechnica.com) 71

Hacktivists in Belarus said on Monday they had infected the network of the country's state-run railroad system with ransomware and would provide the decryption key only if Belarus President Alexander Lukashenko stopped aiding Russian troops ahead of a possible invasion of Ukraine. Ars Technica reports: Referring to the Belarus Railway, a group calling itself Cyber Partisans wrote on Telegram: "BelZhD, at the command of the terrorist Lukashenko, these days allows the occupying troops to enter our land. As part of the 'Peklo' cyber campaign, we encrypted the bulk of the servers, databases and workstations of the BelZhD in order to slow down and disrupt the operation of the road. The backups have been destroyed [...]." The group also announced the attack on Twitter.

A representative from the group said in a direct message that the Peklo cyber campaign targets specific entities and government-run companies with the goal of pressuring the Belarus government to release political prisoners and stop Russian troops from entering Belarus to use its ground for the attacks on Ukraine. "The government continues to suppress the free will of Belarusians, imprison innocent people, they continue to unlawfully keep... thousands of political prisoners," the representative wrote. "The major goal is to overthrow Lukashenko's regime, keep the sovereignty and build a democratic state with the rule of law, independent institutions and protection of human rights."

At the time this post went live, several services on the railway's website were unavailable. Online ticket purchases, for instance, weren't working [...]. The representative said that besides ticketing and scheduling being disrupted, the cyberattack also affected freight trains. According to reports, Russia has been sending military equipment and personnel by rail into Belarus, which shares a border with Ukraine. @belzhd_live, a group of Belarus Railway workers that tracks activity on the 5,512-km railway, said on Friday that in a week's time, more than 33 Russian military trains loaded with equipment and troops had arrived in Belarus for joint strategic exercises there. The worker group said at the time that it expected a total of 200 so-called echelons to arrive in the coming days.

EU

The EU Approves Sweeping Draft Regulations On Social Media Giants (openaccessgovernment.org) 105

"The European Union took a significant step Thursday toward passing legislation that could transform the way major technology companies operate," reports the Washington Post, "requiring them to police content on their platforms more aggressively and introducing new restrictions on advertising, among other provisions...."

"The legislation is the most aggressive attempt yet to regulate big tech companies as the industry comes under greater international scrutiny." The version approved Thursday would force companies to remove content that is considered illegal in the country where it is viewed, which could be Holocaust denials in Germany or racist postings in France. And it would significantly shape how companies interact with users, allowing Europeans to opt out of targeted advertising more easily and prohibiting companies from targeting advertisements at children.... The legislation would also ban companies from employing deceptive tactics known as dark patterns to lure users to sign up or pay for services and products. And it would allow users to ask companies which personal characteristics, such as age or other demographic information, led them to be targeted with certain advertisements.
The two legislative bodies of the 27-nation bloc "are expected to debate the contents of the legislation for months before voting on a final version," the Post adds. But they add that a vote on "initial approval" of the legislation passed "overwhelmingly". "With the [Digital Services Act] we are going to take a stand against the Wild West the digital world has turned into, set the rules in the interests of consumers and users, not just of Big Tech companies and finally make the things that are illegal offline illegal online too," said Christel Schaldemose, the center-left lawmaker from Denmark who has led negotiations on the bill.

The Post adds this quote from Gianclaudio Malgieri, an associate professor of technology and law at the EDHEC Business School in France. "For the first time, it will not be based on what Big Tech decides to do," he said. "It will be on paper."

In fact, the site Open Access Government reports there were 530 votes for the legislation, and just 78 against (with 80 abstentions). "The Digital Services Act could now become the new gold standard for digital regulation, not just in Europe but around the world," they quote Schaldemose as saying, also offering more details on the rest of the bill: Algorithm use should be more transparent, and researchers should also be given access to raw data to understand how online harms evolve. There is also a clause for an oversight structure, which would allow EU countries to essentially regulate regulation. Violations could in future be punished with fines of up to 6% of a company's annual revenue....

The draft Bill is one half of a dual-digital regulation package. The other policy is the Digital Markets Act (DMA), which would largely look at tackling online monopolies.

Thanks to long-time Slashdot reader UpnAtom for sharing the story.
EU

EU Wants To Build Its Own DNS Infrastructure With Built-in Filtering Capabilities (therecord.media) 57

The European Union is interested in building its own recursive DNS service that will be made available to EU institutions and the general public for free. From a report: The proposed service, named DNS4EU, is currently in a project planning phase, and the EU is looking for partners to help build a sprawling infrastructure to serve all its current 27 member states. EU officials said they started looking into an EU-based centrally-managed DNS service after observing consolidation in the DNS market around a small handful of non-EU operators. "The deployment of DNS4EU aims to address such consolidation of DNS resolution in the hands of few companies, which renders the resolution process itself vulnerable in case of significant events affecting one major provider," officials said in the DNS4EU infrastructure project revealed last week. But EU officials said that other factors also played a role in their decision to build DNS4EU, including cybersecurity and data privacy.
Youtube

Host of Youtube-dl Web Site Sued by Major Record Labels (torrentfreak.com) 104

"As part of their growing battle against popular open source software tool youtube-dl, three major music labels are now suing Uberspace, the company that currently hosts the official youtube-dl homepage," reports TorrentFreak: According to plaintiffs Sony, Universal and Warner, youtube-dl circumvents YouTube's "rolling cipher" technology, something a German court found to be illegal in 2017.... While the RIAA's effort to take down youtube-dl from GitHub grabbed all the headlines, moves had already been underway weeks before that in Germany. Law firm Rasch works with several major music industry players and it was on their behalf that cease-and-desist orders were sent to local hosting service Uberspace. The RIAA complained that the company was hosting the official youtube-dl website although the tool itself was hosted elsewhere.

"The software itself wasn't hosted on our systems anyway so, to be honest, I felt it to be quite ridiculous to involve us in this issue anyway — a lawyer specializing in IT laws should know better," Jonas Pasche from Uberspace said at the time.

In emailed correspondence today Uberspace informed TorrentFreak that, following the cease-and-desist in October 2020, three major music labels are now suing the company in Germany... According to the labels, youtube-dl poses a risk to their business and enables users to download their artists' copyrighted works by circumventing YouTube's technical measures. As a result, Uberspace should not be playing a part in the tool's operations by hosting its website if it does not wish to find itself liable too....

The alleged illegality of youtube-dl is indeed controversial. While YouTube's terms of service generally disallow downloading, in Germany there is the right to make a private copy, with local rights group GEMA collecting fees to compensate for just that. Equally, when users upload content to YouTube under a Creative Commons license, for example, they agree to others in the community making use of that content. "Even if YouTube doesn't provide video download functionality right out of the box, the videos are not provided with copy protection," says former EU MP Julia Reda from the Society for Freedom Rights (GFF) to NetzPolitik. "Not only does YouTube pay license fees for music, we all pay fees for the right to private copying in the form of the device fee, which is levied with every purchase of smartphones or storage media," says Reda.

"Despite this double payment, Sony, Universal and Warner Music want to prevent us from exercising our right to private copying by saving YouTube videos locally on the hard drive."

EU

EU Orders Europol To Delete Data on Citizens Who Have Not Committed Crimes (therecord.media) 21

Europol, the law enforcement agency of the European Union (EU), has been ordered to delete its massive database of information on EU citizens that it collected in recent years if the agency did not link subjects to any ongoing criminal activity. From a report: The decision was announced today by the European Data Protection Supervisor, an EU-independent supervisory authority whose primary objective is to monitor and ensure that European institutions and bodies respect the right to privacy and data protection. The EDPS said that Europol has one year to comply with its decision, during which time the law enforcement agency must filter its database and delete any information on EU citizens that are not part of criminal investigations. Europol will be allowed to process personal information as part of investigations, but the data on those not linked to crimes must be erased after six months. "This means that Europol will no longer be permitted to retain data about people who have not been linked to a crime or a criminal activity for long periods with no set deadline," the EDPS said in a press release on Monday.
Transportation

Brussels Airlines Operates 3,000 Empty Flights To Keep Airport Slots (independent.co.uk) 59

Brussels Airlines has operated 3,000 flights without passengers this winter to avoid losing take-off and landing slots. From a report: The airline's parent company, Lufthansa Group, confirmed that 18,000 flights had been flown empty, including 3,000 Brussels Airlines services, reports The Bulletin. EU rules require that airlines operate a certain percentage of scheduled flights to keep their slots at major airports. Under these "use it or lose it" regulations, prior to the pandemic carriers had to utilise at least 80 per cent of their scheduled take-off and landing slots. This was revised to 50 per cent as coronavirus saw travel become increasingly difficult -- but airlines are still struggling to hit this target. As a result of Lufthansa Group's latest figures, the Belgian federal government has written to the European Commission, calling for a change to the rules on maintaining slots. It follows the news that European airlines are slashing their winter schedules amid a dampening of demand due to Omicron travel restrictions. Lufthansa Group, which owns the carriers Lufthansa, Swiss International Airlines, Austrian Airlines, and Eurowings in addition to Brussels Airlines, has already axed 33,000 flights in January and February.
Power

Data Centers Are Pushing Ireland's Electric Grid To the Brink (gizmodo.com) 66

An anonymous reader quotes a report from Gizmodo: Behind every TikTok, Zoom call, and cat meme is a data center that stores, processes, or reroutes that data around the world. The more we do online, the bigger these data centers and their energy footprint get. At full capacity, servers within a modern "hyperscale" (aka "massive") data center can use as much power as 80,000 households. Although the data center industry is global, places with the right combination of stable climate and friendly regulations attract outsized attention from data center developers. Ireland is one of these places. The island nation hosts 70 data centers and is now the fastest-growing data center market in Europe. Unfortunately, supplying the equivalent of several extra cities worth of electricity to servers that aid your doomscrolling is starting to take a toll on Ireland's power grid.

Data centers already use around 900 megawatts of electricity in Ireland. According to Paul Deane, an energy researcher working with the MaREI Environmental Research Institute in Ireland, this adds up to at least 11% of Ireland's total electricity supply at present, a situation he described "as a serious energy systems problem." As Deane outlined, meeting this demand is making Ireland's current energy crisis worse and its target of halving greenhouse emissions by 2030 harder to reach. And things are only getting more challenging. A recent report from Eirgrid, Ireland's state-owned grid operator, shows that data centers will consume almost 30% (PDF) of Ireland's annual electricity supply by 2029.

Although, as Deane pointed out, data centers are essential to modern life, a small country with little grid power to spare hosting so many of them puts the sustainability of Ireland's entire power supply at risk. Deane summed up Ireland's issue with data centers as being a mismatch in size. "Data centers are large power users, and our power system is small, so plugging more of them into a small grid will start to have an outsized impact," he said. In stark comparison, Germany, the EU's biggest data center market overall, will use less than 5% of its grid capacity to power data centers in the same period. As well as stoking fears that the industry's growth will create blackouts and power shortages for Irish consumers this winter, data centers may also derail Ireland's drive to reach net zero emissions by 2050.

Transportation

Concerns About Big Tech's Next Potential Monopoly: Connected Cars (politico.com) 102

Politico reports: When Ford announced that starting in 2023 its cars and trucks would come with Google Maps, Assistant and Play Store preinstalled, CEO Jim Farley called the partnership between his iconic U.S. automaker and the search giant a chance to "reinvent" the automobile — making it an office-on-wheels, with more connectivity than any phone or laptop. "We were spending hundreds and hundreds and hundreds of millions every year, keeping up with basically a generic experience that was not competitive to your cellphone," Farley crowed on CNBC, announcing the six-year deal with the tech giant.... But many tech-industry watchdogs looked at the Ford-Google car of the future with different eyes. They fear that tech companies will soon be doing to cars what they did to phones: Tying their exclusive operating systems to specific products to force out competitors and dominate a huge swath of the global economy.

Indeed, the smartphone wars are over, and Google and Apple won. Now they — and Amazon — are battling to control how you operate within your car. All three see autos as the next great opportunity to reach American consumers, who spend more time in the driver's seat than anywhere outside their home or workplace. And automakers, after years of floundering to incorporate cutting-edge technologies into cars on their own, are increasingly eager for Silicon Valley's help — hoping to adopt both its tech and its lucrative business models where consumers pay monthly for ongoing services instead of shelling out for a product just once. Now, having missed the boat as the tech giants cornered the market on smartphones, some policymakers and regulators believe the battle over connected cars represents a chance to block potential monopolies before they form.

State attorneys general who sued Google in 2020 for monopolizing online search highlighted concerns about the company's move into autonomous cars in their federal antitrust complaint. Meanwhile, in Europe, the EU's competition authority has opened a probe into Google's contracts related to connected cars... While Silicon Valley and automakers are thrilled about the future of connected and autonomous cars, regulators and privacy advocates are less so. "These companies have an amount of data on us that they shouldn't have, and they have a history of not using it in responsible ways," said Katharine Trendacosta of the digital civil liberties group Electronic Frontier Foundation. "They have a history of going back on promises they have made about that data."

She cited Google's pledge during the DoubleClick acquisition in 2008 — which it later reneged on — not to combine data from its consumer products with that from its advertising services.

The article quotes Tennessee Attorney General Herbert Slatery III, who last December complained that "When smartphones took off, Google made sure they controlled search on Apple's iPhone. They are doing the same thing on voice and connected cars. It's a similar playbook." And an executive at an automotive supplier that competes with Google tells Politico that Google is already "corralling everything through their system and controls what information is released downstream."

And Jim Heffner, a vice president at Cox Automotive Mobility, adds that "The ride is no longer the point. Data is the cornerstone. ... Apple and Google and others want to be at the epicenter of that."
Businesses

Microsoft's $19.7 Billion Nuance Acquisition Wins EU Approval (engadget.com) 15

The European Commission has approved Microsoft's $19.7 billion bid to buy Nuance Communications. Engadget reports: The regulator said on Tuesday the proposed acquisition "would raise no competition concerns" within the European Union. In analyzing the bid, it found that "Microsoft and Nuance offer very different products." Moreover, it believes the company will continue to face "strong" competition from other firms in the future. Before today, the US and Australia had both signed off on the purchase, but it's not yet a done deal. On December 13th, the UK's Competition and Markets Authority said it would investigate the transaction. With the regulator accepting public comments until January 10th, 2022, it's unlikely the deal will close by the end of 2021 as Microsoft had said it would when it first announced its intention to buy Nuance. In April, Microsoft agreed to acquire the speech-to-text software company, claiming the acquisition was about increasing its presence in the healthcare vertical.
Facebook

Despite EU Court Rulings, Facebook Says US Is Safe To Receive Europeans' Data (politico.eu) 32

Despite the European Union's highest court twice declaring that the United States does not offer sufficient protection for Europeans' data from American national security agencies, the social media giant's lawyers continue to disagree, according to internal documents seen by POLITICO. Their conclusion that the U.S. is safe for EU data is part of Facebook's legal argument for it to be able to continue shipping data across the Atlantic. From the report: In July 2020, the Court of Justice of the European Union (CJEU) struck down a U.S.-EU data transfer instrument called Privacy Shield. The court concluded Washington did not offer adequate protection for EU data shipped overseas because U.S. surveillance law was too intrusive for European standards. In the same landmark ruling, the Luxembourg-based court upheld the legality of another instrument used to export data out of Europe called Standard Contractual Clauses (SCCs). But it cast doubt on whether these complex legal instruments could be used to shuttle data to countries where EU standards cannot be met, including the U.S. The CJEU reached a similar conclusion in 2015, striking down the predecessor agreement to Privacy Shield because of U.S. surveillance law and practices. In both rulings, Europe's top judges categorically stated Washington did not have sufficiently high privacy standards. Still, Facebook -- the company at the heart of both cases -- thinks it shouldn't follow the court's reasoning.

The company's lawyers argue in the documents that the EU court ruling "should not be relied on" for the social media company's own assessment of data transfers to the U.S., because the judges' findings relate to the Privacy Shield data pact, and not the Standard Contractual Clauses which Facebook uses to transfer data to the U.S. "The assessment of U.S. law (and practice) under Article 45 GDPR is materially different to the assessment of law and practice required under Article 46 GDPR," the document reads. That refers to the two different types of legal data transfer instruments under the EU's General Data Protection Regulation and indicates that assessment under SCCs is different to assessment under Privacy Shield. The company also says that changes to U.S. law and practices since the July 2020 ruling should be taken into account. As an example, it cites the U.S. Federal Trade Commission, a watchdog, "carrying out its role as a data protection agency with unprecedented force and vigour." Those arguments have been central to Washington's pitch during ongoing transatlantic negotiations over a new EU-U.S. data agreement.
"Though companies have to take the EU court ruling into account when making their own assessments of third party country regimes, they can, in theory, diverge from the court's findings if they believe it is justified in a particular situation," notes Politico. "This means that companies like Facebook can, in theory, continue to ship data out of Europe if they can prove it's sufficiently protected."
Privacy

France Latest To Slap Clearview AI With Order To Delete Data (techcrunch.com) 28

Controversial facial recognition company, Clearview AI, which has amassed a database of some 10 billion images by scraping selfies off the Internet so it can sell an identity-matching service to law enforcement, has been hit with another order to delete people's data. From a report: France's privacy watchdog said today that Clearview has breached Europe's General Data Protection Regulation (GDPR). In an announcement of the breach finding, the CNIL also gives Clearview formal notice to stop its "unlawful processing" and says it must delete user data within two months. The watchdog is acting on complaints against Clearview received since May 2020. The US company does not have an established base in the EU -- meaning its business is open to regulatory action across the EU, by any of the bloc's data protection supervisors. So while the CNIL's order only applies to data it holds on people from French territories -- which the CNIL estimates covers "several" tens of millions of Internet users -- more such orders are likely from other EU agencies.
Crime

Ukraine Arrests 51 For Selling Data of 300 Million People In US, EU (bleepingcomputer.com) 11

Ukrainian law enforcement arrested 51 suspects believed to have been selling, on hacking forums, stolen personal data belonging to hundreds of millions worldwide, including Ukraine, the US, and Europe. BleepingComputer reports: "As a result of the operation, about 100 databases of personal data relevant for 2020-2021 were seized," the Cyberpolice Department of the National Police of Ukraine said. "The seized databases contained information on more than 300 million citizens of Ukraine, Europe and the United States."

Following this large-scale operation, Ukrainian police also shut down one of the largest sites used to sell personal information stolen from both Ukrainians and foreigners (the site's name was not revealed in the press release). On the now shut-down illegal marketplace, suspects were selling a wide range of stolen personal data, including telephone numbers, surnames, names, addresses, and, in some cases, vehicle registration info. "A total of 117 searches were conducted in different regions of Ukraine. As a result, more than 90,000 gigabytes of information were removed."

EU

The European Commission is Making its Software Open Source To Benefit Society (neowin.net) 24

The European Commission has announced that it's adopting new rules around open source software which will see it release software under open source licenses. From a report: The decision follows a Commission study that found investment in open source software leads on average to four times higher returns. There has also been a push for this type of action from the Public Money, Public Code campaign. If you're wondering what sort of code the EC could offer to the world, it gave two examples. First, there's its eSignature, a set of free standards, tools, and services that can speed up the creation and verification of electronic signatures that are legally valid inside the EU. Another example is LEOS (Legislation Editing Open Software) which is used to draft legal texts.
EU

Gig Economy Workers To Get Employee Rights Under EU Proposals (theguardian.com) 89

Gig economy companies operating in the European Union, such as Uber and Deliveroo, must ensure workers get the minimum wage, access to sick pay, holidays and other employment rights, unless they use genuinely independent contractors, under plans for new laws to crack down on fake self-employment. From a report: Publishing long-awaited draft legislation on Thursday, the European Commission said the burden of proof on employment status would shift to companies, rather than the individuals that work for them. Until now, gig economy workers have had to go to court to prove they are employees, or risk being denied basic rights. Nicolas Schmit, EU commissioner for jobs and social rights, told the Guardian and other European newspapers that internet platforms "have used grey zones in our legislation [and] all possible ambiguities" to develop their business models, resulting in a "misclassification" of millions of workers.

The Courts

Dyson Loses Fight For $198 Million Compensation Over EU Energy Labeling Rules (reuters.com) 50

An anonymous reader quotes a report from Reuters: Britain's Dyson, which makes bagless vacuum cleaners, on Wednesday lost its fight for $198.4 million in compensation from the European Commission for alleged losses due to EU energy labelling rules. Dyson had challenged the rules introduced by the EU executive in 2014, saying the labelling requirements on vacuum cleaners discriminated against its technology, misled customers about the efficiency of some vacuum cleaners and unfairly benefited its German rivals.

It won the backing of the Luxembourg-based General Court, which in its 2018 ruling scrapped the EU energy labelling rules. Dyson subsequently went back to the same court seeking 176 million euros in compensation for losses allegedly incurred due to the rules. The court dismissed its claim. "By using the standardized empty receptacle testing method, the Commission did not manifestly and gravely disregard the limits on its discretion or commit a sufficiently serious breach of the principles of equal treatment and sound administration," judges said. Dyson said it would appeal.

The Internet

Fake Covid-19 Vaccine Certificates Are Being Advertised On the Dark Web (bankinfosecurity.com) 207

Criminals have been selling fake vaccine certificates online and may be able to fool an EU system designed to verify the certificates' validity, researchers warn. BankInfoSecurity reports: [A] report released last week, "COVID-19 Vaccination Certificates in the Dark Web," which has not yet been peer-reviewed, notes that some darknet markets continue to sell supposed vaccine certificates for use in multiple countries. Four researchers - Dimitrios Georgoulias, Jens Myrup Pedersen, Morten Falch, Emmanouil Vasilomanolakis - who are all part of the Cyber Security Group at Aalborg University in Copenhagen, Denmark, reviewed vaccination certificate offerings from 17 marketplaces and 10 vendor shops. The researchers found that at least one vendor appears to be selling digital certificates, registered in Italy, that are being read as valid by mobile COVID-19 certificate-checking apps developed by both France and Denmark.

The Aalborg University researchers, however, note that many darknet markets forbid any listing containing any items related to COVID-19. But others, they say, do allow both physical and digital vaccine certificates to be offered for sale, and in some cases also "yellow vaccination cards" or other vaccination record cards that can be used as proof of vaccination, albeit only inside the country in which they were supposedly issued. "The listings are heavily focused on European countries and the United States, but there are also listings from other continents and countries, such as Brazil, Canada, Mexico and Australia," as well as Russia, the researchers write. "The pricing differs greatly between the different listings, with the cheapest certificate starting at $39 and the highest price reaching almost $2,800, which included both a physical and a digital certificate, registered in the United Kingdom," they write. Most markets accept bitcoin and monero cryptocurrencies as payment, they add, while a smaller number also take such digital coins as ethereum, cardano, litecoin and zcash. [...] The Aalborg University researchers note that buying a fake digital certificate gives the seller ample opportunity to scam a buyer.

If these fake COVID-19 certificates can indeed pass for valid ones, then one unanswered question remains: How? Many of the sites claim to have access to the systems used to issue certificates, either by hacking into them remotely, or having insiders who work at a healthcare or other health organization, the researchers say. "In the specific case of a listing on the Russian marketplace Hydra, the description even mentioned the exact location and hospital that the system was accessed from," they say. Another possibility, however, is that criminals have somehow stolen one or more private keys for the European system, which were issued to participating health organizations. If so, it would be difficult to revoke these keys, the researchers say, since doing so would invalidate what might be a large quantity of legitimate certificates too.
