Security

Data of Millions of eBay and Amazon Shoppers Exposed (sophos.com) 39

An anonymous reader quotes the "Naked Security" blog of anti-virus company Sophos: Researchers have discovered another big database containing millions of European customer records left unsecured on Amazon Web Services (AWS) for anyone to find using a search engine. A total of eight million records were involved, collected via marketplace and payment system APIs belonging to companies including Amazon, eBay, Shopify, PayPal, and Stripe.

Discovered by Comparitech's noted breach hunter Bob Diachenko, the AWS instance containing the MongoDB database became visible on 3 February, where it remained indexable by search engines for five days. Data in the records included names, shipping addresses, email addresses, phone numbers, items purchased, payments, order IDs, links to Stripe and Shopify invoices, and partially redacted credit cards...

The article calls it "simply the latest example of how easy it is to leave sensitive data sitting in an unsecured state on cloud storage platforms." It also cites two more high-profile databases that Comparitech found exposed on Elasticsearch just in 2020:
EU

Should Google Notify Web Sites About Right-to-Be-Forgotten Requests? (venturebeat.com) 46

An anonymous reader quotes VentureBeat: Sweden's Data Protection Authority (DPA) has slapped Google with a 75 million kronor ($8 million) fine for "failure to comply" with Europe's General Data Protection Regulation (GDPR) after the internet giant reportedly failed to adequately remove search result links under right-to-be-forgotten requests. In a notable twist, the DPA also demanded that Google refrain from informing website operators their URLs will be de-indexed... Rather than asking website operators to remove a web page, Google — and other search engines — are required to hide the page from European search results.

Since the ruling took effect, Google has received millions of de-indexing requests, though it reports that fewer than 45% have been fulfilled... The crux of the Swedish DPA's complaint is that Google did not "properly remove" two search result listings after it was instructed to do so back in 2017. "In one of the cases, Google has done a too narrow interpretation of what web addresses needed to be removed from the search result listing," the DPA wrote in its statement. "In the second case, Google has failed to remove the search result listing without undue delay." But inadequate and tardy removals are only part of the issue, according to Sweden's DPA, which also argues that Google should keep website operators in the dark about removal requests...

If Google's latest fine is upheld — the company has three weeks to appeal — it would rank among the seven largest GDPR penalties of all time. Google confirmed to VentureBeat that it does indeed intend to file an appeal. "We disagree with this decision on principle and plan to appeal," the spokesperson said.

EU

Europe Is Now the 'Epicenter' of the Coronavirus Pandemic, WHO Says (cnbc.com) 195

Europe has become the new epicenter of the COVID-19 pandemic as cases in China slow and the deadly coronavirus runs through Italy and nearby countries, World Health Organization officials said Friday. CNBC reports: "More cases are now being reported [in Europe] every day than were reported in China at the height of its epidemic," WHO Director-General Dr. Tedros Adhanom Ghebreyesus said at a news conference at the organization's Geneva headquarters. WHO officials declared COVID-19 a global pandemic on Wednesday as the virus spreads rapidly across the world from Asia to Europe, the Middle East and now parts of the United States.

"When the virus is out there, the population has no immunity and no therapy exists, then 60% to 70% of the population will be infected," German Chancellor Angela Merkel told a news conference in Berlin on Wednesday, according to Reuters. The country has a population of more than 82 million. Italy currently has the most cases outside of China with at least 15,113 infections, followed by Spain at 4,334, Germany at 3,156 and France at 2,882, according to data compiled by Johns Hopkins University. Other countries in Europe are seeing cases soar. Switzerland currently has 1,125 cases, followed by Sweden at 809, the Netherlands at 804 and Denmark at 788. The United States had at least 1,701 cases as of Friday morning, according to Hopkins.

Space

Molten Iron Rain Falls Through the Skies of Scorching-Hot Exoplanet (space.com) 14

A new study reports that iron rain likely falls through the thick, turbulent air of WASP-76 b, a bizarre "ultrahot Jupiter" that lies about 640 light-years from the sun, in the constellation Pisces. Space.com reports: WASP-76 b zips around its host star once every 1.8 Earth days, an orbit so tight that the gaseous planet is "tidally locked," always showing the star the same face. Temperatures on this dayside climb above 4,350 degrees Fahrenheit (2,400 degrees Celsius) -- hot enough to vaporize metals -- whereas the nightside is a much cooler (but still ridiculous) 2,730 F (1,500 C), researchers said. WASP-76 b was discovered in 2013. The alien planet is about as massive as Jupiter but nearly twice as wide, likely because the massive radiation loads the exoplanet receives from its host star puff up its atmosphere considerably. (And one quick note about the object's distance: Some sources say that WASP-76 b is about 390 light-years away, but that number is inaccurate, Ehrenreich said. He and his colleagues calculated WASP-76 b's distance using data from Europe's ultraprecise star-mapping spacecraft Gaia.)
EU

European Lawmakers Propose a 'Right To Repair' For Mobiles and Laptops (techcrunch.com) 120

The European Commission has set out a plan to move towards a 'right to repair' for electronics devices, such as mobile phones, tablets and laptops. From a report: More generally it wants to restrict single-use products, tackle "premature obsolescence" and ban the destruction of unsold durable goods -- in order to make sustainable products the norm. The proposals are part of a circular economy action plan that's intended to deliver on a Commission pledge to transition the bloc to carbon neutrality by 2050. By extending the lifespan of products, via measures which target design and production to encourage repair, reuse and recycling, the policy push aims to reduce resource use and shrink the environmental impact of buying and selling stuff. The Commission also wants to arm EU consumers with reliable information about reparability and durability -- to empower them to make greener product choices.
EU

After Coronavirus, Airlines are Flying Empty 'Ghost' Flights in Europe (businessinsider.com) 106

An anonymous reader quotes Business Insider: Airlines have wasted thousands of gallons of fuel running empty "ghost" flights during the coronavirus outbreak because of European rules saying operators can lose their flight slots if they keep their planes on the ground.

Demand for flights has collapsed across the globe amid growing fears about the outbreak. Under Europe's rules, airlines operating out of the continent must continue to run 80% of their allocated slots or risk losing them to a competitor. This has led to some operators flying empty planes into and out of European countries at huge costs, The Times of London reported.

EU

Citroën Unveils a Tiny $6,600, 6-Kilowatt Electric Car (cnn.com) 210

An anonymous reader quotes CNN: French automaker Citroën has unveiled the Ami, a tiny electric car that's designed from the outset to be as cheap as possible. The car isn't very fast and it looks a bit like a washing machine, but it only costs €6,000, or the equivalent of about $6,600.

It would be hard to get a good used car at that price, but the two-seat Ami is barely a car. In fact, Citroën refers to it as a "non-conformist mobility object." It has a top speed of just 45 kilometers an hour, roughly equal to 28 miles per hour. It's powered by a 6 kilowatt, or 8 horsepower, electric motor. For that reason, though, the Ami can be driven by kids as young as 14 in France, or 16 in many other European countries, without a license. Under the laws of these countries, the Ami qualifies as a voiture sans permis (literally "car without license"), or quadricycle, a category of small and slow vehicle that, for purposes of regulation, is treated like a four-wheeled scooter...

The Ami is built using as few unique parts as possible. For instance, the body parts used for the front end are exactly like those used in the back. Also, the right door is exactly like the left door. That means the driver's side door hinge is at the front while the passenger side door hinge is at the back... Since it's a lightweight car with a small battery intended mostly for use in cities, the Ami has a range of only about 70 kilometers, or 43 miles, per charge. On the plus side, though, it can be fully charged in only three hours using a household electrical outlet...

Besides buying the car, shoppers will also have the option to lease it for €20, the equivalent of $22, per month.

AI

IBM and Microsoft Sign Vatican Pledge For Ethical AI (ft.com) 93

IBM and Microsoft have signed an "ethical resolution" with the Vatican to develop AI in a way that will protect the planet and the rights of all people [Editor's note: the link may be paywalled; alternative source]. From a report: The pledge, called the "Rome Call for AI Ethics," will be presented on Friday morning to Pope Francis by Brad Smith, the president of Microsoft, and John Kelly, IBM's executive vice-president, as well as Vatican officials and Qu Dongyu, the Chinese director-general of the UN Food and Agriculture Organization. The two US tech companies lead the world in AI development, measured by the number of patents they have amassed. The document calls for AI to safeguard the rights of all humankind, particularly the weak and underprivileged, and for new regulations in fields such as facial recognition. It said that there must be a "duty of explanation" that would show not only how AI algorithms come to their decisions but also what their purpose and objectives are.
Communications

EU Commission To Staff: Switch To Signal Messaging App (politico.eu) 46

The European Commission has told its staff to start using Signal, an end-to-end-encrypted messaging app, in a push to increase the security of its communications. From a report: The instruction appeared on internal messaging boards in early February, notifying employees that "Signal has been selected as the recommended application for public instant messaging." The app is favored by privacy activists because of its end-to-end encryption and open-source technology. "It's like Facebook's WhatsApp and Apple's iMessage but it's based on an encryption protocol that's very innovative," said Bart Preneel, cryptography expert at the University of Leuven. "Because it's open-source, you can check what's happening under the hood," he added. Signal was developed in 2013 by privacy activists. It is supported by a nonprofit foundation that has the backing of WhatsApp founder Brian Acton, who had left the company in 2017 after clashing with Facebook's leadership.
EU

Nonprofit Argues Germany Can't Ratify the 'Unitary Patent' Because of Brexit (ffii.org) 64

Long-time Slashdot reader zoobab shares this update from the Foundation for a Free Information Infrastructure, a Munich-based non-profit opposing ratification of a "Unified Patent Court" by Germany. They argue such a court will "validate and expand software patents in Europe," and they've come up with a novel argument to stop it.

"Germany cannot ratify the current Unitary Patent due to Brexit..." The U.K. is now a "third state" within the meaning of AETR case-law, [which] makes clear that:

"Each time the Community, with a view to implementing a common policy envisaged by the Treaty, adopts provisions laying down common rules, whatever form they may take, the Member States no longer have the right, acting individually or even collectively, to undertake obligations with third countries which affect those rules or alter their scope..."

This practically means that the ratification procedure for the Agreement on the Unified Patent Court must now come to an end, as that Agreement no longer applies due to the current significant changes (i.e. Brexit) in the membership requirements of its own ratification rules.

The nonprofit also argues that the Unitary Patent "is a highly controversial and extreme issue, as it allows new international patent courts to have the last word on the development and application of patent law and industrial property monopolies including, more seriously, the validation and expansion of software patents, that is the key sector on which whole industries and markets depend."
Security

Are APIs Putting Financial Data At Risk? (csoonline.com) 66

We live in a world where billions of login credentials have been stolen, enabling the brute-force cyberattacks known as "credential stuffing", reports CSO Online. And it's being made easier by APIs: New data from security and content delivery company Akamai shows that one in every five attempts to gain unauthorized access to user accounts is now done through application programming interfaces (APIs) instead of user-facing login pages. According to a report released today, between December 2017 and November 2019, Akamai observed 85.4 billion credential abuse attacks against companies worldwide that use its services. Of those attacks, around 16.5 billion, or nearly 20%, targeted hostnames that were clearly identified as API endpoints.

However, in the financial industry, the percentage of attacks that targeted APIs rose sharply between May and September 2019, at times reaching 75%.

"API usage and widespread adoption have enabled criminals to automate their attacks," the company said in its report. "This is why the volume of credential stuffing incidents has continued to grow year over year, and why such attacks remain a steady and constant risk across all market segments."

APIs also make it easier to extract information automatically, the article notes, while security experts "have long expressed concerns that implementation errors in banking APIs and the lack of a common development standard could increase the risk of data breaches."

Yet the EU's "Payment Services Directive" included a push for third-party interoperability among financial institutions, so "most banks started implementing such APIs... Even if no similar regulatory requirements exist in non-EU countries, market forces are pushing financial institutions in the same direction since they need to innovate and keep up with the competition."
United Kingdom

Google Users In UK To Lose EU Data Protection: Reuters (reuters.com) 70

Sources told Reuters that Google is planning to move its British users' accounts out of the control of European Union privacy regulators, placing them under U.S. jurisdiction instead. From the report: The shift, prompted by Britain's exit from the EU, will leave the sensitive personal information of tens of millions with less protection and within easier reach of British law enforcement. The change was described to Reuters by three people familiar with its plans. Google intends to require its British users to acknowledge new terms of service including the new jurisdiction.

Ireland, where Google and other U.S. tech companies have their European headquarters, is staying in the EU, which has one of the world's most aggressive data protection rules, the General Data Protection Regulation. Google has decided to move its British users out of Irish jurisdiction because it is unclear whether Britain will follow GDPR or adopt other rules that could affect the handling of user data, the people said. If British Google users have their data kept in Ireland, it would be more difficult for British authorities to recover it in criminal investigations.

EU

Europe Takes on China, US With Plan To Regulate Global Tech (bloomberg.com) 82

U.S. and Chinese firms hoping to deploy artificial intelligence and other technology in Europe will have to submit to a slew of new rules and tests, under a set of plans unveiled by the European Union to boost the bloc's digital economy. From a report: The legislative plans, outlined on Wednesday by the European Commission, the bloc's executive body, are designed to help Europe compete with the U.S. and China's technological power while still championing EU rights. The move is the latest attempt by the bloc to leverage the power of its vast, developed market to set global standards that companies around the world are forced to follow. Big U.S. companies, like Facebook and Alphabet's Google, won't get any reprieve from the Commission, which in its Digital Services Act plans to overhaul rules around legal liability for tech firms, and is also exploring legislation for 'gate-keeping' platforms that control their ecosystems. "It's not us that need to adapt to today's platforms. It's the platforms that need to adapt to Europe," European Industry Commissioner Thierry Breton said at a press conference in Brussels. If they can't find a way to adapt to the bloc's standards, "then we will have to regulate and we are ready to do this in the Digital Services Act at the end of this year."
Google

EU Judge Raises Prospect of Increasing Multibillion Fine Against Google (reuters.com) 86

Alphabet's appeal against a multibillion-dollar fine for alleged anticompetitive behavior by its Google unit risks backfiring after a European Union court floated the prospect of increasing the fine (Warning: source paywalled; alternative source), rather than scrapping it. The Wall Street Journal reports: In a surprise twist Friday at the end of a three-day hearing, one of five judges on the panel said the EU's General Court has the power to increase the $2.6 billion fine, levied in 2017, if it finds that the sum was insufficient to deter the company from further anticompetitive behavior. "The fine of ~$2.6 billion was described as eye-catching, but it is a small amount of cash in your hands," Judge Colm Mac Eochaidh said in court. "Did that level of fine deter you from repeating your behavior?" he asked Google's counsel. Increasing a fine has only one precedent in the court's history, according to Mr. Mac Eochaidh, when German chemicals giant BASF SE was ordered to pay ~$58,000 in 2007 on top of an initial ~$38 million fine for participating in a chemicals cartel.

Christopher Thomas, a counsel for Google, dismissed the idea that the fine was warranted and said the company takes the entire antitrust process "with extreme seriousness." Google disputes the findings of the commission that it had willingly or negligently squeezed competitors out of its shopping searches. The prospect of raising the fine was described as theoretical by the panel's presiding judge. Still, it sent Google lawyers scrambling for arguments, with one sitting on the floor outside the courtroom frantically researching how to contest such a move. If Google loses the case, it has the right to appeal to the bloc's highest court, the European Court of Justice.

Facebook

Facebook Dating Launch Blocked In Europe After It Fails To Show Privacy Workings (techcrunch.com) 16

An anonymous reader quotes a report from TechCrunch: Facebook has been left red-faced after being forced to call off the launch date of its dating service in Europe because it failed to give its lead EU data regulator enough advance warning -- including failing to demonstrate it had performed a legally required assessment of privacy risks. Yesterday, Ireland's Independent.ie newspaper reported that the Irish Data Protection Commission (DPC) -- using inspection and document seizure powers set out in Section 130 of the country's Data Protection Act -- had sent agents to Facebook's Dublin office seeking documentation that Facebook had failed to provide.

In a statement on its website, the DPC said Facebook first contacted it about the rollout of the dating feature in the EU on February 3. "We were very concerned that this was the first that we'd heard from Facebook Ireland about this new feature, considering that it was their intention to roll it out tomorrow, February 13," the regulator writes. "Our concerns were further compounded by the fact that no information/documentation was provided to us on February 3 in relation to the Data Protection Impact Assessment [DPIA] or the decision-making processes that were undertaken by Facebook Ireland." At the time of its U.S. launch, Facebook said dating would arrive in Europe by early 2020. It just didn't think to keep its lead EU privacy regulator in the loop, despite the DPC having multiple (ongoing) investigations into other Facebook-owned products at this stage.
A Facebook spokesperson said in a statement: "It's really important that we get the launch of Facebook Dating right so we are taking a bit more time to make sure the product is ready for the European market. We worked carefully to create strong privacy safeguards, and complete the data processing impact assessment ahead of the proposed launch in Europe, which we shared with the IDPC when it was requested."

In a second statement, the Facebook spokesperson added: "We're under no legal obligation to notify the IDPC of product launches. However, as a courtesy to the Office of the Data Protection Commission, who is our lead regulator for data protection in Europe, we proactively informed them of this proposed launch two weeks in advance. We had completed the data processing impact assessment well in advance of the European launch, which we shared with the IDPC when they asked for it."
Facebook

Facebook Dating Launch Blocked in Europe After it Fails To Show Privacy Workings (techcrunch.com) 31

Facebook has been left red-faced after being forced to call off the launch date of its dating service in Europe because it failed to give its lead EU data regulator enough advance warning -- including failing to demonstrate it had performed a legally required assessment of privacy risks. From a report: Late yesterday Ireland's Independent.ie newspaper reported that the Irish Data Protection Commission (DPC) had sent agents to Facebook's Dublin office seeking documentation that Facebook had failed to provide -- using inspection and document seizure powers set out in Section 130 of the country's Data Protection Act. In a statement on its website the DPC said Facebook first contacted it about the rollout of the dating feature in the EU on February 3. "We were very concerned that this was the first that we'd heard from Facebook Ireland about this new feature, considering that it was their intention to roll it out tomorrow, 13 February," the regulator writes. "Our concerns were further compounded by the fact that no information/documentation was provided to us on 3 February in relation to the Data Protection Impact Assessment [DPIA] or the decision-making processes that were undertaken by Facebook Ireland." Facebook announced its plan to get into the dating game all the way back in May 2018, trailing its Tinder-encroaching idea to bake a dating feature for non-friends into its social network at its F8 developer conference.
Businesses

Data Protection Authority Investigates Avast for Selling Users' Browsing History (vice.com) 13

The Czech data protection authority has announced an investigation into antivirus company Avast, which was harvesting the browsing history of over 100 million users and then selling products based on that data to a slew of different companies including Google, Microsoft, and Home Depot. From a report: "On the basis of the information revealed describing the practices of Avast Software s.r.o., which was supposed to sell data on the activities of anti-virus users through its 'Jumpshot division' the Office initiated a preliminary investigation of the case," a statement from the Czech national data protection authority on its website reads. Under the European General Data Protection Regulation (GDPR) and national laws, the Czech Republic, like other EU states, has a data protection authority to enforce things like mishandling of personal data. With GDPR, companies can be fined for data abuses. "At the moment we are collecting information on the whole case. There is a suspicion of a serious and extensive breach of the protection of users' personal data. Based on the findings, further steps will be taken and the general public will be informed in due time," added Ms Ivana Janu, President of the Czech Office for Personal Data Protection, in the statement. Avast is a Czech company.
Iphone

France Fines Apple $27.4 Million For Slowing iPhone Software (dw.com) 40

French authorities on Friday said tech giant Apple has agreed to pay $27.4 million for failing to inform users that software updates to older iPhone models could slow down the device, according to French media. From a report: Le Parisien reported it was the highest fine for fraud ever imposed by the consumer watchdog. The crackdown comes two years after Apple admitted its iOS software slowed down the performance of older phones -- in particular, devices with shorter battery life.
Businesses

Ireland's Data Privacy Watchdog Opens Probes Into Google, Tinder (engadget.com) 16

Ireland's Data Protection Commission (DPC) has opened two separate GDPR investigations into Google and Tinder. Engadget reports: In the case of [Tinder], the agency says it will examine how the dating app handles people's data and whether it's been transparent about the process. The DPC says it will also look into whether Tinder has been properly meeting data requests from users. Under GDPR, Europeans have several options when it comes to how companies handle their data. They can, for instance, ask an app or service to delete their data. The law also allows people to request copies of their personal information. The investigation into Tinder comes after the Norwegian Consumer Council published a report that accused Tinder, alongside several other dating apps, of irresponsibly spreading sensitive user data. Notably, the DPC says it's opening its investigation into Tinder after it received complaints from people in both Ireland and other parts of the European Union.

As for Google, the DPC will investigate how the search giant handles and processes location data. Numerous European consumer rights groups started asking the agency to investigate Google shortly after the EU enacted GDPR. Both Tinder and Google have said they'll cooperate with the probes.
CNET notes Google and Tinder could face fines of up to four percent of their total annual revenue in the previous year, if the two companies haven't been fully compliant with GDPR.
United Kingdom

Brexit Happens (bbc.com) 556

"The UK has officially left the European Union after 47 years of membership," reports the BBC. The historic moment, which happened at 23:00 GMT, was marked by both celebrations and anti-Brexit protests. Candlelit vigils were held in Scotland, which voted to stay in the EU, while Brexiteers partied in London's Parliament Square... Brexit parties were held in pubs and social clubs across the UK as the country counted down to its official departure.

Hundreds gathered in Parliament Square to celebrate Brexit, singing patriotic songs and cheering speeches from leading Brexiteers, including Nigel Farage... In Northern Ireland, the campaign group Border Communities Against Brexit staged a series of protests in Armagh, near to the border with the Republic of Ireland.

At 23:00 GMT, Scotland's First Minister Nicola Sturgeon tweeted a picture of the EU flag, adding: "Scotland will return to the heart of Europe as an independent country."
The U.K. flag was removed from European Union institutions in Brussels, the BBC notes. And they also quote U.K. Prime Minister Boris Johnson as saying "For all its strengths and for all its admirable qualities, the EU has evolved over 50 years in a direction that no longer suits this country."

"The most important thing to say tonight is that this is not an end but a beginning..."
