The Almighty Buck

Trump Names Cryptocurrencies for 'Digital Asset Stockpile' in Social Media Post (cnbc.com) 156

Despite a January announcement that America would explore the idea of a national digital asset stockpile, the exact cryptocurrencies weren't specified. Today on social media the president posted that it would include bitcoin, ether, XRP, Solana's SOL token and Cardano's ADA, reports CNBC — prompting a Sunday rally in cryptocurrencies trading. XRP surged 33% after the announcement while the token tied to Solana jumped 22%. Cardano's coin soared more than 60%. Bitcoin rose 10% to $94,425.29, after dipping to a three-month low under $80,000 on Friday. Ether, which has suffered some of the biggest losses in crypto year-to-date, gained 12%... This is the first time Trump has specified his support for a crypto "reserve" versus a "stockpile." While the former assumes actively buying crypto in regular installments, a stockpile would simply not sell any of the crypto currently held by the U.S. government.

"The total cryptocurrency market has risen about 10%," reports Reuters, "or more than $300 billion, in the hours since Trump's announcement, according to CoinGecko, a cryptocurrency data and analysis company."

"A U.S. Crypto Reserve will elevate this critical industry..." the president posted, promising to "make sure the U.S. is the Crypto Capital of the World," reports The Hill: His announcement comes just after the White House announced it would be welcoming cryptocurrency industry professionals on March 7 in a first-of-its-kind summit... It's unclear what exactly Trump's crypto reserve would look like, and while he previously dismissed crypto as a scam, he's embraced the industry throughout his most recent campaign.

Piracy

Malicious PyPI Package Exploited Deezer's API, Orchestrates a Distributed Piracy Operation (socket.dev) 24

A malicious PyPI package effectively turned its users' systems "into an illicit network for facilitating bulk music downloads," writes The Hacker News.

Though the package has been removed from PyPI, researchers at security platform Socket.dev say it enabled "coordinated, unauthorized music downloads from Deezer — a popular streaming service founded in France in 2007." Although automslc, which has been downloaded over 100,000 times, purports to offer music automation and metadata retrieval, it covertly bypasses Deezer's access restrictions... The package is designed to log into Deezer, harvest track metadata, request full-length streaming URLs, and download complete audio files in clear violation of Deezer's API terms... [I]t orchestrates a distributed piracy operation by leveraging both user-supplied and hardcoded Deezer credentials to create sessions with Deezer's API. This approach enables full access to track metadata and the decryption tokens required to generate full-length track URLs.

Additionally, the package routinely communicates with a remote server... to update download statuses and submit metadata, thereby centralizing control and allowing the threat actor to monitor and coordinate the distributed downloading operation. In doing so, automslc exposes critical track details — including Deezer IDs, International Standard Recording Codes, track titles, and internal tokens like MD5_ORIGIN (a hash used in generating decryption URLs) — which, when collected en masse, can be used to reassemble full track URLs and facilitate unauthorized downloads...

Even if a user pays for access to the service, the content is licensed, not owned. The automslc package circumvents licensing restrictions by enabling downloads and potential redistribution, which is outside the bounds of fair use...

"The malicious package was initially published in 2019, and its popularity (over 100,000 downloads) indicates wide distribution..."

Government

Utah Could Become America's First State To Ban Fluoride In Public Water (nbcnews.com) 233

NBC News reports that Utah could make history as America's first state to ban fluoride in public water systems — even though major medical associations support water fluoridation: If signed into law [by the governor], HB0081 would prevent any individual or political subdivision from adding fluoride "to water in or intended for public water systems..." A report published recently in JAMA Pediatrics found a statistically significant association between higher fluoride exposure and lower children's IQ scores — but the researchers did not suggest that fluoride should be removed from drinking water. According to the report's authors, most of the 74 studies they reviewed were low-quality and done in countries other than the United States, such as China, where fluoride levels tend to be much higher, the researchers noted.

An Australian study published last year found no link between early childhood exposure to fluoride and negative cognitive neurodevelopment. Researchers actually found a slightly higher IQ in kids who consistently drank fluoridated water. The levels in Australia are consistent with U.S. recommendations.

Major public health groups, including the American Academy of Pediatrics, the American Dental Association and the CDC — which says drinking fluoridated water keeps teeth strong and reduces cavities — support adding fluoride to water.

The article notes that since 2010 over 150 U.S. towns or counties have voted to keep fluoride out of public water systems or to stop adding it to their water (according to the anti-fluoride group "Fluoride Action Network"). But this week the American Dental Association (representing 159,000 members) urged Utah's governor not to become "the only state to end this preventive health practice that has been in place for over three quarters of a century."

Thanks to Slashdot reader fjo3 for sharing the news.

Firefox

Mozilla Revises Firefox's Terms of Use, Clarifies That They Don't Own Your Data (theverge.com) 68

"We need a license to allow us to make some of the basic functionality of Firefox possible," Mozilla explained Wednesday in a clarification of a recent Terms of Use update. "Without it, we couldn't use information typed into Firefox, for example. It does NOT give us ownership of your data or a right to use it for anything other than what is described in the Privacy Notice."

But Friday they went further, and revised those new Terms of Use "to more clearly reflect the limited scope of how Mozilla interacts with user data," according to a Mozilla blog post. More details from the Verge: The particular language that drew criticism was:

"When you upload or input information through Firefox, you hereby grant us a nonexclusive, royalty-free, worldwide license to use that information to help you navigate, experience, and interact with online content as you indicate with your use of Firefox."

That language has been removed. Now, the language in the terms says:

"You give Mozilla the rights necessary to operate Firefox. This includes processing your data as we describe in the Firefox Privacy Notice. It also includes a nonexclusive, royalty-free, worldwide license for the purpose of doing as you request with the content you input in Firefox. This does not give Mozilla any ownership in that content...."

Friday's post additionally provides some context about why the company has "stepped away from making blanket claims that 'We never sell your data.'" Mozilla says that "in some places, the LEGAL definition of 'sale of data' is broad and evolving," and that "the competing interpretations of do-not-sell requirements does leave many businesses uncertain about their exact obligations and whether or not they're considered to be 'selling data.'" Mozilla says that "there are a number of places where we collect and share some data with our partners" so that Firefox can be "commercially viable," but it adds that it spells those out in its privacy notice and works to strip data of potentially identifying information or share it in aggregate.

The Courts

Apple Accused of Misleading Consumers With Apple Watch 'Carbon Neutral' Claims (theverge.com) 11

Apple is facing a class action lawsuit alleging it misled consumers by falsely claiming certain Apple Watches were carbon neutral, as the carbon offset projects it relied on did not effectively reduce greenhouse gas emissions. The Verge reports: Apple said in 2023 that "select case and band combinations" of its Apple Watch Series 9, Apple Watch Ultra 2, and Apple Watch SE would be the company's first carbon neutral devices. The suit was filed on behalf of anyone who bought those watches. It alleges that the products were not really carbon neutral because they relied on faulty offset projects that didn't actually reduce the company's greenhouse gas pollution. [...]

The company's carbon neutral claims were false, and the seven plaintiffs would not have purchased the Apple Watches or paid as much for them had they known that, the lawsuit alleges. "Apple's false advertising may lead [consumers] to choose its products over genuinely sustainable alternatives," the complaint (PDF) filed in a California federal court on Wednesday says.

Apple is standing by its assertions. "We are proud of our carbon neutral products, which are the result of industry-leading innovation in clean energy and low-carbon design," Apple spokesperson Sean Redding said in an email. Redding says the company reduced Apple Watch emissions by more than 75 percent. The company focused on cutting pollution from materials, electricity, and transportation used to make the watches, in part by getting more of its suppliers to switch to clean energy. To deal with the remaining pollution, Redding says Apple invests in "nature-based projects to remove hundreds of thousands of metric tons of carbon from the air." That's where the new lawsuit finds problems.

To offset their emissions, many companies buy carbon credits from forestry projects that represent tons of planet-heating carbon dioxide that trees and soil naturally trap. Apple primarily purchased credits from the Chyulu Hills project in Kenya and the Guinan Project in China, the suit says. It alleges that neither of the projects met a basic standard for carbon offsets, which is that they capture additional CO2 that would not otherwise have been sequestered had Apple not paid to support the project.

GNU is Not Unix

An Appeals Court May Kill a GNU GPL Software License (theregister.com) 74

The Ninth Circuit Court of Appeals is set to review a California district court's ruling in Neo4j v. PureThink, which upheld Neo4j's right to modify the GNU AGPLv3 with additional binding terms. If the appellate court affirms this decision, it could set a precedent allowing licensors to impose unremovable restrictions on open-source software, potentially undermining the enforceability of GPL-based licenses and threatening the integrity of the open-source ecosystem. The Register reports: The GNU AGPLv3 is a free and open source software (FOSS) license largely based on the GNU GPLv3, both of which are published by the Free Software Foundation (FSF). Neo4j provided database software under the AGPLv3, then tweaked the license, leading to legal battles over forks of the software. The AGPLv3 includes language that says any added restrictions or requirements are removable, meaning someone could just file off Neo4j's changes to the usage and distribution license, reverting it back to the standard AGPLv3, which the biz has argued and successfully fought against in that California district court.

Now the matter, the validity of that modified FOSS license, is before an appeals court in the USA. "I don't think the community realizes that if the Ninth Circuit upholds the lower court's ruling, it won't just kill GPLv3," PureThink's John Mark Suhy told The Register. "It will create a dangerous legal precedent that could be used to undermine all open-source licenses, allowing licensors to impose unexpected restrictions and fundamentally eroding the trust that makes open source possible."

Perhaps equally concerning is the fact that Suhy, founder and CTO of PureThink and iGov (the two firms sued by Neo4j), and presently CTO of IT consultancy Greystones Group, is defending GPL licenses on his own, pro se, without the help of the FSF, founded by Richard Stallman, creator of the GNU General Public License. "I'm actually doing everything pro se because I used up all my savings to fight it in the lower court," said Suhy. "I'm surprised the Free Software Foundation didn't care too much about it. They always had an excuse about not having the money for it. Luckily the Software Freedom Conservancy came in and helped out there."

Firefox

Mozilla's Updated ToS: We Own All Info You Put Into Firefox 142

UPDATE (3/1/2025): "We need a license to allow us to make some of the basic functionality of Firefox possible," Mozilla explained Wednesday in a clarification of a recent Terms of Use update. "Without it, we couldn't use information typed into Firefox, for example. It does NOT give us ownership of your data or a right to use it for anything other than what is described in the Privacy Notice."

But Friday they went further, and revised those new Terms of Use "to more clearly reflect the limited scope of how Mozilla interacts with user data," according to a Mozilla blog post. ("You give Mozilla the rights necessary to operate Firefox... This does not give Mozilla any ownership in that content.")

Slashdot's original post below...

New submitter SharkByte writes: Mozilla just updated its Terms of Use and Privacy Policy for Firefox with a very disturbing "You Give Mozilla Certain Rights and Permissions" clause:

When you upload or input information through Firefox, you hereby grant us a nonexclusive, royalty-free, worldwide license to use that information to help you navigate, experience, and interact with online content as you indicate with your use of Firefox.

H/T to reader agristin as well, who also wrote about this.

Privacy

Apple's Find My Network Exploit Lets Hackers Silently Track Any Bluetooth Device 22

Researchers at George Mason University discovered a vulnerability in Apple's Find My network that allows hackers to silently track any Bluetooth device as if it were an AirTag, without the owner's knowledge. 9to5Mac reports: Although AirTag was designed to change its Bluetooth address based on a cryptographic key, the attackers developed a system that could quickly find keys for Bluetooth addresses. This was made possible by using "hundreds" of GPUs to find a key match. The exploit called "nRootTag" has a frightening success rate of 90% and doesn't require "sophisticated administrator privilege escalation."

In one of the experiments, the researchers were able to track the location of a computer with an accuracy of 10 feet, which allowed them to trace a bicycle moving through the city. In another experiment, they reconstructed a person's flight path by tracking their game console. "While it is scary if your smart lock is hacked, it becomes far more horrifying if the attacker also knows its location. With the attack method we introduced, the attacker can achieve this," said one of the researchers.

Apple has acknowledged the George Mason researchers for discovering a Bluetooth exploit in its Find My network but has yet to issue a fix. "For now, they advise users to never allow unnecessary access to the device's Bluetooth when requested by apps, and of course, always keep their device's software updated," reports 9to5Mac.

Social Networks

Apple Launches 'Age Assurance' Tech As US States Mull Social Media Laws (reuters.com) 53

Apple announced a new feature allowing parents to share a child's age with app developers without exposing sensitive information, as lawmakers debate age-verification laws for social media and apps. Reuters reports: States, such as Utah and South Carolina, are currently debating laws that would require app store operators such as Apple and Alphabet's Google to check the ages of users. That has set up a conflict in the tech industry over which party should be responsible for checking ages for users under 18 -- app stores, or each individual app. Meta, for instance, has long argued in favor of legislation requiring app stores to check ages when a child downloads an app.

Apple on Thursday said it does not want to be responsible for collecting sensitive data for those age verifications. "While only a fraction of apps on the App Store may require age verification, all users would have to hand over their sensitive personally identifying information to us -- regardless of whether they actually want to use one of these limited set of apps," Apple wrote in a whitepaper on its website.

Privacy

Thousands of Exposed GitHub Repositories, Now Private, Can Still Be Accessed Through Copilot (techcrunch.com) 19

An anonymous reader quotes a report from TechCrunch: Security researchers are warning that data exposed to the internet, even for a moment, can linger in online generative AI chatbots like Microsoft Copilot long after the data is made private. Thousands of once-public GitHub repositories from some of the world's biggest companies are affected, including Microsoft's, according to new findings from Lasso, an Israeli cybersecurity company focused on emerging generative AI threats.

Lasso co-founder Ophir Dror told TechCrunch that the company found content from its own GitHub repository appearing in Copilot because it had been indexed and cached by Microsoft's Bing search engine. Dror said the repository, which had been mistakenly made public for a brief period, had since been set to private, and accessing it on GitHub returned a "page not found" error. "On Copilot, surprisingly enough, we found one of our own private repositories," said Dror. "If I was to browse the web, I wouldn't see this data. But anyone in the world could ask Copilot the right question and get this data."

After it realized that any data on GitHub, even briefly, could be potentially exposed by tools like Copilot, Lasso investigated further. Lasso extracted a list of repositories that were public at any point in 2024 and identified the repositories that had since been deleted or set to private. Using Bing's caching mechanism, the company found more than 20,000 since-private GitHub repositories still had data accessible through Copilot, affecting more than 16,000 organizations. Lasso told TechCrunch ahead of publishing its research that affected organizations include Amazon Web Services, Google, IBM, PayPal, Tencent, and Microsoft. [...] For some affected companies, Copilot could be prompted to return confidential GitHub archives that contain intellectual property, sensitive corporate data, access keys, and tokens, the company said.

The Courts

Automattic's 'Nuclear War' Over WordPress Access Sparks Potential Class Action (arstechnica.com) 15

An anonymous reader shares a report: The company behind WordPress, Automattic Inc., and its founder, Matt Mullenweg, continue to face backlash over a "nuclear war" started with WP Engine (WPE) that allegedly messed with maintenance and security of hundreds of thousands of websites.

In a proposed class action lawsuit filed this weekend, a WPE customer, Ryan Keller, accused Automattic and Mullenweg of "deliberately abusing their power and control over the WordPress ecosystem to purposefully, deliberately, and repeatedly disrupt contracts" -- all due to a supposed trademark infringement claim. If granted, the class would include "all persons in the United States who had ongoing active WPE WordPress Web Hosting Plans on or before September 24, 2024 through December 10, 2024."

WPE had previously sued Automattic and Mullenweg, alleging that the attack on WPE was actually an attempt to extort what Keller alleged was "tens of millions of dollars" in payments from WPE for using the WordPress trademark. Mullenweg made it clear that the value of the payments was "based on what he thought WPE could afford, rather than what the value of the trademark actually was," Keller's complaint alleged. Automattic's "poorly disguised attempt to extort WPE," Keller alleged, was lobbed "against the threat of making it virtually impossible for WPE (and its customers) to conduct its ordinary business."

Privacy

Google Is Making It Easier To Remove Personal Info On Search (engadget.com) 6

Google has updated its Results About You tool with a redesigned hub, easier removal requests directly from Search, and the ability to refresh outdated results. Engadget reports: Today, the tech giant is announcing the latest changes, including a redesigned hub and the ability to update outdated search results to reflect the latest changes.

The redesign isn't only for show. You can now submit removal requests directly from Search with fewer actions by clicking or tapping the three dots beside a search result. If you manage to have content about you deleted or changed from a website but Google Search hasn't caught up, you can refresh the search, which will "recrawl the page and obtain the latest information." In other words, you can always see the most up-to-date results about you.

Crime

To Identify Suspect In Idaho Killings, FBI Used Restricted Consumer DNA Data (nytimes.com) 99

An anonymous reader quotes a report from the New York Times: As investigators struggled for weeks to find who might have committed the brutal stabbings of four University of Idaho students in the fall of 2022, they were focused on a key piece of evidence: DNA on a knife sheath that was found at the scene of the crime. At first they tried checking the DNA with law enforcement databases, but that did not provide a hit. They turned next to the more expansive DNA profiles available in some consumer databases in which users had consented to law enforcement possibly using their information, but that also did not lead to answers.

F.B.I. investigators then went a step further, according to newly released testimony, comparing the DNA profile from the knife sheath with two databases that law enforcement officials are not supposed to tap: GEDmatch and MyHeritage. It was a decision that appears to have violated key parameters of a Justice Department policy that calls for investigators to operate only in DNA databases "that provide explicit notice to their service users and the public that law enforcement may use their service sites."

It also seems to have produced results: Days after the F.B.I.'s investigative genetic genealogy team began working with the DNA profiles, it landed on someone who had not been on anyone's radar: Bryan Kohberger, a Ph.D. student in criminology who has now been charged with the murders. The case has shown both the promise and the unregulated power of genetic technology in an era in which millions of people willingly contribute their DNA profiles to recreational databases, often to hunt for relatives. In the past, law enforcement officials would need to find a direct match between DNA at the crime scene and that of a specific suspect. Now, investigators can use consumer DNA data to build family trees that can zero in on a person of interest -- within certain policy limits.

AI

Chegg To Initiate Business Review Amid AI-Shift in Education Tech (cnbc.com) 31

Online-education company Chegg said it is conducting a business review and exploring alternatives such as selling the company or taking it private as it continues to lose subscribers to artificial-intelligence-enabled rivals. From a report: Chegg and other virtual-learning companies have ceded ground to generative-AI companies such as ChatGPT, which provides free alternatives to the homework help that Chegg charges $19.95 for to its subscribers. Although Chegg built its own AI products, the company has faced scores of canceled subscriptions. The business review comes as the company swung to a loss in the fourth quarter, with revenue falling 24%, and guided for lower-than-expected revenue for the first quarter. In November, Chegg said it would cut its workforce by an additional 21%. Chegg's shares have fallen 99% since its peak in 2021.

United States

All 50 States Have Now Introduced Right to Repair Legislation 46

All 50 U.S. states have now introduced some form of right to repair legislation, marking a significant milestone that "shows the power of the grassroots political movement," reports 404 Media. From the report: Thursday, Wisconsin became the final state in the country to introduce a right to repair bill. So far, right to repair laws have been passed in Massachusetts, New York, Minnesota, Colorado, California, and Oregon. Another 20 states are formally considering right to repair bills during this current legislative session. The rest have previously introduced bills that have not passed; so far we have seen that many states take several years to move a given right to repair bill through the legislative process. iFixit's Kyle Wiens said covering the entire map is a "tipping point" for the movement: "We've gone from a handful of passionate advocates to a nationwide call for repair autonomy. People are fed up with disposable products and locked-down devices. Repair is the future, and this moment proves it."

Encryption

VPN Providers Consider Exiting France Over 'Dangerous' Blocking Demands (torrentfreak.com) 44

An anonymous reader quotes a report from TorrentFreak: In France, rightsholders have taken legal action to compel large VPN providers to support their pirate site blocking program. The aim is to reinforce existing blocking measures, but VPN providers see this as a dangerous move, leading to potential security issues and overblocking. As a result, some are considering leaving France altogether if push comes to shove. [...] Earlier this month, sports rightsholders Canal+ and LFP requested blocking injunctions that would require popular VPNs to start blocking pirate sites and services. The full requests are not public, but the details available show that Cyberghost, ExpressVPN, NordVPN, ProtonVPN, and Surfshark are listed as respondents. [...]

The blocking request has yet to be approved and several of the targeted VPN providers have reserved detailed commentary, for now. That said, the VPN Trust Initiative (VTI), which includes ExpressVPN, NordVPN and Surfshark as members, has been vocal in its opposition. VTI is part of the i2Coalition and while it doesn't speak directly for any of the members, the coalition's Executive Director Christian Dawson has been in regular discussions with VPN providers. From this, it became clear that VPN providers face difficult decisions. If VPN providers are ordered to block pirate sites, some are considering whether to follow in the footsteps of Cisco, which discontinued its OpenDNS service in the country, to avoid meddling with its DNS resolver.

Speaking with TorrentFreak, VTI's Dawson says that VPNs have previously left markets like India and Pakistan in response to restrictive requirements. This typically happens when privacy or security principles are at risk, or if the technical implementation of blocking measures is infeasible. VTI does not rule out that some members may choose to exit France for similar reasons, if required to comply with blocking measures. "We've seen this before in markets like India and Pakistan, where regulatory requirements forced some VPN services to withdraw rather than compromise on encryption standards or log-keeping policies," Dawson says. "France's potential move to force VPN providers to block content could put companies in a similar position -- where they either comply with measures that contradict their purpose or leave the market altogether."

"This case in France is part of a broader global trend of regulatory overreach, where governments attempt to control encrypted services under the guise of content regulation. We've already seen how China, Russia, Myanmar, and Iran have imposed VPN restrictions as part of broader censorship efforts."

"The best path forward is for policymakers to focus on targeted enforcement measures that don't undermine Internet security or create a precedent for global Internet fragmentation," concludes Dawson. "As seen in other cases, blanket blocking measures do not effectively combat piracy but instead create far-reaching consequences that disrupt the open Internet."

The Courts

Google's AI Previews Erode the Internet, Edtech Company Says In Lawsuit (reuters.com) 38

Chegg has filed a lawsuit against Google, accusing the tech giant of using AI-generated overviews to undermine publishers by reducing site traffic and eroding financial incentives for original content. Chegg claims this practice violates antitrust laws and threatens the integrity of the online information ecosystem. Reuters reports: This will eventually lead to a "hollowed-out information ecosystem of little use and unworthy of trust," the company said. The Santa Clara, California-based company has said Google's AI overviews have caused a drop in visitors and subscribers. Chegg was trading at around $1.63 on Monday, down more than 98% from its peak price in 2021.

The company announced it would lay off 21% of its staff in November. Nathan Schultz, CEO of Chegg, said on Monday that Google is profiting off the company's content for free. "Our lawsuit is about more than Chegg -- it's about the digital publishing industry, the future of internet search, and about students losing access to quality, step-by-step learning in favor of low-quality, unverified AI summaries," he said.

Publishers allow Google to crawl their websites to generate search results, which Google monetizes through advertising. In exchange, the publishers receive search traffic to their sites when users click on the results, Chegg said. But Google has started coercing publishers to let it use the information for AI overviews and other features that result in fewer site visitors, the company said. Chegg argued the conduct violates a law against conditioning the sale of one product on the customer selling or giving its supplier another product.

AI

Angry Workers Use AI to Bombard Businesses With Employment Lawsuits (telegraph.co.uk) 36

An anonymous reader shared this report from the Telegraph: Workers with an axe to grind against their employer are using AI to bombard businesses with costly and inaccurate lawsuits, experts have warned.

Frustration is growing among employment lawyers who say they are seeing a trend of litigants using AI to help them run their claims, which they say is generating "inconsistent, lengthy, and often incorrect arguments" and causing a spike in legal fees... Ailie Murray, an employment partner at law firm Travers Smith, said AI submissions are produced so rapidly that they are "often excessively lengthy and full of inconsistencies", but employers must then spend vast amounts of money responding to them. She added: "In many cases, the AI-generated output is inaccurate, leading to claimants pleading invalid claims or arguments.

"It is not an option for an employer to simply ignore such submissions. This leads to a cycle of continuous and costly correspondence. Such dynamics could overburden already stretched tribunals with unfounded and poorly pleaded claims."

There's definitely been a "significant increase" in the number of clients using AI, James Hockin, an employment partner at Withers, told the Telegraph. The danger? "There is a risk that we see unrepresented individuals pursuing the wrong claims in the UK employment tribunal off the back of a duff result from an AI tool."

Advertising

Will Consumer Data Collection Lead to Algorithm-Adjusted 'Surveillance Pricing'? (msn.com) 104

An anonymous reader shared this report from the Washington Post's "Tech Brief": Last fall, reports that Kroger was considering bringing facial recognition technology into its stores sparked outcry from lawmakers and customers. They worried personalized data could be used to charge different prices for different customers based on their shopping habits, financial circumstances or appearance. Kroger, the country's largest supermarket chain, had already been using digital price tags in its stores.

Kroger told lawmakers that it doesn't use facial recognition to help it set prices, a stance the company reiterated to the Tech Brief on Thursday. Still, the uproar helped to spark a push by consumer advocates who warn that the threat of invasive, personalized pricing schemes is real. Now, Democratic lawmakers in several states are working to ban so-called "surveillance pricing" — when businesses charge customers more or less for the same item based on their personal information.

Besides a bill in California, three more bills were introduced this month in Colorado, Georgia, and Illinois that also ban "surveillance wages," which the article defines as employers adjusting wages based on how much data an employee collects. "Both surveillance pricing and surveillance wages really disrupt fundamental ideals of fairness," University of California, Irvine law professor Veena Dubal tells the Washington Post.

Dubal is one of the consumer advocates behind a new report which notes information released last month by America's consumer-protecting FTC that "suggests that surveillance pricing tools are being actively developed and marketed across a range of industries, including consumer-facing businesses like 'grocery stores, apparel retailers, health and beauty retailers, home goods and furnishing stores, convenience stores, building and hardware stores, and general merchandise retailers such as department or discount stores.'" The consumer advocates (which include the Electronic Privacy Information Center) put it this way:

"Imagine walking into a grocery store and seeing a price for milk that's higher than what the next shopper pays because an algorithm calculated that you're willing to spend more..."
Privacy

California Sues Data-Harvesting Company NPD, Enforcing Strict Privacy Law (msn.com) 6

California sued to fine a data-harvesting company, reports the Washington Post, calling it "a rare step to put muscle behind one of the strongest online privacy laws in the United States." Even when states have tried to restrict data brokers, it has been tough to make those laws stick. That has generally been a problem for the 19 states that have passed broad laws to protect personal information, said Matt Schwartz, a policy analyst for Consumer Reports. He said there have been only 15 or so public enforcement actions by regulators overseeing all those laws. Partly because companies aren't held accountable, they're empowered to ignore the privacy standards. "Noncompliance is fairly widespread," Schwartz said. "It's a major problem."

That's why California is unusual with a data broker law that seems to have teeth. To make sure state residents can order all data brokers operating in the state to delete their personal records [with a single request], California is now requiring brokers to register with the state or face a fine of $200 a day. The state's privacy watchdog said Thursday that it filed litigation to force one data broker, National Public Data, to pay $46,000 for failing to comply with that initial phase of the data broker law. NPD declined to comment through an attorney... This first lawsuit for noncompliance, Schwartz said, shows that California is serious about making companies live up to their privacy obligations... "If they can successfully build it and show it works, it will create a blueprint for other states interested in this idea," he said.

Last summer NPD "spilled hundreds of millions of Americans' Social Security Numbers, addresses, and phone numbers online," according to the blog Krebs on Security, adding that another NPD data broker sharing access to the same consumer records "inadvertently published the passwords to its back-end database in a file that was freely available from its homepage..."

California's attempt to regulate the industry inspired the nonprofit Consumer Reports to create an app called Permission Slip that reveals what data companies collect and, for people in U.S. states, will "work with you to file a request, telling companies to stop selling your personal information."

Other data-protecting options suggested by The Washington Post:
  • Use Firefox, Brave or DuckDuckGo, "which can automatically tell websites not to sell or share your data. Those demands from the web browsers are legally binding or will be soon in at least nine states."
  • Use Privacy Badger, an EFF browser extension which the EFF says "automatically tells websites not to sell or share your data including where it's required by state law."
