Privacy

Apple To Resist India Order To Preload State-Run App As Political Outcry Builds (reuters.com) 55

Apple does not plan to comply with India's mandate to preload its smartphones with a state-owned cyber safety app that cannot be disabled. According to Reuters, the order "sparked surveillance concerns and a political uproar" after it was revealed on Monday. From the report: In the wake of the criticism, India's telecom minister Jyotiraditya M. Scindia on Tuesday said the app was a "voluntary and democratic system," adding that users can choose to activate it and can "easily delete it from their phone at any time." At present, the app can be deleted by users. Scindia did not comment on or clarify the November 28 confidential directive that ordered smartphone makers to start preloading it and ensure "its functionalities are not disabled or restricted."

Apple, however, does not plan to comply with the directive and will tell the government it does not follow such mandates anywhere in the world, as they raise a host of privacy and security issues for the company's iOS ecosystem, said two of the industry sources who are familiar with Apple's concerns. They declined to be named publicly as the company's strategy is private. "It's not only like taking a sledgehammer, this is like a double-barrel gun," said the first source.

Privacy

Flock Uses Overseas Gig Workers To Build Its Surveillance AI (404media.co) 12

An anonymous reader quotes a report from 404 Media: Flock, the automatic license plate reader and AI-powered camera company, uses overseas workers from Upwork to train its machine learning algorithms, with training material telling workers how to review and categorize footage, including images of people and vehicles in the United States, according to material reviewed by 404 Media that was accidentally exposed by the company. The findings bring up questions about who exactly has access to footage collected by Flock surveillance cameras and where people reviewing the footage may be based. Flock has become a pervasive technology in the US, with its cameras present in thousands of communities that cops use every day to investigate things like carjackings. Local police have also performed numerous lookups for ICE in the system.

Companies that use AI or machine learning regularly turn to overseas workers to train their algorithms, often because the labor is cheaper than hiring domestically. But the nature of Flock's business -- creating a surveillance system that constantly monitors US residents' movements -- means that footage might be more sensitive than other AI training jobs. [...] Broadly, Flock uses AI or machine learning to automatically detect license plates, vehicles, and people, including what clothes they are wearing, from camera footage. A Flock patent also mentions cameras detecting "race." The exposed panel included figures on "annotations completed" and "annotator tasks remaining in queue," with annotations being the notes workers add to reviewed footage to help train AI algorithms. Tasks include categorizing vehicle makes, colors, and types, transcribing license plates, and "audio tasks." Flock recently started advertising a feature that will detect "screaming." The panel showed workers sometimes completed thousands upon thousands of annotations over two-day periods. The exposed panel also included a list of people tasked with annotating Flock's footage. Taking those names, 404 Media found some were located in the Philippines, according to their LinkedIn and other online profiles.

Many of these people were employed through Upwork, according to the exposed material. Upwork is a gig and freelance work platform where companies can hire designers and writers or pay for "AI services," according to Upwork's website. The tipsters also pointed to several publicly available Flock presentations which explained in more detail how workers were to categorize the footage. It is not clear what specific camera footage Flock's AI workers are reviewing. But screenshots included in the worker guides show numerous images from vehicles with US plates, including in New York, Michigan, Florida, New Jersey, and California. Other images include road signs clearly showing the footage is taken from inside the US, and one image contains an advertisement for a specific law firm in Atlanta.

Privacy

Korea's Coupang Says Data Breach Exposed Nearly 34 Million Customers' Personal Information (techcrunch.com) 2

An anonymous reader quotes a report from TechCrunch: South Korean e-commerce platform Coupang over the weekend said nearly 34 million Korean customers' personal information had been leaked in a data breach that had been ongoing for more than five months. The company said it first detected the unauthorized exposure of 4,500 user accounts on November 18, but a subsequent investigation revealed that the breach had actually compromised about 33.7 million customer accounts in South Korea. The breach affected customers' names, email addresses, phone numbers, shipping addresses, and certain order histories, per Coupang. More sensitive data like payment information, credit card numbers, and login credentials was not compromised and remains secure, the company said. [...] Police have reportedly identified at least one suspect, a former Chinese Coupang employee now abroad, after launching an investigation following a November 18 complaint.

Privacy

Google Maps Will Let You Hide Your Identity When Writing Reviews (pcmag.com) 37

An anonymous reader quotes a report from PCMag: Four new features are coming to Google Maps, including a way to hide your identity in reviews. Maps will soon let you use a nickname and select an alternative profile picture for online reviews, so you can rate a business without linking it to your full name and Google profile photo. Google says it will monitor for "suspicious and fake reviews," and every review is still associated with an account on Google's backend, which it believes will discourage bad actors.

Look for a new option under Your Profile that says Use a custom name & picture for posting. You'll then be able to pick an illustration to represent you and add a nickname. Google didn't explain why it is introducing anonymous reviews; it pitched the idea as a way to be a business's "Secret Santa." Some users are nervous about publicly posting reviews for local businesses, as the reviews may be used to track their location or movements. It may encourage more people to contribute honest feedback to its platform, for better or worse.
Further reading: Gemini AI To Transform Google Maps Into a More Conversational Experience

Apple

Poland Probes Apple Again Over App Tracking Transparency Rules (appleinsider.com) 4

Poland has launched a new antitrust investigation into Apple's App Tracking Transparency rules, questioning whether Apple misled users about privacy while giving its own apps a competitive advantage over third-party developers. AppleInsider reports: On November 25, Poland's UOKiK has started another investigation into App Tracking Transparency, and whether Apple had restricted competition in mobile advertising. Reuters reports that, to the anti-monopoly regulator, ATT may have limited advertisers' ability to collect user data for advertising purposes while simultaneously favoring Apple's ad program.

This is not the first time that Poland has looked into ATT rules. In December 2021, the regulator held a similar probe following criticism from advertisers. It's not clear what that complaint determined, or if it is still ongoing. Regardless, in the new complaint, the logic is that Apple had a competitive advantage since its own apps were not subject to ATT rules, but third-party apps did have to deal with ATT. Since Apple didn't visibly ask for consent for its first-party apps in the same way, there is a presumption that Apple's rules only applied to other companies.

This is despite Apple's repeated insistence that it doesn't use the same kinds of collected data in its own apps and services for marketing purposes, as well as its stance on privacy in general. In short, Apple apps don't use the data, so it doesn't pop up a dialog box asking the user if the app can use the data. There is also the argument that, in setting up an account with Apple, users are providing blanket consent to the company. Implementing ATT on its own apps would therefore be a waste of time, since that consent was already granted.
Apple said that it will work with the regulator on the matter, but warned that it could force them to withdraw the feature "to the detriment of European consumers."

Encryption

CISA Warns Spyware Crews Are Breaking Into Signal and WhatsApp Accounts (theregister.com) 14

An anonymous reader shares a report: CISA has warned that state-backed snoops and cyber-mercenaries are actively abusing commercial spyware to break into Signal and WhatsApp accounts, hijack devices, and quietly rummage through the phones of what the agency calls "high-value" users.

In an alert published Monday, the US government's cyber agency said it's tracking multiple miscreants that are using a mix of phishing, bogus QR codes, malicious app impersonation, and, in some cases, full-blown zero-click exploits to compromise messaging apps which most people assume are safe.

The agency says the activity it's seeing suggests an increasing focus on "high-value" individuals -- everyone from current and former senior government, military, and political officials to civil society groups across the US, the Middle East, and Europe. In many of the campaigns, attackers delivered spyware first and asked questions later, using the foothold to deploy more payloads and deepen their access.

Hardware

Arduino's New Terms of Service Worries Hobbyists Ahead of Qualcomm Acquisition (arstechnica.com) 45

An anonymous reader quotes a report from Ars Technica: Some members of the maker community are distraught about Arduino's new terms of service (ToS), saying that the added rules put the company's open source DNA at risk. Arduino updated its ToS and privacy policy this month, which is about a month after Qualcomm announced that it's acquiring the open source hardware and software company. Among the most controversial changes is this addition: "User shall not: translate, decompile or reverse-engineer the Platform, or engage in any other activity designed to identify the algorithms and logic of the Platform's operation, unless expressly allowed by Arduino or by applicable license agreements ..."

In response to concerns from some members of the maker community, including from open source hardware distributor and manufacturer Adafruit, Arduino posted a blog on Friday. Regarding the new reverse-engineering rule, Arduino's blog said: "Any hardware, software or services (e.g. Arduino IDE, hardware schematics, tooling and libraries) released with Open Source licenses remain available as before. Restrictions on reverse-engineering apply specifically to our Software-as-a-Service cloud applications. Anything that was open, stays open."

But Adafruit founder and engineer Limor Fried and Adafruit managing editor Phillip Torrone are not convinced. They told Ars Technica that Arduino's blog leaves many questions unanswered and said that they've sent these questions to Arduino without response. "Why is reverse-engineering prohibited at all for a company built on openly hackable systems?" Fried and Torrone asked in a shared statement.
There are also concerns about the ToS' broad new AI-monitoring powers, which offer little clarity on what data is collected, who can access it, or how long it's retained. On top of that, the update introduces an unusual patent clause that bars users from using the platform to identify potential infringement by Arduino or its partners, along with sweeping, perpetual rights over user-generated content. This could allow Arduino, and potentially Qualcomm, to republish, modify, monetize, or redistribute user uploads indefinitely.

Google

Google Denies 'Misleading' Reports of Gmail Using Your Emails To Train AI (theverge.com) 37

An anonymous reader shares a report: Google is pushing back on viral social media posts and articles, like this one by Malwarebytes, that claim Google has changed its policy to use your Gmail messages and attachments to train AI models, and that the only way to opt out is by disabling "smart features" like spell checking.

But Google spokesperson Jenny Thomson tells The Verge that "these reports are misleading -- we have not changed anyone's settings, Gmail Smart Features have existed for many years, and we do not use your Gmail content for training our Gemini AI model."

Electronic Frontier Foundation

Court Ends Dragnet Electricity Surveillance Program in Sacramento (eff.org) 52

A California judge has shut down a decade-long surveillance program in which Sacramento's utility provider shared granular smart-meter data on 650,000 residents with police to hunt for cannabis grows. The EFF reports: The Sacramento County Superior Court ruled that the surveillance program run by the Sacramento Municipal Utility District (SMUD) and police violated a state privacy statute, which bars the disclosure of residents' electrical usage data with narrow exceptions. For more than a decade, SMUD coordinated with the Sacramento Police Department and other law enforcement agencies to sift through the granular smart meter data of residents without suspicion to find evidence of cannabis growing. EFF and its co-counsel represent three petitioners in the case: the Asian American Liberation Network, Khurshid Khoja, and Alfonso Nguyen. They argued that the program created a host of privacy harms -- including criminalizing innocent people, creating menacing encounters with law enforcement, and disproportionately harming the Asian community.

The court ruled that the challenged surveillance program was not part of any traditional law enforcement investigation. Investigations happen when police try to solve particular crimes and identify particular suspects. The dragnet that turned all 650,000 SMUD customers into suspects was not an investigation. "[T]he process of making regular requests for all customer information in numerous city zip codes, in the hopes of identifying evidence that could possibly be evidence of illegal activity, without any report or other evidence to suggest that such a crime may have occurred, is not an ongoing investigation," the court ruled, finding that SMUD violated its "obligations of confidentiality" under a data privacy statute. [...]

In creating and running the dragnet surveillance program, according to the court, SMUD and police "developed a relationship beyond that of utility provider and law enforcement." Multiple times a year, the police asked SMUD to search its entire database of 650,000 customers to identify people who used a large amount of monthly electricity and to analyze granular 1-hour electrical usage data to identify residents with certain electricity "consumption patterns." SMUD passed on more than 33,000 tips about supposedly "high" usage households to police. [...] Going forward, public utilities throughout California should understand that they cannot disclose customers' electricity data to law enforcement without any "evidence to support a suspicion" that a particular crime occurred.

Privacy

Magician Forgets Password To His Own Hand After RFID Chip Implant (theregister.com) 42

A magician who implanted an RFID chip in his hand lost access to it after forgetting the password, leaving him effectively locked out of the tech embedded in his own body. The Register reports: "It turns out," said magician Zi Teng Wang, "that pressing someone else's phone to my hand repeatedly, trying to figure out where their phone's RFID reader is, really doesn't come off super mysterious and magical and amazing." Then there are the people who don't even have their phone's RFID reader enabled. Using his own phone would, in Zi's words, lack a certain "oomph."

Oh well, how about making the chip spit out a Bitcoin address? "That literally never came up either." In the end, Zi rewrote the chip to link to a meme, "and if you ever meet me in person you can scan my chip and see the meme." It was all suitably amusing until the Imgur link Zi was using went down. Not everything on the World Wide Web is forever, and there is no guarantee that a given link will work indefinitely. Indeed, access to Imgur from the United Kingdom was abruptly cut off on September 30 in response to the country's age verification rules.

Still, the link not working isn't the end of the world. Zi could just reprogram the chip again, right? Wrong. "When I went to rewrite the chip, I was horrified to realize I forgot the password that I had locked it with." The link eventually started working again, but if and when it stops, Zi's party piece will be a little less entertaining. He said: "Techie friends I've consulted with have determined that it's too dumb and simple to hack, the only way to crack it is to strap on an RFID reader for days to weeks, brute forcing every possible combination." Or perhaps some surgery to remove the offending hardware.

Encryption

Cryptographers Cancel Election Results After Losing Decryption Key (arstechnica.com) 52

The International Association of Cryptologic Research (IACR) was forced to cancel its leadership election after a trustee lost their portion of the Helios voting system's decryption key, making it impossible to reveal or verify the final results. Ars Technica reports: The IACR said Friday that the votes were submitted and tallied using Helios, an open source voting system that uses peer-reviewed cryptography to cast and count votes in a verifiable, confidential, and privacy-preserving way. Helios encrypts each vote in a way that assures each ballot is secret. Other cryptography used by Helios allows each voter to confirm their ballot was counted fairly. "Unfortunately, one of the three trustees has irretrievably lost their private key, an honest but unfortunate human mistake, and therefore cannot compute their decryption share," the IACR said. "As a result, Helios is unable to complete the decryption process, and it is technically impossible for us to obtain or verify the final outcome of this election."

The IACR will switch to a two-of-three private key system to prevent this sort of thing from happening again. Moti Yung, the trustee responsible for the incident, has resigned and is being replaced by Michael Abdalla.
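The failure described above, and the fix the IACR chose, come down to the threshold of the key-sharing scheme: with three trustees who must all contribute, one lost share ends the election, whereas a 2-of-3 threshold tolerates exactly that loss. The following is an added example, not IACR or Helios code: Helios itself uses threshold ElGamal with distributed key generation, while this stand-in uses Shamir secret sharing over a prime field purely to show the threshold property. The prime, the secret and the trustee numbering are constructed values.

```python
# Added example (not IACR's or Helios's code): Shamir secret sharing over a
# prime field, showing why a 3-of-3 split fails when one trustee loses a share
# while a 2-of-3 threshold survives the same loss. Helios uses threshold
# ElGamal with distributed key generation; this illustrates only the threshold
# property. PRIME and the secrets used below are constructed test values.
import secrets

PRIME = 2**127 - 1  # Mersenne prime; large enough for a demo secret (assumption)


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + coeffs[2]*x^2 + ... mod PRIME (Horner)."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret, threshold, n_shares):
    """Split `secret` into n_shares points on a random degree-(threshold-1) polynomial.

    Any `threshold` shares determine the polynomial (and so f(0) = secret);
    fewer than `threshold` shares reveal nothing about it.
    """
    if not 1 <= threshold <= n_shares:
        raise ValueError("threshold must satisfy 1 <= threshold <= n_shares")
    coeffs = [secret % PRIME] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]


def recover_secret(shares, threshold):
    """Lagrange-interpolate f(0) from at least `threshold` distinct shares."""
    if len(shares) < threshold:
        raise ValueError("need %d shares, have %d" % (threshold, len(shares)))
    shares = shares[:threshold]
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        # Lagrange basis polynomial evaluated at x = 0; modular inverse via Fermat
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret


def election_outcome(secret, threshold, lost_trustee):
    """Simulate the IACR scenario: three trustees, one loses their share.

    Returns the recovered secret, or None when decryption is impossible.
    """
    shares = split_secret(secret, threshold, 3)
    surviving = [s for s in shares if s[0] != lost_trustee]
    try:
        return recover_secret(surviving, threshold)
    except ValueError:
        return None


if __name__ == "__main__":
    print("3-of-3, trustee 2 lost key:", election_outcome(123456789, 3, 2))  # None
    print("2-of-3, trustee 2 lost key:", election_outcome(123456789, 2, 2))  # 123456789
```

The same polynomial trick is what lets a 2-of-3 setup tolerate a lost share without giving any single trustee the whole key: one share alone is one point on a random line, which is consistent with every possible secret.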

Crime

Fired Techie Admits Sabotaging Ex-Employer, Causing $862K In Damage (theregister.com) 57

An Ohio IT contractor pleaded guilty to breaking into his former employer's network after being fired, impersonating another worker and using a PowerShell script to reset 2,500 passwords -- an act that locked out thousands of employees and caused more than $862,000 in damage. He faces up to 10 years in prison. The Register reports: Maxwell Schultz, 35, impersonated another contractor to gain access to the company's network after his credentials were revoked. Announcing the news, US attorney Nicholas J. Ganjei did not specify the company in question, which is typical in these malicious insider cases, although local media reported it to be Houston-based Waste Management.

The attack took place on May 14, 2021, and saw Schultz use the credentials to reset approximately 2,500 passwords at the affected organization. This meant thousands of employees and contractors across the US were unable to access the company network. Schultz admitted to running a PowerShell script to reset the passwords, searching for ways to delete system logs to cover his tracks -- in some cases succeeding -- and clearing PowerShell window events, according to the Department of Justice.

Prosecutors said the attack caused more than $862,000 worth of damage related to employee downtime, a disrupted customer service function, and costs related to the remediation of the intrusion. Schultz is set to be sentenced on Jan 30, 2026, and faces up to ten years in prison and a potential maximum fine of $250,000.
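The two behaviors in this case, a burst of password resets by one actor and an attempt to clear the logs afterwards, are exactly what a Windows-focused detection should key on. The following is an added example, not from the DOJ filing or The Register: it runs a sliding-window detector over constructed Windows Security event records. Event ID 4724 (an attempt was made to reset an account's password) and 1102 (the audit log was cleared) are real Windows Security event IDs; the records, account names, threshold and window below are made up for the demonstration.

```python
# Added example (not from the DOJ filing or The Register): a minimal detector
# for bulk password resets by one actor and for audit-log clearing, run over
# constructed Windows Security event records. Event IDs 4724 (password reset
# attempt) and 1102 (audit log cleared) are real; the records, account names,
# RESET_THRESHOLD and WINDOW are assumptions made for the demo.
from collections import defaultdict
from datetime import datetime, timedelta

RESET_THRESHOLD = 25            # distinct target accounts per actor (assumption)
WINDOW = timedelta(minutes=10)  # sliding window for the reset burst (assumption)


def parse_events(lines):
    """Parse constructed 'timestamp|event_id|subject|target' lines into dicts."""
    events = []
    for line in lines:
        ts, event_id, subject, target = line.strip().split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "subject": subject,   # account that performed the action
            "target": target,     # account acted upon ('-' when not applicable)
        })
    return sorted(events, key=lambda e: e["time"])


def detect(events):
    """Return (kind, subject, time) alerts for reset bursts and log clearing."""
    alerts = []
    resets = defaultdict(list)  # subject -> [(time, target)] within the window
    flagged = set()
    for e in events:
        if e["event_id"] == 1102:
            alerts.append(("audit_log_cleared", e["subject"], e["time"]))
        elif e["event_id"] == 4724:
            history = resets[e["subject"]]
            history.append((e["time"], e["target"]))
            # drop entries that fell out of the sliding window
            while history and e["time"] - history[0][0] > WINDOW:
                history.pop(0)
            distinct_targets = {t for _, t in history}
            if len(distinct_targets) >= RESET_THRESHOLD and e["subject"] not in flagged:
                flagged.add(e["subject"])
                alerts.append(("mass_password_reset", e["subject"], e["time"]))
    return alerts


def sample_lines():
    """Constructed log: a helpdesk account resets six passwords over a working day,
    while 'svc-contractor' resets 30 accounts in two minutes and then clears the log."""
    lines = ["2021-05-14T%02d:00:00|4724|helpdesk1|user%d" % (8 + i, i) for i in range(6)]
    base = datetime.fromisoformat("2021-05-14T22:00:00")
    for i in range(30):
        t = base + timedelta(seconds=4 * i)
        lines.append("%s|4724|svc-contractor|emp%04d" % (t.isoformat(), i))
    lines.append("2021-05-14T22:05:00|1102|svc-contractor|-")
    return lines


if __name__ == "__main__":
    for alert in detect(parse_events(sample_lines())):
        print(alert)
```

The helpdesk account never trips the threshold because its resets are spread across hours; the contractor account trips it on the 25th distinct target within the window, and the 1102 event is alerted on unconditionally, since clearing the Security log is rarely legitimate. In a real deployment the reset threshold would be tuned per environment and the PowerShell-side evidence (script block logging) correlated as a second source.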

Mozilla

Mozilla Says It's Finally Done With Two-Faced Onerep (krebsonsecurity.com) 7

Mozilla is officially ending its partnership with Onerep after more than a year of controversy over the company's founder secretly running people-search and data-broker sites. Monitor Plus will be discontinued by December 2025, existing subscribers will receive prorated refunds, and Mozilla says it will focus on privacy tools it fully controls. KrebsOnSecurity reports: In a statement published Tuesday, Mozilla said it will soon discontinue Monitor Plus, which offered data broker site scans and automated personal data removal from Onerep. "We will continue to offer our free Monitor data breach service, which is integrated into Firefox's credential manager, and we are focused on integrating more of our privacy and security experiences in Firefox, including our VPN, for free," the advisory reads.

Mozilla said current Monitor Plus subscribers will retain full access through the wind-down period, which ends on Dec. 17, 2025. After that, those subscribers will automatically receive a prorated refund for the unused portion of their subscription. "We explored several options to keep Monitor Plus going, but our high standards for vendors, and the realities of the data broker ecosystem made it challenging to consistently deliver the level of value and reliability we expect for our users," Mozilla's statement reads.

The Internet

Europe's Cookie Nightmare is Crumbling (theverge.com) 126

The EU's cookie consent policies have been an annoying and unavoidable part of browsing the web in Europe since their introduction in 2018. But the cookie nightmare is about to crumble thanks to some big proposed changes announced by the European Commission today. From a report: Instead of having to click accept or reject on a cookie pop-up for every website you visit in Europe, the EU is preparing to enforce rules that will allow users to set their preferences for cookies at the browser level. "People can set their privacy preferences centrally -- for example via the browser -- and websites must respect them," says the EU. "This will drastically simplify users' online experience."

This key change is part of a new Digital Package of proposals to simplify the EU's digital rules, and will initially see cookie prompts change to be a simplified yes or no single-click prompt ahead of the "technological solutions" eventually coming to browsers. Websites will be required to respect cookie choices for at least six months, and the EU also wants website owners to not use cookie banners for "harmless uses" like counting website visits, to lessen the amount of pop-ups.

China

Chinese Spies Are Trying To Reach UK Lawmakers Via LinkedIn, MI5 Warns (pbs.org) 16

MI5 has warned U.K. lawmakers that Chinese intelligence operatives are using LinkedIn and recruitment fronts to target them for information gathering and long-term cultivation. PBS reports: Writing to lawmakers, House of Commons Speaker Lindsay Hoyle said a new MI5 "espionage alert" warned that Chinese nationals were "using LinkedIn profiles to conduct outreach at scale" on behalf of the Chinese Ministry of State Security. "Their aim is to collect information and lay the groundwork for long-term relationships, using professional networking sites, recruitment agents and consultants acting on their behalf," he said. MI5 issued the alert because the activity was "targeted and widespread," he added.

The MI5 alert cited LinkedIn profiles of two women, Amanda Qiu and Shirly Shen, and said other similar recruiters' profiles were acting as fronts for espionage. Home Office Minister Dan Jarvis said that apart from parliamentary staff, others including economists, think tank consultants and government officials have been similarly targeted. Jarvis said the government is rolling out a series of measures to tackle the risk, including investing 170 million pounds ($224 million) to renew encrypted technology used by civil servants to safeguard sensitive work. Opposition parties say authorities are not doing enough and are too wary of jeopardizing trade ties with China.

The Internet

Mexico Partially Lifts Longstanding Website Ban On Tor Network (cyberinsider.com) 3

Mexico has finally lifted its long-running Tor ban for the main government portal, allowing privacy-focused users, journalists, and activists to access gob.mx again after more than a decade of blocking. That said, the open data portal and the former Tor-compatible whistleblower system remain inaccessible. CyberInsider reports: The development follows a long period of digital censorship that spanned two full six-year presidential terms, those of Enrique Pena Nieto and Andres Manuel Lopez Obrador, and continued into the early months of Claudia Sheinbaum Pardo's current administration. Research conducted by Jacobo Najera and Miguel Trujillo, published in October 2023, documented that 21 federal government agencies were blocking traffic from the Tor network, effectively excluding privacy-conscious users from vital public resources and services.

Security

Gen Z Officially Worse At Passwords Than 80-Year-Olds (theregister.com) 97

A NordPass analysis found that Gen Z is actually worse at password security than older generations, with "12345" topping their list while "123456" dominates among everyone else. The Register reports: And while there were a few more "skibidis" among the Zoomer dataset compared to those who came before them, the trends were largely similar. Variants on the "123456" were among the most common for all age groups, with that exact string proving to be the most common among all users -- the sixth time in seven years it holds the undesirable crown.

Some of the more adventurous would stretch to "1234567," while budding cryptologists shored up their accounts by adding an 8 or even a 9 to the mix. However, according to Security.org's password security checker, a computer could crack any of these instantly. Most attackers would not even need to expend the resources required to reveal the password, given how commonly used they are. They could just spray a list of known passwords at an authentication API and secure a quick win.

Electronic Frontier Foundation

ACLU and EFF Sue a City Blanketed With Flock Surveillance Cameras (404media.co) 57

An anonymous reader shares a report: Lawyers from the American Civil Liberties Union (ACLU) and Electronic Frontier Foundation (EFF) sued the city of San Jose, California over its deployment of Flock's license plate-reading surveillance cameras, claiming that the city's nearly 500 cameras create a pervasive database of residents' movements in a surveillance network that is essentially impossible to avoid.

The lawsuit was filed on behalf of the Services, Immigrant Rights & Education Network and Council on American-Islamic Relations, California, and claims that the surveillance is a violation of California's constitution and its privacy laws. The lawsuit seeks to require police to get a warrant in order to search Flock's license plate system. The lawsuit is one of the highest profile cases challenging Flock; a similar lawsuit in Norfolk, Virginia seeks to get Flock's network shut down in that city altogether.

"San Jose's ALPR [automatic license plate reader] program stands apart in its invasiveness," ACLU of Northern California and EFF lawyers wrote in the lawsuit. "While many California agencies run ALPR systems, few retain the locations of drivers for an entire year like San Jose. Further, it is difficult for most residents of San Jose to get to work, pick up their kids, or obtain medical care without driving, and the City has blanketed its roads with nearly 500 ALPRs."

Privacy

IRS Accessed Massive Database of Americans Flights Without a Warrant (404media.co) 67

An anonymous reader shares a report: The IRS accessed a database of hundreds of millions of travel records, which show when and where a specific person flew and the credit card they used, without obtaining a warrant, according to a letter signed by a bipartisan group of lawmakers and shared with 404 Media. The country's major airlines, including Delta, United Airlines, American Airlines, and Southwest, funnel customer records to a data broker they co-own called the Airlines Reporting Corporation (ARC), which then sells access to peoples' travel data to government agencies.

The IRS case in the letter is the clearest example yet of how agencies are searching the massive trove of travel data without a search warrant, court order, or similar legal mechanism. Instead, because the data is being sold commercially, agencies are able to simply buy access. In the letter addressed to nine major airlines, the lawmakers urge them to shut down the data selling program. Update: after this piece was published, ARC said it already planned to shut down the program.

"Disclosures made by the IRS to Senator Wyden confirm that it did not follow federal law and its own policies in purchasing airline data from ARC," the letter reads. The letter says the IRS "confirmed that it did not conduct a legal review to determine if the purchase of Americans' travel data requires a warrant."

Privacy

A Simple WhatsApp Security Flaw Exposed 3.5 Billion Phone Numbers (wired.com) 34

Researchers at the University of Vienna extracted phone numbers for 3.5 billion WhatsApp users by systematically checking every possible number through the messaging service's contact discovery feature. The technique yielded profile photos for 57 percent of those accounts and profile text for 29 percent. The researchers checked roughly 100 million numbers per hour using WhatsApp's browser-based app.

The team warned Meta in April and deleted their data. The company implemented stricter rate-limiting by October to prevent such mass enumeration. Meta called the exposed information "basic publicly available information" and said it found no evidence of malicious exploitation. The vulnerability had been identified before. In 2017, Dutch researcher Loran Kloeze published a blog post detailing the same enumeration technique. Meta responded then that WhatsApp's privacy settings were functioning as designed and denied him a bug bounty reward. The researchers collected 137 million U.S. phone numbers. In India, they found nearly 750 million numbers. They also discovered 2.3 million Chinese numbers and 1.6 million Myanmar numbers, despite WhatsApp being banned in both countries. The researchers analyzed the cryptographic keys and found some accounts used duplicate keys. They speculate this resulted from unauthorized WhatsApp clients rather than a platform flaw.
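Contact discovery has to answer "which of these numbers are registered?" for legitimate address-book syncs, so the endpoint cannot simply be removed; what stops enumeration is metering that query per caller so that the roughly 100 million lookups per hour reported above are impossible from any one account. The following is an added example, not Meta's or the Vienna team's code, of a per-account token bucket in front of such an endpoint. The bucket capacity and refill rate are assumptions, the registered numbers are a constructed set, and the clock is faked so the scenario runs deterministically offline.

```python
# Added example (not Meta's or the Vienna team's code): a per-account token
# bucket on a contact-discovery endpoint, so one client can sync a normal
# address book but cannot sweep the number space. Capacity, refill rate, the
# registered-number set and the fake clock are assumptions for the demo.
import time


class TokenBucket:
    """Allow `capacity` lookups in a burst, refilling at `refill_per_sec` tokens/second."""

    def __init__(self, capacity, refill_per_sec, now=time.monotonic):
        self.capacity = capacity
        self.refill = refill_per_sec
        self.tokens = float(capacity)
        self.now = now
        self.last = now()

    def allow(self, cost=1):
        t = self.now()
        self.tokens = min(self.capacity, self.tokens + (t - self.last) * self.refill)
        self.last = t
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class ContactDiscovery:
    """Returns which of the submitted numbers are registered, metered per caller account.

    Each number submitted costs one token, so a batch of 1,000 numbers spends
    1,000 tokens; that is what makes sweeping the space expensive.
    """

    def __init__(self, registered, capacity=5000, refill_per_sec=1.0, now=time.monotonic):
        self.registered = set(registered)
        self.buckets = {}
        self.capacity, self.refill, self.now = capacity, refill_per_sec, now

    def lookup(self, caller, numbers):
        bucket = self.buckets.setdefault(
            caller, TokenBucket(self.capacity, self.refill, self.now))
        if not bucket.allow(cost=len(numbers)):
            raise PermissionError("rate limit exceeded for %s" % caller)
        return [n for n in numbers if n in self.registered]


def simulate():
    """Constructed scenario on a frozen clock: a 2,000-contact sync succeeds, while
    an enumerator probing consecutive numbers is cut off after the burst budget.
    Returns (registered contacts found by the normal client, batches the scraper got)."""
    clock = [0.0]
    fake_now = lambda: clock[0]
    # every 1,000th number in a constructed +1555xxxxxxx range is "registered"
    registered = {"+1555%07d" % n for n in range(0, 10_000_000, 1000)}
    svc = ContactDiscovery(registered, capacity=5000, refill_per_sec=1.0, now=fake_now)

    # Legitimate client: one address-book sync of 2,000 contacts, all registered
    hits_normal = len(svc.lookup("alice", ["+1555%07d" % n for n in range(0, 2_000_000, 1000)]))

    # Enumerator: consecutive 1,000-number batches until the bucket runs dry
    batches_allowed = 0
    try:
        for start in range(0, 10_000_000, 1000):
            svc.lookup("scraper", ["+1555%07d" % n for n in range(start, start + 1000)])
            batches_allowed += 1
    except PermissionError:
        pass
    return hits_normal, batches_allowed


if __name__ == "__main__":
    print(simulate())  # (2000, 5) with the assumed limits
```

With a 5,000-token burst and one token per second of refill, a client that keeps submitting fresh numbers is held to about 3,600 lookups per hour after its initial burst, which turns the whole-number-space sweep from hours into decades for a single account; the remaining defenses are then about spotting many accounts operated in concert, which is a separate problem this bucket does not solve.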
