An anonymous reader quotes a report from Ars Technica: The US Constitution's Fifth Amendment protection against self-incrimination does not prohibit police officers from forcing a suspect to unlock a phone with a thumbprint scan, a federal appeals court ruled yesterday. The ruling does not apply to all cases in which biometrics are used to unlock an electronic device but is a significant decision in an unsettled area of the law. The US Court of Appeals for the 9th Circuit had to grapple with the question of "whether the compelled use of Payne's thumb to unlock his phone was testimonial," the ruling (PDF) in United States v. Jeremy Travis Payne said. "To date, neither the Supreme Court nor any of our sister circuits have addressed whether the compelled use of a biometric to unlock an electronic device is testimonial."

A three-judge panel at the 9th Circuit ruled unanimously against Payne, affirming a US District Court's denial of Payne's motion to suppress evidence. Payne was a California parolee who was arrested by California Highway Patrol (CHP) after a 2021 traffic stop and charged with possession with intent to distribute fentanyl, fluorofentanyl, and cocaine. There was a dispute in District Court over whether a CHP officer "forcibly used Payne's thumb to unlock the phone." But for the purposes of Payne's appeal, the government "accepted the defendant's version of the facts, i.e., 'that defendant's thumbprint was compelled.'" Payne's Fifth Amendment claim "rests entirely on whether the use of his thumb implicitly related certain facts to officers such that he can avail himself of the privilege against self-incrimination," the ruling said. Judges rejected his claim, holding "that the compelled use of Payne's thumb to unlock his phone (which he had already identified for the officers) required no cognitive exertion, placing it firmly in the same category as a blood draw or fingerprint taken at booking." "When Officer Coddington used Payne's thumb to unlock his phone -- which he could have accomplished even if Payne had been unconscious -- he did not intrude on the contents of Payne's mind," the court also said.

An anonymous reader quotes a report from the New York Times: Consumers have grown accustomed to the prospect that their personal data, such as email addresses, social contacts, browsing history and genetic ancestry, are being collected and often resold by the apps and the digital services they use. With the advent of consumer neurotechnologies, the data being collected is becoming ever more intimate. One headband serves as a personal meditation coach by monitoring the user's brain activity. Another purports to help treat anxiety and symptoms of depression. Another reads and interprets brain signals while the user scrolls through dating apps, presumably to provide better matches. ("'Listen to your heart' is not enough," the manufacturer says on its website.) The companies behind such technologies have access to the records of the users' brain activity -- the electrical signals underlying our thoughts, feelings and intentions.

On Wednesday, Governor Jared Polis of Colorado signed a bill that, for the first time in the United States, tries to ensure that such data remains truly private. The new law, which passed by a 61-to-1 vote in the Colorado House and a 34-to-0 vote in the Senate, expands the definition of "sensitive data" in the state's current personal privacy law to include biological and "neural data" generated by the brain, the spinal cord and the network of nerves that relays messages throughout the body. "Everything that we are is within our mind," said Jared Genser, general counsel and co-founder of the Neurorights Foundation, a science group that advocated the bill's passage. "What we think and feel, and the ability to decode that from the human brain, couldn't be any more intrusive or personal to us." "We are really excited to have an actual bill signed into law that will protect people's biological and neurological data," said Representative Cathy Kipp, Democrat of Colorado, who introduced the bill.

An anonymous reader shares a report: A financially motivated criminal hacking group says it has stolen a confidential database containing millions of records that companies use for screening potential customers for links to sanctions and financial crime. The hackers, which call themselves GhostR, said they stole 5.3 million records from the World-Check screening database in March and are threatening to publish the data online.

World-Check is a screening database used for "know your customer" checks (or KYC), allowing companies to determine if prospective customers are high risk or potential criminals, such as people with links to money laundering or who are under government sanctions.The hackers told TechCrunch that they stole the data from a Singapore-based firm with access to the World-Check database, but did not name the firm. A portion of the stolen data, which the hackers shared with TechCrunch, includes individuals who were sanctioned as recently as this year.

An anonymous reader quotes a report from The Hill: The House on Wednesday approved a bill that would limit how the government can purchase data from third parties — legislation that scored a vote after negotiations with a group of GOP colleagues who briefly tanked a vote on warrantless spy powers. Dubbed the Fourth Amendment is Not For Sale, the legislation passed 219-199. It requires law enforcement and other government entities to get a warrant before buying information from third-party data brokers who purchase information gleaned from apps. [...] Senior administration officials said the measure would blind U.S. intelligence outfits from getting information easily purchased by foreign intelligence operations.

"In practice, these standards make it impossible for the [intelligence community], law enforcement to acquire a whole host of readily available information that they currently rely on," an administration official said. "Covered customer records as defined in the bill is very broad and includes records pertaining to any U.S. person or indeed any foreigner inside the United States. And as a practical matter, there's often no way to establish whether a particular individual was in the U.S. at a particular time a piece of data was created. Unless you did one thing, which is paradoxically to intrude further into their privacy just to figure out whether you could obtain some data." "It can be impossible to know what's in a data set before one actually obtains a data set," the official continued. "So you'd be barred from getting that which you don't even know."

404 Media: An online service is scraping Discord servers en masse, archiving and tracking users' messages and activity across servers including what voice channels they join, and then selling access to that data for as little as $5. Called Spy Pet, the service's creator says it scrapes more than ten thousand Discord servers, and besides selling access to anyone with cryptocurrency, is also offering the data for training AI models or to assist law enforcement agencies, according to its website.

The news is not only a brazen abuse of Discord's platform, but also highlights that Discord messages may be more susceptible to monitoring than ordinary users assume. Typically, a Discord user's activity is spread across disparate servers, with no one entity, except Discord itself, able to see what messages someone has sent across the platform more broadly. With Spy Pet, third-parties including stalkers or potentially police can look up specific users and see what messages they've posted on various servers at once. "Have you ever wondered where your friend hangs out on Discord? Tired of basic search tools like Discord.id? Look no further!" Spy Pet's website reads. It claims to be tracking more than 14,000 servers, 600 million users, and includes a database of more than 3 billion messages.

According to Bloomberg's Mark Gurman, Apple's initial set of AI-related features in iOS 18 "will work entirely on device," and won't connect to cloud services. AppleInsider reports: In practice, these AI features would be able to function without an internet connection or any form of cloud-based processing. AppleInsider has received information from individuals familiar with the matter that suggest the report's claims are accurate. Apple is working on an in-house large language model, or LLM, known internally as "Ajax." While more advanced features will ultimately require an internet connection, basic text analysis and response generation features should be available offline. [...] Apple will reveal its AI plans during WWDC, which starts on June 10.

The United States Senate is poised to vote on legislation this week that, for the next two years at least, could dramatically expand the number of businesses that the US government can force to eavesdrop on Americans without a warrant. From a report: Some of the nation's top legal experts on a controversial US spy program argue that the legislation, known as the Reforming Intelligence and Securing America Act (RISAA), would enhance the US government's spy powers, forcing a variety of new businesses to secretly eavesdrop on Americans' overseas calls, texts, and email messages. Those experts include a handful of attorneys who've had the rare opportunity to appear before the US government's secret surveillance court.

The Section 702 program, authorized under the Foreign Intelligence Surveillance Act, or FISA, was established more than a decade ago to legalize the government's practice of forcing major telecommunications companies to eavesdrop on overseas calls in the wake of the September 11, 2001, terrorist attacks. On the one hand, the government claims that the program is designed to exclusively target foreign citizens who are physically located abroad; on the other, the government has fiercely defended its ability to access wiretaps of Americans' emails and phone conversations, often years after the fact and in cases unrelated to the reasons the wiretaps were ordered in the first place.

The 702 program works by compelling the cooperation of US businesses defined by the government as "electronic communications service providers" -- traditionally phone and email providers such as AT&T and Google. Members of the House Intelligence Committee, whose leaders today largely serve as lobbyists for the US intelligence community in Congress, have been working to expand the definition of that term, enabling the government to force new categories of businesses to eavesdrop on the government's behalf.

Roku has made two-factor authentication (2FA) mandatory for all users following two credential stuffing attacks that compromised approximately 591,000 customer accounts and led to unauthorized purchases in fewer than 400 cases. The Register reports: Credential stuffing and password spraying are both fairly similar types of brute force attacks, but the former uses known pairs of credentials (usernames and passwords). The latter simply spams common passwords at known usernames in the hope one of them leads to an authenticated session. "There is no indication that Roku was the source of the account credentials used in these attacks or that Roku's systems were compromised in either incident," it said in an update to customers. "Rather, it is likely that login credentials used in these attacks were taken from another source, like another online account, where the affected users may have used the same credentials."

All accounts now require 2FA to be implemented, whether they were affected by the wave of compromises or not. Roku has more than 80 million active accounts, so only a minority were affected, and these have all been issued mandatory password resets. Compromised or not, all users are encouraged to create a strong, unique password for their accounts, consisting of at least eight characters, including a mix of numbers, symbols, and letter cases. [...] Roku also asked users to remain vigilant to suspicious activity regarding its service, such as phishing emails or clicking on dodgy links to rest passwords -- the usual stuff. "In closing, we sincerely regret that these incidents occurred and any disruption they may have caused," it said. "Your account security is a top priority, and we are committed to protecting your Roku account."

An anonymous reader quotes a report from Wired: A controversial US wiretap program days from expiration cleared a major hurdle on its way to being reauthorized. After months of delays, false starts, and interventions by lawmakers working to preserve and expand the US intelligence community's spy powers, the House of Representatives voted on Friday to extend Section 702 (PDF) of the Foreign Intelligence Surveillance Act (FISA) for two years. Legislation extending the program -- controversial for being abused by the government -- passed in the House in a 273-147 vote. The Senate has yet to pass its own bill.

Section 702 permits the US government to wiretap communications between Americans and foreigners overseas. Hundreds of millions of calls, texts, and emails are intercepted by government spies each with the "compelled assistance" of US communications providers. The government may strictly target foreigners believed to possess "foreign intelligence information," but it also eavesdrops on the conversations of an untold number of Americans each year. (The government claims it is impossible to determine how many Americans get swept up by the program.) The government argues that Americans are not themselves being targeted and thus the wiretaps are legal. Nevertheless, their calls, texts, and emails may be stored by the government for years, and can later be accessed by law enforcement without a judge's permission. The House bill also dramatically expands the statutory definition for communication service providers, something FISA experts, including Marc Zwillinger -- one of the few people to advise the Foreign Intelligence Surveillance Court (FISC) -- have publicly warned against.

The FBI's track record of abusing the program kicked off a rare detente last fall between progressive Democrats and pro-Trump Republicans -- both bothered equally by the FBI's targeting of activists, journalists, anda sitting member of Congress. But in a major victory for the Biden administration, House members voted down an amendment earlier in the day that would've imposed new warrant requirements on federal agencies accessing Americans' 702 data. The warrant amendment was passed earlier this year by the House Judiciary Committee, whose long-held jurisdiction over FISA has been challenged by friends of the intelligence community. Analysis by the Brennan Center this week found that 80 percent of the base text of the FISA reauthorization bill had been authored by intelligence committee members.

An anonymous reader quotes a report from The Guardian: Hospitals -- despite being places where people implicitly expect to have their personal details kept private -- frequently use tracking technologies on their websites to share user information with Google, Meta, data brokers, and other third parties, according to research published today. Academics at the University of Pennsylvania analyzed a nationally representative sample of 100 non-federal acute care hospitals -- essentially traditional hospitals with emergency departments -- and their findings were that 96 percent of their websites transmitted user data to third parties. Additionally, not all of these websites even had a privacy policy. And of the 71 percent that did, 56 percent disclosed specific third-party companies that could receive user information.

The researchers' latest work builds on a study they published a year ago of 3,747 US non-federal hospital websites. That found 98.6 percent tracked and transferred visitors' data to large tech and social media companies, advertising firms, and data brokers. To find the trackers on websites, the team checked out each hospitals' homepage on January 26 using webXray, an open source tool that detects third-party HTTP requests and matches them to the organizations receiving the data. They also recorded the number of third-party cookies per page. One name in particular stood out, in terms of who was receiving website visitors' information. "In every study we've done, in any part of the health system, Google, whose parent company is Alphabet, is on nearly every page, including hospitals," [Dr Ari Friedman, an assistant professor of emergency medicine at the University of Pennsylvania] observed. "From there, it declines," he continued. "Meta was on a little over half of hospital webpages, and the Meta Pixel is notable because it seems to be one of the grabbier entities out there in terms of tracking."

Both Meta and Google's tracking technologies have been the subject of criminal complaints and lawsuits over the years -- as have some healthcare companies that shared data with these and other advertisers. In addition, between 20 and 30 percent of the hospitals share data with Adobe, Friedman noted. "Everybody knows Adobe for PDFs. My understanding is they also have a tracking division within their ad division." Others include telecom and digital marketing companies like The Trade Desk and Verizon, plus tech giants Oracle, Microsoft, and Amazon, according to Friedman. Then there's also analytics firms including Hotjar and data brokers such as Acxiom. "And two thirds of hospital websites had some kind of data transfer to a third-party domain that we couldn't even identify," he added. Of the 71 hospital website privacy policies that the team found, 69 addressed the types of user information that was collected. The most common were IP addresses (80 percent), web browser name and version (75 percent), pages visited on the website (73 percent), and the website from which the user arrived (73 percent). Only 56 percent of these policies identified the third-party companies receiving user information. In lieu of any federal data privacy law in the U.S., Friedman recommends users protect their personal information via the browser-based tools Ghostery and Privacy Badger, which identify and block transfers to third-party domains.

OpenTable's restaurant pages still feature a lot of reviews left by anonymous diners at the moment, but that will not be the case starting next month. From a report: The online restaurant reservation service is changing its policy around reviews so that they're not as anonymous -- and it's even applying the new rule retroactively. As BleepingComputer reports, it told users in an email that starting on May 22, it "will begin displaying diner first names and profile photos on all diner reviews." Further, "this update will also apply to past reviews."

"We've heard from you, our diners, that trust and transparency are important when looking at reviews," the company also said in its letter, insinuating that it's changing the way reviews work based on user feedback. As BleepingComputer says, it'll be easy to match a bad review with customer reservation records based on the user's first name and when the post was made. While that's not nearly as bad as Glassdoor publishing people's names alongside their employer reviews without consent, it could still be very uncomfortable for people who wanted to talk about bad experiences without the fear of not being welcomed back into a particular establishment.

An anonymous reader shares a report: If you're -- apparently, one of the few people -- using the VPN service that comes with Google One, we've got bad news for you. In an email you're going to receive from Google if you haven't gotten it yet, it revealed that it's phasing out the perk sometime later this year. The company rolled out Google One's VPN feature back in 2020, but you could only access it then if you're paying for a plan with at least 2TB of storage, which costs at least $10 a month. Last year, the company expanded its availability across all One plans, including the basic $2-per-month option, making it more affordable than before.

Scientists from Oxford University Physics have developed a breakthrough in cloud-based quantum computing that could allow it to be harnessed by millions of individuals and companies. The findings have been published in the journal Physical Review Letters. Phys.Org reports: In the new study, the researchers use an approach dubbed "blind quantum computing," which connects two totally separate quantum computing entities -- potentially an individual at home or in an office accessing a cloud server -- in a completely secure way. Importantly, their new methods could be scaled up to large quantum computations. "Using blind quantum computing, clients can access remote quantum computers to process confidential data with secret algorithms and even verify the results are correct, without revealing any useful information. Realizing this concept is a big step forward in both quantum computing and keeping our information safe online," said study lead Dr. Peter Drmota, of Oxford University Physics.

The researchers created a system comprising a fiber network link between a quantum computing server and a simple device detecting photons, or particles of light, at an independent computer remotely accessing its cloud services. This allows so-called blind quantum computing over a network. Every computation incurs a correction that must be applied to all that follow and needs real-time information to comply with the algorithm. The researchers used a unique combination of quantum memory and photons to achieve this. The results could ultimately lead to commercial development of devices to plug into laptops, to safeguard data when people are using quantum cloud computing services. "We have shown for the first time that quantum computing in the cloud can be accessed in a scalable, practical way which will also give people complete security and privacy of data, plus the ability to verify its authenticity," said Professor David Lucas, who co-heads the Oxford University Physics research team and is lead scientist at the UK Quantum Computing and Simulation Hub, led from Oxford University Physics.

An anonymous reader quotes a report from Ars Technica: Hardware sold for years by the likes of Intel and Lenovo contains a remotely exploitable vulnerability that will never be fixed. The cause: a supply chain snafu involving an open source software package and hardware from multiple manufacturers that directly or indirectly incorporated it into their products. Researchers from security firm Binarly have confirmed that the lapse has resulted in Intel, Lenovo, and Supermicro shipping server hardware that contains a vulnerability that can be exploited to reveal security-critical information. The researchers, however, went on to warn that any hardware that incorporates certain generations of baseboard management controllers made by Duluth, Georgia-based AMI or Taiwan-based AETN are also affected.

BMCs are tiny computers soldered into the motherboard of servers that allow cloud centers, and sometimes their customers, to streamline the remote management of vast fleets of servers. They enable administrators to remotely reinstall OSes, install and uninstall apps, and control just about every other aspect of the system -- even when it's turned off. BMCs provide what's known in the industry as "lights-out" system management. AMI and AETN are two of several makers of BMCs. For years, BMCs from multiple manufacturers have incorporated vulnerable versions of open source software known as lighttpd. Lighttpd is a fast, lightweight web server that's compatible with various hardware and software platforms. It's used in all kinds of wares, including in embedded devices like BMCs, to allow remote administrators to control servers remotely with HTTP requests. [...] "All these years, [the lighttpd vulnerability] was present inside the firmware and nobody cared to update one of the third-party components used to build this firmware image," Binarly researchers wrote Thursday. "This is another perfect example of inconsistencies in the firmware supply chain. A very outdated third-party component present in the latest version of firmware, creating additional risk for end users. Are there more systems that use the vulnerable version of lighttpd across the industry?"

The vulnerability makes it possible for hackers to identify memory addresses responsible for handling key functions. Operating systems take pains to randomize and conceal these locations so they can't be used in software exploits. By chaining an exploit for the lighttpd vulnerability with a separate vulnerability, hackers could defeat this standard protection, which is known as address space layout randomization. The chaining of two or more exploits has become a common feature of hacking attacks these days as software makers continue to add anti-exploitation protections to their code. Tracking the supply chain for multiple BMCs used in multiple server hardware is difficult. So far, Binarly has identified AMI's MegaRAC BMC as one of the vulnerable BMCs. The security firm has confirmed that the AMI BMC is contained in the Intel Server System M70KLP hardware. Information about BMCs from ATEN or hardware from Lenovo and Supermicro aren't available at the moment. The vulnerability is present in any hardware that uses lighttpd versions 1.4.35, 1.4.45, and 1.4.51. "A potential attacker can exploit this vulnerability in order to read memory of Lighttpd Web Server process," Binarly researchers wrote in an advisory. "This may lead to sensitive data exfiltration, such as memory addresses, which can be used to bypass security mechanisms such as ASLR." Advisories are available here, here, and here.

DuckDuckGo, the privacy-focused web search and browser company, announced on today the launch of its first subscription service, Privacy Pro. The service, priced at $9.99 per month or $99.99 per year, includes a browser-based tool that automatically scans data broker websites for users' personal information and requests its removal. The service also includes DuckDuckGo's first VPN and an identity-theft-restoration service. Available initially only in the U.S.

Zack Whittaker and Carly Page report via TechCrunch: Microsoft has resolved a security lapse that exposed internal company files and credentials to the open internet. Security researchers Can Yoleri, Murat Ozfidan and Egemen Kochisarli with SOCRadar, a cybersecurity company that helps organizations find security weaknesses, discovered an open and public storage server hosted on Microsoft's Azure cloud service that was storing internal information relating to Microsoft's Bing search engine. The Azure storage server housed code, scripts and configuration files containing passwords, keys and credentials used by the Microsoft employees for accessing other internal databases and systems. But the storage server itself was not protected with a password and could be accessed by anyone on the internet.

Yoleri told TechCrunch that the exposed data could potentially help malicious actors identify or access other places where Microsoft stores its internal files. Identifying those storage locations "could result in more significant data leaks and possibly compromise the services in use," Yoleri said. The researchers notified Microsoft of the security lapse on February 6, and Microsoft secured the spilling files on March 5. It's not known for how long the cloud server was exposed to the internet, or if anyone other than SOCRadar discovered the exposed data inside.

An anonymous reader quotes a report from Ars Technica: Starting today, home Internet and mobile broadband providers in the US are required to display consumer labels with information on prices, speeds, and data allowances. "Today's nationwide launch of the Broadband Consumer Labels means internet service providers are now required to display consumer-friendly labels at the point of sale," the Federal Communications Commission said (PDF). "Labels are required for all standalone home or fixed Internet service or mobile broadband plans. Providers must display the label -- not simply an icon or link to the label -- in close proximity to an associated plan's advertisement."

The labels are required now for providers with at least 100,000 subscribers, while ISPs with fewer customers have until October 10, 2024, to comply. "If a provider is not displaying their labels or has posted inaccurate information about its fees or service plans, consumers can file a complaint with the FCC Consumer Complaint Center," an agency webpage says. The October 10 date will also bring an additional requirement that providers "make the labels machine-readable to enable third parties to more easily collect and aggregate data for the purpose of creating comparison-shopping tools for consumers," the FCC said.

The FCC issued a consumer advisory telling broadband users what to look for in the labels. Labels should include the monthly price, state whether it is an introductory rate, the amount of time that an introductory rate applies, and the price after any introductory rate expires. The labels must include any additional monthly charges, one-time fees, early termination fees, and taxes. Speed information should include typical download speed, upload speed, and latency. For data caps, the labels should state how much data is included with the monthly price and how much consumers have to pay for additional usage. Labels should also include links to information on discounts and service bundles, network management practices, and privacy policies.

An anonymous reader quotes a report from Reuters: Independent browser companies in the European Union are seeing a spike in users in the first month after EU legislation forced Alphabet's Google, Microsoft and Apple to make it easier for users to switch to rivals, according to data provided to Reuters by six companies. The early results come after the EU's sweeping Digital Markets Act, which aims to remove unfair competition, took effect on March 7, forcing big tech companies to offer mobile users the ability to select from a list of available web browsers from a "choice screen." [...]

Cyprus-based Aloha Browser said users in the EU jumped 250% in March -- one of the first companies to give monthly growth numbers since the new regulations came in. Founded in 2016, Aloha, which markets itself as a privacy focused alternative to browsers owned by big tech, has 10 million monthly average users and earns money through paid subscriptions, rather than selling ads by tracking users. "Before, EU was our number four market, right now it's number two," Aloha CEO Andrew Frost Moroz said in an interview. Norway's Vivaldi, Germany's Ecosia and U.S.-based Brave have also seen user numbers rise following the new regulation. U.S.-based DuckDuckGo, which has about 100 million users, and its bigger rival, Norway-based Opera (OPRA.O), opens new tab are also seeing growth in users, but said the choice screen rollout is still not complete. "We are experiencing record user numbers in the EU right now," said Jan Standal, vice president at Opera, which counts over 324 million global users.

Under the new EU rules, mobile software makers are required to show a choice screen where users can select a browser, search engine and virtual assistant as they set up their phones. Previously, tech companies such as Apple and Google loaded phones with default settings that included their preferred services, such as the voice assistant Siri for iPhones. Changing these settings required a more complicated process. Apple is now showing up to 11 browsers in addition to Safari in the choice screens curated for each of the 27 countries in the EU, and will update those screens once every year for each country. While DuckDuckGo and Opera are offered in Apple's list, opens new tab in all 27 countries, Aloha is in 26 countries, Ecosia is in 13 and Vivaldi in 8. Google is currently showing browser choices on devices made by the company and said new devices made by other companies running Android operating system will also display choice screen in the coming months. A Google spokesperson said they do not have data on choice screens to share yet.

It appears that a nearly eight-year-long battle by the FCC to require internet companies to display information on the costs, fees, and speeds of their broadband services is finally over. From a report: Starting on Wednesday, all but the smallest ISPs will be required to publish broadband "nutrition labels" on all of their plans, the regulator announced. [...] Each label will include monthly broadband prices, introductory rate details, data allowances, broadband speeds, and links to find out about any available discounts or service bundles. Links to network management practices and privacy policies should be listed as well.

Privacy startup Proton already offers an email app, a VPN tool, cloud storage, a password manager, and a calendar app. In April 2022, Proton acquired SimpleLogin, an open-source product that generates email aliases to protect inboxes from spam and phishing. Today, Proton acquired Standard Notes, advancing its already strong commitment to the open-source community. From a report: Standard Notes is an open-source note-taking app, available on both mobile and desktop platforms, with a user base of over 300,000. [...] Proton founder and CEO Andy Yen makes a point of stating that Standard Notes will remain open-source, will continue to undergo independent audits, will continue to develop new features and updates, and that prices for the app/service will not change. Standard Notes has three tiers: Free, which includes 100MB of storage, offline access, and unlimited device sync; Productivity for $90 per year, which includes features like markdown, spreadsheets with advanced formulas, Daily Notebooks, and two-factor authentication; and Professional for $120 per year, which includes 100GB of cloud storage, sharing for up to five accounts, no file limit size, and more.