UPDATE (3/1/2025): "We need a license to allow us to make some of the basic functionality of Firefox possible," Mozilla explained Wednesday in a clarification a recent Terms of Use update. "Without it, we couldn't use information typed into Firefox, for example. It does NOT give us ownership of your data or a right to use it for anything other than what is described in the Privacy Notice."

But Friday they went further, and revised those new Terms of Use "to more clearly reflect the limited scope of how Mozilla interacts with user data," according to a Mozilla blog post. ("You give Mozilla the rights necessary to operate Firefox... This does not give Mozilla any ownership in that content.")

Slashdot's original post below...

New submitter SharkByte writes: Mozilla just updated its Terms of Use and Privacy Policy for Firefox with a very disturbing "You Give Mozilla Certain Rights and Permissions" clause:

H/T to reader agristin as well, who also wrote about this.

Researchers at George Mason University discovered a vulnerability in Apple's Find My network that allows hackers to silently track any Bluetooth device as if it were an AirTag, without the owner's knowledge. 9to5Mac reports: Although AirTag was designed to change its Bluetooth address based on a cryptographic key, the attackers developed a system that could quickly find keys for Bluetooth addresses. This was made possible by using "hundreds" of GPUs to find a key match. The exploit called "nRootTag" has a frightening success rate of 90% and doesn't require "sophisticated administrator privilege escalation."

In one of the experiments, the researchers were able to track the location of a computer with an accuracy of 10 feet, which allowed them to trace a bicycle moving through the city. In another experiment, they reconstructed a person's flight path by tracking their game console. "While it is scary if your smart lock is hacked, it becomes far more horrifying if the attacker also knows its location. With the attack method we introduced, the attacker can achieve this," said one of the researchers. Apple has acknowledged the George Mason researchers for discovering a Bluetooth exploit in its Find My network but has yet to issue a fix. "For now, they advise users to never allow unnecessary access to the device's Bluetooth when requested by apps, and of course, always keep their device's software updated," reports 9to5Mac.

Apple announced a new feature allowing parents to share a child's age with app developers without exposing sensitive information, as lawmakers debate age-verification laws for social media and apps. Reuters reports: States, such as Utah and South Carolina, are currently debating laws that would require app store operators such as Apple and Alphabet's Google to check the ages of users. That has set up a conflict in the tech industry over which party should be responsible for checking ages for users under 18 -- app stores, or each individual app. Meta, for instance, has long argued in favor of legislation requiring app stores to check ages when a child downloads an app.

Apple on Thursday said it does not want to be responsible for collecting sensitive data for those age verifications. "While only a fraction of apps on the App Store may require age verification, all users would have to hand over their sensitive personally identifying information to us -- regardless of whether they actually want to use one of these limited set of apps," Apple wrote in a whitepaper on its website.

An anonymous reader quotes a report from TechCrunch: Security researchers are warning that data exposed to the internet, even for a moment, can linger in online generative AI chatbots like Microsoft Copilot long after the data is made private. Thousands of once-public GitHub repositories from some of the world's biggest companies are affected, including Microsoft's, according to new findings from Lasso, an Israeli cybersecurity company focused on emerging generative AI threats.

Lasso co-founder Ophir Dror told TechCrunch that the company found content from its own GitHub repository appearing in Copilot because it had been indexed and cached by Microsoft's Bing search engine. Dror said the repository, which had been mistakenly made public for a brief period, had since been set to private, and accessing it on GitHub returned a "page not found" error. "On Copilot, surprisingly enough, we found one of our own private repositories," said Dror. "If I was to browse the web, I wouldn't see this data. But anyone in the world could ask Copilot the right question and get this data."

After it realized that any data on GitHub, even briefly, could be potentially exposed by tools like Copilot, Lasso investigated further. Lasso extracted a list of repositories that were public at any point in 2024 and identified the repositories that had since been deleted or set to private. Using Bing's caching mechanism, the company found more than 20,000 since-private GitHub repositories still had data accessible through Copilot, affecting more than 16,000 organizations. Lasso told TechCrunch ahead of publishing its research that affected organizations include Amazon Web Services, Google, IBM, PayPal, Tencent, and Microsoft. [...] For some affected companies, Copilot could be prompted to return confidential GitHub archives that contain intellectual property, sensitive corporate data, access keys, and tokens, the company said.

Google has updated its Results About You tool with a redesigned hub, easier removal requests directly from Search, and the ability to refresh outdated results. Engadget reports: Today, the tech giant is announcing the latest changes, including a redesigned hub and the ability to update outdated search results to reflect the latest changes.

The redesign isn't only for show. You can now submit removal requests directly from Search with fewer actions by clicking or tapping the three dots beside a search result. If you manage to have content about you deleted or changed from a website but Google Search hasn't caught up, you can refresh the search, which will "recrawl the page and obtain the latest information." In other words, you can always see the most up-to-date results about you.

U.S. Director of National Intelligence Tulsi Gabbard has condemned a British order requiring Apple to break its encrypted storage worldwide as an "egregious" violation of American rights that could breach the CLOUD Act facilitating cross-border investigations. In a letter [PDF] to Senator Ron Wyden and Representative Andy Biggs, Gabbard revealed she has directed a legal review of the secret order, which she learned about through media reports.

"This would be a clear and egregious violation of Americans' privacy and civil liberties, and open up a serious vulnerability for cyber exploitation by adversarial actors," Gabbard wrote. The UK Home Office, under the Investigatory Powers Act, prohibited Apple from disclosing the order to Congress or U.S. regulators. The directive would have forced Apple to compromise its Advanced Data Protection encryption, enabling officials to access individual data. Apple refused compliance, instead withdrawing the secure storage option from UK customers while maintaining it elsewhere globally. Despite Apple's pullback, the UK demand for backdoor creation remains. Gabbard pledged to ensure UK actions protect American privacy rights "consistent with the CLOUD Act and other applicable laws."

British iPhone users have shown minimal reaction to Apple's decision to disable end-to-end encryption for UK iCloud customers, challenging the company's assumption about privacy priorities, a Bloomberg columnist notes. Rather than create a government-accessible backdoor demanded under Britain's Investigatory Powers Act, Apple chose to eliminate its Advanced Data Protection feature entirely for UK customers, effectively giving both authorities and potential hackers easier access to stored emails, photos and documents.

The near absence of public outcry from British consumers points to what researchers call the "privacy paradox," where stated concerns about data security rarely translate to action. According to cited research, while 92% of American consumers believe they should control their online information, only 16% have stopped using services over data misuse. The quiet reception suggests Apple's principled stand against backdoors may have limited impact if customers don't understand or value encrypted protection, potentially undermining privacy's effectiveness as a marketing differentiator for the tech giant.

An anonymous reader quotes a report from TorrentFreak: In France, rightsholders have taken legal action to compel large VPN providers to support their pirate site blocking program. The aim is to reinforce existing blocking measures, but VPN providers see this as a dangerous move, leading to potential security issues and overblocking. As a result, some are considering leaving France altogether if push comes to shove. [...] Earlier this month, sports rightsholders Canal+ and LFP requested blocking injunctions that would require popular VPNs to start blocking pirate sites and services. The full requests are not public, but the details available show that Cyberghost, ExpressVPN, NordVPN, ProtonVPN, and Surfshark are listed as respondents. [...]

The blocking request has yet to be approved and several of the targeted VPN providers have reserved detailed commentary, for now. That said, the VPN Trust Initiative (VTI), which includes ExpressVPN, NordVPN and Surfshark as members, has been vocal in its opposition. VTI is part of the i2Coalition and while it doesn't speak directly for any of the members, the coalition's Executive Director Christian Dawson has been in regular discussions with VPN providers. From this, it became clear that VPN providers face difficult decisions. If VPN providers are ordered to block pirate sites, some are considering whether to follow in the footsteps of Cisco, which discontinued its OpenDNS service in the country, to avoid meddling with its DNS resolver.

Speaking with TorrentFreak, VTI's Dawson says that VPNs have previously left markets like India and Pakistan in response to restrictive requirements. This typically happens when privacy or security principles are at risk, or if the technical implementation of blocking measures is infeasible. VTI does not rule out that some members may choose to exit France for similar reasons, if required to comply with blocking measures. "We've seen this before in markets like India and Pakistan, where regulatory requirements forced some VPN services to withdraw rather than compromise on encryption standards or log-keeping policies," Dawson says. "France's potential move to force VPN providers to block content could put companies in a similar position -- where they either comply with measures that contradict their purpose or leave the market altogether." "This case in France is part of a broader global trend of regulatory overreach, where governments attempt to control encrypted services under the guise of content regulation. We've already seen how China, Russia, Myanmar, and Iran have imposed VPN restrictions as part of broader censorship efforts."

"The best path forward is for policymakers to focus on targeted enforcement measures that don't undermine Internet security or create a precedent for global Internet fragmentation," concludes Dawson. "As seen in other cases, blanket blocking measures do not effectively combat piracy but instead create far-reaching consequences that disrupt the open Internet."

On Wednesday Mozilla president Mark Surman "announced plans to tackle what he says are 'major headwinds' facing the company's ability to grow, make money, and remain relevant," reports the blog OMG Ubuntu: "Mozilla's impact and survival depend on us simultaneously strengthening Firefox AND finding new sources of revenue AND manifesting our mission in fresh ways," says Surman... It will continue to invest in privacy-respecting advertising; fund, develop and push open-source AI features in order to retain 'product relevance'; and will go all-out on novel new fundraising initiatives to er, get us all to chip in and pay for it!

Mozilla is all-in on AI; Surman describes it as Mozilla's North Star for the work it will do over the next few years. I wrote about its new 'Orbit' AI add-on for Firefox recently...

Helping to co-ordinate, collaborate and come up with ways to keep the company fixed and focused on these fledgling effort is a brand new Mozilla Leadership Council.
The article argues that without Mozilla the web would be "a far poorer, much ickier, and notably less FOSS-ier place..." Or, as Mozilla's blog post put it Wednesday, "Mozilla is entering a new chapter — one where we need to both defend what is good about the web and steer the technology and business models of the AI era in a better direction.

"I believe that we have the people — indeed, we ARE the people — to do this, and that there are millions around the world ready to help us. I am driven and excited by what lies ahead."

An anonymous reader shared this report from the Washington Post's "Tech Brief": Last fall, reports that Kroger was considering bringing facial recognition technology into its stores sparked outcry from lawmakers and customers. They worried personalized data could be used to charge different prices for different customers based on their shopping habits, financial circumstances or appearance. Kroger, the country's largest supermarket chain, had already been using digital price tags in its stores.

Kroger told lawmakers that it doesn't use facial recognition to help it set prices, a stance the company reiterated to the Tech Brief on Thursday. Still, the uproar helped to spark a push by consumer advocates who warn that the threat of invasive, personalized pricing schemes is real. Now, Democratic lawmakers in several states are working to ban so-called "surveillance pricing" — when businesses charge customers more or less for the same item based on their personal information.
Besides a bill in California, three more bill were introduced this month in Colorado, Georgia, and Illinois that also ban "surveillance wages," which the article defines as employers adjusting wages based on how much data an employee collects. "Both surveillance pricing and surveillance wages really disrupt fundamental ideals of fairness," University of California, Irvine law professor Veena Dubal tells the Washington Post.

Dubal is one of the consumer advocates behind a new report which notes information released last month by America's consumer-protecting FTC that "suggests that surveillance pricing tools are being actively developed and marketed across a range of industries, including consumer-facing businesses like 'grocery stores, apparel retailers, health and beauty retailers, home goods and furnishing stores, convenience stores, building and hardware stores, and general merchandise retailers such as department or discount stores." The consumer advocates (which include the Electronic Privacy Information Center) put it this way.

"Imagine walking into a grocery store and seeing a price for milk that's higher than what the next shopper pays because an algorithm calculated that you're willing to spend more..."

California sued to fine a data-harvesting company, reports the Washington Post, calling it "a rare step to put muscle behind one of the strongest online privacy laws in the United States." Even when states have tried to restrict data brokers, it has been tough to make those laws stick. That has generally been a problem for the 19 states that have passed broad laws to protect personal information, said Matt Schwartz, a policy analyst for Consumer Reports. He said there has been only 15 or so public enforcement actions by regulators overseeing all those laws. Partly because companies aren't held accountable, they're empowered to ignore the privacy standards. "Noncompliance is fairly widespread," Schwartz said. "It's a major problem."

That's why California is unusual with a data broker law that seems to have teeth. To make sure state residents can order all data brokers operating in the state to delete their personal records [with a single request], California is now requiring brokers to register with the state or face a fine of $200 a day. The state's privacy watchdog said Thursday that it filed litigation to force one data broker, National Public Data, to pay $46,000 for failing to comply with that initial phase of the data broker law. NPD declined to comment through an attorney... This first lawsuit for noncompliance, Schwartz said, shows that California is serious about making companies live up to their privacy obligations... "If they can successfully build it and show it works, it will create a blueprint for other states interested in this idea," he said.
Last summer NPD "spilled hundreds of millions of Americans' Social Security Numbers, addresses, and phone numbers online," according to the blog Krebs on Security, adding that another NPD data broker sharing access to the same consumer records "inadvertently published the passwords to its back-end database in a file that was freely available from its homepage..."

California's attempt to regulate the industry inspired the nonprofit Consumer Reports to create an app called Permission Slip that reveals what data companies collect and, for people in U.S. states, will "work with you to file a request, telling companies to stop selling your personal information."

Other data-protecting options suggested by The Washington Post:

• Use Firefox, Brave or DuckDuckGo, "which can automatically tell websites not to sell or share your data. Those demands from the web browsers are legally binding or will be soon in at least nine states."

• Use Privacy Badger, an EFF browser extension which the EFF says "automatically tells websites not to sell or share your data including where it's required by state law."

WinRAR 7.10 now lets users remove potentially sensitive metadata from downloaded files while preserving core Windows security features. The file compression tool's latest release introduces a "Zone value only" setting that strips download locations and IP addresses from Windows' Mark-of-the-Web security flags during file extraction.

The new privacy control, enabled by default, maintains only the basic security zone identifier that triggers Windows' safety prompts for downloaded files. This change prevents recipients of shared archives from accessing metadata that could reveal where files originated. The update from win.rar GmbH, whose compression software claims 500 million users worldwide, also adds performance improvements through larger memory page support and introduces a dark mode interface.

Apple is removing its most advanced, end-to-end encrypted security feature for cloud data in the United Kingdom [alternative source], in a stunning development after the government ordered the company to build a backdoor for accessing user data. From a report: The company said Friday that Advanced Data Protection, an optional feature that adds end-to-end encryption to a wide assortment of user data is no longer available in the UK for new users.

This layer of security covers iCloud data storage, device backups, web bookmarks, voice memos, notes, photos, reminders and text message backups. "We are gravely disappointed that the protections provided by ADP will not be available to our customers in the UK given the continuing rise of data breaches and other threats to customer privacy," the company said in a statement. "ADP protects iCloud data with end-to-end encryption, which means the data can only be decrypted by the user who owns it, and only on their trusted devices."

Microsoft will strip several features from Windows 11's File Explorer for European users to comply with privacy regulations, the company says. The changes, affecting Entra ID accounts in the European Economic Area, remove Recent, Favorites, Details Pane, and Recommended content sections that previously tracked user activity.

These features relied on collecting user data to display recently accessed files and personalized recommendations. The privacy-focused update, part of Windows 11 preview build 26120.3281, results in a streamlined File Explorer interface.

Murena has launched the Murena Pixel Tablet, a de-Googled version of the Pixel Tablet that removes Google's apps and services to enhance user privacy. Priced at $549, it offers /e/OS, an alternative app store, and privacy-focused productivity tools, but lacks Google's speaker dock and direct access to the Play Store. The Verge reports: First announced last December, the Murena Pixel Tablet is available now through the company's online store for $549. That's a steep premium given Google currently sells the same 128GB version of the Pixel Tablet for $399, or $479 as part of a bundle with the charging speaker dock that Murena isn't including. Part of Murena's de-Googling of the Pixel Tablet includes the removal of the Google Play Store. You can still download apps through /e/OS' App Lounge which acts as a front-end for the Play Store allowing you to browse and get free apps anonymously without Google knowing who you are. However, downloading paid apps requires a login to a Google account. Google's various productivity apps aren't included, but the Murena Pixel Tablet comes with privacy-minded alternatives for messaging, email, maps, browsing the web, calendar, contacts, notes, and even voice recordings. In 2022, Murena launched its first smartphone with no Google apps, Google Play Services, or even the Google Assistant.

A recently patched Palo Alto Networks vulnerability (CVE-2025-0108) is being actively exploited alongside two older flaws (CVE-2024-9474 and CVE-2025-0111), allowing attackers to gain root access to unpatched firewalls. The Register reports: This story starts with CVE-2024-9474, a 6.9-rated privilege escalation vulnerability in Palo Alto Networks PAN-OS software that allowed an OS administrator with access to the management web interface to perform actions on the firewall with root privileges. The company patched it in November 2024. Dark web intelligence services vendor Searchlight Cyber's Assetnote team investigated the patch for CVE-2024-9474 and found another authentication bypass.

Palo Alto (PAN) last week fixed that problem, CVE-2025-0108, and rated it a highest urgency patch as the 8.8/10 flaw addressed an access control issue in PAN-OS's web management interface that allowed an unauthenticated attacker with network access to the management web interface to bypass authentication "and invoke certain PHP scripts." Those scripts could "negatively impact integrity and confidentiality of PAN-OS."

The third flaw is CVE-2025-0111 a 7.1-rated mess also patched last week to stop authenticated attackers with network access to PAN-OS machines using their web interface to read files accessible to the "nobody" user. On Tuesday, US time, Palo A lot updated its advisory for CVE-2025-0108 with news that it's observed exploit attempts chaining CVE-2024-9474 and CVE-2025-0111 on unpatched and unsecured PAN-OS web management interfaces. The vendor's not explained how the three flaws are chained but we understand doing so allows an attacker to gain more powerful privileges and gain full root access to the firewall. PAN is urging users to upgrade their PAN-OS operating systems to versions 10.1, 10.2, 11.0, 11.1, and 11.2. A general hotfix is expected by Thursday or sooner, notes the Register.

Apps offering lifetime subscriptions may pose risks despite potential cost savings, according to cybersecurity experts and analysts. While some lifetime plans can pay off quickly - like dating app Bumble's $300 premium subscription that breaks even in five months - others require years of use to justify hefty upfront costs. Meditation app Waking Up charges $1,500 for lifetime access, requiring over 11 years of use to recoup the investment.

Security researchers warn against lifetime subscriptions for services with high recurring costs like VPNs and cloud storage. Such providers may compromise user privacy or cut corners on infrastructure to offset losses, said Trevor Hilligoss, senior vice president at cybercrime research group SpyCloud Labs.

Ten years after publishing his influential book on data privacy, security expert Bruce Schneier warns that surveillance has only intensified, with both government agencies and corporations collecting more personal information than ever before. "Nothing has changed since 2015," Schneier told The Register in an interview. "The NSA and their counterparts around the world are still engaging in bulk surveillance to the extent of their abilities."

The widespread adoption of cloud services, Internet-of-Things devices, and smartphones has made it nearly impossible for individuals to protect their privacy, said Schneier. Even Apple, which markets itself as privacy-focused, faces limitations when its Chinese business interests are at stake. While some regulation has emerged, including Europe's General Data Protection Regulation and various U.S. state laws, Schneier argues these measures fail to address the core issue of surveillance capitalism's entrenchment as a business model.

The rise of AI poses new challenges, potentially undermining recent privacy gains like end-to-end encryption. As AI assistants require cloud computing power to process personal data, users may have to surrender more information to tech companies. Despite the grim short-term outlook, Schneier remains cautiously optimistic about privacy's long-term future, predicting that current surveillance practices will eventually be viewed as unethical as sweatshops are today. However, he acknowledges this transformation could take 50 years or more.

Today Seoul's Personal Information Protection Commission "said DeepSeek would no longer be available for download until a review of its personal data collection practices was carried out," reports AFP. A number of countries have questioned DeepSeek's storage of user data, which the firm says is collected in "secure servers located in the People's Republic of China"... This month, a slew of South Korean government ministries and police said they blocked access to DeepSeek on their computers. Italy has also launched an investigation into DeepSeek's R1 model and blocked it from processing Italian users' data. Australia has banned DeepSeek from all government devices on the advice of security agencies. US lawmakers have also proposed a bill to ban DeepSeek from being used on government devices over concerns about user data security.
More details from the Associated Press: The South Korean privacy commission, which began reviewing DeepSeek's services last month, found that the company lacked transparency about third-party data transfers and potentially collected excessive personal information, said Nam Seok [director of the South Korean commission's investigation division]... A recent analysis by Wiseapp Retail found that DeepSeek was used by about 1.2 million smartphone users in South Korea during the fourth week of January, emerging as the second-most-popular AI model behind ChatGPT.

Most virtual meeting platforms these days include AI-powered notetaking tools or bots that join meetings as guests, transcribe discussions, and/or summarize key points. "The tech companies behind them might frame it as a step forward in efficiency, but the technology raises troubling questions around etiquette and privacy and risks undercutting the very communication it's meant to improve (paywalled; alternative source)," writes Chris Stokel-Walker in a Weekend Essay for Bloomberg. From the article: [...] The push to document every workplace interaction and utterance is not new. Having a paper trail has long been seen as a useful thing, and a record of decisions and action points is arguably what makes a meeting meaningful. The difference now is the inclusion of new technology that lacks the nuance and depth of understanding inherent to human interaction in a meeting room. In some ways, the prior generation of communication tools, such as instant messaging service Slack, created its own set of problems. Messaging that previously passed in private via email became much more transparent, creating a minefield where one wrong word or badly chosen emoji can explode into a dispute between colleagues. There is a similar risk with notetaking tools. Each utterance documented and analyzed by AI includes the potential for missteps and misunderstandings.

Anyone thinking of bringing an AI notetaker to a meeting must consider how other attendees will respond, says Andrew Brodsky, assistant professor of management at the McCombs School of Business, part of the University of Texas at Austin. Colleagues might think you want to better focus on what is said without missing out on a definitive record of the discussion. Or they might think, "You can't be bothered to take notes yourself or remember what was being talked about," he says. For the companies that sell these AI interlopers, the upside is clear. They recognize we're easily nudged into different behaviors and can quickly become reliant on tools that we survived without for years. [...] There's another benefit for tech companies getting us hooked on AI notetakers: Training data for AI systems is increasingly hard to come by. Research group Epoch AI forecasts there will be a drought of usable text possibly by next year. And with publishers unleashing lawsuits against AI companies for hoovering up their content, the tech firms are on the hunt for other sources of data. Notes from millions of meetings around the world could be an ideal option.

For those of us who are the source of such data, however, the situation is more nuanced. The key question is whether AI notetakers make office meetings more useless than so many already are. There's an argument that meetings are an important excuse for workers to come together and talk as human beings. All that small talk is where good ideas often germinate -- that's ostensibly why so many companies are demanding staff return to the office. But if workers trade in-person engagement for AI readbacks, and colleagues curb their words and ideas for fear of being exposed by bots, what's left? If the humans step back, all that remains is a series of data points and more AI slop polluting our lives.