Government

Should US Tax Collectors Get Reports From Banks About All Accounts Over $600? (msn.com)

An anonymous reader tipped us off to a proposed new U.S. policy which would require banks, credit unions and other financial companies to submit reports on most of their accounts to the tax-collectors at America's Internal Revenue Service (IRS). The reports "would break down the numbers to include physical-cash transactions per account, any transactions with a foreign account and transactions between accounts held by the same owner," according to the Arizona Republic newspaper. "The IRS wouldn't receive details on individual transactions but, rather, gross yearly totals."

America's treasury secretary reiterated that what's being proposed "is not reporting of individual transactions or anything of the like. And it would be a simple thing for banks and other payment providers to provide along with the other information they're already providing."

But the Arizona Republic notes the proposal is drawing some concerns — partly because it's been suggested it would cover any account with more than $600: Critics say this would burden financial institutions with new requirements and expose consumers and businesses to privacy incursions and possible data breaches. Supporters contend bank customers would face no new obligations while giving the IRS more information to pursue tax cheats, primarily among the wealthy. They hope to close a tax gap estimated at around $600 billion annually...

The $600 figure isn't set in stone. Some media reports have indicated it could be increased to, say, $10,000 — the level at which banks report transactions in an effort to combat money laundering. A Treasury summary of the plan indicated there would be no further recordkeeping or reporting requirements for individuals or businesses and that taxpayers wouldn't face any burdens at all. The Treasury also noted banks and other financial providers already have access to this information and already report interest income above $10...

About 15% of the money owed the federal government isn't collected, according to Natasha Sarin, a deputy assistant secretary at the Treasury Department... Just knowing the IRS would have access to some bank-account details might convince more taxpayers to pay what they owe.

The deputy assistant secretary argues there's a direct relationship between the information the IRS has and a taxpayer's voluntary compliance rate. "For ordinary wage and salary income, compliance with income tax liabilities is nearly perfect (1 percent noncompliance rate). In stark contrast, for opaque income sources that accrue disproportionately to higher earners...noncompliance can reach 55 percent...."

"Today's tax code contains two sets of rules: one for regular wage and salary workers who report virtually all the income they earn; and another for wealthy taxpayers"
GNU is Not Unix

FSF Warns Windows 11 'Deprives Users of Freedom and Digital Autonomy' (fsf.org)

"October 5 marks the official release of Windows 11, a new version of the operating system that doesn't do anything at all to counteract Windows' long history of depriving users of freedom and digital autonomy," writes Free Software Foundation campaigns manager Greg Farough.

"While we might have been encouraged by Microsoft's vague, aspirational slogans about community and togetherness, Windows 11 takes important steps in the wrong direction when it comes to user freedom." Microsoft claims that "life's better together" in their advertising for this latest Windows version, but when it comes to technology, there is no surer way of keeping users divided and powerless than nonfree software, choosing to create an unjust power structure, in which a developer knowingly keeps users powerless and dependent by withholding information. Increasingly, this involves not only withholding the source code itself, but even basic information on how the software works: what it's really doing, what it's collecting, and how often it's snitching on users. "Snitching" may sound dramatic, but Windows 11 will now require a Microsoft account to be connected to every user account, granting them the ability to correlate user behavior with one's personal identity. Even those who think they have nothing to hide should be wary of sharing potentially all of their computing activity with any company, much less one with a track record of abuse like Microsoft...

We expect Microsoft to use its tighter control on cryptography that happens in Windows as a way to impose more severe Digital Restrictions Management (DRM) onto media and applications, and as a way to ensure that no application can run in Windows without Microsoft's approval. In cases like these, it's no longer appropriate to call a machine running Windows a "personal" computer, as it obeys Microsoft more than it does its user. Indeed, it's bitterly ironic that Microsoft is calling the program that verifies a system's compatibility with Windows 11 a "PC Health Check." We counter that a healthy PC is one that respects its user's wishes, runs free software, and doesn't purposefully restrict them through treacherous computing. It would also never send the user's encryption keys back to its corporate overlords. Intrepid users will likely find a way around this requirement, yet it doesn't change the fact that the majority of Windows users will be forced into a treacherous computing scheme...

Sometimes, Microsoft realizes that it can't be quite so overtly antisocial. We've commented many times before on the hypocrisy involved in saying that Microsoft "loves open source" and "loves Linux," two ways of mentioning free software without reference to freedom. At the same time, Microsoft employees do make contributions to free software, contributions which benefit many others. Yet they do not extend this philosophy to their operating system, and in the last few years, they've made an attempt to impair the ways free software makes "life better together" further by making critical functions of Microsoft GitHub rely on nonfree JavaScript and directing users toward Service as a Software Substitute (SaaSS) platforms. By attacking user freedom through Windows, and the free software community directly by means of nonfree JavaScript, Microsoft proves that it has no plans to loosen its grip on users.

No program that you're forbidden to copy, modify, or share can truly bring people "together" in the way that Microsoft claims.

Thankfully, and right outside the window, there's a true community of users you and your loved ones can join...

Let's stop falling for the trap of chasing short-term, superficial improvements in proprietary software that may seem to make life better, and instead opt for free software, the only software that can support the best versions of ourselves.

The post urges readers to sign (or renew!) their pledge not to use Windows and to help a friend install GNU/Linux, "sending Microsoft the strong message that software that subjugates its users has no place in Windows.... If you don't feel ready to take the plunge and switch entirely, you can use our resources like the Free Software Directory to find programs you can use as starting points for your free software journey."

The post also has harsh words for TPM, warning that "when it's deployed by a proprietary software company, its relationship to the user isn't one based on trust, but based on treachery. When fully controlled by the user, TPM can be a useful way to strengthen encryption and user privacy, but when it's in the hands of Microsoft, we're not optimistic."

And when it comes to Microsoft Teams, "it seems that no Windows user can avoid it any longer.... we hope Teams' unpopularity and its newfound, unwanted place in Windows will encourage users to seek out conferencing programs that they themselves can control."
Firefox

Firefox Now Sends Your Address Bar Keystrokes To Mozilla (howtogeek.com)

An anonymous reader quotes a report from How-To Geek: Firefox now sends more data than you might think to Mozilla. To power Firefox Suggest, Firefox sends the keystrokes you type into your address bar, your location information, and more to Mozilla's servers. Here's exactly what Firefox is sharing and how to control it. This change was made as part of the introduction of Firefox Suggest in Firefox 93, released on October 5, 2021. As part of Firefox Suggest, Firefox is getting ads in your search bar -- but that's not the only thing that will be news to longtime Firefox users. According to Mozilla, "Firefox Suggest acts as a trustworthy guide to the better web, surfacing relevant information and sites to help people accomplish their goals." In reality, what that means is, when you start typing in your address bar, you won't just see the standard search suggestions from Google or your current search default engine. You'll also see "Firefox Suggest" results pointing to web pages. Some of them are sponsored ads, but you can disable the ads.

Firefox Suggest is on by default. Mozilla's blog post on the subject says Firefox Suggest is an "opt-in experience," which was the case in September 2021 -- but it's now enabled by default in Firefox 93. However, as of Firefox 93's release in October 2021, Firefox Suggest is only enabled in the USA -- for now. It's worth noting that, for many years, Firefox and other web browsers have had search suggestions in their address bar. So, when you start typing "win" in your address bar, you may see suggestions for "Windows 11" and "Window repair." This is accomplished by sending keystrokes to your default search engine as you type in the search bar, as Mozilla's support site explains. Mozilla is also providing contextual suggestions, for which it needs more data, including the city you're located in and whether you're clicking its suggestions.

You can disable Firefox's suggested results, if you like. This will stop Mozilla from collecting the data you type in your search bar, and it will also disable the suggested results and ads. To do so, open Firefox and click menu [and then] Settings. Select "Privacy [and] Security" in the left pane, and scroll down to "Address Bar -- Firefox Suggest." Disable "Contextual suggestions" and "Include occasional sponsored suggestions" to stop Firefox from sending data to Mozilla.

Privacy

iPhone Apps No Better For Privacy Than Android, Oxford Study Finds (tomsguide.com)

An anonymous reader quotes a report from Tom's Guide: A new survey has reached a startling conclusion: iPhone apps tend to violate your privacy just as often as Android apps do. "Overall, we find that neither platform is clearly better than the other for privacy across the dimensions we studied," says the academic paper entitled "Are iPhones Really Better for Privacy?" and presented by researchers from the University of Oxford. "While it has been argued that the choice of smartphone architecture might protect user privacy, no clear winner between iOS and Android emerges from our analysis," the paper adds. "Data sharing for tracking purposes was common on both platforms." There's one big caveat regarding the new study: It was conducted before the introduction of iOS 14.5 in April 2021, which made opt-in to tracking and app privacy labels mandatory on iPhones.

The researchers analyzed the code, permissions and network traffic of 12,000 randomly selected free apps from each platform that had been updated or released in 2018 or later. Each app was run on a real device, either a first-generation iPhone SE running iOS 14.2 or a Google Nexus 5 running Android 7 Nougat. They found that nearly all (89%) of the Android apps contained at least one tracking library, which was almost always Google Play Services. The numbers weren't much lower on iOS, where 79% of apps had at least one tracking library, most likely Apple's own SKAdNetwork, which tracks which ads a user clicks on. However, 62% of iOS apps also ran Google's AdMob ad tracking library, followed by 54% of iOS apps (and 58% of Android apps) running Google Firebase. Facebook trackers were in 28% of Android apps and 26% of iOS ones. In fact, most apps on either platform -- 90% of Android apps and more than 60% of iOS -- shared data with tracking companies owned by Google. Almost all tracking companies observed were based in the U.S. About 9.5% of iOS apps and 5% of Android ones used Chinese-based trackers; 7.5% of iOS apps and 2% of Android ones used Indian trackers.

The team commended Apple for making it possible for iPhone users to block the temporary advertising IDs that flag your phone to advertisers, but the team also saw an ulterior motive on Apple's part. "Apple's crackdown on Ad ID use could be interpreted as an attempt to divert revenue from Google and other advertising providers, and motivate the use of alternative monetization models -- which are more lucrative for Apple," the Oxford research paper states. "Apple has arguably placed a larger emphasis on privacy, seeking to gain a competitive advantage by appealing to privacy-concerned consumers."
Facebook

Facebook Bans Developer Behind Unfollow Everything Tool (theverge.com)

A developer who made a tool that let people automatically unfollow friends and groups on Facebook says he's been banned permanently from the social networking site. From a report: Louis Barclay was the creator of "Unfollow Everything," a browser extension that allowed Facebook users to essentially delete their News Feed by unfollowing all their connections at once. Facebook allows users to individually unfollow friends, groups, and pages, which removes their content from the News Feed, the algorithmically-controlled heart of Facebook. Barclay's tool automated this process, instantly wiping users' News Feed.

[...] In response, Facebook sent Barclay a cease-and-desist letter earlier this year, saying he'd violated the site's terms of service by creating software that automated user interactions. Barclay says the company then "permanently disabled my Facebook and Instagram accounts" and "demanded that I agree to never again create tools that interact with Facebook or its other services."

Privacy

Apple Says Apps Must Offer a Way To Delete Your Account Starting In Early 2022 (engadget.com)

Apple says that as of January 31st, 2022, all applications will need to offer people a method of deleting their accounts. This applies to all iOS, iPadOS and macOS apps. Engadget reports: The company announced this requirement alongside other App Store guideline changes at the Apple Worldwide Developers Conference in June as part of a push to give users more control over their data. As The Verge notes, Apple is only requiring developers to let people "initiate deletion of their account from within the app," so apps might send you to a website or even a chat with an agent before you can actually close your account.
Privacy

Twitch Source Code and Business Data Leaked (therecord.media)

An unknown individual has leaked the source code and business data of video streaming platform Twitch via a torrent file posted on the 4chan discussion board earlier today. From a report: The leaker said they shared the data as a response to the recent "hate raids" --coordinated bot attacks posting hateful and abusive content in Twitch chats -- that have plagued the platform's top streamers over the summer. "Their community is [...] a disgusting toxic cesspool, so to foster more disruption and competition in the online video streaming space, we have completely pwned them, and in part one, are releasing the source code from almost 6,000 internal Git repositories," the leaker said earlier today. The leaker claims that the leak contains the "entirety of twitch.tv, with commit history going back to its early beginnings, mobile, desktop and video game console Twitch clients, various proprietary SDKs and internal AWS services used by Twitch, every other property that Twitch owns including IGDB and CurseForge, an unreleased Steam competitor from Amazon Game Studios, and Twitch SOC internal red teaming tools."

Twitch has confirmed the breach. In a tweet it said, "We can confirm a breach has taken place. Our teams are working with urgency to understand the extent of this. We will update the community as soon as additional information is available."
Android

Google Releases Android 12 To AOSP, But No Pixel Launch Today (9to5google.com)

In a significant departure from previous years, Google today rolled out Android 12 to AOSP but did not launch any devices, including Pixel phones. "Today we're pushing the source to the Android Open Source Project (AOSP) and officially releasing the latest version of Android," said Dave Burke, VP of Engineering, in a blog post. "Keep an eye out for Android 12 coming to a device near you starting with Pixel in the next few weeks and Samsung Galaxy, OnePlus, Oppo, Realme, Tecno, Vivo, and Xiaomi devices later this year." 9to5Google reports: Traditionally, the AOSP launch of the next version of Android coincides with day one availability for Google phones. That is not the case this year, with Google only revealing that Pixel phones can expect an update in the "next few weeks." Google says over 225,000 people tested Android 12 over the course of the developer previews and betas. [...] Google officially highlights four Android 12 tentpoles for developers as part of today's AOSP availability. This starts with a "new UI for Android" that incorporates Material You (referred to today as "Material Design 3"), redesigned widgets, Notification UI updates, and App launch splash screens.

In terms of "Performance," Google says it has "reduced the CPU time used by core system services by 22% and the use of big cores by 15%. We've also improved app startup times and optimized I/O for faster app loading, and for database queries we've improved CursorWindow by as much as 49x for large windows." "More responsive notifications" are achieved by restricting notification trampolines, with Google Photos launching 34% faster after this change. Other changes include Optimized foreground services, Performance classes for devices, and Faster machine learning. "Privacy" is led by the new Settings Dashboard, the ability to only grant apps Approximate location, and a new Nearby devices permission for setting up wearables and other smart home accessories without granting location access. There are also the microphone and camera indicators/toggles. Developers can take advantage of "Better user experience tools" like new APIs to better support rounded screen corners, rich content insertion, AVIF images, enhanced haptics, and new camera/sensor effects. There's also Compatible media transcoding, better debugging, and an Android 12 for Games push.

AI

Clearview AI Has New Tools To Identify People in Photos (wired.com)

Clearview AI has stoked controversy by scraping the web for photos and applying facial recognition to give police and others an unprecedented ability to peer into our lives. Now the company's CEO wants to use artificial intelligence to make Clearview's surveillance tool even more powerful. From a report: It may make it more dangerous and error-prone as well. Clearview has collected billions of photos from across websites that include Facebook, Instagram, and Twitter and uses AI to identify a particular person in images. Police and government agents have used the company's face database to help identify suspects in photos by tying them to online profiles. The company's cofounder and CEO, Hoan Ton-That, tells WIRED that Clearview has now collected more than 10 billion images from across the web -- more than three times as many as has been previously reported. Ton-That says the larger pool of photos means users, most often law enforcement, are more likely to find a match when searching for someone. He also claims the larger data set makes the company's tool more accurate.

Clearview combined web-crawling techniques, advances in machine learning that have improved facial recognition, and a disregard for personal privacy to create a surprisingly powerful tool. Ton-That demonstrated the technology through a smartphone app by taking a photo of the reporter. The app produced dozens of images from numerous US and international websites, each showing the correct person in images captured over more than a decade. The allure of such a tool is obvious, but so is the potential for it to be misused. Clearview's actions sparked public outrage and a broader debate over expectations of privacy in an era of smartphones, social media, and AI. [...] The pushback has not deterred Ton-That. He says he believes most people accept or support the idea of using facial recognition to solve crimes. "The people who are worried about it, they are very vocal, and that's a good thing, because I think over time we can address more and more of their concerns," he says.

Some of Clearview's new technologies may spark further debate. Ton-That says it is developing new ways for police to find a person, including "deblur" and "mask removal" tools. The first takes a blurred image and sharpens it using machine learning to envision what a clearer picture would look like; the second tries to envision the covered part of a person's face using machine learning models that fill in missing details of an image using a best guess based on statistical patterns found in other images. These capabilities could make Clearview's technology more attractive but also more problematic. It remains unclear how accurately the new techniques work, but experts say they could increase the risk that a person is wrongly identified and could exacerbate biases inherent to the system.

GNU is Not Unix

FSF Announces 'JShelter' Browser Privacy Extension to Block Fingerprinting, Tracking, and Malware (fsf.org)

This week the Free Software Foundation (FSF) announced JShelter, "an anti-malware Web browser extension to mitigate potential threats from JavaScript, including fingerprinting, tracking, and data collection."

The browser add-on — supported by NLnet Foundation's Next Generation Internet (NGI) Zero Privacy & Trust Enhancing Technologies fund — is currently "in development and the first release is available." This browser add-on will limit the potential for JavaScript programs to do harmful actions by restricting default behavior and adding a layer of control... Accessing cookies, performing fingerprinting to track users across multiple sites, revealing the local network address, or capturing the user's input before they submit a form are some examples of JavaScript's capabilities that can be used in harmful ways. JShelter adds a safety layer that allows the user to choose if a certain action should be forbidden on a site, or if it should be allowed with restrictions, such as reducing the accuracy of geolocation to the city area. This layer can also aid as a countermeasure against attacks targeting the browser, operating system, or hardware levels... [The extension] will ask — globally or per site — if specific native functions provided by the JavaScript engine and the Document Object Model (DOM) are allowed by the user. It will also link to an explanatory page for each function, to raise awareness of related threats. Depending on the function being addressed, the user will have the option to allow it, block it, or have it return a custom value...

"Our browsers have become perhaps the most critical of tools we depend on, and yet the browser environment is far from healthy," says Michiel Leenaars, director of strategy at NLnet Foundation and coordinator of NGI Zero. "Dominant corporate behavior from a small amount of actors has been aggressively reshaping the evolution of the Web, and that is starting to wreak havoc. Despite an enormous systemic dependency, we as users have very little control over what browsers allow and share — leading to significant risk as the most powerful tools in the shed are essentially left unprotected for every casual Web site to abuse. JShelter is a great initiative to help empower us all, to help us gain better understanding and to better safeguard ourselves from obvious and otherwise unavoidable harm."

The effort is part of a larger, multi-year campaign from FSF on JavaScript on the Web started in 2013, which among others includes the development of GNU LibreJS and outreach to users and developers about nonfree software inside the browser. The GNU LibreJS extension detects JavaScript web labels and assists users with running only JavaScript distributed under a free software license, according to their ethical convictions and individual preferences.

"JShelter will help protect users from critical threats now, and contribute significantly to progress on the necessary longer-term cultural shift of moving away from nonfree JavaScript," said Ruben Rodriguez, former FSF chief technology officer.

"This is a project I've been looking forward to for years, tired of dealing with all kinds of potential antifeatures in the browsers I use and distribute, and having to figure out some countermeasure for them with configuration changes, patches or extensions. Being able to wrap the JavaScript engine in a layer of protection is a game changer."
Security

Neiman Marcus Discloses a 2020 Data Breach That Impacted 4.6 Million Customers (arstechnica.com)

"American luxury retailer Neiman Marcus Group has just disclosed a major data breach impacting approximately 4.6 million customers," reports Ars Technica.

"The breach occurred sometime in May 2020 after 'an unauthorized party' obtained the personal information of some Neiman Marcus customers from their online accounts." Neiman Marcus is working with law enforcement agencies and has selected cybersecurity company Mandiant to assist with the investigation. Thursday, Neiman Marcus disclosed that its 2020 data breach impacted about 4.6 million customers with Neiman Marcus online accounts. The personal information of these customers was potentially compromised during the incident. The bits of information include:

- Names, addresses, contact information

- Usernames and passwords of Neiman Marcus online accounts

- Payment card numbers and expiration dates (although no CVV numbers)

- Neiman Marcus virtual gift card numbers (without PINs)

- Security questions of Neiman Marcus online accounts

"Although the data breach occurred over a year ago, Neiman Marcus states it became aware of the incident this September."
Cloud

Alliance Including Amazon, Google, Microsoft, and IBM Vows to Protect Rights and Privacy With 'Trusted Cloud Principles' (zdnet.com)

ZDNet reports: Some of the world's largest tech giants — Amazon, Google, Microsoft, IBM, Salesforce/Slack, Atlassian, SAP, and Cisco — have joined forces to establish the Trusted Cloud Principles in what they are claiming is their commitment to protecting the rights of their customers... Some of the specific principles that have been founded by the signatories include governments should seek data directly from enterprise customers first, rather than cloud providers, other than in "exceptional circumstances"; customers should have a right to notice when governments seek to access customer data directly from cloud service providers; and there should be a clear process for cloud providers to challenge government access requests for customers' data, including notifying relevant data protection authorities, to protect customers' interests.

Also outlined in the principles is the point that governments should create mechanisms to raise and resolve conflicts with each other such that cloud service providers' legal compliance in one country does not amount to a violation of law in another; and governments should support cross-border data flows. At the same time, the cloud service providers acknowledge that under the principles they recognise international human rights law enshrines a right to privacy, and the importance of customer trust and customers' control and security of their data. The signatories also said they commit to supporting laws that allow governments to request data through a transparent process that abides by human right standards; international legal frameworks to resolve conflicting laws related to data access, privacy, and sovereignty; and improved rules and regulations at the national and international levels that protect the safety, privacy, and security of cloud customers and their ownership of data...

The Trusted Cloud Principles come days after a separate data cloud framework was stood up between Amazon Web Services, Google, IBM, Microsoft and other major tech giants, plus the EDM Council, a cross-industry trade association for data management and analytics. Under the Cloud Data Management Capabilities (CDMC) framework there are six components, 14 capabilities, and 37 sub-capabilities that set out cloud data management capabilities, standards, and best practices for cloud, multi-cloud, and hybrid-cloud implementations while also incorporating automated key controls for protecting sensitive data.

Privacy

Former OnlyFans Employees Could Access Users' and Models' Personal Information (vice.com)

samleecole shares a report from Motherboard: Some former OnlyFans support staff employees still had access to users' data -- including sensitive financial and personal information -- even after they stopped working for the company used by sex workers to sell nudes and porn videos. According to a former OnlyFans employee who asked to remain anonymous because they feared retaliation, some ex-employees still had access to Zendesk, a popular customer service software used by many companies including OnlyFans, to track and respond to customer support tickets, long after leaving the company. OnlyFans uses Zendesk to respond to both users who post content and those who just pay to view that content. According to the source and OnlyFans users who spoke to Motherboard, depending on what a user is seeking help with, support tickets may contain their credit card information, drivers' licenses, passports, full names, addresses, bank statements, how much they have earned on OnlyFans or spent, Know Your Customer (KYC) selfies where the creator holds up an ID next to their face for verification, and model release forms. "It's a shame that they have this large company and feel they can play with people's lives like this," the former employee said. "There are already so many things they are in trouble for and privacy should not be one of them. Everyone on that platform, especially sex workers, need to have their information be safe and it isn't."
United States

US Attempts To Slow China's Innovation Rate (cnbc.com)

AltMachine writes: U.S. Commerce Secretary Raimondo wants the U.S. to work with Europe to slow China's innovation rate, while at the same time accusing China of ripping off western intellectual properties. "America is most effective when we work with our allies," Raimondo told CNBC's Kayla Tausche in an exclusive interview. "If we really want to slow down China's rate of innovation, we need to work with Europe. They're ripping off our IP, they are not playing by the rules. It's not a level playing field. And so we need to hold their feet to the fire to make sure that they do that." Raimondo invokes the ideological divide to justify the push. "We don't want autocratic governments like China, writing the rules of the road. We together with our allies, who care about privacy, freedom, individual rights, individual protection, we need to write the rules of the road," Raimondo said.

Similar to innovation history of the U.S. which evolved from apprehending IPs of other countries before turning into a technological innovation powerhouse, China has in recent years greatly accelerated its R&D spending and fortified IP protections. Of the more than 1,600 cases analyzed, IP owners won more than 80% of the time and permanent injunctions were issued by the Chinese courts in more than 90% of the cases. As noted by Judge Gang Feng of the Beijing IP Court in 2016, foreign corporations had a 100% win rate before that court in 2015.

"We have to work with our European allies to deny China the most advanced technology so that they can't catch up in critical areas like semiconductors," Raimondo added. "We want to work with Europe, to write the rules of the road for technology, whether it's TikTok or artificial intelligence or cyber."

Further reading: China's Growing Power Crunch Threatens More Global Supply Chain Chaos
Privacy

FTC Weighs New Online Privacy Rules (wsj.com) 12

The Federal Trade Commission is considering strengthening online privacy protections, including for children, in an effort to bypass legislative logjams in Congress. WSJ: The rules under consideration could impose significant new obligations on businesses across the economy related to how they handle consumer data, people familiar with the matter said. The early talks are the latest indication of the five-member commission's more aggressive posture under its new chairwoman, Lina Khan, a Democrat who has been a vocal critic of big business, particularly large technology companies. Congressional efforts to assist the FTC in tackling perceived online privacy problems will also be the focus of a Senate Commerce Committee hearing Wednesday. If the agency chooses to move forward with an initiative, any broad new rule would likely take years to implement.

In writing new privacy rules, the FTC could follow several paths, the people said: It could look to declare certain business practices unfair or deceptive, using its authority to police such conduct. It could also tap a less-used legal authority that empowers the agency to go after what it considers unfair methods of competition, perhaps by viewing certain businesses' data-collection practices as exclusionary. The agency could also address privacy protections for children by updating its rules under the 1998 Children's Online Privacy Protection Act. And it could use its enforcement powers to target individual companies, as some privacy advocates urge.

Government

When the FBI Seizes Your Messages from Big Tech, You May Not Know for Years (msn.com) 91

When America's law enforcement investigators serve tech companies with subpoenas or search warrants, "the target of the investigation has no idea their data is being seized," the Washington Post pointed out this weekend.

It's becoming surprisingly common in the U.S. "And if investigators obtain a gag order, the records must be handed over without the person's knowledge or consent — depriving the person of an opportunity to challenge the seizure in court." Every year, Facebook, Google and other technology companies receive hundreds of thousands of orders from law enforcement agencies seeking data people stash online: private messages, photos, search histories, calendar items — a potentially rich trove for criminal investigators. Often, those requests are accompanied by secrecy orders, also known as nondisclosure or gag orders, that require the tech companies to keep their customers in the dark, potentially for years...

In the last six months of 2020, Facebook received 61,262 government requests for user data in the United States, said spokesman Andy Stone. Most — 69 percent — came with secrecy orders. Meanwhile, Microsoft has received between 2,400 and 3,500 secrecy orders from federal law enforcement each year since 2016 — or seven to 10 per day — according to congressional testimony by vice president of customer security and trust Tom Burt. Google and Apple declined to disclose the number of gag orders they've received. But in the first half of 2020, Google said U.S. law enforcement made 39,536 requests for information about 84,662 accounts — with many of the requests targeting multiple accounts. Apple said it received 11,363 requests...

Under the 1986 Electronic Communications Privacy Act, federal prosecutors are required to seek digital information from tech companies, not their customers. Since then, prosecutors have routinely used gag orders to prevent the companies from spilling the beans to suspects who might destroy evidence, go into hiding or threaten someone's life. But the practice has mushroomed over the past two decades, part of a broader surveillance ramp-up following the Sept. 11, 2001, terrorist attacks, lawyers said. As the orders have proliferated, privacy advocates and the tech companies themselves have become increasingly concerned. Some tech company officials have accused prosecutors of reflexively requesting gag orders for routine investigations, regardless of whether the cases actually require such secrecy. And an array of company officials and legal experts argue that the practice robs tech company customers of their constitutional protections against unreasonable search and seizure.

"Across all the rest of society, it's understood that government doesn't get to take your stuff, doesn't get to come in and into your house, doesn't get to break into your file folders or your lock box at the bank without a warrant. And you get to know about that warrant and you get to exercise your legal rights," Microsoft's Burt said in an interview. "Someone cannot exercise their Fourth Amendment rights when their data has been taken in secret."

U.S. lawmakers are considering changes, the article points out. One idea? Require tech companies "to preserve digital files that are the subject of court orders and permit customers to challenge the orders in court before the information is turned over to prosecutors."

Senator Ron Wyden of Oregon points out that's how wiretaps currently work — and is also drafting a measure that would finally require federal courts to publish statistics on the number of surveillance and secrecy orders they've issued.
Encryption

With HTTPS Everywhere, EFF Begins Plans to Eventually Deprecate 'HTTPS Everywhere' Extension (therecord.media) 48

The Record reports: The Electronic Frontier Foundation said it is preparing to retire the famous HTTPS Everywhere browser extension after HTTPS adoption has picked up and after several web browsers have introduced HTTPS-only modes. "After the end of this year, the extension will be in 'maintenance mode' for 2022," said Alexis Hancock, Director of Engineering at the EFF. Maintenance mode means the extension will receive minor bug fixes next year but no new features or further development.

No official end-of-life date, the date after which no updates whatsoever will be provided for the extension, has been decided.

Launched in June 2010, the HTTPS Everywhere browser extension is one of the most successful browser extensions ever released. The extension worked by automatically switching web connections from HTTP to HTTPS if websites had an HTTPS option available. At the time it was released, it helped upgrade site connections to HTTPS when users clicked on HTTP links or typed domains in their browser without specifying the "https://" prefix. The extension reached cult status among privacy advocates and was integrated into the Tor Browser and, after that, in many other privacy-conscious browsers. But since 2010, HTTPS is not a fringe technology anymore. Currently, around 86.6% of all internet sites support HTTPS connections. Browser makers such as Chrome and Mozilla previously reported that HTTPS traffic usually accounts for 90% to 95% of their daily connections.
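The upgrade mechanism described above, as an added example that is not EFF's code or the extension's own ruleset format: a small ruleset-driven HTTP-to-HTTPS rewriter (a per-site list of rules, with exclusions for paths that must stay on HTTP) placed beside the blanket upgrade that a browser's native HTTPS-only mode performs. The hostnames, rules and exclusion paths are constructed for the example; it generalizes the text's single case by also showing a rule that rewrites the host (bare domain to `www`) and an exclusion winning over a rule.

```javascript
// Added example (not EFF's code): a minimal ruleset-driven HTTP->HTTPS
// upgrader in the spirit of HTTPS Everywhere, next to the blanket upgrade a
// browser's native HTTPS-only mode performs. All hosts and rules are constructed.

const rulesets = [
  {
    name: "Example Site (constructed)",
    // A ruleset applies only to URLs whose host matches one of its targets.
    targets: ["example.test", "*.example.test"],
    // Each rule rewrites URLs matching `from` (a regex source) to `to`;
    // this one also canonicalizes the bare domain onto the www host.
    rules: [{ from: "^http://(www\\.)?example\\.test/", to: "https://www.example.test/" }],
    // Paths that must stay on HTTP (e.g. a legacy endpoint without TLS).
    exclusions: ["^http://www\\.example\\.test/legacy/"],
  },
  {
    name: "CDN (constructed)",
    targets: ["static.cdn.test"],
    rules: [{ from: "^http:", to: "https:" }],
    exclusions: [],
  },
];

// Does `hostname` match a target such as "example.test" or "*.example.test"?
function hostMatches(hostname, target) {
  if (target.startsWith("*.")) {
    const suffix = target.slice(1); // ".example.test"
    return hostname.endsWith(suffix) && hostname.length > suffix.length;
  }
  return hostname === target;
}

// Ruleset-driven upgrade: only URLs whose host has a known ruleset are
// rewritten, and an exclusion wins over every rule. Unknown hosts and
// non-http URLs are returned unchanged.
function upgradeWithRulesets(urlString, sets = rulesets) {
  const url = new URL(urlString);
  if (url.protocol !== "http:") return urlString; // already secure or not a web URL
  for (const set of sets) {
    if (!set.targets.some((t) => hostMatches(url.hostname, t))) continue;
    if (set.exclusions.some((ex) => new RegExp(ex).test(urlString))) return urlString;
    for (const rule of set.rules) {
      const re = new RegExp(rule.from);
      if (re.test(urlString)) return urlString.replace(re, rule.to);
    }
  }
  return urlString;
}

// Native HTTPS-only mode, in principle: every http: URL is attempted over
// https: regardless of any site list; the browser falls back or warns if the
// site cannot serve it.
function upgradeHttpsOnly(urlString) {
  const url = new URL(urlString);
  if (url.protocol === "http:") url.protocol = "https:";
  return url.toString();
}

// Side by side on constructed URLs.
for (const u of ["http://example.test/login", "http://www.example.test/legacy/report", "http://unknown.test/"]) {
  console.log(u, "->", upgradeWithRulesets(u), "|", upgradeHttpsOnly(u));
}
```

The contrast is the point: the ruleset approach never sends traffic to a host that is not known to serve HTTPS, but every site needs a maintained rule, which is the burden the extension carried; HTTPS-only mode needs no list because it upgrades unconditionally and relies on the browser's fallback when a site cannot answer.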

From EFF's announcement: The goal of HTTPS Everywhere was always to become redundant. That would mean we'd achieved our larger goal: a world where HTTPS is so broadly available and accessible that users no longer need an extra browser extension to get it. Now that world is closer than ever, with mainstream browsers offering native support for an HTTPS-only mode.

With these simple settings available, EFF is preparing to deprecate the HTTPS Everywhere web extension as we look to new frontiers of secure protocols like SSL/TLS... We know many different kinds of users have this tool installed, and want to give our partners and users the needed time to transition.

The announcement also promises to inform users of browser-native HTTPS-only options before the day when the extension reaches its final sunsetting — and ends with instructions for how to activate the native HTTPS-only features in Firefox, Chrome, Edge, and Safari, "and celebrate with us that HTTPS is truly everywhere for users."
Privacy

110,000 Affected by Epik Breach - Including Those Who Trusted Epik to Hide Their Identity (washingtonpost.com) 112

Epik's massive data breach is already affecting lives. Today the Washington Post describes a real estate agent in Pompano Beach who urged buyers on Facebook to move to "the most beautiful State." His name and personal details "were found on invoices suggesting he had once paid for websites with names such as racisminc.com, whitesencyclopedia.com, christiansagainstisrael.com and theholocaustisfake.com". The real estate brokerage where he worked then dropped him as an agent. The brokerage's owner told the Post they didn't "want to be involved with anyone with thoughts or motives like that."

"Some users appear to have relied on Epik to lead a double life," the Post reports, "with several revelations so far involving people with innocuous day jobs who were purportedly purveyors of hate online." (Alternate URL here.) Epik, based outside Seattle, said in a data-breach notice filed with Maine's attorney general this week that 110,000 people had been affected nationwide by having their financial account and credit card numbers, passwords and security codes exposed.... Heidi Beirich, a veteran researcher of hate and extremism, said she is used to spending weeks or months doing "the detective work" trying to decipher who is behind a single extremist domain. The Epik data set, she said, "is like somebody has just handed you all the detective work — the names, the people behind the accounts..."

Many website owners who trusted Epik to keep their identities hidden were exposed, but some who took additional precautions, such as paying in bitcoin and using fake names, remain anonymous....

Aubrey "Kirtaner" Cottle, a security researcher and co-founder of Anonymous, declined to share information about the hack's origins but said it was fueled by hackers' frustrations over Epik serving as a refuge for far-right extremists. "Everyone is tired of hate," Cottle said. "There hasn't been enough pushback, and these far-right players, they play dirty. Nothing is out of bounds for them. And now ... the tide is turning, and there's a swell moving back in their direction."

Earlier in the week, the Post reported: Since the hack, Epik's security protocols have been the target of ridicule among researchers, who've marveled at the site's apparent failure to take basic security precautions, such as routine encryption that could have protected data about its customers from becoming public... The hack even exposed the personal records from Anonymize, a privacy service Epik offered to customers wanting to conceal their identity.
EU

What Happened When Germany Tried to Fight Online Hate Speech? (msn.com) 236

"Harassment and abuse are all too common on the modern internet," writes the New York Times. "Yet it was supposed to be different in Germany." In 2017, the country enacted one of the world's toughest laws against online hate speech. It requires Facebook, Twitter and YouTube to remove illegal comments, pictures or videos within 24 hours of being notified about them or risk fines of up to 50 million euros, or $59 million. Supporters hailed it as a watershed moment for internet regulation and a model for other countries. But an influx of hate speech and harassment in the run-up to the German election, in which the country will choose a new leader to replace Angela Merkel, its longtime chancellor, has exposed some of the law's weaknesses...

Some critics of the law say it is too weak, with limited enforcement and oversight. They also maintain that many forms of abuse are deemed legal by the platforms, such as certain kinds of harassment of women and public officials. And when companies do remove illegal material, critics say, they often do not alert the authorities or share information about the posts, making prosecutions of the people publishing the material far more difficult. Another loophole, they say, is that smaller platforms like the messaging app Telegram, popular among far-right groups, are not subject to the law. Free-expression groups criticize the law on other grounds. They argue that the law should be abolished not only because it fails to protect victims of online abuse and harassment, but also because it sets a dangerous precedent for government censorship of the internet.

To address concerns that companies were not alerting the authorities to illegal posts, German policymakers this year passed amendments to the law. They require Facebook, Twitter and YouTube to turn over data to the police about accounts that post material that German law would consider illegal speech. The Justice Ministry was also given more powers to enforce the law... Facebook and Google have filed a legal challenge to block the new rules, arguing that providing the police with personal information about users violates their privacy.

An activist for the Electronic Frontier Foundation in Berlin tells the Times the law could encourage companies to remove offensive-but-legal speech. And Twitter shared a statement with additional concerns. "Threats, abusive content and harassment all have the potential to silence individuals. However, regulation and legislation such as this also has the potential to chill free speech by emboldening regimes around the world to legislate as a way to stifle dissent and legitimate speech."

Yet Germany's experience may ultimately influence policy across Europe, the Times points out, since German officials "are playing a key role in drafting one of the world's most anticipated new internet regulations, a European Union law called the Digital Services Act, which will require Facebook and other online platforms to do more to address the vitriol, misinformation and illicit content on their sites."
Electronic Frontier Foundation

Why EFF Flew a Plane Over Apple's Headquarters (eff.org) 29

EFF.org has the story: For the last month, civil liberties and human rights organizations, researchers, and customers have demanded that Apple cancel its plan to install photo-scanning software onto devices. This software poses an enormous danger to privacy and security. Apple has heard the message, and announced that it would delay the system while consulting with various groups about its impact. But in order to trust Apple again, we need the company to commit to canceling this mass surveillance system.

The delay may well be a diversionary tactic. Every September, Apple holds one of its big product announcement events, where Apple executives detail the new devices and features coming out. Apple likely didn't want concerns about the phone-scanning features to steal the spotlight.

But we can't let Apple's disastrous phone-scanning idea fade into the background, only to be announced with minimal changes down the road. To make sure Apple is listening to our concerns, EFF turned to an old-school messaging system: aerial advertising.

During Apple's event, a plane circled the company's headquarters carrying an impossible-to-miss message: "Apple, don't scan our phones!" The evening before Apple's event, protestors also rallied nationwide in front of Apple stores. The company needs to hear us, and not just dismiss the serious problems with its scanning plan. A delay is not a cancellation, and the company has also been dismissive of some concerns, referring to them as "confusion" about the new features.

Apple's iMessage is one of the preeminent end-to-end encrypted chat clients. End-to-end encryption is what allows users to exchange messages without having them intercepted and read by repressive governments, corporations, and other bad actors. We don't support encryption for its own sake: we fight for it because encryption is one of the most powerful tools individuals have for maintaining their digital privacy and security in an increasingly insecure world.

Now that Apple's September event is over, Apple must reach out to groups that have criticized it and seek a wider range of suggestions on how to deal with difficult problems, like protecting children online...

The world, thankfully, has moved towards encrypted communications over the last two decades, not away from them, and that's a good thing. If Apple wants to maintain its reputation as a pro-privacy company, it must continue to choose real end-to-end encryption over government demands to read users' communications.

Privacy matters now more than ever. It will continue to be a selling point and a distinguishing feature of some products and companies. For now, it's an open question whether Apple will continue to be one of them.
