security meets culture
Controversial FISA Spying Law Expires Tonight - The Spying will Continue
Jon Brodkin for Ars Technica
Section 702 of FISA to expire tonight, but certification lasts until March 2027.
Credit: Getty Images | Richard Drury
Title VII of the Foreign Intelligence Surveillance Act (FISA) is set to expire at midnight tonight after Congress failed to pass an extension of the controversial spying law. But that doesn't mean the government's spying powers will disappear.
Surveillance under Section 702 of FISA "operates under yearlong certifications approved by the FISA Court," the Brennan Center for Justice at New York University School of Law explained this week. The current certification will remain in place until March 2027 under the yearlong certification issued by the Foreign Intelligence Surveillance Court on March 17, 2026.
"In order to pressure members to accept a bill without meaningful reforms, surveillance hawks are claiming that Section 702 surveillance will 'go dark' on June 12 if Congress hasn't renewed the law," the Brennan Center said. "Contrary to that claim, Congress planned for potential lapses and made very clear that Section 702 surveillance may continue under existing certifications even if the statute sunsets. Members must not be fearmongered into passing a reauthorization without protecting Americans from warrantless government access to their private communications."
The Cato Institute concurs, with senior fellow Patrick Eddington writing that "Section 702 operates under annual programmatic certifications approved by the Foreign Intelligence Surveillance Court (FISC), together with the directives served on providers under them. Under the FISA Amendments Act's transition provision, acquisitions authorized by certifications and directives in effect at the moment of sunset may continue until those certifications expire."
Rep. Jamie Raskin (D-Md.) said that "government surveillance activities will continue unchanged" after Friday, according to CBS News. "Everything that's already been authorized and certified is already in motion, and current FISA authorizations will continue unaffected, at least through March 17, 2027," he said.
Americans' messages swept up in FISA surveillance
Title VII, including Section 702, was added to the FISA law in 2008. It was last reauthorized in 2024 when President Biden signed a bill to continue and expand warrantless surveillance under Section 702.
"FISA Section 702 allows US intelligence agencies to spy on foreign targets without a warrant, but the practice constantly sweeps up the communications of Americans who are in contact with people outside of the country," the Electronic Privacy Information Center (EPIC) said yesterday. "It's a loophole that government agencies have increasingly exploited to surveil Americans without having to obtain permission from the court."
In March, two Democrats and two Republicans opposed to the law's broad spying authority introduced a bill to limit the government's ability to obtain Americans' private communications without a warrant. This week, lawmakers failed to pass even a short-term extension of FISA amid disputes over proposed surveillance reforms and President Trump choosing Bill Pulte as acting director of national intelligence. Pulte has no experience in national security; he previously led the Federal Housing Finance Agency and used the post to accuse Trump critics of mortgage fraud.
While some Republicans have sought reforms of FISA, House Majority Leader Steve Scalise (R-La.) told Politico that "anybody who votes 'no' is casting a dangerous vote to put American lives at risk."
Arguments that surveillance efforts could suffer from the law's expiration even before March 2027 require some speculation. As NPR writes, electronic communications service providers "will still be legally required to turn over material to intelligence agencies. Still, some lawmakers worry that the companies compelled to turn over communications may attempt to challenge the law in court, possibly leading to an indeterminately long window during which they stop providing intel."
FISA not the only US spying authority
House members left for a recess after yesterday's attempts to extend the law. No further House votes are expected until June 23. While there's plenty of time between now and March 2027 to finalize a FISA extension, the Electronic Frontier Foundation points out that the government has other spying authority it can use even if no deal is struck.
"If Section 702 does stay expired past March 2027, the United States government will likely revert to using other programs and authorities to justify the surveillance of overseas national security targets, namely 12333, a shadowy executive order from the 1980s that gives the US government nearly unlimited power to spy on people overseas," the EFF said.
Executive Order 12333 isn't merely an alternative spying power, wrote Eddington, who focuses on homeland security and civil liberties at the Cato Institute. The order accounts for more intelligence than Section 702, he wrote.
"The overwhelming bulk of overseas signals intelligence never depended on Section 702 in the first place," Eddington wrote. "It runs under Executive Order 12333, the daily operating charter for the executive branch's intelligence components, which requires no statute and no FISC order. A Title VII lapse removes not one 12333 collection platform."
Your WiFi Router can 'See' You Move, even Behind Walls - No Camera Required
By Kim Komando
That box on your shelf isn't just sending you Netflix. New WiFi sensing reads how your body bends the signals bouncing around your home, accurately enough to track movement through walls. Here's how it works, and why nobody asked your permission.
Here's something you never thought the boring little box blinking on a shelf, aka your router, could do.
It knows when you walk across a room. Which room you're in. Whether you're standing or lying down. All without a single camera.
How a 'dumb' box learned to watch
Your router fills your home with invisible radio waves. Every time you move, your body blocks, bends and bounces those signals, like your hand throwing a shadow across a flashlight beam. Software reads the shadows. Walls don't stop it. WiFi sails right through drywall, so it "sees" you in the next room.
The tech doesn't catch you only when you're walking. Researchers have used ordinary WiFi to detect the tiny rise and fall of your chest and even estimate your heart rate. Lying still under a blanket in the dark? The signal still knows you're there, breathing.
In September 2025, the industry made WiFi sensing an official standard, baking it into the chips. Most newer routers got it.
Then in February 2026, security giant ADT paid $170 million for a WiFi sensing startup. Comcast and Linksys already sell motion features, and they don't rely on the router alone.
Your stationary gadgets, like mesh nodes and smart speakers, work as extra sensing points. More devices, fewer blind spots.
One more thing: Researchers in Germany identified specific people with near-perfect accuracy by how they disturbed the signal. Not "someone's home," but you.
The part that bugs me
Cameras have a lens you can cover. Microphones have a light. WiFi sensing has nothing. No glow, no shutter, no notification, no law saying anyone has to tell you it's on.
Sold as a perk, it sounds lovely. Know if Grandma fell. But who's home and when and where they sleep are the kind of map a burglar, a stalker or a nosy company would love.
Open your router and security apps today and hunt for anything labeled motion or WiFi sensing. If you didn't turn it on, turn it off.
If you rent a router from your internet provider, they control the firmware, not you. Buy your own. I like this $70 ASUS. You ditch the monthly rental fee, and you own the off switch.
Your router used to bring the world into your home. Don't let it send reports of what happens inside back out. You don't know who is buying this data.
Medical Devices in Your Home are Quietly Reporting on You to Your Insurer - which can Cost You More
By Kim Komando
That CPAP machine? It tells your insurance company whether you used it enough. And it's not the only device in your house keeping score. Here's what's phoning home while you sleep and what you can do about it.
Thirty million Americans sleep with a CPAP machine. It's a lifesaver. It's also ratting you out.
Use it or lose it
Most insurers demand compliance. The common rule: at least four hours a night, on 70% of nights in a 30-day stretch. Fall short, even because the mask hurt or you're still adjusting, and they can stop paying. Some people get a return notice and a bill for the full cost, often around $2,500.
And the machine tells on you by itself. Newer models like ResMed's AirSense have a cellular modem built in. No WiFi needed. It beams your hours, mask leaks and breathing events to the cloud after every session.
How'd they get the right? You gave it to them. When insurance pays, you almost always sign a data release buried in the fine print. Tracking isn't a bug. It's the deal.
Here's what stings. A study presented in May at the American Thoracic Society found over a third of patients who missed the compliance cutoff kept using their machines anyway and got healthier. The rules yank coverage from people still benefiting.
The whole bedroom is keeping score
CPAPs are the loud ones. Blood glucose monitors collect your sugar levels, and insurers often want a month of data before they reimburse. Pacemakers and implanted defibrillators log your heart rhythm 24/7 and transmit automatically. Your cardiologist sees it. Your insurer may, too. Even hearing aids track how many hours you wear them.
FYI, turning the data off usually means losing coverage. That's not an accident.
Lock it down
- Call your equipment supplier and ask: What does my device transmit, and who sees it?
- Ask if a removable data card model is an option, so your doctor confirms compliance, not a faceless algorithm.
- Traveling or camping off the grid? Turn on airplane mode in your machine's settings. It stores up to a year of data internally and uploads when you're back in coverage, so a camping trip doesn't read as quitting.
- Read the data consent form before you sign. The buried paragraph is always the one that matters.
- If privacy is more important to you than the discount, check the cost of buying the device yourself. You'll control the off switch.
A Private Company has 80,000 Cameras Logging Where Your Car Goes - Now it's Adding Drones
By Kim Komando
Those little cameras on the poles in your neighborhood quietly record every car that passes, then feed one giant searchable map. You never agreed to it, and the company behind them started flying drones that read your plate from 2,000 feet. Here's what's really happening.
On my way to work, I pass 6 Flock cameras. And every one of them knows my car better than half my neighbors do.
Here's the thing. Somewhere between your house and the grocery store this morning, a camera photographed your car. It logged your plate, the time, your make, your model and the exact spot you passed. You didn't see it. You never agreed to it. And it dropped a fresh dot on a map of everywhere you've been.
That camera almost certainly belongs to a company called Flock. What Flock has built should stop you cold.
80,000 cameras, and one clocked you
Flock makes those small license plate readers bolted to poles in neighborhoods, business parks and parking lots. They snap every car that rolls past. The company runs roughly 80,000 cameras across 5,000 communities in 49 states, scanning more than 20 billion vehicles a month.
It started as an anti-car-theft tool. Reasonable enough. But the cameras don't sit only with police. HOAs run them. Malls run them. Retailers run them. All that data pools into one searchable system.
One city's cameras were quietly switched to "nationwide" sharing, opening the door to 600,000 searches by 250-plus agencies that never signed a single agreement. In another city, out-of-state agencies queried the database 1.6 million times in seven months. Your daily drive, searchable by strangers with a badge far away. No warrant required.
Now the cameras can fly
The poles were just the start. Flock's newest product is a drone called the Alpha. It reads a plate from 2,000 feet up, hits 60 mph and arrives in 85 seconds. Often before any officer.
A police lieutenant described it like this: An operator watches a plate-reader alert pop, taps a screen and a drone launches from the same software. It follows the vehicle in real time. Flock sells these to private companies coast to coast, hovering over malls and warehouses.
The cameras record where you've been. The drone watches where you're going. Together they create something this country has never seen: an automatic, always-on record of how a free person moves through their own town.
You can't opt out of a pole camera. You're not powerless, though. If your HOA or city is installing these, show up. Demand it in writing: a strict data-retention limit and zero outside sharing.
Find every camera watching your street
Go to https://maps.deflock.org/.
I tested this myself. Type in your address. You'll be surprised how many devices are already watching your neighborhood.
They say a camera adds 10 pounds. With plate readers on every pole and a drone overhead, I must be under some seriously heavy surveillance.
Your Sensitive Files Really Shouldn't be in Google Drive
By Tashreef Shareef / MakeUseOf
Anyone who uses Gmail or an Android device almost certainly uses Google Drive for something, if only contacts or a WhatsApp backup. Others use it as a one-stop cloud storage solution, holding everything from gallery files and wedding videos to their most sensitive documents. Since Google Drive integrates so tightly with Google's services, that shouldn't come as a surprise.
But should you store your most sensitive documents in Google Drive? Is it safe enough? In theory and practice, it's as secure as any other popular cloud storage service, so the answer is yes. But should you trust the Big G with your private documents? For privacy-conscious individuals, the answer is no, you should not, and there's a good reason why. If you keep banking statements, passport scans, or contracts in your Drive, you may want to consider encrypting that data before it leaves your computer.
Google Drive is encrypted, but Google holds the keys - Server-side encryption isn't the same as end-to-end
As I said earlier, Google Drive is safe enough to protect your files against external threats like hackers, and it uses industry-standard security to guard your data. The weakest link is usually end-user error. Even then, you can set up a passkey or two-factor authentication to keep the account secured on your end, and your files are private by default.
Google encrypts your data in transit using TLS, and data at rest is protected with AES-128 encryption. That sounds reasonable until you notice the data isn't end-to-end encrypted. In other words, Google holds the encryption keys and can access the files in your Drive whenever it needs to.
When you upload a file, Google encrypts it with a unique data encryption key, then encrypts that key with another key it controls, and stores both on its servers. To read the file, Google's systems unwrap the keys on the fly. With true end-to-end encryption, only your device holds the key, so even the service provider sees nothing but scrambled bytes. Google's setup doesn't meet that bar.
That's the practical difference. External attackers can't easily read your files, but Google can. And so can anyone Google is legally compelled to share them with.
Google has access to your data - Key custody changes the threat model
Because Google holds the keys, your files aren't private from Google itself. Drive scans content for automated policy enforcement, including hash-matching for known child sexual abuse material and other terms-of-service violations. Google says it doesn't read Drive content to target you with ads, but the company can still suspend accounts when its automated systems flag a file. People have lost their entire Google account, including years of email and photos, after a single false positive on a Drive file.
There's also the matter of legal compliance. Google is a US company subject to US law, which means it can be served with subpoenas, search warrants, and national security letters that compel it to hand over your files. The company can do this because it holds the decryption keys. With end-to-end encryption, even a court order can't force a provider to produce something it cannot read.
Then there's the AI factor. Google has been integrating Gemini deeper into Workspace, with smart features turned on by default in many regions. The company says Drive files aren't used to train its general AI models, but Gemini still needs access to your files to summarize them or pull context for you. That's a much wider attack surface than the old "files sit on a server" model.
This doesn't mean Google is malicious or will snoop on you. It means the threat model is different from what most people assume. You're not just trusting Google to fend off hackers; you're trusting it never to read, mishandle, or be compelled to share your data.
The fix is to encrypt the files yourself - Client-side encryption before the upload
The cleanest fix is to encrypt files on your computer before they ever touch Drive. That way, Google stores ciphertext it can't read, and your encryption keys stay with you. The simplest tool for this is Cryptomator, a free, open-source app that creates an encrypted vault inside your Drive folder. You unlock the vault locally with a password, drop files in, and Cryptomator handles the rest. Drive only ever sees scrambled blobs. There are also other encryption apps for Windows, like VeraCrypt, that work well for creating encrypted containers you can sync to any cloud.
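Here is what "encrypt before upload" looks like mechanically. This is an added example, not code from Cryptomator, Google, or the author of this piece. It uses the same two-key shape described earlier (a per-file data encryption key wrapped by a key-encryption key), with the one difference that matters: the key-encryption key is generated and held by the user and is never stored alongside the file. Everything below is Go standard library; the StoredObject layout, the file name and the sample contents are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredObject is all the provider ever receives: the file body sealed under
// a per-file data encryption key (DEK), plus that DEK sealed under the user's
// key-encryption key (KEK). With provider-held keys the KEK would be stored
// server-side too; here it never leaves the client. (Layout is an assumption.)
type StoredObject struct {
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK)
	Body       []byte // nonce || AES-256-GCM(DEK, plaintext)
}

// NewKEK makes the user's 256-bit key-encryption key. A real tool would derive
// it from a passphrase or keep it in a hardware key; the provider never sees it.
func NewKEK() ([]byte, error) {
	kek := make([]byte, 32)
	_, err := rand.Read(kek)
	return kek, err
}

// seal returns nonce || AES-GCM ciphertext; aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal; it fails on a wrong key, a tampered body or a wrong aad.
func unseal(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext shorter than nonce")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// EncryptForUpload is the client-side step: fresh DEK per file, file sealed
// under the DEK, DEK sealed under the KEK, plaintext DEK discarded. The file
// name is bound as associated data so stored blobs cannot be swapped around.
func EncryptForUpload(kek, plaintext []byte, name string) (StoredObject, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return StoredObject{}, err
	}
	body, err := seal(dek, plaintext, []byte(name))
	if err != nil {
		return StoredObject{}, err
	}
	wrapped, err := seal(kek, dek, []byte(name))
	if err != nil {
		return StoredObject{}, err
	}
	return StoredObject{WrappedDEK: wrapped, Body: body}, nil
}

// DecryptDownload is the only road back: unwrap the DEK with the KEK, then open
// the body. Holding just the StoredObject, as the provider does, fails at step one.
func DecryptDownload(kek []byte, obj StoredObject, name string) ([]byte, error) {
	dek, err := unseal(kek, obj.WrappedDEK, []byte(name))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return unseal(dek, obj.Body, []byte(name))
}

func main() {
	userKEK, _ := NewKEK()
	obj, _ := EncryptForUpload(userKEK, []byte("constructed passport scan bytes"), "passport.pdf")
	providerKey, _ := NewKEK() // the provider has the blob but not the user's KEK
	_, err := DecryptDownload(providerKey, obj, "passport.pdf")
	fmt.Println("provider-side decrypt:", err)
	pt, err := DecryptDownload(userKEK, obj, "passport.pdf")
	fmt.Printf("user-side decrypt: %q %v\n", pt, err)
}
```

Two things worth noticing. The provider-held and client-held designs store exactly the same bytes; the only difference is who can run the unwrap step, which is the whole of the "key custody" argument. And a tool that derives the KEK from a passphrase must use a slow, memory-hard KDF (Argon2 or scrypt), not a plain hash; this example sidesteps that by generating a random KEK, which is also why losing it means losing the files, just as the trade-off section below describes.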
If you'd rather not bolt encryption onto Drive, switch to a service that bakes it in. Proton Drive and Tresorit both offer end-to-end encryption by default, and neither provider holds the keys to your files. Proton Drive's free tier gives you 5GB, and the paid plans are reasonable if you already pay for Proton Mail or VPN. Sync.com is another strong option if you want zero-knowledge storage without leaving the mainstream provider feel.
The trade-off is convenience. Encrypted files can't be previewed in the browser, searched by content, or opened by Google Docs collaboratively. You also have to manage your own recovery, because if you lose the password, the provider genuinely cannot help you. For most sensitive documents, that's a fair price.
You can also skip the cloud for a few files. Keeping tax returns, passport scans, and legal documents on an external drive at home, or on a self-hosted Nextcloud setup you control, works fine for files you rarely need to access on the go.
Keep Drive for convenience and lock down the rest
Google Drive isn't unsafe in the everyday sense. It's encrypted, it's well-defended against intruders, and it's perfectly fine for the routine stuff like meeting notes, shared documents, and family photos. I still use it for most of those things because the convenience is genuinely hard to beat.
The privacy story shifts when you start storing things that would hurt to lose to a stranger, a Google reviewer, or a court order. For those files, the answer isn't to abandon Drive but to stop treating it as a vault. Encrypt sensitive documents before you upload, or move them to a service that can't read them at all. The few minutes of friction are worth knowing that the most personal pieces of your life aren't sitting on a server with someone else's keys.
California Sues 23andMe, alleging it Failed to Protect User Data in 2023 Breach
By Jaime Ding for Associated Press
California's attorney general sued the genetic testing company formerly known as 23andMe on Thursday, alleging it failed to protect sensitive user data in a 2023 breach that affected nearly 7 million people across the country.
Attorney General Rob Bonta filed the lawsuit against Chrome Holding Co., which 23andMe rebranded under after filing for bankruptcy last March. 23andme is known for its direct-to-consumer DNA test kits that provided customers information on their ancestry and genetic predispositions for certain health conditions.
The lawsuit calls for various civil penalties against 23andMe and injunctions blocking the company from further violations of California's privacy protection laws.
The company has acknowledged that it suffered a major security breach in 2023 in which attackers logged into about 14,000 accounts directly and, through those accounts, harvested the data of nearly 7 million customers. The attack used "credential stuffing," which takes advantage of customers' tendency to use weak or common passwords, or to reuse the same password across multiple accounts: usernames and passwords leaked from one site are replayed at scale against another.
Bonta's office said this was a well-known attack that businesses should know to guard against. The attackers used stolen credentials, including some from a massive data breach in October 2017 at MyHeritage, one of 23andMe's former partners. After that breach, 23andMe did not take common precautions such as asking customers to reset their passwords or to enable multifactor authentication.
23andMe did not immediately respond to an emailed request for comment.
"23andMe's security measures were so lax that the threat actor was able to operate undetected within 23andMe's systems for over 5 months, and remarkably, 23andMe only began investigating after the threat actor offered the stolen user data for sale on the dark web and reached out to 23andMe to demand a ransom," prosecutors said in the complaint.
In October 2023, the stolen data appeared for sale on the dark web, with the poster specifically touting that about 1.1 million consumers' data belonged to Asian-Pacific Islander and Ashkenazi Jewish users.
"The sale of this data on the dark web took place amidst a period of mounting anti-Asian American and Pacific Islander and antisemitic hate and violence," Bonta said in a press release. "This is disturbing and incredibly dangerous."
Some of the data stolen included raw genetic data, health reports, DNA shared with other relatives, and locations and birth years of relatives.
The lawsuit says that after notifying the public about the breach, 23andMe continued to mislead consumers about the severity of the breach and the company's role in it.
The company has said it only found out about the breach in October 2023 when the stolen data was posted for sale on the dark web. However, the lawsuit said the company failed to properly investigate red flags that appeared months earlier, such as a "suspicious spike in user login attempts" in July and a Reddit post discussing a possible breach and sale of user data in August.
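The two red flags the complaint describes, a spike in login attempts and one source hammering many different accounts, are exactly what a credential-stuffing detector looks for. As an added example (my own detection logic, not anything from the AP article, the complaint, or 23andMe), the script below parses an assumed authentication-log format, flags source addresses that try many distinct accounts with a high failure ratio, and flags hours whose attempt volume is far above the median of the other hours. The log lines are constructed in the file; the thresholds are my assumptions.

```javascript
// Added example, not from the original article. Detects the credential-
// stuffing signature: one source, many *different* usernames, mostly failures,
// plus an overall spike in attempts. Log format and thresholds are assumed.

// assumed format: "<ISO time> ip=<addr> user=<name> result=<ok|fail>"
function parseLine(line) {
  const m = /^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$/.exec(line.trim());
  if (!m) return null;
  return { ts: new Date(m[1]), ip: m[2], user: m[3], ok: m[4] === 'ok' };
}

function perSourceStats(events) {
  const by = new Map();
  for (const e of events) {
    const s = by.get(e.ip) || { attempts: 0, fails: 0, users: new Set() };
    s.attempts++;
    if (!e.ok) s.fails++;
    s.users.add(e.user);
    by.set(e.ip, s);
  }
  return by;
}

// A real user retries one account; a stuffing bot walks a list of accounts.
// Flag sources that touch many distinct accounts and fail almost every time.
function flagStuffingSources(events, { minUsers = 20, minFailRatio = 0.8 } = {}) {
  const out = [];
  for (const [ip, s] of perSourceStats(events)) {
    const ratio = s.fails / s.attempts;
    if (s.users.size >= minUsers && ratio >= minFailRatio) {
      out.push({ ip, attempts: s.attempts, distinctUsers: s.users.size, failRatio: +ratio.toFixed(2) });
    }
  }
  return out.sort((a, b) => b.attempts - a.attempts);
}

// Flag hours whose attempt count exceeds k times the median hourly count.
function flagVolumeSpikes(events, k = 5) {
  const perHour = new Map();
  for (const e of events) {
    const hour = e.ts.toISOString().slice(0, 13);         // YYYY-MM-DDTHH
    perHour.set(hour, (perHour.get(hour) || 0) + 1);
  }
  const counts = [...perHour.values()].sort((a, b) => a - b);
  const median = counts[Math.floor(counts.length / 2)];
  return [...perHour]
    .filter(([, n]) => n > k * median)
    .map(([hour, n]) => ({ hour, attempts: n, baselineMedian: median }));
}

function analyze(logText) {
  const events = logText.split('\n').map(parseLine).filter(Boolean);
  return { sources: flagStuffingSources(events), spikes: flagVolumeSpikes(events) };
}

// Constructed sample log: 24 quiet hours (four logins per hour from distinct
// home addresses, one of them a normal failed attempt), then one hour in which
// 198.51.100.7 and 198.51.100.8 each try 60 different accounts and land three
// successes between them.
function buildSampleLog() {
  const pad = (n) => String(n).padStart(2, '0');
  const lines = [];
  for (let h = 0; h < 24; h++) {
    for (let i = 0; i < 4; i++) {
      const ok = i !== 3;
      lines.push(`2023-07-14T${pad(h)}:${pad(10 + i)}:00Z ip=192.0.2.${h * 4 + i + 1} user=user${h * 4 + i} result=${ok ? 'ok' : 'fail'}`);
    }
  }
  for (let i = 0; i < 120; i++) {
    const ip = i % 2 === 0 ? '198.51.100.7' : '198.51.100.8';
    const ok = i === 5 || i === 40 || i === 99;
    lines.push(`2023-07-15T03:${pad(Math.floor(i / 2))}:${pad((i % 2) * 30)}Z ip=${ip} user=victim${i} result=${ok ? 'ok' : 'fail'}`);
  }
  return lines.join('\n');
}

const SAMPLE_LOG = buildSampleLog();
```

Running `analyze(SAMPLE_LOG)` flags both attack sources and the single spike hour; the three successful logins inside the burst are the accounts a stuffing campaign actually cares about, which is why the alert should trigger a forced password reset and an MFA requirement for them rather than just a block on the source addresses.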
Genetic data requires "one of the highest levels of protection" and California law "mandates a heightened legal obligation" to protect it, the lawsuit said.
Bonta also intervened to ensure customers' genetic data wouldn't be mishandled during 23andMe's Chapter 11 bankruptcy and asset sale, arguing that California's Genetic Information Privacy Act required companies to obtain opt-in consent from customers before selling their genetic information to third parties. However, the sale was allowed to proceed.
In 2024, 23andMe agreed to pay a $30 million settlement in a class-action lawsuit accusing the company of failing to protect customers whose personal information was exposed in the breach. The amount was raised to $50 million to resolve most US customer claims and received final approval in January by a federal judge overseeing 23andMe's bankruptcy.
You Think You're Using Your Phone - It's Using You Back
/Science Quickly Podcast
Websites have a New Way to Spy on Visitors: Analyzing their SSD Activity
Dan Goodin for Ars Technica
Telltale SSD activity can be measured in the browser using simple JavaScript.
Credit: Getty Images
Over the decades, there has been no shortage of sites using clever techniques to covertly track visitors' browsing histories, device fingerprints, and keystrokes and mouse movements in real time. Even Meta and Yandex were recently caught joining in the privacy-invasive free-for-all.
Now sites have a new way to spy on their visitors: measuring subtle interactions with their solid-state drives. The technique, named FROST-- fingerprinting remotely using OPFS-based SSD timing-- allows sites to monitor other sites a visitor is viewing and what apps are open on their devices.
A side channel based on contention
The technique, laid out in a research paper, exploits a side channel: a leak that comes not from a flaw in a system's logic but from its physical behavior, such as electromagnetic emanations, the state of data caches, or the time required to complete a task. By measuring those signals, attackers have recovered cryptographic keys (and with them decrypted encrypted traffic) and inferred other confidential data.
The attack that FROST uses is known as a contention side channel, which measures the interaction of various processes all using-- or competing for-- a given resource. By measuring the timing of certain I/O-- input-output-- operations of the SSD a visitor is using, the researchers were able to determine the websites open in other tabs-- even on other browsers-- and the apps that were open on the visitor's device. FROST requires no interaction from the visitor other than opening the site hosting the attack.
"Web browsers have evolved from simple document viewers into complex platforms capable of running sophisticated applications," the paper authors wrote. "Companies like Google, Microsoft, and Adobe have developed full-fledged office suites, photo- and video editors, or even integrated development environments (IDEs) that run entirely within the browser." The authors went on to note: "While these features enhance the capabilities of web applications and allow completely novel use cases, they also increase the browser's attack surface, and some have already been shown to introduce new vulnerabilities."
Unlike previous contention side-channel attacks on SSDs, FROST runs exclusively in the browser. It uses JavaScript that interacts with the OPFS-- origin private file system-- a per-origin storage area that a site's scripts can read and write at near-native speed. A site can create and fill one with no permission prompt and no interaction from the visitor.
Each origin's file system is sandboxed, isolated from other websites and from the rest of the device's file system, but the file still lives on the same physical SSD as everything else on the machine, and the JavaScript can time its own reads. Feeding those timings to a pretrained convolutional neural network-- a deep-learning model more commonly used to classify images, audio, and text-- lets the attacker deduce which apps and websites are open on the device.
"The attacker continuously measures SSD contention by performing random reads from a large OPFS file," the researchers explained. "SSD contention caused by user activity causes measurable latency differences for these read operations. By training a convolutional neural network (CNN) on these traces, the attacker can fingerprint user activity on the host system by classifying new traces using the trained model."
The technique has its limitations. First, the OPFS file must be extremely large-- likely a gigabyte or more-- so that reads actually reach the SSD instead of being served from the operating system's memory cache. A file that size is hard to hide, so attacks at scale would inevitably be noticed by many users. Additionally, the OPFS file must be stored on the same SSD as the activity being observed. This isn't usually a problem for tracking open websites, since the OPFS file is stored in the browser's default profile location, normally on the same system drive as other browsers' profiles. Apps running from a separate SSD, however, can't be detected by FROST.
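The measurement primitive the article describes, shown as an added example: this is my own code, not the FROST authors' code or anything reproduced from the paper, and it covers only the timing side, not the neural-network classifier that turns traces into "which site is open." It uses the standard OPFS API (`navigator.storage.getDirectory`, `createSyncAccessHandle`), which is only available inside a dedicated Web Worker; the file size, read size and "slow read" threshold are my assumptions. The trace helpers are pure JavaScript and run anywhere, including Node, which has no OPFS.

```javascript
// Added example, not the FROST authors' code. Exercises the primitive the
// article describes: allocate a large file in the Origin Private File System
// and time random 4 KiB reads from it. measureSsdTrace() must run in a
// dedicated Web Worker (FileSystemSyncAccessHandle exists nowhere else).
// Sizes and thresholds below are assumptions.

const FILE_BYTES = 1024 * 1024 * 1024;   // assumed: ~1 GiB, "a gigabyte or more"
const BLOCK = 4096;                      // assumed read size
const FILL_CHUNK = 65536;                // max bytes per crypto.getRandomValues() call

// Worker-only. Creates and fills the probe file once, with random bytes so the
// reads are backed by real data on disk, then times `samples` random reads.
// The file has to exceed what the OS page cache will hold; otherwise reads are
// served from RAM and never contend for the SSD at all.
async function measureSsdTrace(samples, fileBytes = FILE_BYTES) {
  const root = await navigator.storage.getDirectory();
  const fh = await root.getFileHandle('probe.bin', { create: true });
  const h = await fh.createSyncAccessHandle();
  if (h.getSize() < fileBytes) {
    const chunk = new Uint8Array(FILL_CHUNK);
    for (let off = 0; off < fileBytes; off += chunk.length) {
      crypto.getRandomValues(chunk);
      h.write(chunk, { at: off });
    }
    h.flush();
  }
  const buf = new Uint8Array(BLOCK);
  const trace = new Float64Array(samples);
  const blocks = Math.floor(fileBytes / BLOCK);
  for (let i = 0; i < samples; i++) {
    const at = Math.floor(Math.random() * blocks) * BLOCK;
    const t0 = performance.now();
    h.read(buf, { at });
    trace[i] = performance.now() - t0;   // read latency in milliseconds
  }
  h.close();
  return trace;
}

// Pure helpers, usable on any trace. Contention from other processes shows up
// as reads that are much slower than the quiet baseline; summarise a trace as
// its median latency, the fraction of slow reads, and a coarse time series of
// slow-read counts (the kind of shape a classifier would be trained on).
function median(xs) {
  const s = Float64Array.from(xs).sort();
  const m = s.length >> 1;
  return s.length % 2 ? s[m] : (s[m - 1] + s[m]) / 2;
}

function traceFeatures(trace, { slowFactor = 4, windows = 8 } = {}) {
  const baselineMs = median(trace);
  const slow = Array.from(trace, (t) => t > slowFactor * baselineMs);
  const per = Math.ceil(trace.length / windows);
  const series = [];
  for (let w = 0; w < windows; w++) {
    let n = 0;
    for (let i = w * per; i < Math.min((w + 1) * per, trace.length); i++) {
      if (slow[i]) n++;
    }
    series.push(n);
  }
  const slowFraction = slow.filter(Boolean).length / trace.length;
  return { baselineMs, slowFraction, series };
}
```

Nothing here identifies a site or an app on its own; the signal is only the pattern of slow reads over time. The defensive advice in the article follows directly from the code: the probe file is large and persistent, so a visited site whose storage usage suddenly grows by a gigabyte (visible in the browser's per-site storage settings) is the thing to look for, and a browser-side cap on OPFS file size removes the primitive entirely.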
One of the best ways to prevent FROST attacks is to close tabs as soon as they're no longer needed. More savvy users can monitor the creation and size of OPFS files allocated by unknown websites. The researchers proposed ways for browser makers to shut down the side channel. One such method is to limit the maximum size of such files that are allowed. There are no indications FROST attacks have been performed in the wild.
The researchers performed the full FROST attack on an M2 Mac. On Linux, they showed that the underlying primitive-- measuring SSD access latency traces from JavaScript-- works, but didn't run the full attack.
"However, since the performance of the primitive is similar between macOS and Linux, we expect similar performance for the full classification," Hannes Weissteiner, one of the co-authors, wrote in an email. "In principle, it would be possible to train a model on any system activity that reliably generates SSD accesses."
The researchers did not test Windows.
The paper provides many more technical details. The research is scheduled to be presented at the DIMVA conference in July.
Every Color Laser Printer in America secretly Encodes your Identity on every Page you Print - Here's What those Dots Say
By Kim Komando
The Secret Service asked printer companies to embed invisible tracking dots on every page, starting in the 1980s. The dots reveal your printer's serial number, the date and exact time of printing. The program never stopped.
Look closely at the image for this story. See those tiny yellow dots, arranged in a faint grid?
They're on every page you've ever printed using a color laser printer. And they contain more than most people ever knew to look for.
If you hold a blue LED flashlight over that page in a dim room, a pattern emerges. These are called Machine Identification Codes. Printer manufacturers started embedding them in the 1980s at the direct request of the US Secret Service.
The goal was to catch counterfeiters. If someone printed fake currency, investigators could trace the bills back to the specific machine. It worked. And it never stopped.
What those dots reveal
The yellow dot pattern encodes your printer's serial number, the date the page was printed and the time down to the minute. Invisible to the naked eye. Fully readable by investigators with the right tools. In 2005, the Electronic Frontier Foundation reverse-engineered the code used by Xerox DocuColor printers and published a decoding guide; other manufacturers use their own encodings.
EFF's list of printers found to produce tracking dots spans every major brand. HP, Canon, Xerox, Brother, Epson. If you've printed anything on a color laser printer since the early 1990s, those pages carry an invisible fingerprint tied back to your machine.
Law enforcement uses it. In 2017, NSA contractor Reality Winner was identified after leaking a classified document to a news outlet. The scans the outlet published still carried the dots, which revealed the printer's serial number and the date and time of printing, and investigators narrowed the leak to the handful of employees who had printed the document on that machine.
What you can do
Inkjet printers don't use this system. Only color laser printers. You can test this yourself tonight. Print any page on a color laser printer.
Hold a blue LED flashlight over the blank white areas in a dim room. Look for a faint grid of yellow dots. You'll find them.
Your printer has been quietly filing reports on you for decades. You never got a copy.
How Stores Use Your Phone to Track You
FBI seeks US-wide Access to License Plate Cameras, wants 'Data in Near Real Time'
By Jon Brodkin for Ars Technica
FBI will pay vendors to help it track and search for vehicles nationwide.
Flock license plate reader and camera with solar panel in Pleasant Hill, California on April 16, 2026. Credit: Getty Images | Smith Collection/Gado
The Federal Bureau of Investigation announced plans to buy nationwide access to a network of license plate readers, saying it will award contracts to one or more vendors that can offer "near real time" information from cameras across the US. The proposed contract is for the FBI Directorate of Intelligence.
"To evaluate and manage threats to personal safety, property, and law enforcement, the FBI requires professional service firms that can provide License Plate Readers (LPRs) for tracking subjects on roads and highways over the US and its territories," the FBI said in a Request for Proposals (RFP) published on May 14. The FBI said the winning bidder or bidders "must provide law enforcement and/or commercial license plate reader data provided through the Contractor's existing platform." The system must cover 75% of locations, the FBI said.
The system must offer the ability to search for license plate information "and other descriptive data such as vehicle description information, time/date criteria, and geo-location criteria," the FBI said. "Additionally, the system must provide search result notifications. The Contractor system must have the ability to access and/or query cameras across the United States and its territories. The Contractor system must be capable of providing this data in near real time."
Contractors have to be able "to share/create maps depicting camera coverage-- i.e. heat mapping"-- and "provide the FBI the source of information-- i.e. red-light cameras, repossession vendors, speed cameras, etc."-- the FBI said. The FBI said it needs to be able to search the database for partial or full plate numbers, plate states, addresses, locations where a plate was scanned, and vehicle makes and models.
Flock and Motorola Solutions potential bidders
The RFP divides the proposal into 6 regions covering the continental US, Hawaii, Alaska, Puerto Rico, and territories such as Guam and the US Virgin Islands. The FBI said it may award contracts to 1 or 2 vendors in each region. The deals can be for up to 5 years, with all deals combined potentially worth $36 million. The FBI said a contractor's system has to be available to FBI users via a website.
Flock and Motorola Solutions are well-positioned to bid on the contract, as 404 Media noted yesterday. Both companies could win part of the job, as the FBI said it may award contracts to multiple vendors to achieve its desired level of access.
Flock's Automated License Plate Readers (ALPRs) are sold to local police departments. The company boasts of having deals with "over 12,000 public safety customers including cities, towns, counties, and business partners." Motorola Solutions sells license plate reader cameras that can be installed on busy roadways or mounted on police cars.
License plate reader cameras have raised concerns about privacy, data security, and errors in plate number recognition systems leading to wrongful arrests. 404 Media reported last year that local police departments performed searches of the Flock license plate reader system for US Immigration and Customs Enforcement (ICE), "giving federal law enforcement side-door access to a tool that it currently does not have a formal contract for."
The FBI already "runs a License Plate Reader program to facilitate LPR information sharing with and between its law enforcement partners," a Congressional Research Service report says. The US agency "maintains a hot list of vehicle data against which law enforcement agencies can compare their LPR data."
The FBI intelligence division's plan to obtain direct access to an extensive network of cameras could help expand that information sharing. As the FBI notes, its intelligence division shares information with a variety of federal, state, local, and tribal law enforcement agencies.
Flock: Sharing is 'opt-in' for local police
Flock itself temporarily provided access to Customs and Border Protection, Homeland Security Investigations, the Secret Service, and Naval Criminal Investigative Service as part of a pilot last year. Flock confirmed the pilot to the office of Sen. Ron Wyden (D-Ore.), according to Wyden. Flock says it has federal customers "including National Parks, Veterans Affairs hospitals, and military bases," but that it does not work with ICE.
Federal attempts to access data could be limited by company policies. Flock says that communities using its cameras may grant data access to federal agencies, but that sharing with federal agencies is disabled by default. In March, Flock said it was "defining a new relationship with federal law enforcement," including conditions to maintain local control over the sharing of data.
"Flock data belongs to the agency that owns the cameras. There is no backdoor into Flock. Any access is explicitly permission-based and opt-in by the local agency," the company said.
We contacted Flock and Motorola Solutions and will update this article if they provide any comment.
There are also state laws limiting data access. California prohibits state and local agencies from sharing ALPR camera data with out-of-state or federal law enforcement agencies. The Electronic Frontier Foundation (EFF) said in January 2024 that dozens of California law enforcement agencies violated the law by sharing ALPR information with out-of-state agencies.
A Virginia law enacted last year imposed similar limits. The FBI's request for proposals said contractors must identify the location of servers where data is stored to verify compliance with state and local laws on license plate reader data.
"To evaluate and manage threats to personal safety, property, and law enforcement, the FBI requires professional service firms that can provide License Plate Readers (LPRs) for tracking subjects on roads and highways over the US and its territories," the FBI said in a Request for Proposals (RFP) published on May 14. The FBI said the winning bidder or bidders "must provide law enforcement and/or commercial license plate reader data provided through the Contractor's existing platform." The system must cover 75% of locations, the FBI said.
The system must offer the ability to search for license plate information "and other descriptive data such as vehicle description information, time/date criteria, and geo-location criteria," the FBI said. "Additionally, the system must provide search result notifications. The Contractor system must have the ability to access and/or query cameras across the United States and its territories. The Contractor system must be capable of providing this data in near real time."
Contractors have to be able "to share/create maps depicting camera coverage-- i.e. heat mapping"-- and "provide the FBI the source of information-- i.e. red-light cameras, repossession vendors, speed cameras, etc."-- the FBI said. The FBI said it needs to be able to search the database for partial or full plate numbers, plate states, addresses, locations where a plate was scanned, and vehicle makes and models.
Flock and Motorola Solutions potential bidders
The RFP divides the proposal into 6 regions covering the continental US, Hawaii, Alaska, Puerto Rico, and territories such as Guam and the US Virgin Islands. The FBI said it may award contracts to 1 or 2 vendors in each region. The deals can be for up to 5 years, with all deals combined potentially worth $36 million. The FBI said a contractor's system has to be available to FBI users via a website.
Flock and Motorola Solutions are well-positioned to bid on the contract, as 404 Media noted yesterday. Both companies could win part of the job, as the FBI said it may award contracts to multiple vendors to achieve its desired level of access.
Flock's Automated License Plate Readers (ALPRs) are sold to local police departments. The company boasts of having deals with "over 12,000 public safety customers including cities, towns, counties, and business partners." Motorola Solutions sells license plate reader cameras that can be installed on busy roadways or mounted on police cars.
License plate reader cameras have raised concerns about privacy, data security, and errors in plate number recognition systems leading to wrongful arrests. 404 Media reported last year that local police departments performed searches of the Flock license plate reader system for US Immigration and Customs Enforcement (ICE), "giving federal law enforcement side-door access to a tool that it currently does not have a formal contract for."
The FBI already "runs a License Plate Reader program to facilitate LPR information sharing with and between its law enforcement partners," a Congressional Research Service report says. The US agency "maintains a hot list of vehicle data against which law enforcement agencies can compare their LPR data."
The FBI intelligence division's plan to obtain direct access to an extensive network of cameras could help expand that information sharing. As the FBI notes, its intelligence division shares information with a variety of federal, state, local, and tribal law enforcement agencies.
Flock: Sharing is 'opt-in' for local police
Flock itself temporarily provided access to Customs and Border Protection, Homeland Security Investigations, the Secret Service, and Naval Criminal Investigative Service as part of a pilot last year. Flock confirmed the pilot to the office of Sen. Ron Wyden (D-Ore.), according to Wyden. Flock says it has federal customers "including National Parks, Veterans Affairs hospitals, and military bases," but that it does not work with ICE.
Federal attempts to access data could be limited by company policies. Flock says that communities using its cameras may grant data access to federal agencies, but that sharing with federal agencies is disabled by default. In March, Flock said it was "defining a new relationship with federal law enforcement," including conditions to maintain local control over the sharing of data.
"Flock data belongs to the agency that owns the cameras. There is no backdoor into Flock. Any access is explicitly permission-based and opt-in by the local agency," the company said.
We contacted Flock and Motorola Solutions and will update this article if they provide any comment.
There are also state laws limiting data access. California prohibits state and local agencies from sharing ALPR camera data with out-of-state or federal law enforcement agencies. The Electronic Frontier Foundation (EFF) said in January 2024 that dozens of California law enforcement agencies violated the law by sharing ALPR information with out-of-state agencies.
A Virginia law enacted last year imposed similar limits. The FBI's request for proposals said contractors must identify the location of servers where data is stored to verify compliance with state and local laws on license plate reader data.
5 Signs Someone Might be Taking Advantage of Your Security Goodness
Not everyone in a security department is acting in good faith, and they'll do what they can to bypass those who do. Here's how to spot them.
Wikipedia defines "good faith" as "a sincere intention to be fair, open, and honest, regardless of the outcome of the interaction." A person who acts in good faith must be truthful and forthcoming with information, even if it affects the end state of a negotiation or transaction. In other words, lying and withholding information, by their very nature, make an interaction anything but good faith.
For many security professionals, good faith is the only way they know how to operate. Unfortunately, the security profession, like any profession, has its share of bad faith actors, too. For example, consider a co-worker who is underperforming and introducing unnecessary risk into the security organization. In certain cases, underperformers will look to sabotage others rather than improve the quality of their work. Or, as another example, consider a bad faith actor who is out to gain competitive intelligence or other information that can be used for any number of purposes, including social engineering.
How can good faith security practitioners identify bad actors and understand when they're being taken advantage of? Here are 5 signs.
1. Information hoarding: Ever had a conversation, meeting, chat correspondence, or email exchange that feels more like an interrogation than a two-way exchange of information? This is a well-known trick of, and sign of, a bad faith actor. By the time most good faith actors catch on to the fact that the information flow is entirely one-way, they've already given the bad faith actor a wealth of information.
2. My way or the highway: As a generally rational bunch, good faith actors understand that life is a give and take. But bad faith actors know only how to take, making it difficult to negotiate. Their only concern is what they want, and they will employ a variety of tactics to get what they want while offering little to nothing in return. Unfortunately, good faith actors often fall for this approach, as they would rather disengage and get back to constructive activities than get dirty wrestling in the mud with a bad actor.
3. False generosity: When bad faith actors seek to manipulate people or situations, they will sometimes make what appears to be a generous offer. However, these offers often come at a tremendous cost. How so? If a good faith actor takes a bad faith actor up on an offer, it could be used against them in the future. The bad faith actor could also attempt to convince others of their "good nature" and "generosity" by pointing to a good faith actor who took the offer.
4. Bait and switch: Bait and switch is one of the oldest tricks in the book. As the Latin phrase so aptly states, caveat emptor: Buyer beware. Bad faith actors will often make promises of something they have absolutely no intention of giving to extract what they want from good actors. Once they have what they were after, they go quiet or become evasive. The chances of a good faith actor ever seeing what they wanted are very slim.
5. Promoting a narrative: One way bad faith actors seek out, persuade, and take advantage of new victims is by surrounding themselves with a chorus of approvers. This "posse," of sorts, may consist of witting and/or unwitting accomplices. In some cases, accomplices were recruited via lies or manipulation. In other cases, the accomplices may have their own motivations for why they wish to partake in certain bad faith activities. In any event, bad faith actors will often promote a narrative to help convince new audiences they can be believed. This can be difficult to navigate and often catches good faith actors by surprise.
In the end, a heaping dose of awareness of misleading behaviors, and even a bit of healthy cynicism about them, can stop bad faith actors from taking advantage and achieving their goals.
© vocalbits.com