Policy

Republicans in Congress try to kill FCC’s broadband discrimination rules

US Rep. Andrew Clyde (R-Ga.) speaks to the press on June 13, 2023, in Washington, DC.

More than 65 Republican lawmakers this week introduced legislation to nullify rules that prohibit discrimination in access to broadband services.

The Federal Communications Commission approved the rules in November despite opposition from broadband providers. The FCC’s two Republicans dissented in the 3-2 vote. While the FCC was required by Congress to issue anti-discrimination rules, Republicans argue that the agency’s Democratic majority wrote rules that are too broad.

On Tuesday this week, US House Republicans submitted a resolution of disapproval that would use Congressional Review Act authority to kill the anti-discrimination rules. “Under the guise of ‘equity,’ the Biden administration is attempting to radically expand the federal government’s control of all Internet services and infrastructure,” lead sponsor Rep. Andrew Clyde (R-Ga.) said.

Clyde alleged that the “FCC’s so-called ‘digital discrimination’ rule hands bureaucrats unmitigated regulatory authority that will undoubtedly impede innovation, burden consumers, and generate censorship concerns,” and that it is an “unconstitutional power grab.”

Bill co-sponsor Rep. Buddy Carter (R-Ga.) complained about what he called “the FCC’s totalitarian overreach,” which he said “goes against the very core of free market capitalism.”

Clyde and Carter said their resolution is supported by telecom industry trade groups USTelecom and CTIA, and various conservative advocacy groups. The lawmakers’ press releases included a quote from Americans for Tax Reform President Grover Norquist, who said the resolution is “an opportunity to reverse the FCC’s takeover of the Internet.”

Lawsuits more likely to block rules

In 2017, Republicans used the same Congressional Review Act authority to block broadband-privacy rules. But this time, they essentially have no chance of success.

While Republicans currently have a majority in the House, they’d be unlikely to get the new resolution approved in both chambers because of the Senate’s Democratic majority. Congressional Review Act resolutions of disapproval can also be vetoed by the president.

A more likely path to getting the rules blocked is through the courts. The US Chamber of Commerce sued the FCC this week in an attempt to block the rules, arguing that the FCC exceeded its legal authority.

The lawsuit was filed in the US Court of Appeals for the 5th Circuit, which is generally considered to be one of the most conservative US appeals courts. The Chamber has argued that the FCC rules “micromanag[e] broadband providers through price controls, terms of service requirements, and counterproductive labor provisions.”

ISPs are suing the FCC, too. The Texas Cable Association joined the Chamber of Commerce lawsuit. Separate lawsuits were filed in the 8th and 11th Circuit appeals courts by the Minnesota Telecom Alliance and Florida Internet & Television Association.

Cops arrest 17-year-old suspected of hundreds of swattings nationwide

Coordinated effort —

Police traced swatting calls to teen’s home IP addresses.

Booking photo of Alan Filion, charged with multiple felonies connected to a “swatting” incident at the Masjid Al Hayy Mosque in Sanford, Florida.

Police suspect that a 17-year-old from California, Alan Filion, may be responsible for “hundreds of swatting incidents and bomb threats” targeting the Pentagon, schools, mosques, FBI offices, and military bases nationwide, CNN reported.

Swatting occurs when fraudulent calls to police trigger emergency response teams to react forcefully to non-existent threats.

Recently extradited to Florida, Filion was charged with multiple felonies after the Seminole County Sheriff’s Office (SCSO) traced a call where Filion allegedly claimed to be a mass shooter entering the Masjid Al Hayy Mosque in Sanford, Florida. The caller played “audio of gunfire in the background,” SCSO said, while referencing Satanism and claiming he had a handgun and explosive devices.

Approximately 30 officers responded to the call in May 2023, then determined it was a swatting incident after finding no shooter and confirming that mosque staff was safe. In a statement, SCSO Sheriff Dennis Lemma said that “swatting is a perilous and senseless crime, which puts innocent lives in dangerous situations and drains valuable resources” by prompting a “substantial law enforcement response.”

Seminole County authorities coordinated with the FBI and Department of Justice to track the alleged “serial swatter” down, ultimately arresting Filion on January 18. According to SCSO, police were able to track down Filion after he allegedly “created several accounts on websites offering swatting services” that were linked to various IP addresses connected to his home address. The FBI then served a search warrant on the residence and found “incriminating evidence.”

Filion has been charged as an adult for a variety of offenses, including making a false report while facilitating or furthering an act of terrorism. He is currently being detained in Florida, CNN reported.

Earlier this year, Sen. Rick Scott (R-Fla.) introduced legislation to “crack down” on swattings after he became a target at his home in December. If passed, the Preserving Safe Communities by Ending Swatting Act would impose strict penalties, including a maximum sentence of 20 years in prison for any swatting that leads to serious injuries. If death results, bad actors risk a lifetime sentence. That bill is currently under review by the House Judiciary Committee.

“We must send a message to the cowards behind these calls—this isn’t a joke, it’s a crime,” Scott said.

Last year, Sen. Chuck Schumer (D-NY) warned that an “unprecedented wave” of swatting attacks in just two weeks had targeted 11 states, including more than 200 schools across New York. In response, Schumer called for over $10 million in FBI funding to “specifically tackle the growing problem of swatting.”

Schumer said it was imperative that the FBI begin tracking the incidents more closely, not just to protect victims from potentially deadly swattings, but also to curb costs to law enforcement and prevent unnecessary delays of emergency services tied up by hoax threats.

As a result of Schumer’s push, the FBI announced it would finally begin tracking swatting incidents nationwide. Hundreds of law enforcement agencies and police departments now rely on an FBI database to share information on swatting incidents.

Coordination appears to be key to solving these cases. Lemma noted that SCSO has an “unwavering dedication” to holding swatters accountable, “regardless of where they are located.” His office confirmed that investigators suspect that Filion may have also been behind “other swatting incidents” across the US. SCSO said that it will continue coordinating with local authorities investigating those incidents.

“Make no mistake, we will continue to work tirelessly in collaboration with our policing partners and the judiciary to apprehend swatting perpetrators,” Lemma said. “Gratitude is extended to all agencies involved at the local, state, and federal levels, and this particular investigation and case stands as a stern warning: swatting will face zero tolerance, and measures are in place to identify and prosecute those responsible for such crimes.”

FCC to declare AI-generated voices in robocalls illegal under existing law

AI and robocalls —

Robocalls with AI voices to be regulated under Telephone Consumer Protection Act.

The Federal Communications Commission plans to vote on making the use of AI-generated voices in robocalls illegal. The FCC said that AI-generated voices in robocalls have “escalated during the last few years” and have “the potential to confuse consumers with misinformation by imitating the voices of celebrities, political candidates, and close family members.”

FCC Chairwoman Jessica Rosenworcel’s proposed Declaratory Ruling would rule that “calls made with AI-generated voices are ‘artificial’ voices under the Telephone Consumer Protection Act (TCPA), which would make voice cloning technology used in common robocalls scams targeting consumers illegal,” the commission announced yesterday. Commissioners reportedly will vote on the proposal in the coming weeks.

A recent anti-voting robocall used an artificially generated version of President Joe Biden’s voice. The calls told Democrats not to vote in the New Hampshire Presidential Primary election.

An analysis by the company Pindrop concluded that the artificial Biden voice was created using a text-to-speech engine offered by ElevenLabs. That conclusion was apparently confirmed by ElevenLabs, which reportedly suspended the account of the user who created the deepfake.

FCC ruling could help states crack down

The TCPA, a 1991 US law, bans the use of artificial or prerecorded voices in most non-emergency calls “without the prior express consent of the called party.” The FCC is responsible for writing rules to implement the law, which is punishable with fines.

As the FCC noted yesterday, the TCPA “restricts the making of telemarketing calls and the use of automatic telephone dialing systems and artificial or prerecorded voice messages.” Telemarketers are required “to obtain prior express written consent from consumers before robocalling them. If successfully enacted, this Declaratory Ruling would ensure AI-generated voice calls are also held to those same standards.”

The FCC has been thinking about revising its rules to account for artificial intelligence for at least a few months. In November 2023, it launched an inquiry into AI’s impact on robocalls and robotexts.

Rosenworcel said her proposed ruling will “recognize this emerging technology as illegal under existing law, giving our partners at State Attorneys General offices across the country new tools they can use to crack down on these scams and protect consumers.

“AI-generated voice cloning and images are already sowing confusion by tricking consumers into thinking scams and frauds are legitimate,” Rosenworcel said. “No matter what celebrity or politician you favor, or what your relationship is with your kin when they call for help, it is possible we could all be a target of these faked calls.”

Elon Musk proposes Tesla move to Texas after Delaware judge voids $56 billion pay

Don’t mess with Tesla —

Musk is sick of Delaware judges, says shareholders will vote on move to Texas.

Tesla CEO Elon Musk speaks at Tesla’s “Cyber Rodeo” on April 7, 2022, in Austin, Texas.

Tesla CEO Elon Musk has had enough of Delaware after a state court ruling voided his $55.8 billion pay package. Musk said last night that Tesla will hold a shareholder vote on transferring the electric carmaker’s state of incorporation to Texas.

Musk had posted a poll on X (formerly Twitter) asking whether Tesla should “change its state of incorporation to Texas, home of its physical headquarters.” After over 87 percent of people voted yes, Musk wrote, “The public vote is unequivocally in favor of Texas! Tesla will move immediately to hold a shareholder vote to transfer state of incorporation to Texas.”

Tesla was incorporated in 2003 before Musk joined the company. Its founders chose Delaware, a common destination because of the state’s low corporate taxes and business-friendly legal framework. The Delaware government says that over 68 percent of Fortune 500 companies are registered in the state, and 79 percent of US-based initial public offerings in 2022 were registered in Delaware.

One reason for choosing Delaware is the state’s Court of Chancery, where cases are decided not by juries but by judges who specialize in corporate law. On Tuesday, Court of Chancery Judge Kathaleen McCormick ruled that Musk’s $55.8 billion pay package was unfair to shareholders and must be rescinded.

McCormick’s ruling in favor of the plaintiff in a shareholder lawsuit said that most of Tesla’s board members “were beholden to Musk or had compromising conflicts.” McCormick also concluded that the Tesla board gave shareholders inaccurate and misleading information in order to secure approval of Musk’s “unfathomable” pay plan.

Musk a fan of Texas and Nevada

Musk yesterday shared a post claiming that McCormick’s ruling “is another clear example of the Biden administration and its allies weaponizing the American legal system against their political opponents.”

McCormick previously oversaw the Twitter lawsuit that forced Musk to complete a $44 billion purchase despite his attempt to break a merger agreement. After Musk became Twitter’s owner, he merged the company into X Corp., which is registered in Nevada.

“Never incorporate your company in the state of Delaware,” Musk wrote in a post after the Delaware court ruling. “I recommend incorporating in Nevada or Texas if you prefer shareholders to decide matters,” he also wrote.

Last year, Texas enacted a law to create business courts that will hear corporate cases. The courts are slated to begin operating on September 1, 2024. Musk is clearly hoping the new Texas courts will be more deferential to Tesla on executive pay if the company is sued again after his next pay plan is agreed on.

Tesla shareholders who will be asked to vote on a corporate move to Texas “need to take a hard look at how transitioning out of Delaware might impact their rights and the company’s governance,” Reuters quoted business adviser Keith Donovan as saying.

Reuters quoted AJ Bell investment analyst Dan Coatsworth as saying that “Elon Musk’s plan to change Tesla’s state of incorporation from Delaware to Texas is typical behavior for the entrepreneur who always looks for an alternative if he can’t get what he wants.”

Cops bogged down by flood of fake AI child sex images, report says

“Particularly heinous” —

Investigations tied to harmful AI sex images will grow “exponentially,” experts say.

Law enforcement is continuing to warn that a “flood” of AI-generated fake child sex images is making it harder to investigate real crimes against abused children, The New York Times reported.

Last year, after researchers uncovered thousands of realistic but fake AI child sex images online, every attorney general across the US quickly called on Congress to set up a committee to squash the problem. But so far, Congress has moved slowly, while only a few states have specifically banned AI-generated non-consensual intimate imagery. Meanwhile, law enforcement continues to struggle with figuring out how to confront bad actors found to be creating and sharing images that, for now, largely exist in a legal gray zone.

“Creating sexually explicit images of children through the use of artificial intelligence is a particularly heinous form of online exploitation,” Steve Grocki, the chief of the Justice Department’s child exploitation and obscenity section, told The Times. Experts told The Washington Post in 2023 that risks of realistic but fake images spreading included normalizing child sexual exploitation, luring more children into harm’s way, and making it harder for law enforcement to find actual children being harmed.

In one example, the FBI announced earlier this year that an American Airlines flight attendant, Estes Carter Thompson III, was arrested “for allegedly surreptitiously recording or attempting to record a minor female passenger using a lavatory aboard an aircraft.” A search of Thompson’s iCloud revealed “four additional instances” where Thompson allegedly recorded other minors in the lavatory, as well as “over 50 images of a 9-year-old unaccompanied minor” sleeping in her seat. While police attempted to identify these victims, they also “further alleged that hundreds of images of AI-generated child pornography” were found on Thompson’s phone.

The troubling case seems to illustrate how AI-generated child sex images can be linked to real criminal activity while also showing how police investigations could be bogged down by attempts to distinguish photos of real victims from AI images that could depict real or fake children.

Robin Richards, the commander of the Los Angeles Police Department’s Internet Crimes Against Children task force, confirmed to the NYT that due to AI, “investigations are way more challenging.”

And because image generators and AI models that can be trained on photos of children are widely available, “using AI to alter photos” of children online “is becoming more common,” Michael Bourke—a former chief psychologist for the US Marshals Service who spent decades supporting investigations into sex offenses involving children—told the NYT. Richards said that cops don’t know what to do when they find these AI-generated materials.

Currently, there aren’t many cases involving AI-generated child sex abuse materials (CSAM), The NYT reported, but experts expect that number will “grow exponentially,” raising “novel and complex questions of whether existing federal and state laws are adequate to prosecute these crimes.”

Platforms struggle to monitor harmful AI images

At a Senate Judiciary Committee hearing today grilling Big Tech CEOs over child sexual exploitation (CSE) on their platforms, Linda Yaccarino—CEO of X (formerly Twitter)—warned in her opening statement that artificial intelligence is also making it harder for platforms to monitor CSE. Yaccarino suggested that industry collaboration is imperative to get ahead of the growing problem, as is providing more resources to law enforcement.

However, US law enforcement officials have indicated that platforms are also making it harder to police CSAM and CSE online. Platforms relying on AI to detect CSAM are generating “unviable reports” that gum up investigations managed by already underfunded law enforcement teams, The Guardian reported. And the NYT reported that other investigations are being thwarted by the addition of end-to-end encryption options to messaging services, which “drastically limit the number of crimes the authorities are able to track.”

The NYT report noted that in 2002, the Supreme Court struck down a law that had been on the books since 1996 preventing “virtual” or “computer-generated child pornography.” South Carolina’s attorney general, Alan Wilson, has said that AI technology available today may test that ruling, especially if minors continue to be harmed by fake AI child sex images spreading online. In the meantime, federal laws such as obscenity statutes may be used to prosecute cases, the NYT reported.

Congress has recently re-introduced some legislation to directly address AI-generated non-consensual intimate images after a wide range of images depicting fake AI porn of pop star Taylor Swift went viral this month. That includes the Disrupt Explicit Forged Images and Non-Consensual Edits Act, which creates a federal civil remedy for any victims of any age who are identifiable in AI images depicting them as nude or engaged in sexually explicit conduct or sexual scenarios.

There’s also the “Preventing Deepfakes of Intimate Images Act,” which seeks to “prohibit the non-consensual disclosure of digitally altered intimate images.” That was re-introduced this year after teen boys generated AI fake nude images of female classmates and spread them around a New Jersey high school last fall. Francesca Mani, one of the teen victims in New Jersey, was there to help announce the proposed law, which includes penalties of up to two years imprisonment for sharing harmful images.

“What happened to me and my classmates was not cool, and there’s no way I’m just going to shrug and let it slide,” Mani said. “I’m here, standing up and shouting for change, fighting for laws, so no one else has to feel as lost and powerless as I did on October 20th.”

Comcast reluctantly agrees to stop its misleading “10G Network” claims

10G or not 10G —

Comcast said it will drop “Xfinity 10G Network” brand name after losing appeal.

Comcast has reluctantly agreed to discontinue its “Xfinity 10G Network” brand name after losing an appeal of a ruling that found the marketing term was misleading. It will keep using the term 10G in other ways, however.

Verizon and T-Mobile both challenged Comcast’s advertising of 10G, a term used by cable companies since it was unveiled in January 2019 by industry lobby group NCTA-The Internet & Television Association. We wrote in 2019 that the cable industry’s 10G marketing was likely to confuse consumers and seemed to be a way of countering 5G hype generated by wireless companies.

10G doesn’t refer to the 10th generation of a technology. It is a reference to potential 10Gbps broadband connections, which would be much faster than the actual speeds on standard cable networks today.

The challenges lodged against Comcast marketing were filed with the advertising industry’s self-regulatory system run by BBB National Programs. BBB’s National Advertising Division (NAD) ruled against Comcast in October 2023, but Comcast appealed to the National Advertising Review Board (NARB).

The NARB announced its ruling today, agreeing with the NAD that “Comcast should discontinue use of the term 10G, both when used in the name of the service itself (‘Xfinity 10G Network’) as well as when used to describe the Xfinity network. The use of 10G in a manner that is not false or misleading and is consistent with the panel decision is not precluded by the panel recommendations.”

“Comcast will discontinue brand name”

Comcast agreed to make the change in an advertiser’s statement that it provided to the NARB. “Although Comcast strongly disagrees with NARB’s analysis and approach, Comcast will discontinue use of the brand name ‘Xfinity 10G Network’ and will not use the term ‘10G’ in a manner that misleadingly describes the Xfinity network itself,” Comcast said.

Comcast said it disagrees with “the recommendation to discontinue the brand name” because the company “makes available 10Gbps of Internet speed to 98 percent of its subscribers upon request.” But those 10Gbps speeds aren’t available in Comcast’s typical service plans and require a fiber-to-the-home connection instead of a standard cable installation.

The Comcast “Gigabit Pro” fiber connection that provides 10Gbps speeds costs $299.95 a month plus a $19.95 modem lease fee. It also requires a $500 installation charge and a $500 activation charge.

Comcast said it may still use 10G in ways that are less likely to confuse consumers. “Consistent with the panel’s recommendation… Comcast reserves the right to use the term ‘10G’ or ‘Xfinity 10G’ in a manner that does not misleadingly describe the Xfinity network itself,” the company said.

When contacted by Ars, a Comcast spokesperson said, “We disagree with the decision but are pleased that we have confirmed our continued use of 10G in advertising.”

Comcast claims “not supported”

The NARB said the “recent availability of 10G speeds through [the Gigabit Pro] service tier does not support the superior speed claim (or a 10Gbps claim) for the Xfinity network as a whole.” As the NARB noted, there is an “absence” of data showing how many Comcast customers actually use that service.

The NARB also said that 10G is misleading because of the implied comparison to 5G wireless networks. “The NARB panel concluded that 10G expressly communicates at a minimum that users of the Xfinity network will experience significantly faster speeds than are available on 5G networks,” the announcement of the ruling said. “This express claim is not supported because the record does not contain any data comparing speeds experienced by Xfinity network users with speeds experienced by subscribers to 5G networks.”

As the NAD has previously stated, 10G is more of an “aspirational” term rather than something that’s offered over today’s cable networks. Over the past five years, the NCTA has been using the term 10G to describe just about any improvement to cable networks, regardless of the actual speeds.

The NCTA coincidentally issued a press release yesterday hailing the fifth anniversary of its first 10G announcement. “Five years on, the future is even closer… Here in 2024, the promise of 10G is becoming more and more of a reality,” the NCTA said.

The announcement listed some examples of multi-gigabit (but not 10-gigabit) cable speeds, some of which were only achieved in lab testing or demos. NCTA claimed that “10G can change lives” and that the “10G platform will facilitate the next great technological advancements in the coming decades, ensuring fast, reliable, and safe networks continue to power the American economy.”

For all of you cable broadband users, just remember to ignore “10G” in cable-company marketing and check the actual speeds you’re paying for.

Lawsuit: Citibank refused to reimburse scam victims who lost “life savings”

Online banking fraud —

Citibank’s poor security helped scammers steal millions, NY AG’s lawsuit says.

The Citibank logo on a bank in New York City in January 2024.

Citibank has illegally refused to reimburse scam victims who lost money due partly to Citibank’s poor online security practices, New York Attorney General Letitia James alleged in a lawsuit filed today in US District Court for the Southern District of New York.

“The lawsuit alleges that Citi does not implement strong online protections to stop unauthorized account takeovers, misleads account holders about their rights after their accounts are hacked and funds are stolen, and illegally denies reimbursement to victims of fraud,” James’ office said in a press release.

The AG’s office alleged that Citi customers “have lost their life savings, their children’s college funds, or even money needed to support their day-to-day lives as a result of Citi’s illegal and deceptive acts and practices.”

“Defendant Citi has not deployed sufficiently robust data security measures to protect consumer financial accounts, respond appropriately to red flags, or limit theft by scam,” the lawsuit said. “Instead, Citi has overpromised and underdelivered on security, reacted ineffectively to fraud alerts, misled consumers, and summarily denied their claims. Citi’s illegal and deceptive practices have cost New Yorkers millions.”

Citi approved large wire transfers

Describing the case of a New York woman who lost $35,000 to a scammer in July 2022, the AG’s press release stated:

She was reviewing her online account and found a message that her account had been suspended and was instructed to call a phone number. She called the number provided and a scammer told her that he would send her Citi codes to verify recent suspicious activity. The scammer then transferred all of the money in the customer’s three savings accounts into her checking account, changed her online passwords, and attempted a $35,000 wire transfer.

Citi attempted to verify the wire transfer by calling the customer, but she was working and did not see the call at the time. Less than an hour later, the scammer attempted another $35,000 wire transfer, which Citi approved without ever having made direct contact with the customer. She lost nearly everything she had saved, and Citi refused to reimburse her.

In an October 2021 incident, a customer clicked a link in a scammer’s message “but did not provide additional information” and then “called her local branch to report the suspicious activity but was told not to worry about it,” the AG’s office said.

“Three days later, the customer discovered that a scammer changed her banking password, enrolled in online wire transfers, transferred $70,000 from her savings to her checking account, and then electronically executed a $40,000 wire transfer, none of which was consistent with her past account activity,” the AG’s office said. “For weeks, the customer continued to contact the bank and submit affidavits, but in the end, she was told that her claim for fraud was denied.”

Citi: No refunds when people “follow criminals’ instructions”

Citi defended its security and refund practices in a statement provided to Ars.

“Citi closely follows all laws and regulations related to wire transfers and works extremely hard to prevent threats from affecting our clients and to assist them in recovering losses when possible. Banks are not required to make clients whole when those clients follow criminals’ instructions and banks can see no indication the clients are being deceived,” the company said.

Citi acknowledged that there has been an “industry-wide surge in wire fraud during the last several years,” and said it has “taken proactive steps to safeguard our clients’ accounts with leading security protocols, intuitive fraud prevention tools, clear insights about the latest scams, and driving client awareness and education. Our actions have reduced client wire fraud losses significantly, and we remain committed to investing in fraud prevention measures to help our clients secure their accounts against emerging threats.”

James’ lawsuit argues that Citibank must provide reimbursement under the Electronic Fund Transfer Act (EFTA), a US law passed in 1978. “As with credit cards, so long as consumers promptly alert banks to unauthorized activity, the EFTA limits losses and requires reimbursement of stolen funds. These consumer protections cannot be waived or modified by contract… Under the EFTA, Citi’s electronic debits of consumers’ accounts are unauthorized and Citi must reimburse all debited amounts,” the lawsuit said.

The lawsuit seeks a permanent injunction against Citibank, an accounting of customer losses over the last six years, payment of restitution and damages to harmed consumers, and civil penalties.

SIM-swapping ring stole $400M in crypto from a US company, officials allege

Undetected for years —

Scheme allegedly targeted Apple, AT&T, Verizon, and T-Mobile stores in 13 states.

The US may have uncovered the nation’s largest “SIM swap” scheme yet, charging a Chicago man and co-conspirators with allegedly stealing $400 million in cryptocurrency by targeting over 50 victims in more than a dozen states, including one company.

A recent indictment alleged that Robert Powell—using online monikers “R,” “R$,” and “ElSwapo1”—was the “head of a SIM swapping group” called the “Powell SIM Swapping Crew.” He allegedly conspired with Indiana man Carter Rohn (aka “Carti” and “Punslayer”) and Colorado woman Emily Hernandez (allegedly aka “Em”) to gain access to victims’ devices and “carry out fraudulent SIM swap attacks” between March 2021 and April 2023.

SIM-swap attacks occur when someone fraudulently induces a wireless carrier to “reassign a cell phone number from the legitimate subscriber or user’s SIM card to a SIM card controlled by a criminal actor,” the indictment said. Once the swap occurs, the bad actor can defeat multi-factor authentication protections and access online accounts to steal data or money.

Powell’s accused crew allegedly used identification card printers to forge documents, then posed as victims visiting Apple, AT&T, Verizon, and T-Mobile retail stores in Minnesota, Illinois, Indiana, Utah, Nebraska, Colorado, Florida, Maryland, Massachusetts, Texas, New Mexico, Tennessee, Virginia, and the District of Columbia.

According to the indictment, many of the alleged victims did not suffer financial losses, but those that did were allegedly hit hard. The hardest hit appears to be an employee of a company whose AT&T device was allegedly commandeered at a Texas retail store, resulting in over $400 million being allegedly transferred from the employee’s company to co-conspirators’ financial accounts. Other individual victims allegedly lost cryptocurrency valued between $15,000 and more than $1 million.

Co-conspirators are accused of masking stolen funds, sometimes by allegedly hiding transfers in unhosted or self-hosted virtual currency wallets. If convicted, all stolen funds must be forfeited, the indictment said.

Powell has been charged with conspiracy to commit wire fraud and conspiracy to commit aggravated identity theft and access device fraud, Special Agent Brent Bledsoe said in the indictment. This Friday, Powell faces a detention hearing, where he has been ordered by the US Marshals Service to appear in person.

Powell’s attorney, Gal Pissetzky, told Ars that Powell has no comment on the indictment at this time.

SIM swaps escalating in US?

When Powell’s alleged scheme began in 2021, the FBI issued a warning, noting that criminals were increasingly using SIM-swap attacks, fueling total losses that year of $68 million.

Since then, US law enforcement has made several arrests, but none of the uncovered schemes come close to the alleged losses from the thefts Powell’s crew are being accused of.

In 2022, a Florida man, Nicholas Truglia, was sentenced to 18 months for stealing more than $20 million from a single victim. On top of forfeiting the stolen funds, Truglia was also ordered to forfeit more than $900,000 as a criminal penalty. According to security blogger Brian Krebs, Truglia was connected to a group that allegedly stole $100 million using SIM-swap attacks.

Last year, there were a few notable arrests. In October, the Department of Justice sentenced a hacker, Jordan Dave Persad, to 30 months for stealing nearly $1 million from “dozens of victims.” And in December, four Florida men received sentences between eight and 27 months for stealing more than $509,475 in SIM-swap attacks.

Ars could not find any FBI warnings since 2021 raising awareness that losses from SIM-swap attacks may be further increasing to amounts as eye-popping as the alleged losses in Powell’s case.

A DOJ official was unable to confirm if this is the biggest SIM-swapping scheme alleged in the US, directing Ars to another office. Ars will update this report with any new information the DOJ provides.

US officials seem aware that some bad actors attempting SIM-swap attacks appear to be getting bolder. Earlier this year, the Securities and Exchange Commission was targeted in an attack that commandeered the agency’s account on X, formerly known as Twitter. That attack led to a misleading X post falsely announcing the approval of bitcoin exchange-traded funds, causing a brief spike in bitcoin’s price.

To protect consumers from SIM-swap attacks, the Federal Communications Commission announced new rules last year to “require wireless providers to adopt secure methods of authenticating a customer before redirecting a customer’s phone number to a new device or provider. The new rules require wireless providers to immediately notify customers whenever a SIM change or port-out request is made on customers’ accounts and take additional steps to protect customers from SIM swap and port-out fraud.” But an Ars review found these new rules may be too vague to be effective.

In 2021, when European authorities busted a SIM-swapping ring allegedly targeting high-profile individuals worldwide, Europol advised consumers to avoid becoming targets. Tips included using multifactor authentication, resisting associating sensitive accounts with mobile phone numbers, keeping devices updated, avoiding replying to suspicious emails or callers requesting sensitive information, and limiting personal data shared online. Consumers can also request the highest security settings possible from mobile carriers and are encouraged to always use stronger, longer security PINs or passwords to protect devices.


Japan government accepts it’s no longer the ’90s, stops requiring floppy disks

“war on floppy disks” —

Government amends 34 ordinances to no longer require diskettes.

The Japanese government is finally letting go of floppy disks and CD-ROMs. It recently announced amendments to laws requiring the use of the physical media formats for submissions to the government for things like alcohol business, mining, and aircraft regulation.

Japan’s minister for Digital Transformation, Taro Kono, announced the “war on floppy discs” in August 2022. Before the recent law changes, about 1,900 government procedures required the use of obsolete disk formats, including floppy disks, CDs, and MiniDiscs, for submissions from citizens and businesses.

Kono announced intentions to amend regulations to support online submissions and cloud data storage, changing requirements that go back several decades, as noted recently by Japanese news site SoraNews24.

On January 22, Japan’s Ministry of Economy, Trade and Industry (METI) announced that it changed 34 ordinances to eradicate the requirements of floppy disks. As per a Google translation of a January 23 article from the Japanese tech website PC Watch, the ministry has deleted requirements of floppy disks and CD-ROMs for various ordinances, including some pertaining to quarrying, energy, and weapons manufacturing regulations.

METI’s announcement, as per a Google translation, highlighted the Japanese government’s “many provisions stipulating the use of specific recording media such as floppy disks regarding application and notification methods,” as well as “situations that are hindering the online implementation of procedures.”

Floppy disks first became commercially available in 1971 through IBM. They evolved through the decades, including with the release of the 3.5-inch floppy in 1983 via Sony. With usage growing and peaking in the ’80s and ’90s, the floppy disk couldn’t compete with the likes of CD-ROMs, USB thumb drives, and other more advanced forms of storage made available by the late ’90s. Sony, the last floppy disk manufacturer standing, stopped making floppies in 2011.

Floppy disks aren’t equipped for many of today’s technological needs, with storage capacity maxing at 1.44MB. Still, government bodies in Japan have been using them regularly, leading, at times, to complications. For example, in 2021, it was reported that Tokyo police lost a pair of floppy disks that had information about 38 public housing applicants.

Japan’s reliance on dated tech is something METI is tackling, but reports have noted resistance from some government bodies. This includes local governments and the Ministry of Justice resisting moving to cloud-based admin systems, per the Japan News newspaper. Japan is ranked number 32 out of 64 economies in the Institute for Management Development’s (IMD’s) 2023 World Digital Competitiveness Ranking, which the IMD says “measures the capacity and readiness of 64 economies to adopt and explore digital technologies as a key driver for economic transformation in business, government, and wider society.”

Some have attributed Japan’s sluggish movement from older technologies to its success in establishing efficiencies with analog tech. Governmental bureaucracy has also been listed as a factor.

Japan isn’t the only entity holding on to the floppy, though. Despite a single photo these days being enough to overfill a floppy disk, various industries—like embroidery, medical devices, avionics, and plastic molding—still rely on them. Even the US Air Force did not stop using 8-inch floppy disks in its missile launch control system until 2019. And last year, we reported on an Illinois Chuck E. Cheese using a 3.5-inch floppy for its animatronics system.

US-based Floppydisk.com told The Register that Japan’s rule changes shouldn’t endanger the business. Its Japanese customers are “mostly hobbyists and private parties that have machines or musical equipment that continue to use floppy disks,” Tom Persky, who runs the site, said. Floppydisk.com also sells data-transfer services but told The Register in 2022 that the bulk of revenue is from blank floppy disk sales. At the time, Persky said he expected the company to last until at least 2026.


Boeing withdraws bid for safety exemption as details on missing bolts emerge

Missing bolts —

Boeing workers apparently failed to replace bolts after reinstalling door plug.

A hole is covered where a door plug blew off a Boeing 737 Max 9 plane used by Alaska Airlines.

Getty Images

Boeing is withdrawing an application for a safety exemption related to its 737 Max 7 aircraft as more details emerge on the cause of a near-disaster involving a 737 Max 9 plane used by Alaska Airlines.

While initial inspections of Alaska Airlines’ fleet of Boeing 737 Max 9s turned up “many” loose bolts, a Wall Street Journal report yesterday said it now appears that “bolts needed to secure part of an Alaska Airlines jet that blew off in midair appear to have been missing when the plane left Boeing’s factory.”

“Boeing and other industry officials increasingly believe the plane maker’s employees failed to put back the bolts when they reinstalled a 737 Max 9 [door plug] after opening or removing it during production, according to people familiar with the matter,” the article said.

In the incident on January 5, a Boeing 737 Max 9 lost a passenger door plug while in flight, causing decompression of the passenger cabin and forcing an emergency landing (a door plug is used instead of an emergency exit door in some planes). The Federal Aviation Administration subsequently grounded 171 Boeing planes and informed Boeing that the agency “will not grant any production expansion of the Max, including the 737-9 Max.”

737 Max 7 application withdrawn

With the 737 Max 9 investigation continuing, Boeing confirmed this week that it withdrew an application for a safety exemption for the 737 Max 7. Boeing was facing pressure from US Sen. Tammy Duckworth (D-Ill.), who chairs a subcommittee on aviation safety and operations. Duckworth last week urged the FAA to reject Boeing’s request for “an exemption from safety standards to prematurely allow the 737 Max 7 to enter commercial service.”

“The exemption Boeing seeks involves an anti-ice system that can overheat and cause the engine nacelle to break apart and fall off,” Duckworth wrote. “This could generate fuselage-penetrating debris, which could endanger passengers in window seats behind the wing and/or result in a loss of control of the aircraft.”

Even though a permanent fix is not expected until 2026, Boeing “is asking the FAA to allow the Max 7 to fly with merely a warning to flight crews to remember to manually turn off the anti-ice system when the aircraft emerges from icy conditions,” Duckworth wrote. “This is a request for the FAA to certify a commercial aircraft with a single point of failure subject to human error with potentially catastrophic consequences.”

In a statement provided to Ars and other media outlets, Boeing said it is withdrawing the request for an exemption. “We have informed the FAA that we are withdrawing our request for a time-limited exemption relating to the engine inlet deicing system on the 737-7,” Boeing said. “While we are confident that the proposed time-limited exemption for that system follows established FAA processes to ensure safe operation, we will instead incorporate an engineering solution that will be completed during the certification process.

“As always, the FAA will determine the timing of certification and we will follow their lead every step of the way,” Boeing added. “We’re committed to being transparent, listening to all our stakeholders and taking action to strengthen safety and quality at Boeing.”

Duckworth also met Thursday with Boeing CEO Dave Calhoun. “After this bold-face attempt to put profits over the safety of the flying public with the Max 7 and this month’s horrific Alaska Airlines incident aboard the Max 9, I am as committed as ever to doing everything I can to ensure Boeing aircraft meet all safety standards—and I made that clear in today’s meeting,” Duckworth said.

Details suggest missing bolts on Max 9

The Wall Street Journal report about the Max 9 investigation said that an “apparent absence of markings” on the door plug is one factor suggesting that bolts were missing when the plane left Boeing’s factory. The WSJ said its sources “also pointed to paperwork and process lapses at Boeing’s Renton, Wash., factory.”

“The National Transportation Safety Board has been conducting metallurgical analysis of the [door plug] but hasn’t released the results of the testing. Laboratory tests might show whether the bolts were in place or not there at all,” the article said.

When contacted by Ars today, the NTSB said the agency’s preliminary report is slated to be released on Wednesday and “will include all of the factual information that we have developed at this point in the investigation.” (Update at 3:38pm ET: The NTSB now says the report will not be issued on Wednesday, and a new date for its release has not been set.)

Boeing said it was unable to comment on the probe because “only the US National Transportation Safety Board can release information about the investigation.”


Apple warns proposed UK law will affect software updates around the world

Heads up —

Apple may leave the UK if required to provide advance notice of product updates.

Apple is “deeply concerned” that proposed changes to a United Kingdom law could give the UK government unprecedented power to “secretly veto” privacy and security updates to its products and services, the tech giant said in a statement provided to Ars.

If passed, potentially this spring, the amendments to the UK’s Investigatory Powers Act (IPA) could deprive not just UK users, but all users globally of important new privacy and security features, Apple warned.

“Protecting our users’ privacy and the security of their data is at the very heart of everything we do at Apple,” Apple said. “We’re deeply concerned the proposed amendments” to the IPA “now before Parliament place users’ privacy and security at risk.”

The IPA was initially passed in 2016 to ensure that UK officials had lawful access to user data to investigate crimes like child sexual exploitation or terrorism. Proposed amendments were announced last November, after a review showed that the “Act has not been immune to changes in technology over the last six years” and “there is a risk that some of these technological changes have had a negative effect on law enforcement and intelligence services’ capabilities.”

The proposed amendments require that any company that fields government data requests must notify UK officials of any updates it plans to make that could restrict the UK government’s access to this data, including any updates impacting users outside the UK.

UK officials said that this would “help the UK anticipate the risk to public safety posed by the rolling out of technology by multinational companies that precludes lawful access to data. This will reduce the risk of the most serious offenses such as child sexual exploitation and abuse or terrorism going undetected.”

According to the BBC, the House of Lords will begin debating the proposed changes on Tuesday.

Ahead of that debate, Apple described the amendments on Monday as “an unprecedented overreach by the government” that “if enacted” could allow the UK to “attempt to secretly veto new user protections globally, preventing us from ever offering them to customers.”

In a letter last year, Apple argued that “it would be improper for the Home Office to act as the world’s regulator of security technology.”

Apple told the UK Home Office that imposing “secret requirements on providers located in other countries” that apply to users globally “could be used to force a company like Apple, that would never build a backdoor, to publicly withdraw critical security features from the UK market, depriving UK users of these protections.” It could also “dramatically disrupt the global market for security technologies, putting users in the UK and around the world at greater risk,” Apple claimed.

The proposed changes, Apple said, “would suppress innovation, stifle commerce, and—when combined with purported extraterritorial application—make the Home Office the de facto global arbiter of what level of data security and encryption are permissible.”

UK defends proposed changes

The UK Home Office has repeatedly stressed that these changes do not “provide powers for the Secretary of State to approve or refuse technical changes,” but “simply” require companies “to inform the Secretary of State of relevant changes before those changes are implemented.”

“The intention is not to introduce a consent or veto mechanism or any other kind of barrier to market,” a UK Home Office fact sheet said. “A key driver for this amendment is to give operational partners time to understand the change and adapt their investigative techniques where necessary, which may in some circumstances be all that is required to maintain lawful access.”

The Home Office has also claimed that “these changes do not directly relate to end-to-end encryption,” while admitting that they “are designed to ensure that companies are not able to unilaterally make design changes which compromise exceptional lawful access where the stringent safeguards of the IPA regime are met.”

This seems to suggest that companies will not be allowed to cut off the UK government from accessing encrypted data under certain circumstances, which concerns privacy advocates who consider end-to-end encryption a vital user privacy and security protection. Earlier this month, civil liberties groups including Big Brother Watch, Liberty, Open Rights Group and Privacy International filed a joint brief opposing the proposed changes, the BBC reported, warning that passing the amendments would be “effectively transforming private companies into arms of the surveillance state and eroding the security of devices and the Internet.”

“We have always been clear that we support technological innovation and private and secure communications technologies, including end-to-end encryption, but this cannot come at a cost to public safety,” a UK government official told the BBC.

The UK government may face opposition to the amendments from more than just tech companies and privacy advocates, though. In Apple’s letter last year, the tech giant noted that the proposed changes to the IPA could conflict with EU and US laws, including the EU’s General Data Protection Regulation—considered the world’s strongest privacy law.

Under the GDPR, companies must implement measures to safeguard users’ personal data, Apple said, noting that “encryption is one means by which a company can meet” that obligation.

“Secretly installing backdoors in end-to-end encrypted technologies in order to comply with UK law for persons not subject to any lawful process would violate that obligation,” Apple argued.


NSA finally admits to spying on Americans by purchasing sensitive data

Leaving Americans in the dark —

Violating Americans’ privacy “not just unethical but illegal,” senator says.

The National Security Agency (NSA) has admitted to buying records from data brokers detailing which websites and apps Americans use, US Senator Ron Wyden (D-Ore.) revealed Thursday.

This news follows Wyden’s push last year that forced the FBI to admit that it was also buying Americans’ sensitive data. Now, the senator is calling on all intelligence agencies to “stop buying personal data from Americans that has been obtained illegally by data brokers.”

“The US government should not be funding and legitimizing a shady industry whose flagrant violations of Americans’ privacy are not just unethical but illegal,” Wyden said in a letter to Director of National Intelligence (DNI) Avril Haines. “To that end, I request that you adopt a policy that, going forward,” intelligence agencies “may only purchase data about Americans that meets the standard for legal data sales established by the FTC.”

Wyden suggested that the intelligence community might be helping data brokers violate an FTC order requiring that Americans are provided “clear and conspicuous” disclosures and give informed consent before their data can be sold to third parties. In the seven years that Wyden has been investigating data brokers, he said that he has not been made “aware of any company that provides such a warning to users before collecting their data.”

The FTC’s order came after reaching a settlement with a data broker called X-Mode, which admitted to selling sensitive location data without user consent and even to selling data after users revoked consent.

In his letter, Wyden referred to this order as the FTC outlining “new rules,” but that’s not exactly what happened. Instead of issuing rules, FTC settlements often serve as “common law,” signaling to marketplaces which practices violate laws like the FTC Act.

According to the FTC’s analysis of the order on its site, X-Mode violated the FTC Act by “unfairly selling sensitive data, unfairly failing to honor consumers’ privacy choices, unfairly collecting and using consumer location data, unfairly collecting and using consumer location data without consent verification, unfairly categorizing consumers based on sensitive characteristics for marketing purposes, deceptively failing to disclose use of location data, and providing the means and instrumentalities to engage in deceptive acts or practices.”

The FTC declined to comment on whether the order also applies to data purchases by intelligence agencies. In defining “location data,” the FTC order seems to carve out exceptions for any data collected outside the US and used for either “security purposes” or “national security purposes conducted by federal agencies or other federal entities.”

NSA must purge data, Wyden says

NSA officials told Wyden that not only is the intelligence agency purchasing data on Americans located in the US but that it also bought Americans’ Internet metadata.

Wyden warned that the former “can reveal sensitive, private information about a person based on where they go on the Internet, including visiting websites related to mental health resources, resources for survivors of sexual assault or domestic abuse, or visiting a telehealth provider who focuses on birth control or abortion medication.” And the latter “can be equally sensitive.”

To fix the problem, Wyden wants intelligence communities to agree to inventory and then “promptly” purge the data that they allegedly illegally collected on Americans without a warrant. Wyden said that this process has allowed agencies like the NSA and the FBI “in effect” to use “their credit card to circumvent the Fourth Amendment.”

X-Mode’s practices, the FTC said, were likely to cause “substantial injury to consumers that are not outweighed by countervailing benefits to consumers or competition and are not reasonably avoidable by consumers themselves.” Wyden’s spokesperson, Keith Chu, told Ars that “the data brokers selling Internet records to the government appear to engage in nearly identical conduct” to X-Mode.

The FTC’s order also indicates “that Americans must be told and agree to their data being sold to ‘government contractors for national security purposes’ for the practice to be allowed,” Wyden said.

DoD defends shady data broker dealings

In response to Wyden’s letter to Haines, the Under Secretary of Defense for Intelligence & Security, Ronald Moultrie, said that the Department of Defense (DoD) “adheres to high standards of privacy and civil liberties protections” when buying Americans’ location data. He also said that he was “not aware of any requirement in US law or judicial opinion” forcing the DoD to “obtain a court order in order to acquire, access, or use” commercially available information that “is equally available for purchase to foreign adversaries, US companies, and private persons as it is to the US government.”

In another response to Wyden, NSA leader General Paul Nakasone told Wyden that the “NSA takes steps to minimize the collection of US person information” and “continues to acquire only the most useful data relevant to mission requirements.” That includes some commercially available information on Americans “where one side of the communications is a US Internet Protocol address and the other is located abroad,” data which Nakasone said is “critical to protecting the US Defense Industrial Base” that sustains military weapons systems.

While the FTC has so far cracked down on a few data brokers, Wyden believes that the shady practice of selling data without Americans’ informed consent is an “industry-wide” problem in need of regulation. Rather than being a customer in this sketchy marketplace, intelligence agencies should stop funding companies allegedly guilty of what the FTC has described as “intrusive” and “unchecked” surveillance of Americans, Wyden said.

According to Moultrie, DNI Haines decides what information sources are “relevant and appropriate” to aid intelligence agencies.

But Wyden believes that Americans should have the opportunity to opt out of consenting to such invasive, secretive data collection. He said that by purchasing data from shady brokers, US intelligence agencies have helped create a world where consumers have no opportunity to consent to intrusive tracking.

“The secrecy around data purchases was amplified because intelligence agencies have sought to keep the American people in the dark,” Wyden told Haines.
