Illinois judge dismisses lawsuit against X over social media photo scanning

A federal judge in Illinois dismissed a class action lawsuit against the social network X, ruling that the photos it collected did not constitute biometric data under the state’s Biometric Information Privacy Act (BIPA). The lawsuit alleged that X violated BIPA by using Microsoft’s PhotoDNA software to scan for offensive images without proper disclosure and consent.

The judge concluded that the plaintiff failed to prove that the PhotoDNA tool involved facial geometry scanning or could identify specific individuals. Instead, the software analysed uploaded photos to detect nudity or pornographic content, which did not qualify as a scan of facial geometry under BIPA.

The ruling mirrors a recent case involving Facebook, where allegations of illegally collecting biometric data were dismissed. Both cases clarified that a digital signature generated from a photograph, known as a ‘hash’ or face signature, did not violate BIPA’s definition of biometric identifiers.

The judge emphasised that BIPA aims to regulate specific biometric identifiers like retina scans or fingerprints, excluding photographs to avoid an overly broad scope. Applying BIPA to any face geometry scan that cannot identify individuals would contradict the law’s purpose of ensuring notice and consent.

BIPA’s private right of action has been a significant deterrent for biometrics companies, allowing users to sue for damages in cases of non-compliance.

EU faces controversy over proposed AI scanning law

The EU is facing significant controversy over a proposed law that would require AI scanning of users’ photos and videos on messaging apps to detect child sexual abuse material (CSAM). Critics, including major tech companies like WhatsApp and Signal, argue that this law threatens privacy and encryption, undermining fundamental rights. They also warn that the AI detection systems could produce numerous false positives, overwhelming law enforcement.

A recent meeting among the EU member states’ representatives failed to reach a consensus on the proposal, leading to further delays. The Belgian presidency had hoped to finalise a negotiating mandate, but disagreements among member states prevented progress. The ongoing division means that discussions on the proposal will likely continue under Hungary’s upcoming EU Council presidency.

Opponents of the proposal, including Signal President Meredith Whittaker and Proton founder Andy Yen, emphasise the dangers of mass surveillance and the need for more targeted approaches to child protection. Despite the current setback, there’s concern that efforts to push the law forward will persist, necessitating continued vigilance from privacy advocates.

Cyberattack on London hospitals leads to data leak

Cybercriminals claiming responsibility for the recent hack on London hospitals have reportedly released stolen data from the incident. England’s National Health Service (NHS) acknowledged the publication of this data, allegedly belonging to Synnovis, the pathology provider targeted in the 3 June attack. NHS officials are working closely with Synnovis, the National Cyber Security Centre, and other partners to verify the content of these files swiftly. Their focus includes determining if the data originates from Synnovis systems and if it pertains to NHS patients.

According to reports, the hackers have disclosed nearly 400GB of data on their darknet website and Telegram channel. The published information supposedly includes patient names, dates of birth, NHS numbers, and descriptions of blood tests, alongside financial spreadsheets. However, the NHS has not confirmed whether medical test results are part of the exposed data.

The attack has been attributed to the Russian-speaking hacker group Qilin, which has demanded a $50 million ransom to halt further disclosures. Synnovis, a provider jointly operated by Synlab UK & Ireland and NHS trusts, is crucial in delivering lab testing services to healthcare facilities in London and Kent. The breach has severely impacted its blood transfusion and testing capabilities, leading to the postponement of over 1,000 operations and more than 2,000 appointments at affected hospital units.

US DoJ to file lawsuit against TikTok for alleged children’s privacy violations

The US Department of Justice (DoJ) will sue TikTok again later this year, filing a consumer protection lawsuit against the ByteDance-owned app that focuses on alleged children’s privacy violations. The legal move comes on behalf of the Federal Trade Commission (FTC), but the DoJ will not pursue allegations that TikTok misled US consumers about data security, specifically dropping claims that the company failed to inform users that China-based employees could access their personal and financial information.

The decision suggests that the primary focus will now be on how TikTok handles children’s privacy. The FTC had referred to the DoJ a complaint against TikTok and its parent, ByteDance, concerning potential violations of children’s privacy, stating that it investigated TikTok and found evidence suggesting they may be breaking the Children’s Online Privacy Protection Act. The federal act requires apps and websites aimed at kids to get parental consent before collecting personal information from children under 13.

Simultaneously, TikTok and ByteDance are challenging a US law that aims to ban the popular short video app in the United States starting from 19 January next year.

Ukrainian student’s identity misused by AI on Chinese social media platforms

Olga Loiek, a 21-year-old University of Pennsylvania student from Ukraine, experienced a disturbing twist after launching her YouTube channel last November. Her image was hijacked and manipulated through AI to create digital alter egos on Chinese social media platforms. These AI-generated avatars, such as ‘Natasha,’ posed as Russian women fluent in Chinese, promoting pro-Russian sentiments and selling products like Russian candies. These fake accounts amassed hundreds of thousands of followers in China, far surpassing Loiek’s own online presence.

Loiek’s experience highlights a broader trend of AI-generated personas on Chinese social media, presenting themselves as supportive of Russia and fluent in Chinese while selling various products. Experts reveal that these avatars often use clips of real women without their knowledge, aiming to appeal to single Chinese men. Some posts include disclaimers about AI involvement, but the followers and sales figures remain significant.

Why does it matter?

These events underscore the ethical and legal concerns surrounding AI’s misuse. As generative AI systems like ChatGPT become more widespread, issues related to misinformation, fake news, and copyright violations are growing.

In response, governments are starting to regulate the industry. China proposed guidelines to standardise AI by 2026, while the EU’s new AI Act imposes strict transparency requirements. However, experts like Xin Dai from Peking University warn that regulations struggle to keep pace with rapid AI advancements, raising concerns about the unchecked proliferation of AI-generated content worldwide.

ByteDance challenges US TikTok ban in court

ByteDance and its subsidiary company TikTok are urging a US court to overturn a law that would ban the popular app in the USA by 19 January. The new legal act, signed by President Biden in April, demands ByteDance divest TikTok’s US assets or face a ban, which the company argues is impractical on technological, commercial, and legal grounds.

ByteDance contends that the law, driven by concerns over potential Chinese access to American data, violates free speech rights and unfairly targets TikTok while it ‘ignores many applications with substantial operations in China that collect large amounts of US user data, as well as the many US companies that develop software and employ engineers in China.’ They argue that the legislation represents a substantial departure from the US tradition of supporting an open internet and sets a dangerous precedent.

The US Court of Appeals for the District of Columbia will hear oral arguments on this case on 16 September, and the decision could shape the future of TikTok in the US. ByteDance claims that during lengthy negotiations with the US government, which ended abruptly in August 2022, it proposed various measures to protect US user data, including a ‘kill switch’ for the government to suspend TikTok if necessary. Additionally, the company made public a 100-plus page draft national security agreement to protect US TikTok user data and claims it has spent more than $2 billion on the effort. However, they believe the administration prefers to shut down the app rather than finalise a feasible agreement.

The Justice Department, defending the law, asserted that it addresses national security concerns appropriately. Moreover, the case follows a similar attempt by former President Trump to ban TikTok, which was blocked by the courts in 2020. This time, the new law would prohibit app stores and internet hosting services from supporting TikTok unless ByteDance divests it.

Key player in semiconductor industry targeted in major data breach

The infamous threat actor Intelbroker has purportedly masterminded a data breach targeting Advanced Micro Devices (AMD), a prominent player in the semiconductor industry. The alleged breach of AMD’s systems was disclosed on BreachForums alongside detailed information about the intrusion and various data samples.

In response to these claims, AMD officials have issued a statement acknowledging the reported data breach by a cybercriminal group. The company stated that it is collaborating with law enforcement authorities and a third-party hosting partner to investigate the alleged breach and assess the nature and impact of the compromised data.

Intelbroker asserts that the leaked AMD data includes a wide range of sensitive information stolen from AMD’s databases. The data includes technical specifications, product details, and internal communications allegedly sourced from AMD’s secure servers. These disclosures not only point towards the possible extent of the breach but also raise concerns about potential vulnerabilities within AMD’s cybersecurity infrastructure.

This incident is not the first cybersecurity challenge faced by AMD. In 2022, the company reportedly fell victim to the RansomHouse hacking group. Following the 2022 breach and the current incident, AMD initiated thorough investigations to evaluate the breach’s implications and in turn enhance its defences against cyber threats. These disclosures can potentially compromise AMD’s competitive edge and raise concerns about intellectual property theft and corporate espionage.

Who is Intelbroker?

Intelbroker, the alleged perpetrator behind the recent AMD data breach, has a track record of targeting critical infrastructure, major tech companies, and government contractors. The hacker operates as a lone wolf and employs sophisticated tactics to exploit vulnerabilities and access sensitive information. Previous breaches include infiltrations at Los Angeles International Airport (LAX) and US federal agencies via Acuity, emphasising the widespread impact of their activities.

The motives driving Intelbroker’s cyber campaigns range from financial gain through the sale of stolen data on dark web platforms to potential geopolitical agendas aimed at disrupting critical infrastructure and corporate operations. 

US Justice Department to investigate TikTok over child privacy complaint

The US Federal Trade Commission (FTC) has referred a complaint against TikTok and its parent company, ByteDance, to the Justice Department over potential violations of children’s privacy. The move follows an investigation that suggested the companies might be breaking the law and deemed it in the public interest to proceed with the complaint. The investigation stems from allegations that TikTok failed to comply with a 2019 agreement to safeguard children’s privacy.

TikTok has been in discussions with the FTC for over a year to address the agency’s concerns. The company expressed disappointment over the FTC’s decision to pursue litigation rather than continue negotiations, arguing that many of the FTC’s allegations are outdated or incorrect. TikTok remains committed to resolving the issues and believes it has already addressed many concerns.

Separately, TikTok is facing scrutiny from US Congress regarding the potential misuse of data from its 170 million US users by the Chinese government, a claim TikTok denies. Additionally, TikTok is preparing to file a legal brief challenging a recent law that mandates its parent company, ByteDance, to divest TikTok’s US assets by 19 January or face a ban.

G7 Italy summit unveils AI action plan to balance AI risks and opportunities

Adopted on June 14, 2024, at the G7 Summit in Apulia, Italy, the Group of Seven (G7) Leaders’ Communiqué expresses the wealthiest nations’ common pledges and actions to address multiple global issues. A portion of the G7 declaration closing the Italian summit focuses on AI and other digital matters.

G7 leaders called for an action plan to manage AI’s risks and benefits, including developing and implementing an International Code of Conduct for organisations developing advanced AI systems, as unveiled last October under the Japanese G7 presidency. To maximise the advantages of AI while mitigating its threats, G7 nations commit to deepening their cooperation.

An action plan for the use of AI in the workplace was announced, together with the creation of a brand to promote the implementation and use of the International Code of Conduct for advanced AI systems, in cooperation with the OECD. G7 leaders stressed the importance of global partnership to bridge the digital divide and ensure that people around the world have access to the benefits of AI and other technologies. The goal is to advance science, improve public health, accelerate the clean energy transition, promote sustainable development goals, etc.

Why does it matter?

The G7 is encouraging global collaboration within the group of countries, with the OECD, with other initiatives such as the Global Partnership on AI (GPAI), and towards the developing world, to facilitate the equitable distribution of the benefits of AI and other emerging technologies while minimising any threats. G7 leaders aim to mend technological gaps and address AI’s impact on workers. G7 labour ministers are tasked with designing measures to capitalise on AI’s potential, promote quality employment, and empower people, while also tackling potential barriers and risks to workers and labour markets.

G7 leaders agreed to intensify efforts to promote AI safety and enhance interoperability between diverse approaches to AI governance and risk management. That means strengthening collaboration between AI Safety Institutes in the US, UK, and equivalent bodies in other G7 nations and beyond, to improve global standards for AI development and implementation. The G7 also formed a ‘Semiconductors Point of Contact Group’ to strengthen cooperative efforts on addressing challenges affecting this critical industry that drives the AI ecosystem.

G7 nations’ commitments are consistent with the recent Seoul AI safety summit efforts and align with the intended goals of the upcoming United Nations Summit of the Future. Echoing the UN General Assembly landmark resolution on ‘seizing the opportunities of safe, secure, and trustworthy AI systems for sustainable development’ and Pope Francis’s historic address to the G7 leaders, the communiqué reflects the group’s unified stance on AI safety and the need for a framework for AI’s responsible development and use in the military.

UnitedHealth discloses potential theft of data from one-third of Americans

The Centers for Medicare and Medicaid Services have announced the discontinuation of a program designed to assist Medicare providers and suppliers impacted by disruptions at UnitedHealth’s technology division, Change Healthcare.

Initiated in response to a hack at Change Healthcare on February 21st by threat actor ‘BlackCat’, the program will now cease accepting new applications as of July 12. It has distributed over $2.55 billion in expedited payments to 4,200 providers such as hospitals and $717.18 million to suppliers including doctors, non-physician practitioners and durable medical equipment suppliers, with a significant portion of these funds already recovered. Providers are now able to effectively submit claims to Medicare.

The cyber incident in February affected a key player in processing medical claims and adds to the growing cyber threat posed to the healthcare industry. Change Healthcare handles approximately half of all medical claims in the United States, serving about 900,000 physicians, 33,000 pharmacies, 5,500 hospitals, and 600 laboratories.