Software flaws were allegedly hidden from lawyers of wrongly convicted UK postal workers.

Fujitsu software bugs that helped send innocent postal employees to prison in the UK were known "right from the very start of deployment," a Fujitsu executive told a public inquiry today.

"All the bugs and errors have been known at one level or not, for many, many years. Right from the very start of deployment of the system, there were bugs and errors and defects, which were well-known to all parties," said Paul Patterson, co-CEO of Fujitsu's European division.

That goes back to 1999, when the Horizon software system was installed in post offices by Fujitsu subsidiary International Computers Limited. From 1999 to 2015, Fujitsu's faulty accounting software aided in the prosecution and conviction of more than 900 sub-postmasters and postmistresses who were accused of theft or fraud when the software wrongly made it appear that money was missing from their branches.

Some innocent people went to prison, while others were forced to make payments to the UK Post Office to cover the supposed shortfalls. So far, "only 93 convictions have been overturned and thousands of people are still waiting for compensation settlements," a BBC report said.

Post Office Lawyers Allegedly Rewrote Fujitsu Witness Statements

During the prosecutions, courts hearing cases against postal employees "were not told of 29 bugs identified as early as 1999 in the system it built," _The Guardian_ wrote in a summary of Patterson's testimony today. The article said:

> "When bugs were acknowledged, witness statements from Fujitsu staff due to be heard in court were then edited by the Post Office as it sought to maintain the line that the system was working well as it pursued innocent people through the courts.
> 
> Paul Patterson agreed that both organizations had failed the accused. "I am surprised that that detail was not included in the witness statements given by Fujitsu staff to the Post Office and I have seen some evidence of editing witness statements by others," he said.
> 
> Asked by the lead counsel of the public inquiry, Jason Beer KC, whether he agreed that this was shameful, Patterson, who has worked at the company for 14 years, said: “That would be one word I would use. Shameful and appalling. My understanding of how our laws work in this country, is that all of the evidence should have been put in front of the subpostmasters that the Post Office was relying on to prosecute them.”

A Financial Times article said that the public inquiry "heard in December last year that the Post Office's lawyers had rewritten Fujitsu witness statements."

The FT article also said the Post Office, which used prosecution powers available to private corporations in the UK, obtained 700 of the 900 convictions. The other convictions came in cases brought by Scottish prosecutors. The scandal may lead to reforms of the private prosecution system that lets organizations take people to court.

Bugs Were Understood “Way Back to 1999”

Earlier this week, Patterson told UK Parliament members that "Fujitsu would like to apologize for our part in this appalling miscarriage of justice. We were involved from the very start. We did have bugs and errors in the system and we did help the Post Office in their prosecutions of the sub-postmasters. For that we are truly sorry."

Patterson also told Parliament members that Fujitsu has "a moral obligation" to contribute to the compensation for victims.

Patterson testified today in a different setting, answering questions from lawyers representing victims. One of those lawyers, Flora Page, asked Patterson, "Did nobody historically make that pretty obvious connection between very poor code going out into operation and then very poor data coming out and through the litigation support service?"

Patterson answered, "Whether people made that connection or not, what is very evident... is that that connection and understanding about what was going on and where was it, was understood by certainly Fujitsu and certainly understood by Post Office way back to 1999. It's all about what you do with that information... that is a question for this inquiry."

Post Office Minister Kevin Hollinrake, the MP for Thirsk and Malton, told the BBC that his "number one priority" is to "try and get compensation and get answers for people."

"You've had marriages fail, people commit suicide, an horrendous impact on people's lives," he said. "It's perfectly reasonable that the public should demand people are held to account and that should mean criminal prosecutions wherever possible." The UK government also has plans for a new law to "swiftly exonerate and compensate" people who were falsely convicted.

_This story originally appeared on_ _Ars Technica._

Fujitsu Bugs That Sent Innocent People to Prison Were Known ‘From the Start’

Plus: Microsoft says attackers accessed employee emails, Walmart fails to stop gift card fraud, “pig butchering” scams fuel violence in Myanmar, and more.

A major coordinated disclosure this week called attention to the importance of prioritizing security in the design of graphics processing units (GPUs). Researchers published details about the “LeftoverLocals” vulnerability in multiple brands and models of mainstream GPUs—including Apple, Qualcomm, and AMD chips—that could be exploited to steal sensitive data, such as responses from AI systems. Meanwhile, new findings from the cryptocurrency tracing firm Chainalysis show how stablecoins that are tied to the value of the US dollar were instrumental in cryptocurrency-based scams and sanctions evasion last year.

The US Federal Trade Commission reached a settlement earlier this month with the data broker X-Mode (now Outlogic) over its sale of location data gathered from phone apps to the US government and other clients. While the action was hailed by some as a historic privacy win, it also illustrates the limitations of the FTC and the US government's data privacy enforcement power and the ways in which many companies can avoid scrutiny and consequences for failing to protect consumers' data.

The US internet provider Comcast Xfinity may gather data about customers' personal lives for personalized ads, including information about their political beliefs, race, and sexual orientation. If you're a customer, we've got advice for opting out—to the extent that's possible. And if you need a good long read for the weekend, we have the story of how a 27-year-old cryptography graduate student systematically debunked the myth that bitcoin transactions are anonymous. The piece is an excerpt from WIRED writer Andy Greenberg's nonfiction thriller _Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency_, out this week in paperback.

And there's more. Each week, we round up the security and privacy news we didn’t break or cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

On Friday, the US Cybersecurity and Infrastructure Security Agency issued an emergency directive requiring federal agencies to patch two vulnerabilities that are being actively exploited in the popular VPN appliances Ivanti Connect Secure and Policy Secure. CISA's executive assistant director, Eric Goldstein, told reporters that CISA has notified every federal agency that is running a version of the products, amounting to “around” 15 agencies that have applied mitigations. “We are not assessing a significant risk to the federal enterprise, but we know that risk is not zero,” Goldstein said. He added that investigations are ongoing into whether any federal agencies have been compromised in the attackers' mass exploitation spree.

Analysis indicates that multiple actors have been hunting for and exploiting vulnerable Ivanti devices to gain access to organizations' networks around the world. The activity began in December 2023, but it has ramped up in recent days as word of the vulnerabilities and a proof of concept have emerged. Researchers from the security firm Volexity say that at least 1,700 Connect Secure devices have been compromised overall. Both Volexity and Mandiant see evidence that at least some of the exploitation activity is motivated by espionage. CISA's Goldstein said on Friday that the US government has not yet attributed any of the exploitation activity to particular actors, but that “exploitation of these products would be consistent with what we have seen from PRC \[People's Republic of China\] actors like Volt Typhoon in the past.”

Ivanti Connect Secure is a rebrand of the Ivanti product series known as Pulse Secure. Vulnerabilities in that VPN platform were notoriously exploited in a rash of high-profile digital breaches in 2021 carried out by Chinese state-backed hackers.

Microsoft said on Friday that it detected a system intrusion on January 12 that it is attributing to the Russian state-backed actor known as Midnight Blizzard or APT 29 Cozy Bear. The company says it has fully remediated the breach, which began in November 2023 and used “password spraying” attacks to compromise historic system test accounts that, in some cases, then allowed the attacker to infiltrate “a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions.” With this access, Cozy Bear hackers were then able to exfiltrate “some emails and attached documents.” Microsoft notes that the attackers appeared to be seeking information about Microsoft's investigations into the group itself. “The attack was not the result of a vulnerability in Microsoft products or services,” the company wrote. “To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems. We will notify customers if any action is required.”

Gift card scams in which attackers trick victims into purchasing gift cards for them are a long-standing issue, but new reporting from ProPublica shows how Walmart has been particularly remiss in addressing the problem. For a decade, the retailer has skirted pressure from both regulators and law enforcement to more closely scrutinize gift card sales and money transfers and expand employee training that could save customers from being tricked and exploited by bad actors. ProPublica conducted dozens of interviews and reviewed internal documents, court filings, and public records in its analysis.

“They were concerned about the bucks. That’s all,” Nick Alicea, a former fraud team leader for the US Postal Inspection Service, told ProPublica. Walmart defended its efforts, claiming that it has stopped more than $700 million in suspicious money transfers and refunded $4 million to victims of gift card fraud. “Walmart offers these financial services while working hard to keep our customers safe from third-party fraudsters,” the company said in a statement. “We have a robust anti-fraud program and other controls to help stop scammers and other criminals who may use the financial services we offer to harm our customers.”

As rebel groups in Myanmar violently oppose the country's military government, the human trafficking and abuse fueling pig butchering scams is exacerbating the conflict. The scams have exploded in recent years, carried out not just by bad actors, but by a workforce of forced laborers who have often been kidnapped and are being held against their will. In one case this fall, a collection of rebel groups in Myanmar known as the Three Brotherhood Alliance took control of 100 military outposts in the country's northern Shan state and seized several towns along the border with China, vowing to "eradicate telecom fraud, scam dens and their patrons nationwide, including in areas along the China-Myanmar border.”

The UN estimates that there may be as many as 100,000 people held in scam centers in Cambodia and 120,000 in Myanmar. “I’ve worked in this space for over 20 years and to be honest, we’ve never seen anything like what we’re seeing now in Southeast Asia in terms of the sheer numbers of people,” Rebecca Miller, regional program director for human trafficking at the UN Office on Drugs and Crime told Vox.

In a new investigation, _Consumer Reports_ and The Markup crowdsourced three years of archived Facebook data from 709 users of the social network to assess which data brokers and other organizations are tracking and monitoring them. In analyzing the data, reporters found that a total of 186,892 companies sent data about the 709 individuals to Facebook. On average, each of those users had information sent to Facebook about them by 2,230 companies. The number varied, though. Some users had less than the average while others had more than 7,000 companies tracking them and providing information to the social network.

US Agencies Urged to Patch Ivanti VPNs That Are Actively Being Hacked

One of America’s largest internet providers may collect data about your political beliefs, race, and sexual orientation to serve personalized ads.

Your internet service provider could have a good idea of who you’re planning to vote for in the 2024 election as well as the gender of the last person you slept with—and it’s saving that information for later. Major internet providers, like Comcast’s Xfinity, stockpile more revealing data than users might initially realize.

For example, Xfinity customers are automatically opted in to allow the company to store sensitive personal information. This could include your “race, ethnicity, political affiliations, or philosophical beliefs,” according to Xfinity’s website. Your sexual orientation, immigration status, biometric info, and precise location are also considered to be sensitive data. While Comcast does not sell this info, the company does use sensitive data in a variety of ways, like to serve up personalized ads and recommendations.

There are many reasons to be anxious about this kind of data collection. Xfinity itself was recently hacked; the personal data of over 30 million customers was stolen in October of last year, yet the breach was revealed by the company to users two months after the fact. (Definitely change your Xfinity password right now, and turn on two factor-authentication if you haven’t already.)

The good news is that you can take steps to opt out of Comcast’s data storage—although there are limitations on how far the privacy options go. Also, if you live in a state with supplemental privacy legislation, then you might have the right to request and receive more details about your collected data.

How to Change Your Sensitive Personal Information Settings

You don’t have to log in to the Xfinity website with your username and password to make this settings change, but be forewarned: You will be asked to fork over your email, phone number, and location.

Start by visiting Xfinity’s Privacy Center and scrolling down to **Review your privacy preferences**. Then, click on **Manage your information** and skim through all the available options to get a better grasp on your choices. Find the **Sensitive personal information preferences** section, and choose **Review settings**.

This next step was sometimes quite slow to load during my testing, so a little patience might be necessary. When it eventually pops up, fill out the form and click **Continue**. You may be asked to confirm the provided address. Finally, after all that clicking, locate the toggle labeled **Storage and usage of sensitive personal information** that appears on the last page and switch it off.

It’s worth pointing out a crucial caveat from Comcast about how the setting works. The catch is that this toggle impacts the use of your personal data only in Comcast’s advertising, marketing, and recommendations systems. “Even when off, we may still use your sensitive personal information for certain purposes, including to provide your Services, security purposes, and fraud monitoring,” reads a disclaimer right below the toggle. While some data collection may be necessary to operate basic services, the lack of accessible, granular control over what’s stored is disappointing.

Depending on where you live in the US, you can learn more about what Comcast stores and scrub it. In the following five states, you have the right to receive more details about the data Xfinity collects about you: California, Colorado, Connecticut, Utah, and Virginia. By residing here, you have the right to receive details about the gathered data and have personal info deleted. Your right to correct inaccurate info is codified in all of these states as well, except for Utah.

Anyone can technically fill out the form and make the request regardless of location, but you might not receive a real answer if you live somewhere without the legal protections. Even in the states where you are legally covered, be prepared to wait. Comcast may take up to a month to process requests from Xfinity customers, and will notify you if the process ends up stretching out even longer.

How to Opt Out of Comcast’s Xfinity Storing Your Sensitive Data

A new report from Chainalysis finds that stablecoins like Tether, tied to the value of the US dollar, were used in the vast majority of crypto-based scam transactions and sanctions evasion in 2023.

Stablecoins, cryptocurrencies pegged to a stable value like the US dollar, were created with the promise of bringing the frictionless, border-crossing fluidity of Bitcoin to a form of digital money with far less volatility. That combination has proved to be wildly popular, rocketing the total value of stablecoin transactions since 2022 past even that of Bitcoin itself.

It turns out, however, that as stablecoins have become popular among legitimate users over the past two years, they were even more popular among a different kind of user: those exploiting them for billions of dollars of international sanctions evasion and scams.

As part of its annual crime report, cryptocurrency-tracing firm Chainalysis today released new numbers on the disproportionate use of stablecoins for both of those massive categories of illicit crypto transactions over the last year. By analyzing blockchains, Chainalysis determined that stablecoins were used in fully 70 percent of crypto scam transactions in 2023, 83 percent of crypto payments to sanctioned countries like Iran and Russia, and 84 percent of crypto payments to specifically sanctioned individuals and companies. Those numbers far outstrip stablecoins' growing overall use—including for legitimate purposes—which accounted for 59 percent of all cryptocurrency transaction volume in 2023.

In total, Chainalysis measured $40 billion in illicit stablecoin transactions in 2022 and 2023 combined. The largest single category of that stablecoin-enabled crime was sanctions evasion. In fact, across all cryptocurrencies, sanctions evasion accounted for more than half of the $24.2 billion in criminal transactions Chainalysis observed in 2023, with stablecoins representing the vast majority of those transactions.

The attraction of stablecoins for both sanctioned people and countries, argues Andrew Fierman, Chainalysis' head of sanctions strategy, is that it allows targets of sanctions to circumvent any attempt to deny them a stable currency like the US dollar. “Whether it's an individual located in Iran or a bad guy trying to launder money—either way, there's a benefit to the stability of the US dollar that people are looking to obtain,” Fierman says. “If you're in a jurisdiction where you don't have access to the US dollar due to sanctions, stablecoins become an interesting play.”

As examples, Fierman points to Nobitex, the largest cryptocurrency exchange operating in the sanctioned country of Iran, as well as Garantex, a notorious exchange based in Russia that has been specifically sanctioned for its widespread criminal use. Stablecoin usage on Nobitex outstrips bitcoin by a 9:1 ratio, and on Garantex by a 5:1 ratio, Chainalysis found. That's a stark difference from the roughly 1:1 ratio between stablecoins and bitcoins on a few nonsanctioned mainstream exchanges that Chainalysis checked for comparison.

Chainalysis's chart showing the growth in stablecoins as a fraction of the value of total illicit crypto transactions over time.

COURTESY OF CHAINALYSIS

Chainalysis concedes that the analysis in its report excludes some cryptocurrencies like Monero and Zcash that are designed to be harder or impossible to trace with blockchain analysis. It also says it based its numbers on the type of cryptocurrency sent directly to an illicit actor, which may leave out other currencies used in money laundering processes that repeatedly swap one type of cryptocurrency for another to make tracing more difficult.

Chainalysis's findings come on the heels of another report released earlier this week by United Nations researchers on the outsize role of stablecoins in illegal gambling and scam operations across East and Southeast Asia. While Chainalysis declined to break out the value of any particular stablecoin in its findings, the UN report singles out Tether, the most popular stablecoin. The report describes Tether sent through the TRON blockchain-based payment network as the “preferred choice for regional cyberfraud operations and money launderers alike due to its stability and the ease, anonymity, and low fees of its transactions.”

“Pig butchering” scams—cons in which scammers typically trick users into sending funds into fraudulent investments—consistently use Tether as the means of bilking victims, says Erin West, a deputy district attorney for California's Santa Clara County and a member of the REACT High Tech Task Force, who has long focused on crypto crime. “It’s always, always, always Tether. I’ve never heard of pig butchering that _isn’t_ Tether,” says West. “These scammers can’t risk the volatility of any of the other coins like bitcoin or ether. All they want is to move assets from the victims' hands to their own in the cheapest, easiest way possible.”

West says that the high proportion of stablecoin use in sanctions evasion also represents a disturbing trend, given that it undermines a system meant to hold specific countries, individuals, and companies accountable for criminal behavior and violations of international law. “It's so dangerous,” West says. “It enables them to have access to the very units of currency that we’re trying to prevent them from accessing. This is exactly what sanctions are meant to stop, and they’re able to bypass it.”

Chainalysis's chart showing how stablecoins dominated cryptocurrency-based sanctions evasion and scams in 2023.

COURTESY OF CHAINALYSIS

When WIRED reached out to Tether Holdings—the company that issues the stablecoin that shares its name—it responded in a statement following publication of this article that “Tether proactively collaborates with global law enforcement agencies to identify and prevent illicit use of” its cryptocurrency, adding that its “commitment to the highest standards of compliance is evident in our efforts to eliminate various forms of criminal activity.”

Tether argued further that it has contributed to freezing the assets of users involved in scams or found to be violating the US Treasury's sanctions lists, and noted that all of its transactions, like many cryptocurrencies, can be publicly observed on blockchains—in other words, the observability that made Chainalysis's report possible. “Between our active and direct engagement with law enforcement and leveraging the transparent nature of blockchain transactions, individuals attempting to conceal their illicit financial activities face significant risks, as every transaction can be easily traced,” the company's statement reads.

Tether Holdings has more flatly denied other reports of Tether's use in crime and sanctions evasion. It wrote that an October _Wall Street Journal_ article on the subject was based on “highly erroneous interpretations of data”—though in that case, the company pointed to Chainalysis findings as a more accurate accounting. “There is simply no evidence that Tether has violated Sanctions laws or the Bank Secrecy Act through inadequate customer due diligence or screening practices,” Tether Holdings wrote in an October 26 blog post addressing the _WSJ_ article.

In contrast to most cryptocurrencies, Tether does have the capability to freeze user funds, and it said in the October blog post that since its launch in 2014, it had frozen $835 million in funds deemed to be tied to illicit activities. “Tether's ethos revolves around transparency, compliance, and proactive collaboration with relevant authorities worldwide,” the company wrote.

Chainalysis' Fierman says that Tether's efforts to freeze criminal funds are having an impact, and more enforcement could help end stablecoins' exploitation by criminals. “Just as we’ve seen with compliant exchanges dominating more and more of total transaction volumes, illicit activity gets pushed to the fringes,” Fierman says.

Despite Tether's ability to freeze funds, Chainalysis' data suggests that illicit use of stablecoins has so far dwarfed those seizures. West, the prosecutor, notes that most Tether associated with crime is cashed out for another currency long before anyone identifies it. That means Tether hasn't yet come close to solving the underlying problem.

“I applaud it. I'm all for it,” West says of Tether's efforts to freeze criminal assets. “But when we're talking about billions and billions of dollars in assets moving, I just think this is one piece of one piece of the puzzle. There are so many more pieces. And the bad actors are so far ahead of us.”

_Updated at 9:45 am ET, January 18, 2024, to correctly identify prosecutor Erin West's professional title and at 2:45 pm ET with a statement from Tether Holdings._

‘Stablecoins’ Enabled $40 Billion in Crypto Crime Since 2022

Once, drug dealers and money launderers saw cryptocurrency as perfectly untraceable. Then a grad student named Sarah Meiklejohn proved them all wrong—and set the stage for a decade-long crackdown.

How a 27-Year-Old Codebreaker Busted the Myth of Bitcoin’s Anonymity

Patching every device affected by the LeftoverLocals vulnerability—which includes some iPhones, iPads, and Macs—may prove difficult.

As more companies ramp up development of artificial intelligence systems, they are increasingly turning to graphics processing unit (GPU) chips for the computing power they need to run large language models (LLMs) and to crunch data quickly at massive scale. Between video game processing and AI, demand for GPUs has never been higher, and chipmakers are rushing to bolster supply. In new findings released today, though, researchers are highlighting a vulnerability in multiple brands and models of mainstream GPUs—including Apple, Qualcomm, and AMD chips—that could allow an attacker to steal large quantities of data from a GPU’s memory.

The silicon industry has spent years refining the security of central processing units, or CPUs, so they don’t leak data in memory even when they are built to optimize for speed. However, since GPUs were designed for raw graphics processing power, they haven’t been architected to the same degree with data privacy as a priority. As generative AI and other machine learning applications expand the uses of these chips, though, researchers from New York–based security firm Trail of Bits say that vulnerabilities in GPUs are an increasingly urgent concern.

“There is a broader security concern about these GPUs not being as secure as they should be and leaking a significant amount of data,” Heidy Khlaaf, Trail of Bits’ engineering director for AI and machine learning assurance, tells WIRED. “We’re looking at anywhere from 5 megabytes to 180 megabytes. In the CPU world, even a bit is too much to reveal.”

To exploit the vulnerability, which the researchers call LeftoverLocals, attackers would need to already have established some amount of operating system access on a target’s device. Modern computers and servers are specifically designed to silo data so multiple users can share the same processing resources without being able to access each others’ data. But a LeftoverLocals attack breaks down these walls. Exploiting the vulnerability would allow a hacker to exfiltrate data they shouldn’t be able to access from the local memory of vulnerable GPUs, exposing whatever data happens to be there for the taking, which could include queries and responses generated by LLMs as well as the weights driving the response.

In their proof of concept, as seen in the GIF below, the researchers demonstrate an attack where a target—shown on the left—asks the open source LLM Llama.cpp to provide details about WIRED magazine. Within seconds, the attacker’s device—shown on the right—collects the majority of the response provided by the LLM by carrying out a LeftoverLocals attack on vulnerable GPU memory. The attack program the researchers created uses less than 10 lines of code.

An attacker (right) exploits the LeftoverLocals vulnerability to listen to LLM conversationsVideo: Trail of Bits

Last summer, the researchers tested 11 chips from seven GPU makers and multiple corresponding programming frameworks. They found the LeftoverLocals vulnerability in GPUs from Apple, AMD, and Qualcomm, and launched a far-reaching coordinated disclosure of the vulnerability in September in collaboration with the US-CERT Coordination Center and the Khronos Group, a standards body focused on 3D graphics, machine learning, and virtual and augmented reality.

The researchers did not find evidence that Nvidia, Intel, or Arm GPUs contain the LeftoverLocals vulnerability, but Apple, Qualcomm, and AMD all confirmed to WIRED that they are impacted. This means that well-known chips like the AMD Radeon RX 7900 XT and devices like Apple’s iPhone 12 Pro and M2 MacBook Air are vulnerable. The researchers did not find the flaw in the Imagination GPUs they tested, but others may be vulnerable.

An Apple spokesperson acknowledged LeftoverLocals and noted that the company shipped fixes with its latest M3 and A17 processors, which it unveiled at the end of 2023. This means that the vulnerability is seemingly still present in millions of existing iPhones, iPads, and MacBooks that depend on previous generations of Apple silicon. On January 10, the Trail of Bits researchers retested the vulnerability on a number of Apple devices. They found that Apple’s M2 MacBook Air was still vulnerable, but the iPad Air 3rd generation A12 appeared to have been patched.

A Flaw in Millions of Apple, AMD, and Qualcomm GPUs Could Expose AI Data

The FTC forced a data broker to stop selling “sensitive location data.” But most companies can avoid such scrutiny by doing the bare minimum, exposing the lack of protections Americans truly have.

The US Federal Trade Commission (FTC) reached a settlement last week with an American data broker known to sell location data gathered from hundreds of phone apps to the US government, among others. According to the agency, the company ignored in some cases the requests of consumers not to do so, and more broadly failed to ensure that users were notified of how their harvested data would be used.

News that the settlement requires the company, formerly known as X-Mode, to stop selling people's “sensitive location data” was met with praise from politicians calling the outcome “historic” and reporters who deemed the settlement a “landmark” win for the American consumer. This “major privacy win,” as one outlet put it, will further require the company, rebranded as Outlogic after its activities were exposed, to delete all of the data it has illicitly gathered so far.

Outlogic, for its part, offered a drastically different take, denying any wrongdoing and vowing that the FTC order would “not require any significant changes” to its practices or products. While the company is potentially downplaying the cost to its business, it is certainly true that any ripples from the settlement will be imperceptible to consumers and Outlogic's industry at large—one which profits by selling Americans' secrets to spy agencies, police, and the US military, helping the government to dodge the supervision of the courts and all its pesky warrant requirements.

The FTC's crackdown on X-Mode's activities may indeed be historic, but from a consumer standpoint, it’s for all the wrong reasons. First, it's important to understand that the order concerns what the FTC is calling “sensitive location data,” a term of art impressively deluding and redundant at the same time. Any data that exhaustively chronicles a person’s physical presence—every moment of every day—is inherently sensitive.

There is no question that persistently tracking people’s whereabouts reveals political, religious, and even sexual associations. The act of collecting this data is a sweeping form of surveillance no matter the target. While it is easier, perhaps, to imagine how guests of “medical and reproductive health clinics, places of religious worship and domestic abuse shelters” are especially vulnerable to commercial forms of stalking, there are myriad ways in which people's whereabouts, once exposed, can endanger or ruin their lives.

Location data is inherently sensitive—so says society, an overwhelming consensus of privacy experts, and the highest court in the land.

One need only look to Congress to understand the level of fear that this precise form of surveillance inspires in those who’ve never been battered, stalked, or unhoused. Members of the House Intelligence Committee—most of whom lack an internal reproductive system—are vying at this very moment to shield federal lawmakers alone from this invasive and omnipresent tracking.

Given the current political climate, it’s not hard to imagine why politicians are afraid of surrendering their location data, leaving it accessible to virtually anyone on the cheap. But they are relatively few in number, and hardly any of them fall into the category of “most at-risk” for violence or discrimination. Unlike those who do, members of Congress have the unique power to change the law and protect themselves. Given the opportunity, that’s precisely what many have opted to do—just as they did a year earlier for federal judges.

Protection against persistent tracking is something we can definitively say is being sought after by a privileged few. But citing law enforcement needs and nebulous national security concerns, protecting anyone other than themselves is a matter that apparently demands more discussion, more caution, and more delay.

If America is creating a new protected class to shield federal lawmakers alone from surveillance, then it must accept that, unlike the vast majority of citizens who’ve never been accused of a crime, this class would be historically replete with criminals. US lawmakers have faced charges and convictions for bribery, perjury, and felony theft, not to mention obstruction of justice, withholding evidence of secret arms sales, and the possession of child sexual abuse material.

The FTC's victory in the Outlogic case is even more piddling in light of the commission today being led by one of the most vocal privacy protection advocates it has ever had, chairperson Lina Khan. That the company is still in business and touting how little the settlement matters underscores how truly underpowered and ill-equipped the FTC is for the job it's been asked to perform. It is not actually armed to protect Americans from being relentlessly surveilled, nor is that even technically its mission. Under the current regime, the agency is permitted at best to hold surveillants to a standard of “notice and choice,” one both illusory and enabling corporations (and the US government by proxy) to right now track Americans’ whereabouts at any time, all of the time, with no real legal concern.

The FTC’s principle regulatory weapon in privacy cases is known as Section Five, and it largely targets companies in privacy cases for lying. The case against Outlogic, for example, is based in part on its failure to disclose how people’s location data would ultimately be used. It did not, the FTC says, notify users that their data might be sold to government agencies for “national security purposes.” Here, the FTC's job is to ensure consumers receive “notice” of how their data is being used. But the job is a sham, and everyone who's ever clicked “I agree” on a privacy policy knows it.

Before the Outlogic case, only a small number of Americans even knew the company existed. An even smaller number had ever glanced at its terms of service, and even fewer—we’re now approaching zero—could be said to have actually read and understood what it said. Commissioners at the agency have long acknowledged as much.

“It is no wonder,” Commissioner Rebecca Slaughter said in 2019, that “98 percent” of people in one study clicked “I agree” to privacy policies that “disclosed sharing with the NSA and paying for the service by signing away your first-born child.”

The same study, out of York University, labeled the “notice” aspect of privacy regulation “the biggest lie on the internet,” detailing how research showed over 75 percent of users opted to skip reading privacy policies altogether. Those who didn’t, on average, spent roughly a minute skimming policies that would’ve taken an ordinary person 15-17 minutes to actually read, let alone comprehend.

Famously, a decade ago, researchers out of Carnegie Mellon determined that it would take an average person roughly 76 working days to consume all of the privacy policies they encounter in a year. The use of “gotcha clauses” has also been repeatedly used to demonstrate that people _do not read_ the terms of service. To wit, in July 2010, it was reported that more than 7,500 people had unknowingly sold their souls to a video game company.

These facts demonstrate unequivocally that the crime for which Outlogic is accused—failing to give consumers notice of how their data would be used—is not one of greed or opportunity, but sheer stupidity. The law is all but performative, so companies have nothing to lose by complying. Users can be counted on to agree to basically anything (up to and including being enslaved for all eternity).

People cannot “consent” to something they do not understand, just as consent cannot really be called “consent” when it involves a metaphorical gun to the head.

The truth is that even if users were strapped to a chair and forced to spend the 600 hours a year it would take to devour all of the purposely dense legal terms they agree to, many of those agreements are patently coerced, as the Supreme Court has said. So ubiquitous now is the technology tracking our movements, in “no meaningful sense” are people voluntarily accepting the risks of allowing companies to access and share that information. It is a matter of participating in society or not; of being employed or not.

It is also the FTC’s job to protect consumers from harm. But the definition of “harm”—like “notify” and “consent”—is watered down to the point of creating a serious gap between what it means and how most people actually use it. Companies are effectively free to harm people anyway, so long as it’s deemed "reasonably" avoidable by the agency and beneficial to competition on the whole.

Should the FTC fail to act, consumers have little recourse but to sit and suffer. It is nearly impossible for an individual to obtain standing in federal court to sue a corporation after their privacy is violated, assuming they can even afford to try. Merely exposing personal information is not enough. A test created by two recent Supreme Court rulings requires victims to demonstrate “concrete harm” to bring a case, even if tying any one company to an act of identity theft, harassment, or financial loss is, in nearly every instance, a fantastical objective.

Congress's last big push to pass a comprehensive privacy bill—the American Data Privacy and Protection Act of 2022—ironically would have exempted Outlogic’s activities altogether. Fearful of fighting a war on two fronts, its authors choose to purposefully avoid going after companies contracting with intelligence and law enforcement agencies. But there is one bill floating in Congress right now aimed at ending the government’s ongoing practice of buying location data from Outlogic-like companies and circumventing the courts.

The Fourth Amendment Is Not For Sale Act was introduced and passed by the House Judiciary Committee last month as part of a bigger package aiming to reauthorize and reform the problematic US intelligence program known as Section 702. The bill is slated to be taken up again this year, likely in February, sparking one of the fiercest fights over US privacy law Americans have seen in years.

Outlawing a pervasive practice that helped transform domestic surveillance into a windfall industry is a move that would be actually historic—for all the right reasons.

The Sad Truth of the FTC's Location Data Privacy Settlement

Plus: Chinese officials tracked people using AirDrop, Stuxnet mole’s identity revealed, AI chatbot hacking, and more.

“EBay's actions against us had a damaging and permanent impact on us—emotionally, psychologically, physically, reputationally, and financially—and we strongly pushed federal prosecutors for further indictments to deter corporate executives and board members from creating a culture where stalking and harassment is tolerated or encouraged,” Ina and David Steiner say in a victim statement published online. The couple also highlighted that EcommerceBytes has filed a civil lawsuit against eBay and its former employees that is set to be heard in 2025.

China’s Judicial Bureau has claimed a privately run research institution, the Beijing Wangshendongjian Judicial Appraisal Institute, has created a way to identify people using Apple’s AirDrop tool, including determining phone numbers, email addresses, and device names. Police have been able to identify suspects using the technique, according to reports and a post from the Institute. Apple’s wireless AirDrop communication and file-sharing method has previously been used in China to protest the leadership of President Xi Jinping, and Apple introduced a 10-minute time limit sharing period in China, before later rolling it out globally.

In a blog post analyzing the incident, Johns Hopkins University cryptographer Matthew Green says the attack was initially discovered by researchers at Germany’s Technical University of Darmstadt in 2019. In short, Green says, Apple doesn’t use a secure private set intersection that can help mask people’s identity when communicating with other phones using AirDrop. It’s unclear if Apple plans to make any changes to stop AirDrop being abused in the future.

It’s been more than 15 years since the Stuxnet malware was smuggled into Iran’s Natanz uranium enrichment plant and destroyed hundreds of centrifuges. Despite the incident happening over a decade ago, there are still plenty of details that remain unknown about the attack, which is believed to have been coordinated by the US and Israel. That includes who may have delivered the Stuxnet virus to the nuclear facility—a USB thumb drive was used to install the worm into the nuclear plant’s air-gapped networks. In 2019, it was reported that Dutch intelligence services had recruited an insider to help with the attack. This week, the Dutch publication _Volkskrant_ claimed to identify the mole as Erik van Sabben. According to the report, van Sabben was recruited by Dutch intelligence service AIVD in 2005, and politicians in the Netherlands did not know about the operation. Van Sabben is said to have left Iran shortly after the sabotage began. However, he died two weeks later, on January 16, 2009, after being involved in a motorcycle accident in Dubai.

The rapid advances in generative AI systems, which use machine learning to create text and produce images, has seen companies scrambling to incorporate chatbots or similar technologies into their products. Despite the progress, traditional cybersecurity practices of locking down systems from unauthorized access and making sure apps can’t access too much data still apply. This week, 404 Media reported that Chattr, a company creating an “AI digital assistant” to help with hiring, exposed data through an incorrect Firebase configuration and also revealed how its systems work. This includes the AI appearing to have the ability to “accept or deny job applicants.” The pseudonymous security researcher behind the finding, MrBruh, shared a video with 404 Media showing the chatbot appearing to automatically make decisions about job applications. Chattr secured the exposed systems after being contacted by the researchers but did not comment on the incident.

A Bloody Pig Mask Is Just Part of a Wild New Criminal Charge Against eBay

The US Securities and Exchange Commission and security firm Mandiant both had their X accounts breached, possibly due to changes to X’s two-factor authentication settings. Here’s how to fix yours.

This week, the United States Securities and Exchange Commission (SEC) suffered an embarrassing—and market-moving—breach in which a hacker gained access to its X social media account and published fake information about a highly anticipated SEC announcement related to bitcoin. The agency regained control of its account and deleted the post in under an hour, but the situation is troubling, especially given that the prominent and well-respected security firm Mandiant, which is owned by Google, had its X account compromised in a similar incident last week.

Details are still emerging about exactly what happened in each case, but there are common threads that made the account takeovers possible—and there are ways to protect yourself.

Crucially, both accounts had the digital protection known as “two-factor authentication” disabled at the time of the takeovers. Also known as 2FA, the defense requires a rotating numeric code or physical dongle in addition to a person's login credentials, so everything isn't resting on just a username and password. The SEC has not yet said whether it had two-factor turned off accidentally as a result of X's February 2023 policy change, which made it so only accounts paying for a Blue subscription would have access to two-factor codes sent via text message. Mandiant implied on Wednesday that this change was the reason it did not have the protection turned on for its X account, saying, “Normally, 2FA would have mitigated this, but due to some team transitions and a change in X’s 2FA policy, we were not adequately protected.”

Mandiant said hackers were able to guess the password protecting its X account in “a brute force” attack. X itself said on Tuesday that the SEC account hack was the result of “an unidentified individual obtaining control over a phone number associated with the @SECGov account through a third party.”

The two incidents lay out a punch list of the most important steps you can take to lock down your X account. First, ensure that your account is protected by a strong, unique password. Second, turn on two-factor for your account or, if you think you already have it on, check to make sure. X’s move to make people pay for a basic form of two-factor is problematic. It also created confusion because the company prompted free users to switch away from SMS two-factor, but then seemingly simply turned off the protection altogether for those who didn’t. This likely left a group of users in a situation where they think they have two-factor authentication on, but actually don’t.

To confirm that you have two-factor on, or to enable it for the first time, log into your X account, go to **Settings and privacy**, then **Security and account access**, **Security**, and then **Two-factor authentication**. (You can also click here if you're already logged into X). On that screen, you can choose between using two-factor authentication with a code-generating app or a physical security key. You can also generate backup codes for your account to log in to X even if you lose access to your second factor.

Finally, check that there isn't a phone number linked to your X account that can be used for account recovery. Twitter uses phone numbers to “verify” high-profile accounts and also offers a feature called “Additional password protection,” through which “you must provide either the phone number or email address associated with your account in order to reset your password.” It seems, though, that by having a phone number associated with its X account, the SEC was putting itself at greater risk, because attackers could gain control of the account by first taking over the associated phone number using an attack known as a SIM swap.

“Remove your phone number from Twitter altogether to ensure you avoid the SIM-swap threat with Twitter's risky text-message-based password reset flow,” says Rachel Tobac, a longtime account compromise researcher and CEO of SocialProof Security. She adds that X users should “turn on 2FA—I recommend app-based at the very least—and ensure you have a strong password on the account."

Though X has made it more convoluted to enable strong account security, it’s worth learning from the SEC and Mandiant’s mistakes.

How to Stop Your X Account From Getting Hacked Like the SEC's

Crypto tracing firm Chainalysis found that sellers of child sexual abuse materials are successfully using “mixers” and “privacy coins” like Monero to launder their profits and evade law enforcement.

For those who trade in child sexual exploitation images and videos in the darkest recesses of the internet, cryptocurrency has been both a powerful tool and a treacherous one. Bitcoin, for instance, has allowed denizens of that criminal underground to buy and sell their wares with no involvement from a bank or payment processor that might reveal their activities to law enforcement. But the public and surprisingly traceable transactions recorded in Bitcoin's blockchain have sometimes led financial investigators directly to pedophiles’ doorsteps.

Now, after years of evolution in that grim cat-and-mouse game, new evidence suggests that online vendors of what was once commonly called “child porn” are learning to use cryptocurrency with significantly more skill and stealth—and that it's helping them survive longer in the internet's most abusive industry.

Today, as part of an annual crime report, cryptocurrency tracing firm Chainalysis revealed new research that analyzed blockchains to measure the changing scale and sophistication of the cryptocurrency-based sale of child sexual abuse materials, or CSAM, over the past four years. Total revenue from CSAM sold for cryptocurrency has actually gone down since 2021, Chainalysis found, along with the number of new CSAM sellers accepting crypto. But the sophistication of crypto-based CSAM sales has been increasing. More and more, Chainalysis discovered, sellers of CSAM are using privacy tools like “mixers” and “privacy coins” that obfuscate their money trails across blockchains.

Perhaps because of that increased savvy, the company found that CSAM vendors active in 2023 persisted online—and evaded law enforcement—for a longer time than in any previous year, and about 57 percent longer than even in 2022. “Growing sophistication makes identification harder. It makes tracing harder, it makes prosecution harder, and it makes rescuing victims harder,” says Eric Jardine, the researcher who led the Chainalysis study. “So that sophistication dimension is probably the worst one you could see increasing over time.”

Better Stealth, Longer Criminal Lifespans

Scouring blockchains, Chainalysis researchers analyzed around 400 cryptocurrency wallets of CSAM sellers and more than 10,000 buyers who sent funds to them over the past four years. Their most disturbing finding in that broad economic study was that crypto-based CSAM sellers seem to have a longer lifespan online than ever, suggesting a kind of relative impunity. On average, CSAM vendors who were active in 2023 remained online for 884 days, compared with 560 days for those active in 2022 and just 112 days in 2020.

To explain that new longevity for some of the most harmful actors on the internet, Chainalysis points to how CSAM vendors are increasingly laundering their proceeds with cryptocurrency mixers—services that blend users' funds to make tracing more difficult—such as ChipMixer and Sinbad. (US and German law enforcement shut down ChipMixer in March 2023, but Sinbad remains online despite facing US sanctions for money laundering.) In 2023, Chainalysis found that about 46 percent of CSAM vendors used mixers, up from around 22 percent in 2020.

Chainalysis also found that CSAM vendors are increasingly using “instant exchanger” services that often collect little or no identifying information on traders and allow them to swap bitcoin for cryptocurrencies like Monero and Zcash—"privacy coins" designed to obfuscate or encrypt their blockchains to make tracing their cash-outs of profits far more difficult. Chainalysis’ Jardine says that Monero in particular seems to be gaining popularity among CSAM purveyors. In the company's investigations, Chainalysis has seen it used repeatedly by CSAM sellers laundering funds through instant exchangers, and in multiple cases it has also seen CSAM forums post Monero addresses to solicit donations. While the instant exchangers did offer other cryptocurrencies, including the privacy coin Zcash, Chainalysis’ report states that “we believe Monero to be the currency of choice for laundering via instant exchangers.”

Chainalysis’s chart of how long CSAM vendors who were active in each year had persisted online, suggesting that their resilience to takedown has steadily increased over time.

Chainalysis

The CSAM adoption curve for those instant exchangers—and, Chainalysis suggests, the privacy coins they offer—is steep: Chainalysis found that 52 percent of CSAM vendors active in 2023 sent money to instant exchangers that let users trade bitcoins for Monero, up from around 17 percent in 2020. Two CSAM vendors that Chainalysis tracked, for example, each received about $100,000 worth of cryptocurrency payments since 2020 and over the past four years almost entirely shifted from cashing out those funds at traditional cryptocurrency exchanges to trading them on instant exchangers that offered Monero. (To avoid disrupting any ongoing law enforcement investigations, Chainalysis declined to name those vendors, other CSAM sellers, or any of the instant exchangers they've used.)

Chainalysis’ researchers went so far as to correlate CSAM vendors’ use of instant exchangers offering Monero to those sellers’ increased survival rates online: After a thousand days, about one out of five CSAM vendors who used the Monero-friendly instant exchangers were still active versus just one in 25 CSAM sellers who didn't. “The data suggests that Monero helps CSAM vendors stay in business longer,” Chainalysis’ report reads.

Fewer Agents of Exploitation—and Smarter Ones

Even as the resilience of CSAM sellers who used crypto grew in 2023, Chainalysis says the overall scale of the problem may be declining by some measures. While the company found that the number of CSAM-related cryptocurrency transactions was up 89 percent since 2019, it dropped by 22 percent from 2022 to 2023. Chainalysis also counted only 43 new vendors selling CSAM for cryptocurrency in 2023, compared to 112 the previous year.

The company's researchers speculate that the decline may be due in part to the CSAM underground's increased awareness that cryptocurrency can be traced. In the highly publicized case of the Welcome to Video dark web site, one of the biggest-ever online repositories of CSAM videos, Bitcoin tracing allowed law enforcement to identify and arrest 337 men around the world and to remove 23 children from exploitative situations. (As an example of the publicity around the case, WIRED detailed the investigation in a 2022 magazine cover story.) “It's possible that the Welcome to Video case was a wake-up call for a lot of people,” says Sasha Plotnikova, a cybercrime researcher at Chainalysis.

The Internet Watch Foundation, a UK-based anti-CSAM organization that Chainalysis consulted in its research, says it has seen a similar trend in its own analysis of cryptocurrency's use by CSAM sellers. Over the past half-decade, the IWF has seen a “steady increase” in online offers of CSAM in exchange for cryptocurrency, one of the foundation's analysts told WIRED. That trend peaked in 2022, however, with the IWF recording 1,025 instances of CSAM sellers offering to accept crypto that year, just 11 more than in 2021.

At the same time, the analyst for the IWF, who asked to remain unnamed due to the sensitivity of their work, echoed Chainalysis’ finding that Monero is now being used in the CSAM industry. “We've definitely seen cases of sites asking for payment in Monero,” the analyst told WIRED.

Apex Predators

Beyond Monero's common perception as being untraceable, to what degree Monero really _does_ protect CSAM vendors remains a subject of debate and secrecy. Chainalysis has long maintained public silence on whether it offers Monero-tracing capabilities to its customers. But a leaked slide from one of the company's presentations to Italian police in 2021 claimed that Chainalysis can provide a “usable lead” in 65 percent of cases in which it worked with law enforcement to trace Monero and could identify the likely sender, but not the recipient, in another 20 percent of cases.

On that same leaked slide, Chainalysis also referred to a case in which “customers of a CSAM website in Asia were identified from transactions with the administrator's seized Monero wallet.”

Chainalysis declined to answer WIRED's questions on Monero tracing. But its report hints that law enforcement might “consider investment in specialized blockchain analysis services that can make Monero tracing possible,” as well as calling for instant exchangers to build safeguards that prevent their abuse by CSAM sellers.

Taken together, the study suggests a form of complex and messy natural selection playing out in the internet's exploitation economy. The sellers of child abuse images and videos who once naively believed that simply using cryptocurrency would protect them from law enforcement are disappearing. They're being replaced by a new generation of surviving CSAM sellers who are far more careful in their cryptocurrency transactions. But in an ecosystem where cryptocurrency tracers like Chainalysis remain the real apex predators, even those more resilient members of the digital child abuse industry may not be as safe as they think.

_Updated at 11 am ET, January 11, 2024, with more complete historical data from the Internet Watch Foundation._

Source

Wired