Fifty years ago, a fire ripped through the National Personnel Records Center. It set off a massive project to save crucial pieces of American history—including, I hoped, my grandfather’s.

The Night 17 Million Precious Military Records Went Up in Smoke

With a poor track record on tech regulation, do lawmakers stand a chance?

While negotiations started with Young and Schumer, they didn’t end there. Rather, the pair heard input from other congressional committees and worked that into the final package.

“That was the most utilization I’ve seen of the committee process since I’ve been in Congress, and I think this has an opportunity to be even more inclusive,” Young says. “Senator Schumer and I started off with legislation, but then we drew extensively from different committees of jurisdiction. I think that this effort will be even more decentralized.”

While many senators will introduce their own AI measures, Young says the bipartisan effort is aimed at getting lawmakers on the same page.

“So some of us may have bills, but the real point of emphasis here will be on crowding in ideas from others, so I think this will be more committee-focused,” Young says.

Schumer’s Democratic partner in the AI talks is Heinrich, the New Mexico Democrat, who says the closed-door meetings in the Senate are meant to help strengthen the Senate’s long-standing committees.

“I think where we are right now is encouraging everyone through the normal processes,” Heinrich says. “Different committees are going to have very different jurisdictions.”

And there are a lot of committees and many AI-related issues to tackle. For example, the Judiciary Committee will need to sort out copyright questions, the Armed Services Committee will handle questions of war, peace, and nuclear Armageddon (concerns Senator Ed Markey, a Massachusetts Democrat, has raised). And the Education Committee will handle AI’s potential impact on public education.

Lawmakers—and their staffs—also have to pore over today’s laws to see which work and which need a reboot, like copyright law in the AI era. “Some of that, the existing law is adequate, and in other places, it’s not,” Heinrich says.

Counting Critics

For now, the AI talks have largely remained above the partisan fray. Last week, a bipartisan and bicameral group unveiled a new proposal to erect a national AI commission—comprising 10 Democrats and 10 Republicans—to address AI in a more dispassionate manner than we’ve come to expect from Congress. Even so, pro-industry critics are starting to voice their concerns over what they see as a rush to regulate.

“Putting the federal government in charge of the granular development of AI is a strategy certain to ensure that China beats us in every respect in the development of AI—and that would be catastrophic,” says Senator Ted Cruz.

Cruz is the top Republican on the Senate’s Commerce, Science & Transportation Committee, which has sweeping jurisdiction over the economy. The junior senator from Texas fears Congress is going to overstep and crush innovation in the name of digital protectionism.

“I think that’s foolhardy. Very few members of Congress have any idea what AI is, much less how to regulate it. There are—no doubt, there are risks and risks we need to take seriously, but there are also enormous potential productivity gains. And the last thing we want to do is turn technology innovation into the Department of Motor Vehicles,” Cruz says.

Like his 99 colleagues, Cruz will get his say in due time. While the bipartisan AI working group isn’t focused on producing a massive, catch-all AI bill, its members know that such legislation could be the final outcome, following on the heels of the CHIPS and Science Act of 2022.

If that happens, it will be legislation the likes of which the Senate has never seen, in part because AI appears to be all-encompassing.

“It’s going to be big. It’s going to be big, and our hope is that all of the relevant committees do the hard work of figuring out where those things are,” Heinrich says. “Hopefully, we can get on the same page on a number of those things and then package that together.”

The US Senate Wants to Reign In AI. Good Luck With That

Make sure your chats are kept as private as you want them to be.

The actual number of chat messages sent each day is hard to come by, but with WhatsApp alone accounting for billions of users, you can imagine the sheer volume of ongoing conversations.

Not all of those messages involve anything particularly sensitive or private, but a lot of them do—and you don’t want those chats to be seen by anyone other than the intended recipients.

Good messaging hygiene might involve changing apps or tweaking a setting, but it’s important that you don’t neglect it. These five recommendations can get you started.

Switch to End-to-End Encryption

When instant messenger chats are end-to-end encrypted, they’re essentially turned into impenetrable blocks of data. Only the devices of the person (or people) you’re chatting with have the codes to unlock that data, which ensures no one else can read your messages while they’re in transit.

Not even the developers behind the software you’re using can unlock that data, so if an unscrupulous employee wanted to take a peek at your chats, they wouldn’t be able to. If law enforcement requested copies of the conversations, there wouldn’t be anything useful to hand over to them.

Some instant messengers use end-to-end encryption, but not all of them do. End-to-end encryption is deployed by default for Signal, WhatsApp (for personal chats,) iMessage, and Google Messages (with RCS enabled.) It’s also available as an option on Facebook Messenger and Telegram. If you’re using anything else, check the provider’s policies and consider switching to something more secure.

Facebook Messenger lets you set messages to disappear.

Facebook via David Nield

Turn On Disappearing Messages

We mentioned that Facebook Messenger has the option of end-to-end encryption: To enable it, you need to make a conversation “secret” by tapping the info (“i”) button at the top of a chat in the mobile app, then choosing **Go to secret conversation**.

Once you’re in that secret conversation, another feature becomes available: Disappearing messages. Tap the info button again and pick **Disappearing messages**, then choose how long messages should stick around after being read. This way of tidying up after yourself protects you against someone reading through your chats if they gain access to them or physical access to your device.

Facebook Messenger isn’t the only app that offers this functionality: You can also find disappearing messages in WhatsApp, Signal, and Telegram, among others. On iPhones, you can delete older conversations in the Messages app after choosing **Messages** and **Keep Messages** from Settings.

Lock Individual Conversations

To avoid an unwelcome visitor gaining access to your phone and all of your chats, one of the best things you can do is lock some or all of those chats behind a passcode or other lock—like the protection on your phone’s lock screen.

WhatsApp makes this simple. You can lock the entire app via the **Privacy** menu in the app settings, or you can lock individual chats: Open the chat, tap the conversation name at the top of the screen, and then pick **Chat lock**. The options here will depend on the options on your phone (such as fingerprint lock and face recognition).

Other apps offer the ability to lock all of your chats, including Signal, Facebook Messenger, and Telegram, though for the moment the option to lock individual conversations is exclusive to WhatsApp.

Check Your Contact Options

Most instant messenger and social media apps let you control which other users are allowed to follow you, send friendship requests, communicate with you via direct messages, and so on. Tightening up these settings is another way to limit your exposure to the wider world and maximize the security of your chats.

Take Telegram, for example. Head to **Privacy and Security** in Settings, and you can control who is allowed to see your online status, your profile photo, the groups and channels you’re in, and more. Other apps have similar options, so make sure you know what they are and what they do.

Also, think about the temporary photo and video posts commonly known as stories if your app supports them (a lot now do). These stories have their own visibility settings and may well be public by default.

Setting visibility options in Telegram.

Telegram via David Nield

Know Where Your Chat Backups Are

You want to keep backups of some conversations, otherwise you risk losing all of those records, and all that history, if something should happen to your smartphone.

But it’s important to know what you’re backing up and where those backups live. Backups are another potential route for anyone trying to access your messages without authorization, so you should keep them as well protected and secure as anything that’s actually on your phone. Some apps back up your conversations locally, and few encrypt them, so make sure to check your favorite app’s settings.

As a final precaution, you also need to think about other devices and locations where you’re logged in—Gmail can lead to Google Chat, for example—as well as places any external backups might be stored and how these are protected (take WhatsApp on Android, which can save chat backups to Google Drive).

5 Ways to Make Your Instant Messaging More Secure

Plus: Discord has a child predator problem, fears rise of China spying from Cuba, and hackers try to blackmail Reddit.

Apple says the patches fix a memory corruption that allowed an app to execute arbitrary code and a WebKit vulnerability that enabled malicious code execution through web content. The attacks have been seen only on devices running versions of iOS released before iOS 15.7, according to the company. Even if you’re an unlikely target for spyware, now’s a good time to update your iPhone.

This week, an alarming investigation by NBC News found that Discord, a social media popular with gamers, has become a popular venue for child sexual exploitation. NBC News identified 35 cases over the past six years in which adults have faced charges of kidnapping, grooming, or sexual assault that were allegedly facilitated by Discord. Nearly half of these cases resulted in guilty pleas or verdicts, while many others are still under investigation.

NBC News’ review of cases is likely a vast undercount, the report says, as these numbers represent only reported cases where charges were brought. Victims generally face significant challenges when it comes to reporting, investigations, and prosecution. Stephen Sauer, the director of the tip line at the Canadian Centre for Child Protection, told NBC News, “What we see is only the tip of the iceberg.”

According to experts interviewed by NBC News, while online child exploitation is not exclusive to Discord, the platform's decentralized moderation system and its young user base have likely made it an appealing environment for those seeking to exploit children.

The investigation comes as a _Washington Post_ report found that thousands of AI-generated child sexual abuse images have been found on forums across the dark web.

According to _The Wall Street Journal_, US officials have been monitoring the activities of employees working for Chinese telecom companies Huawei Technologies and ZTE at suspected spy facilities in Cuba. The news comes amid a push to restrict the use of Huawei and ZTE mobile infrastructure across the West.

Earlier this month, the _Journal_ reported that China has been operating a spy base in Cuba since at least 2019 and that the two countries jointly maintain four additional eavesdropping stations on the island. Officials from the Biden administration caution that these facilities could potentially intercept electronic signals from US military bases.

According to representative Mike Gallagher, the chairman of the US House Select Committee on the Chinese Communist Party, Huawei and ZTE have had regular business presence in Cuba while working to modernize the island’s internet infrastructure. In a letter Gallagher sent to director of national intelligence Avril Haines, which the _Journal_ viewed, Gallagher wrote that any enhancement of China’s intelligence capabilities in Cuba “is likely” to be aided by Chinese telecommunications companies.

In a statement, Huawei described the report as "groundless accusations" and emphasized its commitment to full compliance with applicable laws and regulations in the regions they operate. Similarly, ZTE dismissed the _Journal_'s reporting as "baseless."

The recent Reddit protest over changes to its business that threaten third-party apps was messy enough without hackers getting involved. The ransomware gang BlackCat is threatening to release some 80 GB of data that the company says was stolen earlier this year through a “highly targeted” phishing attack.

Reddit says it doesn’t believe the hackers stole user data like passwords, but BlackCat says the files contain “confidential” information. The group is demanding Reddit pay $4.5 million and cancel its plans to charge app developers exorbitant fees for access to its application programming interface, or API. Otherwise the group says, it will release the data ahead of the company’s planned IPO.

Update Your iPhone Right Now to Fix 2 Apple Zero Days

The gray market for abortifacient sales to the US is evolving alongside a shifting legal landscape.

If you search for the phrase “abortion pills” on the messaging service Telegram, an array of public channels and groups pop up. Some have names like “Buy Abortion Pills” or “Abortion pills Mifepristone Misoprostol” while others offer advice on symptoms and best practices “after the pregnancy comes out.” On May 3, a post on “ABORTION PILLS MARKET” included a photo of a blister pack labeled as abortion pills, alongside the caption, “We are legit.”

There are currently more than 200 public groups and channels on Telegram that explicitly mention selling abortion pills in their name or description, a WIRED investigation found. At the end of May, the last month for which we have complete data, 57 of the 211 groups we uncovered were active, with at least one message sent in that month.

Activity found on the platform related to selling abortion pills traces back to at least 2016, and many of the channels and groups cater to customers around the world. In the year since the US Supreme Court overturned _Roe v. Wade_ in June 2022, though, there’s a new focus on marketing to people in the United States, according to WIRED’s review of roughly 47,000 public messages scraped from these channels. And in general, public activity on Telegram related to abortion pills has been exploding since last summer.

Telegram did not immediately return WIRED's request for comment about the sale of abortifacients or other drugs on the platform.

Shady drug sellers and scams are nothing new on digital platforms. A nearly universal experience of the early consumer internet, after all, was receiving spam emails claiming to offer penis enlargement pills. And in the decades since, dark web markets have fueled illegal distribution of drugs globally. Like other prescription drugs, though, abortifacients are legal in some countries but not others. Furthermore, in some places they can be prescribed for certain purposes but not others, leaving patients to potentially seek ways to fill in the gaps for their own care. In the US, access to reproductive care, including abortifacients, varies widely from state to state.

Despite the clear uptick in activity on Telegram related to abortion pills, researchers say that they don’t see evidence of a massive new movement to illegally sell abortifacients to Americans. Kat Green, an abortion access researcher and founder of the online data analysis platform Endora, says that illegal sales of abortifacients, and corresponding questions about legitimacy and safety, aren’t currently central topics in US abortion access work. In part, this is likely because it’s still legal in many US states for patients to get abortion pills by mail. And prescribed use of these pills, also known as medication abortion, is markedly on the rise in the US. But as new and pending legal challenges threaten to further curtail access, illicit sales could eventually expand.

Analysis of frequently used phrases in the Telegram message trove WIRED collected shows that a large number of these groups and channels don’t just claim to sell abortion pills. Phrases like “weight loss,” “muscle mass,” and “erection pill” were among the 10 most popular two-word phrases that appeared in the data set. And thousands of additional messages mentioned “benzos,” “painkillers,” “Xanax,” “weed,” “coke,” and “guns.” In all, at least a quarter of the channels appear to be hawking more than just abortifacients.

Hundreds of messages from the data that contained pricing information indicate that the average cost of purchasing a purported pack of abortion pills on Telegram is currently $135.

WIRED’s investigation also indicates that the abortion pill ecosystem on Telegram is likely a small world. Analysis of the members and administrators who send messages in the groups and channels shows that many of the accounts are likely controlled by the same individuals. For example, a user going by the name Dr. Pooja Gupta has sent 1,500 messages across nine channels or groups advertising the sale of abortion pills. Dr. Pooja uses a WhatsApp number that is referenced by administrators in 14 additional channels. And some of them use similar names like Doctor Jain and Doctor Reenu. Many of these messages also referenced the same website.

After joining several of Dr. Pooja Gupta’s channels, WIRED reporters received a private Telegram message from a user known as Manisha Gupta offering medication abortion for $90. When WIRED reporters expressed interest in making a purchase, a person prepared the order and sent an image showing a blister pack of pills, and an envelope with that day's date as well as the address WIRED provided for shipment. The return address written on the envelope was a location in Mumbai, India.

Still messaging on Telegram, a person then sent account information for Punjab National Bank and directed WIRED to submit payment through a service called Remitly. WIRED reporters did not complete the transaction. When asked whether they have had more US-based customers in recent months, the person said, “since new laws I am send to America much more.”

Some groups on Telegram have US-specific names or descriptions, like “Abortion Pills in Republican States,” but most have more generic names and claim to deliver to dozens of countries. For instance, one of the largest and most active channels in the data set dates from August 2021 and is apparently specifically geared toward delivering abortion pills to Dubai, Kuwait, Qatar, and the Philippines—all countries where legal access to abortion is restricted.

Last June, researchers from the security firm DarkOwl noticed a sharp increase in discussions on the dark web about connecting abortion-seekers in the US with abortifacients and other resources. Some vendors that already sold illegal drugs said they would begin selling medication abortion as well. At the time, though, the researchers said that they didn’t actually see abortion pills widely available for sale on most dark web markets, but that “they are available for purchase via threads in discussion forums, as well as classified-style advertisements on transient paste services.”

Ian Gray, director of analysis and research at the security firm Flashpoint, says that turning points like the Covid-19 pandemic or the fall of _Roe_ for the US can spark trends in digital scams and illicit online sales. But a survey Gray conducted for WIRED of dark web advertising targeted at the US over the last year did not reveal a dramatic spike in content related to abortifacients.

“At a high level, it's difficult to identify a significant increase in chatter related to abortion pills due to _Roe v Wade_ being overturned last year,” Gray says. He notes, though, that “there are a limited number of posts within the past year in marketplaces, which may indicate demand. Most posts, at least on Twitter and some within Telegram, are in Brazilian Portuguese, likely due to a ban on abortion pills.”

As with many medical procedures, the stakes are extremely high in medication abortion. But the patchwork of laws and access in the US could make the landscape particularly fraught for patients in need who may eventually turn to illicit markets out of desperation.

Inside the Illicit Market for Abortion Pills on Telegram

Newly released documents highlight the bureau's continued secrecy around cell-site simulators—spying tech that everyone already assumes exists.

United States government records recently obtained by the American Civil Liberties Union show that state and local police authorities are continuing to trade silence for access to sophisticated phone-tracking technologies loaned out by the Federal Bureau of Investigation. To protect the secrets of the technology, documents show, police departments will routinely agree, if necessary, to drop charges against suspects who've been accused of violent crimes.

The documents, handed over by the FBI under the Freedom of Information Act, include copies of nondisclosure agreements signed by police departments requesting access to portable devices known as cell-site simulators, otherwise known by the generic trademark “Stingray” after an early model developed by the Harris Corporation. The FBI requires the NDAs to be signed before agreeing to aid police in tracking suspects using the devices. Stipulations in the contracts include withholding information about the devices, they're functionality, and deployment from defendants and their lawyers in the event the cases prove justiciable.

Legal experts at the ACLU, Laura Moraff and Nathan Wessler, say the secrecy requirements interfere with the ability of defendants to challenge the legality of surveillance and keep judges in the dark as to how the cases before their court unfold. “We deserve to know when the government is using invasive surveillance technologies that sweep up information about suspects and bystanders alike," Moraff says. “The FBI needs to stop forcing law enforcement agencies to hide these practices.”

A key function of cell-site simulators is to masquerade as a cell tower in order to identify nearby networked devices. This hack works by weaponizing a common power-saving feature of most phones: connecting by default to the closest cell tower emitting the strongest signal. Once the “handshake” between the device and a phone begins, there are a variety of authentication protocols the device must overcome. Tricking modern phones into connecting with the simulator has grown increasingly complicated since the earliest versions of the device were strapped to planes and used to intercept communications on US battlefields.

Cell-site simulators used by police today come with additional modes and equipment to target individual phones in an area and can be used narrow their locations to a single home or apartment. 

Multiple variants of the device are known to exist and some are capable of launching attacks more sophisticated and invasive than others. Some allow operators to eavesdrop on calls, or will force devices to execute unauthenticated commands that disable encryption or downgrade the connection to a lower and less secure network. One command sent by a phone, for example, can cause nearby cell towers to reject the device, rendering it incapable of network use. 

Whether US government entities have ever employed some of these advanced features domestically is unknown. Certain models used by the federal government are known to come with software capable of intercepting communications; a mode in which the device executes a man-in-the-middle attack on an individual phone rather than be used to identify crowds of them. Manufacturers internationally have marketed newer simulators capable of being concealed on the body and have advertised its use for public events and demonstrations. It is widely assumed the most invasive features remains off-limits to local police departments. Hackers, meanwhile, have proven its possible to assemble devices capable of these feats for under $1,000. 

Contractual language obtained by the ACLU shows police are required to use any “reasonably available” means to restrict the device from doing anything more than “recording or decoding electronic or other impulse to the dialing, routing, addressing and signaling information utilized in the processing and transmitting of wire or electronic communications.”

Other records show cell-site simulators are listed as defense articles on the United States Munitions List, meaning trade in the technology is ultimately regulated by the State Department. This designation is used by the FBI, however, in order to compel secrecy from state and local agencies requesting its aid, as unauthorized disclosures about defense technology is considered an arms control violation punishable by up to 20 years in prison and $1 million in fines. 

Due to their interference with domestic cellular networks, use of the device for law enforcement purposes is authorized by the Federal Communications Commission.

Since the _US v. Carpenter_ decision, in which the Supreme Court held that cellular data containing location data is shielded by the Fourth Amendment, the Department of Justice (DOJ) has required federal agencies to obtain warrants before activating cell-site simulators. This extends to police departments borrowing the technology from the FBI. The DOJ crafts the language used by police in these interactions with courts to control the amount of legal scrutiny that falls on the device. It does this by conflating cell-site simulators with decades-old police technologies like the “trap and trace” and “pen registers,” names for devices and programs capable of identifying incoming and outgoing calls, respectively, but which do not gather location data. 

When police use the devices to locate a suspect on the loose or gather evidence of a crime, they are generally required by the FBI not to disclose it in court. In some cases, this leads police to launder evidence using a technique known as parallel construction, whereby the method used to collect evidence is concealed by using a different method to collect the same information again after the fact. The practice is legally controversial, particularly when undisclosed in court, as it prevents evidentiary hearings from weighing the legality of actual police conduct. 

Documents show police are advised to pursue “additional and independent investigative means and methods” to obtain evidence collected through use of a cell-site simulator, though suggestions provided by the FBI on how this could be accomplished were redacted by the bureau. 

The power of judges to toss evidence seized in contravention of a defendant’s rights is, the Supreme Court wrote in 1968, the only true defense Americans have against police misconduct. Without it, then-chief justice Earl Warren wrote, “the constitutional guarantee against unreasonable searches and seizures would be a mere ‘form of words.’”

Under the US system, Warren wrote,  “evidentiary rulings provide the context in which the judicial process of inclusion and exclusion approves some conduct as comporting with constitutional guarantees and disapproves other actions by state agents.” Allowing police and prosecutors to authenticate their own evidence, he added, would make the courts essentially party to “lawless invasions” of American's privacy. Withholding information from judges about the ways in which evidence is collected, therefore, may easily interfere with one of the court’s most sacred duties; forestalling at the same time any scrutiny as to the constitutionality of the state’s conduct.

The FBI, meanwhile, argues that secrecy is necessary, as revealing information about such devices would enable criminals to “diminish or thwart law enforcement efforts.” Information about them is therefore designated “law enforcement sensitive” or “protected homeland security information,” terms that describe unclassified information the government deems “for official use only.” These designations generally prevent documents from being disclosed to the public and may exempt from use in legal proceedings.

The FBI employs a “jigsaw” or patchwork theory of disclosure, documents show, to keep even minor details about cell-site simulators hidden from the public. It argues that details, no matter how small, may “like a jigsaw puzzle,” eventually combine to reveal critical information about the technology. Because the devices are used in counterterrorism cases and in a counterintelligence capacity, the FBI further argues that revealing information about cell-site simulators would have a “significant detrimental impact on the national security of the United States.”

The idea of prosecutors dropping cases merely to protect word from spreading about the use of an already well-known device is particularly concerning due to the gravity of crimes typically involved in cases where police bother to deploy them. Documents obtained by the ACLU show, for example, that police requested technical assistance from the FBI in May 2020 during a manhunt for a gang-affiliated suspect wanted of multiple murders. “This is a serious crime and a good use of our assistance abilities,” an FBI official wrote in response to the request. Though redacted to protect the privacy of the individuals involved,  the document indicates the suspect had recently attacked a female victim leaving her greatly injured. 

The arguments compelling all this secrecy is difficult to square with the reality that, in the year 2023, both innocent people and criminals alike are far from naïve about how much like a tracking device cell phones actually are. The controversy around “stingrays” is so old that the tactical advantage they once offered exclusively to military spies works far more efficiently today as a commercial capability. To wit, finding a phone is now a standard feature on nearly all phones.

Whether everyday people comprehend that their phones are constantly broadcasting their locations is a question best answered by the man who was caught stowing his phone in a potato chip bag so he could play golf instead of work—a trick so effective (or possibly unnecessary) that, in the end, it took an office snitch to bring him down. It’s hard to imagine the crime spree the man might’ve pulled off had he only applied this advanced telecommunications mastery toward some more felonious endeavor.

While the golfer was hailed widely as a “MacGyver” in the press, the trick he used to deceive his employer was first popularized in the 1998 thriller _Enemy of the State._ Early in the film, Gene Hackman’s character grabs and stuffs Will Smith’s phone into a potato chip bag (screaming at him, meanwhile, that the NSA can “read the time off your fucking watch.”) The film is worth mentioning because cell phones were essentially new at the time—which is to say, the knowledge, or belief, that law enforcement can track people’s movements based on their cellphones entered the mainstream back when fewer than 25 percent of Americans owned one.

A man buying his counter surveillance from a snack machine to avoid work doesn't care how the trick works, though anybody who has ever lost a radio signal in parking garage is equipped to solve that mystery. The FBI can track cell phones. Unscrupulous golfers know it. Bank robbers and terrorists are presumably also clued in on this now. And no amount of silence that police or prosecutors ever agree to is going to diminish that.

Docs Show FBI Pressures Cops to Keep Phone Surveillance Secrets

Vehicles from Toyota, Honda, Ford, and more can collect huge volumes of data. Here’s what the companies can access.

Privacy4Cars results say it is unclear how Honda uses biometric data, which is information about your body. Honda’s Martin says no Acura or Honda models in the US have systems that transfer biometrics to the company. The airbag system within the car may collect weight and body position information, Martin says, but this is stored on the onboard computer and is only accessible by a physical connection, with state and federal laws outlining who can access it.

Honda’s connected product privacy notice says it is possible to opt out of many forms of data collection, pointing to its apps and owners manuals.

Ford (F150)

Only one Ford model, the F150 truck, appears in recent lists of best-sellers, but it's often the most popular across all categories. Like most manufacturers, Ford collects information about who owns the vehicle, including names, location details, and driving license data. Privacy4Cars analyzed four Ford documents, which run to around 50,000 words, when looking at the data the company can collect.

Alan Hall, director of technology communications at Ford, says its Connected Vehicle Privacy Notice provides people with the most information about what its cars collect. This includes vehicle data, such as tire pressure, information about how parts are performing, and vehicle charging information if a vehicle is electric.

The company also can collect driving data and characteristics, such as your speed, how you push the pedals, and seat-belt-related data. Information about your travel direction, precise location, speed, and local weather can be gathered from the vehicle.

Voice recognition systems in some of its vehicles can gather information when they are listening. Its “media analytics” involves capturing information about what you listen to in your car, including “radio presets, volume, channels, media sources, title, artist, and genre.”

The section of Ford’s privacy policy that is specific to California, which has stricter data laws than across the US, also provides extra data about what can be collected. “We utilize connected vehicle data to improve quality, minimize environmental impact, and make our vehicles safer and more enjoyable to drive and own,” Hall says.

Chevrolet (Silverado)

Chevrolet, which is owned by General Motors, collects both information about you and what you do with your vehicle, as all manufacturers we analyzed do. A company spokesperson says its privacy statement is the fullest documentation of what the company collects. This document also links to its specific privacy document for connected services, including its cars. We ran the Chevrolet Silverado through the privacy tool.

As a starter, GM collects people’s identifiers, such as names, postal addresses, and email addresses. Chevrolet’s documents say it can collect information about your vehicle, such as its battery, ignition, and window data, gear status, and diagnostic information. It can also collect, among other things, your location, route history, your speed, and “braking and swerving/cornering events.”

The documents also say data “from camera images and sensor data, voice command information, stability control or anti-lock events, security/theft alerts, and infotainment (including radio and rear-seat infotainment) system and Wi-Fi data usage” can be collected. The company can also receive “information about your home energy usage,” which relates to the charging and discharging of electric vehicles.

Jeep and Ram (Grand Cherokee and Ram Pickups)

The Jeep Grand Cherokee and the Ram Pickup are two of the most popular vehicles in the US. Both the Jeep and Ram brands are owned by Stellantis, a firm that was created when Fiat Chrysler Automobiles and the Peugeot group merged in 2021. As a result, they largely use the same connected services privacy policy and terms of service, which can also cover Chrysler, Dodge, and Fiat. (Ram was a line of Dodge trucks until it became its own brand starting in 2010.)

Stellantis can collect your name, address, phone number, email, Social Security number, and driving license number. The driving data the company collects, according to its documents, includes the dates and times you use it, your speed, acceleration and braking data, details of the trip (including location, weather, route taken), and, among other things, cruise control data. Like other manufacturers, it also collects data about the status of your car, including “refueling activity,” battery levels, images from cameras, and error codes that are generated. Your face and fingerprint data may be collected if you use services, such as digital keys, that need this kind of information to operate, the documents say.

Privacy4Cars tool says the company is “silent” in its documents on whether data from synched phones is collected. Mark Silk, the head of software data analytics at Stellantis, says data is not collected from synched phones in vehicles, but the company does collect data from its “branded mobile remote apps.”

Silk says that for the majority of its new vehicles, there are three ways for people to manage their personal data. “The ability to turn off and on the collection of geo-location data at any time from within the vehicle, the ability to opt-in/out and consent to specific uses of their personal data via our digital channels, and the ability to request the ‘right to be forgotten’ at any time—again this can be requested via digital channels,” Silk says, adding the company is rolling out more privacy tools in the future.

How the Most Popular Cars in the US Track Drivers

The AI era promises a flood of disinformation, deepfakes, and hallucinated “facts.” Psychologists are only beginning to grapple with the implications.

Artificial intelligence is arguably the most rapidly advancing technology humans have ever developed. A year ago you wouldn’t often hear AI come up in a regular conversation, but today it seems there’s constant talk about how generative AI tools like ChatGPT and DALL-E will affect the future of work, the spread of information, and more. A major question that has thus far been almost entirely unexamined is how this AI-dominated future will affect people’s minds.

There’s been some research into how using AI in their jobs will affect people mentally, but there isn’t yet an understanding of how simply living amongst so much AI-generated content and systems will affect people’s sense of the world. How is AI going to change individuals and society in the not-too-distant future?

AI will obviously make it easier to produce disinformation—from fake images to deepfakes to fake news. That will affect people’s sense of trust as they’re scrolling on social media. AI can also allow someone to imitate your loved ones, which further erodes people’s general ability to trust what was once unquestionable. That may also affect how they think about identity.

Your own identity can be threatened by deepfakes, too, if people are creating images or videos of you doing things you never actually did. In the US, people often identify with their jobs, and those could soon be threatened. Will AI make people more reliant on and distracted by technology at a time when that’s already a major issue? There are countless ways AI could reshape how people operate in the world. But researchers are only just beginning to grapple with the implications of an AI-saturated existence.

Larry Rosen, a professor emeritus of psychology at California State University, Dominguez Hills, says he worries that AI will make people more reliant on technology. Humans like things to be as simple and easy as possible, to avoid stress, he says, so people might start automating every aspect of their life that they can.

In the same way you might use Google Maps to get everywhere and not know how to get there otherwise, AI might cause people to stop learning things they would have otherwise had to learn. Ironically, though, Rosen thinks this could cause _more_ stress as people are inundated with AI and constantly shifting gears and not seeing anything quite clearly.

“I get concerned about the fact that we just blindly believe the GPS. We don’t question it. Are we just going to blindly believe the AI?” Rosen says. “As it is, we’re overwhelmed. We’re so overwhelmed that we can’t make ourselves do a simple task and see it to completion. Anxiety is just going to ratchet up as we’re faced with this unknown thing in our world.”

Michael Graziano, a professor of psychology and neuroscience at Princeton University, says he thinks AI could create a “post-truth world.” He says it will likely make it significantly easier to convince people of false narratives, which will be disruptive in many ways.

“Reality has become pixels, and pixels are now infinitely inventable,” Graziano says. “We can create them any way we want to.”

That being said, Graziano also wonders if AI could help us with the loneliness epidemic, which is a big strain on mental health. Perhaps people will think of AI as a friend? But what happens then? We don’t yet know, Graziano says.

“We don’t actually know what kind of impact this technology will have,” Graziano says.

Michal Kosinski, a computational psychologist and associate professor of organizational behavior at Stanford University, says AI could have an interesting impact on how people think about their work. He says AI will be better at doing many tasks that humans do today, so people will rely on it, and they could essentially become the human face of the work the AI is doing.

“Increasingly, not only medical doctors but politicians and judges and teachers will become interfaces for algorithms,” Kosinki says. “When you go to a doctor, a doctor will still give you a diagnosis, but this diagnosis will just be printed out of a computer that analyzed your vital signs and symptoms and told the doctor to give you this medicine.”

AI is going to have an impact on almost every aspect of human life, and Graziano says much more research is needed into how this will affect people’s minds. If social media can have such a major impact on society, there’s no telling what consequences a rapidly advancing technology like AI could precipitate.

“I would like to see people collect actual data on people’s psychological state, personalities, their mental health as a function of their engagement with AI,” Graziano says. “What does that do? Does it actually improve things in some ways and harm things in other ways? Is it dependent on the particular personality or particular socio-economic status of a person? There’s this giant area that isn’t studied.”

Kosinki says people are just starting to see how quickly these AI systems are advancing, and they’re just going to keep becoming more complex and capable of more things. The world might look a lot different in just a year, and there’s no saying what it will look like further down the road.

“We are sliding, very quickly, towards an AI-controlled and AI-dominated world,” Kosinki says.

Humans Aren’t Mentally Ready for an AI-Saturated ‘Post-Truth World’

Plus: The arrest of an alleged Lockbit ransomware hacker, the wild tale of a problematic FBI informant, and one of North Korea’s biggest crypto heists.

Prison surveillance is now much more than skin deep. A jail in Atlanta, Georgia, has begun rolling out a new tracking system that monitors everything from inmates’ locations to their literal heartbeats, according to documents WIRED obtained through a public records request. Made by Talitrix, the system uses hundreds of sensors installed around a jail that link to a Fitbit-like wristband worn by inmates. Georgia prison officials say the surveillance tech will improve safety inside and help mitigate the impacts of staffing shortages. Privacy experts say it’s the latest erosion of inmates’ rights.

If privacy is virtually nonexistent in jail, it may not be much better before you’re even convicted of a crime. Just ask a family in Indiana’s Monroe County, who are being monitored by probation officers through an app called Covenant Eyes. The app records everything a person does on their device, taking screenshots at least once per minute as well as monitoring network requests, all of which are sent to an “ally.” (The allies, in this case, are two probation officers.) The father, who has been charged with possession of child sexual abuse material, is in jail awaiting trial after the app alerted officers that someone had attempted to visit Pornhub, which would have been a violation of his bond. But thanks to shortcomings in the app, the whole thing may have been a mistake.

Beyond potentially unconstitutional surveillance, there are many other ways government data collection can hurt your privacy. Millions of people in India may have had their data exposed thanks to an alleged breach of CoWIN, India’s vaccination-tracking app. The Indian health ministry says reports of a breach are “without any basis,” and independent security researchers say the breach may not be as widespread as some believed. The government is now investigating.

In the US, a newly declassified report commissioned by the Office of the Director of National Intelligence reveals that spy agencies have been compiling a “large” trove of data about virtually every American simply by purchasing the information from commercial sources, like data brokers. Privacy advocates say the practice is a potential end run around constitutional protections.

Earlier this month, a former intelligence officer publicly claimed the US government has an “intact” craft made by a “non-human” entity, among other extraterrestrial allegations. The claims have caught the attention US Congress members, several of whom are planning investigations. Given the openness some lawmakers have to conspiratorial thinking, this issue may finally fly out of the shadows.

A more pressing concern for the US government may come from right here on Earth. Encryption chips made by a subsidiary of a company on the US Commerce Department’s so-called Entity List are being used by a slew of government bodies, including the US Navy, NATO, and NASA. The company, Hualan, landed on the Entity List thanks to its close ties to China’s military. But this “red flag” hasn’t stopped these agencies and others from purchasing the encryption chips from Initio, a Hualan subsidiary, raising concerns over a potential backdoor. Initio says it doesn’t have the ability to implement a backdoor in its chips, and several agencies told WIRED that they take the necessary precautions to ensure the security of the tech they use. Given how difficult it is to find a backdoor in these chips, however, these assurances may do little to assuage experts’ fears.

Finally, the Russia-based ransomware gang Clop went on a hacking spree that hit US government agencies and international companies including Shell and British Airways. Clop hackers carried out their cybercriminal campaign by exploiting a vulnerability in the file-transfer service MOVEit. The flaw has since been patched, but the full extent of the stolen data and list of targets remains unclear.

But that's not all. Each week, we round up the biggest security and privacy stories we weren't able to cover in depth ourselves. Click on the headlines to read the full stories, and stay safe out there.

As Russia has carried out its unprecedented cyberwar in Ukraine over nearly a decade, its GRU military intelligence hackers have taken center stage. The notorious GRU hacker groups Sandworm and APT28 have triggered blackouts, launched countless destructive cyberattacks, released the NotPetya malware, and even attempted to spoof results in Ukraine’s 2014 presidential election. Now, according to Microsoft, there’s a new addition to that hyper-aggressive agency’s cyberwar-focused bench.

Microsoft this week named a new group of GRU hackers that it’s calling Cadet Blizzard, and has been tracking since just before Russia’s full-scale invasion of Ukraine in February 2022. Redmond’s cybersecurity analysts now blame Cadet Blizzard for the destructive malware known as WhisperGate, which hit an array of government agencies, nonprofits, IT organizations, and emergency services in Ukraine in January 2022, just a month before Russia’s invasion began. Microsoft also attributes to Cadet Blizzard a series of web defacements and a hack-and-leak operation known as Free Civilian that dumped the data of several Ukrainian hacking victim organizations online while loosely impersonating hacktivists, another of the GRU’s trademarks.

Microsoft assesses that Cadet Blizzard appears to have the help of at least one private sector Russian firm in its hacking campaign but that it’s neither as prolific nor as sophisticated as previously known GRU groups plaguing Ukraine. But as Russia has switched up the tempo of its cyberwar, focusing on quantity rather than quality of attacks, Cadet Blizzard may play a key role in that brutal cadence of chaos.

You might think that in 2023, Russian hackers would have learned not to travel to countries with US extradition treaties—not to mention a US state. But one allegedly prolific ransomware extortionist associated with the notorious Lockbit group was arrested this week in Arizona, the Department of Justice announced. Ruslan Magomedovich Astamirov, a 20-year-old man living in Russia’s Chechen Republic, carried out at least five ransomware attacks against victims in Florida, Tokyo, Virginia, France, and Kenya, according to prosecutors. And in one case, he allegedly pocketed 80 of the bitcoin ransom personally. Astamirov’s arrest represents a relatively rare instance of US officials laying hands on a ransomware hacker, most of whom typically stay on Russian soil and evade arrest. It’s not yet clear why Astamirov made the mistake of traveling, but here’s hoping it’s a trend. Lots of other US-extradition countries are lovely this time of year.

File this one under “complicated headlines”: According to a search warrant unearthed by _Forbes_, the FBI used information stolen by a hacker from a dark-web assassination market to investigate a person going by the pseudonym Bonfire—whom the FBI believes is a Louisiana hairdresser named Julie Coda—to commission the murder of her niece’s father. In fact, Bonfire was being scammed by a fake murder-for-hire service, as is almost always the case with such dark-web deals. And to compound her problems, her alleged attempted murder-for-hire was revealed to the FBI by a hacker working as an informant to the US Department of Homeland Security. To further complicate this dark, strange story, that hacker appears to have been a foreign national flipped by the DHS and convicted of possessing child sexual abuse materials.

Last week it came to light that Estonia-based cryptocurrency wallet service Atomic Wallet had been breached by hackers apparently based in North Korea who stole tens of millions of dollars. Crypto analysts at Elliptic have now uncovered the larger picture of that heist and found that the hackers’ haul was in fact in the nine figures, making it one of North Korea’s biggest crypto heists in recent years. According to Elliptic, a large tranche of the funds have flowed to the Russian exchange Garantex, which was sanctioned by the US Treasury Department last year but continues to operate.

A Newly Named Group of GRU Hackers is Wreaking Havoc in Ukraine

The ransomware gang Clop exploited a vulnerability in a file transfer service. The flaw is now patched, but the damage is still coming into focus.

United States cybersecurity officials said yesterday that a “small number” of government agencies have suffered data breaches as part of a broad hacking campaign that is likely being carried out by the Russia-based ransomware gang Clop. The cybercriminal group has been on a tear in exploiting a vulnerability in the file transfer service MOVEit to grab valuable data from victims including Shell, British Airways, and the BBC. But hitting US government targets will only increase global law enforcement's scrutiny of the cybercriminals in the already high-profile hacking spree.

Progress Software, which owns MOVEit, patched the vulnerability at the end of May, and the US Cybersecurity and Infrastructure Security Agency released an advisory with the Federal Bureau of Investigation on June 7 warning about Clop's exploitation and the urgent need for all organizations, both public and private, to patch the flaw. A senior CISA official told reporters yesterday that all US government MOVEit instances have now been updated. 

CISA officials declined to say which US agencies are victims of the spree, but they confirmed that the Department of Energy notified CISA that it is among them. CNN, which first reported the attacks on US government agencies, further reported today that the hacking spree impacted Louisiana and Oregon state driver's license and identification data for millions of residents. Clop has previously also claimed credit for attacks on the state governments of Minnesota and Illinois.

“We are currently providing support to several federal agencies that have experienced intrusions affecting their MOVEit applications,” CISA director Jen Easterly told reporters on Thursday. “Based on discussions we have had with industry partners in the Joint Cyber Defense Collaborative, these intrusions are not being leveraged to gain broader access, to gain persistence into targeted systems, or to steal specific high-value information—in sum, as we understand it, this attack is largely an opportunistic one.”

Easterly added that CISA has not seen Clop threaten to release any data stolen from the US government. And the senior CISA official, who spoke to reporters on the condition that they not be named, said that CISA and its partners do not currently see evidence that Clop is coordinating with the Russian government. For its part, Clop has maintained that it is focused on targeting businesses and will delete any data from governments or law enforcement.

Clop emerged in 2018 as a standard ransomware actor that would encrypt a victim's systems and then demand payment to provide the decryption key. The ransomware gang is also known for finding and exploiting vulnerabilities in widely used software and equipment to steal information from a variety of businesses and institutions and then launch data extortion campaigns against them. 

Allan Liska, an analyst for the security firm Recorded Future who specializes in ransomware, says that Clop was “moderately successful” with the ransomware approach. It eventually differentiated itself, though, by moving away from encryption-based ransomware and toward its current model of developing exploits for vulnerabilities in enterprise software and then using them to carry out mass data theft.

And while there may not be direct coordination between the Kremlin and Clop, research has repeatedly shown ties between the Russian government and ransomware groups. Under the arrangement, these syndicates can operate from Russia with impunity so long as they don't target victims within the country and defer to the Kremlin's influence. So is Clop really deleting data it gathers, even incidentally, from government victims?

“We don’t think US government agencies were specifically targeted. Clop simply hit any vulnerable server running the software,” Liska says of the MOVEit campaign. “But it is highly likely that any information Clop collected from the US government or other interesting targets was shared with the Kremlin.”

Source

Wired