Jeff Bezos’ girlfriend shared compromising texts with her brother, who sold them, WSJ reports

New York prosecutors have evidence suggesting that Jeff Bezos’ girlfriend, Lauren Sanchez, shared compromising texts about her affair with Bezos with her brother, Michael Sanchez, The Wall Street Journal reports. Michael then reportedly sold those photos to the National Enquirer, which then published a story about Lauren and Bezos’ affair last January. The WSJ says its reporters have seen the texts themselves.

Bezos’ affair returned to the limelight this week when The Guardian reported that it was “highly probable” that Saudi Arabia hacked Jeff Bezos’ phone in May 2018. According to this theory, Bezos’ phone was compromised when he received a WhatsApp message with a malicious video file from the crown prince of Saudi Arabia, Mohammed bin Salman (MBS).

After Bezos apparently tapped on the video, an awful lot of data “were exfiltrated from Bezos’s phone within hours,” The Guardian reported, based on an account from an anonymous source. This theory was supported by a report about the hack published by security forensics firm FTI Consulting that was obtained by Vice.

That report also included an apparent screenshot of a misogynistic meme sent by MBS to Bezos in November 2018 with a picture of a woman who looks similar to Lauren Sanchez, and the report suggests that the image means MBS may have had knowledge of the affair before it was public in early 2019.

Both the Guardian’s story and FTI’s report would seem to back up the original accusations of Bezos’ security consultant Gavin De Becker, who initially published a story in The Daily Beast that not only claimed Saudi Arabia had hacked the Amazon founder’s phone, but strongly suggested there might be a link to the Enquirer’s story.

However, some security professionals felt that FTI’s report didn’t prove that Saudi Arabia hacked Bezos’ phone. It’s primarily based on coincidences, not evidence that Bezos’ data flowed back to Saudi Arabia. And although Bezos also hinted in an earlier Medium article that there is a connection between Saudi Arabia and the National Enquirer, it doesn’t appear that either Bezos or his security consultant has evidence linking anything from the apparent hack by Saudi Arabia to the National Enquirer’s story about Bezos’ affair.

Since the story first came to light, American Media, owner of the National Enquirer, has maintained that it received information about the affair from Michael Sanchez, not from Saudi Arabia, and reiterated that position in a statement published yesterday in The New York Times.

It seems likely that Michael Sanchez is the primary source for the National Enquirer’s story. It’s also possible that Saudi Arabia may have hacked Bezos’ phone, though that’s not a certainty. Both might be true. Right now, though, there isn’t hard evidence that Saudi Arabia was a source for the National Enquirer’s story about the affair.

Controversial facial recognition firm Clearview AI facing legal claims after damning NYT report

Clearview AI, an artificial intelligence firm providing facial recognition technology to US law enforcement, may be overstating how effective its services are in catching terrorist suspects and preventing attacks, according to a report from BuzzFeed News.

The company, which gained widespread recognition from a New York Times story published earlier this month, claims it was instrumental in identifying a New York suspect from video footage who had placed three rice cookers disguised as explosive devices around New York City last August, creating panic and setting off a citywide manhunt. BuzzFeed News found via a public records request that Clearview AI has been claiming in promotional material that law enforcement linked the suspect to an online profile in only five seconds using its database. But city police now say this is simply false.

“The NYPD did not use Clearview technology to identify the suspect in the August 16th rice cooker incident,” an NYPD spokesperson told BuzzFeed News. “The NYPD identified the suspect using the Department’s facial recognition practice where a still image from a surveillance video was compared to a pool of lawfully possessed arrest photos.”

The NYPD now says it has no formal relationship with Clearview, despite the company’s claims otherwise both in the promotional material it’s using to pitch its technology around the country and even publicly on its website. Clearview CEO Hoan Ton-That now says the NYPD is using its technology “on a demo basis,” BuzzFeed reports.

In a blog post published on Thursday responding to criticism, Clearview claims it has rejected the idea of producing a public, consumer-facing facial recognition app that could be accessed by anyone.

“Clearview’s app is not available to the public. While many people have advised us that a public version would be more profitable, we have rejected the idea,” the post reads. “Clearview exists to help law enforcement agencies solve the toughest cases, and our technology comes with strict guidelines and safeguards to ensure investigators use it for its intended purpose only.”

Clearview has quickly risen to the forefront of the national conversation around facial recognition technology — in particular, growing concern among activists and politicians over how it may be used to violate civil rights and whether it’s being adopted too quickly based on false or misleading claims about its effectiveness. Amazon, which makes a cloud-based facial recognition product called Rekognition, has also faced similar criticism for selling its technology to law enforcement despite repeated concerns from academics and activists who say it is flawed when used to try to identify darker-skinned and female individuals.

Clearview is also facing challenges from platforms in the wake of the NYT report. Twitter has sent Clearview a cease-and-desist letter demanding that the company stop scraping its platform for photos to include in its database. Twitter also demanded the company delete any existing data it may have obtained from the platform because using it to fill out a third-party database without user consent is against Twitter’s policies. Clearview has acknowledged publicly that it built out its database in part by scraping social media profiles.

Additionally, the New Jersey Office of the Attorney General has barred the state’s police departments from using Clearview, and sent a cease-and-desist to Clearview on Friday after the Department of Law and Public Safety discovered that a photo of New Jersey AG Gurbir S. Grewal was being used on Clearview’s website to falsely promote its product as having been used in a 2019 child predator sting.

Members of Congress are also expressing concerns over the product. Sen. Ed Markey (D-MA), a vocal critic of Silicon Valley privacy practices and overreach, also sent a letter to Ton-That earlier this month demanding the company provide crucial information about its practices and technology. The list of questions includes information on which law enforcement agencies Clearview is working with, results of internal bias and accuracy tests if there are any, whether the company plans to market its technology to individuals or third-party companies beyond law enforcement, and its child privacy protections, among other info.

“The ways in which this technology could be weaponized are vast and disturbing. Using Clearview’s technology, a criminal could easily find out where someone walking down the street lives or works. A foreign adversary could quickly gather information about targeted individuals for blackmail purposes,” reads Markey’s letter. “Clearview’s product appears to pose particularly chilling privacy risks, and I am deeply concerned that it is capable of fundamentally dismantling Americans’ expectation that they can move, assemble, or simply appear in public without being identified.”

In one particularly dystopian twist, The New York Times reported that Clearview had identified and reached out to police officers who may have been talking with journalists by checking logs of which officers uploaded photos of those journalists into Clearview’s app. “It’s extremely troubling that this company may have monitored usage specifically to tamp down on questions from journalists about the legality of their app,” Sen. Ron Wyden (D-OR) tweeted last Sunday.

Update January 25th, 2:30PM ET: Added new information regarding a cease-and-desist from the New Jersey Attorney General’s Office, and that New Jersey police have been barred from using the app.

23andMe just laid off 100 employees

Home DNA-testing company 23andMe is laying off 100 employees, which is around 14 percent of its workforce. The layoffs primarily affect the operations team, according to a CNBC report that was published on Thursday.

The downsizing reflects a shrinking market for DNA kits. Illumina, which makes genetic-sequencing technologies and counts 23andMe among its customers, reported that sales were down across the industry in an earnings call last summer. Genome-sequencing company Veritas Genetics also nixed its US operation last year and laid off around 50 employees after struggling to raise capital.

23andMe CEO Anne Wojcicki told CNBC that customers might be reluctant to pay for pricey genetic tests if they fear economic downturn. Wojcicki also suggested that rising consumer privacy concerns could be a reason for the downturn in sales.

Privacy has been a huge issue for genetics testing companies like 23andMe. In 2018, 23andMe and other ventures promised not to share data without consent. But advances in data analysis and growing databases have raised consumer worries over genetic privacy. Last December, the Pentagon advised military members to avoid DNA kits, citing unspecified security concerns that could risk military missions.

CNBC reports that the company recently hired a new security officer to focus on consumer privacy, and said they plan to redirect focus from their “clinical studies arm” to their direct-to-consumer and therapeutics side of the business.

Read the report that concluded Saudi Arabia hacked Jeff Bezos’ phone

This week, The Guardian posted a huge story reporting that Saudi Arabia hacked Jeff Bezos’ phone in May 2018 after he received a message from Saudi Arabia’s Crown Prince Mohammed bin Salman. A report published by the security forensics firm FTI Consulting concluded with “medium to high confidence” that this was the case.

If you want to read the report yourself, you can do so right here, thanks to Vice, which obtained the report in its entirety exclusively on Wednesday.

Some security professionals don’t think that FTI went far enough with its analysis, as reported by CyberScoop. Facebook’s former chief security officer Alex Stamos, for example, said that there was “no smoking gun” in the report. Some researchers said that FTI should have been able to analyze the encrypted file that the crown prince sent Bezos which reportedly hacked his phone. And one said he didn’t see evidence in the report to suggest that Bezos’ phone was hacked.

Today, the White House also commented for the first time on the situation:

Right now, this is a story with a lot of twists and turns, but I highly recommend reading my colleague Casey Newton’s analysis of the situation, where he gives the salient advice to never open a WhatsApp message from the crown prince of Saudi Arabia.

Yahoo parent Verizon promises it won’t track you with OneSearch, its new privacy-focused search engine

Verizon and its subsidiaries, including Yahoo, have become known for massive data breaches, privacy blunders, and oddly named web entities, but now the internet service provider has launched a whole new search engine without Yahoo branding, one that it says will definitely not share your search results with advertisers or tailor results based on your search history.

On its ad-supported OneSearch platform, users can “search the internet with increased confidence, knowing your personal and search data isn’t being tracked, stored, or shared with advertisers,” according to a statement from Michael Albers, head of consumer product at Verizon Media.

Ads on OneSearch will be generated based on keywords, not cookies, and there will be a self-destruct option for search results to be purged after a certain period. Search results will be generated by Microsoft’s Bing browser.

As consumers tire of having their every move tracked online, there are a growing number of browsers that claim to preserve users’ privacy, including Brave and DuckDuckGo, and ad- and tracker-blocking extensions like Ghostery.

If Verizon’s track record with search and privacy wasn’t so spotty, this might be a welcome addition to the growing field of privacy-based browsers. When it combined AOL and Yahoo into Oath in 2017, Verizon was clear about its plans to use its network to target ads. And in 2016, the company paid a $1.3 million fine to the Federal Communications Commission for its use of “super cookies” that tracked users on their networks via their cellphones without asking for permission or providing an opt-out option. And don’t forget Yahoo’s famous hack, where all 3 billion of its customers’ accounts were breached in 2013.

Why Verizon is introducing a new search engine brand when it already owns Yahoo is not clear, but as VentureBeat notes, Yahoo owned the “oneSearch” name long before it became part of Verizon.

According to the OneSearch privacy policy, search results will only be personalized based on location, which it will collect from IP addresses. OneSearch says that it will separate IP addresses from users and their search results.

Grindr shares personal data with ad companies in violation of GDPR, complaint alleges

Grindr is sharing personal user data in violation of the EU’s GDPR data protection legislation, a new series of complaints is alleging. The app shares data including location and device information with more than a dozen companies, according to The New York Times. The Norwegian Consumer Council has filed three complaints against Grindr, as well as five adtech companies that received personal data through the app.

Grindr describes itself as “the world’s largest social networking app for gay, bi, trans, and queer people,” and so just sharing the fact that a user has the app installed on their device can give an indication of their sexual orientation. Associating this information with an advertising ID then makes the user identifiable to third-party advertisers and across services, according to the report from the Norwegian Consumer Council.

The Norwegian Consumer Council’s report notes that Grindr’s privacy policy discloses that it shares user and device data such as a user’s advertising ID with third parties. However, the report claims the app isn’t clear about the legal basis for how it processes this personal data, and that the scale of Grindr’s adtech network makes it difficult for a user to understand, and therefore properly consent to, their data being collected.

“The extent of tracking and complexity of the adtech industry is incomprehensible to consumers, meaning that individuals cannot make informed choices about how their personal data is collected, shared and used,” the report says.

One of the adtech companies that Grindr shares data with is Twitter-owned MoPub, which says that it may share user data with over 180 of its partners, according to The New York Times. The company told Bloomberg that it has disabled Grindr’s MoPub account while it investigates.

The Norwegian Consumer Council has filed its GDPR complaint with the Norwegian Data Protection Authority, and the privacy group NOYB has said that it intends to file a complaint of its own with the Austrian Data Protection Authority in the coming weeks.

It’s worth noting that the research focused on the service’s Android app. The report said this was because of Android’s larger user base worldwide, but it noted that Android’s data flows are generally easier to observe and that Google has a closer relationship with the adtech industry than Apple does.

Beyond Grindr, the research also raised concerns about the data sharing practices of other dating apps. Match Group’s OkCupid and Tinder, for example, were found to be sharing data with each other, including information on their users’ sexualities, drug use, and political views, according to Bloomberg. The report says this may break GDPR’s purpose limitation rules.

While it declined to comment on the specifics of the report, Grindr told the NYT that it valued users’ privacy and that it safeguards their personal information. Match Group said it only shared user data that’s necessary for providing its services, and added that it complies with privacy laws.

This isn’t the first time Grindr has faced complaints over the data it collects about its users. In 2018, a separate Norwegian nonprofit discovered that the service was sharing its users’ HIV status with two outside companies. Shortly after the report became public, Grindr said it had put an end to the practice.

Apple rejects AG Barr’s claim that it didn’t assist with Pensacola shooting probe

Attorney General William Barr today requested Apple’s help in unlocking two iPhones connected to last month’s shooting at a Pensacola naval base, and said that Apple has provided no “substantive assistance” unlocking the phones. It’s a characterization that Apple rejects. The FBI requested Apple’s help unlocking the same phones last week.

In his remarks today, Barr said that the FBI had received court authorization to search both iPhones, one of which had been shot at by the shooter and the other of which had been damaged. Barr said the FBI was able to fix the phones, but stated that the phones are “engineered to make it virtually impossible to unlock without the password,” which is why the FBI needs Apple’s help to unlock them. He called on both Apple and other tech companies to “help us find a solution so that we can better protect the lives of American people and prevent future attacks.”

In an emailed statement, Apple said it rejects Barr’s characterization that it has not provided substantive assistance in the Pensacola investigation. It also shared some details about its responses to the FBI’s requests for help.

Here is how the company says it responded to the FBI’s requests in December:

Within hours of the FBI’s first request on December 6th, we produced a wide variety of information associated with the investigation. From December 7th through the 14th, we received six additional legal requests and in response provided information including iCloud backups, account information and transactional data for multiple accounts.

We responded to each request promptly, often within hours, sharing information with FBI offices in Jacksonville, Pensacola and New York. The queries resulted in many gigabytes of information that we turned over to investigators. In every instance, we responded with all of the information that we had.

Apple also said that the FBI only recently asked for more assistance — presumably to help unlock the phones:

The FBI only notified us on January 6th that they needed additional assistance — a month after the attack occurred. Only then did we learn about the existence of a second iPhone associated with the investigation and the FBI’s inability to access either iPhone. It was not until January 8th that we received a subpoena for information related to the second iPhone, which we responded to within hours.

Apple’s statement noted that the company’s engineering teams recently had a call with the FBI to “provide additional technical assistance,” but it’s unclear what sort of technical assistance that might refer to.

Apple is able to provide law enforcement iCloud device backups that are on its servers, as it says it has in this investigation, but it cannot unlock someone’s iPhone without the user’s passcode, like the FBI wants the company to do in this case. The company has said in the past that it’s technically impossible to do so without making a backdoor that could compromise the security of every iPhone owner. It reiterated that position in its statement today, saying:

We have always maintained there is no such thing as a backdoor just for the good guys. Backdoors can also be exploited by those who threaten our national security and the data security of our customers.

In 2016, Apple refused a similar request from the FBI to unlock an iPhone linked to the San Bernardino shooting, which led to a months-long and very public legal fight. The FBI wanted Apple to make an encryption-free version of iOS that could be installed on that phone so that the FBI could access what was on the device. The FBI eventually found a vendor that could help it unlock the phone and withdrew its case.

Update January 13th, 10:59PM ET: Added statements and information shared by Apple.

‘Black Book’ suggests the feds have some unexpected surveillance tools, including a gravestone camera

Today, Vice published an article about some, um, unconventional spying products marketed by a surveillance vendor that works with US government agencies. The vendor, the Special Services Group, offers many surveillance products that look like everyday items, but are actually equipped to be surveillance tools.

Here are just a few of the products marketed in a Special Services Group brochure (ominously called the “Black Book”):

  • A child’s carseat that has “everything you need to quickly and covertly deploy a drop car for video surveillance”
  • The Tombstone Cam, which has the ability to “conduct remote surveillance operations from cemeteries”
  • Small rubber rock and tree lookalikes that can conceal cameras
  • A microphone and speaker system that you can put entirely in your mouth that connects to a Bluetooth device such as a mobile phone or a recorder
  • The Shop-Vac Covert DVR Recording System, which houses a camera, DVR, and battery in a Shop Vac vacuum cleaner
  • A clock radio that can capture and record audio and video and transmit that audio and video over a secure Wi-Fi signal (apparently, “up to 10 investigators” can watch and listen to the live audio and video recorded by the clock by connecting to its Wi-Fi signal)

The Black Book was obtained as part of a public records request filed with the Irvine Police Department, and you can read the brochure here starting on page 93. (The rest of the documents at this link are part of the records request.)

You probably won’t be able to buy any of the equipment for yourself, as Special Services Group says on its barebones website that it “supplies technical solutions for law enforcement, military, government, and select clients.” The company says it doesn’t put product information on its website “due to the critical missions of our customers.”

Special Services Group seemingly wants to keep its product information as secret as possible, as Vice says that Special Services Group threatened both it and MuckRock (a group that had obtained the brochure) with legal action before Vice published its story.

According to Vice, in one statement, Special Services Group’s lawyer “claimed that the brochure was protected under the International Traffic in Arms Regulations.” In an email to MuckRock, the lawyer apparently said that “the release of the information could result in very serious jeopardy to the lives of law enforcement and military users of the technology RIGHT NOW IN PARTICULAR DUE TO RECENT WORLD EVENTS.”

Vice is likely in the clear, though: Before the whole tranche of documents made its way into the world, a law firm hired by the Irvine Police Department apparently found that the Special Services Group’s Black Book was safe to be released to the public.

‘Eraser button’ for children’s data gains support in the House

Over the past year, there’s been a renewed sense of urgency among lawmakers to rewrite parts of the Children’s Online Privacy Protection Act, or COPPA — a little-known law that protects children’s privacy online. COPPA has become increasingly important after high-profile cases against YouTube and TikTok, but the law is over 20 years old and lawmakers argue it needs a huge revamp to keep children safe on the internet as it is today.

On Thursday, a pair of bipartisan House lawmakers announced that they’d be introducing their own bill that would give parents the right to delete the data that companies have on their children and extend COPPA’s protections to older minors. The bill is called the “Preventing Real Online Threats Endangering Children Today,” or the PROTECT Kids Act, and was introduced by Reps. Tim Walberg (R-MI) and Bobby Rush (D-IL), as first reported by Axios.

The bill would make big updates to the law that’s already brought enormous changes to YouTube and TikTok and infuriated creators. In its settlement with YouTube, the FTC fined the company over $170 million and prohibited the company from running targeted ads on videos the agency could deem child-friendly. Many critics argued that this settlement didn’t go far enough, and if the PROTECT Kids Act was approved, YouTube and other online platforms would be under a lot more pressure than they already are to ensure children’s data remains safe online.

Under current law, COPPA only prohibits platforms from collecting the data of children under the age of 13. Under the PROTECT Kids Act, that age would be increased to 16. COPPA also doesn’t include precise geolocation and biometric information as part of its definition of “personal information.” This House bill would ban platforms from collecting those sensitive pieces of information from children as well. And if a parent wanted to remove their children’s data from a website, the company would have to provide some kind of delete feature for them to use.

The bill mirrors many of the protections offered under a Senate measure led by Sens. Josh Hawley (R-MO) and Ed Markey (D-MA). The most significant difference is how the bills identify whether a platform knows that it’s collecting children’s data. The Markey-Hawley measure would revise COPPA’s “actual knowledge” standard. Under COPPA in its current form, companies can only be found in violation of the law if they’re proven to have known that children were using their app or site. The senators have sought to change that “actual knowledge standard” to a “constructive” one, basically saying that if a platform is operating under due diligence, they should know whether children access it.

The PROTECT Kids Act doesn’t go that far. If the bill is approved, it would instruct the FTC to conduct its own study on the “actual knowledge” standard and determine whether changes need to be made.

ProtonMail just added an encrypted calendar to its encrypted Gmail competitor

ProtonMail just launched an encrypted calendar beta to let users manage their schedules privately. It’s the latest tool from a company known for its encrypted email services, and could help users who are looking to wean themselves off Google.

The tool, called ProtonCalendar, is currently available for all users with a paid ProtonMail plan. In the future, the company plans to launch the calendar for all users. “We believe everyone has the right to plan dinner with friends without announcing to Google who will attend,” the company writes in a blog post.

Google has faced growing scrutiny over how it collects and stores user data. This year, fifty state attorneys general opened an antitrust probe into the tech giant, then expanded it to include data privacy. The company also faced backlash from its own employees who worried it was using a new browser extension to spy on them. (The company denied these allegations.)

Even for users who aren’t also Google employees, breaking up with the tech giant is hard. The company’s apps work in tandem, which makes adding calendar invites from Gmail incredibly easy. There can be some unwanted side effects, like when spammy emails began populating people’s calendars with unwanted calendar invites. But most of the time it’s convenient.

While Google stopped scanning people’s emails for targeted advertising in 2017, ProtonMail claims that some companies still use your private calendar to target their ads. “For the longest time, to easily organize these events, you had to let large corporations monitor these special moments. These companies snoop on your calendar and use that information to inform their advertising,” ProtonMail writes in its blog post. “A calendar is more than just a tool. It’s a record of the moments that make up your life.”

While ProtonMail seems to be suggesting that Google is the one spying on your calendar, a Google spokesperson tells The Verge that it is not currently scanning calendars to target ads. The Verge asked whether the company ever did this in the past and is currently waiting to hear back.

ProtonMail says the new calendar is still in early beta. While the current version is rather basic, the company plans to launch additional features that will allow users to share their calendar with other ProtonMail users and send calendar invites to non-ProtonMail users as well.

Update January 6th, 12:57AM ET: This story has been updated to include Google’s statement.