Google's Latest Attack on FOSS

Show Video

Google tried to quietly kill open source apps. It's a pretty crazy story. Signal is fighting back against Microsoft's recall feature in a really clever way. New Orleans set a new record in dystopian surveillance and a lot more from the last two weeks. Welcome to Surveillance Report 226, where we're here to give you the privacy and security news.

I'm Henry from Techware. I'm Nathan from The New Oil. And today we want to welcome our brand new sponsor, Proton Pass. We're both a big fan of Proton Pass.

They are from the same team, as you all know, from ProtonMail and ProtonVPN. And they have become a must-have in my privacy toolkit. And it's something that I use on a daily basis across all my devices. What I really love about it is the Hide My Email feature. So if you ever use Simple Login, it actually integrates with Simple Login.

So you can view all of your Proton Pass aliases in Simple Login. And that way, it's all under the same suite. But it also monitors everything on a dark web for you. So you can check if you're caught in the data breaches that we talk about automatically. It has an integrated 2FA authenticator, which allows you to keep your TOTP codes all in one place.

And it syncs on every major device and every major browser. The really cool thing about Proton is they don't have any venture capitalists. And so they just have their own revenue models. And they're able to do things like sponsor this podcast.

And the premium plan is very affordable. At $249 a month, they also have different plans that you can get as part of their broader Proton suite. And that's less than a coffee for actual peace of mind. And it's very easy to import from anything else like Bitwarden or KeePass if you're looking to try something inside the Proton ecosystem. So if you want to get started with a password manager that we both really enjoy, check out down below proton.me slash surveillance

report. And we'll leave that down below. And you'll also get 50% off for a limited time if you go through that link. We want to give a big thank you to Proton for sponsoring this video and helping everyone stay a little bit more private in what I think is probably the most usable password manager experience to date.

[MUSIC PLAYING] And now we're going to go into the highlight story, which we've kind of merged a couple related stories, starting with this really weird thing that happened, especially with Next Cloud. So this is a quote from Next Cloud that they said, Google wanted that. And what they're saying is that they described Android's permissions as gatekeeping. So Next Cloud states that it had read and write access to all file types since its first Android app. In September 2024, a Next Cloud Android update with all file access was refused out of the blue with the request that the app use a more privacy aware replacement. Next Cloud states that it had provided background and explanations but received the same copy and paste answers or links to documentation from Google.

Now Next Cloud eventually issued an update of its app and restricted uploads to media files. Downloading and sideloading Next Cloud app from the F-Droid external store and granting the app necessary permissions restores the ability to upload any files to a Next Cloud instance. The company told the register that it had more than 800,000 Android users. So that's the story. But just to kind of recap what happened there, there are different ways to get files on your system. And Next Cloud was, for all intents and purposes, using it for the correct purposes.

They wanted the full broad permission to just have access to all of your files on your phone so you can actually use Next Cloud as it's a file storage program that probably wants access to a lot more things than just a specific folder or a specific file on your system. But Google kept rejecting this for really no reason and giving typical Google support that you might expect, which is probably just AI or just copy and pasted responses from someone on the other side of the keyboard. So this is what really frustrates me about this stuff, is that it feels like Next Cloud was very patient. If you're keeping track of the dates, this happened in September of 2024, which means they've been dealing with this for months now. And they were halfway through 2025 at this point.

And it wasn't until, as far as I can tell from the timeline, Next Cloud came forward and made this public, and there started to be press coverage around this, that Google finally said, OK, we'll fix it, and now it's going to be fixed. And Next Cloud is working on an update that they hope to have live within the next week. So a lot of little takeaways here.

One, you are at the whim of Google and Apple when you're on centralized app stores. And so this is why things like F-Droid, things like even Optanium, are a really cool way to get apps. And we really want to see Apple open up the app store so that we get more sideloading outside of Europe, so that we see those similar options exist on iOS. If you're already on Android, you can already start taking advantage of this, because as far as I can tell, this permission did exist outside of the Google Play Store variant of Next Cloud.

So you always had a better version of Next Cloud if Google wasn't managing the app, which is a bit ironic. So those are kind of my takeaways. And I'll let Nate speak to this before we touch on positive Google and Android news right after that.

Now, you pretty much nailed it. Real quick, I actually did look up Next Cloud in the Play Store. And it has over a million downloads. So it says they have over 800,000 Android users.

A good chunk of those are probably downloading directly from the Play Store. It does say it was updated on May 19th, and it says it brings back the managed external storage permission. So that should be live now if any of you are using Next Cloud from the Play Store.

And then you kind of hit my other thing. There's people who-- we've talked about this before. We did a Q&A about app stores and whether it's best to use the app store, like FDroid or Obtanium. And we kind of said that there's pros and cons to each. In different ones, you're trusting different people with different features and different motivations.

And I think this really makes it clear, because there are people out there who would say, for example, never ever use FDroid. It's not safe. Only use the Play Store. And even if you subscribe to that, well, FDroid's really not safe. If you believe that, OK, fine. But there's Obtanium.

There's-- I don't think it's on a crescent. But there are other ways to do this stuff. And yeah, you kind of hit that on the head is be aware.

And we've seen this with like IVPN. They had to remove some functionality because it blocked ads. And-- That's a great example. Thanks for bringing that one up.

For those who don't know, they had this really hardcore anti-Google feature in IVPN that blocked all Google domains, and Google wouldn't approve it. It was all big tech, not just Google. It was like meta, Amazon. It is very hardcore.

They are not exaggerating. Yeah, so just like you said, it's just be aware. You know, there may be pros to Google. We mentioned they're tightening up their Play integrity and scanning the apps and stuff.

But at the same time, they might force developers to remove permissions that are useful or you may want. So-- Yeah, and I mean on that note, on the topic of locking down, Android 16 on the more positive front is expanding their advanced protection with device level security. So specifically, in this-- I'm quoting a lot of the article here.

They're activating verified boot and runtime integrity checks, strong sandboxing, USB port lockdown, app isolation, automatic device reboots when idle for 72 hours, and Google Play Protect with enhanced app scanning. It also eliminates the ability to turn off or weaken core security settings and enforces secure settings across Google Apps like Chrome, messages, and phone, as well as third party apps that opt into the integration, which should be interesting to see how people utilize that. Finally, it introduces new protections like intrusion logging and blocking auto reconnects to insecure networks. So intrusion logging is a new system that logs device events in a privacy preserving, tamper-proof, cloud-stored log, which is useful for investigating compromises.

And the data will only be accessible by the user and protected with end-to-end encryption. Auto reconnection blocks concerns over weak Wi-Fi networks that don't require passwords or use WEP, which is essentially cracked at this point and is all practically like having nothing, mitigating the risk of passive surveillance or captive portal attacks. So we just had a back and forth because we wanted to clarify and make sure we got it right that this is, in fact, referring to Google's advanced protection program. So this is an expansion of that program. This isn't specifically an Android thing, but it seems like Android is essentially getting more security hardening if you are integrated into that program, which is a program that if you have to use a Google account for anything, we do both highly recommend utilizing. It does lock down your Google account significantly, and it gives you cool security benefits.

But you're only going to see these benefits that we're talking about if you're using something like stock Android, but you can find some of those benefits on other custom ROMs as well. So it's kind of this messy situation, and you have a lot of ways of using this information. My guess, actually, is that this is supposed to be competing against Apple's lockdown mode, and they're trying to have more of these integrations on the local side of things on Android to compete against Apple's lockdown mode, is my guess. So apart from just the advanced protection, there are some other things in Android 16, which is to protect users from phone scammers and malware apps. Google is releasing something called Key Verifier, which is a mechanism in the Messages app, which is designed to fight text-based fraud and impersonation by verifying the identity of the other party with public encryption keys associated with contacts, which also sounds kind of similar to the way that maybe I'm misinterpreting the feature here, but it sounds similar to Apple's contact key verification. And then Google also improved theft protection features by turning Find My Device into Find Hub, which is a feature that also covers lost items and works with Bluetooth tags and with the partnership of multiple airlines.

There's a couple others, but those are the main ones related to privacy and security, and it sounds like Google is just trying to match a lot of Apple's features that they've been baking in the last several years for their privacy and security. So it's kind of cool to see Google release those. Most of these are nothing but good if you end up using them. And I guess if you're already going to be on a stock Android device and you already are putting your trust in Google, then there's no reason that I can find not to enable this if you're not already looking at the alternatives. Just one thing that was in the article is that it is important to note that the availability for some of the features depends on the manufacturer and the type of device and will present later this year.

So in other words, if you're on certain phone manufacturers who shall remain nameless from Asia, who are notorious for removing perfectly good security features for no reason that makes sense, you may not get any of these protections. That's one more reason we're a fan of going with pixels if you decide to go the Android route. I would love to know, but my guess is a lot of this will probably be pixel only just based on history and how much these features actually find themselves in other manufacturers.

With that, we'll move into data breaches. And we have a ton, as you would expect from two weeks. So we're going to do that thing where we just kind of pick the biggest ones that likely impact the most people. And then the rest of them will be abbreviated.

So the first one comes to the UK. It says, "Marx and Spencer confirms customer data stolen in cyber attack and forces password resets." There was a cyber attack last month that I think we mentioned.

I've definitely seen it popping up in my news feed, but we didn't really directly discuss it because at the time, we didn't know for sure if it was a data breach or just a cyber attack. But now we know it was a data breach. So the attack occurred on April 22nd in 2025. There is no evidence that the information has been shared and it does not include usable card or payment details or account passwords. So there is no need for customers to take any action according to Marx and Spencer. They said that despite these assurances, all customers with active accounts will be prompted to reset their password next time they attempt to log in.

And the data that was stolen includes full name, email address, home address, phone number, date of birth, online order history, household information, whatever that means, SPARKs pay reference numbers, and masked payment card details, as in the last four of your card number. Next article is from Coinbase. This was a big one.

Coinbase is probably the most popular exchange out there in the cryptocurrency ecosystem. And there is a data breach that exposed customer information and government IDs. This was a pretty sophisticated attack. Essentially what happened is a group of people were in some way bribed because they outsourced their customer support. And so they started just sending over user data that that customer support had access to. Now, they fired those insiders after they were detected while accessing systems without authorization, but not before they exfiltrated information from the devices.

So this included names, addresses, phone numbers, email addresses, last four social security numbers, partial bank account numbers, and some bank account identifiers, government ID images, account data, balance and transaction history, and limited corporate data related to Coinbase. There was this whole video posted from the CEO of Coinbase, where he was like, we're not going to pay $20 million ransom because that's what the attackers were asking for. Instead, we're going to put a $20 million reward fund for any leads that can help find the attackers who coordinated the attack.

They said that no passwords, private keys, or funds were exposed and Coinbase Prime accounts are untouched. We'll reimburse customers who are tricked into sending funds to the attacker. And the updated story says the number of people impacted is almost 70,000. I'm going to go ahead and group the next several data breaches. The UK legal aid agency confirms applicant data was stolen in a data breach. The Australian Human Rights Commission was leaking documents to search engines, and Nova Scotia Power confirmed that attackers stole customer data in a cyber attack.

OK, and then I'm also going to group up the next few here. So a mysterious database of 184 million records exposes a vast array of login credentials. And actually, the credentials are from some serious companies. So among the exposed accounts are ones linked to dozens of governments as well. Twilio has denied a breach following a leak of alleged Steam 2FA codes.

Cocos by stalkerware apps go offline after data breach. Broadcom employee data stolen by ransomware crooks following hit on payroll provider. Fashion giant Dior has disclosed a cyber attack in warns of data breach and SK Telecom, South Korea, I assume, says malware breach lasted three years, impacted 27 million numbers. We're trying to keep it short this week. So if you want to follow up on any of those stories, we have more in the show notes down below.

Next, we'll go into the companies. And we're going to start off with Meta. So first up, Meta is making users who opted out of AI training opt out again. So this comes from Noib, who have sent a cease and desist to Meta on Wednesday, threatening to pursue a potentially billion dollar class action to block Meta's AI training, which starts soon in the European Union. In the letter, Noib notes that Meta only recently notified EU users on its platforms that they had until May 27th to opt their public posts out of Meta's AI training data sets. According to Noib, Meta is also requiring users who already opted out in 2024 to opt out again, or forever lose the opportunity to keep their data opted out of Meta's models.

That's a seeming violation of the GDPR, Noib alleges, and they said that this lack of clarity for users who opt out makes it harder to trust that users can ever truly opt out. The letter accused Meta of further deceptions like planning to seize data that users may not consider public, such as disappearing stories. Noib said that differs significantly from AI crawlers scraping information posted on a public website.

According to Noib, there would be no issue with WhatsApp's AI training if Meta would use a consent-based model rather than requiring rushed opt outs. Meta is claiming legitimate interest for collecting this data. Next one, Meta threatens to pull Facebook and Instagram out of Nigeria over $290 million fine. This comes from Slashdot who is summarizing tech dirt. They said, "As with earlier EU fines imposed on the company, the sticking point is Meta's refusal to comply with local privacy laws.

Meta's current revenues in Nigeria are relatively small, but its market shares are high. Facebook alone reaches about 51.2 million users as of May 2024, which is more than a fifth of the population.

Instagram had 12.6 million Nigerian users as of November, 2023, while WhatsApp had about 51 million users making Nigeria the 10th largest market globally for the messaging app. Since many Nigerians depend on Meta's platform, the company might be hoping that there will be public pressure on the government not to impose the fine in order to avoid a shutdown of the services, but it's hard to see Meta carrying out its threat to walk away from a country expected to be the third most populous nation in the world by 2050." And then the last one, Meta's to start selling its Ray-Ban smart glasses in India on May 19th. So that date came and went. Meta said that its smart glasses would be available for sale in India starting in May at a starting price of 29,990, I believe rupees is what they use in India.

I'm not gonna fact check myself and hope that the comments don't string me up, which is about 353 US dollars. The smart glasses are currently available for pre-order on Ray-Ban site and would be stocked in Ray-Ban stores at launch. Meta said the glasses launching in India will support Meta AI. It can answer questions about what's in front of you, translate audio and video, send messages via your phone, make calls and more. The glasses currently support live translation for English, French, Italian, and Spanish, even when users are offline, but notably it hasn't added support for Indian languages yet. License plate reader company Flock is building a massive people lookup tool.

This is an ALPR company, which is Automatic License Plate Readers. And these cameras are installed in more than 5,000 communities in the US. And it's building a product that will use people lookup tools, data brokers, and data breaches to jump just from a license plate reader to a person, allowing police to much more easily identify and track the movements of specific people around a country without a warrant or court order. They actually obtained a meeting audio where a Flock employee talked about where they source data.

The first is data breaches. One example the employee pointed to was a 2021 data breach impacting users of Park Mobile, which is an app that allows users to pay for parking without physically going to the parking meter or in some lots where meters no longer exist. The data included license plate numbers with the owner's associated email addresses, phone numbers, and in some cases, mailing addresses. The second was commercially available data with the employee explicitly naming credit bureaus like Equifax and TransUnion. The third is public records such as marriage licenses, property records, and campaign finance records.

Typically, police officers do not obtain a warrant before using Flock or other companies' ALPR systems. This is part of the retraction to law enforcement, which is private companies installing cameras around a country so that they can essentially bypass all of the things that they're not supposed to be bypassing, like needing to get a warrant for basic human information. I'm gonna take the next two because they're both Microsoft. So first up, New South Wales Education Department caught unaware after Microsoft Teams began collecting students' biometric data.

So late last year, Microsoft announced that it would enable data collection by default, commencing in March for a Teams feature known as voice and face enrollment. In Teams, this creates a voice and face profile, quote unquote profile, for each participant in Teams' meeting, which the company said improves the audio quality, reduces background noise, and enables the software to tell who is speaking in meetings. The data is also fed into Microsoft's LLM co-pilot to improve accuracy and transcription or summaries when that is enabled in those meetings. Guardian Australia revealed that when enrollment for Teams was switched on in March, the department was caught unaware for a month. The feature was switched off in April and the profiles were deleted within 24 hours of the department becoming aware, but the Education Department did not answer questions about the number of students or staff who had biometric data collected on them, or if those affected had been informed.

Microsoft retains a copy of the data while a user is enrolled and a user can choose to delete the profile at any point. If a user deletes their Teams account, Microsoft states on its website that it deletes biometric data within 90 days. And then the second story is about Windows 11.

I think this came from Ars Technica. It said, "Windows 11's most important new feature is post-quantum cryptography. Here's why. For those who don't know, post-quantum cryptography is necessary, it is, I wouldn't say it's necessary yet, but it will likely become necessary in the future and it's basically the next step in cybersecurity. So basically Microsoft is updating Windows 11 with a new set of encryption algorithms that can withstand future attacks from quantum computers. For context, the article says that RSA and elliptic curve encryption keys, which are currently the standard, securing web connections would require millions of years to be cracked by today's computers.

A quantum computer could crack the same keys in a matter of hours or even minutes. So at Microsoft's Build 2025 conference on Monday, the company announced that the availability of quantum resistant algorithms to SimCrypt, the core cryptographic code in the library in Windows, the updated library is available in Build 27852 and higher versions of Windows 11. Additionally, Microsoft has updated SimCrypt OpenSSL, which is its open source project that allows the widely used OpenSSL library to use SimCrypt for cryptographic operations.

So basically it has gone with MLKEM and MLDSA, which are approved by NIST currently. These are the current standards that everybody has decided to go all in on for cybersecurity. They were previously known as crystals kyber and crystals dilithium. Telegram gave authorities data on more than 22,000 users. So this actually comes full circle because Nate and I did this whole thing way back in a day where we were like, look, they say they have a transparency page, but if you go to their transparency page, it doesn't say they've ever disclosed any information despite there being verifiable data that they have. So here's a crazy update to that.

Turns out that that Telegram bot gives you data where your IP address is coming from. So it was only giving us transparency data in the US. I'm pretty sure it was still lying though, because 404 put out a story.

It might've still been lying, but what we said back then, it wasn't actually legit because what we said was, we have this verifiable data that they gave to the Indian government, to the Brazilian government, and this is factual, but we're going on their bot and it's saying they never handed over data. But technically we were accessing it from the US. Anyway, it's just a super untransparent way of doing things.

It doesn't make any sense. So this website that they link in the show notes that you should check out is a GitHub page. It's open source that actually compiles all this data globally so you can see it without needing to open Telegram. It's all open source and it's all on GitHub and you can see the raw data of the amount of data they give out to all these countries. I just said data a lot of times.

It's just in the first few months that that number was reported and it's a massive jump from the same period in 2024 where Telegram saw only 5,826 of its users where they only handed over that much data. And the last story in the company section is just a quick update. Regeneron Pharmaceuticals is going to buy 23andMe and its data for $256 million. The deal is still subject to approval by the US bankruptcy court for the Eastern District of Missouri pending approval. It is expected to close in the third quarter of this year.

They did say we're gonna abide by 23andMe's privacy policy. We don't know what they're gonna do with this data. We don't know if they're gonna spend 23andMe back up and keep trying to collect data. We don't know anything. All right, I got a big story here in the research section. So researchers scraped 2 billion with a B, Discord messages and published them all online.

So this is a massive database of more than 2 billion Discord messages and they scraped this using Discord's public API. It was pulled from over 3,000 servers and covers posts made between 2015 and 2024. The researchers claim they've anonymized the data, but it's hard to imagine anyone is comfortable with almost a decade of their Discord messages sitting in a public JSON file online.

That's from the article. Separately, a different programmer released a Discord tool called Searchcord based on a different data set that shows non-anonymized chat histories. A team of 15 researchers at the Federal University of Minas Gerais. It was part of their research project and it's part of a paper that was called Discord Unveiled, a comprehensive data set of public communication, which they say was created so that other teams of researchers could have a database of online discussions to use when studying mental health and politics or training bots. The amount of data is massive.

There's over 2 billion messages from over 4 million users across 3,167 servers, approximately 10% of the servers listed in Discord's Discovery tab. These are user generated, it can be set to public or private and newcomers can find the public servers using it. They replaced the user names with generated pseudonyms, hashed and truncated users and message IDs and removed other identifying features entirely. And they said that all data collection adhered strictly to Discord's API guidelines and anonymization techniques were applied to ensure compliance with privacy standards. The paper also pointed out that all these messages were scraped from public spaces. All data was sourced from groups that are explicitly considered public according to Discord's terms of use, whichever user agrees to upon signing up.

Even with the pains taken to anonymize the data, the scrape appears to be against Discord's terms of service. A Discord developer policy which covers the use of its API is clear. Do not mine or scrape any data, content or information available on or through Discord services. Some form of this prohibition against scraping has been in place since at least 2020.

Next up, we have some good news actually. Bluetooth 6.1 enhances privacy with randomized RPA timing. I'm just gonna condense this one. RPA is resolvable private address and basically, let's see, currently RPA's are updated at fixed intervals, usually every 15 minutes, which introduces a level of predictability. This predictability can be exploited in correlation attacks making long-term tracking possible.

Bluetooth 6.1 will randomize it between eight and 15 minutes by default, but you can also, I'm assuming this is developers and not end users, you can also set custom values ranging between one second and one hour. 6.1 has made exciting steps forward,

but it's important to understand that the actual support and hardware and firmware may take years to arrive. The first wave of chips with 6.1 should not realistically be expected before 2026. And even then, early implementations may not immediately expose all newly available features as testing and validation may be required. A new Intel CPU flaw leaks sensitive data from privileged memory. So this is called branch privilege injection is the kind of flaw and it's an all modern Intel CPUs and it allows attackers to leak data from memory regions allocated to privileged software like the operating system kernel.

Typically, these are populated with information like passwords, cryptographic keys, memory of other processes and kernel data structures. So protecting these from leakage is pretty important. There's a lot more details in the article. This is really technical stuff. So they tested this and they found that everything back from like the seventh gen Kaby Lake all the way to more modern CPUs are impacted.

And they did not test older generations at this time, but since they do not support enhanced indirect branch restricted speculation, which is EIBRS for short, they're less relevant to the specific exploit. So although the attack was demonstrated on Linux, the flaw is present on the hardware level. So it's exploitable on windows too. The researchers reported their findings to Intel in September of 2024 and the tech giant released micro code updates that mitigate this on impacted models. The firmware mitigations introduced a 2.7% performance overhead while software mitigations have a performance impact between 1.6% and 8.3%

depending on the CPU. The risk is low for regular users and attacks have multiple strong prerequisites to open up realistic exploitation scenarios. That being said applying the latest BIOS or UEFI and OS updates is recommended. ETH Zurich will present the full details of their exploit in a technical paper at the upcoming use next security 2025. O2 UK patches bug leaking mobile user location from call metadata. So O2 UK is a British telecom service provider owned by Virgin media.

As of March, 2025, they report having nearly 23 million mobile customers and 5.8 million broadband clients across the UK, making them one of the major providers in the country. In March, 2017, they launched a service called IP multimedia subsystem branded as 4G calling for better audio quality and line reliability during calls. However, a researcher discovered while analyzing the traffic of a call that signaling messages and the SIP headers specifically exchange between the communication parties were far too verbose and revealing including IMSI, IMEI and cell location data. For those who don't know those first two are basically unique identifiers.

I think technically they can be spoofed, but also in some places I know that's illegal. Using the network signal guru app on a rooted Google pixel eight, the researcher intercepted the raw IMS signaling messages exchanged during a call and decoded the cell ID to find the last cell tower the call recipient connected to. Then he used public tools that provide cell tower maps to find the geographic coordinates of the tower. For urban areas where the coverage is dense, the accuracy would reach a hundred square meters.

In rural areas, geolocating would get less precise but could still be revealing for the target. The researcher found the trick also worked when the target was abroad as he located a test subject in Denmark. A Virgin media spokesperson confirmed that the fix had been implemented, noting that customers do not have to take any action to protect themselves. Bleeping computer asked O2 whether this flaw was known to be exploited and if they plan to inform customers accordingly but did not receive an answer. Okay, Windows 11 and Red Hat Linux were hacked on their first day of Pwn to Own.

And we cover this every year. There's always some exploits that come out of this. And there were two vulnerabilities in Red Hat Linux, three in Windows 11, one in VirtualBox and one in NVIDIA Triton Interface Server. While the 2024 Tesla Model 3 and the 2025 Tesla Model Y bench top units were also available as targets, no attempts have been registered before the competition started.

So during the second day of Pwn to Own in Berlin 2025, competitors earned over 400 grand after exploiting zero-day bugs and multiple products, including Microsoft SharePoint, VMware ESXi, Oracle VirtualBox, Red Hat Enterprise Linux and Mozilla Firefox. And then day three on the third day team and then reverse tactics again, the hacked VMware's Hypervisor software using an exploit chain abusing an integer overflow and an uninitialized variable bug to earn $112,500 and take third place in the ranks. Now we'll go into the politics section and we'll try to keep these quick. The first one, so the headline says Trump signs controversial law targeting non-consensual sexual content. Basically things like deepfakes, revenge porn, anything that depicts a real person without their consent can be taken down. It is nicknamed the Take It Down Act.

It requires platforms to remove non-consensual instances of intimate visual depiction within 48 hours of receiving a request. Companies that take longer or don't comply at all could be subject to penalties to roughly $50,000 per violation. The law will go into effect within the next year and enforcement will be left up to the Federal Trade Commission or FTC.

Free speech advocates are concerned at a lack of guardrails. For example, the law is modeled after the Digital Millennium Copyright Act or DMCA, which is currently the most effective way to take down content, which basically says this is copyrighted material, you need to take it down. Companies can be held financially liable for ignoring valid requests of the DMCA, which has motivated many firms to err on the side of caution and preemptively remove content before a copyright dispute has been resolved.

For years, fraudsters have abused the DMCA takedown to get content censored for reasons that have nothing to do with the infringements. The DMCA does include provisions that allow fraudsters to be held financially liable when they make false claims. Take it down could be a less risky pathway for fraudsters. It does not include robust deterrence provisions requiring only the takedown requesters exercise, quote unquote, good faith without

2025-05-27 17:10

Show Video

Other news

Closed captions on DVDs are getting left behind 2025-05-28 19:46

Data Analysis for LinkedIn Success: Leveraging Metrics to Grow Your Network 2025-05-27 19:06

Nvidia CEO Slams US Chip Rules, Trump’s AI Action Plan | Bloomberg Technology 2025-05-26 20:00