The suit filed on behalf of 16 clients alleges an array of harms from copyright violations to wiretapping due to Open AI’s data collection practices, adding to a growing list of legal challenges against companies repurposing or reusing images, personal information, code and other data for their own purposes.

Last November, coders sued GitHub along with its parent company Microsoft and partner OpenAI over a tool known as CoPilot that uses AI to generate code. The coders argued the companies violated the licensing agreements for the code. In February, Getty Images sued Stability AI for allegedly infringing the copyright of more than 12 million images.

As the lawsuit notes, AI companies deploy data scraping technology at a massive scale. The race between every major tech company and a growing pack of startups to develop new AI technologies, experts say, has also accelerated not just the scale of web scraping but the potential harms that come with it. Experts note that while web scraping can have benefits to society, such as business transparency and academic research, it can also come with harms, such as cybersecurity risks and scammers harvesting sensitive information for fraud.

“The volume with which they’re going out across the web and scraping code and scraping data and using that to train their algorithms raises an array of legal issues,” said Lee Tiedrich, distinguished faculty fellow in ethical technology at Duke University. “Certainly, to the extent that privacy and other personally identifiable information are involved, it raises a whole host of privacy issues.”

Those privacy concerns are the centerpiece of the recent California lawsuit, which accuses OpenAI of scraping the web to steal “private information, including personally identifiable information, from hundreds of millions of internet users, including children of all ages, without their informed consent or knowledge.”

“They’re taking personal data that has been shared for one purpose and using it for a completely different purpose without the consent of those who shared the data,” said Timothy Edgar, professor of practice of computer science at Brown University. “It is by definition, a privacy violation, or at least an ethical violation, and it might be a legal violation.”

The ways that AI companies may use that data to train their models could lead to unforeseen consequences for those whose privacy has been violated, such as having that information surface in a generated response, said Edgar. And it will be very hard for those whose privacy has been violated to claw back that data.

“It’s going to become a whack-a-mole situation where people are trying to go after each company collecting our information to try to do something about it,” said Megan Iorio, senior counsel at Electronic Privacy Information Center. “It will be a very similar to a situation we have with data brokers where it’s just impossible to control your information.”

Data scraping cases have a long history in the U.S. and go all the way up to the Supreme Court. In November 2022, the court heard a six-year-long case from LinkedIn accusing data company HiQ Labs of violating the Computer Fraud and Abuse Act by scraping profiles from the networking website to build its product. The high court denied the claim that the scraping amounted to hacking and sent the case back to a lower court where it was eventually resolved. ClearView AI, a facial recognition company, has been sued for violating privacy laws in Europe and the state of Illinois for its practice of trawling the web to build its database of more than 20 billion images. It settled the ACLU’s lawsuit in Illinois in May 2022 by promising to stop selling the database to private companies.

Now, LinkedIn’s parent company Microsoft is on the other side of the courtroom, named as a plaintiff in three different related lawsuits against OpenAI. “The whole issue of data scraping and code scraping was like a crescendo that kept getting louder. It kept growing and growing,” said Tiedrich, who called the AI lawsuit “inevitable.”

The California suit against OpenAI combines the arguments of many of these lawsuits in a whopping 157-page document. Tiedrich says that while there have been recent court cases weighing in on fair use of materials, something relevant to the copyright aspects of the OpenAI lawsuit, the legality of data scraping is full of grey areas for courts and lawmakers to resolve.

“A lot of the big AI companies are doing data scraping, but data scraping has been around. There are cases, going back 20 years ago, to scraping airline information,” said Tiedrich. “So I think it’s fair to say that the decision could have broader implications than just if it gets to a judicial decision than just AI.”

The OpenAI lawsuit’s privacy arguments might be even more difficult to uphold. Iorio, who with EPIC filed a friend of the court brief in the LinkedIn case, said the plaintiffs suing OpenAI are in a better position to show those harms since they are individuals, not a company. However, the limitation of federal privacy laws makes it hard to bring a data scraping case on those grounds, she said. Of the three privacy statutes cited by the lawsuit, only the Illinois privacy law covers publicly available information of all users. (The lawsuit also cites the Children’s Online Privacy Protection Rule, which protects users under 13.)

That leaves scrapers, whether they are tech giants or cyber criminals, with a lot of leeway. “Without a comprehensive privacy law that does not have a blanket exemption for publicly available data, we have the danger here of this country becoming a safe haven for malicious web scrapers,” said Edgar.

The post OpenAI lawsuit reignites privacy debate over data scraping appeared first on CyberScoop.

Some of those fears have been realized. After the Supreme Court’s Dobbs decision overturning a constitutional right to abortion, news surfaced that Nebraska police served Facebook’s parent company Meta a search warrant for messages that turned out to be related to an illegal abortion. In March, a Texas man filed a civil lawsuit against three women he alleges helped his wife obtain an abortion. The lawsuit cited unencrypted text messages.

But even though the ruling ushered in urgent pleas from advocacy groups and many lawmakers for legislation to safeguard reproductive health data that can be easily obtained by data brokers or law enforcement, there remains little movement in Washington to pass legislation to strengthen U.S. privacy protections.

“I do think that there is a greater awareness now,” Rep. Sara Jacobs, D-Calif., told CyberScoop.  “As a young person, I think it’s taken Congress too long to catch up with the American people in understanding these vulnerabilities.”

Jacobs, who introduced the “My Body My Data Act” last year is one of the lawmakers who has led the conversation about reproductive and sexual health privacy in the wake of Dobbs. The legislation limits the reproductive and sexual health data that entities can collect and protects personal data such as cellphone data and search engine history not currently covered by the landmark health data protection law, the Health Insurance Portability and Accountability Act of 1996.

Jacobs reintroduced the legislation in May with 91 cosponsors in the House and 13 sponsors in the Senate. She is still seeking privacy-minded Republicans to co-sponsor the legislation but acknowledged the difficulty in getting bipartisan support.

“The fact of the matter is this isn’t just about abortion,” said Jacobs. “It’s all sexual and reproductive health data. So if you’re a 70-year-old, Republican man who doesn’t want your wife to know you’re searching about gonorrhea on Google this does protect you, too.”

Rep. Anna Eshoo, D-Calif., a co-sponsor of the bill, said that while Republicans aren’t going to take up the bill “it’s important to build support for these policies so that the minute that we take over the majority that we’re ready to go.”

The legislation has gained the support of a number of civil liberties and reproductive rights groups. “With the GOP dead set on criminalizing abortion, it is critical that we do everything we can to protect the data and privacy of those seeking and providing care. We’ve seen our champions at the federal and state levels spring into action to do so, including U.S. Representative Sara Jacobs … or California state Assemblymember Rebecca Bauer-Kahan’s AB 254—which ensures the privacy of individuals when they use apps and websites that provide reproductive health services,” NARAL Pro-Choice America Communications Director Ally Boguhn wrote to CyberScoop in an email.

Where Washington has seen more success in protecting reproductive health data is in regulatory action helmed by the White House. For instance, President Biden last summer signed an executive order tasking the Federal Trade Commission and the Department of Health and Human Services with protecting abortion services. In April, HHS proposed a rule that would strengthen existing privacy protections under the Health Insurance Portability and Accountability Act by prohibiting healthcare providers from disclosing reproductive healthcare data investigating an individual for a legal abortion. Last week, 24 state attorneys general threw their support behind the proposed rule.

States with pro-choice leadership have also pushed through a cohort of laws around reproductive health, such as shield laws in New York, Washington and California barring entities from sharing data about legal abortions with states conducting criminal investigations into the behavior. California lawmakers are also seeking to ban reverse search warrants that could ensnare abortion seekers, as CyberScoop first reported.

“So far, we haven’t seen indicators that these types of shield laws have actually proved necessary… but we expect it is certainly just a matter of time before they do,” said Jake Laperruque, deputy director at the Security and Surveillance Project for the Center For Democracy & Technology.

Experts note that there could be several reasons there haven’t been more high-profile cases of digital evidence showing up in abortion criminal cases. One is that companies that receive law enforcement requests are often subject to an initial gag order. Secondly, abortion-related investigations may not be explicitly labeled and may instead be charged as a crime like murder or child endangerment.

Even with some strides by states and the Biden administration, without Congress to codify abortion and privacy rights, many state and agency protections fall short. For instance, the HIPAA rulemaking only applies to states where abortion is legal. Applying the protections all states would take an act of Congress. Rep. Jacobs and Eshoo’s Secure Access for Essential Reproductive (SAFER) Health Act, which served as a model for the HIPAA rule, would apply to all reproductive health information regardless of local laws.

Democrats in both chambers are expected to force a vote on legislation protecting access to abortion nationally ahead of the Dobbs anniversary.

Moreover, legislative solutions tailored to health data ignore a world of data that can also be used to incriminate abortion-seekers, such as private messages and geolocation history. Protecting other forms of metadata requires more comprehensive federal privacy legislation. After Dobbs, many civil society groups redoubled support of the American Data Privacy and Protection Act, comprehensive privacy legislation that passed out of its House committee last summer but has yet to be reintroduced this year. Eshoo and Rep. Zoe Lofgren, D-Calif., introduced their own comprehensive privacy legislation, the Online Privacy Act, in April.

“ADPPA would go a long way to not only raise the bar for protections around sensitive data, including health data,” Andrew Crawford, senior policy counsel on the Privacy and Data Project at CDT, told CyberScoop. “Our approach to data privacy burdens the consumer far too much and does not place much of a burden requirement on companies to act as responsible stewards.”

Crawford, who recently released with CDT a guide for best practices for companies to protect reproductive health data, says that the private sector also plays an important role in protecting consumers. Concerns about reproductive health privacy have put pressure on companies to take steps to reduce harm. For instance, Google last summer promised to stop collecting users’ location data for visit to reproductive health clinics. Fertility and reproductive tracking apps at the center of new fears also responded with new privacy modes, such as Flo’s anonymous mode which allows users to track on the app without sharing data like their name or IP address.

Crawford emphasized that any company that collects information like location data could find itself on the receiving end of a law enforcement request and that the kinds of protections that CDT is pushing apply to every company.

“We would like folks to embrace these best practices right now and they don’t necessarily need legislation to do it,” said Crawford.

Lawmakers aren’t giving up, however. “I think together with my colleagues we have built legislative products that are worthy of the support of members but most importantly they would be laws that would fully protect women in our country given the Dobbs decision,” Eshoo told CyberScoop. “It’s a different era. It’s a different time.”

The post A year after Dobbs, federal privacy legislation to protect abortion seekers remains stalled appeared first on CyberScoop.

Such clinics rely on university students to provide free cybersecurity services to local institutions. By deploying students to community organizations to improve digital defenses, university cybersecurity clinics aim to give students cybersecurity experience, improve local defensive capacity and steer students toward work in cybersecurity.

“This investment that Google’s made today recognizes the value of experiential training. This is not only important for national security but for economic opportunities and national innovation,” Kemba Walden, the acting national cyber director, said at Thursday’s event announcing the funding. “Cyber clinics provide an on-ramp to cyber careers by enabling students from different backgrounds and majors to learn cyber skills.”

Google will partner with the Consortium of Cybersecurity Clinics to distribute the funding. Consortium members include Stillman College and the University of Texas system, who partnered with Google at the event.

Walden noted that the office’s forthcoming workforce strategy will focus on collaborative efforts to build cybersecurity capacity at a time when large numbers of cybersecurity jobs remain unfilled in the United States.

The international cybersecurity nonprofit ISC2 estimates that there are approximately half a million open cybersecurity jobs in the United States, which is a 17% jump from 2022 despite an 11% increase in new entrants to the field.

Google’s announcement dovetails with growing interest in Congress to invest in and expand the U.S. cyber workforce. “Other countries are starting to do cybersecurity as well or perhaps even better than the United States,” Rep. Jay Obernolte, R-Calif., said at Thursday’s event. “We need to incentivize students to pursue careers in fields like cybersecurity to reverse that trend.”

In announcing the funding, Google CEO Sundar Pichai said that cyberattacks pose a growing risk to the U.S. economy, costing billions of dollars over the past few years, and that the increased use of AI in security contexts has the potential to make digital systems more secure.

“Just as technology can create new threats it can also help us fight them,” said Pichai, who met with White House officials and members of Congress to discuss AI while in Washington. “AI can also profoundly change how security professionals do their jobs, with better tools for detecting and resolving threats.”

Google’s investment in cyber clinics is the latest in a series aimed at boosting the cybersecurity workforce. Earlier this month, the company announced a $12 million research program with universities in New York. In May, Google announced a cybersecurity certificate addition to its Google Career training program.

At a hearing Thursday before the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection, representatives of ISC2 and other cybersecurity organizations testified about the need for Congress and federal agencies to be more proactive in training America’s future cyber workforce.

“It is clear that the shortage of talent and burnout are issues that both the public and private sector face therefore it is an issue we must tackle together,” Andrew Garbarino, R-N.Y., said in his opening statement. “Our nation’s cyber workforce challenges are widespread and must be addressed through a strategic cross-cutting approach that avoids duplication.”

With reporting from Christian Vasquez.

The post Google announces $20 million investment for cyber clinics appeared first on CyberScoop.

The FTC alleges that the California-based 1health previously known as Vitagene, deceived customers about its privacy policy, retroactively changed that policy and misled customers about its process for deleting data. The company will pay $75,000 to the FTC for consumer refunds as part of a settlement with the agency.

“Companies that try to change the rules of the game by re-writing their privacy policy are on notice,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement. “The FTC Act prohibits companies from unilaterally applying material privacy policy changes to previously collected data.”

Vitagene’s DNA test kits provide reports that include personal information such as ancestry and level of risk for certain health problems, such as high triglycerides and obesity. According to its website, 1health provides testing to corporate and government clients.

According to the complaint, Vitagene stored nearly 2,400 records belonging to at least 227 consumers in publicly accessible data buckets on Amazon Web Services, exposing sensitive consumer and raw genetic data, some of which was tied to consumers’ names. Vitagene claimed that it did not store DNA results connected with identifying information.

According to the FTC, Vitagene was warned three times that the unencrypted health and user data was publicly accessible but only fixed the issue and notified customers in 2019 after a security researcher shared their findings with the media.

The FTC accused the company of deceiving customers by failing to follow through with its promises to customers that they could delete their data at any time. The company later began sharing customer information with third parties without notifying customers of the change.

As part of the proposed order, 1health will be prohibited from sharing health data with third parties without obtaining affirmative customer consent. It must also implement a new security program to address the security concerns in the complaint and notify the FTC about any incidents of unauthorized disclosures of consumer health data. 1health will be required to destroy all DNA samples retained for more than 180 days.

The proposed agreement will be made available for public comment for 30 days before the agency reaches a final settlement.

1health CEO Mehdi Maghsoodnia called the FTC investigation a “case of extraordinary government overreach.”

In a statement, Maghsoodnia said the company first learned in July 2019 that a “small number of customer files had been inadvertently stored in a publicly accessible location” but that the company has no evidence they were “improperly accessed.”

“In response, the FTC launched an investigation which has now dragged on for nearly four years,” Maghsoodnia said. “Ultimately, we disagree with many of the FTC’s conclusions. But we look forward to finally putting this matter behind us.”

Updated June 16, 2023: To include comment from 1health.

The post FTC accuses genetic testing company of exposing sensitive health data appeared first on CyberScoop.

The creation of the task force comes as the agency confronts a number of data protection issues facing customers of U.S. telecoms, such as the sharing of sensitive consumer data, the collection of geolocation data and repeat data breaches at major carriers. Rosenworcel said that the new task force will lead the agency’s recently proposed efforts to modernize its 15-year-old data breach rule.

The task force — which will be led by Loyaan Egal, the agency’s enforcement chief — will also coordinate the FCC’s rulemaking efforts aimed at preventing SIM swapping and creating standards for carriers to authenticate a customer before transferring a number to a new device or a new carrier.

“This kind of fraud demonstrates how powerful these forces are and how privacy is so important for communications and digital age trust,” Rosenworcel said about SIM-swapping, a kind of attack in which cybercriminals use a victim’s personal information to steal their phone number and swap it into a scammer-controlled device.

During her remarks on Tuesday at the Center for Democracy and Technology, a Washington think tank, Rosenworcel said she has serious concerns about how mobile carriers collect and share users’ private data, such as geolocation data. Queries from the FCC found last year that ten of the top 15 mobile carriers in the United States collect geolocation data and provide consumers no way to opt-out.

Rosenworcel said that the agency is carrying out a follow-up investigation about how to address the collection of geolocation data that has now been delegated to the new task force.

Rosenworcel also noted concerns about carriers selling sensitive user data and called on her fellow FCC commissioners to finalize $200 million in proposed fines brought in 2020 against AT&T, Sprint, T-Mobile and Verizon for sharing customer location data without their consent, penalties that won’t come into effect until the agency votes to approve them.

During her speech, Rosenworcel hinted at an upcoming “enforcement action against two companies that have put the security of communications customers at risk.”

“I can’t say more right now, but I can say this right out of the gate: We are showing that this task force means business,” said Rosenworcel.

The post New FCC privacy task force takes aim at data breaches, SIM-swaps appeared first on CyberScoop.

Representatives of the Justice Department and FBI made the case that the long history of abuses linked to Section 702 of the Foreign Intelligence Surveillance Act are already being addressed by significant new reforms instituted in the last two years. But several members of the Judiciary Committee questioned whether these reforms go far enough and pressed witnesses about potentially more serious reforms, including a warrant requirement for using the sensitive intelligence data.

“I will only support the reauthorization of Section 702 if there are significant, significant reforms. And that means first and foremost, addressing the warrantless surveillance of Americans in violation of the Fourth Amendment,” Senate Judiciary Chair Dick Durbin, D-Ill., said in his opening statement.

The hearing sets up what is an uphill battle for the Biden administration to get Congress to renew the authority without changes. The administration and its surrogates insist that failing to renew the law would have grave national security consequences. Ahead of Tuesday’s hearing, Biden administration officials detailed several newly declassified examples of Section 702’s usefulness in combating cyber operations and narcotics trafficking.

But that argument has so far failed to gain traction on the Hill. Lawmakers at Tuesday’s hearing were largely united in opposing a clean reauthorization, arguing that the intelligence community hasn’t shown that it can self-correct a history of serious abuses or show that current systems don’t merit greater reforms.

“Why should we ever trust the FBI and the DOJ again to police themselves under FISA, when they’ve shown us repeatedly, for more than a decade, that they cannot be trusted to do so?” asked Sen. Mike Lee, R-Utah.

The Judiciary Committee members aired a variety of reform proposals, including a warrant requirement for Section 702, adding an “adversarial” process to the FISA system and assigning amicus curiae to targeted individuals who can otherwise not challenge their surveillance — all proposals that Tuesday’s witnesses opposed.

At the heart of lawmakers’ concerns is the FBI’s use of Section 702, which is designed to collect data belonging to foreign intelligence targets whose communications transit U.S. communications infrastructure, to query data incidentally collected on Americans. Committee members raised concerns about the FBI’s history of abusing incidental collection, citing a court ruling declassified last month that showed that the FBI misused the powerful surveillance tool more than 278,000 times.

The Justice Department’s Assistant Attorney General for National Security Matt Olsen said that these abuses predate reforms undertaken by the agency in 2021 and 2022 and that the bureau’s policies would prevent them from recurring.

These reforms include requiring agents to opt-in to search data, something that was a driving factor in reducing U.S. person queries more than 90% between 2021 and 2022, Olsen said. The Foreign Intelligence Surveillance Court is currently carrying out a declassification process for a 2023 opinion that identifies “some additional improvements in FBI compliance,” Olsen said.

On Tuesday, FBI Deputy Director Paul Abbate announced a pair of new compliance measures that the agency is putting forward as it tries to reduce FISA abuse. The first is a three-strike policy for query-related incidents that could lead to an agent’s dismissal. The second involves evaluations that can affect performance ratings and promotions for agency leaders monitoring 702 compliance in their divisions.

Abbate told Sen. John Cornyn, R-Texas, that the bureau would welcome codifying reforms already in place into law.

Civil liberties advocates said these reforms fail to address the surveillance abuses — including the collection of data belonging to racial justice protesters and political donors — committed under Section 702.

“The new items the FBI touted at the hearing are wholly inadequate, and out of touch with how serious these abuses are,” said Jake Laperruque, the director of the Security and Surveillance Project at the Center for Democracy and Technology, a group that is calling for FISA reforms.

Tuesday’s hearing previews what is likely to be a significant clash between the Biden administration and Congress over the possibility of a warrant requirement for U.S. person queries of Section 702 data. The reform is one that both lawmakers at the hearing largely supported but the administration has opposed. On Monday a senior administration official said a warrant requirement would have “very serious national security costs.”

Intelligence agency officials testifying in front of Congress shared those concerns. “The reason for not requiring a warrant is that this is lawfully collected information that is in the FBI holdings,” said the Justice Department’s Olsen.

But lawmakers expressed skepticism about the FBI’s argument.

“The U.S .person query aspect of this is really concerning to the Congress,” said Sen. Jon Ossoff, D-Georgia. “I don’t think you’ve effectively made the case that there shouldn’t be a warrant requirement whether or not it is constitutionally required.”

The post Congress and intelligence officials spar over surveillance reforms appeared first on CyberScoop.

Monday’s briefing with reporters came ahead of a hearing Tuesday before the Senate Judiciary Committee that will feature a collection of senior U.S. intelligence officials and will consider the controversial surveillance tool, which sunsets at the end of this year.

According to Biden administration officials who briefed reporters ahead of that hearing on condition of anonymity, Section 702 of the Foreign Intelligence Surveillance Act allowed the U.S. government to recover the majority of the $4.4 million ransom paid by Colonial Pipeline to the hackers. In another example newly made public, Section 702 data helped the U.S. government to identify and mitigate a 2022 Iranian ransomware attack against a nonprofit, allowing the organization to recover without paying the ransom.

This newly declassified intelligence is just some of what the U.S. intelligence officials testifying on Tuesday are expected to describe in making the case to a deeply skeptical Congress to renew the law.

Since appealing to lawmakers in February to renew the tool, the Biden administration has argued that Section 702 is vital to combat an array of national security threats to the homeland and that it plays an especially vital role in combating cyber threats. A senior FBI adviser recently told CyberScoop that a “plurality” of Section 702 searches by the agency pertain to investigations into nation-state cyberattacks.

Section 702 allows intelligence agencies to collect the communications of non-U.S. persons abroad whose communications transit U.S. telecommunications systems. However, the program’s incidental collection of Americans’ data, which can then be searched by the FBI, has raised oversight concerns from civil liberties advocates and many lawmakers.

In a letter released Monday, a coalition of 19 civil liberties groups called for substantial reforms to Section 702 and urged Congress not to reauthorize the law without a warrant requirement.

Senior administration officials stressed on Monday that the White House has “heard loud and clear” a desire for conversations around reform and that “those conversations are underway.” Reform proposals under consideration include codifying recent reforms by the FBI in how it limits access to 702 information, such as requiring agents to opt-in to search the 702 database and requiring high-level approvals for some searches.

Requiring a warrant for Section 702 searches “would have very serious national security costs,” according to a senior administration official. “They would essentially lead us the government to turn a blind eye to information lawfully in the U.S. government’s possession, including in situations where that information could provide critical protections to victims of malicious foreign activity,” the official said.

Another senior administration official noted that U.S. person queries against Section 702 allowed the FBI to identify where Chinese hackers had attempted to infiltrate the network of a U.S. transportation firm. U.S. person queries also allowed the FBI to identify that Iranian hackers had “conducted extensive research on the former head of a federal department” and allowed agents to warn the department to take precautions against the threat.

Outside of cyber, Section 702 intelligence has been used to gain insights into the activities of foreign adversaries, including Russia’s actions in Ukraine and China’s tracking of dissidents. It has also played a key role in law enforcement efforts targeting narcotics trafficking, according to a senior administration official.

In seeking Section 702’s renewal, the Biden administration faces an uphill fight in Congress, where members of both parties have made it clear that they won’t consider reauthorization without serious reforms.

“This authority should not be renewed without significant reforms to safeguard Americans’ privacy and constitutional rights,” Senate Judiciary Chairman Dick Durbin, D-Ill., tweeted in May after unsealed court documents showed wrongful FBI uses of the database.

In addition to their public testimony on Tuesday, intelligence officials will also provide a classified briefing on Section 702 to Senate Judiciary members. Testifying at Tuesday’s hearing will be officials from the CIA, NSA, FBI, Office of the Director of National Intelligence and Department of Justice.

The post Section 702 data helped take down Colonial Pipeline hacker, Biden administration says appeared first on CyberScoop.

Alexey Bilyuchenko, 43, and Aleksandr Verner, 29, allegedly gained unauthorized access in 2011 to a server holding wallets belonging to the exchange and continued to launder funds through 2017. At the time, Mt. Gox was the largest cryptocurrency exchange in existence, handling a majority of bitcoin transactions globally.

The theft — valued at some $450 million — was the biggest ever suffered by the cryptocurrency industry at that point and led to Mt. Gox’s bankruptcy in 2014.

“Alexey Bilyuchenko and Aleksandr Verner thought they could outsmart the law by using sophisticated hacks to steal and launder massive amounts of cryptocurrency, a novel technology at the time, but the charges unsealed demonstrate our ability to tenaciously pursue these alleged criminals, no matter how complex their schemes, until they are brought to justice,” Damian Williams, the U.S. attorney for the Southern District of New York, said in a statement.

As part of the money laundering scheme, prosecutors allege that Bilyuchenko and Verner entered into a fraudulent contract with a bitcoin brokerage service in the Southern District of New York to liquidate and transfer more than $6.6 million to overseas bank accounts.

Prosecutors allege that Bilyuchenko used proceeds from Mt. Gox to conspire with Russian national Alexander Vinnik to operate BTC-e, one of the world’s largest cryptocurrency exchanges and a key money laundering hub for cybercriminals. Vinnik was arrested in Greece in 2017 on a 21-count indictment related to BTC-e, which allegedly helped launder more than $4 billion in criminal proceeds.

Between 2011 to 2017 BTC-e served more than one million users worldwide and received criminal proceeds of “numerous computer intrusions and hacking incidents, ransomware events, identity theft schemes, corrupt public officials, and narcotics distribution rings,” according to the U.S. Justice Department.

Vinnik was extradited to the United States in August and has recently lobbied to be a part of a prisoner swap between Russia and the United States that might include the imprisoned U.S. journalist Evan Gershkovich.

On Friday, the Northern District of California also charged Bilyuchenko with money laundering conspiracy and operating an unlicensed money services business that prosecutors allege was used to enable criminal activity, including ransomware attacks and malicious hacking.

“Bilyuchenko and his co-conspirators will learn that the Department of Justice has long arms and an even longer memory for crimes that harm our communities,” Ismail J. Ramsey, the U.S. attorney for the Northern District of California said in a statement.

The post DOJ charges two Russian nationals with historic Mt. Gox hack appeared first on CyberScoop.

Google’s suite of products such as maps and search also prompt users to give up this kind of information. But privacy experts caution that the request from its AI chatbot represents a growing creep in data collection by large language models that could lead to an array of potential privacy harms.

“There’s a whole host of reasons to be concerned about the security of location data and its implications for the privacy of users of the system,” said Sarah Myers West, managing director at the AI Now Institute, a research institute that studies the social implications of AI.

That includes the potential subpoenaing of that data by law enforcement, a concern that has become especially pronounced in connection to growing worries about how law enforcement may access geolocation data in cases criminalizing access to abortion. The abuse or breach of geolocation data can also lead to other harms, such as stalking.

Concerns about sharing location data with AI models speak to the “wild west” nature of a rapidly growing industry that is beholden to few regulations and largely opaque to consumers and lawmakers. Consumer technologies such as Bard are less than a year old, making it largely unclear what repercussions they could have for privacy down the line.

The rapid growth in the industry has left regulators in the U.S. and abroad sorting out how the technology exists under current privacy regulations. OpenAI, a leader in the field, landed in hot water in Italy earlier this year after the country’s data protection authority accused it of violating the EU’s data protection rules. More recently, U.S. regulators have warned AI companies “sprinting” to train their models on more and more data that existing consumer protections still apply and failing to heed them could lead to enforcement.

According to Google’s privacy policy for Bard, Google uses the data it collects — including information about locations — “to provide, improve, and develop Google products and services and machine learning technologies, including Google’s enterprise products such as Google Cloud.”

“Bard activity is stored by default for up to 18 months, which a user can change to 3 or 36 months at any time on their My Activity page,” Google said in a statement. Google’s privacy policy says it may share data with third parties including law enforcement.

OpenAI’s privacy policy said that it may share geolocation data with law enforcement, but it’s not clear in ChatGPT’s user policy if or in what circumstances ChatGPT collects this data. OpenAI did not respond to a request for clarification.

Precise geolocation data isn’t the only form of location data that companies collect. For instance, Bard as well as its competitor OpenAI’s ChatGPT also collects IP address data, which reveals geolocation information but not precise physical locations.

However, detailed geolocation data is “substantially more sensitive,” because it can be used to track your exact movements, explains Ben Winters, senior counsel at the Electronic Privacy Information Center, a nonprofit advocacy group.

Location data is considered so sensitive that some members of Congress have sought to ban the sale of location data to data brokers. In the wake of the Dobbs decision that overturned Roe v. Wade, Google itself pledged to wipe location data from Maps users’ visits to reproductive health clinics though recent reporting shows deletions have been inconsistent.

Sharing any form of personal data with generative AI models can be risky, experts say. In March, OpenAI took ChatGPT offline to fix a bug that allowed users to view prompts from other user’s chats and, in some cases, payment-related information of subscribers. It’s also unclear in many cases where data used for training large language models could end up or if it might be regurgitated to other users down the road.

Major companies including Apple and Samsung have restricted their employees’ use of the tools over fear that it could result in the leak of trade secrets. Leading lawmakers have also pressed AI companies on what steps they take to secure sensitive user data from misuse and breaches.

“This technology is fairly nascent,” said Myers West from the AI Now Institute. “And I just don’t think that they themselves have fully dialed in the privacy-preserving capabilities.”

In response to some of these concerns, OpenAI in April introduced data control features for users, including allowing them to turn off chat history. Google Bard also gives users the option to review and delete their chat history.

Experts note that Google’s grab at geolocation data also plays into competition concerns around the AI industry in that big tech companies will be able to use the burgeoning generative AI market to even further bulk up data collection on consumers to get a competitive edge.

“I think that there is a trend toward increased density of data collection,” said Winters, noting that Google’s move could give the rest of the industry a reason to ramp up data collection.

Winters said users should be cautious about models that collect anything beyond their input and account information and those that say they use the data for any purposes beyond providing an output or potentially improving the model.

While regulations around large language models are still nascent, some regulators have already issued warning shots to the industry to heed.

The post AI chatbots want your geolocation data. Privacy experts say beware. appeared first on CyberScoop.

Officials have made broad and general declarations, pointing to wide-ranging applications that include thwarting multiple ransomware attacks against U.S. critical infrastructure, finding out a foreign adversary had hacked sensitive information related to the American military and uncovering a cyberattack against critical federal systems.

Yet, 15 years into Section 702’s history, declassified examples of thwarting cyberattacks are sparse. In the little over three months that the Biden administration has been publicly advocating for the renewal of Section 702, it hasn’t mentioned a single specific public incident where Section 702 was used, despite a term marked by both ample cyber attacks and well-publicized takedowns of foreign hackers.

That lack of transparency and specificity doesn’t appear to be helping the Biden administration in what will likely be an uphill battle for Congress to reauthorize the authority before it sunsets in December. Even some of the authority’s greatest supporters have expressed frustration.

“Whether it’s helping to identify victims so they can be notified of the attack or helping to identify ransomware actors, 702 has been invaluable over the past several years,” Sen. Mark Warner, D-Va., told CyberScoop in an email. “However, I am frustrated that more of these compelling examples have not yet been made public.”

Warner’s office confirmed that the intelligence community has shared examples of the tool’s cyber significance in classified settings but declined to elaborate.

“While it’s important that we do not risk sources and methods, it is also critical that we explain to the American people what will be lost and how they would be increasingly vulnerable to cybercriminals and foreign governments if this authority were allowed to expire,” the Senate Intelligence chairman wrote.

Adam Hickey, former assistant attorney general of the Justice Department’s national security division, echoed Warner’s concerns. “I think they’re fighting with one hand behind their back,” said Hickey, now a partner at the law firm Mayer Brown. “On the one hand, you don’t want the very people who pose a threat to understand your capabilities, because they will work around them … On the other hand, you don’t want to be so careful to avoid that risk that you lose the very authority itself.”

The reticence also isn’t helping the civil liberties community, either, who have challenged the intelligence community’s persistent claims that any reforms to Section 702 that slow down investigators would imperil America’s national security.

“If that’s what the FBI is going to say — not only is it useful for cyber, but it’s useful in this preventive way, this very rapid way — I think this claim needs to be able to be backed up with some examples,” said Jake Laperruque, deputy director at the Security and Surveillance Project for the Center For Democracy & Technology.

Section 702 was first passed in 2008 as an amendment to FISA, pitched initially as a key tool in America’s fight against terrorism. The authority allows the U.S. government to collect the U.S.-based communications of non-Americans outside the country. The collection of the data of U.S. citizens using Section 702 is prohibited, but such data is often swept up in the surveillance in “incidental collection.” This data can be searched by the FBI under certain statutory requirements.

While the amount of FBI searches of 702 data has fluctuated over time, the amount of those searches related to cybersecurity has steadily increased. In a recent interview with CyberScoop, a senior FBI adviser confirmed that “about half” or a “plurality” of Section 702 database searches made by the agency today relate to the investigation of malicious, state-sponsored cyber attacks. While the adviser couldn’t say how much of an increase that was from previous years, they said it was reflective of an overall shift in the agency’s work toward more cyber investigations.

“Our use of the authority in the FBI and across the intelligence community is weighted a lot more heavily towards cyber now than it was five years ago,” the senior FBI adviser said. “Part of that use of this authority is reflective of its value, and the fact that we are just doing more work in this field and we’re seeing cyber threats increase over time.”

While the FBI adviser couldn’t share any specific examples, there is some limited data about how Section 702 data has shown up in cyber investigations. For instance, in its 2022 annual transparency report the ODNI wrote that of the 3.4 million searches made by the FBI in 2021, nearly two million were related to an investigation into an alleged attempt by Russian hackers to break into critical infrastructure. The searches helped to identify potential victims, officials said at the time.

The number of FBI searches declined dramatically in 2022, in part due to a new methodology used by the FBI to count searches.

“Cyberattacks happen at a larger scale. And therefore, the amount of information collected and queried on cyber attacks is just proportionately larger,” said Tom Bossert, the former United State Homeland Security adviser under the Trump administration. “You can imagine hundreds of thousands of attempted cyber attacks in any given period of time, and perhaps only five terrorist phone calls in that same period.”

In its early days, Section 702 was branded as a powerful counter-terrorism tool, reflecting the intelligence community’s focus at the time. In fact, some of the program’s biggest declassified successes involve foiling terrorist plots and taking down their leaders. Most recently, last summer Section 702 intelligence led to a successful operation against al-Qaeda leader Ayman al-Zawahiri.

It was only in 2017 amidst the last renewal debate that cybersecurity began to take a more leading role, with examples of thwarted ransomware attempts eclipsing references to ISIS and other terrorist cells. Now, it often takes top billing when discussing the threats that nation-states pose to the homeland. In its 2023 annual threats assessment, the Office of the Director of National Intelligence put China, Russia, North Korea and Iran and their cyber capabilities among the leading threats to the nation.

Bossert, who was in charge of the Trump administration’s efforts to secure a reauthorization in 2017, sees the new strategy in part as reflective of the national security community’s shifting focus. “I think a lot of people will perceive the cyber threat to be real and ever-present. And fewer people find the terrorist threat to be as urgent,” he said. “And I’d like to think that’s because we’ve spent 20 years confronting that problem and putting controls in place.”

Officials say part of the reason Section 702 has become so valuable in thwarting foreign actors is the complicated nature of cyberattacks. In the majority of cases, attackers use U.S. infrastructure as a lily pad into domestic targets. Intelligence officials have often pointed to this as a challenge when trying to follow the activity of foreign actors onto domestic soil, noting it as a “blind spot” that contributed to the failure to detect Russian hackers during the SolarWinds attack.

Section 702, they say, fills restores that visibility. “It is an authority that lets us do collection against a known foreign entity who chooses to use U.S. infrastructure,” NSA director of cybersecurity Rob Joyce told a crowd at the RSA Conference in April. “And so it makes sure that we don’t afford the same protections to those foreign malicious actors who are on our infrastructure as we do the Americans who live here.”

“I can’t do cybersecurity at the scope and scale we do it today without that authority,” he added.

The FBI and NSA aren’t alone in praising the tool. This week a senior state department official spoke about how the tool is instrumental in informing the work of U.S. diplomats, including cybersecurity issues such as North Korean IT fraud.

One potential stakeholder the Biden administration has yet to seriously court in the fight to renew Section 702 is industry. The senior FBI adviser stressed how failure to renew the authority would hurt its ability to advise chief information security officers, inundated with warnings about vulnerabilities, about which specific threats are most urgent.

“This is one of those things that lets us reach out to specific sectors and even specific companies to say, look, this specific vulnerability is one you want to take care of right now because we’re seeing certain types of actors targeting companies, companies like you, using that,” the senior FBI adviser said. “We’re going to have a severely constricted optic in all those things if we’re forced to rely solely on other tools.”

Former general counsel of the National Security Agency Stewart Baker has made the case that the intelligence community should do more to demonstrate to industry how they can benefit from Section 702. “If I were a CISO, I’d want to weigh in on the kinds of warnings, the kinds of uses of this intelligence in real-time, that would be particularly useful to me.”

Businesses need to understand that if Section 702 goes away, so does that intelligence, says Bossert. “They shouldn’t just think of this as a national security threat. They should think of this as an enterprise threat to their company. And they should view the US government as a potential partner,” he said. “If they expect the US government to continue to be a reliable partner…they have to understand that the underlying information that they have to share is in the government’s holdings because of authorities like 702.”

The senior FBI adviser told CyberScoop that the agency is looking at ways to increase industry engagement on the subject. “There’s a variety of different stakeholders here. And industry, particularly when we’re talking about cyber, is a very important one,” the senior FBI adviser said “So that is something that we are going to take a look at going forward about how we can start getting them engaged now that this is really starting to bubble up to the top of the public conversation as well as the conversation on Capitol Hill and in other stakeholder constituencies.”

Even if there were more examples, it’s unclear if Section 702’s purported value in preventing these attacks can overcome the program’s many criticisms, both from lawmakers wielding the power to reauthorize it and civil liberties groups seeking to reform the program. Most of the political pushback against the authority centers around concerns about well-documented abuses of America’s civil liberties, public examples of which have nothing to do with ransomware or foreign actors infiltrating critical infrastructure.

For instance, a recently declassified 2022 U.S. court ruling found that the FBI had improperly searched for information on Americans in the FISA database 278,000 times, including to spy on political campaigns and protesters. The report sparked outrage from both leading Democrats and Republicans who insist that the program can’t be reauthorized without reforms.

(The FBI argues that it has implemented new compliance measures since those searches occurred to cut down on misuse.)

Officials advocating for Section 702’s reauthorization have been vague about what reforms they would be willing to discuss, instead emphasizing that changes should not diminish the tool’s effectiveness. The reforms sought by advocates and lawmakers may do just that, at least in the eyes of the intelligence community. For instance, the senior FBI adviser said a warrant requirement, one of the top asks from reformers, would make it difficult for the agency to act swiftly to notify ransomware victims.

CDT’s Laperruque noted that courts have long recognized emergency exceptions to the warrant process. Reforms such as adding a warrant requirement to Section 702, which CDT and other groups are advocating for, wouldn’t change that.

“That’s not going to stop Section 702 from being used for cyber,” said Laperruque. “It’s going to stop 702 from being used on Black Lives Matter and members of Congress, which is what we’ve seen 702 used for in recent years.”

The post The White House says Section 702 is critical for cybersecurity, yet public evidence is sparse appeared first on CyberScoop.