Posts with «author_name|katie malone» label

Tor’s shadowy reputation will only end if we all use it

“Tor” evokes an image of the dark web; a place to hire hitmen or buy drugs that, at this point, is overrun by feds trying to catch you in the act. The reality, however, is a lot more boring than that — but it’s also more secure.

The Onion Router, now called Tor, is a privacy-focused web browser run by a nonprofit group. You can download it for free and use it to shop online or browse social media, just like you would on Chrome or Firefox or Safari, but with additional access to unlisted websites ending in .onion. This is what people think of as the “dark web,” because the sites aren’t indexed by search engines. But those sites aren’t an inherently criminal endeavor.

“This is not a hacker tool,” said Pavel Zoneff, director of strategic communications at The Tor Project. “It is a browser just as easy to use as any other browser that people are used to.”

That’s right, despite common misconceptions, Tor can be used for any internet browsing you usually do. The key difference with Tor is that the network hides your IP address and other system information for full anonymity. This may sound familiar, because it’s how a lot of people approach VPNs, but the difference is in the details.

VPNs are just encrypted tunnels hiding your traffic from one hop to another. The company behind a VPN can still access your information, sell it or pass it along to law enforcement. With Tor, there’s no link between you and your traffic, according to Jed Crandall, an associate professor at Arizona State University. Tor is built in the “higher layers” of the network and routes your traffic through separate tunnels, instead of a single encrypted tunnel. While the first tunnel may know some personal information and the last one may know the sites you visited, there is virtually nothing connecting those data points because your IP address and other identifying information are bounced from server to server into obscurity.

In simpler terms: using regular browsers directly connects you and your traffic; adding a VPN routes that information through an encrypted tunnel so that your internet service provider can’t see it; and Tor scatters your identity and your search traffic until it becomes almost anonymous and very difficult to identify.
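The difference between one tunnel and several can be made concrete with a small model. The following is an added example, not code from the article or from The Tor Project: it assumes three relays with pre-shared AES-256-GCM keys (real Tor negotiates per-circuit keys and uses a different cell format), and the relay names, the client address and the site `news.example` are constructed for illustration.

```javascript
// Added illustration: a simplified model of layered ("onion") routing.
// Relay names, addresses and pre-shared keys are constructed for this example.
const nodeCrypto = require("node:crypto");

// Encrypt one layer with AES-256-GCM; output is iv | tag | ciphertext, base64.
function seal(key, obj) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const body = Buffer.concat([cipher.update(JSON.stringify(obj), "utf8"), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]).toString("base64");
}

// Remove one layer; throws if the key is not the one the layer was sealed with.
function unseal(key, blob) {
  const raw = Buffer.from(blob, "base64");
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28));
  const body = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
  return JSON.parse(body.toString("utf8"));
}

function canOpen(key, blob) {
  try { unseal(key, blob); return true; } catch { return false; }
}

// Client side: wrap the request once per relay, innermost layer for the last hop.
function buildOnion(path, destination, request) {
  let layer = { next: destination, payload: request };
  for (let i = path.length - 1; i >= 0; i--) {
    layer = { next: path[i].name, payload: seal(path[i].key, layer) };
  }
  return layer;
}

// Network side: each relay peels its own layer and records what it could observe.
function relayOnion(path, clientAddr, onion) {
  const views = [];
  let from = clientAddr;
  let msg = onion;
  for (const relay of path) {
    const inner = unseal(relay.key, msg.payload);
    views.push({ relay: relay.name, from, to: inner.next, payload: inner.payload });
    from = relay.name;
    msg = inner;
  }
  return views;
}

// Can this single observer tie the client's address to the destination?
function linksClientToSite(view, clientAddr, destination) {
  const seesSite = view.to === destination || String(view.payload).includes(destination);
  return view.from === clientAddr && seesSite;
}

function demo() {
  const client = "203.0.113.7"; // documentation-range address, constructed
  const site = "news.example";
  const request = "GET / Host: news.example";
  const hop = (name) => ({ name, key: nodeCrypto.randomBytes(32) });

  // Three-hop circuit: guard knows the client, exit knows the site.
  const torPath = [hop("guard"), hop("middle"), hop("exit")];
  const torOnion = buildOnion(torPath, site, request);
  const tor = relayOnion(torPath, client, torOnion);

  // Single encrypted tunnel, as with a VPN: one server sees both ends.
  const vpnPath = [hop("vpn-server")];
  const vpn = relayOnion(vpnPath, client, buildOnion(vpnPath, site, request));

  return {
    tor,
    vpn,
    torLinkable: tor.map((v) => linksClientToSite(v, client, site)),
    vpnLinkable: vpn.map((v) => linksClientToSite(v, client, site)),
    middleCanOpenGuardLayer: canOpen(torPath[1].key, torOnion.payload),
  };
}
```

In the three-hop run no single relay's view contains both the client address and the site, while the single VPN hop sees both.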

Accessing unindexed websites adds extra perks, like secure communication. While a platform like WhatsApp offers encrypted conversations, there could be traces that the conversation happened left on the device if it’s ever investigated, according to Crandall. Tor's communication tunnels are secure, and it is much harder to trace that the conversation ever happened.

Other use cases may include keeping the identities of sensitive populations like undocumented immigrants anonymous, trying to unionize a workplace without the company shutting it down, victims of domestic violence looking for resources without their abuser finding out or, as Crandall said, wanting to make embarrassing Google searches without related targeted ads following you around forever.

Still, with added layers of security can come some additional hiccups, like lag or longer loading times. That could be true for some users depending on what they do online, but anecdotally it's gotten a lot faster in recent years, and users have said they barely notice a difference compared to other browsers. Sameer Patil, associate professor at the School of Computing at the University of Utah, studied this by having students and staff try out Tor as their main browser. “I was personally very surprised at how many sites and things just work fine in the Tor browser. So not only did they work as intended, but they also were fast enough,” Patil said.

But even if online privacy isn’t your main concern personally, using Tor can help support industries that heavily rely on it. By using the anonymous and secure browser, you’re supporting activists, journalists and everyone else’s privacy because the more people that use it, the more secure it gets, according to Patil. If only certain sensitive groups use it, it’ll be easier to deanonymize and ultimately track down identities. When you’re one in a billion using it, that task becomes nearly impossible.

This article originally appeared on Engadget at https://www.engadget.com/tor-dark-web-privacy-secure-browser-anonymous-130048839.html?src=rss

ExpressVPN review: Our favorite for gaming and streaming

ExpressVPN has become a household name – or at least as close to one as a VPN is likely to get – taking over mainstream advertisements on sites like YouTube. On our roundup of the nine top providers in June, it came out tops for streaming services, frequent travel and gaming. But, notably, it wasn’t the overall best, falling short on areas like security and user friendliness.

There are three main VPN use cases on top of general security: geoblocking, streaming and gaming. That means my tests looked like watching Shrek on the clock, by using a VPN to access Canadian Netflix from my US-based home office, where the ogre movie isn’t currently available.

ExpressVPN was easy to sign up for, download and use, but compared to the other services, it didn't wow me. Competitors like ProtonVPN, for example, had easier ways to sign in across platforms. But an ExpressVPN subscription does come with a password manager to store and autofill credentials across websites. That’s a plus in a world where complex passwords are crucial to keeping your accounts secure.

The best VPNs stay out of your way and you'll barely even notice they’re running. But one oddity was that ExpressVPN internet speeds outperformed our baseline internet speed measures. The service is likely circumventing traffic shaping by the internet service provider or a similar anomaly because every other VPN will hurt internet speed in some way. But it did successfully mask the IP address, and pass the DNS and WebRTC leak tests as privacy measures.

It was also easy to access geo-blocked content using ExpressVPN, with little-to-no buffering. There were some loading delays that only lasted a few seconds when I tried to stream the news on YouTube using ExpressVPN, but no lag came up after that. Finally, ExpressVPN passed the gaming test by avoiding lag and maintaining a normal loading time. Although, it was a pretty basic test where I logged into online game Slither.io from a UK-based VPN to play the worm-eating competition with international users. Surfing the web with ExpressVPN was just as easy as being online without it. With ExpressVPN, a ping test measured how long data takes to travel from the computer to the server and back at 100 milliseconds, versus 16 milliseconds with no VPN turned on.

ExpressVPN’s biggest perk is that it supports up to five devices at once. That means I could conduct all tests simultaneously and still had no slowdown. That’s great for sharing it with a family, or folks that like to game, watch TV and scroll on their phone at the same time. It’s the main reason ExpressVPN landed as our top choice for streaming and gaming. The connectivity was solid, it had a wide range of servers in 94 countries and provided clear instructions on configuration for any device.

But security-wise, I found myself wanting more. ExpressVPN is based in the British Virgin Islands, which the company touts because the territory lacks any foreign intelligence operations and does not participate in 14 Eyes intelligence-sharing agreements. But it is owned by Kape Technologies, which also owns competitor CyberGhost, and Kape has a problematic history that includes spreading malware. Not only that, in 2021, the Department of Justice charged ExpressVPN CIO Daniel Gericke for cyberspying activities on behalf of the UAE. ExpressVPN stood by the CIO in a blog post.

But it’s not all bad. ExpressVPN publicly shared security audits of its mobile apps, protocol and desktop apps last year. That’s a win for security transparency. Still, a 2021 Consumer Reports study found that ExpressVPN didn’t support multifactor authentication, did not meet brute force mitigation checks and retained some data even after an account was terminated. ExpressVPN did, however, exceed industry standards in protections against unauthorized access, implement a vulnerability disclosure program and said it would not pursue legal action against security researchers. That means when it comes to security standards and practices, ExpressVPN as a company has a few too many misses and not enough hits.

I recommended ExpressVPN as our top choice for gamers, frequent travelers and heavy users of streaming services because it lets users access a wide range of locations from a variety of devices with high speed connections and no lag. With options to configure directly to routers and gaming consoles, it’s a solid choice for people that put a lot of strain on their ISPs. Still, there are better VPNs for the security-minded or those who want something more affordable.

This article originally appeared on Engadget at https://www.engadget.com/vpn-review-expressvpn-2023-gaming-streaming-160052492.html?src=rss

What the hell are passkeys and why are they suddenly everywhere?

Passkeys promise a future without passwords, where we access our accounts as easily as we unlock our phones, with a much higher level of security. Pick your big tech poison, like Apple, Google or Microsoft, and you’ve probably seen it announce a passkey takeover. While a full-on passkey revolution may be a bit away, you may be asked to set one up for your accounts soon.

The username and password approach to logins dates back to the 1960s. Ever since then, it's been hackable. Passwords are guessable or phishable, especially if you fail to meet industry standards for a complex, strong password. For a while, the solution seemed to be multi-factor authentication, or a way to verify your identity at login via text message, app, hardware key or other methods. But passkey proponents are saying that solving login security problems means reinventing the first step, not adding on additional processes.

“It's the closest to something that can be scaled to get rid of passwords that we've ever seen,” said Megan Shamas, senior director of marketing at industry association FIDO Alliance. A passkey is a digital authentication credential that is securely stored on your device. Instead of what Shamas called a “shared secret” method of passwords, passkeys are a unique key pair for every online service you use bound to the domain. So, if you create one for your online banking account, and a spoofed website prompts you to sign in, the passkey won’t work.

It also prevents phishing attacks because you can’t give away your passkey like you can with a password or MFA phrase. We can’t call it “unphishable,” said Derek Hanson, vice president of solutions architecture and alliances at security authentication company Yubico, but it certainly thwarts the common attack vectors used today. At the very least, it makes it much more costly and difficult for a hacker to get in, making the hackers likely to move on to weaker targets.
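The domain binding described above can be shown with a reduced model of a passkey sign-in. This is an added example, not code from the article, the FIDO Alliance or any vendor: it simplifies WebAuthn (the real protocol signs authenticator data plus a hash of the client data and restricts the relying-party ID to a registrable domain), and `bank.example`, `bank-login.example` and `promo.bank.example` are constructed names.

```javascript
// Added illustration: simplified model of a passkey sign-in, not a full WebAuthn implementation.
const nodeCrypto = require("node:crypto");

// Authenticator (phone, laptop, security key): one private key per relying-party ID.
class Authenticator {
  constructor() {
    this.keys = new Map(); // rpId -> private key, never exported
  }
  register(rpId) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", {
      namedCurve: "P-256",
    });
    this.keys.set(rpId, privateKey);
    return publicKey; // only the public half goes to the service
  }
  sign(rpId, clientData) {
    const key = this.keys.get(rpId);
    if (!key) return null; // no passkey was ever created for this domain
    return nodeCrypto.sign("sha256", Buffer.from(clientData), key);
  }
}

// Browser: it, not the page, records the origin and decides which rpId a page may use.
function browserGetAssertion(authenticator, pageOrigin, rpId, challenge) {
  const host = new URL(pageOrigin).hostname;
  const allowed = host === rpId || host.endsWith("." + rpId);
  if (!allowed) return null; // page asked for another site's passkey
  const clientData = JSON.stringify({ challenge, origin: pageOrigin });
  const signature = authenticator.sign(rpId, clientData);
  return signature ? { clientData, signature } : null;
}

// Relying party: the real service, holding only the public key.
class RelyingParty {
  constructor(origin, publicKey) {
    this.origin = origin;
    this.publicKey = publicKey;
    this.pending = new Set(); // challenges issued and not yet used
  }
  newChallenge() {
    const challenge = nodeCrypto.randomBytes(32).toString("hex");
    this.pending.add(challenge);
    return challenge;
  }
  verify(assertion) {
    if (!assertion) return "no assertion";
    const { challenge, origin } = JSON.parse(assertion.clientData);
    if (!this.pending.delete(challenge)) return "unknown or reused challenge";
    if (origin !== this.origin) return "wrong origin";
    const ok = nodeCrypto.verify(
      "sha256", Buffer.from(assertion.clientData), this.publicKey, assertion.signature);
    return ok ? "ok" : "bad signature";
  }
}

function runScenarios() {
  const rpId = "bank.example"; // constructed domain
  const device = new Authenticator();
  const bank = new RelyingParty("https://bank.example", device.register(rpId));
  const attempt = (origin, id) =>
    browserGetAssertion(device, origin, id, bank.newChallenge());

  const genuine = attempt("https://bank.example", rpId);
  const promo = attempt("https://promo.bank.example", rpId);
  // Same signature, but the recorded origin edited after signing.
  const rewrittenInput = attempt("https://promo.bank.example", rpId);
  const rewritten = {
    ...rewrittenInput,
    clientData: rewrittenInput.clientData.replace("promo.bank.example", "bank.example"),
  };

  return {
    genuine: bank.verify(genuine),
    replayed: bank.verify(genuine), // challenge already consumed
    lookalikeAsksForBankKey: bank.verify(attempt("https://bank-login.example", rpId)),
    lookalikeOwnName: bank.verify(attempt("https://bank-login.example", "bank-login.example")),
    otherSubdomain: bank.verify(promo),
    rewrittenOrigin: bank.verify(rewritten),
  };
}
```

Only the sign-in from the genuine origin returns `ok`; the look-alike site never obtains a signature, and a replayed or edited assertion is rejected by the service.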

For the user, they’re meant to be easier, too. Instead of trying to keep track of nearly 100 passwords or more, the passkey is stored on your device and connects automatically to the service. Similar to unlocking your phone, you’ll need to enter a pin, fingerprint, face scan or other simple authentication to log in. It seems too good to be true, and it sort of is, because it's still a fragmented space. While the big names have made passkeys trend recently, they could also be holding back widespread use.

Currently, using a passkey locks you into a certain service provider, according to Sayonnha Mandal, Ph.D., lecturer at University of Nebraska Omaha. You can’t, for example, log in to websites on an Android phone with a passkey stored on a MacBook. It’s the kind of lock-in these companies tend to favor because it keeps customers loyal to their brand. So, it’ll take cooperation and “in the absence of a government industrial standard that everybody mandatorily has to adhere to, I don't think by themselves, the companies would.”

But Shamas says that cross-platform accessibility is coming, as companies sign on to FIDO’s industry standards for passkey development. “The deep investment across the industry (including Apple, Google, and Microsoft) to develop and evangelize the passkey technology speaks to the broad belief in its promise,” said a Google spokesperson. At the time of publication, Google Chrome on Mac and Windows only stores passkeys on the local device.

For now, if a website offers you a passkey login option, you should probably sign up. At least for your most sensitive accounts like online banking, make the switch to passkeys as soon as it's offered for an added layer of protection on those accounts, Mandal said. But, if passkeys do take over, it will be a slow transition. Services will likely still offer password options because it’s what consumers are used to, and passkeys still don’t have wide enough support.

In the meantime, it’s a good reminder to stay on top of your security settings. If passkeys aren’t available, make sure MFA is set up and your password is strong instead of just avoiding the security reminder pop-ups at log in.

This article originally appeared on Engadget at https://www.engadget.com/passkeys-passwords-authentication-security-133024414.html?src=rss

Apple previews new accessibility features, including a way to clone your voice

Apple gave a look at its latest accessibility updates during its annual WWDC on Monday, including new voice and assistive tech features that will launch with iOS 17.

For iOS users with cognitive disabilities, Apple's new Assistive Access feature lets people customize apps with high contrast buttons and large text labels to meet their individual needs. Apple also added Live Speech and Personal Voice for people who are unable to speak, have trouble speaking or may lose their voice over time.

With Live Speech, you can type what you want to say and have it spoken out loud to others on a phone or FaceTime call, or jot down commonly used phrases to select during conversation to avoid any delay that comes with typing out in the moment. Personal Voice creates a voice that sounds like you by recording 15 minutes of random phrases. As an example, Apple wrote in a May release that people with ALS or other conditions that impact speech can save their voice to their device to use with Live Speech and other assistive tech as their condition progresses. Other new accessibility updates include a Point and Speak feature to read the text on household objects aloud.

This article originally appeared on Engadget at https://www.engadget.com/apple-new-accessibility-features-wwdc-assistive-tech-personal-voice-182842341.html?src=rss

Apple announces kid-friendly features to reduce eye strain

Apple gave a look at features targeted at reducing eye strain for kids during its annual WWDC on Monday. The feature comes after Apple initially previewed more health and accessibility features for Global Accessibility Awareness Day in May.

Myopia, commonly known as nearsightedness, usually develops in childhood and affects about 30% of the US population, according to the American Optometric Association. At WWDC, Apple said spending more time outdoors and in the daylight can help reduce a child's risk of developing nearsightedness. A new Apple Watch feature will use the ambient light sensor to measure how much time the wearer spends outside. That data will show up in the Health app, and in Health Sharing for families, to keep track of how much time is spent outside. 

This article originally appeared on Engadget at https://www.engadget.com/apple-kid-friendly-features-reduce-eye-strain-wwdc-182620428.html?src=rss

Everyone is selling VPNs, and that's a problem for security

Whatever YouTube rabbit hole you’ve spiraled down lately — gaming playthroughs, political commentary, niche eight-hour video essays — you’ve encountered an ad for virtual private network, or VPN, services. The influencers promise military grade encryption and streaming content from anywhere as long as you use code FOLLOWME10 at checkout so that they get their cut.

It’s not just anecdotal that VPN ads are everywhere on YouTube. Since the beginning of 2016, VPN companies have collectively sponsored about 247,000 YouTube videos, according to Daniel Conn, co-founder of influencer marketing consulting firm ThoughtLeaders. Almost none came up before then, signaling rapid growth as both influencer marketing and VPN companies took off.

For the YouTubers, it’s a lucrative and consistent way to fund their aspirations; for VPN providers, it’s helping to bring the obscure security product into the mainstream. But for the casual viewer, the sharp spike in VPN ads adds to the confusion and jargon around cybersecurity — and it could be misleading us on how secure we really are.

“If you do think of it like education, it might be the most pervasive form of security education out there,” said Dave Levin, assistant professor in computer science at the University of Maryland.

Researchers at the University of Maryland took a random sample of those hundreds of thousands of ads to better understand what these influencers are saying about security. While not explicitly inaccurate, most of the ads featured vague or exaggerated claims on what VPNs could do, according to Michelle Mazurek, also an associate professor in computer science at the university.

All a VPN can really do is mask your IP address and the identity of your computer on the network by creating an encrypted "tunnel" that prevents your internet service provider from accessing data about your browsing history. They can’t keep your identity secret, protect from financial exploitation, offer “military-grade encryption” or other marketing terms these companies use. Military-grade encryption refers to AES-256, but that’s become an industry standard, and won’t protect you from security threats like phishing attacks. 

Still, it’s sold as a one-step security solution, when it’s really just the start of what you can do to protect yourself online. The companies and the ads are “overselling what a functional one could do,” Omer Akgul, the PhD student at University of Maryland who led the research paper on VPN advertising, said. “It's problematic that users think they're getting protections where they really aren't.”

Most advertising comes with these caveats, but in a field as high risk and difficult to understand as security, the exaggerated claims can be damaging. If a YouTuber sells you on a new electric toothbrush, you can get first-hand experience deciding whether it’s worth your money. You can feel whether it leaves your teeth feeling clean, see real results when you go in for your next dentist appointment and easily compare it to other options on the market. But security isn’t tangible. One VPN service might be more user friendly than the next, but we rely on recommendations from others to tell us whether or not one is “more secure.”

The power behind influencer marketing lies in those recommendations. We trust the people we follow as we build parasocial relationships and see them advertise the same services over and over again. According to the UMD research, influencers use this to tailor their approaches to VPN ads. A far-right conspiracy channel will tout a VPN’s privacy protections from government snooping, while a movie reviewer will say the VPN can help you access streaming platforms in different countries. Akgul said, “Because YouTubers know who their audiences are, they can frame it in such a way that their audience would be interested or understand.”

Influencers tend to be tight-lipped about these advertising relationships because it can put future earnings in jeopardy. But according to Conn, the influencers he’s encountered generally like working with VPN providers because they can be so lucrative. And for VPNs, the competition is fierce to secure top converters, and includes exclusivity periods to prevent top YouTubers from working with competitors. They’re also actively recruiting with companies like Surfshark, NordVPN and ExpressVPN all touting open calls for influencers to sell their services.

“It's a battleground,” Conn said. “Because of these exclusivity clauses, it's a race between them to scoop up in inventory because effectively you're blocking your competitor from the advertising space as well with those clauses. It’s a very aggressive market for VPNs.”

If you’re looking to hide your internet data from your ISP, want to stream Netflix abroad or are connecting to an untrusted public network, a VPN would be a worthwhile investment. But just because you’ve seen more ads online doesn’t mean the use cases for VPNs have changed. Plus, as it becomes a more lucrative way for influencers to make money online, it probably means you should be even more skeptical of both the advertisements and the providers themselves.

This article originally appeared on Engadget at https://www.engadget.com/youtube-influencer-selling-vpns-security-problems-153046206.html?src=rss

The best password managers for 2023

You might’ve seen password managers in the news recently because of the breach affecting LastPass customers. We need to trust that all of our logins, banking credentials and other sensitive information has been neatly locked away, only accessible by us when we need it. But most tech is fallible, and the benefits of unique, strong passwords across your online presence outweigh the risks. Password managers remain a great way to securely store all of the credentials you need on a regular basis. We tested out nine of the best password managers available now to help you choose the right one for your needs.

How do password managers work?

Think of password managers like virtual safe deposit boxes. They hold your valuables, in this case usually online credentials, in a section of the vault only accessible to you by security key or a master password. Most of these services have autofill features that make it convenient to log in to any site without needing to remember every password you have, and they keep your credit card information close for impulse purchases.

But given that passwords are one of the top ways to keep your online identity secure, the real value of password managers is staying safe online. “It's just not possible without a password manager to have unique, long and hard-to-guess passwords,” Florian Schaub, an associate professor of information and of electrical engineering and computer science at the University of Michigan, said.

Common guidance states that passwords should be unique, with the longest number of characters allowed and uppercase letters, lowercase letters, numbers and special characters. This is the exact opposite of using the same password everywhere, with minor variations depending on a site’s requirements. Think of how many sites you have credentials on — it’s an impossible task to remember it all without somewhere to store them safely (no, a sticky note on your desk won’t cut it). Password managers are more readily accessible and offer the benefit of filling in those long passwords for you.

Are password managers safe?

It seems counterintuitive to store all your sensitive information in one place. One hack could mean you lose it all to an attacker and struggle for months or even years to rebuild your online presence, not to mention you may have to cancel credit cards and other accounts. But most experts in the field agree that password managers are a generally secure and safe way to keep track of your data, and the benefits of strong, complex passwords outweigh the possible risks.

The mechanics of keeping those passwords safe differ slightly from provider to provider. Generally, you have a lengthy, complex “master password” that safeguards the rest of your information. In some cases, you might also get a “security key” to enter when you log in to new devices. This is a random string of letters, numbers and symbols that the company will send you at sign up. Only you know this key, and because it’s stored locally on your device or printed out on paper, it’s harder for hackers to find.

These multiple layers of security make it difficult for an attacker to get into your vault even if your password manager provider experiences a breach. But the company should also follow a few security basics. A “zero-knowledge” policy means that the company keeps none of your data on file, so in the event of an attack, there’s nothing for hackers to find. Regular pentests and security audits keep the company up to par on best practices, and other efforts like bug bounty programs or hosting on an open source website encourage constant vigilance for security flaws. Most password managers now also offer some level of encryption falling under the Advanced Encryption Standard (AES). AES 256-bit is the strongest, because it has the largest number of possible combinations, but AES 128-bit or 192-bit are still good.

Who are password managers for?

Given their universal benefit, pretty much everyone could use a password manager. They’re not just for the tech-savvy people or businesses anymore because so much sensitive information ends up online behind passwords, from our bank accounts to our Netflix watch history.

That’s the other perk of password managers: safe password sharing. Families, friends or roommates can use them to safely access joint accounts. Texting a password to someone isn’t secure, and you can help your family break the habit by starting to use one yourself, Lisa Plaggemier, executive director at National Cyber Security Alliance, said. Streaming is the obvious use case, but consider the shared bills, file storage and other sites you share access with the people around you as well.

Are password managers worth it?

You likely already use a password manager, even if you wouldn’t think to call it that. Most phones and web browsers include a log of saved credentials on the device, like the “passwords” keychain in the settings of an iPhone. That means you’ve probably seen the benefits of not having to memorize passwords or even type them out already.

While that’s a great way in, the downfall of these built-in options is that they tend to be device specific. If you rely on an Apple password manager, for example, that works if you’re totally in the Apple ecosystem — but you become limited once you get an Android tablet, Lujo Bauer, professor of electrical and computer engineering, and of computer science, at Carnegie Mellon University, said. If you use different devices for work and personal use and want a secure way to share passwords with others, or just don’t want to be tied to one brand forever, a third-party password manager is usually worth it.

How we tested

We tested password managers by downloading each of the nine contenders on iPhone, Android, Safari, Chrome and Firefox. That helped us better understand what platforms each manager was available on, and see how support differs across operating systems and browsers.

As we got set up with each, we took note of how they iterated on the basic features of autofill and password generators. Nearly all password managers have these features, but some place limits on how much you can store while others give more control over creating easy-to-type yet complex passwords. From there, we looked at extra features like data-breach monitoring to understand which managers offered the most for your money.

Finally, we reviewed publicly available information about security specs for each. This includes LastPass, which more experts are shying away from recommending after the recent breach. For the sake of this review, we’ve decided not to recommend LastPass at this time as fallout from the breach still comes to light (the company disclosed a second incident earlier this year where an unauthorized attacker accessed the company’s cloud storage, including sensitive data).

Password managers we tested

Best password manager: 1Password

Many security experts trust 1Password with their private information and, after testing it out, it’s clear why. The service includes industry standard encryption, a “secret key” that only you know on top of your master password, a zero-knowledge policy that means it keeps no data, and other security features like frequent audits and a bug bounty program.

Plus, it has a pretty intuitive feel. A tutorial at download helps you import passwords from other managers onto 1Password so that you don’t feel like you’re starting over from scratch. It also clearly rates the strength of each password and has an “open and fill” option in the vault so that you can get into your desired site even more quickly. We also liked the option to scan a set up code to easily connect your account to your mobile devices without too much tedious typing.

At $3 per month, the individual subscription comes with unlimited passwords, items and one gigabyte of document storage for your vault. It also lets you share passwords, credit card information and other saved credentials. If you upgrade to the family plan for $5 each month, you’ll get to invite up to five people (plus more for $1 each per month) to be a part of the vault.

  • Number of tiers: 4

  • Pricing: $3/month for Individual, $5/month for Families, $20/month for Teams Starter Pack, $8/month per user for Business

Best free password manager: Bitwarden

Bitwarden’s free plan includes unlimited passwords on an unlimited number of devices, which is more than we’ve seen from some of its competitors. There are drawbacks like you can only share vault items with one other user, but we think that’s a fair tradeoff.

Bitwarden is based on open-source code, meaning anyone on GitHub can audit it, which is a good measure of security. On a personal level, it includes security audits of your information, like a data breach report, that can keep you in the know about when your passwords have been leaked and when it's time to change them. Plus, it’s widely available across the platforms we tested with a level of customization, options to access your vault and more.

Bitwarden may be the best free password manager, but it does have a paid version and we do think it’s worth it. At $10 annually for individuals or $40 for families, you unlock encrypted file storage, emergency access, unlimited sharing and more. But the free version comes with the basics that can get anyone set up on password management easily.

  • Number of tiers: 3

  • Pricing: Free, $3/month per user for Teams Organization, $5/month per user for Enterprise Organization

Best cross-platform availability: NordPass

Across password managers we tested, cross-platform availability was relatively similar. Most are widely available across web browsers and different operating systems, including our other top picks on this list. But we wanted to give a nod to NordPass here because of how easy the service makes it to access your vault from any platform.

NordPass has a free option with unlimited passwords and syncs across devices. A $2-per-month premium subscription keeps you logged in when switching devices, comes with security notifications and allows for item sharing. A family subscription comes with six premium accounts and only costs $4 per month. This makes it a pretty good budget option as well. Besides the pairing code to connect accounts, NordPass is a pretty standard password manager. Scanning a code gets me from my laptop to mobile device to work computer super easily. If you’re constantly switching devices and those extra few seconds save your sanity, it’s worth considering.

  • Number of tiers: 3

  • Pricing: Free, $2/month for Premium, $4/month for Family

Best for shared access: Dashlane

Dashlane has four subscription options: A free user gets access to one device with unlimited passwords; an advanced user pays $3 per month to get upgraded to unlimited devices and dark web monitoring; for $5 per month, a premium user also gets VPN access; and a $7.49-per-month family plan includes access for up to 10 people.

It met all the criteria we looked for, but with a clear emphasis on sharing credentials. Dashlane highlights “secure sharing” starting at its free level, which is a feature that some competitors keep behind a paywall. Access for up to 10 members in a family plan is one of the bigger plans we’ve seen as well. While we were testing it, password sharing seemed front of mind with a tab dedicated to it in Dashlane’s browser extension. Arguably the biggest caveat here, though, is lack of Linux support.

  • Number of tiers: 4

  • Pricing: Free, $3/month for Advanced, $5/month for Premium, $7/month for Friends and Family

This article originally appeared on Engadget at https://www.engadget.com/best-password-manager-134639599.html?src=rss

Google’s Find My Device will soon detect unknown Bluetooth trackers

Updates to Android's "Find My Device" network will alert users to unknown trackers, even if they aren't Google branded, the company announced at Google I/O 2023 on Wednesday. The updates will come in summer 2023, but the company did not give a specific date.

Unknown tracker alerts happen when the network detects a Bluetooth tracker, such as an Apple AirTag or Tile device, registered to another user following you around. In the past, these alerts have been limited by brand. With this Android update, any tracker compatible with the Find My Device network will show up. 

Other updates to the Find My Device app include a feature that pings compatible devices if you can't find them, ways to view the location of those devices even if they're offline and new support for Tile, Chipolo, Pebblebee, Sony and JBL devices.

The Android announcement comes after Google and Apple partnered up earlier this month to address unwanted tracking across devices. The companies submitted best practices and instructions to allow notifications of unauthorized tracking across iOS and Android devices. Other companies like Tile and Samsung have shown support for the effort.

This is a developing story. Please check back for updates.


This article originally appeared on Engadget at https://www.engadget.com/android-findmy-bluetooth-tracker-google-airtag-tile-182832477.html?src=rss

Google adds more context and AI-generated photos to image search

Google is adding new features to its image search function to make it easier to spot altered content, the company announced at Google I/O 2023 on Wednesday. Photos on the search engine will soon include an "about this image" option that tells users when the image and ones like it were first indexed by Google, where it may have appeared first and other places the image has been posted online. That information could help users figure out whether something they're seeing was generated by AI, according to Google.

The new feature will show up by clicking the three dots on an image in Google Image results. Google did not say exactly when the new feature will be available, besides that it'll be first available in the United States in the "coming months." Vice president of search Cathy Edwards told Engadget that the tool doesn't currently tell you if an image has been edited or manipulated, though the company is researching effective ways of detecting such tweaks.

Meanwhile, Google also began rolling out images generated by AI. Those images will include a markup in the original file to add context about the image's creation wherever it's used. Image publishers like Midjourney and Shutterstock will also include the markup. Google's efforts to clarify to users where its search results come from started earlier this year with efforts like "About this result."

This is a developing story. Please check back for updates.


This article originally appeared on Engadget at https://www.engadget.com/generative-ai-google-image-search-context-175311217.html?src=rss

The government is very hackable, and they have your data

Data breaches and security failures happen every day. There’s little we can do about that if we want to participate in modern society, except maybe switch out the companies we interact with for their competitors if we presume one to be more secure. There’s one service that we don’t have a choice on whether to interact with, no matter how high profile its security incidents become: the federal government.

A breach of the Office of Personnel Management announced in 2015 leaked background investigation records, impacting 21.5 million individuals, according to the agency. The highly publicized SolarWinds hack discovered in 2020 exposed government and business records to Russian insiders. Earlier this year, the US Marshals Service division of the Department of Justice became a target, when hackers stole personal information about investigation targets, personnel and more.

The attacks were targeted, usually seeking out some type of sensitive state information. But we all have sensitive information stored throughout federal agencies, like our Social Security numbers or home addresses. Probably even more information is at stake if you utilize federal services like Medicare, student loans or SNAP benefits. We have no choice but to give the federal government access to our personal information in exchange for certain services, unless you’re reading this while living off grid.

“If we want to live in the information age, and we're using some of these systems, we are inherently giving up control,” Kevin Cleary, clinical assistant professor of management science and systems at University at Buffalo, told Engadget. “You have to trust that agency has put forward all the best controls and practices.”

In response, the federal government has developed agencies like the Cybersecurity and Infrastructure Security Agency to lead better security initiatives across departments. In part, this is intended to help you feel a little bit better about storing your data within federal servers by setting higher standards for how it safeguards your data. According to Michael Duffy, associate director of the cybersecurity division at CISA, since the agency’s establishment in 2018, it’s spearheaded the most progress he’s seen in his federal cybersecurity career.

So, things are improving, and you can probably trust the federal government to keep your data safe in the same way you trust the companies you interact with every day. What makes the government so different, though, is that it’s a high profile target. Adversarial countries want in on state secrets while, at the same time, it’s hard to prioritize spending on security measures. Getting taxpayer funds to fill a pothole on your local highway is hard enough when the damage is tangible and obvious, while the benefits of security are hard to quantify until an attack occurs. In other words, the value of security investments isn’t proven until it’s already too late.

This has gotten better. Security investments in the federal government largely trend upwards. Still, it’s not enough. “Sometimes their budgets don't allow them to take every step or to do everything that they would like to do, because you just simply don't have the money,” Marisol Cruz Cain, director of information technology and cybersecurity at GAO, said.

But the reason the federal government may appear less secure is its obligation for transparency. There’s a responsibility to share lessons learned after an incident, and make sure citizens know what happened. That’s actually a big part of CISA’s job. “We are really looking at ways that we are making it more acceptable to raise the hand and say this is the way that we were attacked or an incident occurred,” Duffy said.

The government also interacts with a ton of outside businesses. So if a government contractor experiences a breach or security incident, data held in federal tech could be exposed. This opens up a slew of new attack vectors, and possibilities for malpractice.

You can actually see how secure certain agencies are thanks to the Government Accountability Office (GAO) and legislation like the Federal Information Technology Acquisition Reform Act. The latter documents tech modernization efforts across major agencies, including cyber readiness. GAO, for its part, audits cybersecurity efforts and develops privacy impact assessments that are publicly available descriptions about what information the agency collects, how they use it and more.

But with all these audits comes a relatively bleak conclusion. Agencies aren’t evaluating their policies and procedures to make sure that high profile incidents don’t happen on a regular basis, Cruz Cain said. Your information will be on those servers whether you like it or not.

This article originally appeared on Engadget at https://www.engadget.com/the-government-is-very-hackable-and-they-have-your-data-163034576.html?src=rss