The White House has announced an investigation into cars built in China and other unnamed "countries of concern." The Biden administration notes that cars are "constantly connecting" with drivers' phones, other vehicles, American infrastructure and their manufacturers, and that newer models use tech such as driver assist systems.

"Connected vehicles collect large amounts of sensitive data on their drivers and passengers; regularly use their cameras and sensors to record detailed information on US infrastructure; interact directly with critical infrastructure; and can be piloted or disabled remotely," the White House said in a statement. Officials are concerned that "new vulnerabilities and threats" could arise from connected vehicles if foreign governments are able to access data from them. They are especially wary that said countries of concern could use such information in ways that put national security at risk.

The Department of Commerce will lead the investigation. "We need to understand the extent of the technology in these cars that can capture wide swaths of data or remotely disable or manipulate connected vehicles, so we are soliciting information to determine whether to take action under our ICTS [information and communications technology and services] authorities," Commerce Secretary Gina Raimondo said.

Through its advance notice of proposed rulemaking [PDF], the agency is looking for feedback from the public to help determine "the technologies and market participants that may be most appropriate for regulation." The investigation will help the Commerce Department decide whether to take action. It's the first time that the agency's Bureau of Industry and Security is carrying out an investigation under Trump-era Executive Orders "focused on protecting domestic information and communications technology and services supply chains from national security threats," the White House said.

"China is determined to dominate the future of the auto market, including by using unfair practices. China’s policies could flood our market with its vehicles, posing risks to our national security. I’m not going to let that happen on my watch," President Joe Biden said. "Connected vehicles from China could collect sensitive data about our citizens and our infrastructure and send this data back to the People’s Republic of China. These vehicles could be remotely accessed or disabled."

As The Washington Post points out, cars built in China aren't especially common on US roads as yet, but they're becoming an increasingly familiar sight in other markets, such as Europe. While many of the vehicles that are causing concerns are EVs, its cars' cameras, sensors and software that are the focus of the probe.

It's not the first time that the US has investigated Chinese companies over concerns that they pose security risks to the country's infrastructure. A few years ago, it banned the import and sale of telecom networking equipment made by Huawei and ZTE (after stopping government employees from using the companies' phones). The government also required telecoms to remove and replace Huawei and ZTE gear in existing infrastructure at great expense.

The two primary fears around AI are that the information these systems produce is gibberish, and that it'll unjustly take jobs away from people who won't make such sloppy mistakes. But the UK's current government is actively promoting the use of AI to do the work normally done by civil servants, including drafting responses to parliamentary inquiries, the Financial Times reports.

UK Deputy Prime Minister Oliver Dowden is set to unveil a "red box" tool that can allegedly absorb and summarize information from reputable sources, like the parliamentary record. A separate instrument is also being trialed that should work similarly but with individual responses to public consultations. While it's unclear how quickly the AI tool can perform this work, Dowden claims it takes three months with 25 civil servants. However, the drafts would allegedly always be double-checked by a human and include sourcing. 

The Telegraph quoted Dowden arguing that implementing AI technology is critical to cutting civil service jobs — something he wants to do. "It really is the only way, I think, if we want to get on a sustainable path to headcount reduction. Remember how much the size of the Civil Service has grown as a result of the pandemic and, and EU exit preparedness. We need to really embrace this stuff to drive the numbers down." Dowden's statement aligns with hopes from his boss, Prime Minister Rishi Sunak, to use technology to increase government productivity — shockingly, neither person has offered to save money by giving AI their job. 

Dowden does show some restraint against having AI do everything. In a pre-speech briefing, he noted that the government wouldn't use AI for any "novel or contentious or highly politically sensitive areas." At the same time, the Cabinet Office's AI division is set to grow from 30 to 70 employees and to get a new budget of £110 million ($139.1 million), up from £5 million ($6.3 million).

In a followup to a tentative ruling made in December, a federal judge has ordered Elon Musk to comply with the U.S. Securities and Exchange Commission's (SEC) subpoena and testify again in its probe of his Twitter takeover, Reuters reports. Per the order, which was filed Saturday night in a California court, Musk and the SEC now have a week to work out a time and place for his appearance or it will be decided for them. The SEC has been investigating Musk’s purchase of Twitter, now X, since 2022 over concerns about his lateness in disclosing his stake in Twitter.

The order comes after Musk failed to appear for a testimony in September and later refused to attend a rescheduled interview, prompting the SEC to sue. US Magistrate Judge Laurel Beeler sided with the SEC after Musk tried to challenge its subpoena, which he claims is seeking irrelevant information and is harassment, as he’s already been interviewed twice. But, the SEC says it has obtained new documents in relation to the probe and has further questions for the X owner. Musk also argued that it exceeds the SEC’s authority because the subpoena was issued by an SEC staff member appointed by the SEC’s Director of Enforcement. Beeler struck these arguments down, ruling that the subpoena is valid. 

Even NASA is not immune to layoffs. The agency says it's cutting around 530 employees from its Jet Propulsion Laboratory (JPL) in California amid budget uncertainty. That's eight percent of the facility's workforce. JPL is laying off about 40 contractors too, just weeks after imposing a hiring freeze and canning 100 other contractors. Workers are being informed of their fates today.

"After exhausting all other measures to adjust to a lower budget from NASA, and in the absence of an FY24 appropriation from Congress, we have had to make the difficult decision to reduce the JPL workforce through layoffs," NASA said in a statement spotted by Gizmodo. "The impacts will occur across both technical and support areas of the Lab. These are painful but necessary adjustments that will enable us to adhere to our budget allocation while continuing our important work for NASA and our nation."

Uncertainty over the final budget that Congress will allocate to NASA for 2024 has played a major factor in the cuts. It's expected that the agency will receive around $300 million for Mars Sample Return (MSR), an ambitious mission in which NASA plans to launch a lander and orbiter to the red planet in 2028 and bring back soil. In its 2024 budget proposal, NASA requested just under $950 million for the project.

“While we still do not have an FY24 appropriation or the final word from Congress on our Mars Sample Return (MSR) budget allocation, we are now in a position where we must take further significant action to reduce our spending,” JPL Director Laurie Leshin wrote in a memo. "In the absence of an appropriation, and as much as we wish we didn’t need to take this action, we must now move forward to protect against even deeper cuts later were we to wait."

NASA has yet to provide a full cost estimate for MSR, though an independent report pegged the price at between $8 billion and $11 billion. In its proposed 2024 budget, the Senate Appropriations subcommittee ordered NASA to submit a year-by-year funding plan for MSR. If the agency does not do so, the subcommittee warned that the mission could be canceled.

That's despite MSR having enjoyed success so far. The Perseverance rover has dug up some soil samples that contain evidence of organic matter and would warrant closer analysis were NASA able to bring them back to Earth. The samples could help scientists learn more about Mars, such as whether the planet ever hosted life.

The CEOs of Meta, Snap, Discord, X and TikTok testified at a high-stakes Senate Judiciary Committee hearing on child exploitation online. During the hearing, Mark Zuckerberg, Evan Spiegel, Jason Citron, Linda Yaccarino and Shou Chew spent hours being grilled by lawmakers about their records on child safety. 

The hearing was the first time Spiegel, Citron and Yaccarino testified to Congress. Notably, all three were subpoenaed by the committee after refusing to appear voluntarily, according to lawmakers. Judiciary Committee Chair Senator Dick Durbin noted that Citron “only accepted services of his subpoena after US Marshals were sent to Discord’s headquarters at taxpayers’ expense.”

The hearing room was filled with parents of children who had been victims of online exploitation on social media. Many members of the audience silently held up photos of their children as the CEOs entered the room, and Durbin kicked off the hearing with a somber video featuring victims of child exploitation and their parents.

“Discord has been used to groom, abduct and abuse children,” Durbin said. “Meta’s Instagram helped connect and promote a network of pedophiles. Snapchat’s disappearing messages have been co-opted by criminals who financially extort young victims. TikTok has become a quote platform of choice for predators to access, engage and groom children for abuse. And the prevalence of CSAM on X has grown as the company has gutted its trust and safety workforce.”

During the hearing, many of the senators shared personal stories of parents whose children had died by suicide after being exploited online. "Mr. Zuckerberg, you and the companies before us — I know you don't mean it to be so — but you have blood on your hands," Senator Lindsey Graham said in his opening remarks. The audience applauded. 

While years of similar hearings have so far failed to produce any new laws, there is growing bipartisan support in Congress for new safety regulations. As Tech Policy Press points out, there are currently more than half a dozen bills dealing with children's online safety that have been proposed by senators. These include the Kids Online Safety Act (KOSA), which would require platforms to create more parental control and safety features and submit to independent audits, and COPPA 2.0, a revised version of the 1998 Children and Teens' Online Privacy Protection Act, which would bar companies from collecting or monetizing children’s data without consent.

Senators have also proposed a number of bills to address child exploitation, including the EARN IT Act, currently in its third iteration since 2020, and the STOP CSAM Act. None of these have advanced to the Senate floor for a vote. Many of these bills have faced intense lobbying from the tech industry, though some companies in attendance said they are open to some aspects of the legislation.

Zuckerberg suggest a different approach, saying he supported age verification and parental control requirements at the app store level, which would effectively shift the burden to Apple and Google. Meta has come under particular pressure in recent months following a lawsuit from 41 states for harming teens’ mental health. Court documents from the suit allege that Meta turned a blind eye to children under 13 using its service, did little to stop adults from sexually harassing teens on Facebook and that Zuckerberg personally intervened to stop an effort to ban plastic surgery filters on Instagram.

Developing...

A Microsoft manager claims OpenAI’s DALL-E 3 has security vulnerabilities that could allow users to generate violent or explicit images (similar to those that recently targeted Taylor Swift). GeekWire reported Tuesday the company’s legal team blocked Microsoft engineering leader Shane Jones’ attempts to alert the public about the exploit. The self-described whistleblower is now taking his message to Capitol Hill.

“I reached the conclusion that DALL·E 3 posed a public safety risk and should be removed from public use until OpenAI could address the risks associated with this model,” Jones wrote to US Senators Patty Murray (D-WA) and Maria Cantwell (D-WA), Rep. Adam Smith (D-WA 9th District), and Washington state Attorney General Bob Ferguson (D). GeekWire published Jones’ full letter.

Jones claims he discovered an exploit allowing him to bypass DALL-E 3’s security guardrails in early December. He says he reported the issue to his superiors at Microsoft, who instructed him to “personally report the issue directly to OpenAI.” After doing so, he claims he learned that the flaw could allow the generation of “violent and disturbing harmful images.”

Jones then attempted to take his cause public in a LinkedIn post. “On the morning of December 14, 2023 I publicly published a letter on LinkedIn to OpenAI’s non-profit board of directors urging them to suspend the availability of DALL·E 3),” Jones wrote. “Because Microsoft is a board observer at OpenAI and I had previously shared my concerns with my leadership team, I promptly made Microsoft aware of the letter I had posted.”

OpenAI

Microsoft’s response was allegedly to demand he remove his post. “Shortly after disclosing the letter to my leadership team, my manager contacted me and told me that Microsoft’s legal department had demanded that I delete the post,” he wrote in his letter. “He told me that Microsoft’s legal department would follow up with their specific justification for the takedown request via email very soon, and that I needed to delete it immediately without waiting for the email from legal.”

Jones complied, but he says the more fine-grained response from Microsoft’s legal team never arrived. “I never received an explanation or justification from them,” he wrote. He says further attempts to learn more from the company’s legal department were ignored. “Microsoft’s legal department has still not responded or communicated directly with me,” he wrote.

Engadget reached out to Microsoft and OpenAI, but neither company responded immediately. We’ll update this article if we hear back.

The whistleblower says the pornographic deepfakes of Taylor Swift that circulated on X last week are one illustration of what similar vulnerabilities could produce if left unchecked. 404 Media reported Monday that Microsoft Designer, which uses DALL-E 3 as a backend, was part of the deepfakers’ toolset that made the video. The publication claims Microsoft, after being notified, patched that particular loophole.

“Microsoft was aware of these vulnerabilities and the potential for abuse,” Jones concluded. It isn’t clear if the exploits used to make the Swift deepfake were directly related to those Jones reported in December.

Jones urges his representatives in Washington, DC, to take action. He suggests the US government create a system for reporting and tracking specific AI vulnerabilities — while protecting employees like him who speak out. “We need to hold companies accountable for the safety of their products and their responsibility to disclose known risks to the public,” he wrote. “Concerned employees, like myself, should not be intimidated into staying silent.”

The National Security Agency’s director has confirmed that the agency buys Americans’ web browsing data from brokers without first obtaining warrants. Senator Ron Wyden (D-OR) blocked the appointment of the NSA’s inbound director Timothy Haugh until the agency answered his questions regarding its collection of Americans’ location and Internet data. Wyden said he’d been trying for three years to “publicly release the fact that the NSA is purchasing Americans’ internet records.”

In a letter dated December 11, current NSA Director Paul Nakasone confirmed to Wyden that the agency does make such purchases from brokers. "NSA acquires various types of [commercially available information] for foreign intelligence, cybersecurity, and other authorized mission purposes, to include enhancing its signals intelligence (SIGINT) and cybersecurity missions," Nakasone wrote. "This may include information associated with electronic devices being used outside and, in certain cases, inside the United States."

Nakasone went on to claim that the NSA "does not buy and use location data collected from phones known to be used in the United States either with or without a court order. Similarly, NSA does not buy and use location data collected from automobile telematics systems from vehicles known to be located in the United States."

An NSA spokesperson told Reuters that the agency uses such data sparingly but that it has notable value for national security and cybersecurity purposes. "At all stages, NSA takes steps to minimize the collection of US [personal] information, to include application of technical filters," the spokesperson said.

Wyden has called the practice unlawful. "Such records can identify Americans who are seeking help from a suicide hotline or a hotline for survivors of sexual assault or domestic abuse," he said.

The senator urged Director of National Intelligence Avril Haines to order US intelligence agencies to stop buying Americans’ private data without consent. He also asked Haines to direct intelligence agencies to "conduct an inventory of the personal data purchased by the agency about Americans, including, but not limited to, location and internet metadata." Wyden said that any data that does not comply with Federal Trade Commission standards regarding personal data sales should be deleted.

Wyden pointed to an FTC settlement that this month banned a data broker from selling location data. The agency alleged that the information, which it claimed was sold to buyers including government contractors, "could be used to track people’s visits to sensitive locations such as medical and reproductive health clinics, places of religious worship and domestic abuse shelters."

The FTC stated in its complaint against the broker, formerly known as X-Mode Social, that by "failing to fully inform consumers how their data would be used and that their data would be provided to government contractors for national security purposes, X-Mode failed to provide information material to consumers and did not obtain informed consent from consumers to collect and use their location data."

The settlement was the first of its kind with a data broker. In a statement, Wyden, who has been investigating the data broker industry for several years, said he was "not aware of any company that provides such a warning to users [regarding their consent] before collecting their data."

The issue of US federal agencies buying phone location data isn't exactly new. In 2020, it emerged that Customs and Border Protection had been doing so. The following year, Wyden claimed the Defense Intelligence Agency and the Pentagon bought and used location data from Americans’ phones.

The Securities and Exchange Commission has provided more details about how its official X account was compromised earlier this month. In a statement, the regulator confirmed that it had been the victim of a SIM swapping attack and that its X account was not secured with multi-factor authentication (MFA) at the time it was accessed.

“The SEC determined that the unauthorized party obtained control of the SEC cell phone number associated with the account in an apparent 'SIM swap' attack," it said, referring to a common scam in which attackers persuade customer service representatives to transfer phone numbers to new devices. “Once in control of the phone number, the unauthorized party reset the password for the @SECGov account.”

The hack of its X account, which was taken over in order to falsely claim that bitcoin ETFs had been approved, has raised questions about SEC’s security practices. Government-run social media accounts are typically required to have MFA enabled. The fact that one as high-profile and with potentially market-moving abilities like @SECGiv would not be using the extra layer of security has already prompted questions from Congress.

In its statement, the SEC said that it asked X’s support staff to disable MFA last July following “issues” with its account access. “Once access was reestablished, MFA remained disabled until staff reenabled it after the account was compromised on January 9,” it said. “MFA currently is enabled for all SEC social media accounts that offer it.”

While the lack of MFA likely made it much easier to take over the SEC’s account, there are still numerous questions about the exploit, including how those responsible knew which phone was associated with the X account, how the unnamed telecom carrier fell for the scam and, of course, who was behind it. The regulator said it’s investigating these questions, along with the Department of Justice, FBI, Homeland Security and its own Inspector General.

Another lawmaker is pushing the Securities and Exchange Commission for more information about its security practices following the hack of its verified account on X. In a new letter to the agency’s Inspector general, Senator Ron Wyden, called for an investigation into “the SEC’s apparent failure to follow cybersecurity best practices.”

The letter, which was first reported by Axios, comes days after the SEC’s official X account was taken over in order to post a tweet claiming that spot bitcoin ETFs had been approved by the regulator. The rogue post temporarily juiced the price of bitcoin and forced SEC chair Gary Gensler to chime in from his X account that the approval had not, in fact, happened. (The SEC did approve 11 spot bitcoin ETFs a day later, with Gensler saying in a statement that “bitcoin is primarily a speculative, volatile asset that’s also used for illicit activity.”)

The incident has raised a number of questions about the SEC’s security practices after officials at X said the financial regulator had not been using multi-factor authentication to secure its account. In the letter, Wyden, who chairs the Senate’s finance committee, said it would be "inexcusable" for the agency to not use additional layers of security to lock down its social media accounts.

“Given the obvious potential for market manipulation, if X’s statement is correct, the SEC’s social media accounts should have been secured using industry best practices,” Wyden wrote. “Not only should the agency have enabled MFA, but it should have secured its accounts with phishing-resistant hardware tokens, commonly known as security keys, which are the gold standard for account cybersecurity. The SEC’s failure to follow cybersecurity best practices is inexcusable, particularly given the agency’s new requirements for cybersecurity disclosure”

Wyden isn’t the only lawmaker who has pushed the SEC for more details about the hack. Senators J. D. Vance and Thom Tillis sent a letter of their own, addressed to Gensler, immediately following the incident. They asked for a briefing about the agency’s security policies and investigation into the hack by January 23.

The SEC didn’t immediately respond to a request for comment. The agency said in an earlier statement that it was working with the FBI and the Inspector General to investigate the matter.

AI may or may not take people's jobs in years to come, but in the meantime, there's one thing they cannot obtain: patents. Dr. Stephen Thaler has spent years trying to get patents for two inventions created by his AI "creativity machine" DABUS. Now, the United Kingdom's Supreme Court has rejected his appeal to approve these patents when listing DABUS as the inventor, Reuters reports. 

The court's rationale stems from a provision in UK patent law that states, "an inventor must be a natural person." The ruling stipulated that the appeal was unconcerned with whether this should change in the future. "The judgment establishes that UK patent law is currently wholly unsuitable for protecting inventions generated autonomously by AI machines," Thaler's lawyers said in a statement. 

Thaler first attempt to register the patents — for a food container and a flashing light — was in 2018, as owner of the machine that invented them. However, the UK's Intellectual Property Office said he must list an actual human being on the application, and when he refused, it withdrew his application. Thaler fought the decision in the High Court and then the Court of Appeal, with Lady Justice Elisabeth Laing stating, "Only a person can have rights. A machine cannot." 

Thaler, an American, also submitted the two products to the United States Patent and Trademark Office, which rejected his application. Plus, he previously sued the US Copyright Office (USCO) for not awarding him the copyright for a piece of art DABUS created. The case reached the US District Court of Columbia, with Judge Beryl Howell's ruling explaining, "Human authorship is a bedrock requirement of copyright." Thaler has argued that this provision is unconstitutional, but the US Supreme Court declined to hear his case, ending any further chances to argue his stance. While the UK and US have rejected Thaler's petitions, he has succeeded in countries such as Australia and South Africa.