Posts with «internet & networking technology» label

EU criticizes Meta's 'privacy for cash' business model

The European Union doesn't think you should have to choose between giving Meta and other major players your data or your money. In a statement, the European Data Protection Board (EDPB) said that "consent or pay" models often don't "comply with the requirements for valid consent" when a person must choose between providing their data for behavioral advertising purposes and paying for privacy.

The EDPB argues that only offering a paid alternative to data collection shouldn't be the default for large online platforms. It doesn't issue a mandate but stresses that these platforms should "give significant consideration" to providing a free option that doesn't involve data processing (or at least not as much). "Controllers should take care at all times to avoid transforming the fundamental right to data protection into a feature that individuals have to pay to enjoy," EDPB Chair Anu Talus said. "Individuals should be made fully aware of the value and the consequences of their choices."

Currently, EU users must pay €10 ($11) monthly for an ad-free subscription or be forced to share their data. The EU is already investigating if this system complies with the Digital Markets Act, which went into effect at the beginning of March.

This article originally appeared on Engadget at https://www.engadget.com/eu-criticizes-metas-privacy-for-cash-business-model-103042528.html?src=rss

Creepy monitoring service sells searchable Discord user data for as little as $5

A data scraping service is selling information on what it claims to be 600 million Discord users. A report from 404 Media details Spy Pet, an online service that gathers, stores and sells troves of information from the social platform. But have no fear: It markets its services to totally trustworthy paying clients like law enforcement, AI model trainers or your average person curious about “what their friends are up to.” Why ask them when you can simply purchase and download a copy of their Discord activity?

For as little as $5 in cryptocurrency, Spy Pet lets you access data about specific users, such as which servers they participate in, what messages they’ve sent and when they joined or left voice channels. It claims to have information on an alleged 600 million users across 14,000 Discord servers and three billion messages.

As for what inspired Spy Pet, its creator suggested it’s a classic case of doing what one enjoys and pushing personal boundaries. “I like scraping, archiving, and challenging myself,” the creator told 404 Media. “Discord is basically the holy grail of scraping, since Discord is trying absolutely anything to combat scraping.”

Some people run a 5K, set a weight-loss goal or take up pickleball. Others start a social scraping service that sells data to the feds, AI companies and creepy exes. To each their own!

404 Media says the database lets you search for specific users. For each search result, a page shows the servers the user has joined (at least among those Spy Pet monitors), their connected accounts, a table showing their recent messages (including the server name, time stamps and the message itself) and their voice channel entry and exit times. Paying customers can conveniently export their prey’s — or “friend’s” — chats into a CSV file.

Discord says it’s investigating Spy Pet and weighing its options. “Discord is committed to protecting the privacy and data of our users,” a company spokesperson wrote in an email to Engadget. “We are currently investigating this matter. If we determine that violations of our Terms of Service and Community Guidelines have occurred, we will take appropriate steps to enforce our policies. We cannot provide further comments as this is an ongoing investigation.”

This article originally appeared on Engadget at https://www.engadget.com/creepy-monitoring-service-sells-searchable-discord-user-data-for-as-little-as-5-170228224.html?src=rss

Meta is shutting down Threads in Turkey following injunction against data-sharing with Instagram

Meta is shutting down Threads in Turkey on April 29 after an interim injunction from the Turkish Competition Authority (TCA) against automatic data-sharing with Instagram. The TCA ruled that linking Threads and Instagram without user opt-in “will lead to irreparable harms” and that Meta “abused its dominant position” in the industry with the practice. The TCA also suggested that the linking exists primarily to increase the company’s “market power.”

Rather than make any changes to how Instagram and Threads integrate in the region, Meta’s pulling the nascent social media app. The company says this is merely a temporary measure as it works to appeal the injunction, but there’s no timetable for that. In the meantime, Meta suggests that users in Turkey either deactivate their accounts or delete them entirely. Those who deactivate will have their posts and interactions restored “if Threads returns” to the country.

Turkish regulators aren’t the only people who think the automatic linking between Threads and Instagram is, at best, a bit creepy. It’s been a point of contention since the platform launched last year. The apps were so tied together that users couldn’t even delete a Threads account without nuking their Instagram account, though Meta patched this several months back.

Meta also began promoting Threads posts on Facebook and Instagram without user consent, eventually allowing people to opt out of the, uh, “feature.” This is the type of automatic data-sharing that rankled the TCA, leading to the recent injunction.

Also, this isn’t the first regulatory battle between Meta and Turkey. The country fined Meta $18.6 million back in 2022 for data-sharing across its apps, according to a report by TechCrunch. This is an alleged violation of the country’s competition laws. The country asked Meta to submit documents detailing its efforts to stop violation of these laws, but Turkish regulators said the explanations were lacking. As such, the country slapped Meta with additional fines, to the tune of $160,000 each day.

This article originally appeared on Engadget at https://www.engadget.com/meta-is-shutting-down-threads-in-turkey-following-injunction-against-data-sharing-with-instagram-154725011.html?src=rss

Roku suffered another data breach, this time affecting 576,000 accounts

Roku has disclosed a second data breach in as many months. While it was looking into a previous incident in which 15,000 accounts were affected, the company learned that another 576,000 accounts had been compromised.

In both incidents, Roku believes that the attackers used a method called credential stuffing. "It is likely that login credentials used in these attacks were taken from another source, like another online account, where the affected users may have used the same credentials," the company says.

Roku added that, in fewer than 400 cases, attackers used victims' Roku accounts to buy streaming subscriptions and Roku devices using stored payment methods. However, the hackers did not gain access to full credit card numbers or other payment information.

The company has reset the passwords for all affected accounts and informed users who have been impacted. The company is also turning on two-factor authentication for its more than 80 million active accounts. The next time you log in, you'll get a verification email. You'll need to click a link in the email before you can access your account. Meanwhile, Roku says it's refunding or reversing charges in the cases where the hackers bought subscriptions or hardware.

While the impact of this latest breach doesn't seem too disastrous, it's a good reminder that you should have a strong, unique password for every single one of your accounts. A password manager makes it much easier to have robust login credentials, as you'll only need to remember one main password or log in using biometric data.

This article originally appeared on Engadget at https://www.engadget.com/roku-suffered-another-data-breach-this-time-affecting-576000-accounts-170442223.html?src=rss

DuckDuckGo unveils a $10 Privacy Pro plan with a no-log VPN

Many web browser companies offer VPNs these days, including Google, Mozilla and Opera. DuckDuckGo is the latest to join the fray, with a Privacy Pro plan that includes three services. Along with a VPN, you'll get personal information removal and identity theft restoration services for $10 per month or $100 per year. The subscription is only available in the US for now. The Privacy Pro features are built directly into the DuckDuckGo browser, so you won't need to install separate apps.

DuckDuckGo says it won't keep VPN logs in order to help maintain user privacy. As such, it says it has "no way to tie what you do while connected to the DuckDuckGo VPN to you as an individual — or to anything else you do on DuckDuckGo, like searching." DuckDuckGo is using the open-source WireGuard protocol to encrypt your traffic and route it through VPN servers. As it stands, the company has VPN servers across the US, Europe and Canada. It plans to add more over time.

One subscription will cover up to five desktop and mobile devices. Rather than using an account, you'll have a random ID that you'll need to keep safe. If you wish, you can add an email address for easier authorization across devices. Still, you won't need to hand over any personally identifiable information to DuckDuckGo — the company is using Stripe, Google Play and the Apple App Store to handle payments.

DuckDuckGo's focus on protecting user privacy extends to the personal information removal tool, which removes details such as your full name, home address and birthday from people search sites and data broker services. The details you provide during the setup process stay on your device and requests to remove your personal information start directly from your desktop (for now, you need a Windows or Mac computer to set up and manage the personal information removal tool).

DuckDuckGo says this is a first for a service of its ilk, as your details aren't stored on remote servers. To help it build the tool, DuckDuckGo bought data removal service Removaly in 2022. The personal information removal service will regularly re-scan people search sites and data brokers to see if your info pops up again so you can deal with it accordingly.

As for the identity theft restoration service, DuckDuckGo will connect you with an advisor from Iris, its partner, if your identity is stolen. The advisor will help with restoring any stolen accounts and financial losses, as well as fixing your credit report. Moreover, they can help you cancel and replace important documents such as your driver’s license, bank cards and passport. Iris can also provide you with a cash advance if you're far from home and stuck due to identity theft. 

Again, you won't have to provide any of your personal information up front. You'll only need to provide an advisor with those details if you need help after having your identity stolen.

Expanding privacy protections through these services is a logical way for DuckDuckGo to try and boost its bottom line. Privacy Pro seems reasonably priced compared to some of the alternatives too — Mozilla's personal information removal service alone costs $9 per month.

This article originally appeared on Engadget at https://www.engadget.com/duckduckgo-unveils-a-10-privacy-pro-plan-with-a-no-log-vpn-120007653.html?src=rss

ISPs roll out mandatory broadband 'nutrition' labels that show speeds, fees and data allowances

You can now ensure that you're not going to be hit by hidden fees and taxes before you sign up with an internet service provider (ISP). Starting today, big ISPs with more than 100,000 subscribers will be required to display "nutrition labels" both in store and online under a new FCC rule. Those labels have to show the companies' plans, fees and any additional costs, such as activation fees and upfront or rental fees for modems and other equipment. 

They also have to show whether a particular amount that's being advertised is an introductory or a discounted rate and how long you can enjoy that lower rate. Plus, the labels have to indicate each particular plan's download and upload speeds, as well as any early termination fee associated with it. ISPs can't hide these labels behind multiple clicks or camouflage them with other elements that make them hard to see. They have to be accessible from your customer account portal, and ISPs should give you a copy if you ask. 

The FCC first floated the idea of nutrition labels for ISPs back in 2016, but it wasn't until 2022 that it formally introduced rules requiring them to be displayed at the companies' points of sale. As you can see in the image below, it resembles the nutrition labels for food and will (theoretically and hopefully) account for every dollar you pay for a wired or wireless plan. Back when the rule was announced, FCC Chairperson Jessica Rosenworcel explained that the agency chose to approve and implement it as part of its efforts to "end the kind of unexpected fees and junk costs that can get buried in long and mind-numbingly confusing statements of terms and conditions."

Based on the FCC's website, providers with fewer than 100,000 subscribers will be given a bit more time to comply and have until October 10. And in case you come across any ISP that isn't displaying a label when it should, or is showing inaccurate information, you can file a complaint with the commission through its official portal.

This article originally appeared on Engadget at https://www.engadget.com/isps-roll-out-mandatory-broadband-nutrition-labels-that-show-speeds-fees-and-data-allowances-103832369.html?src=rss

The US and UK are teaming up to test the safety of AI models

OpenAI, Google, Anthropic and other companies developing generative AI are continuing to improve their technologies and releasing better and better large language models. In order to create a common approach for independent evaluation of the safety of those models as they come out, the UK and the US governments have signed a Memorandum of Understanding. Together, the UK's AI Safety Institute and its counterpart in the US, which was announced by Vice President Kamala Harris but has yet to begin operations, will develop suites of tests to assess the risks and ensure the safety of "the most advanced AI models."

They're planning to share technical knowledge, information and even personnel as part of the partnership, and one of their initial goals seems to be performing a joint testing exercise on a publicly accessible model. UK's science minister Michelle Donelan, who signed the agreement, told The Financial Times that they've "really got to act quickly" because they're expecting a new generation of AI models to come out over the next year. They believe those models could be "complete game-changers," and they still don't know what they could be capable of. 

According to The Times, this partnership is the first bilateral arrangement on AI safety in the world, though both the US and the UK intend to team up with other countries in the future. "AI is the defining technology of our generation. This partnership is going to accelerate both of our Institutes' work across the full spectrum of risks, whether to our national security or to our broader society," US Secretary of Commerce Gina Raimondo said. "Our partnership makes clear that we aren't running away from these concerns — we're running at them. Because of our collaboration, our Institutes will gain a better understanding of AI systems, conduct more robust evaluations, and issue more rigorous guidance."

While this particular partnership is focused on testing and evaluation, governments around the world are also conjuring regulations to keep AI tools in check. Back in March, the White House signed an executive order aiming to ensure that federal agencies are only using AI tools that "do not endanger the rights and safety of the American people." A couple of weeks before that, the European Parliament approved sweeping legislation to regulate artificial intelligence. It will ban "AI that manipulates human behavior or exploits people’s vulnerabilities," "biometric categorization systems based on sensitive characteristics," as well as the "untargeted scraping" of faces from CCTV footage and the web to create facial recognition databases. In addition, deepfakes and other AI-generated images, videos and audio will need to be clearly labeled as such under its rules. 

This article originally appeared on Engadget at https://www.engadget.com/the-us-and-uk-are-teaming-up-to-test-the-safety-of-ai-models-063002266.html?src=rss

From its start, Gmail conditioned us to trade privacy for free services

Long before Gmail became smart enough to finish your sentences, Google’s now-ubiquitous email service was buttering up the public for a fate that defined the internet age: if you’re not paying for the product, you are the product.

When Gmail was announced on April 1, 2004, its lofty promises and the timing of its release reportedly had people assuming it was a joke. It wasn’t the first web-based email provider — Hotmail and Yahoo! Mail had already been around for years — but Gmail was offering faster service, automatic conversation grouping for messages, integrated search functions and 1GB of storage, which was at the time a huge leap forward in personal cloud storage. Google in its press release boasted that a gigabyte was “more than 100 times” what its competitors offered. All of that, for free.

Except, as Gmail and countless tech companies in its wake have taught us, there’s no such thing as free. Using Gmail came with a tradeoff that’s now commonplace: You get access to its service, and in exchange, Google gets your data. Specifically, its software could scan the contents of account holders’ emails and use that information to serve them personalized ads on the site’s sidebar. For better or worse, it was a groundbreaking approach.

“Depending on your take, Gmail is either too good to be true, or it’s the height of corporate arrogance, especially coming from a company whose house motto is ‘Don’t Be Evil,’” tech journalist Paul Boutin wrote for Slate when Gmail launched. (Boutin, one of its early media testers, wrote favorably about Google’s email scanning but suggested the company implement a way for users to opt out lest they reject it entirely.)

There was immediate backlash from those who considered Gmail to be a privacy nightmare, yet it grew — and generated a lot of hype, thanks to its invite-only status in the first few years, which spurred a reselling market for Gmail invitations at upwards of $150 a pop, according to TIME. Google continued its ad-related email scanning practices for over a decade, despite the heat, carrying on through Gmail’s public rollout in 2007 and well into the 2010s, when it really started gaining traction.

And why not? If Gmail proved anything, it was that people would, for the most part, accept such terms. Or at least not care enough to read the fine-print closely. In 2012, Gmail became the world’s largest email service, with 425 million active users.

Other sites followed Google’s lead, baking similar deals into their terms of service, so people’s use of the product would automatically mean consent to data collection and specified forms of sharing. Facebook started integrating targeted ads based on its users’ online activities in 2007, and the practice has since become a pillar of social media’s success.

Things have changed a lot in recent years, though, with the rise of a more tech-savvy public and increased scrutiny from regulators. Gmail users on multiple occasions attempted to bring about class-action lawsuits over the scanning issue, and in 2017, Google finally caved. That year, the company announced that regular Gmail users’ emails would no longer be scanned for ad personalization (paid enterprise Gmail accounts already had this treatment).

Google, of course, still collects users’ data in other ways and uses the information to serve hyper-relevant ads. It still scans emails too, both for security purposes and to power some of its smart features. And the company came under fire again in 2018 after The Wall Street Journal revealed it was allowing third-party developers to trawl users’ Gmail inboxes, to which Google responded by reminding users it was within their power to grant and revoke those permissions. As CNET reporters Laura Hautala and Richard Nieva wrote then, Google’s response more or less boiled down to: “This is what you signed up for.”

Really, what users signed up for was a cutting-edge email platform that ran laps around the other services at the time, and in many ways still does. It made the privacy concerns, for some, easier to swallow. From its inception, Gmail set the bar pretty high with its suite of free features. Users could suddenly send files of up to 25MB and check their email from anywhere as long as they had access to an internet connection and a browser, since it wasn’t locked to a desktop app.

It popularized the cloud as well as the Javascript technique AJAX, Wired noted in a piece for Gmail’s 10-year anniversary. This made Gmail dynamic, allowing the inbox to automatically refresh and surface new messages without the user clicking buttons. And it more or less did away with spam, filtering out junk messages.

Still, when Gmail first launched, it was considered by many to be a huge gamble for Google — which had already established itself with its search engine. “A lot of people thought it was a very bad idea, from both a product and a strategic standpoint,” Gmail creator Paul Buchheit told TIME in 2014. “The concern was this didn’t have anything to do with web search.”

Things obviously worked out alright, and Gmail’s dominion has only strengthened. Gmail crossed the one billion user mark in 2016, and its numbers have since doubled. It’s still leading the way in email innovation, 20 years after it first went online, integrating increasingly advanced features to make the process of receiving and responding to emails (which, let’s be honest, is a dreaded daily chore for a lot of us) much easier. Gmail may eventually have changed its approach to data collection, but the precedent it set is now deeply enmeshed in the exchange of services on the internet; companies take what data they can from consumers while they can and ask for forgiveness later.

This article originally appeared on Engadget at https://www.engadget.com/from-its-start-gmail-conditioned-us-to-trade-privacy-for-free-services-120009741.html?src=rss

Microsoft unbundles Teams and Office 365 for customers worldwide

In October, Microsoft unbundled Teams from Microsoft 365 and Office 365 suites in the European Union and Switzerland to avoid potential fines. Now, the company is expanding this offering, selling Microsoft Teams separately from Microsoft 365 and Office 365 worldwide, Reuters reports. "Doing so also addresses feedback from the European Commission by providing multinational companies more flexibility when they want to standardise their purchasing across geographies," a Microsoft spokesperson told the publication.

Current users can now choose to keep their current deal or switch to one of the separate offerings — especially helpful for anyone who uses the Office suite but prefers another communication service like Zoom or Google Meet. Commercial customers new to Microsoft's offerings can pick up Teams on its own for $5.25, while Office sans Teams is going for anywhere from $7.75 to $54.75.

Microsoft's journey to unbundling Teams and Office started in 2020 when Slack filed an antitrust complaint with the EU. The now Salesforce-owned company alleged that it was illegal to include Teams in the Office suite and that Microsoft was blocking customers from removing the chat platform. The European Commission has subsequently been investigating this matter, with Microsoft announcing in April 2023 that it would separate Teams from Microsoft 365 and Office 365. Though the move went into effect last fall, Microsoft is still at risk of owing the EU a hefty fine if found to have broken antitrust laws.

This article originally appeared on Engadget at https://www.engadget.com/microsoft-unbundles-teams-and-office-365-for-customers-worldwide-111031996.html?src=rss

AT&T resets millions of customers’ passcodes after account info was leaked on the dark web

AT&T says 7.6 million current customers were affected by a recent leak in which sensitive data was released on the dark web, along with 65.4 million former account holders. TechCrunch first reported on Saturday morning that the company has reset the passcodes of all affected active accounts, and AT&T confirmed the move in an update published on its support page. The data set, which AT&T says “appears to be from 2019 or earlier,” includes names, home addresses, phone numbers, dates of birth and Social Security numbers, according to TechCrunch.

TechCrunch reports that it alerted AT&T about the potential for the leaked data to be used to access customers’ accounts on Monday, after a security researcher discovered that the records included easily decipherable encrypted passcodes. AT&T has since said that it’s launched an investigation into the issue, but so far “does not have evidence of unauthorized access to its systems resulting in exfiltration of the data set.” The data appeared on the dark web about two weeks ago, according to AT&T.

It comes three years after a hacker known as ShinyHunters claimed in 2021 that they’d obtained the account data of 73 million AT&T customers. AT&T at the time told BleepingComputer that it had not suffered a breach and that samples of information shared by the hacker online did “not appear to have come from our systems.” The company now says that “it is not yet known whether the data in those fields originated from AT&T or one of its vendors.”

AT&T says it is working with cybersecurity experts and will reach out to both current and former account holders who have been affected by the leak. The company also says it will offer credit monitoring to those customers “where applicable.”

This article originally appeared on Engadget at https://www.engadget.com/att-resets-millions-of-customers-passcodes-after-account-info-was-leaked-on-the-dark-web-160842651.html?src=rss