Posts with «politics & government» label

Police are using pharmacies to secretly access medical information about members of the public

A Senate Finance Committee inquiry revealed on Tuesday that police departments can get access to private medical information from pharmacies, no warrant needed. While HIPAA may protect some access to personally identifiable health data, it doesn't stop cops, according to a letter from Senator Ron Wyden, Representative Pramila Jayapal and Representative Sara Jacobs to the Department of Health and Human Services. None of the major US pharmacies are doing anything about it, either, the members of Congress say. 

"All of the pharmacies surveyed stated that they do not require a warrant prior to sharing pharmacy records with law enforcement agents, unless there is a state law that dictates otherwise," the letter said. "Those pharmacies will turn medical records over in response to a mere subpoena, which often do not have to be reviewed or signed by a judge prior to being issued."

The committee reached out to Amazon, Cigna, CVS Health, The Kroger Company, Optum Rx, Rite Aid Corporation, Walgreens Boots Alliance and Walmart about their practices for sharing medical data with police. While Amazon, Cigna, Optum, Walmart and Walgreens said they have law enforcement requests reviewed by legal professionals before complying, CVS Health, The Kroger Company and Rite Aid Corporation said they ask in-store staff to process the request immediately. Engadget reached out to the pharmacies mentioned in the letter about the claims. CVS said its pharmacy staff are trained to handle these inquiries and it's following all applicable laws around the issue. Walgreens said it has a process in place to assess law enforcement requests compliant with those laws, too, and Amazon said while the law enforcement requests are rare, it does notify patients and comply with court orders when applicable. The others either haven't responded or refuse to comment.

The pharmacies mostly blamed the current lack of legislative protections for patient data for their willingness to comply with cop requests. Most of them told the committee that current HIPAA law and other policies let them disclose medical records in response to certain legal requests. That's why the Senate Finance Committee is targeting HHS to strengthen these protections, especially since the 2023 Dobbs decision let states criminalize certain reproductive health decisions. 

Under current HIPAA law, patients have the right to know who is accessing their health information. But individuals have to request the medical record disclosure data, instead of health care professionals being required to share it proactively. "Consequently, few people ever request such information, even though many would obviously be concerned to learn about disclosures of their private medical records to law enforcement agencies," the letter states. The letter also urges pharmacies to change their policies to require a warrant, and publish transparency reports about how data is shared. 

This article originally appeared on Engadget at https://www.engadget.com/police-are-using-pharmacies-to-secretly-access-medical-information-about-members-of-the-public-182009044.html?src=rss

TikTok ban in Montana blocked by US judge over free speech rights

Montana's unprecedented state-wide ban of Chinese short-video app, TikTok, was supposed to take effect on January 1, 2024, but as reported by Reuters, US District Judge Donald Molloy issued a preliminary injunction just one month ahead to block said ban. This means that for now, ByteDance and app stores are allowed to continue serving TikTok to users within Montana, without being fined $10,000 daily from the start date of the ban.

The judge was quoted saying the ban "oversteps state power and infringes on the constitutional rights of users" — echoing the legal challenge filed by five TikTok creators on the day after the bill was signed back in May, as well as another lawsuit filed by the platform's owner, ByteDance, later on in the same month. It was also questionable as to whether Google and Apple could have effectively enforced such a state-wide ban on their app stores.  

The relevant bill was originally drafted based on claims that this Chinese app would share US users' personal data with the Chinese government, which ByteDance had long denied since the presidency of Donald Trump. "TikTok US user data is stored in the US, with strict controls on employee access," the company claimed back in August 2020 — and again via a new "transparency" push earlier this year, with reference to "Project Texas" for safeguarding US user data with help from Oracle.

To date, no other US state had passed a bill to bar TikTok. The outcome of Montana's case may hold the key to this Chinese app's fate across the rest of the country.

This article originally appeared on Engadget at https://www.engadget.com/tiktok-ban-in-montana-blocked-by-us-judge-over-free-speech-rights-011846138.html?src=rss

Bipartisan Senate bill would kill the TSA’s ‘Big Brother’ airport facial recognition

US Senators John Kennedy (R-LA) and Jeff Merkley (D-OR) introduced a bipartisan bill Wednesday to end involuntary facial recognition screening at airports. The Traveler Privacy Protection Act would block the Transportation Security Administration (TSA) from continuing or expanding its facial recognition tech program. It would also require the government agency to explicitly receive congressional permission to renew it, and it would have to dispose of all biometric data within three months.

Senator Merkley described the TSA’s biometric collection practices as the first steps toward an Orwellian nightmare. “The TSA program is a precursor to a full-blown national surveillance state,” Merkley wrote in a news release. “Nothing could be more damaging to our national values of privacy and freedom. No government should be trusted with this power.” Other Senators supporting the bill include Edward J. Markey (D-MA), Roger Marshall (R-KS), Bernie Sanders (I-VT) and Elizabeth Warren (D-MA).

The TSA began testing facial recognition at Los Angeles International Airport (LAX) in 2018. The agency’s pitch to travelers framed it as an exciting new high-tech feature, promising a “biometrically-enabled curb-to-gate passenger experience.” The TSA said this summer it planned to expand the program to over 430 US airports within the next few years.

I was back at Washington National Airport this month, and @TSA was up to their old tricks—making it unclear that you ARE able to opt out of using facial recognition technology. I’ll keep holding them accountable. pic.twitter.com/absGn5v1Q3

— Senator Jeff Merkley (@SenJeffMerkley) September 25, 2023

The program at least technically allows travelers to opt out, but that process isn’t always transparent in practice. Merkley posted the video above to X in September, demonstrating how agents guided travelers to the facial scanner without mentioning that it’s optional. No signs near the booths said it was optional or explicitly mentioned the gathering of facial data, either. The booths were arranged so that flyers would have difficulty entering their driver’s license or ID (required) without stepping in front of the facial scanner.

Advocacy groups supporting the bill include the ACLU, Electronic Privacy Information Center and Public Citizen. “The privacy risks and discriminatory impact of facial recognition are real, and the government’s use of our faces as IDs poses a serious threat to our democracy,” wrote Jeramie Scott, Senior Counsel and Director of EPIC’s Project on Surveillance Oversight, in Merkley’s press release. “The TSA should not be allowed to unilaterally subject millions of travelers to this dangerous technology.”

“Every day, TSA scans thousands of Americans’ faces without their permission and without making it clear that travelers can opt out of the invasive screening,” Sen. Kennedy wrote in a separate news release. “The Traveler Privacy Protection Act would protect every American from Big Brother’s intrusion by ending the facial recognition program.”

This article originally appeared on Engadget at https://www.engadget.com/bipartisan-senate-bill-would-kill-the-tsas-big-brother-airport-facial-recognition-191010937.html?src=rss

The US government is no longer briefing Meta about foreign influence campaigns

As Meta gears up for the 2024 election, the company is grappling with a new challenge that could slow its efforts to combat foreign attempts at election interference. US government agencies have stopped sharing information with the company’s security researchers about covert influence operations on its platform.

Meta says that as of July, the government has “paused” briefings related to foreign election interference, eliminating a key source of information for the company. During a call with reporters, Meta’s head of security policy, Nathaniel Gleicher, declined to speculate on the government’s motivations, but the timing lines up with a court order earlier this year that restricted the Biden Administration’s contacts with social media firms.

The order, the result of two states’ attempts to limit platforms' ability to remove misinformation, is currently suspended while the Supreme Court considers the case. But government agencies, like CISA (the Cybersecurity and Infrastructure Agency) and the FBI, have apparently opted to keep the “pause” in place.

Gleicher noted that government contacts aren’t Meta’s only source of information, and that the company continues to work with industry researchers and other civil society groups. But he acknowledged that government officials can be best-placed to advise on certain kinds of threats, like those that are coordinated on other platforms. “We have seen that particularly-sophisticated threat actors, like nation states, engaged in foreign interference… there are times when government has the capability to identify these campaigns that other players may not,” he said.

Meta’s researchers regularly share details about networks of fake accounts it catches boosting foreign propaganda and conducting other kinds of influence campaigns, what the company calls “coordinated inauthentic behavior” or CIB. And while most of its takedowns don’t come as a result of government tips, the company has relied on them in detecting CIB targeting US politics. Meta acted on three separate FBI tips about fake accounts from Russia, Iran and Mexico ahead of the 2020 presidential election.

Law enforcement officials have also expressed concern about the lack of coordination with social media platforms. The FBI previously told the House Judiciary Committee that it had “discovered foreign influence campaigns on social media platforms but in some cases did not inform the companies about them because they were hamstrung by the new legal oversight,” NBC News reported, citing congressional sources.

Meta’s latest comments are the first time the company has publicly confirmed that it is no longer receiving tips about election interference. The disclosure comes as the company ramps up its efforts to prepare for multiple elections in 2024, and the inevitable attempts to manipulate political conversations on Facebook. The company said in its latest report on CIB that China is now the third-most common source of coordinated inauthentic behavior on its platform, behind Russia and Iran.

This article originally appeared on Engadget at https://www.engadget.com/the-us-government-is-no-longer-briefing-meta-about-foreign-influence-campaigns-130019156.html?src=rss

Google won't block news links in Canada after all

It seems Google won't block news links in Canada in response to new legislation after all. The company pledged earlier this year to pull links to Canadian news stories from Search, News and Discover when the country's Online News Act (Bill C-18) takes effect in December. However, according to the CBC, Google has reached a deal with the country's government that will see it continuing to serve users there with Canadian news.

Google is said to have agreed to pay news publishers in Canada around $100 million CAD per year. That's significantly less than the government's previous estimate that Google's annual payments should be around $172 million. The $100 million figure is in line with Google's own estimates of how much it should pay. 

The company will still need to sign an agreement with the media after negotiations. Google had demurred over a mandatory negotiation model that would have seen it hold talks with media organizations. Instead, the CBC reports that Google will only need to negotiate with a representative group, which is said to limit the company's risk of arbitration.

Google's arrangement with the government will be factored into the Bill C-18 legislative framework, which must be finalized by the middle of December. Engadget has asked Google for comment.

Although Google said in June that it would remove links to Canadian news stories from several of its key services, it hadn't followed through on that threat as yet. Meta, on the other hand, has blocked Canadian news links on Facebook and Instagram since June. According to the CBC, Meta has not returned to the negotiating table with the government. Google and Meta are the only companies that meet Bill C-18's legislative criteria.

This article originally appeared on Engadget at https://www.engadget.com/google-wont-block-news-links-in-canada-after-all-180258909.html?src=rss

Self-proclaimed 'gay furry hackers' breach nuclear lab

Nuclear research hub, the Idaho National Laboratory (INL), confirmed that it fell victim to a data breach on Tuesday. SiegedSec, a group of self-proclaimed "gay furry hackers," took responsibility for the attack and claimed they accessed sensitive employee data like social security numbers, home addresses and more.

"We're willing to make a deal with INL. If they research creating irl catgirls we will take down this post," SiegedSec wrote in a post announcing the leak on Monday. 

The hacktivist group SiegedSec conducted a high profile attack on NATO last month, leaking internal documents as a retaliation against those countries for their attacks on human rights. The group commonly attacks government and affiliated organizations for political reasons, like targeting state governments for passing anti-trans legislation earlier this year.

While INL hasn't responded to our request for comment yet, a spokesperson confirmed the breach to EastIdahoNews.com. "Idaho National Laboratory determined that it was the target of a cybersecurity data breach, affecting the servers supporting its Oracle HCM system, which supports its Human Resources applications," the INL spokesperson said. The lab said it has reached out to authorities for help on how to proceed as it determines how to handle the breach. 

INL works as a Department of Energy affiliate researching nuclear reactors, among other projects like sustainable energy. It employs more than 5,000 people. 

This article originally appeared on Engadget at https://www.engadget.com/self-proclaimed-gay-furry-hackers-breach-nuclear-lab-152034192.html?src=rss

US Senator calls for the public release of AT&T ‘Hemisphere’ surveillance records

US Senator Ron Wyden wants the public to know about the details surrounding the long-running Hemisphere phone surveillance program. Wyden has written US Attorney General Merrick Garland a letter (PDF), asking him to release additional information about the project that apparently gives law enforcement agencies access to trillions of domestic phone records. In addition, he said that federal, state, local and Tribal law enforcement agencies have the ability to request "often-warrantless searches" from the project's phone records that AT&T has been collecting since 1987. 

The Hemisphere project first came to light in 2013 when The New York Times reported that the White House Office of National Drug Control Policy (ONDCP) was paying AT&T to mine and keep records of its customers' phone calls. Four billion new records are getting added to its database every day, and a federal or state law enforcement agency can request a query with a subpoena that they can issue themselves. Any law enforcement officer can send in a request to a single AT&T analyst based in Atlanta, Georgia, Wyden's letter says, even if they're seeking information that's not related to any drug case. And apparently, they can use Hemisphere not just to identify a specific number, but to identify the target's alternate numbers, to obtain location data and to look up the phone records of everyone who's been in communication with the target. 

The project has been defunded and refunded by the government several times over the past decade and was even, at one point, receiving federal funding under the name "Data Analytical Services (DAS)." Usually, projects funded by federal agencies would be subject to a mandatory Privacy Impact Assessment conducted by the Department of Justice, which means their records would be made public. 

However, Hemisphere's funding passes through a middleman, so it's not required to go through mandatory assessment. To be specific, ONDCP funds the program through the Houston High Intensity Drug Trafficking Area, which is a regional funding organization that distributes federal anti-drug law grants and is governed by a board made up of federal, state and local law enforcement officials. The DOJ had provided Wyden's office with "dozens of pages of material" related to the project in 2019, but they had been labeled "Law Enforcement Sensitive" and cannot be released to the public. 

"I have serious concerns about the legality of this surveillance program, and the materials provided by the DOJ contain troubling information that would justifiably outrage many Americans and other members of Congress," Wyden wrote in his letter. "While I have long defended the government’s need to protect classified sources and methods, this surveillance program is not classified and its existence has already been acknowledged by the DOJ in federal court. The public interest in an informed debate about government surveillance far outweighs the need to keep this information secret."

This article originally appeared on Engadget at https://www.engadget.com/us-senator-calls-for-the-public-release-of-att-hemisphere-surveillance-records-083627787.html?src=rss

The FCC will crack down on ISPs to improve connectivity in poorer areas

The Federal Communications Commission (FCC) is keeping a close eye on internet providers to make sure they provide Americans with equal access to broadband services regardless of customers' "income level, race, ethnicity, color, religion or national origin." Two years after the Bipartisan Infrastructure Law became official, the FCC has adopted (PDF) a final set of relevant rules to enforce. 

The Commission will have the power to investigate possible instances of "digital discrimination" under the new rules and could penalize providers for violating them. It could, for instance, look into a company's pricing, network upgrades and maintenance procedures to decide whether a provider is keeping an affluent area well-maintained while failing to provide the same level of service to a low-income area. As The Wall Street Journal explains, it could even hold companies like AT&T and Comcast liable even if they weren't intentionally discriminatory, as long as their actions "differentially impact consumers' access to broadband." If the FCC does receive complaints against a particular provider, though, it will take into account any technical and economic challenges it may be facing that prevent it from providing equal access to its services.

According to The Journal, the FCC approved the new rules in a 3-2 vote. Their critics — mainly internet providers and Republican members of Congress — argued that the decision could affect investments and that the commission is taking things too far by penalizing unintentional discrimination. But FCC Chairwoman Jessica Rosenworcel found the rules to be reasonable, especially since the agency will "accept genuine reasons of technical and economic feasibility as valid reasons."

In addition to adopting a set of rules for digital discrimination, the FCC has also updated its protections against SIM swapping and port-out scams (PDF). It will now require wireless providers to notify customers immediately when a SIM change or a port-out is requested for their account and phone number. Further, providers are required to take additional steps to protect their subscribers from the schemes. Finally, the FCC has voted to begin a formal inquiry (PDF) to look into the impact of artificial intelligence on robocalls. It could, after all, be used to block unwanted voice and text messages, but it could also be used to more easily defraud people through calls and texts. 

This article originally appeared on Engadget at https://www.engadget.com/the-fcc-will-crack-down-on-isps-to-improve-connectivity-in-poorer-areas-125041256.html?src=rss

Lawmakers question Apple over cancellation of Jon Stewart's show

A group of lawmakers from a House of Representatives committee wants Apple, like many Jon Stewart enthusiasts, to explain why its streaming arm abruptly canceled the talk show The Problem With Jon Stewart. The current affairs TV series hosted by Jon Stewart briefly made its debut on Apple TV+ in 2021 but its time on air ended when the show received the ax for a third season, reportedly due to “disagreements” over show topics.

According to Reuters, lawmakers want to know if the show's coverage and criticism of China has anything to do with the show’s cancellation. The government officials have asked Apple to speak on the issue by Dec 15, 2023.

In a letter to the tech giant, the House members wrote that while Apple has the right to determine what content it deems appropriate for its platform, “the coercive tactics of a foreign power should not be directly or indirectly influencing these determinations.” This effort is bipartisan, with members from both Republican and Democratic parties affiliated with the House of Representatives' Select Committee on Competition with the Chinese Communist Party.

“As China is to America, Texas is to Illinois” - @JonStewart on how corporations pit states against each other to offer the fewest worker protections and biggest tax incentives. pic.twitter.com/q6L1lSjoPx

— The Problem With Jon Stewart (@TheProblem) July 27, 2023

Roughly 19 percent of Apple sales come from China, with over $72.5 billion in net sales reported for the company’s fiscal 2023, which closed in September. It might make sense that the company would avoid streaming a show with strong political opinions that could impact its bottom line in such a significant way. But the show discussed several hot-button topics, including artificial intelligence and gun control. According to the New York Times, sources familiar with the matter said that, beyond discussions about China, the show’s criticism of topics like artificial intelligence played a role in the decision to cut the show.

This article originally appeared on Engadget at https://www.engadget.com/lawmakers-question-apple-over-cancellation-of-jon-stewarts-show-192316298.html?src=rss

Basically all of Maine had data stolen by a ransomware gang

The state agencies of Maine had fallen victim to cybercriminals who exploited a vulnerability in the MOVEit file transfer tool, making them the latest addition to the growing list of entities affected by the massive hack involving the software. In a notice the government has published about the cybersecurity incident, it said the event impacted approximately 1.3 million individuals, which basically make up the state's whole population. The state first caught wind of the software vulnerability in MOVEit on May 31 this year and found that cybercriminals were able to access and download files from its various agencies on May 28 and 29. 

While the nature of stolen data varies per person based on their interaction with a particular agency, the notice says that the bad actors had stolen names, Social Security numbers, birthdates, driver's license and state identification numbers, as well as taxpayer identification numbers. In some cases, they were also able to get away with people's medical and health insurance information. Over 50 percent of the stolen data came from the Maine Department of Health and Human Services, followed by the Maine Department of Education.

The state government had blocked internet access to and from the MOVEit server as soon as it became aware of the incident. However, since the cybercriminals were already able to steal residents' information, it's also offering two years of complimentary credit monitoring and identity theft protection services to people whose SSNs and taxpayer numbers were compromised. As TechCrunch notes, the Clop ransomware gang, which is believed to be behind previously reported incidents, has yet to release data stolen from Maine's agencies.

Clop took credit for an earlier New York City Department of Education hack, wherein the information of approximately 45,000 students was stolen. Cybercriminals exploiting the vulnerability haven't only been targeting the government, though, but also companies around the world. Sony is one of them. There's also Maximus Health Services, Inc, a US government contractor, whose breach has been the biggest MOVEit-related incident, so far. 

The Securities and Exchange Commission is already investigating MOVEit creator Progress Software, though it only just sent the company a subpoena in October and is still in the "fact-finding inquiry" phase of its probe. 

This article originally appeared on Engadget at https://www.engadget.com/basically-all-of-maine-had-data-stolen-by-a-ransomware-gang-061407794.html?src=rss