Spotlight7573

@Spotlight7573@lemmy.world
6 Posts – 201 Comments
Joined 1 year ago

Looking at it most favorably, if they ever want to not be dependent on Google, they need revenue to replace what they get from Google and like it or not much of the money online comes from advertising. If they can find a way to get that money without being totally invasive on privacy, that's still better than their current position.

The best response that I've seen to this so far is this video of a former student speaking to the school board:

Bridget, our first ever interaction was when you retweeted a hate article about me from The Nationalist while I was a Sarasota County school student. You are a reminder that some people view politics as a service to others while some view it as an opportunity for themselves. On this board you have spent public funds that could have been used to increase teacher pay to change our district lines for political gain, remove books from schools, target trans and queer children, erase black history, and elevate your political career, all while sending your children to private schools because you do not believe in the public school system that you've been leading. My question is why doesn't an elected official using our money to harm our students and our teachers for her gain seem to matter as much for us as her having a threesome does? Bridget Ziegler, you do not deserve to be on the Sarasota County School Board but you do not deserve to be removed from it for having a threesome. That defeats the lesson we've been trying to teach you which is that a politician's job is to serve their community, not to police personal lives. So, to be extra clear: Bridget, you deserve to be fired from your job because you are terrible at your job, not because you had sex with a woman.

Closest to the original source I can find (referenced in numerous news articles): https://www.tiktok.com/@queenofhives/video/7313654227564383530

You also know that all votes are technically public and can be viewed by any instance admin that's federated with the server a community is on, right? There's no way to see that in the Lemmy UI at the moment but the data is there on the server.

Ah yes, MacRumors falsely reporting... Apple's own statements, right...:

Previously: https://web.archive.org/web/20240216001557/https://developer.apple.com/support/dma-and-apps-in-the-eu/

Why don’t users in the EU have access to Home Screen web apps?

To comply with the Digital Markets Act, Apple has done an enormous amount of engineering work to add new functionality and capabilities for developers and users in the European Union — including more than 600 new APIs and a wide range of developer tools.

The iOS system has traditionally provided support for Home Screen web apps by building directly on WebKit and its security architecture. That integration means Home Screen web apps are managed to align with the security and privacy model for native apps on iOS, including isolation of storage and enforcement of system prompts to access privacy impacting capabilities on a per-site basis.

Without this type of isolation and enforcement, malicious web apps could read data from other web apps and recapture their permissions to gain access to a user’s camera, microphone or location without a user’s consent. Browsers also could install web apps on the system without a user’s awareness and consent. Addressing the complex security and privacy concerns associated with web apps using alternative browser engines would require building an entirely new integration architecture that does not currently exist in iOS and was not practical to undertake given the other demands of the DMA and the very low user adoption of Home Screen web apps. And so, to comply with the DMA’s requirements, we had to remove the Home Screen web apps feature in the EU.

EU users will be able to continue accessing websites directly from their Home Screen through a bookmark with minimal impact to their functionality. We expect this change to affect a small number of users. Still, we regret any impact this change — that was made as part of the work to comply with the DMA — may have on developers of Home Screen web apps and our users.

Now: https://developer.apple.com/support/dma-and-apps-in-the-eu/

Why don’t users in the EU have access to Home Screen web apps?

UPDATE: Previously, Apple announced plans to remove the Home Screen web apps capability in the EU as part of our efforts to comply with the DMA. The need to remove the capability was informed by the complex security and privacy concerns associated with web apps to support alternative browser engines that would require building a new integration architecture that does not currently exist in iOS.

We have received requests to continue to offer support for Home Screen web apps in iOS, therefore we will continue to offer the existing Home Screen web apps capability in the EU. This support means Home Screen web apps continue to be built directly on WebKit and its security architecture, and align with the security and privacy model for native apps on iOS.

Developers and users who may have been impacted by the removal of Home Screen web apps in the beta release of iOS in the EU can expect the return of the existing functionality for Home Screen web apps with the availability of iOS 17.4 in early March.

The names are public. Per Georgia Code Title 17. Criminal Procedure § 17-7-54 it looks like they're spelled out as part of the standard form that indictments take. Addresses aren't that hard to get once you know the name.

Currently being investigated by browser makers but not something they can just do on their own like Signal.

Here's Chromium's current proposal that they're testing:

https://blog.chromium.org/2023/08/protecting-chrome-traffic-with-hybrid.html

For me it's not bootlicking but recognizing that IA made a huge unforced error that may cost us all not just that digital lending program but stuff like the Wayback Machine and all the other good projects the IA runs.

That's likely what they want. If you're not viewing their ads and your third-party app is even blocking all the tracking, then you are not providing any value to them to keep you as a 'customer'. All it does is reduce their hosting and serving costs when you're blocked or when you eventually stop using it.

Doesn't necessarily need to be anyone with a lot of money, just a lot of people mass reporting things combined with automated systems.

As for what these were, they are modified versions of the official YouTube app. What has been taken down is the full modified app files (.ipa) ready to install on an iPhone, not the source code to the tweaks that are in the repos.

These modifications do things like replicate the paid YouTube Premium features, from the uYou features list for example:

  • Ad-Free Browsing: Bid farewell to interruptions and enjoy seamless video playback without annoying advertisements.
  • Background Playback: Keep your favorite videos running in the background while you multitask or lock your device.
  • Video and Audio Downloads: Download videos, shorts, and audio tracks in various formats, including MP4 and WebM, for offline viewing and listening pleasure.
  • [...]

You can see why Google would want to have them taken down. They aren't even a re-implementation with their own code/UI like NewPipe.

They're downplaying their responsibility and the problem while taking a negative tone about the white hat (bold added):

https://www.cuinsight.com/press-release/cu-solutions-group-issues-statement-on-recent-crm-vulnerability/

CUSG was notified of this vulnerability by Jeremiah Fowler, a self-acclaimed “researcher” who appears to access corporate systems to expose vulnerabilities, then notifies the organizations regarding their exposure. At least in the case of this incident, he also requested a “bounty” to help fund his research, and then published the information in his blog which was later picked up by a specialized publication called, “HACK READ.” These posts can then be google-searched by other parties including media outlets. CUSG did not agree to pay the requested “bounty.”

CUSG was in the process of gathering information and preparing a client communication when news of this publication broke. Nowhere in the article is an actual breach alleged. In fact, after exaggerating the incident to readers in an effort to sell their products, even the HACK READ article and Mr. Fowler’s personal blog post point out that the identified vulnerability was secured and rectified “on the same day.” [...] In his Website Planet blog, Mr. Fowler has done similar “research/publication” work regarding scores of companies including Software Projects, Australian travel agency Inspiring Vacations, the America Family Law Center, Redcliffe Labs, Deutsche Bank, retailer Hendel Hogar, and numerous others. Again, the motivation seems to be to raise awareness, but also to benefit Mr. Fowler personally in his career as a researcher, writer, and speaker.

CUSG CEO Dave Adams, summarized this incident this way: “While researchers like Mr. Fowler can help remind us of the importance of good data security, the publication of his findings in ways that potentially disparage corporate brands, create a customer “call to action”, and exaggerate the facts is clearly irresponsible and could place him and others at legal risk if their hacked data ends up being mishandled.

And of course, the obligatory 'we have an excellent security team, everyone faces threats, you can't blame us':

Continuing, Adams expressed confidence in CUSG’s Internal Technology security: “For over 30 years, CUSG has operated with the same experienced technology team and leadership that has a stellar reputation for managing IT security on behalf of its stakeholders. While all companies are exposed to the ever-growing threats of cyber-security, and ransomware, CUSG’s team constantly monitors vulnerabilities and makes corrections immediately as needed and then reports to stakeholders with transparency.”

Basically the standard "we take security seriously":

https://www.troyhunt.com/we-take-security-seriously-otherwise/

“We take security seriously”, otherwise known as “We didn’t take it seriously enough”

You mean a lawsuit like the one about the "Great 78 Project" by the music companies or maybe the one about the "National Emergency Library" by the book publishers?

I think you're right that we need to start working on alternatives, hopefully something decentralized. The Wayback Machine would be an irreplaceable loss though if the data isn't preserved somehow.

It should never have gotten to the external feedback stage because internal feedback should have been sufficient to kill the idea before it even got a name due to it being such a security and privacy risk. The fact that it didn't is worrying from a management perspective.

To be more accurate: Mozilla does plan on deprecating MV2 once they have all of the MV3 stuff supported and sufficient time to transition has been given, but they will make the crucial "webRequestBlocking" API used by ad blockers available on MV3 (unlike Chrome) for those extensions that need it to do more than declarativeNetRequest allows for.

See: https://blog.mozilla.org/addons/2022/11/17/manifest-v3-signing-available-november-21-on-firefox-nightly/

Towards the end of 2023 — once we’ve had time to evaluate and assess MV3’s rollout (including identifying important MV2 use cases that will persist into MV3) — we’ll decide on an appropriate timeframe to deprecate MV2.

To protect against casual theft of a device causing the data to be in the thief's hands in addition to the actual device.

The average person unfortunately is not likely to properly backup their encryption keys so if they forget their password (or don't use one and rely on the default of just TPM), they'll complain about losing their data. Having the key backed up gives them a way to get their data back in non-theft situations.

https://blog.mozilla.org/addons/2024/05/14/manifest-v3-updates/

We also wanted to take this opportunity to address a couple common questions we’ve been seeing in the community, specifically around the webRequest API and MV2:

  1. The webRequest API is not on a deprecation path in Firefox
  2. Mozilla has no current plans to deprecate MV2 as mentioned in our previous MV3 update

That said, I believe Firefox users have gotten a lot of benefits by having extensions made that work in both Firefox and Chromium-based browsers. I don't believe there will still be as much effort for a Firefox-only extension but I believe there will be a sufficient number of motivated users and developers to still develop blockers and other extensions that take advantage of Firefox continuing to support MV2 and webRequest.

That's one of my main problems with Microsoft at this point. They can make improvements to the underlying technologies (WSL, better security sandboxing, FDE by default on supported hardware, etc) and develop actually decent software (Edge) but then they keep doing things to piss off the users like forced online account logins, the mess they made of the default app selection going from 10 to 11, pre-installed junk, and now this. They just need to get out of their own way and focus on making decent products: ones people want to use, instead of ones they're coerced to use.

It also doesn't help housing prices that the landlords are colluding to raise prices:

https://www.ftc.gov/business-guidance/blog/2024/03/price-fixing-algorithm-still-price-fixing

It isn't just Airbnb's fault, it's landlords wanting to maximize their return, no matter the method (short-term rentals or price fixing collusion).

It was just for the EU, because they didn't want to add a whole framework and support for third-party browser engines to act as home screen web apps. Now they'll continue to offer those based on WebKit everywhere.

The ability to easily link to a specific post or comment in a way that works across instances/clients, like you can with communities.

Not too surprising. I'm not sure I've actually seen anyone adopt their new ad technologies yet and nothing is listed in my browser. If their competition hasn't adopted it but they have, it's definitely anti-competitive for the ad market if they just shut off third-party cookies and only affect other companies (which seems to be what's delaying it with the UK's CMA).

I feel like even if it was open-source, it would still be too big of a target for malware and data exfiltration to ever be justified for most people.

Third party doctrine for one: the data held by third parties has no expectation of privacy, even if it's about you.

From Wikipedia:

The third-party doctrine is a United States legal doctrine that holds that people who voluntarily give information to third parties—such as banks, phone companies, internet service providers (ISPs), and e-mail servers—have "no reasonable expectation of privacy" in that information. A lack of privacy protection allows the United States government to obtain information from third parties without a legal warrant and without otherwise complying with the Fourth Amendment prohibition against search and seizure without probable cause and a judicial search warrant.

Basically the government's argument: if you wanted it to remain private, you wouldn't have given it to someone else.

In reality, it's an area of law that desperately needs to be updated.

It's probably overkill for most people but I would love to have a system that lets me choose what combination of factors together work to login rather than just 'password and something else'. Something like A,B,C are on the account and you can use A+B or B+C to login. It'd be great for those who don't necessarily want to trust SMS-based one-time passwords (due to SIM swapping, theft, etc) if we could require something else along with it.

That said, the way passkeys are typically used satisfies multiple factors at once:

Password to unlock your password database that stores your passkey: something you know, the password + something you have, the database

Biometric to unlock your phone that has your passkey: something you are, fingerprint or face + something you have, the phone

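The combination-based login rule described in the comment above (A+B or B+C rather than "password plus something else"), as an added example in Node.js that is not code from the comment or from any real identity provider. The factor names, their categories and the sample policy are assumptions for illustration; the passkey entry reflects the point that a passkey unlocked by a device PIN or biometric covers two categories at once.

```javascript
// Added example, not code from the comment above: a login policy that
// accepts explicit factor combinations instead of "password plus anything".
// Factor names, categories and the policy itself are assumptions.

// Which authentication categories each factor covers. A passkey unlocked
// by a device PIN/biometric counts for two at once.
const CATEGORIES = {
  password: ['knowledge'],
  totp: ['possession'],                 // authenticator app on a device
  sms_otp: ['possession'],              // weak: SIM swapping, phone theft
  security_key: ['possession'],
  passkey: ['possession', 'knowledge'], // the device plus what unlocks it
};

// Per-account policy: every combination listed must be satisfied in full.
const accountPolicy = {
  enrolled: ['password', 'totp', 'sms_otp', 'passkey'],
  allowed: [
    ['password', 'totp'],
    ['password', 'totp', 'sms_otp'], // SMS only ever as a third factor
    ['passkey'],
  ],
};

function categoriesOf(combo) {
  return new Set(combo.flatMap((f) => CATEGORIES[f] || []));
}

// Lint the policy before trusting it: unknown or unenrolled factors,
// combinations that stay inside one category, and SMS paired with only
// one other factor are all reported as problems.
function validatePolicy(policy) {
  const problems = [];
  for (const combo of policy.allowed) {
    const label = combo.join('+');
    for (const f of combo) {
      if (!CATEGORIES[f]) problems.push(`unknown factor "${f}" in ${label}`);
      else if (!policy.enrolled.includes(f)) problems.push(`"${f}" not enrolled but used in ${label}`);
    }
    if (categoriesOf(combo).size < 2) problems.push(`${label} spans only one category`);
    if (combo.includes('sms_otp') && combo.length < 3) problems.push(`${label} relies on SMS as one of two factors`);
  }
  return problems;
}

// verified: factor names the server has already checked in this session.
// Returns the first allowed combination that is fully covered, or null.
function evaluateLogin(policy, verified) {
  const problems = validatePolicy(policy);
  if (problems.length) throw new Error(`invalid policy: ${problems.join('; ')}`);
  const have = new Set(verified);
  return policy.allowed.find((combo) => combo.every((f) => have.has(f))) || null;
}
```

With this policy, a password alone or password plus SMS code fails, password plus TOTP succeeds, and a passkey on its own succeeds because it already spans two categories. Validating the policy before evaluating it is what keeps an administrator from quietly adding a "SMS code alone" path later.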
Vizio makes twice as much profit from those ads and tracking services than the actual TVs:

https://www.theverge.com/2021/11/10/22773073/vizio-acr-advertising-inscape-data-privacy-q3-2021

It's not that they need to know that to provide a potential answer, it's that they want to know that before they decide to help you bypass a filter.

It does if you just type in something like wikipedia.org. This most recent change they're working on is so that a link on a page to:

http://wikipedia.org will get redirected to https://wikipedia.org if the site supports it.

This will fix a bunch of old links that are still floating around on various sites, forums, etc and keep people on https, instead of doing the https -> http -> https redirect bouncing around that can happen now.

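The link-upgrade decision described in the comment above, as an added example in Node.js that is not code from the comment or from any browser. The "known HTTPS hosts" set and the probe callback are assumptions standing in for the browser's own upgrade list and network check; the exclusions for localhost, IP literals and explicit ports are the kind of caveat such logic needs so that local development links are not rewritten.

```javascript
// Added example, not code from the comment or from Chromium/Firefox: decide
// whether an http:// link found on a page should be navigated to over https
// instead, avoiding the http -> https redirect bounce for hosts known to
// support it. knownHttpsHosts and probeHttps are assumptions.
function makeUpgrader(knownHttpsHosts, probeHttps) {
  const known = new Set(knownHttpsHosts);

  // href: the link as written on the page; base: the page's own URL.
  // Returns the absolute URL the browser should actually navigate to.
  return function upgradeHref(href, base) {
    const url = new URL(href, base);
    if (url.protocol !== 'http:') return url.href; // only plain http is upgraded

    const host = url.hostname;
    const isIpLiteral = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith('[');
    if (host === 'localhost' || isIpLiteral || url.port) {
      return url.href; // local, IP and non-default-port targets are left alone
    }

    const upgraded = new URL(url.href);
    upgraded.protocol = 'https:'; // path, query and fragment are preserved
    if (known.has(host)) return upgraded.href; // no bounce needed

    if (probeHttps(upgraded.href)) { // site answers over https: remember it
      known.add(host);
      return upgraded.href;
    }
    return url.href; // no https available: keep the original link
  };
}
```

A protocol-relative link such as //cdn.example/x.js inherits the page's scheme from the base URL, so on an https page it never needs upgrading; a plain http link to a host that fails the probe is left untouched rather than broken.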
The fact that that needs to have disambiguation parentheses is even worse: it means there's more than one statue.

Passwords are known (or accessible in a password manager) by the user and the user gives one to a site to prove they are who they say they are. The user can be tricked into giving that password to the wrong site (phishing). The site can also be hacked and have the passwords (or hashes of the passwords) leaked, exposing that password to the world (a data breach).

With passkeys, the browser is the one checking that it's talking to the right site before talking, by making sure the domain name matches. Passkeys also don't send a secret anywhere but instead use math to sign a message that proves they are the returning user. This security is possible because there is a public key and a private key. The user is the only one with the private key. The authenticity of the message is guaranteed by math by checking it with the public key that the user provided to the site when they registered their passkey. The site doesn't need access to the private key that the user has to verify the message so there's nothing sensitive for the site to leak.

In practical terms, instead of having to have your password manager autofill the username and password and then do some kind of second factor, it just signs a message saying "this is me" and the site logs you in.

I'm pretty sure the main picture on the article is what the revised opt in/out message looks like. Previously it was opt-out with just a message describing the feature with a check box to have it open Settings when you were finished with the out of box experience so that you can look at the options later.

Edit: Fixed mention of opt-in to opt-out, thanks tal.

It doesn't even have to be your friends. It could just be you walking by in the background of a photo someone else took.

I love how the GitHub issue asking for ProtonMail's domains to be removed is entirely about how Gmail, Outlook, iCloud, and Yahoo provide anonymous emails too and shouldn't they be on the list if ProtonMail is... and they are. Someone is just checking lists for ProtonMail's domains and not actually modifying their copypaste issue or doing any kind of research into the list/repo they're posting to.

Google has a dominant position in the advertising industry with AdSense and their other advertising-related products. Google also has a dominant position in the browser market with Chrome. Google can't use that dominant position in the browser industry to make changes to their browser that would negatively affect their competitors in the advertising industry without consulting competition authorities which are trying to make sure they aren't intentionally harming their competition in the ad market using their dominance in another market (the browser market) to benefit themselves. Firefox is small enough (and generally doesn't have any other services they could leverage) that they can just make changes to their browser without running afoul of any competition concerns.

There's also the advantage that Google has when it comes to the large number of popular first party services they have, like Gmail, Search, YouTube, etc. Using those services alone, they may be able to develop a profile of a user that's better than the competition would be able to do with the new Topics API, Protected Audience API, etc and thus even just getting rid of third-party cookies without a replacement might be seen as anti-competitive. This is probably why places like the EU are also forcing services to make it possible to unlink those services and not have the data shared between them.

I agree that the no algorithm hill gets annoying once you're following enough people.

What I don't understand is why they don't setup something like Bluesky has where you can choose which algorithm you want, including those not made directly by the Bluesky team: https://www.theverge.com/2023/5/26/23739174/bluesky-custom-feeds-algorithms-twitter-alternative

One of those algorithms could just be a chronological feed that some people seem dead set on sticking with. Everyone can be happy.

Passkeys are a way of doing public/private key-pair crypto to prove that you are in possession of the private key that corresponds to the public key that was registered with a site or service when you added the passkey to the account. The use of the passkey is often protected by biometrics like the fingerprint or facial recognition systems on your device but it doesn't necessarily need to use biometrics at all if you don't want to and you can instead use a passcode to unlock your device or password/passkey manager.

Basically instead of the normal way with passwords:

  • You ---password---> website

  • Website verifies password matches, either directly to an actual stored password (bad) or through a hash they have stored

With passkeys you have:

  • You <---challenge--- website

  • You sign the challenge with a private key that only you have

  • You ---signed challenge---> website

  • Website verifies that the signed challenge corresponds to the public key you provided when you set up the passkey

In the password scenario, the website could be following best practices and hashing the password or it could just be storing them directly and insecurely. You have no idea what really goes on inside their systems. This also means that due to reused passwords, a security breach at one site can mean problems for other sites, even if they didn't do anything wrong.

In the passkey scenario, you're not sending anything particularly sensitive to each site so it's more secure.

https://support.google.com/maps/answer/14169818

Update Google Maps to use Timeline on your device

Important: These changes are gradually rolling out to all users of the Google Maps app. You'll get a notification when an update is available for your account.

Location History is now called Timeline, and you now have new choices for your data. To continue using Timeline, you must have an up-to-date version of the Google Maps app. Otherwise, you may lose data and access to your Timeline on Google Maps.

Timeline is created on your devices.

Basically they're getting rid of the web version because they're moving the data to being stored on local devices only. Part of this might be because they got a lot of flak for stuff like recording location data for people who went near reproductive health clinics and other sensitive things. They can't be forced to respond to subpoenas for data if they don't have the data and can thus stay out of it, so I wouldn't necessarily say it's all that altruistic on their part.

I'm pretty sure that people were unhappy because it was opt-out at first. Now that bridging is opt-in, I don't think most people have a problem with it and I've seen a number of posts from both sides of the bridge so it seems to be working.

Bitwarden can both generate and store them in the browser extension. It can also use them through the browser extension but it can't yet use them through the mobile apps (they're working on it).

Looks like it's not focused on the student's schoolwork/personal data but how they use the devices/services.

From the original BleepingComputer article that The Verge article is based on:

https://www.bleepingcomputer.com/news/google/denmark-orders-schools-to-stop-sending-student-data-to-google/

The agency clarified that permissible uses of student data include providing the educational services offered by Google Workspace, enhancing the security and reliability of these services, facilitating communication, and fulfilling legal obligations.

Non-permissible cases are purposes related to maintaining and improving Google Workspace for Education, ChromeOS, and the Chrome browser, including measuring performance or developing new features and services for these platforms.

The Microsoft accounts are already required (without resorting to increasingly convoluted methods) and I think the hardware for Hello might be too now for OEM built computers, I'm not sure.