A year and a half later, Amazon's Luna cloud gaming service has formally launched in the U.S. for Android, iOS, Chrome OS, macOS and Windows. Engadget reports: The core Luna+ service with over 100 games will normally cost $10 per month, with the kid-friendly Family Channel and Ubisoft+ Channels available for a respective $6 and $18 per month. Amazon hopes to reel in newcomers by dropping the monthly fees of Luna+ and the Family channel to $6 and $3 for anyone who signs up during March. Existing users just have to maintain their subscriptions to lock in that pricing.

The official debut comes alongside some new channels. A Prime Gaming channel, as the name implies, gives Amazon Prime members a free, rotating mix of games. The March selection will include titles like Devil May Cry 5 and Flashback. Pay $5 per month for the Retro Channel and you'll get Capcom and SNK classics like Street Fighter II Hyper Fighting and Metal Slug 3, while a similar outlay for the Jackbox Games Channel provides access to all eight Jackbox Party Pack titles. Luna's latest update also makes it simpler to stream gameplay from a Fire TV device, Mac or Windows PC on Twitch.

Jolla, a Finnish startup that develops a mobile Linux-based alternative to Google's Android which has had some take-up by the Russian government in the past, is looking to restructure its business to jettison links to the Russian state. TechCrunch reports: We reached out to the startup earlier this week to ask if it was concerned about the impact of looming EU sanctions on Russia -- given how, since 2018, it has counted Russian telecom company, Rostelecom, as a strategic investor. "We have actually ramped down business and exports to Russia already in 2021," CEO and co-founder Sami Pienimaki told TechCrunch. "Thus, the potential tech sanctions would not impact Jolla's business anymore. In parallel, Jolla is growing in particular rapidly in the automotive sector, and it formed already significant part of our 2021 revenues. In regards the ownership, that is correct, and something we're looking to re-structure during this year," he also confirmed. Sailfish has been certified in Russia for government and corporate use since 2016.

Samsung shipped an estimated 100 million smartphones with botched encryption, including models ranging from the 2017 Galaxy S8 on up to last year's Galaxy S21. Threatpost reports: Researchers at Tel Aviv University found what they called "severe" cryptographic design flaws that could have let attackers siphon the devices' hardware-based cryptographic keys: keys that unlock the treasure trove of security-critical data that's found in smartphones. What's more, cyber attackers could even exploit Samsung's cryptographic missteps -- since addressed in multiple CVEs -- to downgrade a device's security protocols. That would set up a phone to be vulnerable to future attacks: a practice known as IV (initialization vector) reuse attacks. IV reuse attacks screw with the encryption randomization that ensures that even if multiple messages with identical plaintext are encrypted, the generated corresponding ciphertexts will each be distinct.

The design flaws primarily affect devices that use ARM's TrustZone technology: the hardware support provided by ARM-based Android smartphones (which are the majority) for a Trusted Execution Environment (TEE) to implement security-sensitive functions. TrustZone splits a phone into two portions, known as the Normal world (for running regular tasks, such as the Android OS) and the Secure world, which handles the security subsystem and where all sensitive resources reside. The Secure world is only accessible to trusted applications used for security-sensitive functions, including encryption.

Matthew Green, associate professor of computer science at the Johns Hopkins Information Security Institute, explained on Twitter that Samsung incorporated "serious flaws" in the way its phones encrypt key material in TrustZone, calling it "embarrassingly bad." "They used a single key and allowed IV re-use," Green said. "So they could have derived a different key-wrapping key for each key they protect," he continued. "But instead Samsung basically doesn't. Then they allow the app-layer code to pick encryption IVs." The design decision allows for "trivial decryption," he said.

Samsung responded to the academics' disclosure by issuing a patch for affected devices that addressed CVE-2021-25444: an IV reuse vulnerability in the Keymaster Trusted Application (TA) that runs in the TrustZone. Keymaster TA carries out cryptographic operations in the Secure world via hardware, including a cryptographic engine. The Keymaster TA uses blobs, which are keys "wrapped" (encrypted) via AES-GCM. The vulnerability allowed for decryption of custom key blobs. Then, in July 2021, the researchers revealed a downgrade attack -- one that lets attacker trigger IV reuse vulnerability with privileged process. Samsung issued another patch -- to address CVE-2021-25490 -- that remoged the legacy blob implementation from devices including Samsung's Galaxy S10, S20 and S21 phones.

An anonymous reader quotes a report from TechCrunch, written by security editor Zack Whittaker: Consumer-grade spyware is often sold under the guise of child monitoring software, but also goes by the term "stalkerware" for its ability to track and monitor other people or spouses without their consent. Stalkerware apps are installed surreptitiously by someone with physical access to a person's phone and are hidden from home screens, but will silently and continually upload call records, text messages, photos, browsing history, precise location data and call recordings from the phone without the owner's knowledge. Many of these spyware apps are built for Android, since it's easier to plant a malicious app than on iPhones, which have tighter restrictions on what kind of apps can be installed and what data can be accessed. Last October, TechCrunch revealed a consumer-grade spyware security issue that's putting the private phone data, messages and locations of hundreds of thousands of people, including Americans, at risk. But in this case it's not just one spyware app exposing people's phone data. It's an entire fleet of Android spyware apps that share the same security vulnerability.

On the front line of the operation is a collection of white-label Android spyware apps that continuously collect the contents of a person's phone, each with custom branding, and fronted by identical websites with U.S. corporate personas that offer cover by obfuscating links to its true operator. Behind the apps is a server infrastructure controlled by the operator, which is known to TechCrunch as a Vietnam-based company called 1Byte. TechCrunch found nine nearly identical spyware apps that presented with distinctly different branding, some with more obscure names than others: Copy9, MxSpy, TheTruthSpy, iSpyoo, SecondClone, TheSpyApp, ExactSpy, FoneTracker and GuestSpy. Other than their names, the spyware apps have practically identical features under the hood, and even the same user interface for setting up the spyware. Once installed, each app allows the person who planted the spyware access to a web dashboard for viewing the victim's phone data in real time -- their messages, contacts, location, photos and more. Much like the apps, each dashboard is a clone of the same web software. And, when TechCrunch analyzed the apps' network traffic, we found the apps all contact the same server infrastructure. But because the nine apps share the same code, web dashboards and the same infrastructure, they also share the same vulnerability.

The vulnerability in question is known as an insecure direct object reference, or IDOR, a class of bug that exposes files or data on a server because of sub-par, or no, security controls in place. It's similar to needing a key to unlock your mailbox, but that key can also unlock every other mailbox in your neighborhood. IDORs are one of the most common kinds of vulnerability [...]. But shoddy coding didn't just expose the private phone data of ordinary people. The entire spyware infrastructure is riddled with bugs that reveal more details about the operation itself. It's how we came to learn that data on some 400,000 devices -- though perhaps more -- have been compromised by the operation. Shoddy coding also led to the exposure of personal information about its affiliates who bring in new paying customers, information that they presumably expected to be private; even the operators themselves. After emailing 1Byte with details of the security vulnerability, the email address was shut down along with "at least two of the branded spyware apps," according to TechCrunch. "That leaves us here. Without a fix, or intervention from the web host, TechCrunch cannot disclose more about the security vulnerability -- even if it's the result of bad actors themselves -- because of the risk it poses to the hundreds of thousands of people whose phones have been unknowingly compromised by this spyware."

In a separate report, security editor Zack Whittaker explains how one can remove common consumer-grade spyware.

There's won't be a big revival for BlackBerry phones anytime soon. OnwardMobility, the Austin-based startup that announced its plans to release a 5G BlackBerry device with a physical keyboard back in 2020, is shutting down. From a report: The company posted a notice of its closure on its website, making it clear that it won't be proceeding with the development of the smartphone. This comes a month after it responded to people asking about the status of the project with a blog post entitled "contrary to popular belief, we are not dead." While OnwardMobility didn't expound on the reason behind its closure, Android Police reported a few days ago that its license to use the BlackBerry name had been canceled. Apparently, BlackBerry wants to distance itself from its past as a smartphone manufacturer after it sold off its remaining mobile patents for $600 million in the beginning of February. OnwardMobility reportedly decided not to push through with the development of a new smartphone without the BlackBerry name, especially since it won't be easy entering the market with an ongoing global component shortage.

AndroidPolice reports: Google has confirmed to us that the Pixel 3 series has received its last update, marking the end of a three-year promise. But revisiting the 2018-era flagship, I still can't help but be disappointed that Google didn't try harder to keep it supported longer. Google may have met its marketing requirements, but as I've said before, it's hypocritical for a company committed to sustainability and customer security to leave old smartphones behind so quickly. Revisiting it for the last few days, the Pixel 3 is still a perfectly good phone that could have years of life left in it. And, according to everyone I've spoken to, there aren't any good technical reasons for it being left behind. Google just doesn't care.

Linux programmers fixed bugs faster than anyone — in an average of just 25 days (improving from 32 days in 2019 to just 15 in 2021). That's the conclusion of Google's "Project Zero" security research team, which studied the speed of bug-fixing from January 2019 to December 2021.

ZDNet reports that Linux's competition "didn't do nearly as well." For instance, Apple, 69 days; Google, 44 days; and Mozilla, 46 days. Coming in at the bottom was Microsoft, 83 days, and Oracle, albeit with only a handful of security problems, with 109 days.

By Project Zero's count, others, which included primarily open-source organizations and companies such as Apache, Canonical, Github, and Kubernetes, came in with a respectable 44 days.

Generally, everyone's getting faster at fixing security bugs. In 2021, vendors took an average of 52 days to fix reported security vulnerabilities. Only three years ago the average was 80 days. In particular, the Project Zero crew noted that Microsoft, Apple, and Linux all significantly reduced their time to fix over the last two years.

As for mobile operating systems, Apple iOS with an average of 70 days is a nose better than Android with its 72 days. On the other hand, iOS had far more bugs, 72, than Android with its 10 problems.

Browsers problems are also being fixed at a faster pace. Chrome fixed its 40 problems with an average of just under 30 days. Mozilla Firefox, with a mere 8 security holes, patched them in an average of 37.8 days. Webkit, Apple's web browser engine, which is primarily used by Safari, has a much poorer track record. Webkit's programmers take an average of over 72 days to fix bugs.

The Washington Post reports: Google announced it will begin the process of getting rid of long-standing ad trackers on its Android operating system, upending how advertising and data-collection work on phones and tablets used by more than 2.5 billion people around the world.

Right now, Google assigns special IDs to each Android device, allowing advertisers to build profiles of what people do on their phones and serve them highly targeted ads. Google will begin testing alternatives to those IDs this year and eventually remove them completely, the company said in a Wednesday blog post. Google said the changes will improve privacy for Android users, limiting the massive amounts of data that app developers collect from people using the platform.

But the move also could give Google even more power over digital advertising, and is likely to deepen concerns regulators have already expressed about the company's competitive practices... It made $61 billion in advertising revenue in the fourth quarter of 2021 alone....

The announcement comes over a year after Apple began blocking trackers on its own operating system, which runs on its iPhones, giving customers more tools to limit the data they share with app developers.... Google contrasted its plan with Apple's, saying it would make the changes over the next two years, working closely with app developers and the advertising industry to craft new ways of targeting ads and measuring their effectiveness before making any drastic changes.

"We realize that other platforms have taken a different approach to ads privacy, bluntly restricting existing technologies used by developers and advertisers," said Anthony Chavez, vice president of product management for Android security and privacy, in the blog post. "We believe that without first providing a privacy-preserving alternative path such approaches can be ineffective and lead to worse outcomes for user privacy and developer businesses."
The Post also includes this quote from the chief security office of Mozilla (which began restricting ad tracking in Firefox several years ago). "Google's two year plan is too long. People deserve better privacy now."

An anonymous reader quotes a report from CNET: The delayed 5G BlackBerry phone is dead, OnwardMobility has confirmed on its website. "It is with great sadness that we announce that OnwardMobility will be shutting down, and we will no longer be proceeding with the development of an ultra-secure smartphone with a physical keyboard," OnwardMobility said in a message posted Friday, as spotted earlier by CrackBerry. "Please know that this was not a decision that we made lightly or in haste. We share your disappointment in this news and assure you this is not the outcome we worked and hoped for." Android Police and CrackBerry originally reported the phone had been cancelled on Feb. 11, saying OnwardMobility, a Texas-based startup seeking to revitalize the iconic brand through an Android-based, next-gen Wi-Fi device, lost the license from BlackBerry Ltd. to use the BlackBerry brand name. OnwardMobility did not expand on why it is shutting down and cancelling production of the phone. The news comes after BlackBerry ended service for its legacy devices in early January. "Before OnwardMobility picked up the license, Chinese manufacturer TCL was the most recent maker of BlackBerry-branded phones," adds CNET.

Most recently, the company sold its prized patent portfolio to "Catapult IP Innovations Inc." for $600 million.

Microsoft last month received a US patent covering modifications to a data-encoding technique called rANS, one of several variants in the Asymmetric Numeral System (ANS) family that support data compression schemes used by leading technology companies and open source projects. The Register reports: The creator of ANS, Jaroslaw Duda, assistant professor at Institute of Computer Science at Jagiellonian University in Poland, has been trying for years to keep ANS patent-free and available for public use. Back in 2018, Duda's lobbying helped convince Google to abandon its ANS-related patent claim in the US and Europe. And he raised the alarm last year when he learned Microsoft had applied for an rANS (range asymmetric number system) patent.

Now that Microsoft's patent application has been granted, he fears the utility of ANS will be diminished, as software developers try to steer clear of a potential infringement claim. "I don't know what to do with it -- [Microsoft's patent] looks like just the description of the standard algorithm," he told The Register in an email. The algorithm is used in JPEG XL and CRAM, as well as open source projects run by Facebook (Meta), Nvidia, and others. "This rANS variant is [for example] used in JPEG XL, which is practically finished (frozen bitstream) and [is] gaining support," Duda told The Register last year. "It provides ~3x better compression than JPEG at similar computational cost, compatibility with JPEG, progressive decoding, missing features like HDR, alpha, lossless, animations. "There is a large team, mostly from Google, behind it. After nearly 30 years, it should finally replace the 1992 JPEG for photos and images, starting with Chrome, Android."

The Food and Drug Administration cleared a smartphone app from Tandem Diabetes Care to program insulin delivery for its t:slim X2 insulin pump, the company announced Wednesday. The Verge reports: It's the first phone app for both iOS and Android to able to deliver insulin, the company said in a statement. Previously, delivery had to be handled through the pump itself. With this update, pump users will be able to program or cancel bolus doses of insulin, which are taken at mealtimes and are crucial in keeping blood glucose levels under control. "Giving a meal bolus is now the most common reason a person interacts with their pump, and the ability to do so using a smartphone app offers a convenient and discrete solution," John Sheridan, president and CEO of Tandem Diabetes Care, said in a statement. [...] Tandem said in the statement that it will launch the new bolus delivery update for select users this spring ahead of a wider launch this summer.

An anonymous reader quotes a report from Ars Technica: Now that Windows 11's first major post-release update has been issued, Microsoft has started testing a huge collection of new features, UI changes, and redesigned apps in the latest Windows Insider preview for Dev channel users. By and large, the changes are significant and useful -- there's an overhauled Task Manager, folders for pinned apps in the Start menu, the renewed ability to drag items into the Taskbar (as you could in Windows 10), improvements to the Do Not Disturb and Focus modes, new touchscreen gestures, and a long list of other fixes and enhancements.

But tucked away toward the bottom of the changelog is one unwelcome addition: like the Home edition of Windows 11, the Pro version will now require an Internet connection and a Microsoft account during setup. In the current version of Windows 11, you could still create a local user account during setup by not connecting your PC to the Internet -- something that also worked in the Home version of Windows 10 but was removed in 11. That workaround will no longer be available in either edition going forward, barring a change in Microsoft's plans. While most devices do require a sign-in to fully enable app stores, cloud storage, and cross-device sharing and syncing, Windows 11 will soon stand alone as the only major consumer OS that requires account sign-in to enable even basic functionality.

Google said on Wednesday that it was working on privacy measures meant to limit the sharing of data on smartphones running its Android software. But the company promised those changes would not be as disruptive as a similar move by Apple last year. From a report: Apple's changes to its iOS software on iPhones asked users for permission before allowing advertisers to track them. Apple's permission controls -- and, ultimately, the decision by users to block tracking -- have had a profound impact on internet companies that built businesses on so-called targeted advertising. Google did not provide an exact timeline for its changes, but said it would support existing technologies for at least two more years.

This month, Meta, the company founded as Facebook, said Apple's privacy changes would cost it $10 billion this year in lost advertising revenue. The revelation weighed on Meta's stock price and led to concerns about other companies reliant on digital advertising. Anthony Chavez, a vice president at Google's Android division, said in an interview before the announcement that it was too early to gauge the potential impact from Google's changes, which are meant to limit the sharing of data across apps and with third parties. But he emphasized that the company's goal was to find a more private option for users while also allowing developers to continue to make advertising revenue.

An anonymous reader quotes a report from Ars Technica: Here's a fun new feature of Android 13: working virtualization support. Google is building virtualization into Android for its own reasons, but Android developer kdrag0n has commandeered the feature to boot ARM Windows 11 and desktop Linux. The developer even got the Windows version of Doom running, all inside a VM on the Pixel 6. kdrag0n says that Android 13 has "full KVM functionality" at "near-native performance." You need root to enable the functionality, which doesn't support GPU acceleration. The functionality also doesn't support nested virtualization, so while you can now run Android on Windows and Windows on Android, making an infinitely nested OS turducken is out of the question.

This makes for a neat demo that's not at all what Google wants to do with Android's upcoming VM support. Esper's Mishaal Rahman has been meticulously tracking Android's virtualization progress for some time now, and the apparent plan is to someday (maybe in Android 13) use virtual machines as a security and privacy sandbox for various features. Imagine instead of processing sensitive data at the normal app permission level, the data could be processed in a separate OS, so any attackers would have to break through the app security model, then Android, then the hypervisor, then this other, private OS.

Google has announced a new version of Chrome OS called Chrome OS Flex, which is designed to run on old PCs and Macs. The Verge reports: The operating system can be installed "within minutes," according to Google's blog post. Google told me that Chrome OS Flex will look and feel identical to Chrome OS on a Chromebook -- it's built from the same code base and follows the same "release cadence." It did caveat that some features may be dependent on the hardware of the PC you're using. In fact, it said this for every specific feature I asked about, including always-on Google Assistant and Android phone syncing. So, if you're going to try this, keep an eye out.

If you want to try out Chrome OS Flex yourself, you can learn more on the Chrome Enterprise website. Note that the OS is still in early access mode, so you may encounter bugs -- you can boot it directly from a USB drive if you'd rather poke around before installing it on your machine.

Microsoft is releasing its first big update to Windows 11 today, and it includes a lot of new additions. From a report: A public preview of Android apps on Windows 11 will be available today in the US, alongside redesigned Notepad and Media Player apps. The first big Windows 11 update will also include a bunch of improvements to the taskbar. The public preview of Android apps on Windows 11 will allow users to install apps from Amazon's Appstore. The Verge points to workarounds to get Google Play Store running on Windows 11 unofficially. Back to more changes: The biggest changes in this Windows 11 update are related to the taskbar. The time and date will finally be available on multiple monitors in Windows 11, something that was missing at launch. The weather widget also returns to the taskbar in this update, and a new mute / unmute feature in the taskbar will be available for Microsoft Teams calls. You'll also be able to quickly screen share a specific app or window from the taskbar directly into a Microsoft Teams call. Microsoft has also redesigned the Media Player and Notepad apps for Windows 11. Notepad now includes multi-step undo, an improved search interface, and dark mode support. The new Media Player app is designed to replace Groove Music and Windows Media Player and includes support for both audio and video and a design that better matches Windows 11's UI improvements.

Apple faces competition from many different brands all offering Android alternatives, but Xiaomi looks to be the most determined to beat it in the high-end phone market. From a report: As the South China Morning Post reports, Xiaomi CEO Lei Jun posted on the microblogging platform Weibo on Tuesday, stating, "[We aim to] fully benchmark against Apple in [terms of] product and experience, and become China's biggest high-end brand in the next three years." Lei Jun isn't classing this as just a competition, though, it's "a war of life and death" apparently. That claim is backed up by some serious investment promises being made by the company. As MacRumors reports, Xiaomi already operates 10,000 retail stores in China, but intends to increase that to 30,000 by 2025. Competing with and beating Apple means producing smartphones that outperform the iPhone in all areas, so Xiaomi is investing $16 billion in research and development over the next five years.

An anonymous reader quotes a report from TechCrunch: Use of Google Analytics has now been found to breach European Union privacy laws in France -- after a similar decision was reached in Austria last month. The French data protection watchdog, the CNIL, said today that an unnamed local website's use of Google Analytics is non-compliant with the bloc's General Data Protection Regulation (GDPR) -- breaching Article 44 which covers personal data transfers outside the bloc to so-called third countries which are not considered to have essentially equivalent privacy protections. The U.S. fails this critical equivalence test on account of having sweeping surveillance laws which do not provide non-U.S. citizens with any way to know whether their data is being acquired, how it's being used or to seek redress for any misuse.

France's CNIL has been investigating one of 101 complaints filed by European privacy advocacy group, noyb, back in August 2020 -- after the bloc's top court invalidated the EU-U.S. Privacy Shield agreement on data transfers. Since then (indeed, long before) the legality of transatlantic transfers of personal data have been clouded in uncertainty. While it has taken EU regulators some time to act on illegal data transfers -- despite an immediate warning from the European Data Protection Board of no grace period in the wake of the July 2020 CJEU ruling (aka 'Schrems II) -- decisions are now finally starting to flow. Including another by the European Data Protection Supervisor last month, also involving Google Analytics. In France, the CNIL has ordered the website which was the target of one of noyb's complaints to comply with the GDPR -- and "if necessary, to stop using this service under the current conditions" -- giving it a deadline of one month to comply.

"[A]lthough Google has adopted additional measures to regulate data transfers in the context of the Google Analytics functionality, these are not sufficient to exclude the accessibility of this data for U.S. intelligence services," the CNIL writes in a press release announcing the decision. "There is therefore a risk for French website users who use this service and whose data is exported." The CNIL does leave open the door to continued use of Google Analytics -- but only with substantial changes that would ensure only "anonymous statistical data" gets transferred. The French regulator is also very emphatic that under "current conditions" use of Google Analytics is non-compliant -- and may therefore need to cease in order for the site in question to comply with the GDPR. The CNIL also suggests use of an alternative analytics tool which does not involve a transfer outside the EU to end the breach. Additionally, it says it's launched an evaluation program to determine which website audience measurement and analysis services may be exempt from the need to obtain user consent (i.e. because they only produce anonymous statistical data which can be exported legally under GDPR). Which suggests the CNIL could issue guidance in future that recommends GDPR compliant alternatives to Google Analytics.

Google today announced the first developer release of Android 13. These very early releases, which are only meant for developers and aren't available through over-the-air updates, typically don't include too many user-facing changes. From a report: That's true this time as well, but even in this early release, the company is already showing off a few changes that will impact how you'll use your Android phone. Unlike with Android 12, Google plans to have two developer releases and then launch a beta in April, a month earlier than in 2021. The final release could come as early as August, based on Google's roadmap, whereas Android 12 launched in early October. All of this is happening while Android 12L, the Android release for large-screen devices, is still in development, too, though Google notes that it will bring some of those features to Android 13 as well. These include improved support for tablets, foldables and Android apps on Chromebooks. One of the most visible changes in Android 13 so far is that Google will bring the dynamic color feature of Material You, which by default takes its cues from your home screen image to all app icons. Developers will have to supply a monochromatic app icon for this to work, which many will hopefully do, because the current mix of themed and un-themed icons doesn't make for a great look. For now, this will only be available on Pixel devices, though, and Google says it will work with its partners to bring it to more devices. With this release, Google supports the Pixel 6 Pro, Pixel 6, Pixel 5a 5G, Pixel 5, Pixel 4a (5G), Pixel 4a, Pixel 4 XL, and Pixel 4.

Ars Technica recently pointed out that the concept of downvoting posts and comments "has been a staple of the Internet for decades, appearing on sites such as Slashdot, Reddit, and Ars Technica."

And Twitter is now experimenting with its own version, according to the International Business Times: After initially announcing the launch of a "downvoting" feature in July, Twitter revealed on Wednesday that it would be taking the feature to the global testing stage, even as questions remain about whether a more positive or negative environment is fostered on the platform as a result. The company announced that the "downvotes" will expand to more people on iOS and Android devices, and reiterated that the votes are not public, but can help the company determine what type of content different people actually wish to see.

"We learned a lot about the types of replies you don't find relevant and we're expanding this test — more of you on web and soon iOS and Android will have the option to use reply downvoting.

"Downvotes aren't public, but they'll help inform us of the content people want to see...".

Twitter has not yet announced when the "downvote" feature will be rolled out to all users, or if it ever will be. While the test should help the company figure out if the downvote option promotes a more hateful environment or fosters a better experience, their final decision is yet to be revealed.
The Washington Post includes a screenshot of the downvoting button, describing it as a small arrow to the right of the like button.