Businesses

Travel Website Booking.com Leaves Hoteliers Thousands of Dollars Out of Pocket (theguardian.com) 42

The Guardian reports: Travel website Booking.com has left many hotel operators and other partners across the globe thousands of dollars out of pocket for months on end, blaming the lack of payment on a "technical issue". The issue is widespread in Thailand, Indonesia and Europe among hoteliers who are venting their frustrations in Facebook groups as rumours swirl about the cause of the failure to pay. Usually, if a customer makes a booking for a hotel through the website Booking.com and elects to pay upfront, the site takes the payment and passes it on to the hotel operator, minus a commission. Booking.com's partners have reported issues receiving payments since July, and in some cases months earlier. While Booking.com has continued taking payments from customers, the company has not always passed on the amount owed to hotel operators and others whom the Guardian has spoken to.
The article adds that last month Hungary's consumer watchdog agency "launched a probe into the company's failure to pay hotel operators in the country and raided Booking.com's local office, after local reporting on the issue."

In a statement to the Guardian, Booking.com acknowledged the "frustration" of customers affected by "an ongoing technical issue." They also said "the system errors that affected the payments have now been corrected," and that they had now processed the transactions of "most of" our partners. "We acknowledge that for some this has taken longer than it should have and continue to work urgently to finalise the rest of the transactions...."

In the company's August results, CFO David Goulden said there were "lower than expected" IT expenses in the second quarter of this year, in part due to phasing IT spend into the third quarter, but did not outline what this IT expense included.

Thanks to Alain Williams (Slashdot reader #2,9272) for sharing the article.
AI

NSA Is Starting an AI Security Center (securityweek.com) 13

The Associated Press reports: The National Security Agency is starting an artificial intelligence security center -- a crucial mission as AI capabilities are increasingly acquired, developed and integrated into U.S. defense and intelligence systems, the agency's outgoing director announced Thursday. Army Gen. Paul Nakasone said the center would be incorporated into the NSA's Cybersecurity Collaboration Center, where it works with private industry and international partners to harden the U.S. defense-industrial base against threats from adversaries led by China and Russia.

Nakasone was asked about using AI to automate the analysis of threat vectors and red-flag alerts -- and he reminded the audience that U.S. intelligence and defense agencies already use AI. "AI helps us. But our decisions are made by humans. And that's an important distinction," Nakasone said. "We do see assistance from artificial intelligence. But at the end of the day, decisions will be made by humans and humans in the loop."

Nakasone said it would become "NSA's focal point for leveraging foreign intelligence insights, contributing to the development of best practices guidelines, principles, evaluation, methodology and risk frameworks" for both AI security and the goal of promoting the secure development and adoption of AI within "our national security systems and our defense industrial base." He said it would work closely with U.S. industry, national labs, academia and the Department of Defense as well as international partners.

Apple

A Hidden Bar Code in iPhone Screens Saved Apple Hundreds of Millions of Dollars 47

An anonymous reader shares a report: Next time you try to wipe a smudge off your iPhone screen, take a closer look. See if you can spot one of the two tiny QR codes etched into its glass. Chances are you won't be able to find them. Both codes are tiny -- one is the size of a grain of sand and can only be seen with special equipment, while the other, roughly the size of the tip of a crayon, is laser-printed on the reverse side of the glass somewhere along its black border or bezel. The codes are placed on the glass at different stages of manufacturing to help Apple track and reduce defects. They represent the company's obsessive attention to detail in manufacturing devices such as the iPhone, which has helped it squeeze costs in a traditionally low-margin business.

"Apple has been granularly and singularly tracking many components in the iPhone for some time, but expanding that to the glass and doing it with a microscopic bar code is another level of obsessive attention to detail that few companies would do," said Kyle Wiens, CEO of iFixit, a popular Apple gadget repair site. "I've never heard of serial numbers on the glass level, but if you're throwing infinite money at improving your manufacturing knowledge, then why not?" Apple added the smaller of the two QR codes -- 0.2 mm in width -- to iPhone screens in 2020 so it can track precisely how many usable cover glass units its two Chinese suppliers, Lens Technology and Biel Crystal, are making and how many defective cover glass units they are throwing away during manufacturing. Lens and Biel have previously stymied Apple's efforts to learn the true rate of defects, which can raise its production costs. Apple has paid millions of dollars to install laser and scanning equipment at Lens and Biel factories to both add the microscopic QR code and scan the cover glass at the end of the production process.
Iphone

A Test of iPhone-to-HDMI Adapter That Demands Location/Browsing Data (404media.co) 29

Slash_Account_Dot writes: I recently got my hands on an ordinary-looking iPhone-to-HDMI adapter that mimics Apple's branding and, when plugged in, runs a program that implores you to "Scan QR code for use." That QR code takes you to an ad-riddled website that asks you to download an app that asks for your location data, access to your photos and videos, runs a bizarre web browser, installs tracking cookies, takes "sensor data," and uses that data to target you with ads. The adapter's app also kindly informed me that it's sending all of my data to China.

The cord was discovered by friend of 404 Media John Bumstead, an electronics refurbisher and artist who buys devices in bulk from electronics recyclers. Bumstead tweeted about the cord and was kind enough to send me one so I could try it myself. Joseph has written about malicious lightning cables and USB cables made by hackers that can be used for keystroke logging and spying. While those malicious lightning cables are products marketed for spying, the HDMI adapter Bumstead found has been found in the wild and is just another crappy knockoff cable sold on Amazon's increasingly difficult to navigate website. This HDMI adapter is designed to look exactly like Apple's same adapter.

Windows

You Can No Longer Activate New Windows 11 Builds With Windows 7 or 8 Keys (neowin.net) 84

An anonymous reader shares a report: In December 2022, we published a short PSA, reminding users they could still activate Windows 11 and 10 with valid Windows 7, 8, and 8.1 keys. This practice dates back to 2015 when Microsoft launched Windows 10 with a one-year free upgrade window. Besides letting Windows 7/8 users upgrade for free to Windows 10, Microsoft allowed activating its newest OS using keys from the previous releases.

Upgrading from Windows 7 and 8 to Windows is no longer possible, and it now seems that Microsoft is removing the loophole to prevent users from activating Windows 11 with old Windows license keys. As spotted by Deskmodder, Microsoft published a message on the Device Partner Center, notifying customers that the installation path to obtain free upgrades from Windows 7 and 8 to more recent Windows versions is no longer available. What it means is that you can no longer update from Windows 7/8/8.1 to Windows 10 or 11.

Security

Bing Chat Responses Infiltrated By Ads Pushing Malware 14

Bill Toulas writes via BleepingComputer: Malicious advertisements are now being injected into Microsoft's AI-powered Bing Chat responses, promoting fake download sites that distribute malware. [...] Malicious ads spotted by Malwarebytes are pretending to be download sites for the popular 'Advanced IP Scanner' utility, which has been previously used by RomCom RAT and Somnia ransomware operators.

The researchers found that when you asked Bing Chat how to download Advanced IP Scanner, it would display a link to download it in the chat. However, when you hover over an underlined link in a chat, Bing Chat may show an advertisement first, followed by the legitimate download link. In this case, the sponsored link was a malvertisement pushing malware. [...] Unfortunately, Malwarebytes could not find the final payload for this malware campaign, so it is unclear what malware is ultimately being installed. However, in similar campaigns, threat actors commonly distribute information-stealing malware or remote access trojans that allow them to breach other accounts or corporate networks.
Security

Security Researcher Warns of Chilling Effect After Feds Search Phone At Airport (techcrunch.com) 97

SonicSpike shares a report: A U.S. security researcher is warning of a chilling effect after he was detained on arrival at a U.S. airport, his phone was searched, and he was ordered to testify to a grand jury, only to have prosecutors reverse course and drop the investigation later. On Wednesday, Sam Curry, a security engineer at blockchain technology company Yuga Labs, said in a series of posts on X, formerly Twitter, that he was taken into secondary inspection by U.S. federal agents on September 15 after returning from a trip to Japan. Curry said agents with the Internal Revenue Service's Criminal Investigation (IRS-CI) unit and the Department of Homeland Security questioned him at Dulles International Airport in Washington DC about a "high profile phishing campaign," searched his unlocked phone, and served him with a grand jury subpoena to testify in New York the week after.

According to a photo of the subpoena that Curry posted, the grand jury was investigating wire fraud and money laundering. But Curry said he later received confirmation that the copy of his device data was deleted and the grand jury subpoena was canceled once prosecutors realized that Curry was investigating the theft of crypto, and not involved in it.

Security

Backdoored Firmware Lets China State Hackers Control Routers With 'Magic Packets' (arstechnica.com) 52

An anonymous reader quotes a report from Ars Technica: Hackers backed by the Chinese government are planting malware into routers that provides long-lasting and undetectable backdoor access to the networks of multinational companies in the US and Japan, governments in both countries said Wednesday. The hacking group, tracked under names including BlackTech, Palmerworm, Temp.Overboard, Circuit Panda, and Radio Panda, has been operating since at least 2010, a joint advisory published by government entities in the US and Japan reported. The group has a history of targeting public organizations and private companies in the US and East Asia. The threat actor is somehow gaining administrator credentials to network devices used by subsidiaries and using that control to install malicious firmware that can be triggered with "magic packets" to perform specific tasks.

The hackers then use control of those devices to infiltrate networks of companies that have trusted relationships with the breached subsidiaries. "Specifically, upon gaining an initial foothold into a target network and gaining administrator access to network edge devices, BlackTech cyber actors often modify the firmware to hide their activity across the edge devices to further maintain persistence in the network," officials wrote in Wednesday's advisory. "To extend their foothold across an organization, BlackTech actors target branch routers -- typically smaller appliances used at remote branch offices to connect to a corporate headquarters -- and then abuse the trusted relationship of the branch routers within the corporate network being targeted. BlackTech actors then use the compromised public-facing branch routers as part of their infrastructure for proxying traffic, blending in with corporate network traffic, and pivoting to other victims on the same corporate network."

Most of Wednesday's advisory referred to routers sold by Cisco. In an advisory of its own, Cisco said the threat actors are compromising the devices after acquiring administrative credentials and that there's no indication they are exploiting vulnerabilities. Cisco also said that the hackers' ability to install malicious firmware exists only for older company products. Newer ones are equipped with secure boot capabilities that prevent them from running unauthorized firmware, the company said.
"It would be trivial for the BlackTech actors to modify values in their backdoors that would render specific signatures of this router backdoor obsolete," the advisory stated. "For more robust detection, network defenders should monitor network devices for unauthorized downloads of bootloaders and firmware images and reboots. Network defenders should also monitor for unusual traffic destined to the router, including SSH."

To detect and mitigate this threat, the advisory recommends administrators disable outbound connections on virtual teletype (VTY) lines, monitor inbound and outbound connections, block unauthorized outbound connections, restrict administration service access, upgrade to secure boot-capable devices, change compromised passwords, review network device logs, and monitor firmware changes for unauthorized alterations.
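The monitoring the advisory recommends (unauthorized bootloader or firmware image downloads, reboots, and unusual SSH traffic toward the router) can be expressed as a small log-correlation rule that also weighs the two together. The following is an added example, not code from the advisory, Cisco, or Ars Technica. It assumes a single management subnet (10.10.0.0/24) and an operator-set maintenance flag, and the syslog lines are constructed approximations of IOS-style messages rather than vendor-documented output.

```python
"""Flag the indicators the advisory tells defenders to watch for on branch
routers: bootloader/firmware image writes, reboots, and SSH toward the device
from outside the management network. Added example; not advisory or vendor
code. Log lines are constructed approximations of IOS-style syslog."""
from __future__ import annotations

import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ADMIN_SUBNET = ip_network("10.10.0.0/24")  # assumption: the only legitimate admin network
MAINTENANCE_OPEN = False                   # assumption: True only in an announced upgrade window

# Constructed sample: a planned config change, then an off-hours SSH login from an
# unexpected address followed by an image write to flash and a reload.
SUSPICIOUS_LOGS = """\
Sep 27 01:02:03 br-rtr1 1001: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.10.0.5] [localport: 22]
Sep 27 01:05:11 br-rtr1 1002: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.10.0.5)
Sep 27 03:14:15 br-rtr1 1003: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 203.0.113.77] [localport: 22]
Sep 27 03:16:40 br-rtr1 1004: Copying image c2900-universalk9-mz.bin from tftp://203.0.113.77 to flash:
Sep 27 03:19:02 br-rtr1 1005: %SYS-5-RELOAD: Reload requested by admin on vty0 (203.0.113.77). Reload Reason: Reload Command.
Sep 27 03:22:30 br-rtr1 1006: %SYS-5-RESTART: System restarted --
"""

# Constructed sample: the same image write and reload, but from the admin network.
PLANNED_LOGS = """\
Sep 28 22:00:01 br-rtr1 2001: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.10.0.5] [localport: 22]
Sep 28 22:03:12 br-rtr1 2002: Copying image c2900-universalk9-mz.bin from tftp://10.10.0.5 to flash:
Sep 28 22:05:40 br-rtr1 2003: %SYS-5-RELOAD: Reload requested by admin on vty0 (10.10.0.5). Reload Reason: Reload Command.
"""

HOST_RE = re.compile(r"^\w{3} +\d+ [\d:]+ (\S+) ")
LOGIN_RE = re.compile(r"LOGIN_SUCCESS.*?\[Source: ([0-9.]+)\].*?\[localport: (\d+)\]")
IMAGE_RE = re.compile(r"(?i)\b(bootloader|image|\.bin)\b.*?\b(boot)?flash:")
REBOOT_RE = re.compile(r"%SYS-5-(RELOAD|RESTART)\b")

SEVERITY_RANK = {"info": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass
class Alert:
    host: str
    severity: str
    rule: str
    line: str


def _escalate(base: str, host: str, tainted: set[str], maintenance_open: bool) -> str:
    """Raise severity when the host already saw SSH from outside the admin network;
    lower it to informational only inside an announced maintenance window."""
    if host in tainted:
        return "critical" if base == "high" else "high"
    return "info" if maintenance_open else base


def analyze(log_text: str, admin_subnet=ADMIN_SUBNET,
            maintenance_open: bool = MAINTENANCE_OPEN) -> list[Alert]:
    """Return one Alert per matching line, in log order."""
    alerts: list[Alert] = []
    tainted: set[str] = set()  # hosts that accepted SSH from outside admin_subnet
    for line in log_text.splitlines():
        m = HOST_RE.match(line)
        host = m.group(1) if m else "unknown"
        login = LOGIN_RE.search(line)
        if login:
            src, port = login.group(1), int(login.group(2))
            if port == 22 and ip_address(src) not in admin_subnet:
                tainted.add(host)
                alerts.append(Alert(host, "medium", "ssh-from-outside-admin-network", line))
        elif IMAGE_RE.search(line):
            sev = _escalate("high", host, tainted, maintenance_open)
            alerts.append(Alert(host, sev, "firmware-image-write", line))
        elif REBOOT_RE.search(line):
            sev = _escalate("medium", host, tainted, maintenance_open)
            alerts.append(Alert(host, sev, "device-reboot", line))
    return alerts


def worst_severity(alerts: list[Alert]) -> str:
    return max((a.severity for a in alerts), key=SEVERITY_RANK.__getitem__, default="info")


if __name__ == "__main__":
    for alert in analyze(SUSPICIOUS_LOGS):
        print(f"[{alert.severity:8}] {alert.host} {alert.rule}: {alert.line}")
```

The point of the correlation is the advisory's own observation that signature-based detection of the backdoor is fragile: an image write or reload is ordinary during maintenance, but the same events on a device that just accepted SSH from an address outside the management network are what the recommended monitoring is meant to surface.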

Ars Technica notes: "The advisory didn't provide any indicators of compromise that admins can use to determine if they have been targeted or infected."
Transportation

Volkswagen Hit By IT Outage, Brand Vehicle Production In Germany Halted (reuters.com) 15

Volkswagen says it was hit by a major IT outage on Wednesday, halting production at the company's namesake brand in Germany. Reuters reports: Volkswagen said that the whole group, which includes the Porsche AG and Audi brands, was affected. Volkswagen said there had been an unspecified "IT malfunction of network components" at the carmaker's site in Wolfsburg, its global headquarters.

"The fault has been present since 12:30 p.m. (CET) and is currently being analysed. There are implications for vehicle-producing plants," the group said. "According to current analyses, an external attack is unlikely to be the cause of the system malfunction," Volkswagen said, adding that efforts to fix the problem were of the highest priority and well under way.

Security

Russian Zero-Day Seller Offers $20 Million for Hacking Android and iPhones (techcrunch.com) 33

A company that acquires and sells zero-day exploits -- flaws in software that are unknown to the affected developer -- is now offering to pay researchers $20 million for hacking tools that would allow its customers to hack iPhones and Android devices. From a report: On Wednesday, Operation Zero announced on its Telegram accounts and on its official account on X, formerly Twitter, that it was increasing payments for zero-days in those platforms tenfold, from $200,000 to $20 million. "By increasing the premium and providing competitive plans and bonuses for contract works, we encourage the developer teams to work with our platform," the company wrote.

Operation Zero, which is based in Russia and launched in 2021, also added that "as always, the end user is a non-NATO country." On its official website, the company says that "our clients are Russian private and government organizations only." When asked why they only sell to non-NATO countries, Operation Zero CEO Sergey Zelenyuk declined to say. "No reasons other than obvious ones," he said. Zelenyuk also said that the bounties Operation Zero offer right now may be temporary, and a reflection of a particular time in the market, and the difficulty of hacking iOS and Android.

Software

Unity Dev Group Dissolves After 13 Years Over 'Completely Eroded' Company Trust (arstechnica.com) 23

Kyle Orland writes via Ars Technica: The "first official Unity user group in the world" has announced that it is dissolving after 13 years because "the trust we used to have in the company has been completely eroded." The move comes as many developers are saying they will continue to stay away from the company's products even after last week's partial rollback of some of the most controversial parts of its fee structure plans.

Since its founding in 2010, the Boston Unity Group (BUG) has attracted thousands of members to regular gatherings, talks, and networking events, including many technical lectures archived on YouTube. But the group says it will be hosting its last meeting Wednesday evening via Zoom because the Unity of today is very different from the Dave Helgason-led company that BUG says "enthusiastically sanctioned and supported" the group at its founding.

"Over the past few years, Unity has unfortunately shifted its focus away from the games industry and away from supporting developer communities," the group leadership wrote in a departure note. "Following the IPO, the company has seemingly put profit over all else, with several acquisitions and layoffs of core personnel. Many key systems that developers need are still left in a confusing and often incomplete state, with the messaging that advertising and revenue matter more to Unity than the functionality game developers care about."

BUG says the install-fee terms Unity first announced earlier this month were "unthinkably hostile" to users and that even the "new concessions" in an updated pricing model offered late last week "disproportionately affect the success of indie studios in our community." But it's the fact that such "resounding, unequivocal condemnation from the games industry" was necessary to get those changes in the first place that has really shaken the community to its core. "We've seen how easily and flippantly an executive-led business decision can risk bankrupting the studios we've worked so hard to build, threaten our livelihoods as professionals, and challenge the longevity of our industry," BUG wrote. "The Unity of today isn't the same company that it was when the group was founded, and the trust we used to have in the company has been completely eroded."

Security

GPUs From All Major Suppliers Are Vulnerable To New Pixel-Stealing Attack (arstechnica.com) 26

An anonymous reader quotes a report from Ars Technica: GPUs from all six of the major suppliers are vulnerable to a newly discovered attack that allows malicious websites to read the usernames, passwords, and other sensitive visual data displayed by other websites, researchers have demonstrated in a paper (PDF) published Tuesday. The cross-origin attack allows a malicious website from one domain -- say, example.com -- to effectively read the pixels displayed by a website from example.org, or another different domain. Attackers can then reconstruct them in a way that allows them to view the words or images displayed by the latter site. This leakage violates a critical security principle that forms one of the most fundamental security boundaries safeguarding the Internet. Known as the same origin policy, it mandates that content hosted on one website domain be isolated from all other website domains. [...]

GPU.zip works only when the malicious attacker website is loaded into Chrome or Edge. The reason: For the attack to work, the browser must:

1. allow cross-origin iframes to be loaded with cookies
2. allow rendering SVG filters on iframes and
3. delegate rendering tasks to the GPU

For now, GPU.zip is more of a curiosity than a real threat, but that assumes that Web developers properly restrict sensitive pages from being embedded by cross-origin websites. End users who want to check if a page has such restrictions in place should look for the X-Frame-Options or Content-Security-Policy headers in the source.
"This is impactful research on how hardware works," a Google representative said in a statement. "Widely adopted headers can prevent sites from being embedded, which prevents this attack, and sites using the default SameSite=Lax cookie behavior receive significant mitigation against personalized data being leaked. These protections, along with the difficulty and time required to exploit this behavior, significantly mitigate the threat to everyday users. We are in communication and are actively engaging with the reporting researchers. We are always looking to further improve protections for Chrome users."
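The two checks the article points readers to (framing restrictions via X-Frame-Options or a Content-Security-Policy frame-ancestors directive, and whether cookies would accompany a cross-site iframe load, where SameSite=Lax is Chrome's default for an unmarked cookie) can be run against a response's headers. The following is an added example, not code from the researchers, Google, or Ars Technica. The header sets are constructed, and it assumes the precedence rules that a CSP frame-ancestors directive overrides X-Frame-Options and that the obsolete ALLOW-FROM value is ignored by current browsers.

```python
"""Assess whether a page's response headers let it be embedded cross-origin
(the first precondition of the GPU.zip attack) and whether its cookies would
travel into such an iframe. Added example, not the researchers' or Google's
code. Sample header sets below are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class FramingAssessment:
    embeddable_cross_origin: bool
    reason: str
    cookies_sent_into_frame: list[str] = field(default_factory=list)


def _csp_frame_ancestors(csp: str) -> list[str] | None:
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def assess_framing(headers: list[tuple[str, str]]) -> FramingAssessment:
    """headers: (name, value) pairs as sent, so repeated Set-Cookie lines survive."""
    csp_values, xfo, cookies = [], None, []
    for name, value in headers:
        n = name.lower()
        if n == "content-security-policy":
            csp_values.append(value)
        elif n == "x-frame-options":
            xfo = value.strip().upper()
        elif n == "set-cookie":
            cookies.append(value)

    # CSP frame-ancestors takes precedence over X-Frame-Options when both are present.
    ancestors = None
    for csp in csp_values:
        ancestors = _csp_frame_ancestors(csp)
        if ancestors is not None:
            break
    if ancestors is not None:
        if ancestors == ["'none'"]:
            embeddable, reason = False, "CSP frame-ancestors 'none'"
        elif ancestors == ["'self'"]:
            embeddable, reason = False, "CSP frame-ancestors 'self' (same-origin only)"
        else:
            embeddable, reason = True, f"CSP frame-ancestors allowlist: {' '.join(ancestors)}"
    elif xfo in ("DENY", "SAMEORIGIN"):
        embeddable, reason = False, f"X-Frame-Options {xfo}"
    elif xfo and xfo.startswith("ALLOW-FROM"):
        # ALLOW-FROM is obsolete and Chrome never honoured it: no effective protection.
        embeddable, reason = True, "X-Frame-Options ALLOW-FROM is ignored by modern browsers"
    else:
        embeddable, reason = True, "no framing restriction header"

    # A cookie reaches a cross-site iframe only when explicitly marked SameSite=None;
    # an unmarked cookie defaults to Lax in Chrome, which excludes framed requests.
    exposed: list[str] = []
    for cookie in cookies:
        attrs = [a.strip() for a in cookie.split(";")]
        cname = attrs[0].split("=", 1)[0]
        samesite = next((a.split("=", 1)[1].strip().lower()
                         for a in attrs[1:] if a.lower().startswith("samesite=")), "lax")
        if embeddable and samesite == "none":
            exposed.append(cname)
    return FramingAssessment(embeddable, reason, exposed)


# Constructed header sets for a page that renders account details.
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Secure; HttpOnly; SameSite=None"),
    ("Set-Cookie", "theme=dark; Path=/"),
]
HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("X-Frame-Options", "DENY"),
    ("Set-Cookie", "session=abc123; Secure; HttpOnly; SameSite=Lax"),
]
LEGACY_HEADERS = [
    ("X-Frame-Options", "ALLOW-FROM https://partner.example"),
    ("Set-Cookie", "session=abc123; Secure; SameSite=None"),
]

if __name__ == "__main__":
    for label, hdrs in [("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS), ("legacy", LEGACY_HEADERS)]:
        print(label, assess_framing(hdrs))
```

A page that reports embeddable with an empty cookie list is still framable, but a framed load would render it unauthenticated, which is the "significant mitigation" the Google statement attributes to the SameSite=Lax default; a page that reports a SameSite=None session cookie and no framing restriction is the case the article describes.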

An Intel representative, meanwhile, said that the chipmaker has "assessed the researcher findings that were provided and determined the root cause is not in our GPUs but in third-party software." A Qualcomm representative said "the issue isn't in our threat model as it more directly affects the browser and can be resolved by the browser application if warranted, so no changes are currently planned." Apple, Nvidia, AMD, and ARM didn't comment on the findings.

An informational write-up of the findings can be found here.
Microsoft

Windows 11's Next Big Update Now Available With Copilot, AI-powered Paint (theverge.com) 25

Microsoft is releasing one of its biggest updates to Windows 11 today. It includes access to the new Windows Copilot, AI-powered updates to Paint, Snipping Tool, and Photos, RGB lighting support, a modernized File Explorer, and much more. From a report: Windows Copilot is the big new feature for this Windows 11 update, bringing the same Bing Chat feature straight to the Windows 11 desktop. It appears as a sidebar in Windows 11, allowing you to control settings on a PC, launch apps, or simply answer queries. Microsoft is integrating Copilot into many parts of Windows, too. Copilot will essentially exist as an AI-powered digital assistant, much like Microsoft's vision for Cortana. While Microsoft shut down the Cortana app inside Windows 11 last month, Copilot looks like it's very much Microsoft's big push into AI.

Microsoft is also adding AI-powered features to Paint, Snipping Tool, and Windows 11's Photos app. Microsoft Paint is getting Photoshop-like features, with support for transparency and layers. [...] File Explorer is getting a more modern look with this Windows 11 update. The updated File Explorer UI includes a modern home interface with large file thumbnails and a carousel interface that can surface recent files and favorited ones. These changes make File Explorer blend in better with the overall Windows 11 design.

Google

Google Is Retiring Its Gmail Basic HTML View In January 2024 (bleepingcomputer.com) 79

Bill Toulas writes via BleepingComputer: Google is notifying Gmail users that the webmail's Basic HTML view will be deprecated in January 2024, and users will require modern browsers to continue using the service. After that date, all users of the popular webmail service will automatically be redirected to the more modern Standard view, which supports all the latest usability and security features.

The basic HTML view is a stripped-down version of Gmail that does not offer users chat, spell checking, keyboard shortcuts, adding or importing contacts, setting custom "from" addresses, or using rich text formatting. This feature is designed for people living in areas with internet access, using older hardware with limited memory, or using legacy web browsers that do not support current HTML features.

However, one of the biggest reasons users use HTML view is that text-to-speech tools used by users with visual impairment are more reliable, as the Standard view introduces technical complexities that are harder for these tools to manage. Nonetheless, Google has decided to retire Gmail's HTML view without providing specific reasons.

Hardware

The First Foldable PC Era is Unfolding (arstechnica.com) 47

Lenovo launched the first foldable laptop in 2020, but the first real era of foldable PCs is only starting to unfold now. From a report: Today, LG became the latest OEM to announce a foldable-screen laptop, right after HP announced its first attempt, the Spectre Foldable PC, earlier this month. LG only announced the Gram Fold in South Korea thus far. A Google translation of LG's Korean announcement said the laptop is 9.4-mm (0.37-inches) thick when unfolded and used like a 17-inch tablet. Alternatively, the OLED PC can be folded in half to use like an approximately 12.2-inch laptop. In the latter form, a virtual keyboard can appear on the bottom screen, and you can dock a Bluetooth keyboard to the bottom screen or pair a keyboard with the system wirelessly. The screen has 1920×2560 pixels for a pixel density of 188.2 pixels per inch.

One draw of foldable PCs is supposed to be portability. The Gram Fold weighs 2.76 pounds (1,250g), which is even lighter than LG's latest Gram clamshell laptop (2.9 pounds). According to Android Authority, LG's laptop will have an Intel Core i5-1335U, which has 8 Efficient cores (E-cores) at up to 3.4 GHz, two Performance cores (P-cores) at up to 4.6 GHz, 12 threads, and 12MB of cache. The PC is also supposed to have 16GB of RAM, a 512GB NVMe SSD, a 72 Wh battery, Wi-Fi 6E, and two USB-C ports. LG is claiming 99.5 percent DCI-P3 color coverage with the laptop.

[...] It's also possible we'll see similar designs from other laptop brands, as panel supplier LG Display announced today that it will start mass production of 17-inch foldable OLED laptop panels. The foldable OLED is made with what LG Display calls a Tandem OLED structure, using two-stack OLED technology, "which adds an extra organic emitting layer to deliver brighter screens while effectively dispersing energy across OLED components for optimal stability and longer lifespans," LG Display's announcement said. LG Display first entered mass production of foldable (13.3-inch) laptop panels in 2020. However, foldable PCs didn't immediately take off then, despite the panel being used in Lenovo's 2020 ThinkPad X1 Fold. Foldable PCs lacked the software support that Windows 11 now affords with its Snap windows layouts that make organizing windows across dual or folded screens more intuitive.

Security

A Ransomware Group Claims To Have Breached 'All Sony Systems' (videogameschronicle.com) 57

Tom Ivan, reporting for VGC: Ransomware group Ransomed[dot]vc claims to have successfully breached Sony Group and is threatening to sell a cache of data stolen from the Japanese company. While its claims remain unverified, Cyber Security Connect reports that the relative ransomware newcomer "has racked up an impressive amount of victims" since bursting onto the scene last month. "We have successfully compromissed [sic] all of sony systems," the group claimed on both the clear and dark nets. "We won't ransom them! We will sell the data. Due to Sony not wanting to pay. DATA IS FOR SALE."

According to Cyber Security Connect, the group has posted some proof-of-hack data, although it says this is "not particularly compelling information on the face of things." It includes what appear to be screenshots of an internal log-in page, an internal PowerPoint presentation, several Java files, and a file tree of the leak which seemingly includes fewer than 6,000 files. Most of Ransomed[dot]vc's members reportedly operate out of Ukraine and Russia.

Australia

Behind the Scenes at 'Have I Been Pwned' (abc.net.au) 22

The founder of the data-breach notification site Have I Been Pwned manages "the largest known repository of stolen data on the planet," reports Australia's public broadcaster ABC, including over 6 billion email addresses. Yet with no employees, Troy Hunt manages all of the technical and operational aspects single-handedly, and "has ended up playing an oddly central role in global cybersecurity." Troy is very careful with how he handles what he finds. He only collects (and encrypts) the mobile numbers, emails and passwords that he finds in the breaches, discarding the victims' names, physical addresses, bank details and other sensitive information. The idea is to let users find out where their data has been leaked from, but without exposing them to further risk. Once he identifies where a data breach has occurred, Troy also contacts the organisation responsible to allow it to inform its users before he does. This, he says, is often the hardest step of the process because he has to convince them it's legitimate and not some kind of scam itself.

He's not required to give organisations this opportunity, much less persist when they ignore his messages or accuse him of trying to shake them down for money. But there's evidence that this approach is working. Despite the legal grey area he has operated in for a decade now, he's avoided being sued by any of the organisations responsible for the 705 breaches that are now searchable on Have I Been Pwned. These days, major tech companies like Mozilla and 1Password use Have I Been Pwned, and Troy likes to point out that dozens of national governments and law enforcement agencies also partner with his service...

"He's not a company that's audited. He's just a dude on the web," says Jane Andrew, an expert on data breaches at the University of Sydney. "I think it's so shocking that this is where we find out information about ourselves." She says governments and law enforcement have, in general, left it to individuals to deal with the fallout from data breaches... Without an effective global regulator, Professor Andrew says, a crucial part of the world's cybersecurity infrastructure is left to rely on the goodwill of this one man on the Gold Coast.

Thanks to long-time Slashdot reader slincolne for sharing the article.
IT

Return to the Office? These Workers Quit Instead (yahoo.com) 159

"As more companies enforce their office mandates, some workers are choosing to quit instead of complying and returning to the office," reports the Washington Post. Workers say their reasons for quitting include everything from family to commuting expenses to being required to relocate. And many workers worry that people like those with disabilities or who are primary caregivers may be left behind due to their inability to successfully work from the office... Workers are pushing back, penning letters to executives, staging walkouts and quitting despite the tight labor market. "I'm not surprised at all," Prithwiraj Choudhury, a Harvard Business School professor who studies the future of work, said about workers quitting. "By mandating these rigid policies, you're risking your top performers and diversity. It just doesn't make economic sense."

Choudhury said companies should provide overall guidance that allows each to determine how they best work after analysis and feedback from workers. That's especially important for women, who Choudhury said are resigning in large numbers — a notion multiple surveys support... For some workers who moved or were hired remotely during the pandemic, commuting is a nearly impossible task, they say.

In a related note, Grindr tells the Post they're still requiring two-days-per-week in the office starting in October. Grindr says they're looking forward to "further improving productivity and collaboration."
Crime

Did Teens Ally with Ransomware Gangs for MGM Breach? (msn.com) 24

Recent breaches of MGM's casino systems "were probably carried out by teens and young adults who have allied themselves with one of the world's most notorious ransomware gangs," writes the Washington Post's technology reporter.

Their alliance with the "Scattered Spider" group is described as "part of a trend that has alarmed security experts and defenders of corporate computer networks." The group is said to be "very active in the past two years, targeting large companies via stolen employee credentials and tricks such as convincing tech support employees that they have been accidentally locked out of their computers and need a new password." They moved from cryptocurrency thefts to targeting businesses that provide third-party business functions such as help desks and call center staffing, allowing them to infiltrate networks of many customers. And they extorted Western Digital and other technology firms after stealing internal data before heading for the jackpots in Las Vegas. But their willingness to deploy crippling ransomware while demanding money is a major escalation, as is their choice of a business partner: ALPHV, a hacking group whose affiliates include members of the former Russian powerhouses BlackMatter and DarkSide, the groups responsible for the Colonial Pipeline hack that awoke Washington to the national security risk of ransomware. ALPHV provided the BlackCat ransomware that the young hackers installed in the casinos' systems...

[According to new research presented Friday at the LABScon security conference] they came together through crimes enabled by SIM-swapping, which usually involves convincing phone company employees to hand over control of someone else's phone number. Because of poor security controls around those numbers, such gambits have allowed criminals to amass millions of dollars by beating SMS text-based two-factor authentication on cryptocurrency accounts. The extra money has made alliances possible with criminals who have different skills to bring to the table, including some who had hacked police servers and could send emails from purported officers demanding emergency disclosures of information on phone and internet customers. Worse, the researchers said, they have now attracted recruiters for the Russian gangs who want to combine their business savvy with the techniques and local knowledge of the native English speakers.

Encryption

Meredith Whittaker Reaffirms That Signal Would Leave UK If Forced By Privacy Bill (techcrunch.com) 69

Meredith Whittaker, the president of the Signal Foundation, which maintains the nonprofit Signal messaging app, reaffirmed that Signal would leave the U.K. if the country's recently passed Online Safety Bill forced Signal to build "backdoors" into its end-to-end encryption. From a report: "We would leave the U.K. or any jurisdiction if it came down to the choice between backdooring our encryption and betraying the people who count on us for privacy, or leaving," Whittaker said. "And that's never not true." The Online Safety Bill, which was passed into law in September, includes a clause -- clause 122 -- that, depending on how it's interpreted, could allow the U.K.'s communications regulator, Ofcom, to break the encryption of apps and services under the guise of making sure illegal material such as child sexual exploitation and abuse content is removed.

Ofcom could fine companies not in compliance up to $22.28 million, or 10% of their global annual revenue, under the bill -- whichever is greater. Whittaker didn't mince words in airing her fears about the Online Safety Bill's implications. "We're not about political stunts, so we're not going to just pick up our toys and go home to, like, show the bad U.K. they're being mean," she said. "We're really worried about people in the U.K. who would live under a surveillance regime like the one that seems to be teased by the Home Office and others in the U.K."
