Mozilla is urging Firefox users to update their browsers to version 128 or later (or ESR 115.13 for extended support users) before March 14, 2025, to avoid security risks and add-on disruptions caused by the expiration of a key root certificate. "On 14 March a root certificate (the resource used to prove an add-on was approved by Mozilla) will expire, meaning Firefox users on versions older than 128 (or ESR 115) will not be able to use their add-ons," warns a Mozilla blog post. "We want developers to be aware of this in case some of your users are on older versions of Firefox that may be impacted." BleepingComputer reports: A Mozilla support document explains that failing to update Firefox could expose users to significant security risks and practical issues, which, according to Mozilla, include:

- Malicious add-ons can compromise user data or privacy by bypassing security protections.
- Untrusted certificates may allow users to visit fraudulent or insecure websites without warning.
- Compromised password alerts may stop working, leaving users unaware of potential account breaches.

It is noted that the problem impacts Firefox on all platforms, including Windows, Android, Linux, and macOS, except for iOS, where there's an independent root certificate management system. Mozilla says that users relying on older versions of Firefox may continue using their browsers after the expiration of the certificate if they accept the security risks, but the software's performance and functionality may be severely impacted.

An anonymous reader quotes a report from the EFF: EFF is deeply saddened to learn of the passing of Mark Klein, a bona fide hero who risked civil liability and criminal prosecution to help expose a massive spying program that violated the rights of millions of Americans. Mark didn't set out to change the world. For 22 years, he was a telecommunications technician for AT&T, most of that in San Francisco. But he always had a strong sense of right and wrong and a commitment to privacy. When the New York Times reported in late 2005 that the NSA was engaging in spying inside the U.S., Mark realized that he had witnessed how it was happening. He also realized that the President was not telling Americans the truth about the program. And, though newly retired, he knew that he had to do something. He showed up at EFF's front door in early 2006 with a simple question: "Do you folks care about privacy?"

We did. And what Mark told us changed everything. Through his work, Mark had learned that the National Security Agency (NSA) had installed a secret, secure room at AT&T's central office in San Francisco, called Room 641A. Mark was assigned to connect circuits carrying Internet data to optical "splitters" that sat just outside of the secret NSA room but were hardwired into it. Those splitters -- as well as similar ones in cities around the U.S. -- made a copy of all data going through those circuits and delivered it into the secret room. Mark not only saw how it works, he had the documents to prove it. He brought us over a hundred pages of authenticated AT&T schematic diagrams and tables. Mark also shared this information with major media outlets, numerous Congressional staffers, and at least two senators personally. One, Senator Chris Dodd, took the floor of the Senate to acknowledge Mark as the great American hero he was.

Schools across the United States are increasingly using artificial intelligence to monitor students' online activities, raising significant privacy concerns after Vancouver Public Schools inadvertently released nearly 3,500 unredacted, sensitive student documents to reporters.

The surveillance software, developed by companies like Gaggle Safety Management, scans school-issued devices 24/7 for signs of bullying, self-harm, or violence, alerting staff when potential issues are detected. Approximately 1,500 school districts nationwide use Gaggle's technology to track six million students, with Vancouver schools paying $328,036 for three years of service.

While school officials maintain the technology has helped counselors intervene with at-risk students, documents revealed LGBTQ+ students were potentially outed to administrators through the monitoring.

An anonymous reader quotes a report from The Register: New York State has sued Allstate Insurance for operating websites so badly designed they would deliver personal information in plain-text to anyone that went looking for it. The data was lifted from Allstate's National General business unit, which ran a website for consumers who wanted to get a quote for a policy. That task required users to input a name and address, and once that info was entered, the site searched a LexisNexis Risk Solutions database for data on anyone who lived at the address provided. The results of that search would then appear on a screen that included the driver's license number (DLN) for the given name and address, plus "names of any other drivers identified as potentially living at that consumer's address, and the entire DLNs of those other drivers."

Naturally, miscreants used the system to mine for people's personal information for fraud. "National General intentionally built these tools to automatically populate consumers' entire DLNs in plain text -- in other words, fully exposed on the face of the quoting websites -- during the quoting process," the court documents [PDF] state. "Not surprisingly, attackers identified this vulnerability and targeted these quoting tools as an easy way to access the DLNs of many New Yorkers," according to the lawsuit. The digital thieves then used this information to "submit fraudulent claims for pandemic and unemployment benefits," we're told. ... [B]y the time the insurer resolved the mess, crooks had built bots that harvested at least 12,000 individuals' driver's license numbers from the quote-generating site.

The Washington Post reports: Meta was willing to go to extreme lengths to censor content and shut down political dissent in a failed attempt to win the approval of the Chinese Communist Party and bring Facebook to millions of internet users in China, according to a new whistleblower complaint from a former global policy director at the company.

The complaint by Sarah Wynn-Williams, who worked on a team handling China policy, alleges that the social media giant so desperately wanted to enter the lucrative China market that it was willing to allow the ruling party to oversee all social media content appearing in the country and quash dissenting opinions. Meta, then called Facebook, developed a censorship system for China in 2015 and planned to install a "chief editor" who would decide what content to remove and could shut down the entire site during times of "social unrest," according to a copy of the 78-page complaint exclusively seen by The Washington Post.

Meta chief executive Mark Zuckerberg also agreed to crack down on the account of a high-profile Chinese dissident living in the United States following pressure from a high-ranking Chinese official the company hoped would help them enter China, according to the complaint, which was filed in April to the Securities and Exchange Commission [SEC]. When asked about its efforts to enter China, Meta executives repeatedly "stonewalled and provided nonresponsive or misleading information" to investors and American regulators, according to the complaint.

Wynn-Williams bolstered her SEC complaint with internal Meta documents about the company's plans, which were reviewed by The Post. Wynn-Williams, who was fired from her job in 2017, is also scheduled to release a memoir this week documenting her time at the company, titled "Careless People: A Cautionary Tale of Power, Greed, and Lost Idealism." According to a memo in the complaint, Meta leaders faced aggressive pressure by Chinese government officials to host Chinese users' data to local data centers, which Wynn-Williams alleges would have made it easier for the Chinese Communist Party to covertly obtain the personal information of its citizens.
Wynn-Williams told the Washington Post that "for many years Meta has been working hand in glove with the Chinese Communist Party, briefing them on the latest technological developments and lying about it."

Reached for a comment, Meta spokesman Andy Stone told the Washington Post it was "no secret" they'd been interested in operating in China. "This was widely reported beginning a decade ago. We ultimately opted not to go through with the ideas we'd explored, which Mark Zuckerberg announced in 2019." Although the Post shares new details about what a Facebook privacy policy staffer offer China in negotations in 2014. ("In exchange for the ability to establish operations in China, FB will agree to grant the Chinese government access to Chinese users' data — including Hongkongese users' data.")

The Post also describes one iteration of a proposed agreement in 2015. "To aid the effort, Meta built a censorship system specially designed for China to review, including the ability to automatically detect restricted terms and popular content on Facebook, according to the complaint...

"In 2017, Meta covertly launched a handful of social apps under the name of a China-based company created by one of its employees, according to the complaint."

Equuleus42 (Slashdot reader #723) brings word that the Electronic Frontier Foundation (EFF) is sharing a new tool for fighting back against cellphone surveillance by Stingray cell-site simulators.

Android Authority reports: "Rayhunter" uses an open-source software package designed to look for evidence of IMSI catchers in action, running on an old Orbic Speed RC400L mobile hotspot. The great thing about that choice is that you can pick one up for practically nothing — we're seeing them listed for barely over $10 on Amazon, and you can find them even cheaper on eBay. There's an installation script for Macs and Linux to automate getting set up, but once the Orbic is flashed with the Rayhunter software, it should be ready go, collecting data about sketchy-looking "cell towers" it picks up.

Right now, much of the use of IMSI catchers is still shrouded in mystery, with the groups who regularly employ them extremely hesitant to disclose their methods. As a result, a big focus of this EFF project is just getting more info on how and where these are actually used, giving protestors a better sense of the steps they'll need to take if they want to protect their privacy.

Signal President Meredith Whittaker warned at SXSW that agentic AI poses significant privacy and security risks, as these AI agents require extensive access to users' personal data, likely processing it unencrypted in the cloud. TechCrunch reports: "So we can just put our brain in a jar because the thing is doing that and we don't have to touch it, right?," Whittaker mused. Then she explained the type of access the AI agent would need to perform these tasks, including access to our web browser and a way to drive it as well as access to our credit card information to pay for tickets, our calendar, and messaging app to send the text to your friends. "It would need to be able to drive that [process] across our entire system with something that looks like root permission, accessing every single one of those databases -- probably in the clear, because there's no model to do that encrypted," Whittaker warned.

"And if we're talking about a sufficiently powerful ... AI model that's powering that, there's no way that's happening on device," she continued. "That's almost certainly being sent to a cloud server where it's being processed and sent back. So there's a profound issue with security and privacy that is haunting this hype around agents, and that is ultimately threatening to break the blood-brain barrier between the application layer and the OS layer by conjoining all of these separate services [and] muddying their data," Whittaker concluded.

If a messaging app like Signal were to integrate with AI agents, it would undermine the privacy of your messages, she said. The agent has to access the app to text your friends and also pull data back to summarize those texts. Her comments followed remarks she made earlier during the panel on how the AI industry had been built on a surveillance model with mass data collection. She said that the "bigger is better AI paradigm" -- meaning the more data, the better -- had potential consequences that she didn't think were good. With agentic AI, Whittaker warned we'd further undermine privacy and security in the name of a "magic genie bot that's going to take care of the exigencies of life," she concluded. You can watch the full speech on YouTube.

An anonymous reader quotes a report from The Verge: DuckDuckGo has big plans for embedding AI into its search engine. The privacy-focused company just announced that its AI-generated answers, which appear for certain queries on its search engine, have exited beta and now source information from across the web -- not just Wikipedia. It will soon integrate web search within its AI chatbot, which has also exited beta. DuckDuckGo first launched AI-assisted answers -- originally called DuckAssist -- in 2023. The feature is billed as a less obnoxious version of tools like Google's AI Overviews, designed to offer more concise responses and let you adjust how often you see them, including turning the responses off entirely. If you have DuckDuckGo's AI-generated answers set to "often," you'll still only see them around 20 percent of the time, though the company plans on increasing the frequency eventually.

Some of DuckDuckGo's AI-assisted answers bring up a box for follow-up questions, redirecting you to a conversation with its Duck.ai chatbot. As is the case with its AI-assisted answers, you don't need an account to use Duck.ai, and it comes with the same emphasis on privacy. It lets you toggle between GPT-4o mini, o3-mini, Llama 3.3, Mistral Small 3, and Claude 3 Haiku, with the advantage being that you can interact with each model anonymously by hiding your IP address. DuckDuckGo also has agreements with the AI company behind each model to ensure your data isn't used for training.

Duck.ai also rolled out a feature called Recent Chats, which stores your previous conversations locally on your device rather than on DuckDuckGo's servers. Though Duck.ai is also leaving beta, that doesn't mean the flow of new features will stop. In the next few weeks, Duck.ai will add support for web search, which should enhance its ability to respond to questions. The company is also working on adding voice interaction on iPhone and Android, along with the ability to upload images and ask questions about them. ... [W]hile Duck.ai will always remain free, the company is considering including access to more advanced AI models with its $9.99 per month subscription.

1Password has introduced a 'nearby items' feature, allowing users to tag credentials with physical locations so the relevant information automatically surfaces when users are near those locations. Engadget reports: Location information can be added to any new or existing item in a 1Password vault. The app has also been updated with a map view for setting and viewing the locations of your items. In the blog post announcing the feature, the company cited examples such as door codes for a workplace, health records at a doctor's office, WiFi access at the gym and rewards membership information for local shops as potential uses for location data.

Privacy and security are paramount for a password manager, and 1Password confirmed that a user's location coordinates are only used locally and do not leave the device. Nearby items is available to 1Password customers starting today.

India's income tax department will gain powers to access citizens' social media accounts, emails and other digital spaces beginning April 2026 under the new income tax bill, in a significant expansion of its search and seizure authority.

The legislation, which has raised privacy concerns among legal experts, allows tax officers to "gain access by overriding the access code" to computer systems and "virtual digital spaces" if they suspect tax evasion.

The bill broadly defines virtual digital spaces to include email servers, social media accounts, online investment accounts, banking platforms, and cloud servers.

"The expansion raises significant concerns regarding constitutional validity, potential state overreach, and practical enforcement," Sonam Chandwani, Managing Partner at KS Legal and Associates, told Indian newspaper Economic Times.

Utah has become the first U.S. state to pass legislation requiring app store operators to verify users' ages and obtain parental consent for minors downloading apps.

The App Store Accountability Act adds to a wave of children's online safety bills advancing through state legislatures nationwide. Similar legislation has faced legal challenges, with many being blocked in courts. A comparable federal bill failed last year amid free expression concerns.

The approach shifts verification responsibility to mobile app stores rather than individual websites, a move supported by Meta, Snap, and X in a joint statement urging Congress to follow suit. "Parents want a one-stop shop to verify their child's age and grant permission," they stated. Critics, including Chamber of Progress, warn the law threatens privacy and constitutional rights. A federal judge previously blocked a similar Utah law over First Amendment concerns.

CISA has warned U.S. federal agencies about active exploitation of vulnerabilities in Cisco VPN routers and Windows systems. "While the cybersecurity agency has tagged these flaws as actively exploited in the wild, it has yet to provide specific details regarding this malicious activity and who is behind it," adds Bleeping Computer. From the report: The first flaw (tracked as CVE-2023-20118) enables attackers to execute arbitrary commands on RV016, RV042, RV042G, RV082, RV320, and RV325 VPN routers. While it requires valid administrative credentials, this can still be achieved by chaining the CVE-2023-20025 authentication bypass, which provides root privileges. Cisco says in an advisory published in January 2023 and updated one year later that its Product Security Incident Response Team (PSIRT) is aware of CVE-2023-20025 publicly available proof-of-concept exploit code.

The second security bug (CVE-2018-8639) is a Win32k elevation of privilege flaw that local attackers logged into the target system can exploit to run arbitrary code in kernel mode. Successful exploitation also allows them to alter data or create rogue accounts with full user rights to take over vulnerable Windows devices. According to a security advisory issued by Microsoft in December 2018, this vulnerability impacts client (Windows 7 or later) and server (Windows Server 2008 and up) platforms.

Today, CISA added the two vulnerabilities to its Known Exploited Vulnerabilities catalog, which lists security bugs the agency has tagged as exploited in attacks. As mandated by the Binding Operational Directive (BOD) 22-01 issued in November 2021, Federal Civilian Executive Branch (FCEB) agencies now have three weeks, until March 23, to secure their networks against ongoing exploitation.

"We need a license to allow us to make some of the basic functionality of Firefox possible," Mozilla explained Wednesday in a clarification a recent Terms of Use update. "Without it, we couldn't use information typed into Firefox, for example. It does NOT give us ownership of your data or a right to use it for anything other than what is described in the Privacy Notice."

But Friday they went further, and revised those new Terms of Use "to more clearly reflect the limited scope of how Mozilla interacts with user data," according to a Mozilla blog post. More details from the Verge: The particular language that drew criticism was:

"When you upload or input information through Firefox, you hereby grant us a nonexclusive, royalty-free, worldwide license to use that information to help you navigate, experience, and interact with online content as you indicate with your use of Firefox."

That language has been removed. Now, the language in the terms says:

"You give Mozilla the rights necessary to operate Firefox. This includes processing your data as we describe in the Firefox Privacy Notice. It also includes a nonexclusive, royalty-free, worldwide license for the purpose of doing as you request with the content you input in Firefox. This does not give Mozilla any ownership in that content...."

Friday's post additionally provides some context about why the company has "stepped away from making blanket claims that 'We never sell your data.'" Mozilla says that "in some places, the LEGAL definition of 'sale of data' is broad and evolving," and that "the competing interpretations of do-not-sell requirements does leave many businesses uncertain about their exact obligations and whether or not they're considered to be 'selling data.'" Mozilla says that "there are a number of places where we collect and share some data with our partners" so that Firefox can be "commercially viable," but it adds that it spells those out in its privacy notice and works to strip data of potentially identifying information or share it in aggregate.

Mozilla has denied allegations that its new Firefox browser terms of service allow it to harvest user data for artificial intelligence training, following widespread criticism of the recently updated policy language. The controversy erupted after Firefox introduced terms that grant Mozilla "a nonexclusive, royalty-free, worldwide license to use that information" when users upload content through the browser, prompting competitor Brave Software's CEO Brendan Eich to suggest a business pivot toward data monetization.

"These changes are not driven by a desire by Mozilla to use people's data for AI or sell it to advertisers," Mozilla spokesperson Kenya Friend-Daniel told TechCrunch. "Our ability to use data is still limited by what we disclose in the Privacy Notice." The company clarified that its AI features operate locally on users' devices and don't send content data to Mozilla. Any data shared with advertisers is provided only on a "de-identified or aggregated basis," according to the spokesperson. Mozilla explained it used specific legal terms -- "nonexclusive," "royalty-free," and "worldwide" -- because Firefox is free, available globally, and allows users to maintain control of their own data.

UPDATE (3/1/2025): "We need a license to allow us to make some of the basic functionality of Firefox possible," Mozilla explained Wednesday in a clarification a recent Terms of Use update. "Without it, we couldn't use information typed into Firefox, for example. It does NOT give us ownership of your data or a right to use it for anything other than what is described in the Privacy Notice."

But Friday they went further, and revised those new Terms of Use "to more clearly reflect the limited scope of how Mozilla interacts with user data," according to a Mozilla blog post. ("You give Mozilla the rights necessary to operate Firefox... This does not give Mozilla any ownership in that content.")

Slashdot's original post below...

New submitter SharkByte writes: Mozilla just updated its Terms of Use and Privacy Policy for Firefox with a very disturbing "You Give Mozilla Certain Rights and Permissions" clause:

H/T to reader agristin as well, who also wrote about this.

Researchers at George Mason University discovered a vulnerability in Apple's Find My network that allows hackers to silently track any Bluetooth device as if it were an AirTag, without the owner's knowledge. 9to5Mac reports: Although AirTag was designed to change its Bluetooth address based on a cryptographic key, the attackers developed a system that could quickly find keys for Bluetooth addresses. This was made possible by using "hundreds" of GPUs to find a key match. The exploit called "nRootTag" has a frightening success rate of 90% and doesn't require "sophisticated administrator privilege escalation."

In one of the experiments, the researchers were able to track the location of a computer with an accuracy of 10 feet, which allowed them to trace a bicycle moving through the city. In another experiment, they reconstructed a person's flight path by tracking their game console. "While it is scary if your smart lock is hacked, it becomes far more horrifying if the attacker also knows its location. With the attack method we introduced, the attacker can achieve this," said one of the researchers. Apple has acknowledged the George Mason researchers for discovering a Bluetooth exploit in its Find My network but has yet to issue a fix. "For now, they advise users to never allow unnecessary access to the device's Bluetooth when requested by apps, and of course, always keep their device's software updated," reports 9to5Mac.

Apple announced a new feature allowing parents to share a child's age with app developers without exposing sensitive information, as lawmakers debate age-verification laws for social media and apps. Reuters reports: States, such as Utah and South Carolina, are currently debating laws that would require app store operators such as Apple and Alphabet's Google to check the ages of users. That has set up a conflict in the tech industry over which party should be responsible for checking ages for users under 18 -- app stores, or each individual app. Meta, for instance, has long argued in favor of legislation requiring app stores to check ages when a child downloads an app.

Apple on Thursday said it does not want to be responsible for collecting sensitive data for those age verifications. "While only a fraction of apps on the App Store may require age verification, all users would have to hand over their sensitive personally identifying information to us -- regardless of whether they actually want to use one of these limited set of apps," Apple wrote in a whitepaper on its website.

An anonymous reader quotes a report from TechCrunch: Security researchers are warning that data exposed to the internet, even for a moment, can linger in online generative AI chatbots like Microsoft Copilot long after the data is made private. Thousands of once-public GitHub repositories from some of the world's biggest companies are affected, including Microsoft's, according to new findings from Lasso, an Israeli cybersecurity company focused on emerging generative AI threats.

Lasso co-founder Ophir Dror told TechCrunch that the company found content from its own GitHub repository appearing in Copilot because it had been indexed and cached by Microsoft's Bing search engine. Dror said the repository, which had been mistakenly made public for a brief period, had since been set to private, and accessing it on GitHub returned a "page not found" error. "On Copilot, surprisingly enough, we found one of our own private repositories," said Dror. "If I was to browse the web, I wouldn't see this data. But anyone in the world could ask Copilot the right question and get this data."

After it realized that any data on GitHub, even briefly, could be potentially exposed by tools like Copilot, Lasso investigated further. Lasso extracted a list of repositories that were public at any point in 2024 and identified the repositories that had since been deleted or set to private. Using Bing's caching mechanism, the company found more than 20,000 since-private GitHub repositories still had data accessible through Copilot, affecting more than 16,000 organizations. Lasso told TechCrunch ahead of publishing its research that affected organizations include Amazon Web Services, Google, IBM, PayPal, Tencent, and Microsoft. [...] For some affected companies, Copilot could be prompted to return confidential GitHub archives that contain intellectual property, sensitive corporate data, access keys, and tokens, the company said.

Google has updated its Results About You tool with a redesigned hub, easier removal requests directly from Search, and the ability to refresh outdated results. Engadget reports: Today, the tech giant is announcing the latest changes, including a redesigned hub and the ability to update outdated search results to reflect the latest changes.

The redesign isn't only for show. You can now submit removal requests directly from Search with fewer actions by clicking or tapping the three dots beside a search result. If you manage to have content about you deleted or changed from a website but Google Search hasn't caught up, you can refresh the search, which will "recrawl the page and obtain the latest information." In other words, you can always see the most up-to-date results about you.

U.S. Director of National Intelligence Tulsi Gabbard has condemned a British order requiring Apple to break its encrypted storage worldwide as an "egregious" violation of American rights that could breach the CLOUD Act facilitating cross-border investigations. In a letter [PDF] to Senator Ron Wyden and Representative Andy Biggs, Gabbard revealed she has directed a legal review of the secret order, which she learned about through media reports.

"This would be a clear and egregious violation of Americans' privacy and civil liberties, and open up a serious vulnerability for cyber exploitation by adversarial actors," Gabbard wrote. The UK Home Office, under the Investigatory Powers Act, prohibited Apple from disclosing the order to Congress or U.S. regulators. The directive would have forced Apple to compromise its Advanced Data Protection encryption, enabling officials to access individual data. Apple refused compliance, instead withdrawing the secure storage option from UK customers while maintaining it elsewhere globally. Despite Apple's pullback, the UK demand for backdoor creation remains. Gabbard pledged to ensure UK actions protect American privacy rights "consistent with the CLOUD Act and other applicable laws."