submitted 1 year ago* (last edited 11 months ago) by ResidualBit@beehaw.org to c/technology@beehaw.org

Regarding Beehaw defederating from lemmy.world and sh.itjust.works, this post goes into detail on the why and the philosophy behind that decision. Additionally, there is an update specific to sh.itjust.works here.

For now, let's talk about what federation is and what defederation means for members of Beehaw or the above two communities interacting with each other, as well as the broader fediverse.

Federation is not something new on the internet. Most users use federated services every day (for instance, the URL used to access instances relies on a federated service known as DNS, and email is another system that functions through federation.) Just like those services, you elect to use a service provider that allows you to communicate with the rest of the world. That service provider is your window to work with others.

When you federate, you mutually agree to share your content. This means that posting something to a site can be seen by another and all comments are shared. Even users from other sites can post to your site.

Now when you defederate, content is no longer shared. It doesn't reverse any previous sharing or posts; it just stops the information from flowing with the selected instance. This only impacts the sites that are called out.

What this means to you is that when a user is on an instance (e.g. Beehaw) that has chosen to defederate from another (e.g. lemmy.world), they can no longer interact with content on that other instance, and vice versa. Other instances can still see the content of both servers as though nothing has happened.

  • A user is not limited in how many instances they can join (technically at least - some instances have more stringent requirements for joining than others do)
  • A user can interact with Lemmy content without being a user of any Lemmy instance - e.g. Mastodon (UI for doing so is limited, but it is still possible.)

Considering the above, it is important to understand just how much autonomy we, as users, have. For example, as the larger instances are flooded with users and their respective admins and mods try to keep up, many smaller instances not only thrive but emerge regularly (and even single-user instances - I have one for just myself!) The act of defederation does not serve to lock individual users out of anything, as there are multiple avenues to maintain access, if you want it, to the entirety of the unfiltered fediverse.

On that last point, another consideration at the individual level is - what do you want out of Lemmy? Do you want to find and connect with like-minded people, share information, and connect at a social and community level? Do you want to casually browse content and not really interact with anyone? These questions and the questions that they lead to are critical. There is no direct benefit to being on the biggest instance. In fact, as we all deal with this mass influx and figure out what that means for our own instances and interactions with others, I would argue that a smaller instance is actually much better suited for those who just want to casually browse everything.

Lastly, and tangential, another concern I have seen related to this conversation is people feeling afraid of being locked out of the content and conversation from the "main" communities around big topics starting to form across the Lemmiverse (think memes, gaming, tech, politics, news, etc.) Over time, certain communities will certainly become a default for some people just given the community size (there will always be a biggest or most active - it's just a numbers game.) This, again though, all comes down to personal preference and what each individual is looking to get from their Lemmy experience. While there may, eventually, be a “main” sub for (again, by the numbers), there will also always be quite a few other options for targeted discussions on , within different communities, on different instances, each with their own culture and vibe. This can certainly feel overwhelming and daunting (and at the moment, honestly it is.) Reddit and other non-federated platforms provided the illusion of choice, but this is what actual choice looks and feels like.

[edit: grammar and spelling]

submitted 1 year ago* (last edited 1 year ago) by RedPander@lemmy.rogers-net.com to c/technology@beehaw.org

Hopefully I'm posting this in the right place, but I see Reddit developments as Tech news right now.

Wanted to share a website that is tracking Subreddits that have/will be going dark. It even has a sound notification for when they change their status.

Edit: Adding the stream https://www.twitch.tv/reddark_247

Double Edit: Data visualization https://blackout.photon-reddit.com/


As soon as Apple announced its plans to inject generative AI into the iPhone, it was as good as official: The technology is now all but unavoidable. Large language models will soon lurk on most of the world’s smartphones, generating images and text in messaging and email apps. AI has already colonized web search, appearing in Google and Bing. OpenAI, the $80 billion start-up that has partnered with Apple and Microsoft, feels ubiquitous; the auto-generated products of its ChatGPTs and DALL-Es are everywhere. And for a growing number of consumers, that’s a problem.

Rarely has a technology risen—or been forced—into prominence amid such controversy and consumer anxiety. Certainly, some Americans are excited about AI, though a majority said in a recent survey, for instance, that they are concerned AI will increase unemployment; in another, three out of four said they believe it will be abused to interfere with the upcoming presidential election. And many AI products have failed to impress. The launch of Google’s “AI Overview” was a disaster; the search giant’s new bot cheerfully told users to add glue to pizza and that potentially poisonous mushrooms were safe to eat. Meanwhile, OpenAI has been mired in scandal, incensing former employees with a controversial nondisclosure agreement and allegedly ripping off one of the world’s most famous actors for a voice-assistant product. Thus far, much of the resistance to the spread of AI has come from watchdog groups, concerned citizens, and creators worried about their livelihood. Now a consumer backlash to the technology has begun to unfold as well—so much so that a market has sprung up to capitalize on it.

Obligatory "fuck 99.9999% of all AI use-cases, the people who make them, and the techbros that push them."


Archived version

  • Former employee Andrew Harris says the software giant dismissed his warnings about a critical flaw because it feared losing government business. Russian hackers later used the weakness to breach the National Nuclear Security Administration, among others.

  • Harris said he pleaded with the company for several years to address the flaw in the product. But at every turn, Microsoft dismissed his warnings, telling him they would work on a long-term alternative — leaving cloud services around the globe vulnerable to attack in the meantime.

  • He scrambled to alert some of the company’s most sensitive customers about the threat and personally oversaw the fix for the New York Police Department. Frustrated by Microsoft’s inaction, he left the company in August 2020.

  • Within months, his fears became reality. U.S. officials confirmed reports that a state-sponsored team of Russian hackers had carried out SolarWinds, one of the largest cyberattacks in U.S. history. They used the flaw Harris had identified to vacuum up sensitive data from a number of federal agencies, including the National Nuclear Security Administration, which maintains the United States’ nuclear weapons stockpile, and the National Institutes of Health, which at the time was engaged in COVID-19 research and vaccine distribution.

  • The Russians also used the weakness to compromise dozens of email accounts in the Treasury Department, including those of its highest-ranking officials. One federal official described the breach as “an espionage campaign designed for long-term data collection.”

  • From the moment the hack surfaced, Microsoft insisted it was blameless. Microsoft President Brad Smith assured Congress in 2021 that “there was no vulnerability in any Microsoft product or service that was exploited” in SolarWinds.

  • The Microsoft manager also said customers could have done more to protect themselves.

  • Harris said they were never given the chance. "The decisions are not based on what’s best for Microsoft’s customers but on what’s best for Microsoft,” he said.


Archived version

Microsoft president Brad Smith will tell lawmakers on Capitol Hill Thursday that the company is responsible for "each and every one of the issues" that a government advisory board uncovered while investigating a recent China hack, according to prepared remarks.

Why it matters: Lawmakers, administration officials and regulators have started to lose trust in the tech giant's ability to secure its products after a series of nation-state cyberattacks.

Driving the news: Microsoft has faced two notable nation-state cyberattacks in the last year that have put federal agencies' communications in jeopardy.

  • Microsoft disclosed last July that a China-backed hacking group had broken into the email accounts of several organizations, including federal offices. Commerce Secretary Gina Raimondo and several State officials were affected.

  • Russian intelligence hackers also stole several federal agencies' emails after breaching Microsoft, the Cybersecurity and Infrastructure Security Agency said earlier this year.

The big picture: Ever since these incidents, Microsoft has faced a mountain of scrutiny in Washington from lawmakers and competitors.

  • The Cyber Safety Review Board (CSRB) said in an April report that the Chinese espionage campaign, in particular, was "preventable and should never have occurred."

  • Senators are pushing back against the Pentagon's reported plans to upgrade its suite of Microsoft products as part of its zero-trust transition.

  • And eager competitors have gone on a campaign to woo Microsoft's government customers.

The other side: Microsoft has been briefing federal security leaders and their teams on a new set of security principles it's been implementing internally, known as the Secure Future Initiative.

  • The plan ties executives' pay to improving cybersecurity and calls on teams to prioritize security investments over fast product development.

Zoom in: In his remarks to the House Homeland Security Committee, Smith will tell lawmakers that he sees the advisory board's recommendations as good advice for all corporations to follow as they face "more prolific, well-resourced, and sophisticated cyberattacks."

  • Smith plans to lay out how the new Secure Future Initiative will help address each issue in the advisory board's report, per his remarks published Wednesday.

  • "We acknowledge that we can and must do better, and we apologize and express our deepest regrets to those who have been impacted," Smith will say.

  • Microsoft has invited the Cybersecurity and Infrastructure Security Agency (CISA) to its headquarters for a "detailed technical briefing" on the initiative, according to the published remarks.

Between the lines: Compared to past hearings about cyberattacks, Thursday's congressional hearing will hit close to home for lawmakers given the federal government's heavy reliance on Microsoft's products.

  • Many agencies rely on Microsoft as their sole operating system, email provider, cybersecurity product vendor and office software provider.

  • The Software & Information Industry Association — a trade group that represents software vendors — sent a letter Wednesday to agency leaders urging them to find ways to diversify beyond Microsoft.

What we're watching: Smith will need to provide bulletproof reassurances and transparency about Microsoft's security plans to lawmakers and regulators to regain their trust in Washington.

submitted 8 hours ago by hedge@beehaw.org to c/technology@beehaw.org
submitted 18 hours ago by BevelGear@beehaw.org to c/technology@beehaw.org

Company he works at eternos.life

submitted 1 day ago by 0x815@feddit.de to c/technology@beehaw.org

Mozilla, the maker of the popular web browser Firefox, said it received government demands to block add-ons that circumvent censorship.

The Mozilla Foundation, the entity behind the web browser Firefox, is blocking various censorship circumvention add-ons for its browser, including ones specifically to help those in Russia bypass state censorship. The add-ons were blocked at the request of Russia’s federal censorship agency, Roskomnadzor — the Federal Service for Supervision of Communications, Information Technology, and Mass Media — according to a statement by Mozilla to The Intercept.

“Following recent regulatory changes in Russia, we received persistent requests from Roskomnadzor demanding that five add-ons be removed from the Mozilla add-on store,” a Mozilla spokesperson told The Intercept in response to a request for comment. “After careful consideration, we’ve temporarily restricted their availability within Russia. Recognizing the implications of these actions, we are closely evaluating our next steps while keeping in mind our local community.”

Stanislav Shakirov, the chief technical officer of Roskomsvoboda, a Russian open internet group, said he hoped it was a rash decision by Mozilla that will be more carefully examined.

“It’s a kind of unpleasant surprise because we thought the values of this corporation were very clear in terms of access to information, and its policy was somewhat different,” Shakirov said. “And due to these values, it should not be so simple to comply with state censors and fulfill the requirements of laws that have little to do with common sense.”

Developers of digital tools designed to get around censorship began noticing recently that their Firefox add-ons were no longer available in Russia.

On June 8, the developer of Censor Tracker, an add-on for bypassing internet censorship restrictions in Russia and other former Soviet countries, made a post on the Mozilla Foundation’s discussion forums saying that their extension was unavailable to users in Russia.

The developer of another add-on, Runet Censorship Bypass, which is specifically designed to bypass Roskomnadzor censorship, posted in the thread that their extension was also blocked. The developer said they did not receive any notification from Mozilla regarding the block.

Two VPN add-ons, Planet VPN and FastProxy — the latter explicitly designed for Russian users to bypass Russian censorship — are also blocked. VPNs, or virtual private networks, are designed to obscure internet users’ locations by routing users’ traffic through servers in other countries.

The Intercept verified that all four add-ons are blocked in Russia. If the webpage for the add-on is accessed from a Russian IP address, the Mozilla add-on page displays a message: “The page you tried to access is not available in your region.” If the add-on is accessed with an IP address outside of Russia, the add-on page loads successfully.

Supervision of Communications

Roskomnadzor is responsible for “control and supervision in telecommunications, information technology, and mass communications,” according to the Russian federal censorship agency’s English-language page.

In March, the New York Times reported that Roskomnadzor was increasing its operations to restrict access to censorship circumvention technologies such as VPNs. In 2018, there were multiple user reports that Roskomnadzor had blocked access to the entire Firefox Add-on Store.

According to Mozilla’s Pledge for a Healthy Internet, the Mozilla Foundation is “committed to an internet that includes all the peoples of the earth — where a person’s demographic characteristics do not determine their online access, opportunities, or quality of experience.” Mozilla’s second principle in their manifesto says, “The internet is a global public resource that must remain open and accessible.”

The Mozilla Foundation, which in tandem with its for-profit arm Mozilla Corporation releases Firefox, also operates its own VPN service, Mozilla VPN. However, it is only available in 33 countries, a list that doesn’t include Russia.

The same four censorship circumvention add-ons also appear to be available for other web browsers without being blocked by the browsers’ web stores. Censor Tracker, for instance, remains available for the Google Chrome web browser, and the Chrome Web Store page for the add-on works from Russian IP addresses. The same holds for Runet Censorship Bypass, VPN Planet, and FastProxy.

“In general, it’s hard to recall anyone else who has done something similar lately,” said Shakirov, the Russian open internet advocate. “For the last few months, Roskomnadzor (after the adoption of the law in Russia that prohibits the promotion of tools for bypassing blockings) has been sending such complaints about content to everyone.”


cross-posted from: https://lazysoci.al/post/14579120

YouTube is currently experimenting with server-side ad injection. This means that the ad is being added directly into the video stream.

This breaks sponsorblock since now all timestamps are offset by the ad times.

For now, I set up the server to detect when someone is submitting from a browser where this is happening and to reject the submission, to prevent the database from getting filled with incorrect submissions.


This post contains a canary message that's cryptographically signed by the official BusKill PGP release key

BusKill Canary #008
The BusKill project just published their Warrant Canary #008

For more information about BusKill canaries, see:

Hash: SHA512

Status: All good
Release: 2024-06-11
Period: 2024-06-01 to 2024-12-31
Expiry: 2025-01-31


The BusKill Team who have digitally signed this file [1]
state the following:

1. The date of issue of this canary is June 11, 2024.

2. The current BusKill Signing Key (2020.07) is

   E0AF FF57 DC00 FBE0 5635  8761 4AE2 1E19 36CE 786A

3. We positively confirm, to the best of our knowledge, that the 
   integrity of our systems are sound: all our infrastructure is in our 
   control, we have not been compromised or suffered a data breach, we 
   have not disclosed any private keys, we have not introduced any 
   backdoors, and we have not been forced to modify our system to allow 
   access or information leakage to a third party in any way.

4. We plan to publish the next of these canary statements before the
   Expiry date listed above. Special note should be taken if no new
   canary is published by that time or if the list of statements changes
   without plausible explanation.

Special announcements


Disclaimers and notes

This canary scheme is not infallible. Although signing the 
declaration makes it very difficult for a third party to produce 
arbitrary declarations, it does not prevent them from using force or 
other means, like blackmail or compromising the signers' laptops, to 
coerce us to produce false declarations.

The news feeds quoted below (Proof of freshness) serves to 
demonstrate that this canary could not have been created prior to the 
date stated. It shows that a series of canaries was not created in 

This declaration is merely a best effort and is provided without any 
guarantee or warranty. It is not legally binding in any way to 
anybody. None of the signers should be ever held legally responsible 
for any of the statements made here.

Proof of freshness

04 Jun 24 14:10:16 UTC

Source: DER SPIEGEL - International (https://www.spiegel.de/international/index.rss)
Fortress Europe: Migrants Abandoned on the Edge of the Sahara
Israel-Gaza-Krieg: Menschenrechtler Aryeh Neier über Schuldfrage und Strafverfolgung (Kopie)

Source: NYT > World News (https://rss.nytimes.com/services/xml/rss/nyt/World.xml)
Middle East Crisis: Israeli Airstrikes Kill Iranian General in Syria
Live Updates: India’s Election Results Suggest a Setback for Modi

Source: BBC News - World (https://feeds.bbci.co.uk/news/world/rss.xml)
Shock for India's Modi as opposition set to slash majority
Gaza ceasefire plan turns into deadly game of survival

Source: Bitcoin Blockchain (https://blockchain.info/q/latesthash)



To view all past canaries, see:

What is BusKill?

BusKill is a laptop kill-cord. It's a USB cable with a magnetic breakaway that you attach to your body and connect to your computer.

What is BusKill? (Explainer Video)
Watch the BusKill Explainer Video for more info youtube.com/v/qPwyoD_cQR4

If the connection between you and your computer is severed, then your device will lock, shutdown, or shred its encryption keys -- thus keeping your encrypted data safe from thieves that steal your device.

submitted 1 day ago by 0x815@feddit.de to c/technology@beehaw.org

- Hackers working for the Chinese government gained access to more than 20,000 VPN appliances sold by Fortinet using a critical vulnerability that the company failed to disclose for two weeks after fixing it, Netherlands government officials said.

- The Netherlands officials first reported in February that Chinese state hackers had exploited CVE-2022-42475 to install an advanced and stealthy backdoor tracked as CoatHanger on Fortigate appliances inside the Dutch Ministry of Defense.

- Chinese state hackers have used the critical vulnerability to infect more than 20,000 FortiGate VPN appliances sold by Fortinet. Targets include dozens of Western government agencies, international organizations, and companies within the defense industry.

The vulnerability, tracked as CVE-2022-42475, is a heap-based buffer overflow that allows hackers to remotely execute malicious code. It carries a severity rating of 9.8 out of 10. A maker of network security software, Fortinet silently fixed the vulnerability on November 28, 2022, but failed to mention the threat until December 12 of that year, when the company said it became aware of an “instance where this vulnerability was exploited in the wild.” On January 11, 2023—more than six weeks after the vulnerability was fixed—Fortinet warned a threat actor was exploiting it to infect government and government-related organizations with advanced custom-made malware.

Enter CoatHanger

The Netherlands officials first reported in February that Chinese state hackers had exploited CVE-2022-42475 to install an advanced and stealthy backdoor tracked as CoatHanger on Fortigate appliances inside the Dutch Ministry of Defense. Once installed, the never-before-seen malware, specifically designed for the underlying FortiOS operating system, was able to permanently reside on devices even when rebooted or receiving a firmware update. CoatHanger could also escape traditional detection measures, the officials warned. The damage resulting from the breach was limited, however, because infections were contained inside a segment reserved for non-classified uses.

On Monday, officials with the Military Intelligence and Security Service (MIVD) and the General Intelligence and Security Service in the Netherlands said that to date, Chinese state hackers have used the critical vulnerability to infect more than 20,000 FortiGate VPN appliances sold by Fortinet. Targets include dozens of Western government agencies, international organizations, and companies within the defense industry.

"Since then, the MIVD has conducted further investigation and has shown that the Chinese cyber espionage campaign appears to be much more extensive than previously known,” Netherlands officials with the National Cyber Security Center wrote. “The NCSC therefore calls for extra attention to this campaign and the abuse of vulnerabilities in edge devices.”

Monday’s report said that exploitation of the vulnerability started two months before Fortinet first disclosed it and that 14,000 servers were backdoored during this zero-day period. The officials warned that the Chinese threat group likely still has access to many victims because CoatHanger is so hard to detect and remove.

Netherlands government officials wrote in Monday’s report:

Since the publication in February, the MIVD has continued to investigate the broader Chinese cyber espionage campaign. This revealed that the state actor gained access to at least 20,000 FortiGate systems worldwide within a few months in both 2022 and 2023 through the vulnerability with the identifier CVE-2022-42475. Furthermore, research shows that the state actor behind this campaign was already aware of this vulnerability in FortiGate systems at least two months before Fortinet announced the vulnerability. During this so-called 'zero-day' period, the actor alone infected 14,000 devices. Targets include dozens of (Western) governments, international organizations and a large number of companies within the defense industry.

The state actor installed malware at relevant targets at a later date. This gave the state actor permanent access to the systems. Even if a victim installs security updates from FortiGate, the state actor continues to have this access.

It is not known how many victims actually have malware installed. The Dutch intelligence services and the NCSC consider it likely that the state actor could potentially expand its access to hundreds of victims worldwide and carry out additional actions such as stealing data.

Even with the technical report on the COATHANGER malware, infections from the actor are difficult to identify and remove. The NCSC and the Dutch intelligence services therefore state that it is likely that the state actor still has access to systems of a significant number of victims.

Fortinet’s failure to disclose in a timely manner is particularly acute given the severity of the vulnerability. Disclosures are crucial because they help users prioritize the installation of patches. When a new version fixes minor bugs, many organizations often wait to install it. When it fixes a vulnerability with a 9.8 severity rating, they’re much more likely to expedite the update process. Given the vulnerability was being exploited even before Fortinet fixed it, the disclosure likely wouldn't have prevented all of the infections, but it stands to reason it could have stopped some.

Fortinet officials have never explained why they didn’t disclose the critical vulnerability when it was fixed. They have also declined to disclose what the company policy is for the disclosure of security vulnerabilities. Company representatives didn’t immediately respond to an email seeking comment for this post.


In a former wallpaper factory in Chiswick, west London, a start-up firm has been developing a long-term storage system that uses lasers to burn tiny holograms into a light-sensitive polymer.

Chief executive Charlie Gale points out that with magnetic tape, data can only be stored on the surface, whereas holograms can store data in multiple layers.

"You can do things called multiplexing, whereby you can layer multiple sets of information in one space. That's really kind of the superpower of what we're doing. And we believe we can put more information in less space than ever before," he says.

HoloMem's polymer blocks can handle extreme temperatures, between -14C and 160C, without the data becoming corrupted.

By comparison, magnetic tape needs to be kept between 16C and 25C, which means significant heating and cooling costs, particularly in countries with extreme temperatures.

Tape also needs replacing after around 15 years, whereas the polymer is good for at least 50 years.


NewJeans filed an ex parte application in late March in the Northern District of California, where Google is headquartered, for an “order authorizing limited discovery” of the user’s data from the company “for use in a criminal matter in Korea,” the order granting the application states. The group alleges that the account, which according to court documents posts under the handle @Middle7, has posted as many as 33 defamatory videos that had been viewed nearly 14 million times as of their filing. Because the account is anonymous, however, the lawsuit cannot continue until the user has been identified.

Among the statements NewJeans claims are defamatory are calling one of the members the “eldest daughter of a Vietnamese farmer,” and a video titled "Reasons Why NewJeans Is A Crap Group."

Google also recently cut down its Legal Investigations team, which handles the company’s responses to subpoenas and law enforcement requests, by what a union representing some workers alleged was over a third of the less-than-100-person team, though a Google spokesperson later clarified that less than a dozen positions had been impacted.


Archived version


Following change in Twitter’s ownership and subsequent changes to content moderation policies, many in academia looked to move their discourse elsewhere and migration to Mastodon was pursued by some. Our study looks at the dynamics of this migration. Utilizing publicly available user account data, we track the posting activity of academics on Mastodon over a one year period. Our analyses reveal significant challenges sustaining user engagement on Mastodon due to its decentralized structure as well as competition from other platforms such as Bluesky and Threads. The movement lost momentum after an initial surge of enthusiasm as most users did not maintain their activity levels, and those who did faced lower levels of engagement compared to Twitter. Our findings highlight the challenges involved in transitioning professional communities to decentralized platforms, emphasizing the need for focusing on migrating social connections for long-term user engagement.

submitted 2 days ago* (last edited 2 days ago) by 0x815@feddit.de to c/technology@beehaw.org

Temu, a popular marketplace where consumers can buy direct from factories overseas at cheap prices, is drawing concerns from lawyers and privacy experts in North America who allege the shopping app can be “invasive” for unwitting users.

Temu is currently the subject of two proposed class-action lawsuits filed last year in district courts in New York and Illinois, which have not been certified. A third class action was filed in Quebec in March.

Many Canadians might first have been exposed to Temu during the Super Bowl this year or last, where the company took out multiple ads encouraging viewers to “shop like a billionaire.”

The app and online storefront sell cheap clothing, electronics, furniture and more from overseas manufacturers based largely in China. Temu’s website says the company was founded in Boston in 2022, but it’s a subsidiary of Shanghai-based PDD Holdings, a multinational commerce group established in 2015 in China.

PDD Holdings on Wednesday became the largest e-commerce player in China by market valuation, topping rival giant Alibaba, according to a CNBC report citing LSEG data.

The allegations about Temu’s deep reach into user data come as governments in both Canada and the United States grapple with privacy concerns around apps like TikTok, another Chinese-owned platform.

Temu has also earned comparisons to China’s ultra-fast-fashion giant Shein among industry observers for its factory-to-consumer business model.

As of May 31, Temu is the top free app on the Apple App Store and Google Play Store in Canada.

Class-action lawsuits filed in U.S., Quebec

Temu is currently the subject of two proposed class-action lawsuits filed last year in district courts in New York and Illinois.

A third class action was filed in Quebec in March, but is not yet certified and is reserved to residents of the province.

All suits filed cite various privacy complaints among users of the Temu app.

Jeff Orenstein, lawyer at the Consumer Law Group that filed the Quebec suit, says the permissions the Temu app asks for when you download it do not adequately detail how “invasive” the program can be.

The Consumer Law Group’s class-action complaint alleges that Temu’s app can access data via your phone’s camera, photos, messages, contacts and other apps.

“Some of the things that were picked up that the app is looking at are things that really have nothing to do with the functionality of the app,” he tells Global News.

Consumer Law Group alleges that these privacy violations are intentional on Temu’s part. The firm is seeking damages for violating individuals’ charter-protected rights to privacy and an injunction to prevent the app from taking the data in Quebec.

In response to these claims, a Temu spokesperson told Global News the app collects “the minimum information necessary” to deliver its services.

“We categorically deny the allegations in these lawsuits and intend to vigorously defend ourselves against them,” an emailed statement read.

Temu denies overreach

The spokesperson pointed Global News to the “permissions” section of the Temu website, which claims that access to contacts, calendars, microphones and Bluetooth are not requested via the app.

Temu says the camera may be used on iOS devices when using pictures to leave reviews or search via image for a product. Temu does not request full permissions to a smartphone’s photos app, the website says, but can use a device’s “built-in image picker” – an interface that allows users to choose from pictures on their device in-app – without giving complete access to the photo archive.

Temu also does not ask for location access in “most countries,” including Canada, according to the disclaimer. The listed exception is the Middle East, where Temu says location data helps users fill in shipping addresses.

Orenstein says much of the Consumer Law Group suit is based on a September 2023 report from Grizzly Research, a U.S.-based firm that identifies short-selling opportunities on equity markets.

Grizzly lambasted Temu as “the most dangerous app in wide circulation” in a report on its parent company, PDD Holdings.

Security issues in the Temu app amount to “spyware,” the report published last September argues. It claimed that the reach of the app goes far beyond what’s listed upfront in the company’s privacy policy, with the potential to access more of a phone’s file system than a user intended.

The Grizzly report is based on publicly available information and the firm says it engaged a team of unnamed cyber experts to back up its warnings. Grizzly said it stands by its research but also includes a disclaimer that the report is opinion only and should not be treated as a “statement of fact.”

In an email to Global News, Temu also denied allegations that its application amounts to spyware and dismissed the Grizzly report as unfactual. A spokesperson pointed to the app’s listings on Google’s Play Store and Apple’s App Store, which they said “rigorously screen apps for malware and spyware.”

Grizzly compares the app to TikTok, which has come under threat of ban in the U.S. unless its Chinese owners ByteDance Ltd. sell to an American firm, and is the subject of a national security review in Canada.

ByteDance has sued to prevent the U.S. ruling from coming into effect on Jan. 19, 2025, and has denied claims that TikTok poses a security risk.

The head of Canada’s national spy agency recently said TikTok is a “real threat” to users’ data security because of the app’s Chinese ties, a warning Prime Minister Justin Trudeau said Canadians ought to heed. TikTok has previously denied it provides data to the Chinese government in a statement to Global News.

But Temu is “demonstrably more dangerous than TikTok,” the Grizzly report argues, and should be removed from app stores as a result.

Global News reached out to both Apple and Google to ask whether Temu’s privacy policies satisfy their respective app stores and whether the platforms have taken action to address data security complaints. Neither company has responded with comment.

Why is this such a big deal?

Rob D’Ovidio, associate professor at Drexel University in Philadelphia, is one of the privacy experts sounding the alarm about Temu’s reach.

He says the risk from Temu is not necessarily in having access to a user’s most sensitive data, but to smaller tidbits that build up over time to build a profile of a shopper.

“You’ve got to start saying, buyer beware. You should look to an alternative marketplace,” he tells Global News.

Small pieces of information like purchases or a photo here and there might seem “innocent” to users, D’Ovidio says, “but when you combine multiple data elements, they start uncovering patterns of health, they start uncovering patterns of taste and likes and habits.”

"And that’s really where the concern here is. It’s not just a one-snapshot look at you. It’s a look over time,” he says.

The kinds of information collected via the Temu app is not unique to that marketplace, D’Ovidio says.

[Edit typo.]


Oh Spotify, when will you stop trying to push people to the high seas 🏴‍☠️


"...For Nvidia, after this latest run-up took it north of the $3T milestone, the company is being valued at more than $100M for each of its 29,600 employees (per its filing that counted up to the end of Jan 2024).

That’s more than 5x any of its big tech peers, and hundreds of times higher than more labor-intensive companies like Walmart and Amazon. It is worth noting that Nvidia has very likely done some hiring since the end of January — I think the company might be in growth mode — but even if the HR department has been working non-stop, Nvidia will still be a major outlier on this simple measure.

We are running out of ways to describe Nvidia’s recent run... but a nine-figure valuation per employee is a new one."

view more: next ›


37208 readers
693 users here now

Rumors, happenings, and innovations in the technology sphere. If it's technological news or discussion of technology, it probably belongs here.

Subcommunities on Beehaw:

This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 2 years ago