As new details about the scope of the sabotage emerge, the perpetrators—and the reason for their vandalism—remain unknown.

At present, there’s little information about who may have been behind the attacks. No groups or individuals have claimed responsibility for the damage, and French police have not announced any arrests linked to the cuts. Neither the Paris Public Prosecutor’s Office nor Anssi, the French cybersecurity agency, responded to WIRED’s requests for comment.

In June, CyberScoop reported claims that “radical ecologists” who oppose digitalization may be behind the attacks. However, multiple experts speaking to WIRED were skeptical of the suggestion. “It’s quite unlikely,” Combot says. Instead, in many potential sabotage instances he has seen, those who attack telecom infrastructure aim to target cell phone towers where damage is obvious and claim responsibility for their actions.

In France—and more widely around the world—there’s been an increase in attacks against telecom towers in recent years, including cutting cables, setting fire to cell phone towers, and attacking engineers. When the Covid-19 pandemic started in early 2020, there was an uptick in attacks against 5G equipment as conspiracy theorists falsely believed the network standard could be dangerous to people’s health.

While some caution against assuming environmentalist groups were behind the April attacks, there is a precedent for such actions in France: A December 2021 investigation by environmental news outlet _Reporterre_, as noted by CyberScoop, documented more than 140 attacks against 5G equipment and telecom infrastructure. The attacks were said to show a pattern based on “refusal of a digitized society.”

In one of the other biggest attacks against French networks, more than 100,000 people found themselves struggling to get online in May 2020 after several cables were cut. During the past three months, there have been an estimated 75 attacks against telecom networks in France. The total number of attacks has declined since 2020, however.

Combot says the April attack was one of the “biggest incidents” targeting telecom infrastructure in recent years. It also highlights the fragility of local internet cables. “Breaking the internet is not a good thing for those who have the idea to do so, because the internet is locally vulnerable but globally resilient,” Guillaume says.

While cutting cables and setting fire to cell phone towers can cause temporary internet outages or slowdowns, internet traffic can usually be rerouted relatively quickly. In short: It’s very hard to take the internet offline at scale. The internet can largely withstand human sabotage, damage from natural events, and Canadian beavers chomping through cables.

This doesn’t mean threats to connectivity can’t cause widespread disruption. “I fear that these attacks, in France and elsewhere in the world, will happen again,” Combot says. “There are vulnerable points everywhere in the world,” he adds, highlighting Egypt, where subsea cables pass between Europe and Asia. In June the EU published an in-depth review of subsea internet cables that says more should be done to protect them.

DE-CIX’s King says that most incidents around cables are usually accidents, such as damage from roadworks or earthquakes. “The solution is to introduce redundancy in the design of connectivity,” King says. This means having more connections in the internet’s backbone and systems to replace others in case of potential failures or attacks. Every system should have a backup.

Political and technical measures could decrease the chances of attacks on network connections. “The best way to fight against these attacks is to have a better threat intelligence,” says Oxford’s Laudrain. The French Telecoms Federation says it is working more closely with law enforcement to try to stop those who would attack cables. “Some companies publish confidential network information on their websites,” Lumen’s Modlin says. “They should seriously consider removing exact location data, given its sensitive nature.” (She did not name the companies.)

Meanwhile, Guillame says simple physical security measures can be taken, such as ensuring that areas where cables are accessible through the ground are covered by security cameras. Others suggest adding movement sensors to these locations. Preventing internet cables and equipment from damage and destruction is crucial, Guillame says. “Behind the digital economy, there are small businesses, artisans, schools, emergency services hard hit when they can no longer connect their service. It’s not acceptable.”

The Unsolved Mystery Attack on Internet Cables in Paris

While cybersecurity and foreign meddling remain priorities, domestic threats against election workers have risen to the top of the list.

In the lead-up to the 2018 midterm elections in the United States, law enforcement, intelligence, and election officials were on high alert for digital attacks and influence operations after Russia demonstrated the reality of these threats by targeting the presidential elections in 2016. Six years later, the threat of hacking and malign foreign influence remain, but 2022 is a different time and a new top-line risk has emerged: physical safety threats to election officials, their families, and their workplaces.

In July 2021 the Department of Justice launched a task force to counter threats against election workers, and the US Election Assistance Commission released security guidance for election professionals. But in public comments this week, lawmakers, top national security officials, and election administrators themselves all expressed concern that misinformation about the security and validity of US voting continues to shape a new threat landscape going into the midterms.

“In New Mexico, the conspiracies about our voting and election systems have gripped a certain portion of the electorate and have caused people to act,” New Mexico’s Secretary of State and top election official Maggie Toulouse Oliver testified before the House of Representatives Homeland Security Committee yesterday. “During the 2020 election cycle, I was doxxed and had to leave my home for weeks under state police protection. Since 2020, my office has certainly seen an uptick in social media trolling, aggrieved emails, and calls into our office, and other communications that parrot the misinformation circulating widely in the national discourse. But more recently, especially since our June 2022 primary election, my office has experienced pointed threats serious enough to be referred to law enforcement.”

In a discussion on Tuesday about midterm election security at the Fordham International Conference on Cyber Security in New York City, FBI director Christopher Wray and NSA director Paul Nakasone emphasized that federal intelligence and law enforcement view foreign adversaries that have been active during past US elections—including Russia, China, and Iran—as potential threats heading into the 2022 midterms. But threats against election workers now appear at the top of their list.

“We are … positioning ourselves to understand our adversaries better, so we do have a series of operations that we’re conducting now and in the future as we approach the fall,” Nakasone said on Tuesday. “But I think the other piece of it is, this isn’t episodic, this for us is a persistent engagement that we have across time, in terms of being able to understand where our adversaries are at, what they’re trying to do, where we need to impact them, understanding how they’re getting better.”

When asked how the FBI handles misinformation that stems from foreign influence operations but ultimately embeds itself in the domestic psyche, Wray said that the Bureau simply has a set of enforcement mandates around elections that it focuses on carrying out.

“We’re not the truth police,” he told the conference. “It’s not to say there isn’t an important role for calling out falsity versus truth, it’s just that our contributions are fairly specific. We’re targeting foreign malign influence. We are investigating malicious cyber actors, whether they are foreign or otherwise, that target election infrastructure—so cyber activity. We are investigating federal election crimes, and that covers everything from campaign finance violations, to voter fraud and voter suppression, to something that we’ve seen an alarming amount of over the last little bit—threats of violence against election workers, which we’re not going to tolerate.”

Wray added that threats against election officials are currently a priority for the FBI. “These are people who are engaging in tireless and really, frankly, selfless work to ensure free and fair elections for all of us, and the idea that they would become the target of threats of violence is totally unacceptable,” Wray said.

In a US Election Assistance Commission discussion on election official security last week, Sheriff Peter Koutoujian of the Middlesex Sheriff’s Office in Massachusetts noted that state and local law enforcement are also dealing with questions of how best to protect election officials.

“We all witnessed the rhetoric and the threats leveled towards officials … during the 2020 election,” he said. “You can see them still being leveled against election officials this past spring during local elections as well as in reference to upcoming state and federal elections this fall. In law enforcement, we need to make sure that we’re following up on threats of violence as appropriate and protecting these individuals and thus protecting our democracy.”

The shift in the threat landscape is significant. Election officials and security researchers have focused over the past two decades on raising awareness about the need for better coordination and stronger digital security protections across the diverse patchwork of local election systems that is a hallmark of US voting. But with that work still in progress and in need of funding, threats to election officials could undercut hard-won progress.

“While we are now on the right track to secure our election infrastructure against cyberattacks, new and different threats, many with domestic roots, have arisen, including threats of physical harm to our election officials, their families, and their staff," Elizabeth Howard, senior counsel at New York University’s Brennan Center for Justice, told the House Homeland Security Committee during yesterday's hearing. “Not surprisingly, these threats are leading to additional serious concerns, such as an alarming number of election officials leaving the profession, which are contributing to the fragility of our democracy."

In her testimony, Howard urged Congress to allocate more funds for protecting election officials and to direct federal agencies to focus on the issue and combat misinformation about election integrity in any way possible. 

John Katko, a Republican from New York and ranking member of the House Homeland Security Committee, summed up the challenge bluntly: “A lot of the problems with election security are generated, it seems like to me, from the internet and the ability of cowards to hide behind the internet and foment discontent online, and then make that discontent actionable by nutjobs locally.”

With the November midterms less than four months away, the need to protect election officials grows more urgent by the day, not only for workers and their families but also for US stability more broadly. As Koutoujian put it, “If we’re not protective and careful of what we do now—I believe we’re more fragile than we think we are.”

The 2022 US Midterm Elections' Top Security Issue: Death Threats

A bill with bipartisan support might finally give the US a strong federal data protection law.

Usually, when Congress is working on major tech legislation, the inboxes of tech reporters get flooded with PR emails from politicians and nonprofits either denouncing or trumpeting the proposed statute. Not so with the American Data Privacy and Protection Act. A first draft of the bill seemed to pop up out of nowhere in June. Over the next month, it went through so many changes that no one could say for sure what it was even designed to do. For such an important topic, the bill’s progress has been surprisingly under the radar.

Now comes an even bigger surprise: A new version of the ADPPA has taken shape, and privacy advocates are mostly jazzed about it. It just might have enough bipartisan support to become law—meaning that, after decades of inaction, the United States could soon have a real federal privacy statute.

Perhaps the most distinctive feature of the new bill is that it focuses on what’s known as data minimization. Generally, companies would only be allowed to collect and make use of user data if it’s necessary for one of 17 permitted purposes spelled out in the bill—things like authenticating users, preventing fraud, and completing transactions. Everything else is simply prohibited. Contrast this with the type of online privacy regime most people are familiar with, which is all based on consent: an endless stream of annoying privacy pop-ups that most people click “yes” on because it’s easier than going to the trouble of turning off cookies. That’s pretty much how the European Union’s privacy law, the GDPR, has played out.

“The reason I really like this bill is, it takes a data-minimization approach first,” says Sara Collins, senior policy council at Public Knowledge, a consumer advocacy group in DC. “The bill at the outset is like, ‘One, you don't collect any more data than you reasonably need, and, two, here’s a list of reasons you might need this data.’”

A major caveat is that the list of reasons includes targeted advertising, which is the economic driver of most commercial surveillance in the first place. So the bill falls well short of simply banning the practice, which is what many data-privacy advocates would prefer. On the other hand, it imposes much stricter limits on targeted advertising—and the data collection supporting it—than any law in the US and perhaps the world. It would completely prohibit targeting ads to minors, something Joe Biden called for in his 2022 State of the Union address. It would ban targeting ads based on “sensitive data.” That category includes things like health information, precise geolocation, and private communications—as well as “information identifying an individual’s online activities over time and across third-party websites or online services.” In other words, companies would no longer be allowed to follow you around the internet, gathering data on everything you do and using it to sell you stuff.

“I think it’s a pretty fundamental shift,” says Alan Butler, executive director and president of the Electronic Privacy Information Center. “It gets at the heart of what I see as the major privacy problem in the way that ad tech has developed over the last 20 years, largely because there was no privacy law in effect. What’s developed is an ad tech industry that just gorges on personal information in every possible way it can, grabbing every possible piece of data they can find about people.”

Under the new version of the ADPPA, Butler says, some forms of targeting would remain common, particularly targeting based on first-party data. If you shop for shoes on Target.com, Target could still use that information to show you ads for shoes when you’re on another site. What it wouldn’t be able to do is match your shopping history with everything else you do on the web and on your phone to show you ads for stuff you’ve never told them you wanted. Nor could Facebook and Google continue to spy on you by placing trackers on nearly every website or free app you use, in order to build a profile of you for advertisers.

“If they’re tracking your activity across third-party websites, which they certainly are, then that’s sensitive data, and they can’t be processing that for targeted advertising purpose,” says Butler.

To the extent that the new bill would still allow targeted advertising, it would require companies to give users the right to opt out—while prohibiting the sorts of tricks that companies often use to nudge users to click “Accept all cookies” under the GDPR. And it would direct the Federal Trade Commission to create a standard for a universal opt-out that companies would have to honor, meaning users could decline all targeted advertising in one click. (That’s an important feature of California’s recently adopted privacy law.)

The ad industry seems to agree that the bill would mark a fundamental shift. Yesterday, the Association of National Advertisers, a trade group, issued a statement opposing the bill on the grounds that it would “prohibit companies from collecting and using basic demographic and online activity data for typical and responsible advertising purposes.”

Apart from its data-minimization approach, the new bill contains quite a lot of provisions that data privacy experts have long called for, including transparency standards, anti-discrimination rules, increased oversight for data brokers, and new cybersecurity requirements.

Federal privacy legislation has been something of a white whale in DC over the last few years. Since 2019, a bipartisan agreement has supposedly been just around the corner. The effort kept stalling because Democrats and Republicans were divided on two key issues: whether a federal bill should preempt state privacy laws, and whether it should create a “private right of action” allowing individuals, not just the government, to sue companies for violations. Democrats are generally against preemption and in favor of a private right of action, Republicans the reverse.

The new bill represents a long-sought compromise on those issues. It preempts state laws, but with some exceptions. (Most notably, it empowers California’s brand-new privacy agency to enforce the ADPPA within the state.) And it contains a limited private right of action, with restrictions on the damages that people can sue for.

The bill has other shortcomings, inevitably. The universal opt-out requirement is nice, but it won’t mean much until the largest browsers, especially Chrome and Safari, add the feature. The bill gives the FTC new authority to issue rules and enforce them, but it doesn’t direct any new resources to the agency, which already lacks the staff and funding to handle everything on its plate.

As a result, not everyone in the privacy camp is on board. On Tuesday, a group of mostly blue-state state attorneys general sent a letter to the committee objecting to the preemption provision. And the Electronic Frontier Foundation tweeted on Wednesday that it is “disappointed” by the compromises in the bill.

On the whole, however, the ADPPA seems wildly popular both on the Hill and among advocacy organizations. It has the support of leading privacy and civil rights nonprofits, and the House Commerce Committee voted to advance it by a 53-2 margin—an overwhelmingly bipartisan consensus that bodes well for the bill’s prospects when the full House votes on it. During yesterday’s markup hearing, several members noted that while the bill isn’t perfect, it’s simply politically impossible to pass a federal privacy law that doesn’t involve compromise on those two key issues.

Even the tech industry hasn’t launched any public campaign to kill the bill. You could take this as a sign that it’s actually too weak to trouble the industry. But Adam Kovacevich, the CEO of Chamber of Progress, a Big Tech lobbying group, points out that even the bill’s liberal critics have acknowledged that it goes further than any of the state laws it would preempt—even California’s. “I don’t think anyone in industry is crazy about the idea of the private right of action, the idea of more lawsuits,” he says. But, he adds, tech companies have already spent years learning to comply with the growing web of privacy regimes around the world. A somewhat stricter law might not be so bad if it provides a clear, fixed national standard.

None of this means that the ADPPA is sure to become law, of course. In the Senate, Maria Cantwell, the top Democrat on the Commerce Committee, has not gotten behind the effort yet, though her Republican counterpart has. And time is running out for that sclerotic body to pass any major laws before next year, when Democrats will almost surely lose their governing trifecta.

Still, privacy advocates are cautiously optimistic. “You’re looking at a situation where you have bicameral, bipartisan support, with Republicans and Democrats on board on the House and Senate side,” says Butler. “I don’t think we’ve ever been this close.”

Congress Might Pass an Actually Good Privacy Bill

The ACLU released a trove of documents showing how Homeland Security contracted with surveillance companies to scour location information.

For years, people have wondered not if, but how much, the Department of Homeland Security accesses mobile location data to monitor US citizens. This week, the American Civil Liberties Union released thousands of heavily redacted pages of documents that provide a “glimpse” of how DHS agencies came to leverage “a shocking amount” of location data, apparently purchasing data without following proper protocols to ensure they had the authority to do so.

Documents were shared with the ACLU “over the course of the last year through a Freedom of Information Act (FOIA) lawsuit.” Then Politico got access and released a report confirming that DHS contracted with two surveillance companies, Babel Street and Venntel, to scour hundreds of millions of cell phones from 2017 to 2019 and access “more than 336,000 location data points across North America.” The collection of emails, contracts, spreadsheets, and presentation slides provide evidence that “the Trump administration's immigration enforcers used mobile location data to track people's movements on a larger scale than previously known,” and the practice has continued under Biden due to a contract that didn't expire until 2021.

The majority of the new information details an extensive contract DHS made with Venntel, a data broker that says it sells mobile location data to solve “the world's most challenging problems.” In documents, US Customs and Border Patrol said Venntel's location data helped them improve immigration enforcement and investigations into human trafficking and narcotics.

It's still unclear whether the practice was legal, but a DHS privacy officer was worried enough about privacy and legal concerns that DHS was ordered to “stop all projects involving Venntel data” in June 2019. It seems that the privacy and legal teams, however, came to an agreement on use terms, because the purchase of location data has since resumed, with Immigration and Customs Enforcement signing a new Venntel contract last winter that runs through June 2023.

The ACLU still describes the practice as “shadowy,” saying that DHS agencies still owed them more documents that would further show how they are “sidestepping” the “Fourth Amendment right against unreasonable government searches and seizures by buying access to, and using, huge volumes of people's cell phone location information quietly extracted from smartphone apps.” Of particular concern, the ACLU also noted that an email from DHS's senior director of privacy compliance confirmed that DHS “appeared to have purchased access to Venntel even though a required Privacy Threshold Assessment was never approved.”

DHS did not comment on the Politico story, and neither the DHS agencies mentioned nor the ACLU immediately responded to Ars' request for comment.

The ACLU says that no laws currently prevent data sales to the government, but that could change soon. The ACLU endorses a bill called the Fourth Amendment Is Not for Sale Act, which is designed to do just that. Even if that bill is passed, though, the new law would still provide some exceptions that would allow government agencies to continue tracking mobile location data. The ACLU did not immediately respond to comment on any concerns about those exceptions.

How to Stop Location Data Tracking

The main question being debated is whether a Supreme Court decision in 2017 that said police must have a warrant to search cell phone data applies to government agencies like DHS. It's a gray area, the Congressional Research Service says, because “the Supreme Court has long recognized that the government may conduct routine inspections and searches of individuals entering at the US border without a warrant” and that “some federal courts have applied the 'border search exception' to allow relatively limited, manual searches at the border of electronic devices such as computers and cell phones.”

DHS isn't the only government agency that considers itself an exception, though. In 2021, the Defense Intelligence Agency also purchased location data without a warrant, bypassing the 2017 Supreme Court decision because the Department of Defense has its own "Attorney General-approved data handling requirements."

It's all part of a troubling pattern that shows a growing preference for the practice across many government agencies that have considered themselves exempt from legal concerns over the past few years.

Now, as privacy concerns over data tracking by law enforcement have heightened in post-_Roe v. Wade_ America, more mobile phone users are considering ways to keep their data private.

The first step for many might be to stop sharing location data with untrustworthy apps or maybe even entirely. Any time an app asks to track location data, users can either opt in or out. The ACLU told Politico that this opt-in process is what gives third-party vendors like Venntel the right to grant government access to data, claiming users have given permission to share with the government just by opting in.

“It's very clear that when people are doing that, they're not expecting that that's going to be potentially creating this massive database of their entire location history that's available to the government at any time,” Shreya Tewari, the Brennan fellow for the ACLU's Speech, Privacy and Technology Project, told Politico.

For mobile phone users concerned about DHS data tracking, users can specifically opt out of Venntel data collection.

There's not enough information identifying other contracts DHS might have with other vendors selling location data. The ACLU did not comment on the next steps to retrieve the rest of the DHS documents the organization requested, but its initial FOIA request asked for all contracts “concerning government access to or receipt of data from commercial databases containing cell phone location information.” That information may come in a future document dump, as the ACLU lawsuit states, but history proves DHS is not always prompt to respond. The ACLU waited nine months for a response before suing and noted at that time that “DHS has even refused to provide its legal memorandum about these practices to US senators who have requested it.”

The Fourth Amendment Is Not for Sale Act was introduced in Congress in April last year, where it was read twice and then referred to the Committee on the Judiciary. A request for an update on the bill's progress from one of its most vocal authors, Senator Ron Wyden, Democrat of Oregon, did not yield an immediate response. The ACLU advises that officials act sooner rather than later, saying, "Lawmakers must seize the opportunity to end this massive privacy invasion without delay. Each day without action only allows the government's covert trove of our personal information to grow."

_This story originally appeared on_ _Ars Technica__._

The DHS Bought a ‘Shocking Amount’ of Phone-Tracking Data

Under increased scrutiny, certain period-tracking apps are seeing a surge of new users. Which are as safe as they claim to be?

This not only shifts the burden of risk assessment to individual users, but also makes evaluating the privacy and security of apps difficult to begin with. To do so, we consulted evaluation frameworks pioneered by the Beth Israel Deaconess Medical Center (MIND) and The Digital Standard to arrive at four core questions to guide our study.

\*A score of (0) = the app did not fulfill the privacy requirement, (1) = the app partially fulfilled the privacy requirement, (2) = the app fulfilled the privacy requirement, and (3) = the app fulfilled the privacy requirement well

\*\*’Clear specification’ is defined here as an index of third-party companies and the data they receive.

Local vs. Cloud Storage

Understanding _where_ companies store your data is pivotal to assessing the privacy risk that comes with using their products. Most popular mobile apps store user data in the cloud—across multiple servers in multiple locations—which allows them to process large amounts of easily recoverable information. It also means that your data is more vulnerable to bad actors. This is why organizations like Givens’ prefer apps that store information directly on users’ devices. If an app stores data directly on your mobile phone, you’ll have more complete control of it. None of the apps reviewed above gave users the option to store their data locally, but Euki and Mozilla Foundation-backed Drip do.

Third-Party Sharing

If you’ve used Facebook to log in to a website or app recently, you’re already familiar with some of the ways that app developers share information with third parties. Understanding which third parties a company works with and what type of data is passed on to them is a helpful way to evaluate your level of protection. For example, Period Tracker’s privacy policy admits to sharing users’ device IDs with advertising networks, which is quite risky. It also expresses their willingness to sell or transfer user data as a result of a corporate merger or sale. Typically, apps who lay out plainly who they’re providing info to and why—like Clue does —are more trustworthy.

It’s also helpful to know whether data is routinely anonymized (stripped of identifying user information) before being shared with these third parties. However, this isn’t a panacea. Stripped-down data can still lead back to individual users under certain conditions. Machine learning makes this threat even more real, since the technology can speed up shady “re-identification” processes. Despite vowing to refrain from sharing user data themselves, Clue passes on anonymized data to certain third-party research groups. While Stardust expresses a commitment to limiting the information they share with third parties, their policy states it could share information in order to “comply with or respond to law enforcement,” or to protect the “security of the Company.” Ideally, apps are extremely selective with which third-parties they’re willing to share info with—or they don't share with third-parties at all.

Data Deletion

Every app should have established protocols that allow users to delete their personal data from the developers’ systems at will. While many US-based apps include these protocols to comply with the EU’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA), users should look out for privacy policies that _clearly_ extend these erasure privileges to all users, regardless of location. Even so this can be tricky, says Givens: “If you’re not a resident of the jurisdiction that the law is covering, there’s no guarantee that they are going to honor it.”

Even apps that invite data deletion requests may not always execute them in a timely or complete fashion. Flo, whose security practices placed them under FTC scrutiny in 2021, states specifically in their privacy policy that upon deletion of their app, they “retain your personal data for a period of 3 years in case you decide to re-activate.” Period Tracker admits to retaining users’ mobile device IDs “for up to 24 months” after receiving a request. The safest apps should retain your data for 30 days or less, and ideally submit deletion requests to third parties on your behalf, like Clue does.

Location Tracking

If an app explicitly stores location data (like Period Calendar and Period Tracker do) it presents a greater privacy issue. While three out of the five apps analyzed here didn’t appear to save location data explicitly, each app saves users’ IP addresses, which can be used to determine someone’s general location. Flo, for example, explicitly shares IP addresses with third-parties such as AppsFlyer.

Stardust’s practices decouple users’ IP addresses from their health data, which increases security. But critics say their methods fall short of true end-to-end encryption. Regardless, when IP addresses are combined with outside data, such as a user’s search history or even other publicly available information about the user, they can easily reveal that person’s identity and their activities. The CDT and other privacy advocates have warned that users’ text messages and search histories have already been used against them in legal proceedings involving their reproductive health, and the practice is likely to expand.

The Bottom Line

At the end of the day, a period-tracking app like Clue presents users with slightly less risk than apps like Flo, Stardust, Period Calendar, and Period Tracker. However, all five of these apps, chosen for their outsize popularity, falter when compared with more secure options like Euki and Drip, as corroborated by Consumer Reports. Insofar as it’s possible for users to analyze _all_ of their apps according to standards set forth in The Digital Standard, Mhealth Index, and elsewhere, users can make educated decisions about which companies to align with—but evaluating the risks of using specific apps is an imperfect science. In addition to being extremely time consuming and often confusing, it’s nowhere near a suitable replacement for a lack of widespread legal privacy protections available for all Americans.

According to privacy experts like Givens, period-tracking apps represent the tip of the iceberg when it comes to digital privacy and security post-_Roe_. The CDT recommends that people assess their own risk level in order to determine whether using a period-tracking app is even worth it. In the meantime, taking steps to secure your personal information like text messages and search histories is probably more worthwhile.

For those looking to make a difference, experts recommend advocating directly to tech companies, especially precedent-setting organizations like Google and Meta (formerly Facebook) to demand better individual protections. It’s these corporations that will eventually have to respond to requests from law enforcement for user data, and many already promise to curtail their surveillance (but also lobby aggressively against privacy legislation and regulation). To pave the way for better policy, tech companies should aim to take serious inventory of the data they’re collecting, file transparency reports regularly, and, most importantly, take public stances in defense of privacy rights early and often.

The Most Popular Period-Tracking Apps, Ranked by Data Privacy

Despite alerting Meta months ago, feminist groups say tens of thousands of fake accounts continue to bombard them on the platform.

IRANIAN women’s rights groups have for months faced a deluge of bots following their Instagram accounts and disrupting their digital outreach operations. Activists say that while they have repeatedly asked Meta, Instagram’s parent company, to stymie the flood of junk followers, more keep coming, totaling in the millions across dozens of organizations operating in Iran and elsewhere around the world.

The targeted bot campaigns, in which a group receives tens of thousands of new followers in as little as a single day, have gained momentum as the Iranian government works to counter broad dissent focused on an array of pressing social issues, including economic hardship. Women’s rights activists say they have faced a particularly aggressive crackdown from the government in recent months, with some surveilled by law enforcement and arrested. As the National Day of Hijab and Chastity approached last Tuesday, women around the country participated in #No2Hijab actions, in which they pushed back their hijabs, revealing their hair, or removed them altogether. Authorities label participants “bad-hijab women.” 

Through it all, Instagram has served as a crucial communication platform for feminist organizers because it is one of the few international platforms accessible and uncensored in Iran’s tightly controlled digital landscape.

“More and more people are pushing back against hijab right now; it’s unprecedented and I think the government is feeling threatened by the women’s rights movement,” says Firuzeh Mahmoudi, executive director of United for Iran, one of the organizations that has faced bot targeting on its Instagram page. “So whatever is going on with these bots that have been purchased systematically to target Instagram pages is definitely not a coincidence, in my opinion. We’ve seen about 30 women’s rights groups inside Iran and 40 outside targeted in this way.”

The bot campaigns align with the interests of the Iranian regime, but the actors behind them haven’t yet been identified. The attacks are in some ways subtle because they don’t involve a flood of malicious comments or attempts to take down entire pages. Instead, activists say, their Instagram pages—which often have just a few thousand followers—suddenly gain tens of thousands more in the span of a few hours. The new follower accounts seem to be named using long, systematic strings of unintelligible consonants and numbers. In one example, Mahmoudi says that a United for Iran page jumped from consistently averaging around 27,000 followers to 70,000 overnight. Other activists shared similar stories of their accounts gaining tens of thousands of followers in a few hours in recent weeks and then gaining and losing followers a few thousand at a time after that. 

These massive spikes and fluctuations skew administrators’ metrics, making it hard to determine whether they are reaching legitimate followers with their posts and stories. Activists also note that the bot accounts will individually report specific posts to Instagram as abusive to get them wrongly taken down.

“It’s not consistent, but it hasn’t stopped since April,” says Shaghayegh Norouzi, founder of Me\_Too\_Movement\_Iran. “For example, if we are working on a sexual assault report from someone with strong connections to the government, we get a lot of fake followers. In the past 10 days, over 100,000 fake accounts have been added to our public account. They repeatedly report our posts, so Instagram removes our posts. These attacks specifically affect our performance to spread our message and be in contact with women and minorities who need our help.”

Despite having known about the issue for months, Meta tells WIRED that its investigation into the bot attacks is ongoing and not yet complete. “We want everyone to feel safe on Instagram—particularly activists, both in Iran and around the world,” a company spokesperson said in a statement. “We are continuing to investigate the activists’ concerns and will take action on any accounts that break our rules.”

The company says it has been receiving updates about the issues from Iranian women’s rights activists since April and had taken down hundreds of Instagram accounts in connection with the activity prior to this week. Meta describes the bot bombardments as adversarial but says it has not found evidence of automated or scripted activity. When asked what else could explain the patterns the activists have been seeing on their accounts, the company declined to comment on the record.

After WIRED reached out to Meta for comment, the company initially said it “checkpointed” a few hundred more accounts, a protective measure in which potentially suspicious accounts are blocked unless their owner can confirm their identity. Moments prior to publication, a Meta spokesperson said the company was taking down an additional 18,000 accounts that have targeted Iranian women’s rights groups. The company says that, in contrast to the activists’ reports, it does not see evidence that individual posts are being falsely reported and taken down.

Me\_Too\_Movement\_Iran’s Norouzi says her organization has been forced to create a private Instagram page in addition to its public one in an attempt to create a safe space for legitimate users. But multiple page administrators tell WIRED that it is difficult and time-consuming to screen followers and noted that, of course, creating a private page limits who can see posts.

At the end of June, a consortium of activists released a statement with AccessNow about the attacks on Iranian women’s groups, urging Meta to take action against the bots. 

“The fake followers have built a campaign of harassment by using high numbers of comments to intimidate and silence these users,” the groups wrote. “The fake followers have also damaged the credibility of the accounts they have targeted, resulting in a significant loss in engagement, likes, and viewership. This campaign is essentially drowning out the real engagement and outreach these accounts previously had.”

Last month, digital rights and security nonprofit Qurium released an analysis of the campaigns targeting Iranian feminist groups. The researchers found that the bots used in April and May seemed to be purchased from a few specific social media marketing companies based in Pakistan. The firms advertise services through which a customer could spend about $50 to purchase 10,000 bot followers or about $1,500 for up to 1 million fake accounts.

“So far, Meta has been slow to investigate this problem, even though the fake followers violate Meta’s ‘inauthentic behaviour policy,’” the groups wrote at the end of June. “They do not depict typical bot-like behaviour, and are potentially being operated by real humans from paid-for troll farms. Despite these complexities, Meta has enough documentation and evidence … to warrant swift action.”

For weeks, numerous groups have been communicating with Meta about the issue. Tord Lundström, Qurium’s technical director, tells WIRED that he has been trying to provide concrete suggestions to the company on how to investigate and identify the bots Qurium discovered in its analysis. 

“The response from Facebook can be summarized as follows: ‘We are looking into it, it is very difficult to solve, we have lots of people working on it,’ but nothing happens,” Lundström tells WIRED. “The fake followers, likes, and reviews industry has been camping inside Facebook for years. We have identified dozens of portals inside Facebook providing these services. It takes seconds to find them, but it seems that Facebook has difficulties stopping this market. Why?"

Milad Keshtan, program lead at United For Iran, expressed similar frustrations. “We have really clear action items that Meta could take to help us mitigate these campaigns, but we haven’t seen any response from them, even though we have reached out to them directly,” he says.

Meta emphasized that its investigation is ongoing and that multiple teams within the company are analyzing the activity. But the company did not comment on the record about why it hasn’t specifically acted on the researchers’ recommendations.

And it is a particularly urgent moment for comprehensive action to safeguard the accounts of Iranian women’s rights organizers.

“The Me Too movement in Iran started about three years ago and has grown exponentially in the past six months,” Me\_Too\_Movement\_Iran’s Norouzi says. “Of course, government and anti-feminist movements in Iran do not like this growth and awareness. And it’s not only us as feminist activists, but also whoever has collaborated with us who have experienced these attacks on Instagram. We are in shock that Instagram is letting people use their platform to shut down voices of women and minorities.”

Instagram Slow to Tackle Bots Targeting Iranian Women’s Groups

Plus: A wild Indian cricket scam, an elite CIA hacker is found guilty of passing secrets to WikiLeaks, and more of the week's top security news.

The websites you visit can reveal (almost) everything about you. If you are looking up health information, reading about trade unions, or researching details around certain types of crime, then you can potentially give away a huge amount of detail about yourself that a malicious actor could use against you. Researchers this week have detailed a new attack, using the web’s basic functions, that can unmask anonymous users online. The hack uses common web browser features—included in every major browser—and CPU functions to analyze whether you’re logged in to services such as Twitter or Facebook and subsequently identify you.

Elsewhere, we detailed how the Russian “hacktivist” group Killnet is attacking countries that backed Ukraine but aren’t directly involved in the war. Killnet has launched DDoS attacks against official government websites and businesses in Germany, the United States, Italy, Romania, Norway, and Lithuania in recent months. And it’s only one of the pro-Russian hacktivist groups causing chaos.

We’ve also looked at a new privacy scandal in India where donors to nonprofit organizations have had their details and information handed to police without their consent. We also looked at the new “Retbleed” attack that can steal data from Intel and AMD chips. And we took stock of the ongoing January 6 committee hearings—and predicted what’s to come.

But that’s not all. Each week we round up the news that we didn’t break or cover in-depth. Click on the headlines to read the full stories. And stay safe out there!

For years, Amazon-owned security camera firm Ring has been building relationships with law enforcement. By the start of 2021, Amazon had struck more than 2,000 partnerships with police and fire departments across the US, building out a huge surveillance network with officials being able to request videos to help with investigations. In the UK, Ring has partnered with police forces to give cameras away to local residents.

This week, Amazon admitted to handing police footage recorded on Ring cameras without their owners’ permission. As first reported by Politico, Ring has given law enforcement officials footage on at least 11 occasions this year. This is the first time the firm has admitted to passing on data without consent or a warrant. The move will raise further concerns over Ring’s cameras, which have been criticized by campaign groups and lawmakers for eroding people’s privacy and making surveillance technology ubiquitous. In response, Ring says it doesn’t give anyone “unfettered” access to customer data or video but may hand over data without permission in emergency situations where there is imminent danger of death or serious harm to a person.

In 2017, the Vault 7 leaks exposed the CIA’s most secretive and powerful hacking tools. Files published by WikiLeaks showed how the agency could hack Macs, your router, your TV, and a whole host of other devices. Investigators soon pointed the finger at Joshua Schulte, a hacker in the CIA’s Operations Support Branch (OSB), which was responsible for finding exploits that could be used in the CIA’s missions. Schulte has now been found guilty of leaking the Vault 7 files to Wikileaks and is potentially facing decades in prison. Following an earlier mistrial in 2018, Schulte was this week found guilty on all nine charges against him. Weeks ahead of his second trial, _The New Yorker_ published this comprehensive feature exploring Schulte’s dark history and how the CIA’s OSB operates.

Hackers linked to China, Iran, and North Korea have been targeting journalists and media outlets, according to new research from security firm Proofpoint. Alongside efforts to compromise the official accounts of members of the press, Proofpoint says, multiple Iranian hacking groups have posed as journalists and tried to trick people into handing over their online account details. The Iranian-linked group Charming Kitten has sent detailed interview requests to its potential hacking targets, and they have also tried to impersonate multiple Western news outlets. “This social engineering tactic successfully exploits the human desire for recognition and is being leveraged by APT actors wishing to target academics and foreign policy experts worldwide, likely in an effort to gain access to sensitive information,” Proofpoint says.

In any company or organization, items will go missing from time to time. Usually these are misplaced phones, security passes, and files occasionally being left at bus stops by mistake. Losing any of these things may open up security risks if devices are insecure or if sensitive information is made public. Less commonly lost are desktop computers—unless you’re the FBI. According to FBI records obtained by VICE’s _Motherboard_, the agency lost 200 desktop machines between July and December 2021. Also lost, or in some cases stolen, were pieces of body armor and night-vision scopes.

Scams don’t get much more elaborate than this. This week, police in India busted a fake “Indian Premier League” cricket tournament. A group of alleged scammers set up the fake league in the western Indian state of Gujarat and hired young men to play cricket matches, posing as professional teams while they livestreamed the matches for people to bet on. According to police, the group hired a fake commentator, created onscreen graphics showing real-time scores, and played crowd noises downloaded from the internet. To hide the fact that the matches took place on a farm instead of inside a large stadium, the videofeed only showed closeups of the action. Police said they caught the gang as a quarterfinal match was being played. Police believe the gang was potentially running multiple leagues and was planning to expand to a volleyball league, too. The match footage is worth watching.

Amazon Handed Ring Videos to Cops Without Warrants

Researchers have found a way to use the web's basic functions to identify who visits a site—without the user detecting the hack.

Everyone from advertisers and marketers to government-backed hackers and spyware makers wants to identify and track users across the web. And while a staggering amount of infrastructure is already in place to do exactly that, the appetite for data and new tools to collect it has proved insatiable. With that reality in mind, researchers from the New Jersey Institute of Technology are warning this week about a novel technique attackers could use to de-anonymize website visitors and potentially connect the dots on many components of targets’ digital lives.

The findings, which NJIT researchers will present at the Usenix Security Symposium in Boston next month, show how an attacker who tricks someone into loading a malicious website can determine whether that visitor controls a particular public identifier, like an email address or social media account, thus linking the visitor to a piece of potentially personal data. 

When you visit a website, the page can capture your IP address, but this doesn’t necessarily give the site owner enough information to individually identify you. Instead, the hack analyzes subtle features of a potential target’s browser activity to determine whether they are logged into an account for an array of services, from YouTube and Dropbox to Twitter, Facebook, TikTok, and more. Plus the attacks work against every major browser, including the anonymity-focused Tor Browser.

“If you’re an average internet user, you may not think too much about your privacy when you visit a random website,” says Reza Curtmola, one of the study authors and a computer science professor at NJIT. “But there are certain categories of internet users who may be more significantly impacted by this, like people who organize and participate in political protest, journalists, and people who network with fellow members of their minority group. And what makes these types of attacks dangerous is they’re very stealthy. You just visit the website and you have no idea that you’ve been exposed.”

The risk that government-backed hackers and cyber-arms dealers will attempt to de-anonymize web users isn’t just theoretical. Researchers have documented a number of techniques used in the wild and have witnessed situations in which attackers identified individual users, though it wasn’t clear how.

Other theoretical work has looked at an attack similar to the one NJIT researchers developed, but much of this past investigation has focused on grabbing revealing data that’s leaked between websites when one service makes a request to another. As a result of this prior work, browsers and website developers have improved how data is isolated and restricted when content loads, making these potential attack paths less feasible. Knowing that attackers are motivated to seek out techniques for identifying users, though, the researchers wanted to explore additional approaches.

“Let’s say you have a forum for underground extremists or activists, and a law enforcement agency has covertly taken control of it,” Curtmola says. “They want to identify the users of this forum but can’t do this directly because the users use pseudonyms. But let’s say that the agency was able to also gather a list of Facebook accounts who are suspected to be users of this forum. They would now be able to correlate whoever visits the forum with a specific Facebook identity.”

How this de-anonymization attack works is difficult to explain but relatively easy to grasp once you have the gist. Someone carrying out the attack needs a few things to get started: a website they control, a list of accounts tied to people they want to identify as having visited that site, and content posted to the platforms of the accounts on their target list that either allows the targeted accounts to view that content or blocks them from viewing it—the attack works both ways. 

Next, the attacker embeds the aforementioned content on the malicious website. Then they wait to see who clicks. If anyone on the targeted list visits the site, the attackers will know who they are by analyzing which users can (or cannot) view the embedded content.

The attack takes advantage of a number of factors most people likely take for granted: Many major services—from YouTube to Dropbox—allow users to host media and embed it on a third-party website. Regular users typically have an account with these ubiquitous services and, crucially, they often stay logged into these platforms on their phones or computers. Finally, these services allow users to restrict access to content uploaded to them. For example, you can set your Dropbox account to privately share a video with one or a handful of other users. Or you can upload a video to Facebook publicly but block certain accounts from viewing it. 

These “block” or “allow” relationships are the crux of how the researchers found that they can reveal identities. In the “allow” version of the attack, for instance, hackers might quietly share a photo on Google Drive with a Gmail address of potential interest. Then they embed the photo on their malicious web page and lure the target there. When visitors’ browsers attempt to load the photo via Google Drive, the attackers can accurately infer whether a visitor is allowed to access the content—aka, whether they have control of the email address in question. 

Thanks to the major platforms’ existing privacy protections, the attacker can’t check directly whether the site visitor was able to load the content. But the NJIT researchers realized they could analyze accessible information about the target’s browser and the behavior of their processor as the request is happening to make an inference about whether the content request was allowed or denied. 

The technique is known as a “side channel attack” because the researchers found that they could accurately and reliably make this determination by training machine learning algorithms to parse seemingly unrelated data about how the victim’s browser and device process the request. Once the attacker knows that the one user they allowed to view the content has done so (or that the one user they blocked has been blocked) they have de-anonymized the site visitor.

Complicated as it may sound, the researchers warn that it would be simple to carry out once attackers have done the prep work. It would only take a couple of seconds to potentially unmask each visitor to the malicious site—and it would be virtually impossible for an unsuspecting user to detect the hack. The researchers developed a browser extension that can thwart such attacks, and it is available for Chrome and Firefox. But they note that it may impact performance and isn’t available for all browsers.

Through a major disclosure process to numerous web services, browsers, and web standards bodies, the researchers say they have started a larger discussion about how to comprehensively address the issue. At the moment, Chrome and Firefox have not publicly released responses. And Curtmola says fundamental and likely infeasible changes to the way processors are designed would be needed to address the issue at the chip level. Still, he says that collaborative discussions through the World Wide Web Consortium or other forums could ultimately produce a broad solution.

“Vendors are trying to see if it’s worth the effort to resolve this,” he says. “They need to be convinced that it’s a serious enough issue to invest in fixing it.”

A New Attack Can Unmask Anonymous Users on Any Major Browser

The exploit can leak password information and other sensitive material, but the chipmakers are rolling out mitigations.

Some microprocessors from Intel and AMD are vulnerable to a newly discovered speculative execution attack that can covertly leak password data and other sensitive material, sending both chipmakers scrambling once again to contain what is proving to be a stubbornly persistent vulnerability.

Researchers from ETH Zurich have named their attack Retbleed because it exploits a software defense known as retpoline, which chipmakers introduced in 2018 to mitigate the harmful effects of speculative execution attacks. Speculative execution attacks, also known as Spectre, exploit the fact that when modern CPUs encounter a direct or indirect instruction branch, they predict the address for the next instruction they’re about to receive and automatically execute it before the prediction is confirmed. Spectre works by tricking the CPU into executing an instruction that accesses sensitive data in memory that would normally be off-limits to a low-privileged application. Retbleed then extracts the data after the operation is canceled.

Is It a Trampoline or a Slingshot?

Retpoline works by using a series of return operations to isolate indirect branches from speculative execution attacks, in effect erecting the software equivalent of a trampoline that causes them to safely bounce. Stated differently, a retpoline works by replacing indirect jumps and calls with returns, which many researchers presumed weren’t susceptible. The defense was designed to counter variant 2 of the original speculative execution attacks from January 2018. Abbreviated as BTI, the variant forces an indirect branch to execute so-called gadget code, which in turn creates data to leak through a side channel.

Some researchers have warned for years that retpoline isn’t sufficient to mitigate speculative execution attacks because the returns retpoline used were susceptible to BTI. Linux creator Linus Torvalds famously rejected such warnings, arguing that such exploits weren’t practical.

The ETH Zurich researchers have conclusively shown that retpoline is insufficient for preventing speculative execution attacks. Their Retbleed proof-of-concept works against Intel CPUs with the Kaby Lake and Coffee Lake microarchitectures as well as with AMD Zen 1, Zen 1+, and Zen 2 microarchitectures.

“Retpoline, as a Spectre-BTI mitigation, fails to consider return instructions as an attack vector,” researchers Johannes Wikner and Kaveh Razavi wrote. “While it is possible to defend return instructions by adding a valid entry to the RSB return stack buffer before executing the return instruction, treating every return as potentially exploitable in this way would impose a tremendous overhead. Previous work attempted to conditionally refill the RSB with harmless return targets whenever a perCPU counter that tracks the call stack depth reaches a certain threshold, but it was never approved for upstream. In the light of Retbleed, this mitigation is being re-evaluated by Intel, but AMD CPUs require a different strategy.”

In an email, Razavi explained it this way:

_Spectre variant 2 exploited indirect branches to gain arbitrary speculative execution in the kernel. Indirect branches were converted to returns using the retpoline to mitigate Spectre variant 2._

_Retbleed shows that return instructions unfortunately leak under certain conditions similar to indirect branches. These conditions are unfortunately common on both Intel (Skylake and Skylake-based) and AMD (Zen, Zen+ and Zen2) platforms. This means that retpoline was unfortunately an inadequate mitigation to begin with._

In response to the research, both Intel and AMD advised customers to adopt new mitigations that the researchers said will add as much as 28 percent more overhead to operations.

Retbleed can leak kernel memory from Intel CPUs at about 219 bytes per second and with 98 percent accuracy. The exploit can extract kernel memory from AMD CPUs with a bandwidth of 3.9 kB per second. The researchers said that it’s capable of locating and leaking a Linux computer’s root password hash from physical memory in about 28 minutes when running the Intel CPUs and in about six minutes for AMD CPUs.

Retbleed works by using code that essentially poisons the branch prediction unit that CPUs rely on to make their guesses. Once the poisoning is complete, this BPU will make mispredictions that the attacker can control.

“We found that we can inject branch targets that reside inside the kernel address-space, even as an unprivileged user,” the researchers wrote in a blog post. “Even though we cannot access branch targets inside the kernel address-space—branching to such a target results in a page fault—the Branch Prediction Unit will update itself upon observing a branch and assume that it was legally executed, even if it's to a kernel address.”

Intel and AMD Respond

Both Intel and AMD have responded with advisories. Intel has confirmed that the vulnerability exists on Skylake-generation processors that don’t have a protection known as enhanced Indirect Branch Restricted Speculation (eIBRS) in place.

“Intel has worked with the Linux community and VMM vendors to provide customers with software mitigation guidance which should be available on or around today's public disclosure date,” Intel wrote in a blog post. “Note that Windows systems are not affected given that these systems use Indirect Branch Restricted Speculation (IBRS) by default which is also the mitigation being made available to Linux users. Intel is not aware of this issue being exploited outside of a controlled lab environment.”

AMD, meanwhile, has also published guidance. “As part of its ongoing work to identify and respond to new potential security vulnerabilities, AMD is recommending software suppliers consider taking additional steps to help guard against Spectre-like attacks,” a spokesman wrote in an email. The company has also published a white paper.

Both the researchers’ research paper and blog post explain the microarchitectural conditions necessary to exploit Retbleed:

_**Intel**. On Intel, returns start behaving like indirect jumps when the Return Stack Buffer, which holds return target predictions, is underflowed. This happens upon executing deep call stacks. In our evaluation we found over a thousand of such conditions that can be triggered by a system call. The indirect branch target predictor for Intel CPUs has been studied in_ _previous work__._

_**AMD**. On AMD, returns will behave like an indirect branch regardless of the state of their Return Address Stack. In fact, by poisoning the return instruction using an indirect jump, the AMD branch predictor will assume that it will encounter an indirect jump instead of a return and consequentially predict an indirect branch target. This means that any return that we can reach through a system call can be exploited—and there are tons of them._

In an email, Razavi added: “Retbleed is more than just a retpoline bypass on Intel, specially on AMD machines. AMD is in fact going to release a white paper introducing Branch Type Confusion based on Retbleed. Essentially, Retbleed is making AMD CPUs confuse return instructions with indirect branches. This makes exploitation of returns very trivial on AMD CPUs.”

The mitigations will come at a cost that the researchers measured to be between 12 percent and 28 percent more computational overhead. Organizations that rely on affected CPUs should carefully read the publications from the researchers, Intel, and AMD, and be sure to follow the mitigation guidance.

_This story originally appeared on_ _Ars Technica__._

New ‘Retbleed’ Attack Can Swipe Key Data From Intel and AMD CPUs

Nonprofit donors had their information given to law enforcement without consent, highlighting limited data protections in the world’s largest democracy.

Prasanto K. Roy, a public policy consultant from New Delhi, is worried. In 2017 he began sending regular donations to the Indian fact-checking organization Alt News to support its work countering online misinformation. But on July 5 the nonprofit said that Indian payments gateway Razorpay, which it used to receive donations, had shared its donors’ data with New Delhi police following the arrest of Alt News cofounder Mohammed Zubair last month.

Roy is now hesitant to use Razorpay, saying he is concerned about tech companies handing over data—including his own—to law enforcement without consent. “When a payment gateway gives out donor databases on a police demand that is excessive, that information can be misused by the police or others it could reach,” he said. “India doesn’t even have privacy laws in place yet.”

The full extent of the data that Razorpay shared with police remains unclear, but Alt News said that the data it collects from donors includes phone numbers, email addresses, and tax IDs. A police official told the _Hindustan Times_ that the force is gathering data from banks to cross-reference with the Alt News data.

The investigation appears to be part of an ongoing probe to check whether Alt News received donations from outside of India, after police claimed that the organization’s parent received funds from several other countries, including Pakistan and Syria. Zubair, the cofounder of Alt News, was arrested on June 27 for a 2018 tweet that allegedly hurt religious sentiments, but is also being investigated for other charges, including receiving foreign funds under India’s Foreign Contribution (Regulation) Act, which restricts foreign donations to nonprofits.

While the arrest has spurred many Indians to fear that police are quashing internet freedom, it has also highlighted the limited legal protections on privacy in the world’s largest democracy, which lacks a comprehensive data protection law. The stakes are growing higher as more people in India use the internet for leisure, communications, and commerce. The country’s digital payments market—already at $3 trillion in value—is expected to skyrocket to $10 trillion by 2026, according to Boston Consulting Group.

Razorpay has faced social media backlash and threats of a boycott for sharing donor data without first informing Alt News. “Many donors and fundraisers said they wouldn’t use Razorpay again, and that was my initial reaction too,” said Roy, while adding that perhaps other companies would also have caved under the same pressure from police.

In a public statement on Twitter, Razorpay did not mention Alt News and said that the data shared was “restricted to what was within the scope of investigation.” Razorpay CEO Harshil Mathur tweeted that police were attempting to “determine whether there were any foreign donations or not” and claimed that donors’ tax IDs and addresses were not shared. Razorpay did not respond to a request for comment; Alt News cofounder Pratik Sinha declined to comment.

Indian police obtained the data from Razorpay under section 91 of the Criminal Procedure Code, which allows officials to seek documents or data connected to an ongoing investigation. But criminal lawyers told WIRED that the law gives police considerable flexibility, leaving room for overreach or misuse.

“Section 91 allows the police to make any request for information to any person during an inquiry, and it’s a standard investigative tool,” said Abhinav Sekhri, a criminal lawyer based in New Delhi. “Companies routinely receive such requests, at severe cost, because there are consequences for noncompliance, leaving them with no choice at times.” One such consequence could be an executive facing criminal action and potentially imprisonment, Sekhri says.

Meanwhile, financial technology experts say that even if Razorpay hadn’t complied with the demand to hand over Alt News data, the police could likely have retrieved it from other players in the payments ecosystem. “The source and destination information is stored across the entire chain,” said Srikanth Lakshmanan, a researcher who runs Cashless Consumer, a collective that works on consumer awareness of digital payments in India. “It’s not just Razorpay that will store this information, but also the card issuer and acquiring bank and payment network.”

This broad collection and sharing of data can make privacy in digital payments in India seem nigh on impossible. “The state of privacy in digital payments in India is nonexistent,” Lakshmanan says. The ease with which digital data can be shared and leaked makes privacy challenging around the world, but India’s centralized biometric identity system, Aadhaar, can add extra vulnerabilities, he says. “It's easy to look for more information in India where a whole range of data sets are cross-linked, giving a much richer profile.”

Source

Wired