Kytch, the company that tried to fix McDonald’s broken ice cream machines, has unearthed a 3-year-old email it says proves claims of an alleged plot to undermine their business.

A little over three years have passed since McDonald's sent out an email to thousands of its restaurant owners around the world that abruptly cut short the future of a three-person startup called Kytch—and with it, perhaps one of McDonald's best chances for fixing its famously out-of-order ice cream machines.

Until then, Kytch had been selling McDonald's restaurant owners a popular internet-connected gadget designed to attach to their notoriously fragile and often broken soft-serve McFlurry dispensers, manufactured by McDonalds equipment partner Taylor. The Kytch device would essentially hack into the ice cream machine's internals, monitor its operations, and send diagnostic data over the internet to an owner or manager to help keep it running. But despite Kytch's efforts to solve the Golden Arches’ intractable ice cream problems, a McDonald’s email in November 2020 warned its franchisees not to use Kytch, stating that it represented a safety hazard for staff. Kytch says its sales dried up practically overnight.

Now, after years of litigation, the ice-cream-hacking entrepreneurs have unearthed evidence that they say shows that Taylor, the soft-serve machine maker, helped engineer McDonald's Kytch-killing email—kneecapping the startup not because of any safety concern, but in a coordinated effort to undermine a potential competitor. And Taylor's alleged order, as Kytch now describes it, came all the way from the top.

Secret codes. Legal threats. Betrayal. How one couple built a device to fix McDonald’s notoriously broken soft-serve machines—and how the fast-food giant froze them out.

On Wednesday, Kytch filed a newly unredacted motion for summary adjudication in its lawsuit against Taylor for alleged trade libel, tortious interference, and other claims. The new motion, which replaces a redacted version from August, refers to internal emails Taylor released in the discovery phase of the lawsuit, which were quietly unsealed over the summer. The motion focuses in particular on one email from Timothy FitzGerald, the CEO of Taylor parent company Middleby, that appears to suggest that either Middleby or McDonald's send a communication to McDonald's franchise owners to dissuade them from using Kytch's device.

“Not sure if there is anything we can do to slow up the franchise community on the other solution,” FitzGerald wrote on October 17, 2020. “Not sure what communication from either McD or Midd can or will go out.”

In their legal filing, the Kytch cofounders, of course, interpret “the other solution” to mean their product. In fact, FitzGerald's message was sent in an email thread that included Middleby's then COO, David Brewer, who had wondered earlier whether Middleby could instead acquire Kytch. Another Middleby executive responded to FitzGerald on October 17 to write that Taylor and McDonald’s had already met the previous day to discuss sending out a message to franchisees about McDonald’s lack of support for Kytch.

But Jeremy O'Sullivan, a Kytch cofounder, claims—and Kytch argues in its legal motion—that FitzGerald’s email nonetheless proves Taylor's intent to hamstring a potential competitor. “It's the smoking gun,” O'Sullivan says of the email. “He's plotting our demise.”

Although FitzGerald's email doesn't actually order anyone to act against Kytch, the company’s motion argues that Taylor played a key role in what happened next. It's an “ambiguous yet direct message to his underlings,” argues Melissa Nelson, Kytch's other cofounder. “It's just like a mafia boss giving coded instructions to his team to whack someone."

On November 2, 2020, a little over two weeks after FitzGerald's open-ended suggestion that perhaps a “communication” from McDonald's or Middleby to franchisees could “slow up” adoption of “the other solution,” McDonald's sent out its email blast cautioning restaurant owners not to use Kytch's product.

The email stated that the Kytch gadget “allows complete access to all aspects of the equipment’s controller and confidential data”—meaning Taylor’s and McDonald’s data, not the restaurant owners’ data; that it “creates a potential very serious safety risk for the crew or technician attempting to clean or repair the machine"; and finally, that it could cause “serious human injury.” The email concluded with a warning in italics and bold: “McDonald’s strongly recommends that you remove the Kytch device from all machines and discontinue use.”

Kytch has long argued that McDonald’s safety warning was bogus: In its legal complaint, it noted that its devices received certification from Underwriters Laboratory, an independent product safety nonprofit, including meeting its safety standards. It also countered in the complaint any claim that a Kytch device's remote connection to an ice cream machine could result in the machine turning on while a person's hand was inside—in fact, Taylor's own manual advises unplugging the machine before servicing it, and removing the door of the machine to access its rotating barrels automatically disables its motor.

Kytch's legal motion now argues that FitzGerald's email reveals that the McDonald's warning to restaurant owners was never really about safety, so much as protecting its equipment partner from a startup that might represent competition. The CEO's email “essentially put into place their plan to defame us," Nelson says.

She and O’Sullivan also argue that the internal email directly contradicts FitzGerald’s public statements that Middleby hadn’t sought to kill Kytch. “We’re not in business to put other companies out of business,” FitzGerald told _The New York Times_ early last year.

When WIRED reached out to Middleby, Taylor’s parent company, for comment, a spokesperson responded in a statement disputing Kytch’s interpretation of its internal emails. “McDonald’s decided to issue the November 2020 field brief on its own accord, not at Middleby or Taylor’s direction,” the statement reads. “Taylor stood, and continues to stand, by the accuracy of statements made in the field brief.” The spokesperson also notes that Taylor won an early ruling in the lawsuit against Kytch’s request for a preliminary injunction—which would have prevented Taylor from developing a device that Kytch claims was copied from its product—and promises an upcoming filing responding to Kytch’s argument, which court documents say will happen in early 2024.

At the time of McDonald's warning email to franchisees about Kytch, Taylor was developing its own internet-connected ice cream machine, what it referred to as Taylor Shake/Sundae Connectivity, which McDonald's recommended in the same email. But, even now, more than two years after it was promised for delivery, that device has yet to arrive in restaurants—and the publicly documented ice cream headaches at McDonald’s appear to have continued. According to the website McBroken, which tracks ice cream machine downtime at McDonald's restaurants across the US, between 13 percent and 17 percent of McDonald's restaurants have had broken ice cream machines at any given time just this month. That percentage has recently been as high as 35 percent in New York City and 28 percent in Washington, DC.

Taylor declined to comment on any upcoming internet-connected ice cream machine model. But that long-touted solution to the problem has still not been made available to franchisees, according to one McDonald's restaurant owner who goes by the handle McFranchisee (and previously used the handle McD Truth) on X. But McFranchisee says that Taylor has integrated those new features into its next model, which is expected to be available in four to six months. (McFranchisee has also criticized Kytch, claiming that the startup's failure was due to its own reliability problems and an increase in its prices, not a Taylor or McDonald's conspiracy against them.)

Despite the email from Middleby's CEO that Kytch claims suggests dissuading franchisees from using Kytch's product, Kytch argues that other documents released in the lawsuit’s discovery phase show McDonald's itself was also eager to stymie Kytch from the beginning. In February 2020, Taylor president Jeremy Dobrowolski wrote in another email that “McDonald's is all hot and heavy about” Kytch's growing use in restaurants. Before the company sent out its November 2 email warning franchisees about Kytch, Taylor and McDonald’s executives had a meeting to discuss the message, and a McDonald's exec also sent a draft to Taylor for its approval. A Taylor executive wrote to others within the ice cream machine company, “I am a bit in shock they are willing to take such a strong position.”

When WIRED reached out to McDonald’s for comment on Kytch’s new argument about the “smoking gun” email from Taylor’s CEO, a spokesperson responded with a statement: “McDonald’s won’t speculate about the intent behind this email discussion that we weren't a part of. The intent of our Nov. 2020 communication was to bring awareness to potential safety concerns regarding the unapproved Kytch device.”

In addition to its lawsuit against Taylor, Kytch is still pursuing a bigger lawsuit against McDonald's itself, asking for $900 million in damages for what it describes in its legal complaint as McDonald’s effort to “drive Kytch out of the marketplace.” That lawsuit against McDonald's, if it moves forward, may soon produce more answers explaining Kytch’s legal claims that McDonald's appears to have cooperated with Taylor in telling its customers not to use Kytch—even as many of its restaurants took a significant hit from lost ice cream sales.

In the meantime, Kytch says it plans, if necessary, to take the lawsuit against Taylor to a jury trial, currently set for May. “The conspiracy described in Kytch's complaint involved folks at the highest levels of leadership, not just at Taylor but also at Middleby and at McDonald’s,” says Daniel Watkins, Kytch's attorney. “We’re really looking forward to the opportunity to present it to an open trial.”

McDonald’s Ice Cream Machine Hackers Say They Found the ‘Smoking Gun’ That Killed Their Startup

Ten years in, Microsoft’s DCU has honed its strategy of using both unique legal tactics and the company’s technical reach to disrupt global cybercrime and state-backed actors.

Governments and the tech industry around the world have been scrambling in recent years to curb the rise of online scamming and cybercrime. Yet even with progress on digital defenses, enforcement, and deterrence, the ransomware attacks, business email compromises, and malware infections keep on coming. Over the past decade, Microsoft's Digital Crimes Unit (DCU) has forged its own strategies, both technical and legal, to investigate scams, take down criminal infrastructure, and block malicious traffic.

The DCU is fueled, of course, by Microsoft's massive scale and the visibility across the internet that comes from the reach of Windows. But DCU team members repeatedly told WIRED that their work is motivated by very personal goals of protecting victims rather than a broad policy agenda or corporate mandate.

In just its latest action, the DCU announced Wednesday evening efforts to disrupt a cybercrime group that Microsoft calls Storm-1152. A middleman in the criminal ecosystem, Storm-1152 sells software services and tools like identity verification bypass mechanisms to other cybercriminals. The group has grown into the number one creator and vendor of fake Microsoft accounts—creating roughly 750 million scam accounts that the actor has sold for millions of dollars.

The DCU used legal techniques it has honed over many years related to protecting intellectual property to move against Storm-1152. The team obtained a court order from the Southern District of New York on December 7 to seize some of the criminal group’s digital infrastructure in the US and take down websites including the services 1stCAPTCHA, AnyCAPTCHA, and NoneCAPTCHA, as well as a site that sold fake Outlook accounts called Hotmailbox.me.

The strategy reflects the DCU’s evolution. A group with the name “Digital Crimes Unit” has existed at Microsoft since 2008, but the team in its current form took shape in 2013 when the old DCU merged with a Microsoft team known as the Intellectual Property Crimes Unit.

“Things have become a lot more complex,” says Peter Anaman, a DCU principal investigator. “Traditionally you would find one or two people working together. Now, when you’re looking at an attack, there are multiple players. But if we can break it down and understand the different layers that are involved it will help us be more impactful.”

The DCU’s hybrid technical and legal approach to chipping away at cybercrime is still unusual, but as the cybercriminal ecosystem has evolved—alongside its overlaps with state-backed hacking campaigns—the idea of employing creative legal strategies in cyberspace has become more mainstream. In recent years, for example, Meta-owned WhatsApp and Apple both took on the notorious spyware maker NSO Group with lawsuits.

Still, the DCU's particular progression was the result of Microsoft's unique dominance during the rise of the consumer internet. As the group's mission came into focus while dealing with threats from the late 2000s and early 2010s—like the widespread Conficker worm—the DCU's unorthodox and aggressive approach drew criticism at times for its fallout and potential impacts on legitimate businesses and websites.

“There's simply no other company that takes such a direct approach to taking on scammers,” WIRED wrote in a story about the DCU from October 2014. “That makes Microsoft rather effective, but also a little bit scary, observers say.”

Richard Boscovich, the DCU’s assistant general counsel and a former assistant US attorney in Florida’s Southern District, told WIRED in 2014 that it was frustrating for people within Microsoft to see malware like Conficker rampage across the web and feel like the company could improve the defenses of its products, but not do anything to directly deal with the actors behind the crimes. That dilemma spurred the DCU’s innovations and continues to do so.

“What’s impacting people? That’s what we get asked to take on, and we’ve developed a muscle to change and to take on new types of crime,” says Zoe Krumm, the DCU’s director of analytics. In the mid-2000s, Krumm says, Brad Smith, now Microsoft’s vice chair and president, was a driving force in turning the company’s attention toward the threat of email spam.

“The DCU has always been a bit of an incubation team. I remember all of a sudden, it was like, ‘We have to do something about spam.’ Brad comes to the team and he’s like, ‘OK, guys, let’s put together a strategy.’ I’ll never forget that it was just, ‘Now we’re going to focus here.’ And that has continued, whether it be moving into the malware space, whether it be tech support fraud, online child exploitation, business email compromise.”

As the group has matured and expanded into all of these areas, Boscovich says, a “preoccupation with exposure to liability and risk” is another element of the work that keeps him up at night.

“You want to help, and you want to do all these things, but no good deed goes unpunished sometimes,” he says. “Sometimes, we would try to help someone—and to help them you kind of shut their computer down—and even though you’re trying to help them, their small business goes down. So how do you manage that? That’s always been the hardest part of my job. The legal creativity is cool, but how do I make sure that it’s acceptable risk and that we research everything so there’s no collateral damage?”

The legal strategies the group has focused on developing evolve as digital threats evolve. In 2016, the DCU began taking the approach of establishing a court “special master” when working on disruptions related to state-sponsored hacking. This judge-appointed official is a direct point of contact for ongoing cases and even remains active for years after a case has been officially closed, enabling the DCU to get court approval for infrastructure takedowns and other actions without having to file for new court orders.

“It allows us to stay on top of these threats and get an order within minutes,” Boscovich says. “We can accelerate the process of litigation almost to the speed of cyber.”

He also points out the challenge of taking action against threat actors given the professionalization of the cybercriminal ecosystem in recent years. Crime groups now operate as syndicates with different departments working on different aspects of carrying out crimes while also contracting with third parties for services they don't develop in-house.

“There’s a legal problem: How do you get a bunch of people doing separate activities into one complaint or one charge? They don’t always even know each other,” Boscovich says. To address this situation, the group worked on legal strategies under the US Racketeer Influenced and Corrupt Organizations Act (RICO), which is designed to focus on criminal organizations rather than individual criminal acts.

“These are the guys who developed the malware, brokered the malware, operate the malware, so we can put them all into one legal filing to bring them together,” he says. “Now that has become part of our legal game plan as well.”

As cybercriminal and state-backed hacking has continued to escalate, the DCU has expanded its collaborations with law enforcement and used its techniques during an ever-changing array of global crises. In 2016, for example, the group carried out its first disruption of a state actor, conducting takedowns related to Russia’s APT 28, known as Fancy Bear. The attackers had been using Microsoft-like domains in their notorious phishing rampages and disinformation campaigns related to that year’s US elections. In 2018, the group shared findings with the Delhi police about the actors behind 10 criminal call centers in India who were scamming victims in the US, Canada, the Netherlands, and Australia. The information-sharing resulted in 63 arrests. In 2020, the DCU seized domains used in pandemic-related cybercrime and also conducted takedowns against the notorious Trickbot ransomware group ahead of the 2020 US elections.

“We tend to think about it from the victim protection perspective,” says Amy Hogan-Burney, who oversees the DCU as Microsoft's general manager and associate general counsel of cybersecurity policy and protection. “I leave deterrence generally to governments, but what I always focus on is victim protection. That can be narrow, meaning a Microsoft customer or type of Microsoft customer, or it can be really broad—anyone who is using the internet who may be impacted by cybercrime.”

Microsoft’s Digital Crime Unit Goes Deep on How It Disrupts Cybercrime

A hacker group calling itself Solntsepek—previously linked to Russia’s notorious Sandworm hackers—says it carried out a disruptive breach of Kyivstar, a major Ukrainian mobile and internet provider.

Over nearly a decade, the hacker group within Russia's GRU military intelligence agency known as Sandworm has launched some of the most disruptive cyberattacks in history against Ukraine's power grids, financial system, media, and government agencies. Signs now point to that same usual suspect being responsible for sabotaging a major mobile provider for the country, cutting off communications for millions and even temporarily sabotaging the air raid warning system in the capital of Kyiv.

On Tuesday, a cyberattack hit Kyivstar, one of Ukraine's largest mobile and internet providers. The details of how that attack was carried out remain far from clear. But it “resulted in essential services of the company’s technology network being blocked,” according to a statement posted by Ukraine’s Computer Emergency Response Team, or CERT-UA.

Kyivstar's CEO, Oleksandr Komarov, told Ukrainian national television on Tuesday, according to Reuters, that the hacking incident “significantly damaged \[Kyivstar's\] infrastructure \[and\] limited access.”

“We could not counter it at the virtual level, so we shut down Kyivstar physically to limit the enemy's access,” he continued. “War is also happening in cyberspace. Unfortunately, we have been hit as a result of this war.”

The Ukrainian government hasn't yet publicly attributed the cyberattack to any known hacker group—nor have any cybersecurity companies or researchers. But on Tuesday, a Ukrainian official within its SSSCIP computer security agency, which oversees CERT-UA, pointed out in a message to reporters that a group known as Solntsepek had claimed credit for the attack in a Telegram post, and noted that the group has been linked to the notorious Sandworm unit of Russia's GRU.

“We, the Solntsepek hackers, take full responsibility for the cyber attack on Kyivstar. We destroyed 10 computers, more than 4 thousand servers, all cloud storage and backup systems,” reads the message in Russian, addressed to Ukrainian president Volodymyr Zelenskyy and posted to the group's Telegram account. The message also includes screenshots that appear to show access to Kyivstar's network, though this could not be verified. “We attacked Kyivstar because the company provides communications to the Ukrainian Armed Forces, as well as government agencies and law enforcement agencies of Ukraine. The rest of the offices helping the Armed Forces of Ukraine, get ready!”

Solntsepek has previously been used as a front for the hacker group Sandworm, the Moscow-based Unit 74455 of Russia's GRU, says John Hultquist, the head of threat intelligence at Google-owned cybersecurity firm Mandiant and a longtime tracker of the group. He declined, however, to say which of Solntsepek’s network intrusions have been linked to Sandworm in the past, suggesting that some of those intrusions may not yet be public. “It's a group that has claimed credit for incidents we know were carried out by Sandworm,” Hultquist says, adding that Solntsepek's Telegram post bolsters his previous suspicions that Sandworm was responsible. "Given their consistent focus on this type of activity, it's hard to be surprised that another major disruption is linked to them.”

If Solntsepek is a front for Sandworm, it would be far from the first. Over its years of targeting Ukrainian infrastructure, the GRU unit has used a wide variety of covers, hiding behind false flags such as independent hacktivist groups and cybercriminal ransomware gangs. It even attempted to frame North Korea for its attack on the 2018 Winter Olympics.

Today, Kyivstar countered some of Solntsepek's claims in a post on X, writing that “we assure you that the rumors about the destruction of our ‘computers and servers’ are simply fake.” The company had also written on the platform that it hoped to restore its network's operations by Wednesday, adding that it's working with the Ukrainian government and law enforcement agencies to investigate the attack. Kyivstar's parent company, Veon, headquartered in Amsterdam, didn't respond to WIRED's request for more information.

While the fog of war continues to obscure the exact scale of the Kyivstar incident, it already appears to be one of the most disruptive cyberattacks to have hit Ukraine since Russia's full-scale invasion began in February 2022. In the year that followed, Russia launched more data-destroying wiper attacks on Ukrainian networks than have been seen anywhere else in the world in the history of computing, though most have had far smaller effects than the Kyivstar intrusion. Other major Russian cyberattacks to hit Ukraine over the past 20 months include a cyberattack that crippled thousands of Viasat satellite modems across the country and other parts of Europe, now believed to have been carried out by the GRU. Another incident of cybersabotage, which Mandiant attributes to Sandworm specifically, caused a blackout in a Ukrainian city just as it was being hit by missile strikes, potentially hampering defensive efforts.

It's not yet clear if the Kyivstar attack—if it was indeed carried out by a Russian state-sponsored hacker group—was merely intended to sow chaos and confusion among the company's customers, or if it had a more specific tactical intention, such as disguising intelligence-gathering within Kyivstar's network, hampering Ukrainian military communications, or silencing its alerts to civilians about air raids.

“Telecoms offer intelligence opportunities, but they're also very effective targets for disruption," says Mandiant's Hultquist. “You can cause significant disruption to people's lives. And you can even have military impacts.”

Hacker Group Linked to Russian Military Claims Credit for Cyberattack on Kyivstar

Competing bills moving through the House of Representatives both reauthorize Section 702 surveillance—but they pave very different paths forward for Americans’ privacy and civil liberties.

Two surveillance bills are barreling their way through the US House of Representatives this week. Both claim to achieve roughly the same goal: Enact sweeping reforms and save a dying surveillance program beleaguered by “persistent and widespread” abuse.

Under this program, Section 702, the US government collects hundreds of millions of phone calls, emails, and text messages each year. An inestimable chunk belongs to American citizens, permanent residents, and others in the United States neither suspected nor accused of any crime.

While both bills would extend the program’s life, only one of them can credibly lay claim to the title of reform. Legislation introduced last week by Representative Andy Biggs in the House Judiciary Committee would require the Federal Bureau of Investigation (FBI) to obtain warrants before accessing the communications of Americans collected under Section 702. The second bill, introduced by the House Intelligence Committee, contains no equivalent protection.

The House Judiciary Committee’s Protect Liberty and End Warrantless Surveillance Act (PLEWSA, unfortunately) secures a glaring loophole in US law that helps police and intelligence agencies buy their way around the Fourth Amendment by paying US companies for information that they’d otherwise demand a warrant to disclose. The House Intelligence Committee’s bill—the FISA Reform and Reauthorization Act, or FRRA—does nothing to address this privacy threat.

What the FRRA does appear to do, despite its name, is explode the number of companies the US government may compel to cooperate with wiretaps under Section 702. That was the assessment on Friday of Marc Zwillinger, amicus curiae to the Foreign Intelligence Surveillance Court of Review (FISCR). “These changes would vastly widen the scope of businesses, entities, and their affiliates who are eligible to be compelled to assist 702 surveillance,” Zwillinger wrote in an article with Steve Lane, a former Justice Department (DOJ) attorney.

Section 702 currently allows the government to compel a class of companies called “electronic communications providers” to collect communications. If the FRRA becomes law, according to Zwillinger, that category would be greatly expanded to include a slew of new businesses, including “data centers, colocation providers, business landlords, and shared workspaces,” as well as, he says, “hotels where guests connect to the internet.”

Congressional sources tell WIRED that officials at the DOJ, Department of Defense, and National Security Agency have been placing urgent calls directly to House lawmakers to oppose the PLEWSA and advance the FRRA—an effort, the sources say, being coordinated by White House advisers. Privately, some Democrats have been urged to help kill the “Jim Jordan bill,” an aide said, explaining the apparent jab is meant to frame an entirely bipartisan bill as an extreme Republican measure. (Jordan, the aide noted, is not the bill’s author and did not introduce it.) Regardless, a major chunk of the PLEWSA was cannibalized from privacy legislation with a record of broad bipartisan support, and particularly in the Senate, where top Democrat Chuck Schumer has previously lent his name to a bill banning police and intelligence agencies from buying people’s personal data.

The PLEWSA likewise exited the House Judiciary Committee last week with broad bipartisan support from both Jordan, the Republican chair, and Jerrold Nadler, its ranking Democrat.

Section 702 surveillance begins with monitoring the communications of foreigners believed to be located outside of the United States. Under these conditions, the US government can ignore most constitutional protections, wiretapping nearly any individual it deems likely to possess—or likely to possess in the future—information of intelligence value.

Correspondence between foreign targets and their lawyers, doctors, religious leaders, wives, husbands, and children are all open for collection, a fact that would not change if every one of them were a US citizen. Whatever calls, emails, or texts are intercepted as a result of targeting a foreigner under 702 are legally permissible, or “incidental,” in spy agency parlance.

Once that information is legally in the government’s possession, the use of it is subject to a different set of legal doctrines, many of which ignore the novel circumstances under which it was initially seized. A federal appeals court in 2021 described the “two-step” process by which communications may be seized under 702 and only years later dug up for an entirely different reason. The process on the whole is constitutional, it said, so long as each step “independently complies with the Fourth Amendment.” Under this logic, the FBI has been permitted to treat the private communications of Americans—secretly obtained during foreign surveillance—as roughly the equivalent of information it stumbles across in plain view.

How often Americans are targeted by Section 702 surveillance is a question that the government says it genuinely can’t answer. It does, however, disapprove of using the word “target” to describe Americans whose calls and texts are intercepted by US spies.

Congressional sources opposed to the FRRA, the House Intelligence Committee’s bill, say it reflects a deference toward executive power that has become customary among House and Senate intelligence staff. In arguing that constant experience has never shown secret agencies to be predisposed to self-restraint, a senior aide pointed to the case of an intelligence analyst caught abusing 702 data for “online dating” purposes last year. It had recently been confirmed, they said, that the analyst had not been fired.

“The Intelligence Committee’s ‘FISA Reform and Reauthorization Act’ may have the word ‘reform’ in its name, but the bill’s text proves otherwise,” says Representative Zoe Lofgren. “Congress must not green-light another major surveillance reauthorization without enacting surveillance reform measures that curb abuses and protect Americans’ civil liberties."

Talking points obtained by WIRED that were being circulated over the weekend by critics of the PLEWSA bill’s deeper reforms allude to the “grave damage” it poses to national security. Supporters of the FRRA bill have dubiously credited the 702 with halting “another 9/11.” But the PLEWSA bill strikes an appreciable balance between privacy and security for a surveillance authority aimed at foiling tier-one threats. It contains clear caveats to help the government advance investigations of cybercrime and exigencies for most immediate, violent threats.

Sources say both the PLEWSA and the FRRA could receive a floor vote as early as Tuesday under rarely prescribed Queen-of-the-Hill rules—meaning, in short, that the bill with the greatest number of supporters might ultimately carry the day.

Congress Clashes Over the Future of America’s Section 702 Spy Program

With its war against Russia raging on, Ukraine has begun raising funds to rebuild homes and structures one by one using its own crowdfunding platform.

While Ukraine remains locked in a brutal war with Russia, Ukraine’s government in Kyiv is already looking forward to a day when the country rebuilds itself from the ground up.

It will be no small task. The World Bank estimates that, as of early this year, Ukraine’s rebuilding costs surpassed $410 billion. To recover from Russia’s bombing, shelling, and attacks against critical infrastructure, Ukraine will need massive investments in its water services, agriculture, mine disposal, health care system, and more.

While the push to rebuild Ukraine’s critical infrastructure will be gargantuan, there is also a mounting need to repair the country’s housing stock. The World Bank estimates Ukraine will need at least $69 billion to replace homes and apartment buildings damaged and destroyed by the war—roughly $2 billion of that amount is needed urgently.

While billions are pouring in from governments around the world to fund Ukraine’s defensive efforts and to replace critical infrastructure, the country is turning to private donors to help replace its citizens’ wrecked homes. Using United24, Kyiv’s official crowdfunding platform, the government is hoping to show its supporters what’s been lost and what might be rebuilt.

As part of the crowdfunding campaign, supporters can explore a map of homes that are in need of repair. Each address features a 3D rendering of the home before it was damaged in the war. It also includes personal stories from the building’s former residents and testimonials about their desire to return. Some even include a livestream of the construction in progress.

One, in Irpin, is a nine-storey apartment building whose 390 residents were forced to abandon their homes after the structure was shelled by a Russian tank, which “would aimlessly shoot” at the building, according to the crowdfunding page. Photos of the damage to the exterior are bad, a former resident told United24: “It is even worse to see these completely destroyed and burnt apartments live.”

Another, a brutalist apartment block in Borodianka, was devastated by air strikes and mortar shells—some of its residents stayed in the building through the frigid Ukrainian winter, having repaired a hole in the wall themselves.

In Hostomel, a huge apartment building was damaged by a Russian missile before being occupied by the invading soldiers. The Russians mined the area before leaving, according to Kyiv. Alyona, a former resident, explained in a statement supplied by United24 that she hasn’t given up on it: “Despite everything, this is the house in which we lived happily with our husband and children.”

The new fundraising appeal comes amid a certain “tiredness” from donors, as Ukraine’s finance minister put it. Yaroslava Gres, United24’s main coordinator, says overcoming that fatigue is his mission. “We ask ourselves: What will motivate them to keep standing with Ukraine?” he tells WIRED.

Gres says he hopes that letting prospective donors see the homes they will help rebuild, and hear from the people who want to return home, will inspire the support to keep coming. “Storytelling gives our donors an opportunity to feel complicity with the specific people they support, as well as with the specific targets they help rebuild,” he says.

The 3D renderings come via LUN, a Ukrainian realty website that partnered with United24 for the project. The company dispatched photographers, equipped with drones, to buildings across the country. The footage is used to create a digital replica of a damaged building. From there, its architects plot the reconstruction of the building.

“We have been digitizing the future for years, modeling how cities can develop, and how new buildings can be built,” a LUN spokesperson tells WIRED. “It was difficult to see destruction instead; to look through hundreds of photos of the damage dealt and depict everything as is.”

Video: United24

These 3D renderings will also be made available through augmented reality, letting users picture the buildings through their phone camera or AR headset.

The logistics behind rebuilding Ukraine’s civil infrastructure is going to be enormous and complicated. In a presentation delivered in May, Maksym Smilianets—co-owner of Ukrainian internet service provider Viner—highlighted the magnitude of the problem they face in rebuilding and reconnecting the country. The air strikes and shelling did an enormous amount of damage to the telecommunications infrastructure, he explained. Hundreds of kilometers of fiber-optic cable have already been laid to repair that destruction.

In the areas currently under Russian control, the invading army quickly switched the connection to the Moscow-controlled internet. “They rebuilt the connections and stole our equipment,” Smilianets’ presentation explained. In the liberated parts of Ukraine, repair crews found boobytraps inside the telecommunications infrastructure, he said. “They did everything possible for total disconnection.”

Even as ISPs like Smilianets’ Viner work to rebuild the shared infrastructure of Ukraine, once one of the best-connected countries in Europe, there will be enormous work required to reconnect each damaged home and apartment block across the country. That “last mile” will likely require hundreds of kilometers more fiber-optic cable.

“No one has the power to cleanse the depths of human nature from the evil that sometimes rises to the surface and destroys and kills,” Ukrainian president Voldomyr Zelensky told the Ukraine Recovery Conference held in London this past June. “But you and I, and right now, we are able to protect life and overcome the ruins.”

Ukraine Is Crowdfunding Its Reconstruction

Videos featuring Elijah Wood, Mike Tyson, and Priscilla Presley have been edited to push anti-Ukraine disinformation, according to Microsoft researchers.

For around $340, actor Elijah Wood can record you a personalized video wishing you happy birthday. John McGinley, best known for his role in medical TV show _Scrubs_, will give you a lengthy pep talk for around $475. Priscilla Presley will record a clip talking about everything from Christmas shopping to Graceland for around $200.

These celebrities all use the video-sharing platform Cameo to quickly snap homemade videos for fans who pay them for the honor. They can be seen celebrating anniversaries, lightly roasting people, or offering advice. This summer, however, some videos have been weaponized by an unknown Russian group, which has crudely edited the clips and used them as part of its wide-ranging information warfare tactics against Ukraine.

At least seven seemingly unaware celebrities, including those listed above, have had their Cameo videos manipulated by pro-Russian actors to appear as if they are criticizing Ukrainian president Volodymyr Zelensky, according to new Microsoft research published today. The altered Cameo videos were shared on social media then heavily reported on by Russian government-owned or controlled newspapers and TV channels, the research says.

The videos started appearing in July and follow similar patterns. “It's at a regular interval,” says Clint Watts, the general manager of Microsoft Threat Analysis Center, which published the research in an update on Russian information and cyber activities. “It's a different actor or actress popping up saying a very similar script,” Watts says.

The videos often see the celebrity talking to “Vladimir” and saying they should get help with possible substance abuse. The videos are later edited to appear as if the celebrity were addressing Ukrainian president Volodymyr Zelensky—the Kremlin has consistently pushed disinformation calling Zelensky an addict. The videos can have emoji, links, and social handles added to them before they are shared on social media.

The seven celebrities Microsoft highlights are actors Elijah Wood, John McGinley, Dean Norris, Kate Flannery, and Priscilla Presley; musician Shavo Odadjian; and boxer Mike Tyson. There is no suggestion that the celebrities knew their videos would be edited or manipulated in this way.

“I just want to make sure you are getting help,” Wood, the former _Lord of the Rings_ actor, appears to say in the video. The manipulated video has a Ukrainian flag, a social media handle for Zelensky, and a link to a drug and alcohol research center, and has been made to look like it appeared on Instagram. The video has several jarring cuts throughout and is evidently altered. “I hope you get the help that you need. Lots of love, Vladimir, take care,” Wood seemingly says at the end of the footage. In another video, Kate Flannery, who starred in _The Office_, appears to say, “You need to go to the rehab,” and that Vladimir deserves a good life.

Over the past decade, Russian disinformation efforts have evolved to keep up with the current web trends, Watts says. Around the 2016 US elections, pro-Russian accounts were sharing their messages using blog post links. Watts says that the Cameo videos did not appear to have reached a wide audience, but the effort was “novel” and part of Russia’s ever-changing tactics. “It’s very hard to influence if you’re not in video, in the current era,” Watts says, adding that the Cameo videos were not edited to a high quality.

“The request was submitted through Cameo and was in no way intended to be addressed to Zelensky or have anything at all to do with Russia or Ukraine or the war,” says a representative for Elijah Wood. A spokesperson for boxer Mike Tyson says the video of him is “false” and he does not produce such content. “Anything outside of his usual lighthearted Cameo videos \[is\] being altered,” the representative says. Representatives for other celebrities in the Cameo videos did not immediately respond to requests for comment or could not be reached ahead of publication.

Brandon Kazimer, a spokesperson for Cameo, says it is the company’s policy not to comment on any trust and safety investigations. However, Kazimer says the kind of videos described in the research would violate the company’s community guidelines, and “Cameo will typically take steps to remove the problematic content and suspend the purchaser's account to help prevent further issues.”

Additional analysis of the Cameo videos shows how they spread through Russian government-owned or backed media outlets. Antibot4Navalny, an anonymous Russia-based disinformation research group, looked at mentions of the seven celebrities and the videos and found they appeared dozens of times in Russian media, which is largely state-backed or owned.

An Antibot4Navalny member, who was not involved in the Microsoft research, says it appears that one celebrity was targeted each week for nearly two months. The researcher says that Priscilla Presley’s video was mentioned on one of the biggest “prime-time political talk shows” in Russia. The “widest coverage, as measured by number of major media agencies mentioning \[them\], was received by John McGinley,” the researcher says. This included news service RT, which is sanctioned in Europe. They add that Russian fact-checking website Provereno has debunked several of the videos.

The Cameo videos are not the first time that pro-Russian actors have used celebrities to try and push their messages. This week, WIRED revealed how a notorious Russian disinformation effort called Doppelganger, which has links to Russian military intelligence, has been using images of celebrities, including Taylor Swift, Beyoncé, Oprah, Justin Bieber, and Cristiano Ronaldo, to promote anti-Ukraine messages on social media. The efforts reached more than 7.6 million people on Facebook in November, according to an analysis of ads on the platform.

The Antibot4Navalny researcher says people trust well-known, public figures, even if they are not an expert on a subject area. “This is exactly what is exploited by Russian media domestically, and in a quite similar way by Doppelganger operators targeting other countries,” the researcher says. “If you are out of experts saying what you need, just use a video footage (or a photo) with whoever looks familiar, and add subtitles, voiceover, or a written ‘quote,’ with whatever talking points you are seeking to amplify.”

“When the Russians are particularly successful is when they're quick and tied to current events and news stories,” says Microsoft’s Watts. In recent weeks, researchers, including those at Microsoft, have linked some disinformation about the Israel–Hamas war to Russian actors trying to capitalize on the moment. Videos faking news reports from the BBC and Bellingcat have been posted on Russian Telegram channels in the past two months. The videos, according to researchers, include false quotes attributed to Bellingcat founder Eliot Higgins and use a similar style to the BBC. The videos push messages incorrectly claiming that Ukraine is selling weapons to Hamas.

Most of the Russian narratives highlighted by recent research focus on discrediting Ukraine and its leadership as Russia’s full-scale war enters its second winter. However, next year, dozens of countries—including the US, EU, and UK—are set to hold elections. As this happens, Russian influence operations may also change course. Microsoft’s Watts says he expects that by March, one of the biggest concerns will be whether Russian malicious actors, including hacker groups, are targeting more European and North American targets to potentially conduct “hack and leak operations to drive narratives around any sort of political warfare that they want to pursue.”

Elijah Wood and Mike Tyson Cameo Videos Were Used in a Russian Disinformation Campaign

Mark Zuckerberg personally promised that the privacy feature would launch by default on Messenger and Instagram chat. WIRED goes behind the scenes of the company’s colossal effort to get it right.

Since 2016, the social behemoth now known as Meta has been working to deploy end-to-end encryption in its communication apps. CEO Mark Zuckerberg even promised in 2019 that the data privacy protection would roll out by default across all of the company's chat apps. In practice, though, it was a wildly ambitious goal fraught with technical and political challenges, and Meta has only been able to move toward it in gradual, incremental steps. But this week the company is finally starting its full rollout.

“It's been a wild ride," says Jon Millican, a software engineer within Meta's messenger privacy team. “I suspect this is the first time that something’s been end-to-end encrypted with all of the constraints that we’re working with. It’s not just that we’re migrating people’s data, but it’s actually that we're having to fundamentally change a bunch of the assumptions that they work with when they’re using the product.”

Meta has had to stake out a position as a committed proponent of end-to-end encryption amid pressure from law enforcement and victim advocacy groups that the privacy feature—which makes data unintelligible everywhere except on the devices of the sender and recipient—limits necessary oversight and impedes crucial police investigations. Meanwhile, the company has spent the past four years, not to mention the better part of a decade, developing the technology to retrofit two massive communication platforms—Messenger and Instagram chat—such that they could still offer the features and general experience users expect under the technical constraints and usability challenges of end-to-end encryption.

“I understand that many people don't think Facebook can or would even want to build this kind of privacy-focused platform—because frankly, we don't currently have a strong reputation for building privacy-protective services, and we've historically focused on tools for more open sharing,” Zuckerberg memorably wrote in his 2019 treatise. But he added that there was a clear desire from users to have access to private and secure encrypted communication services. “This is the future I hope we will help bring about,” he wrote.

Meta says that it will take some time for the rollout of full default end-to-end encryption to reach all Messenger and Instagram chat users, and the feature is still only launching for direct messages between two accounts. End-to-end encryption for group chats will continue to be opt-in for now. But these final delays have to do with gradually converting billions of accounts to run the cryptography and encrypted storage schemes that underly the effort. And while the infrastructure is new and had to be painstakingly tailored to Meta's services, the company says it built the system on the Signal Protocol and thoroughly vetted the implementation both internally and with independent experts. In the lead-up to this announcement, the company did a final round of outreach to privacy groups and cryptographers to show them the documentation and have them test the feature.

“It looks just like Messenger, except that under the hood it has really strong encryption,” says Matt Green, a Johns Hopkins cryptographer who previewed the launch a few weeks ago. “Getting things to work on the web seems like it was the hard part, but they pulled it off.”

The challenge of building end-to-end encrypted services has to do with the fact that such systems inherently blind the servers that enable them to the activity they are facilitating. In other words, these systems have to somehow stand in the hallway on the first day of school and tell each student which classes to go to and how to get there without knowing who any of the kids are or what their course schedule is.

This especially poses challenges for syncing people's messages across multiple devices or repopulating their messages on a new device. Some encrypted chat apps like Signal address this issue by storing all your messages locally on your device and then providing a tool that helps you transfer that data trove from one device to the next over Bluetooth when you, say, get a new phone and want to switch everything over. This approach doesn't preserve your history if you lose the device where the data is saved, and many users around the world don't have resources or access to devices with enough storage space to preserve messages locally. People may want to auto-delete messages anyway, but for users who want to save their history, such schemes can be impractical.

With these considerations in mind, Meta engineers developed an encrypted storage protocol, dubbed Labyrinth, that allows the company to store users' chat histories and other communication data on its servers for ease of use, but in a form that is always encrypted and inaccessible to the company.

“There are two things users will experience” in the transition, Gail Kent, Messenger's global policy director, tells WIRED. “They will be asked to create secure storage and create a pin that will then enable them to add the data and the messages onto other devices and restore if they lose their device. Yet nobody apart from them has access to that message content. It seems like a tiny thing, but the innovation behind it is pretty extraordinary. And then the second thing that they’ll see is a line in their conversations that says this message is now end-to-end encrypted. And when they start a new conversation, it will say that at the start of the conversation.”

Turning on end-to-end encryption for cloud services makes it harder for companies to assist their users with data recovery. It also requires thoughtful strategies for keeping systems usable while striking a balance with security. The challenge is one that companies like Apple have grappled with as well. Like many of its peers, Meta will offer multiple options for protecting and accessing Labyrinth secure storage, including setting a pin, storing a code in a third-party service like iCloud, or saving a 40-character recovery code.

Meta is also providing an option for people to use end-to-end encrypted communication without turning on secure storage at all if they want to store messages locally on one or all devices. Currently, the company isn't offering a mechanism to transfer this local data onto other devices. A core component of Labyrinth, though, is what's known in cryptography as a “key rotation” system for revoking a device's access and keeping it from viewing or sending messages on an account if a user wants to remove it.

Meta's engineers have spent a huge amount of time over the past four years re-architecting more than 100 Messenger and Instagram chat features so they interoperate with end-to-end encryption and seem to function the same way they always have—even if they're working differently on a technical level under the hood. Extra features like themes, custom reactions, and emojis are all preserved. The company also announced new features this week like the ability to edit a message and control whether other users see a read receipt once you've viewed a message.

Initial reactions to the launch have already begun to mirror the broader controversy around end-to-end encryption, with privacy advocates lauding the move and law enforcement and victim defense groups, particularly those that aim to address online child sexual abuse, condemning the step. After years of receiving both sympathy and criticism about the scale and scope of the project, though, Meta is finally, really taking the plunge.

“The technical complexity was just extraordinary, and it's even more complex when you are doing it for well over a billion users who don’t stop using the app to let you re-create it,” Meta's Kent says. But at the same time, she adds, “we’re increasing the security, safety, and privacy for well over a billion people, and that’s a pretty amazing feat.”

End-to-End Encrypted Instagram and Messenger Chats: Why It Took Meta 7 Years

Binance’s settlement requires it to offer years of transaction data to US regulators and cops, exposing the company—and its customers—to a “24/7, 365-days-a-year financial colonoscopy.”

One attraction of Binance, as the company grew from its 2017 founding into the biggest cryptocurrency exchange in the world, was the firm's freewheeling flouting of rules. As it amassed well over 100 million crypto-trading users globally, it openly told the United States government that, as an offshore operation, it didn't have to comply with the country's financial regulations and money-laundering laws.

Then, late last month, those years of brushing off US regulators caught up with the company in the form of one the most punitive money-laundering criminal settlements in the history of the US Justice Department. The crackdown doesn't just mean a chastened Binance will have to change its practices going forward. It means that when the company is sentenced in a matter of months, it will be forced to open its _past_ books to regulators, too. What was once a haven for anarchic crypto commerce is about to be transformed into the opposite: perhaps the most fed-friendly business in the cryptocurrency industry, retroactively offering more than a half-decade of users' transaction records to US regulators and law enforcement.

When the Department of Justice announced on November 21 that Binance's executives had agreed to plead guilty to criminal money-laundering charges, much of the attention on that settlement focused on founder Changpeng Zhao giving up his CEO role and on the company's record-breaking $4.3 billion fine. But Binance's settlement agreements with the DOJ and the US Treasury Department also stipulate a strict new regime of data-sharing with law enforcement and regulators. The company has agreed to comply with regulators' "requests for information"—a term that carries none of the evidence or suspicion requirements necessary for obtaining a warrant or even a subpoena—to the point of producing any "information, testimony, document, record, or other tangible evidence."

Binance has also agreed to scour all of its transactions from 2018 to 2022 and file suspicious activity reports (SARs) for anything it deems a potential violation of US law from that five-year period. That “SAR lookback” means the company will now be actively scrutinizing its customers in retrospect, not just passively assenting to regulators poring over its databases. Those SARs are collected by FinCEN, the Treasury Department's financial crimes division, but then made available to law enforcement agencies from the FBI to IRS Criminal Investigations to local police. And all of this new scrutiny will be overseen by a "monitor" firm chosen by the US government but paid by Binance—an in-house watchdog assigned to make sure Binance is complying in good faith.

"I don't think Binance's customers have the slightest clue of the ramifications of this plea and consent decree. It's unprecedented," says John Reed Stark, who spent 20 years as an attorney at the US Securities and Exchange Commission (SEC), including as the founder of its Office of Internet Enforcement. “If they're a drug dealer or a terrorist or a child pornography peddler, they're going to get caught." He describes Binance's agreement as a "24/7, 365-days-a-year financial colonoscopy."

One US prosecutor, who asked not to be named because they weren't authorized to speak to media about the case, calls the degree of access to Binance's records described in the agreement "kind of crazy," and remains in disbelief at the idea of Binance abiding by the settlement. "I don't know what kind of business would want to operate while allowing that much government oversight, especially one that's deliberately stayed out of the US so that they're not under our nose," they say. "The other option must have been really bad."

If Binance does comply, however, the prosecutor adds that "it would be a game changer in taking down transnational syndicates doing evil deeds worldwide and trying to shield those crimes by using cryptocurrency to move money."

Binance's chief compliance officer, Noah Perlman, tells WIRED that Binance has collected "know-your-customer" information on users and cooperated with US law enforcement on data requests for the past two years. He added that all reports to the monitor firm inside Binance would be "confidential"—as in, not shared publicly, only with the US government—and that it would continue to abide by data privacy laws in the jurisdictions where it operates.

But Perlman also says he's "excited" for the new era the agreements represent for Binance. "I feel like this is a great opportunity for Binance to set the standard for what compliance in this industry should look like," he says. "For the general community, removing concerns of illicit finance in crypto is one of the most important things we can do to drive mainstream adoption. Hopefully, the vast majority of users will feel that there's assurance here, that the funds are safer than ever, and they have nothing to worry about as long as they're not part of the very small, small group of users that use crypto for illicit purposes."

While Binance's new radical transparency may be welcomed by law enforcement and regulators, its users and advocates of financial privacy may not be so pleased. Human Rights Foundation chief strategy officer Alex Gladstein calls the settlement an "overreach" that he believes is part of a US regulatory effort to set a precedent for crypto as a whole. “They’re going to try to force people to use these regulated platforms where everything is monitorable," Gladstein says. He adds that Binance is "an unsavory corporation, but still, it's alarming what the US government is doing."

Digital civil liberties nonprofit the Electronic Frontier Foundation, too, has historically called on cryptocurrency exchanges to stop giving up users' transaction data to law enforcement and regulators without notifying those users. Now, the Binance settlement would create perhaps the most extreme case yet of that crypto exchange data-sharing, giving the US government wholesale access to the records of a crypto hub that at some points processed billions of transactions a day.

"EFF is increasingly worried about law enforcement turning to intermediaries such as cryptocurrency exchanges and hosted wallet providers to obtain sensitive user data," the EFF's cryptocurrency-focused attorney, Marta Belcher, wrote in a 2020 blog post. "The fact that the transactions are made through cryptocurrency rather than through traditional financial channels indicates that the transactions are more likely to be sensitive, and that the person making the transaction may be turning to cryptocurrency precisely because of the privacy protection it provides." That argument may apply particularly to Binance, given its early reputation as an offshore exchange that didn't bow to US government data demands.

In fact, some Binance users may not have considered the risk of their data becoming available to crypto investigators in the new settlement, in part because Binance has at some points collected far _less_ data on its users than other exchanges. Part of Binance's appeal to users has been that, for years, it asked only for a user's email address to set up an account—one of its many now-admitted violations of US know-your-customer requirements that led to last month's crackdown.

But US law enforcement has proven that even troves of exchange data that lack users' names can nonetheless be highly revealing of their financial history—especially in combination with blockchain data and information from other exchanges that usually _do_ comply with know-your-customer laws. In the case of the Welcome to Video child sexual abuse materials dark-web site in 2017, for instance, one alleged abuser was identified and arrested after his email address was tied to an account on the cryptocurrency exchange BTC-e, which authorities had seized months earlier.

In another case, BTC-e's data allowed IRS criminal investigators to identify a hacker who had taken nearly 70,000 bitcoins from the Silk Road dark-web drug market—worth more than $3 billion today—and then track them down and seize the funds. Though BTC-e didn't collect users' names or other identifying details, its data still served as the missing link in both those cases—just as Binance's no doubt will in many more investigations to come.

Assenting to have US regulators comb through its data, for a company that spent years resisting regulation, may be a severe culture shock, says Stark, the former SEC attorney. He says he won't be surprised if the company ends up violating the terms of the agreement. "It's like taking someone who's been a drug addict for a decade and drug-testing them every day and thinking that they're not going to try to sneak something in," he says.

Ultimately, with enormous fines and criminal sentences hanging over the heads of its executives—and worse punishments if its settlement falls through—Binance may not have a choice about baring its soul to the US government. Neither, whether they know it or not, will its users.

The Binance Crackdown Will Be an 'Unprecedented' Bonanza for Crypto Surveillance

Governments can access records related to push notifications from mobile apps by requesting that data from Apple and Google, according to details in court records and a US senator.

If you have push notifications turned on for sensitive apps, you may want to reconsider your settings.

The United States government and foreign law enforcement can demand Apple and Google share metadata associated with push notifications from apps on iOS and Android, according to a US senator and court records reviewed by WIRED. These notifications can reveal which apps a person uses, along with other information that may be pertinent to law enforcement investigations.

US Senator Ron Wyden, an Oregon Democrat, highlighted the government surveillance technique in a letter sent to the US Department of Justice (DOJ) today. Wyden is specifically asking the DOJ to allow Apple and Google to discuss government requests for push notification records with their users, which Wyden says the US government has required them to keep secret thus far.

“In the spring of 2022, my office received a tip that government agencies in foreign countries were demanding smartphone ‘push’ notification records from Google and Apple,” Wyden wrote in the letter, which was first reported by Reuters. “My staff have been investigating this tip for the past year, which included contacting Apple and Google. In response to that query, the companies told my staff that information about this practice is restricted from public release by the government.”

App developers deliver push notifications using Apple’s Push Notification Service on iOS or Google’s Firebase Cloud Messaging on Android. Each user of an app is assigned a “push token,” which is transferred between the app and the mobile operating system’s push notification service. Push tokens are not permanently assigned to a single user, and new tokens may be generated when a person reinstalls an app or switches to a new device.

To identify a person of interest and whom they may have been communicating with, law enforcement must first go to an app developer to obtain the relevant push token and then bring it to the operating system maker—Apple or Google—and request information on which account the token is associated with. This puts the tech giants in “a unique position to facilitate government surveillance of how users are using particular apps,” Wyden writes.

According to Wyden, the records that governments can obtain from Apple and Google include metadata that reveals which apps a person has used, when they’ve received notifications, and the phone associated with a particular Google or Apple account. The content of push notifications is not included in this information, but, for at least some apps, law enforcement could obtain information about the content of specific pushes through additional requests based on the information from the push tokens.

While Wyden’s letter says that governments outside the US have requested people’s push notification records, the Federal Bureau of Investigation (FBI) has done so as well. A February 2021 search warrant application submitted by an FBI agent to the US District Court in Washington, DC, requested details for two accounts controlled by Meta (then Facebook), specifically citing a request for push notification tokens. The search warrant request related to an investigation into a person accused of taking part in the January 6, 2021, attack on the US Capitol.

Meta, which owns Facebook, WhatsApp, and Instagram, did not immediately respond to WIRED’s request to comment. A spokesperson for Signal, the popular encrypted messaging app, also did not respond. The DOJ declined to comment.

Although Wyden is asking the DOJ to allow Apple and Google to discuss government requests for push notification records, the senator’s letter appears to have enabled them to do just that.

An Apple spokesperson tells WIRED that the company has updated its Law Enforcement Guidelines in its transparency report to reflect government requests for push notification records. The company will also begin to detail these requests in its next transparency report. Apple's updated rules for police requests say push notification records “may be obtained with a subpoena or greater legal process.”

“Apple is committed to transparency and we have long been a supporter of efforts to ensure that providers are able to disclose as much information as possible to their users,” Apple says in a statement. “In this case, the federal government prohibited us from sharing any information and now that this method has become public we are updating our transparency reporting to detail these kinds of requests.”

Google confirmed to WIRED that it receives requests for push notification records, but the company says it already includes these types of requests in its transparency reports. The company says requests from US-based law enforcement for push notification records require court orders with judicial approval.

“We were the first major company to publish a public transparency report sharing the number and types of government requests for user data we receive, including the requests referred to by Senator Wyden,” a Google spokesperson tells WIRED. “We share the senator’s commitment to keeping users informed about these requests.”

A WIRED review of Google’s most recent transparency report for the period between December 2019 and December 2022 found that it does not specifically break out government requests for push notification records, and Google confirmed that it aggregates this data in its transparency report.

Google’s transparency report shows that the US government requested Google Cloud Platform data from enterprise customers 175 times during the period, and of those, used a search warrant 13 times. It is unclear whether any of those requests for user data included push notification records—details that may, following Wyden’s letter, be revealed in the future.

_Additional reporting by William Turton and Dhruv Mehrotra._

_Updated at 1:30 pm ET, December 6, 2023, to note that the DOJ has declined to comment on Wyden's letter and to add additional details about Apple's updated rules for law enforcement regarding requests for push notification records._

_Updated at 3:50 pm ET, December 6, 2023, to add details about Google's legal requirement for law enforcement requests for push notification records._

Police Can Spy on Your iOS and Android Push Notifications

23andMe has provided more information about the scope and scale of its recent breach, but with these details come more unanswered questions.

More details are emerging about a data breach the genetic testing company 23andMe first reported in October. But as the company shares more information, the situation is becoming even murkier and creating greater uncertainty for users attempting to understand the fallout.

23andMe said at the beginning of October that attackers had infiltrated some of its users' accounts and piggybacked off of this access to scrape personal data from a larger subset of users through the company's opt-in, social sharing service known as DNA Relatives. At the time, the company didn't indicate how many users had been impacted, but hackers had already begun selling data on criminal forums that seemed to be taken from at least a million 23andMe users, if not more. In a US Securities and Exchange Commission filing on Friday, the company said that “the threat actor was able to access a very small percentage (0.1 %) of user accounts,” or roughly 14,000 given the company's recent estimate that it has more than 14 million customers.

Fourteen thousand is a lot of people in itself, but the number didn't account for the users impacted by the attacker's data-scraping from DNA Relatives. The SEC filing simply noted that the incident also involved “a significant number of files containing profile information about other users’ ancestry.”

On Monday, 23andMe confirmed to TechCrunch that the attackers collected the personal data of about 5.5 million people who had opted in to DNA Relatives, as well as information from an additional 1.4 million DNA Relatives users who “had their Family Tree profile information accessed." 23andMe subsequently shared this expanded information with WIRED as well.

From the group of 5.5 million people, hackers stole display names, most recent login, relationship labels, predicted relationships, and percentage of DNA shared with DNA Relatives matches. In some cases, this group also had other data compromised, including ancestry reports and details about where on their chromosomes they and their relatives had matching DNA, self-reported locations, ancestor birth locations, family names, profile pictures, birth years, links to self-created family trees, and other profile information. The smaller (but still massive) subset of 1.4 million impacted DNA Relatives users specifically had display names and relationship labels stolen and, in some cases, also had birth years and self-reported location data affected.

Asked why this expanded information wasn't in the SEC filing, 23andMe spokesperson Katie Watson tells WIRED that “we are only elaborating on the information included in the SEC filing by providing more specific numbers.”

23andMe has maintained that attackers used a technique known as credential stuffing to compromise the 14,000 user accounts—finding instances where leaked login credentials from other services were reused on 23andMe. In the wake of the incident, the company forced all of its users to reset their passwords and began requiring two-factor authentication for all customers. In the weeks after 23andMe initially disclosed its breach, other similar services. including Ancestry and MyHeritage, also began promoting or requiring two-factor authentication on their accounts.

In October and again this week, though, WIRED pressed 23andMe on its finding that the user account compromises were attributable solely to credential-stuffing attacks. The company has repeatedly declined to comment, but multiple users have noted that they are certain their 23andMe account usernames and passwords were unique and could not have been exposed somewhere else in another leak.

On Tuesday, for example, US National Security Agency cybersecurity director Rob Joyce noted on his personal X (formerly Twitter) account: “They disclose the credential stuffing attacks, but they don’t say how the accounts were targeted for stuffing. This was unique and not an account that could be scraped from the web or other sites.” Joyce, who was apparently a 23andMe user impacted by the breach, wrote that he creates a unique email address for each company he makes an account with. “That account is used NOWHERE else and it was unsuccessfully stuffed,” he wrote, adding: “Personal opinion: @23andMe hack was STILL worse than they are owning with the new announcement.”

23andMe has not clarified how such accounts can be reconciled with the company's disclosures. Furthermore, it may be that the larger numbers of impacted users were not in the SEC report because 23andMe (like many companies that have suffered security breaches) does not want to include _scraped_ data in the category of _breached_ data. These inconsistencies, though, ultimately make it difficult for users to grasp the scale and impact of security incidents.

“I firmly believe that cyber-insecurity is fundamentally a policy problem,” says Brett Callow, a threat analyst at the security firm Emsisoft. “We need standardized and uniform disclosure and reporting laws, prescribed language for those disclosures and reports, regulation and licensing of negotiators. Far too much happens in the shadows or is obfuscated by weasel words. It's counterproductive and helps only the cybercriminals.”

Meanwhile, apparent 23andMe user Kendra Fee flagged on Tuesday that 23andMe is notifying customers about changes to its terms of service related to dispute resolutions and arbitration. The company says that the changes will “encourage a prompt resolution of any disputes” and “streamline arbitration proceedings where multiple similar claims are filed.” Users can opt out of the new terms by notifying the company that they decline within 30 days of receiving notice of the change.

Source

Wired