Former Google chief Eric Schmidt thinks the US Army should expunge "useless" tanks and replace them with AI-powered drones instead. From a report: Speaking at the Future Investment Initiative in Saudi Arabia this week, he said: "I read somewhere that the US had thousands and thousands of tanks stored somewhere," adding, "Give them away. Buy a drone instead."

The former Google supremo's argument is that recent conflicts, such as the war in Ukraine, have demonstrated how "a $5,000 drone can destroy a $5 million tank." In fact, even cheaper drones, similar to those commercially available for consumers, have been shown in footage on social media dropping grenades through the open turret hatch of tanks. Schmidt, who was CEO of Google from 2001 to 2011, then executive chairman to 2015, and executive chairman of Alphabet to 2018, founded White Stork with the aim of supporting Ukraine's war effort. It hopes to achieve this by developing a low-cost drone that can use AI to acquire its target rather than being guided by an operator and can function in environments where GPS jamming is in operation.

Notably, Schmidt also served as chair of the US government's National Security Commission on Artificial Intelligence (NSCAI), which advised the President and Congress about national security and defense issues with regard to AI. "The cost of autonomy is falling so quickly that the drone war, which is the future of conflict, will get rid of eventually tanks, artillery, mortars," Schmidt predicted.

With Windows 10 support set to expire on October 14, 2025, Microsoft is offering a one-time, one-year Extended Security Updates plan for consumers. "For $30, you'll receive 'critical' and 'important' security updates -- basically security patches that will continue to protect your Windows 10 PC from any vulnerabilities," reports PCWorld. "That $30 is for one year's worth of updates, and that's the only option at this time." From the report: Microsoft has been warning users for years that Windows 10 support will expire in 2025, specifically October 14, 2025. At that point, Windows 10 will officially fall out of support: there will be no more feature updates or security patches. On paper, that would mean that any Windows 10 PC will be at risk of any new vulnerabilities that researchers uncover.

Previously, Microsoft had quietly hinted that consumers would be offered the same ESU protections offered to businesses and enterprises, as it did in December 2023 and again in an "editor's note" shared in an April 2024 support post, in which the company said that "details will be shared at a later date for consumers." That time is now, apparently.

Back in December 2023, Microsoft offered the ESU on an annual basis to businesses for three years, one year at a time. The fees would double each year, charging businesses hundreds of dollars for the privilege. Consumers won't be offered the same deal, as a Microsoft representative said via email that it'll be a "one-time, one-year option for $30."

Canada's Communications Security Establishment (CSE) revealed a sustained cyber campaign by the People's Republic of China, targeting Canadian government and private sector networks over the past five years. The report also flagged India, alongside Russia and Iran, as emerging cyber threats. The Register reports: The biennial National Cyber Threat Assessment described the People's Republic of China's (PRC) cyber operations against Canada as "second to none." Their purpose is to "serve high-level political and commercial objectives, including espionage, intellectual property (IP) theft, malign influence, and transnational repression." Over the past four years, at least 20 networks within Canadian government agencies and departments were compromised by PRC cyber threat actors. The CSE assured citizens that all known federal government compromises have been resolved, but warned that "the actors responsible for these intrusions dedicated significant time and resources to learn about the target networks."

The report also alleges that government officials -- particularly those perceived as being critical of the Chinese Communist Party (CCP) -- were attacked. One of those attacks includes an email operation against members of Interparliamentary Alliance on China. The purpose of the cyber attacks is mainly to gain information that would lead to strategic, economic, and diplomatic advantages. The activity appears to have intensified following incidents of bilateral tension between Canada and the PRC, after which Beijing apparently wanted to gather timely intelligence on official reactions and unfolding developments, according to the report. Canada's private sector is also in the firing line, with the CSE suggesting "PRC cyber threat actors have very likely stolen commercially sensitive data from Canadian firms and institutions." Operations that collect information that could support the PRC's economic and military interests are priority targets.

For months, the Colorado Department of State inadvertently exposed partial passwords for voting machines in a public spreadsheet. "While the incident is embarrassing and already fueling accusations from the state's Republican party, the department said in a statement that it 'does not pose an immediate security threat to Colorado's elections, nor will it impact how ballots are counted,'" reports Gizmodo. From the report: Colorado NBC affiliate station 9NEWS reported that Hope Scheppelman, vice chair of the state's Republican party, revealed the error in a mass email sent Tuesday morning, which included an affidavit from a person who claimed to have downloaded the spreadsheet and discovered the passwords by clicking a button to reveal hidden tabs.

In its statement, the Department of State said that there are two unique passwords for each of its voting machines, which are stored in separate places. Additionally, the passwords can only be used by a person who is physically operating the system and voting machines are stored in secure areas that require ID badges to access and are under 24/7 video surveillance.

"The Department took immediate action as soon as it was aware of this, and informed the Cybersecurity and Infrastructure Security Agency, which closely monitors and protects the [country's] essential security infrastructure," The department said, adding that it is "working to remedy this situation where necessary." Colorado voters use paper ballots, ensuring that a physical paper trail that can be used to verify results tabulated electronically.

Canada is bracing for Indian government-backed hacking as the two nations' diplomatic relationship nosedives to its lowest ebb in a generation. From a report: "We judge that official bilateral relations between Canada and India will very likely drive Indian state-sponsored cyber threat activity against Canada," the Canadian Centre for Cyber Security said in its annual threat report published Wednesday, adding that such hackers are probably already conducting cyber-espionage.

This month, Prime Minister Justin Trudeau's cabinet and Canadian police have ramped up a remarkable campaign of public condemnations against India, accusing Narendra Modi's officials of backing a wave of violence and extortion against Canadians on Canadian soil -- particularly those who agitate for carving out a separate Sikh state in India called Khalistan. India has rejected the accusations and believes some Khalistan activists to be terrorists harbored by Canada.

An anonymous reader shares a report: A disgruntled former Disney employee allegedly repeatedly hacked into a third-party menu creation software used by Walt Disney World's restaurants and changed allergy information on menus to say that foods that had peanuts in them were safe for people with allergies, added profanity to menus, and at one point changed all fonts used on menus to Wingdings, according to a federal criminal complaint.

The suspect in the case, Michael Scheuer, broke into a proprietary menu creation and inventory system that was developed by a third-party company exclusively for Disney and is used to print menus for its restaurants, the complaint alleges. The complaint alleges he did this soon after being fired by Disney using passwords that he still had access to on several different systems. Once inside the systems, he allegedly altered menus and, in once case, broke the software for several weeks.

"The threat actor manipulated the allergen information on menus by adding information to some allergen notifications that indicated certain menu items were safe for individuals with peanut allergies, when in fact they could be deadly to those with peanut allergies," the criminal complaint states. According to the complaint, the menus were caught by Disney after they were printed but before they were distributed to Disney restaurants. Disney's menus have extensive "allergy friendly" sections.

GitHub Copilot will switch from using exclusively OpenAI's GPT models to a multi-model approach, adding Anthropic's Claude 3.5 Sonnet and Google's Gemini 1.5 Pro. Ars Technica reports: First, Anthropic's Claude 3.5 Sonnet will roll out to Copilot Chat's web and VS Code interfaces over the next few weeks. Google's Gemini 1.5 Pro will come a bit later. Additionally, GitHub will soon add support for a wider range of OpenAI models, including GPT o1-preview and o1-mini, which are intended to be stronger at advanced reasoning than GPT-4, which Copilot has used until now. Developers will be able to switch between the models (even mid-conversation) to tailor the model to fit their needs -- and organizations will be able to choose which models will be usable by team members.

The new approach makes sense for users, as certain models are better at certain languages or types of tasks. "There is no one model to rule every scenario," wrote [GitHub CEO Thomas Dohmke]. "It is clear the next phase of AI code generation will not only be defined by multi-model functionality, but by multi-model choice." It starts with the web-based and VS Code Copilot Chat interfaces, but it won't stop there. "From Copilot Workspace to multi-file editing to code review, security autofix, and the CLI, we will bring multi-model choice across many of GitHub Copilot's surface areas and functions soon," Dohmke wrote. There are a handful of additional changes coming to GitHub Copilot, too, including extensions, the ability to manipulate multiple files at once from a chat with VS Code, and a preview of Xcode support. GitHub also introduced "Spark," a natural language-based app development tool that enables both non-coders and coders to create and refine applications using conversational prompts. It's currently in an early preview phase, with a waitlist available for those who are interested.

Phoronix's Michael Larabel reports: CVE-2024-9632 was made public today as the latest security vulnerability affecting the X.Org Server. The CVE-2024-9632 security issue has been present in the codebase now for 18 years and can lead to local privilege escalation. Introduced in the X.Org Server 1.1.1 release back in 2006, CVE-2024-9632 affects the X.Org Server as well as XWayland too. By providing a modified bitmap to the X.Org Server, a heap-based buffer overflow privilege escalation can occur.

This security issue is within _XkbSetCompatMap() and stems from not updating the heap size properly and can lead to local privilege escalation if the server is run as root or as a remote code execution with X11 over SSH. You can read the security advisory announcement here.

French newspaper Le Monde found that the fitness app Strava can easily track confidential movements of foreign leaders, including U.S. President Joe Biden, and presidential rivals Donald Trump and Kamala Harris. The Independent reports: Le Monde found that some U.S. Secret Service agents use the Strava fitness app, including in recent weeks after two assassination attempts on Trump, in a video investigation released in French and in English. Strava is a fitness tracking app primarily used by runners and cyclists to record their activities and share their workouts with a community. Le Monde also found Strava users among the security staff for French President Emmanuel Macron and Russian President Vladimir Putin. In one example, Le Monde traced the Strava movements of Macron's bodyguards to determine that the French leader spent a weekend in the Normandy seaside resort of Honfleur in 2021. The trip was meant to be private and wasn't listed on the president's official agenda.

Le Monde said the whereabouts of Melania Trump and Jill Biden could also be pinpointed by tracking their bodyguards' Strava profiles. In a statement to Le Monde, the U.S. Secret Service said its staff aren't allowed to use personal electronic devices while on duty during protective assignments but "we do not prohibit an employee's personal use of social media off-duty." "Affected personnel has been notified," it said. "We will review this information to determine if any additional training or guidance is required." "We do not assess that there were any impacts to protective operations or threats to any protectees," it added. Locations "are regularly disclosed as part of public schedule releases."

In another example, Le Monde reported that a U.S. Secret Service agent's Strava profile revealed the location of a hotel where Biden subsequently stayed in San Francisco for high-stakes talks with Chinese President Xi Jinping in 2023. A few hours before Biden's arrival, the agent went jogging from the hotel, using Strava which traced his route, the newspaper found. The newspaper's journalists say they identified 26 U.S. agents, 12 members of the French GSPR, the Security Group of the Presidency of the Republic, and six members of the Russian FSO, or Federal Protection Service, all of them in charge of presidential security, who had public accounts on Strava and were therefore communicating their movements online, including during professional trips. Le Monde did not identify the bodyguards by name for security reasons.

Banks and regulators are warning that QR code phishing scams -- also known as "quishing" -- are slipping through corporate cyber defences and increasingly tricking customers into giving up their financial details. From a report: Lenders including Santander, HSBC, and TSB have joined the UK National Cyber Security Centre and US Federal Trade Commission among others to raise concerns about a rise in fraudulent QR codes being deployed for sophisticated fraud campaigns.

The new type of email scam often involves criminals sending QR codes in attached PDFs. Experts said the strategy is effective because the messages frequently get through corporate cyber security filters -- software that typically flags malicious website links, but often does not scan images within attachments. "The appeal for criminals is that it's bypassing all of the [cyber security] training and it's also bypassing our products," said Chester Wisniewski, a senior adviser at security software company Sophos.

When it comes to introducing liability for software products, "the EU and U.S. are taking very different approaches," according to Lawfare's cybersecurity newsletter. "While the U.S. kicks the can down the road, the EU is rolling a hand grenade down it to see what happens." Under the status quo, the software industry is extensively protected from liability for defects or issues, and this results in systemic underinvestment in product security. Authorities believe that by making software companies liable for damages when they peddle crapware, those companies will be motivated to improve product security... [T]he EU has chosen to set very stringent standards for product liability, apply them to people rather than companies, and let lawyers sort it all out.

Earlier this month, the EU Council issued a directive updating the EU's product liability law to treat software in the same way as any other product. Under this law, consumers can claim compensation for damages caused by defective products without having to prove the vendor was negligent or irresponsible. In addition to personal injury or property damages, for software products, damages may be awarded for the loss or destruction of data. Rather than define a minimum software development standard, the directive sets what we regard as the highest possible bar. Software makers can avoid liability if they prove a defect was not discoverable given the "objective state of scientific and technical knowledge" at the time the product was put on the market.

Although the directive is severe on software makers, its scope is narrow. It applies only to people (not companies), and damages for professional use are explicitly excluded. There is still scope for collective claims such as class actions, however. The directive isn't law itself but sets the legislative direction for EU member states, and they have two years to implement its provisions. The directive commits the European Commission to publicly collating court judgements based on the directive, so it will be easy to see how cases are proceeding.

Major software vendors used by the world's most important enterprises and governments are publishing comically vulnerable code without fear of any blowback whatsoever. So yes, the status quo needs change. Whether it needs a hand grenade lobbed at it is an open question. We'll have our answer soon.

SC World reports: Several major end-to-end encrypted cloud storage services contain cryptographic flaws that could lead to loss of confidentiality, file tampering, file injection and more, researchers from ETH Zurich said in a paper published this month.

The five cloud services studied offer end-to-end encryption (E2EE), intended to ensure files can not be read or edited by anyone other than the uploader, meaning not even the cloud storage provider can access the files. However, ETH Zurich researchers Jonas Hofmann and Kien Tuong Truong, who presented their findings at the ACM Conference on Computer and Communications Security (CCS) last week, found serious flaws in four out of the five services that could effectively bypass the security benefits provided by E2EE by enabling an attacker who managed to compromise a cloud server to access, tamper with or inject files.

The E2EE cloud storage services studied were Sync, pCloud, Seafile, Icedrive and Tresorit, which have a collective total of about 22 million users. Tresorit had the fewest vulnerabilities, which could enable some metadata tampering and use of non-authentic keys when sharing files. The other four services were found to have more severe flaws posing a greater risk to file confidentiality and integrity.
BleepingComputer reports that Sync is "fast-tracking fixes," while Seafile "promised to patch the protocol downgrade problem on a future upgrade." And SC World does note that all 10 of the tested exploits "would require the attacker to have already gained control of a server with the ability to read, modify and inject data.

"The authors wrote that they consider this to be a realistic threat model for E2EE services, as these services are meant to protect files even if such a compromise was to occur."

Thanks to Slashdot reader spatwei for sharing the article.

In 2004 Alaa Abd El Fattah answered questions from Slashdot's readers about organizing the first-ever Linux installfest in Egypt.

In 2014 he was arrested for organizing poltical protests without requesting authorization, according to Wikipedia, and then released on bail — but then sentenced to five years in prison upon retrial. He was released in late March of 2019, but then re-arrested again in September by the National Security Agency, convicted of "spreading fake news" and jailed for five years...

Wikipedia describes Abd El-Fattah as an "Egyptian-British blogger, software developer and a political activist" who has been "active in developing Arabic-language versions of software and platforms." But this week an EFF blog post noticed that his released date had recently passed — and yet he was still in prison: It's been 28 days since September 29, the day that should have seen British-Egyptian blogger, coder, and activist Alaa Abd El Fattah walk free. Egyptian authorities refused to release him at the end of his sentence, in contradiction of the country's own Criminal Procedure Code, which requires that time served in pretrial detention count toward a prison sentence. [Human Rights Watch says Egyptian authorities are refusing to count more than two years of pretrial detention toward his time served. Amnesty International has also called for his release.] In the days since, Alaa's family has been able to secure meetings with high-level British officials, including Foreign Secretary David Lammy, but as of yet, the Egyptian government still has not released Alaa...

Alaa deserves to finally return to his family, now in the UK, and to be reunited with his son, Khaled, who is now a teenager. We urge EFF supporters in the UK to write to their MP to place pressure on the UK's Labour government to use their power to push for Alaa's release.
Last month the EFF wrote:: Over 20 years ago Alaa began using his technical skills to connect coders and technologists in the Middle East to build online communities where people could share opinions and speak freely and privately. The role he played in using technology to amplify the messages of his fellow Egyptians — as well as his own participation in the uprising in Tahrir Square — made him a prominent global voice during the Arab Spring, and a target for the country's successive repressive regimes, which have used antiterrorism laws to silence critics by throwing them in jail and depriving them of due process and other basic human rights.

Alaa is a symbol for the principle of free speech in a region of the world where speaking out for justice and human rights is dangerous and using the power of technology to build community is criminalized...

An anonymous reader quotes a report from TechCrunch: Ahead of the debut of Apple's private AI cloud next week, dubbed Private Cloud Compute, the technology giant says it will pay security researchers up to $1 million to find vulnerabilities that can compromise the security of its private AI cloud. In a post on Apple's security blog, the company said it would pay up to the maximum $1 million bounty to anyone who reports exploits capable of remotely running malicious code on its Private Cloud Compute servers. Apple said it would also award researchers up to $250,000 for privately reporting exploits capable of extracting users' sensitive information or the prompts that customers submit to the company's private cloud.

Apple said it would "consider any security issue that has a significant impact" outside of a published category, including up to $150,000 for exploits capable of accessing sensitive user information from a privileged network position. "We award maximum amounts for vulnerabilities that compromise user data and inference request data outside the [private cloud compute] trust boundary," Apple said. You can learn more about Apple's Private Cloud Computer service in their blog post. Its source code and documentation is available here.

Joe Biden's administration is investigating alleged Chinese efforts to hack US telecoms infrastructure amid reports hackers had targeted the phones of former president Donald Trump and his running mate JD Vance. Financial Times: The FBI and the Cybersecurity and Infrastructure Security Agency said they were investigating "unauthorised access to commercial telecommunications infrastructure by actors affiliated with the People's Republic of China."

The statement followed a report in the New York Times that Chinese hackers had accessed US telecoms networks and targeted data on Trump and Vance's phones. The FBI declined to say if the hackers had targeted their phones.

Steven Cheung, Trump's campaign spokesperson, blamed the alleged attack on Kamala Harris, the US vice-president and Democratic presidential nominee. But he declined to say if US authorities had informed the campaign about the hacking effort.

Cheung said: "This is the continuation of election interference by Kamala Harris and Democrats who will stop at nothing, including emboldening China and Iran attacking critical American infrastructure, to prevent president Trump from returning to the White House. Their dangerous and violent rhetoric has given permission to those who wish to harm president Trump." Further reading:
Chinese Hackers Targeted Trump and Vance's Phone Data (CNN);

China Sought To Hack Trump, Vance and Campaign Phones, Officials Say (Washington Post);

Chinese Hackers Targeted Phones of Trump, Vance, and Harris Campaign (Wall Street Journal);

US Investigating Breach of Telecoms by China-Linked Hackers (Bloomberg);

Trump, Vance Potential Targets in Broad China-Backed Hacking Operation (CBS News);

Chinese Hackers Attempted To Breach Trump, Vance Cellphone Data: Report (Fox News);

Chinese Hackers Believed To Have Targeted Trump, Vance Cellphones: Sources (ABC News);

Chinese Hackers Targeted Cellphones Used by Trump, Vance (Associated Press).

UnitedHealth Group said a ransomware attack in February resulted in more than 100 million individuals having their private health information stolen. The U.S. Department of Health and Human Services first reported the figure on Thursday. TechCrunch reports: The ransomware attack and data breach at Change Healthcare stands as the largest known digital theft of U.S. medical records, and one of the biggest data breaches in living history. The ramifications for the millions of Americans whose private medical information was irretrievably stolen are likely to be life lasting. UHG began notifying affected individuals in late July, which continued through October. The stolen data varies by individual, but Change previously confirmed that it includes personal information, such as names and addresses, dates of birth, phone numbers and email addresses, and government identity documents, including Social Security numbers, driver's license numbers, and passport numbers. The stolen health data includes diagnoses, medications, test results, imaging and care and treatment plans, and health insurance information -- as well as financial and banking information found in claims and payment data taken by the criminals.

The cyberattack became public on February 21 when Change Healthcare pulled much of its network offline to contain the intruders, causing immediate outages across the U.S. healthcare sector that relied on Change for handling patient insurance and billing. UHG attributed the cyberattack to ALPHV/BlackCat, a Russian-speaking ransomware and extortion gang, which later took credit for the cyberattack. The ransomware gang's leaders later vanished after absconding with a $22 million ransom paid by the health insurance giant, stiffing the group's contractors who carried out the hacking of Change Healthcare out of their new financial windfall. The contractors took the data they stole from Change Healthcare and formed a new group, which extorted a second ransom from UHG, while publishing a portion of the stolen files online in the process to prove their threat.

There is no evidence that the cybercriminals subsequently deleted the data. Other extortion gangs, including LockBit, have been shown to hoard stolen data, even after the victim pays and the criminals claim to have deleted the data. In paying the ransom, Change obtained a copy of the stolen dataset, allowing the company to identify and notify the affected individuals whose information was found in the data. Efforts by the U.S. government to catch the hackers behind ALPHV/BlackCat, one of the most prolific ransomware gangs today, have so far failed. The gang bounced back following a takedown operation in 2023 to seize the gang's dark web leak site. Months after the Change Healthcare breach, the U.S. State Department upped its reward for information on the whereabouts of the ALPHV/BlackCat cybercriminals to $10 million.

Ahead of Georgia's parliamentary elections, Georgian authorities raided the homes of disinformation researchers Eto Buziashvili and Sopo Gelava, seizing personal devices. The Record: Eto Buziashvili and Sopo Gelava, both employees of the Atlantic Council think tank, had their homes searched and their own and their family members' personal devices seized by investigators working for the country's Ministry of Finance, according to friends of the pair who spoke to Recorded Future News. Both women are said to be safe, although there are concerns about the security of their devices and online accounts. The searches come a day after Buziashvili published an article detailing how the Kremlin was influencing Georgian politics by supporting the incumbent government and interfering in the upcoming elections.

Local media reported that the offices of outsourcing company Concentrix and other Georgian citizens were also subject to searches. The Ministry of Finance claimed on Facebook it launched searches of "specific facilities" related to "call centers" alleged to be engaged in illegal activity. The investigations come ahead of an election that is being seen as a bellwether of the country's future direction, either pursuing closer ties to Russia under the current prime minister Irakli Kobakhidze or moving towards the West through opposition figures. Graham Brookie, the Atlantic Council's vice president for technology programs and strategy, said the organization "is deeply concerned about this development and its impact on our staff's work shortly before Georgian elections. [Gelava and Buziashvili] are engaged in independent, non-partisan work aimed at defending and strengthening democracy from those who would undermine it in online spaces, including research related to foreign influence efforts, the targeting of marginalized communities, and other online harms."

"We trust that Georgian authorities will provide more clarity on their actions, ensure the safety and security of our staff, return their property, and allow them to continue their contributions to Georgian democracy."

The White House is directing the Pentagon and intelligence agencies to increase their adoption of AI, expanding the Biden administration's efforts to curb technological competition from China and other adversaries. From a report: The edict is part of a landmark national security memorandum published Thursday. It aims to make government agencies step up experiments and deployments of AI. The memo also bans agencies from using the technology in ways that "do not align with democratic values," according to a White House news release.

"This is our nation's first ever strategy for harnessing the power and managing the risks of AI to advance our national security," national security adviser Jake Sullivan said in a speech Thursday. Sullivan called the speed of change in AI "breathtaking" and said it had the potential to affect fields ranging from nuclear physics to rocketry and stealth technology. The White House believes that providing clear rules for using AI will make it easier for government agencies to use the technology, according to a briefing with senior administration officials who spoke on the condition of anonymity to discuss details of the report before its publication.

Cable companies, advertising firms, and newspapers are asking courts to block a federal "click-to-cancel" rule that would force businesses to make it easier for consumers to cancel services. From a report: Lawsuits were filed yesterday, about a week after the Federal Trade Commission approved a rule that "requires sellers to provide consumers with simple cancellation mechanisms to immediately halt all recurring charges."

Cable lobby group NCTA-The Internet & Television Association and the Interactive Advertising Bureau trade group sued the FTC in the conservative US Court of Appeals for the 5th Circuit. The lawsuit claims the 5th Circuit is a proper venue because a third plaintiff, the Electronic Security Association, has its principal offices in Dallas. That group represents security companies such as ADT.

Ireland's data-protection watchdog fined LinkedIn 310 million euros ($334.3 million), saying the Microsoft-owned career platform's personal-data processing breached strict European Union data-privacy and security legislation. From a report: The Irish Data Protection Commission in 2018 launched a probe into LinkedIn's processing of users' personal data for behavioral analysis and targeted advertising after its French equivalent flagged a complaint it received from a non-profit organization. Irish officials raised concerns on the lawfulness, fairness and transparency of the practice, saying Thursday that LinkedIn was in breach of the EU's General Data Protection Regulation.

"The lawfulness of processing is a fundamental aspect of data protection law and the processing of personal data without an appropriate legal basis is a clear and serious violation of a data subjects' fundamental right to data protection," said Graham Doyle, deputy commissioner at the Irish Data Protection Commission. In their decision, Irish officials said LinkedIn wasn't sufficiently informing users when seeking their consent to process third-party data for behavioral analysis and targeted advertising and ordered the platform to bring its processing into compliance.