Security

Pig-Butchering Scam Kits Are for Sale in Underground Markets (bloomberg.com) 27

Cybercriminals are selling ready-made "pig-butchering" scam kits on the dark web to conduct "DeFi savings" cryptocurrency fraud, according to Sophos. The kits expedite scamming worldwide. In these scams, criminals build online relationships then persuade victims to invest in fake crypto schemes, manipulating them to drain digital wallets. The bundled kits contain websites enabling wallet access via Ethereum blockchain plus chat support posing as technical staff. Victims open legitimate crypto apps but enter malicious sites letting criminals steal funds. The report details the mass distribution of these DIY crypto fraud kits.
Security

Cloudflare Hacked By Suspected State-Sponsored Threat Actor (securityweek.com) 19

wiredmikey writes: Web security and CDN giant Cloudflare said it was hacked by a threat actor using stolen credentials to access internal systems, code repositories, along with an AWS environment, as well as Atlassian Jira and Confluence. The goal of the attack, Cloudflare says, was to obtain information on the company's infrastructure, likely to gain a deeper foothold.

According to Cloudflare, more than 5,000 individual production credentials were rotated following the incident, close to 5,000 systems were triaged, test and staging systems were physically segmented, and every machine within the Cloudflare global network was reimaged and rebooted.

China

FBI Director Warns Chinese Hackers Aim To 'Wreak Havoc' On US Critical Infrastructure (nbcnews.com) 98

"China's hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if or when China decides the time has come to strike," said FBI Director Christopher Wray in a prepared testimony before the House Select Committee on the Chinese Communist Party. NBC News reports: Wray also argued that "there has been far too little public focus" that Chinese hackers are targeting critical infrastructure in the U.S. such as water treatment plants, electrical grids, oil and natural gas pipelines, and transportation systems, according to the prepared remarks. "And the risk that poses to every American requires our attention -- now," his prepared testimony said.

As Wray testified, the Justice Department and FBI announced they had disabled a Chinese hacking operation that had infected hundreds of small office and home routers with botnet malware that targeted critical infrastructure. The DOJ said the hackers, known to the private sector as "Volt Typhoon," used privately owned small routers that were infected with "KV botnet" malware to conceal further Chinese hacking activities against U.S. and foreign victims. Wray addressed the malware in his testimony, emphasizing that it targets critical infrastructure in the U.S. [...]

At Wednesday's hearing, the director of the federal Cybersecurity and Infrastructure Security Agency, Jen Easterly, testified that Americans should expect efforts by China to wage influence campaigns online relating to the 2024 election. However, Easterly added that she was confident that voting systems and other election infrastructure are well-defended. "To be very clear, Americans should have confidence in the integrity of our election infrastructure because of the enormous amount of work that's been done by state and local election officials, by the federal government, by vendors, by the private sector since 2016," Easterly said in her testimony.

Wray emphasized in the remarks that the "cyber onslaught" of Chinese hackers "goes way beyond prepositioning for future conflict," saying in the prepared remarks that every day the hackers are "actively attacking" U.S. economic security, engaging in "wholesale theft of our innovation, and our personal and corporate data." "And they don't just hit our security and economy. They target our freedoms, reaching inside our borders, across America, to silence, coerce, and threaten our citizens and residents," the excerpts said.

Technology

'Cory Doctorow Has a Plan To Wipe Away the Enshittification of Tech' (theregister.com) 206

In an interview with The Register, author and activist Cory Doctorow offers potential solutions to stop "enshittification," an age-old phenomenon that has become endemic in the tech industry. It's when a platform that was once highly regarded and user-friendly gradually deteriorates in quality, becoming less appealing and more monetized over time. Then, it dies. Here's an excerpt from the interview, conducted by The Register's Iain Thomson: [...] Doctorow explained that the reasons for enshittification are complex, and not necessarily directly malicious -- but a product of the current business environment and the state of regulation. He thinks the way to flush enshittification is enforcing effective competition. "We need to have prohibition and regulation that prohibits the capital markets from funding predatory pricing," he explained. "It's very hard to enter the market when people are selling things below cost. We need to prohibit predatory acquisitions. Look at Facebook: buying Instagram, and Mark Zuckerberg sending an email saying we're buying Instagram because people don't like Facebook and they're moving to Instagram, and we just don't want them to have anywhere else to go."

The frustrating part of this is that the laws needed to break up the big tech monopolies that allow enshittification, and encourage competition, are already on the books. Doctorow lamented those laws haven't been enforced. In the US, the Clayton Act, the Federal Trade Act, and the Sherman Act are all valid, but have either not been enforced or are being questioned in the courts. However, in the last few years that appears to be changing. Recent actions by increasingly muscular regulatory agencies like the FTC and FCC are starting to move against the big tech monopolies, as well as in other industry sectors. What's more, Doctorow pointed out, these are not just springing from the Democratic administration but are being actively supported by an increasing number of Republicans. He cited Lina Khan, appointed as chair of the FTC in part thanks to the support of Republican politicians seeking change (although the GOP now regularly criticizes her positions).

The sheer size of the largest tech companies certainly gives them an advantage in cases like these, Doctorow opined, noting that we've seen this in action more than 20 years ago. "Think back to the Napster era, and compare tech and entertainment. Entertainment was very concentrated into about seven big firms and they had total unity and message discipline," Doctorow recalled. "Tech was a couple of hundred firms, and they were much larger -- like an order of magnitude larger in aggregate than entertainment. But their messages were all over the place, and they were contradicting each other. And so they just lost, and they lost very badly."
Doctorow discusses the detrimental effects of mega-companies on innovation and security, noting how growth strategies focused on raising costs and reducing value can lead to vulnerabilities and employee demoralization. "Remember when tech workers dreamed of working for a big company before striking out on their own to put that big company out of business? Then that dream shrank to working for a few years, quitting and doing a fake startup to get hired back by your old boss in the world's most inefficient way to get a raise," he told the Def Con crowd last August. "Next it shrank even further. You're working for a tech giant your whole life but you get free kombucha and massages. And now that dream is over and all that's left is work with a tech giant until they fire your ass -- like those 12,000 Googlers who got fired six months after a stock buyback that would have paid their salaries for the next 27 years. We deserve better than this."

Additionally, Doctorow emphasizes the growing movement toward labor organizing in the tech industry, which could be a pivotal factor in reversing the trend of enshittification. "We're so much closer to tech unionization than we were just a few years ago. Yeah, it's still nascent, and yes, it's easy to double small numbers, but the strength is doubling very quickly and in a very heartening way," Doctorow told The Register. "We're really at a turning point. And some of it is coming from the kind of solidarity like you see with warehouse workers and tech workers."

Ultimately, Doctorow argues it should be possible to reintroduce a more competitive and innovative tech industry environment, where the interests of users, employees, and investors are better balanced.
Security

Ivanti Patches Two Zero-Days Under Attack, But Finds Another (techcrunch.com) 1

Ivanti warned on Wednesday that hackers are exploiting another previously undisclosed zero-day vulnerability affecting its widely used corporate VPN appliance. From a report: Since early December, Chinese state-backed hackers have been exploiting Ivanti Connect Secure's flaws -- tracked as CVE-2023-46805 and CVE-2024-21887 -- to break into customer networks and steal information. Ivanti is now warning that it has discovered two additional flaws -- tracked as CVE-2024-21888 and CVE-2024-21893 -- affecting its Connect Secure VPN product. The former is described as a privilege escalation vulnerability, while the latter -- known as a zero-day because Ivanti had no time to fix the bug before hackers began exploiting it -- is a server-side bug that allows an attacker access to certain restricted resources without authentication. In its updated disclosure, Ivanti said it has observed "targeted" exploitation of the server-side bug. Germany's Federal Office for Information Security, known as the BSI, said in a translated advisory on Wednesday that it has knowledge of "multiple compromised systems."
AI

Microsoft AI Engineer Says Company Thwarted Attempt To Expose DALL-E 3 Safety Problems (geekwire.com) 78

Todd Bishop reports via GeekWire: A Microsoft AI engineering leader says he discovered vulnerabilities in OpenAI's DALL-E 3 image generator in early December allowing users to bypass safety guardrails to create violent and explicit images, and that the company impeded his previous attempt to bring public attention to the issue. The emergence of explicit deepfake images of Taylor Swift last week "is an example of the type of abuse I was concerned about and the reason why I urged OpenAI to remove DALL-E 3 from public use and reported my concerns to Microsoft," writes Shane Jones, a Microsoft principal software engineering lead, in a letter Tuesday to Washington state's attorney general and Congressional representatives.

404 Media reported last week that the fake explicit images of Swift originated in a "specific Telegram group dedicated to abusive images of women," noting that at least one of the AI tools commonly used by the group is Microsoft Designer, which is based in part on technology from OpenAI's DALL-E 3. "The vulnerabilities in DALL-E 3, and products like Microsoft Designer that use DALL-E 3, makes it easier for people to abuse AI in generating harmful images," Jones writes in the letter to U.S. Sens. Patty Murray and Maria Cantwell, Rep. Adam Smith, and Attorney General Bob Ferguson, which was obtained by GeekWire. He adds, "Microsoft was aware of these vulnerabilities and the potential for abuse."

Jones writes that he discovered the vulnerability independently in early December. He reported the vulnerability to Microsoft, according to the letter, and was instructed to report the issue to OpenAI, the Redmond company's close partner, whose technology powers products including Microsoft Designer. He writes that he did report it to OpenAI. "As I continued to research the risks associated with this specific vulnerability, I became aware of the capacity DALL-E 3 has to generate violent and disturbing harmful images," he writes. "Based on my understanding of how the model was trained, and the security vulnerabilities I discovered, I reached the conclusion that DALL-E 3 posed a public safety risk and should be removed from public use until OpenAI could address the risks associated with this model."

On Dec. 14, he writes, he posted publicly on LinkedIn urging OpenAI's non-profit board to withdraw DALL-E 3 from the market. He informed his Microsoft leadership team of the post, according to the letter, and was quickly contacted by his manager, saying that Microsoft's legal department was demanding that he delete the post immediately, and would follow up with an explanation or justification. He agreed to delete the post on that basis but never heard from Microsoft legal, he writes. "Over the following month, I repeatedly requested an explanation for why I was told to delete my letter," he writes. "I also offered to share information that could assist with fixing the specific vulnerability I had discovered and provide ideas for making AI image generation technology safer. Microsoft's legal department has still not responded or communicated directly with me." "Artificial intelligence is advancing at an unprecedented pace. I understand it will take time for legislation to be enacted to ensure AI public safety," he adds. "At the same time, we need to hold companies accountable for the safety of their products and their responsibility to disclose known risks to the public. Concerned employees, like myself, should not be intimidated into staying silent."
The full text of Jones' letter can be read here (PDF).
The Internet

Russia Hit With Widespread Internet Outage Across Country (bloomberg.com) 76

Russia is facing a widespread internet outage that's affected users across the country, with access to websites on the local .ru domain down. From a report: The issue was linked to a technical problem with the .ru domain's global Domain Name System Security Extensions, or DNSSEC, which is used to secure data exchanged in internet protocol networks, Russia's Digital Ministry said in a statement on Telegram Tuesday. Websites including the most popular local search engine Yandex.ru, ecommerce leaders Ozon.ru and Wildberries.ru, and apps of the country's biggest banks -- Sberbank PJSC and VTB Group -- were all affected, state-run Ria reported, citing Downradar, a traffic monitoring service.
Security

ChatGPT is Leaking Passwords From Private Conversations of Its Users - Report (arstechnica.com) 62

Dan Goodin, reporting for ArsTechnica: ChatGPT is leaking private conversations that include login credentials and other personal details of unrelated users, screenshots submitted by an Ars reader on Monday indicated. Two of the seven screenshots the reader submitted stood out in particular. Both contained multiple pairs of usernames and passwords that appeared to be connected to a support system used by employees of a pharmacy prescription drug portal. An employee using the AI chatbot seemed to be troubleshooting problems they encountered while using the portal.

"THIS is so f-ing insane, horrible, horrible, horrible, i cannot believe how poorly this was built in the first place, and the obstruction that is being put in front of me that prevents it from getting better," the user wrote. "I would fire [redacted name of software] just for this absurdity if it was my choice. This is wrong." Besides the candid language and the credentials, the leaked conversation includes the name of the app the employee is troubleshooting and the store number where the problem occurred. The entire conversation goes well beyond what's shown in the redacted screenshot above. A link Ars reader Chase Whiteside included showed the chat conversation in its entirety. The URL disclosed additional credential pairs. The results appeared Monday morning shortly after reader Whiteside had used ChatGPT for an unrelated query.

United States

NY AG Sues Citibank For Failing To Protect Customers From Hackers And Scammers (cnn.com) 50

New York Attorney General Letitia James filed a lawsuit against Citibank on Tuesday, alleging the big bank failed to do enough to protect and reimburse victims of fraud. From a report: The lawsuit argues that New York customers lost millions of dollars -- in some cases their entire lifesavings -- to scammers and hackers because of Citi's weak security and anti-fraud measures. According to the NY AG, Citi does not do enough to prevent unauthorized account takeovers, illegally refuses to reimburse fraud victims and "misleads" customers about their rights after their accounts are hacked.

The lawsuit, filed in US District Court for the Southern District of New York, alleges that Citi has "overpromised and underdelivered on security" and failed to respond appropriately to red flags. "Banks are supposed to be the safest place to keep money, yet Citi's negligence has allowed scammers to steal millions of dollars from hardworking people," James said in a statement. "There is no excuse for Citi's failure to protect and prevent millions of dollars from being stolen from customers' accounts and my office will not write off illegal behavior from big banks."

The Internet

Apple Says UK Could 'Secretly Veto' Global Privacy Tools (bbc.co.uk) 90

AmiMoJo writes: Apple has attacked proposals for the UK government to pre-approve new security features introduced by tech firms. Under the proposed amendments to existing laws, if the UK Home Office declined an update, it then could not be released in any other country, and the public would not be informed. The government is seeking to update the Investigatory Powers Act (IPA) 2016. The Home Office said it supported privacy-focused tech but added that it also had to keep the country safe.

A government spokesperson said: "We have always been clear that we support technological innovation and private and secure communications technologies, including end-to-end encryption, but this cannot come at a cost to public safety." The proposed changes will be debated in the House of Lords tomorrow. Apple says it is an "unprecedented overreach" by the UK government. "We're deeply concerned the proposed amendments to the Investigatory Powers Act (IPA) now before Parliament place users' privacy and security at risk," said Apple in a statement. "It's an unprecedented overreach by the government and, if enacted, the UK could attempt to secretly veto new user protections globally preventing us from ever offering them to customers."

United States

US Disabled Chinese Hacking Network Targeting Critical Infrastructure (reuters.com) 24

The U.S. government in recent months launched an operation to fight a pervasive Chinese hacking operation that successfully compromised thousands of internet-connected devices, Reuters reported Tuesday, citing two Western security officials and another person familiar with the matter. From the report: The Justice Department and Federal Bureau of Investigation sought and received legal authorization to remotely disable aspects of the Chinese hacking campaign, the sources told Reuters. The Biden administration has increasingly focused on hacking, not only for fear nation states may try to disrupt the U.S. election in November, but because ransomware wreaked havoc on Corporate America in 2023.

The hacking group at the center of recent activity, Volt Typhoon, has especially alarmed intelligence officials who say it is part of a larger effort to compromise Western critical infrastructure, including naval ports, internet service providers and utilities. While the Volt Typhoon campaign initially came to light in May 2023, the hackers expanded the scope of their operations late last year and changed some of their techniques, according to three people familiar with the matter. The widespread nature of the hacks led to a series of meetings between the White House and private technology industry, including several telecommunications and cloud computing companies, where the U.S. government asked for assistance in tracking the activity.

The Internet

ICANN Proposes Creating .INTERNAL Domain (theregister.com) 76

The Internet Corporation for Assigned Names and Numbers (ICANN) has proposed creating a new top-level domain (TLD) and never allowing it to be delegated in the global domain name system (DNS) root. From a report: The proposed TLD is .INTERNAL and, as the name implies, it's intended for internal use only. The idea is that .INTERNAL could take on the same role as the 192.168.x.x IPv4 block -- available for internal use but never plumbed into DNS or other infrastructure that would enable it to be accessed from the open internet.

ICANN's Security and Stability Advisory Committee (SSAC) advised the development of such a TLD in 2020. It noted at the time that "many enterprises and device vendors make ad hoc use of TLDs that are not present in the root zone when they intend the name for private use only. This usage is uncoordinated and can cause harm to Internet users" -- in part by forcing DNS servers to handle, and reject, queries for domains only used internally. DNS, however, can't prevent internal use of ad hoc TLDs. So the SSAC recommended creation of a TLD that would be explicitly reserved for internal use.
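The harm the SSAC describes is a leak: queries for names that only exist inside an organisation escape to the public resolvers and the root servers, which must process them only to answer NXDOMAIN. The resolver-side check below is an added example, not ICANN's or the SSAC's code. It treats .INTERNAL as reserved on the assumption that the proposal is adopted, and groups it with the special-use names the IETF has already reserved (RFC 6761, RFC 6762 for .local, RFC 8375 for home.arpa) and with the reverse zones of the RFC 1918 address ranges (RFC 6761 section 6.1, RFC 6303), which are the IPv4 counterpart of the same problem. The sample query names at the bottom are constructed.

```python
import ipaddress
from typing import List, Tuple

# Suffixes that internal infrastructure must answer and that a resolver must
# never forward to the public DNS. ".internal" is the TLD ICANN proposes
# (assumed adopted here); the others are existing IETF special-use names.
PRIVATE_USE_SUFFIXES = (
    "internal",                                 # proposed by ICANN
    "localhost", "invalid", "test", "example",  # RFC 6761
    "local",                                    # RFC 6762 (mDNS)
    "home.arpa",                                # RFC 8375
)

# RFC 1918 ranges; their reverse zones (10.in-addr.arpa, 16-31.172.in-addr.arpa,
# 168.192.in-addr.arpa) are likewise reserved for local service.
RFC1918 = tuple(ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))


def _labels(name: str) -> List[str]:
    """Normalise a query name into lower-case labels, ignoring a trailing dot."""
    return [label for label in name.rstrip(".").lower().split(".") if label]


def _is_private_reverse(labels: List[str]) -> bool:
    """True for reverse-lookup names inside an RFC 1918 range.

    "5.1.168.192.in-addr.arpa" becomes 192.168.1.5/32; a partial zone such as
    "168.192.in-addr.arpa" becomes the prefix 192.168.0.0/16. "172.in-addr.arpa"
    is 172.0.0.0/8, which is wider than 172.16.0.0/12, so it is not private.
    """
    if labels[-2:] != ["in-addr", "arpa"]:
        return False
    octets = labels[:-2][::-1]
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return False
    prefix = ".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}"
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.subnet_of(private) for private in RFC1918)


def is_private_use_name(qname: str) -> bool:
    """True if qname falls under a name that must not leave the local resolver."""
    labels = _labels(qname)
    for suffix in PRIVATE_USE_SUFFIXES:
        parts = suffix.split(".")
        if labels[-len(parts):] == parts:
            return True
    return _is_private_reverse(labels)


def route_queries(qnames) -> Tuple[List[str], List[str]]:
    """Split query names into those the internal authoritative server answers
    (or the resolver answers NXDOMAIN locally) and those safe to forward."""
    local, forward = [], []
    for q in qnames:
        (local if is_private_use_name(q) else forward).append(q)
    return local, forward


if __name__ == "__main__":
    # Constructed sample queries as seen by a recursive resolver.
    sample = ["build.corp.internal.", "printer.local", "ns1.home.arpa",
              "5.1.168.192.in-addr.arpa", "172.in-addr.arpa",
              "internal.example.com", "www.example.com"]
    local, forward = route_queries(sample)
    print("answer locally:", local)
    print("forward upstream:", forward)
```

The same suffix table belongs in the resolver's own configuration (a local zone or a forwarding policy), where it stops the leak before a query is built; the function here is the check to run over resolver query logs to measure how much internal traffic is already escaping.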

Security

Mistakenly Published Password Exposes Mercedes-Benz Source Code (techcrunch.com) 29

An anonymous reader quotes a report from TechCrunch: Mercedes-Benz accidentally exposed a trove of internal data after leaving a private key online that gave "unrestricted access" to the company's source code, according to the security research firm that discovered it. Shubham Mittal, co-founder and chief technology officer of RedHunt Labs, alerted TechCrunch to the exposure and asked for help in disclosing to the car maker. The London-based cybersecurity company said it discovered a Mercedes employee's authentication token in a public GitHub repository during a routine internet scan in January. According to Mittal, this token -- an alternative to using a password for authenticating to GitHub -- could grant anyone full access to Mercedes's GitHub Enterprise Server, thus allowing the download of the company's private source code repositories.

"The GitHub token gave 'unrestricted' and 'unmonitored' access to the entire source code hosted at the internal GitHub Enterprise Server," Mittal explained in a report shared by TechCrunch. "The repositories include a large amount of intellectual property, connection strings, cloud access keys, blueprints, design documents, [single sign-on] passwords, API Keys, and other critical internal information." Mittal provided TechCrunch with evidence that the exposed repositories contained Microsoft Azure and Amazon Web Services (AWS) keys, a Postgres database, and Mercedes source code. It's not known if any customer data was contained within the repositories. It's not known if anyone else besides Mittal discovered the exposed key, which was published in late-September 2023.
A Mercedes spokesperson confirmed that the company "revoked the respective API token and removed the public repository immediately."

"We can confirm that internal source code was published on a public GitHub repository by human error. The security of our organization, products, and services is one of our top priorities. We will continue to analyze this case according to our normal processes. Depending on this, we implement remedial measures."
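The token sat in a public repository for roughly four months before a third party found it, which is the window a pre-commit secret scan is meant to close. The scanner below is an added example, not Mercedes's, RedHunt Labs's or GitHub's code. It matches the documented prefixes of GitHub tokens (ghp_, gho_, ghu_, ghs_, ghr_, github_pat_) and AWS access key IDs (AKIA/ASIA), catches database connection strings with embedded passwords, and falls back to a Shannon-entropy test on anything assigned to a secret-looking variable name. The sample file it scans is constructed: the GitHub token is a made-up string behind the real prefix and the AWS key ID is the placeholder from AWS's own documentation.

```python
import math
import re
import sys
from typing import List, NamedTuple

# Format rules. The GitHub and AWS prefixes are documented token formats; the
# length bounds are deliberately loose so a format change does not silence a rule.
RULES = [
    ("github-token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
    ("github-fine-grained-pat", re.compile(r"\bgithub_pat_[A-Za-z0-9_]{40,}\b")),
    ("aws-access-key-id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")),
    ("db-connection-string",
     re.compile(r"\b(?:postgres(?:ql)?|mysql|mongodb)://[^:\s/]+:[^@\s]+@", re.I)),
]
# Catch-all for secrets without a fixed format: a secret-looking variable name
# assigned a long value; the entropy check below weeds out placeholders.
ASSIGNMENT = re.compile(
    r'''(?i)(?:api[_-]?key|secret|token|password|passwd)\s*[:=]\s*['"]?([A-Za-z0-9+/=_\-]{16,})''')


class Finding(NamedTuple):
    line_no: int
    rule: str
    redacted: str   # never echo the full secret into CI logs


def shannon_entropy(s: str) -> float:
    """Bits per character: random 32-char tokens score about 4.5 to 5, words 2 to 3."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def redact(secret: str) -> str:
    return f"{secret[:4]}...({len(secret)} chars)"


def scan_text(text: str, entropy_threshold: float = 3.5) -> List[Finding]:
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), 1):
        hit = False
        for rule, pattern in RULES:
            for m in pattern.finditer(line):
                findings.append(Finding(line_no, rule, redact(m.group(0))))
                hit = True
        if hit:
            continue   # a format rule already explains this line
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(1)) >= entropy_threshold:
            findings.append(Finding(line_no, "high-entropy-secret", redact(m.group(1))))
    return findings


# Constructed sample of a config file a developer might commit by mistake.
# All values are fake; AKIAIOSFODNN7EXAMPLE is AWS's documentation placeholder.
SAMPLE_FILE = """\
# deploy.env
GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
DATABASE_URL=postgres://app:Sup3rS3cretPassw0rd@db.example.internal:5432/app
API_TOKEN="kq8Zp2Xv9LmN4rTw7YbC3dFg6HjK1sVx"
LOG_LEVEL=debug
password = changeme
"""


def main() -> int:
    # Pre-commit usage: `git diff --cached | python scan_secrets.py`; with no
    # piped input it scans the constructed sample so the block runs stand-alone.
    text = SAMPLE_FILE if sys.stdin.isatty() else sys.stdin.read()
    findings = scan_text(text)
    for f in findings:
        print(f"line {f.line_no}: {f.rule}: {f.redacted}")
    return 1 if findings else 0   # non-zero exit blocks the commit


if __name__ == "__main__":
    sys.exit(main())
```

A pre-commit hook only catches what developers commit on machines that run it, so the same rules should also run server-side over every push and, as RedHunt Labs did here, over what is already public; a token found that way is treated as compromised and revoked, not just removed from history.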
IT

Office Mandates Don't Help Companies Make More Money, Study Finds (spokesman.com) 70

Remember that cheery corporate video Internet Brands used to announce its new (non-negotiable) hybrid return-to-office policy (with the festive song "Iko Iko" playing in the background)? They've now pulled the video from Vimeo.

Could that signal a larger shift in attitudes about working from home? The Washington Post reports: Now, new research from the Katz Graduate School of Business at the University of Pittsburgh suggests that office mandates may not help companies' financial performances, but they can make workers less satisfied with their jobs and work-life balance... "We will not get back to the time when as many people will be happy working from the office the way they were before the pandemic," said Mark Ma, co-author of the study and associate professor at the Katz Graduate School of Business. Additionally, mandates make workers less happy, therefore less productive and more likely to look for a new job, he said.

The study analyzed a sample of Standard & Poor's 500 firms to explore the effects of office mandates, including average change in quarterly results and company stock price. Those results were compared with changes at companies without office mandates. The outcome showed the mandates made no difference. Firms with mandates did not experience financial boosts compared with those without. The sample covered 457 firms and 4,455 quarterly observations between June 2019 and January 2023...

"There are compliance issues universally," said Prithwiraj Choudhury, a Harvard Business School professor who studies remote work. "Some companies are issuing veiled threats about promotions and salary increases ... which is unfortunate because this is your talent pool, your most valuable resource...." Rather than grappling with mandates as a means of boosting productivity, companies should instead focus on structuring their policies on a team basis, said Choudhury of Harvard. That means not only understanding the frequency and venue in which teams would be most productive in-person, but also ensuring that in-person days are structured for more collaboration. Requiring employees to work in-office to boost productivity in general has yet to prove itself out, he added.

"Return-to-office is just a knee-jerk reaction trying to make the world go back to where it was instead of recognizing this as a point for fundamental transformation," he said. "I call them return-to-the-past mandates."

The article cites US Bureau of Labor Statistics figures showing movement in the other direction: roughly 78% of workers ages 16 and older "worked entirely on-site in December 2023, down from 81% a year earlier", and for tech workers only 34% worked entirely on-site last month compared with 38% last year.

"Still, some companies are going all in on mandates, reminding workers and sometimes threatening promotions and job security for noncompliance. Leaders are unlikely to backtrack on mandates once they have been implemented because that could be viewed as admitting they made a mistake, said Ma."
Transportation

18-Year-Old Cleared After Encrypted Snapchat Joke Led To F-18s and Arrest (bbc.co.uk) 133

Slashdot reader Bruce66423 shared this report from the BBC: A Spanish court has cleared a British man of public disorder, after he joked to friends about blowing up a flight from London Gatwick to Menorca.

Aditya Verma admitted he told friends in July 2022: "On my way to blow up the plane. I'm a member of the Taliban." But he said he had made the joke in a private Snapchat group and never intended to "cause public distress"... The message he sent to friends, before boarding the plane, went on to be picked up by UK security services. They then flagged it to Spanish authorities while the easyJet plane was still in the air.

Two Spanish F-18 fighter jets were sent to flank the aircraft. One followed the plane until it landed at Menorca, where the plane was searched. Mr Verma, who was 18 at the time, was arrested and held in a Spanish police cell for two days. He was later released on bail... If he had been found guilty, the university student faced a fine of up to €22,500 (£19,300 or $20,967) and a further €95,000 (£81,204 or $103,200) in expenses to cover the cost of the jets being scrambled.

But how did his message first get from the encrypted app to the UK security services? One theory, raised in the trial, was that it could have been intercepted via Gatwick's Wi-Fi network. But a spokesperson for the airport told BBC News that its network "does not have that capability"... A spokesperson for Snapchat said the social media platform would not "comment on what's happened in this individual case".
richi (Slashdot reader #74,551) thinks it's obvious what happened: Snapchat's own web site says they scan messages for threats and pass them on to the authorities. ("We also work to proactively escalate to law enforcement any content appearing to involve imminent threats to life, such as...bomb threats....")

"In the case of emergency disclosure requests from law enforcement, our 24/7 team usually responds within 30 minutes."
Microsoft

HP, Many More Companies May Have Been Breached By Russian Intelligence Group (msn.com) 27

"Security experts expect many more companies to disclose that they've been hacked by Russian intelligence agents who stole emails from executives," reports the Washington Post, "following disclosures by Microsoft and Hewlett-Packard Enterprise in the past week." Microsoft said late Thursday that it had found more victims and was in the process of notifying them. A spokesperson declined to say how many. But three experts in and out of government said that the attack was deeper and broader than the disclosures to date reveal. Two said that more than 10 companies, and perhaps far more, are expected to come forward...

The Securities and Exchange Commission last year strengthened the rules that require companies to notify their stockholders of computer intrusions that could have a material impact on company results. That helped spur the recent disclosures.

A spokesperson for America's Department of Homeland Security said "at this time we are not aware of impacts to Microsoft customer environments or products," according to the article. (Although the Washington Post adds that "The Microsoft and HPE breaches are especially concerning because so many other companies and agencies rely on them for cloud services, including email.")

The attackers were potentially spying on Microsoft's senior leadership team "for weeks or months," reports the Verge, citing a newly-published analysis by Microsoft: Crucially, the non-production test tenant account that was breached didn't have two-factor authentication enabled. [A cyber-breaching group named Nobelium from Russia's foreign intelligence service] "tailored their password spray attacks to a limited number of accounts, using a low number of attempts to evade detection," says Microsoft. From this attack, the group "leveraged their initial access to identify and compromise a legacy test OAuth application that had elevated access to the Microsoft corporate environment...." This elevated access allowed the group to create more malicious OAuth applications and create accounts to access Microsoft's corporate environment and eventually its Office 365 Exchange Online service that provides access to email inboxes...

Hewlett Packard Enterprise (HPE) revealed earlier this week that the same group of hackers had previously gained access to its "cloud-based email environment." HPE didn't name the provider, but the company did reveal the incident was "likely related" to the "exfiltration of a limited number of [Microsoft] SharePoint files as early as May 2023."
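Microsoft's description of the initial access, a spray tailored to a few accounts with a low number of attempts against a test tenant without two-factor authentication, is exactly the shape that per-account lockout thresholds miss. The detection below is an added example, not Microsoft's analysis or any product's rule. It keys on the source address rather than the account: a source that fails against many distinct accounts with only one or two tries each is a sprayer, while many failures against one account is a brute force. It then lists successful sign-ins from flagged sources together with whether MFA was enforced on that account. The sign-in log is constructed and the thresholds are assumptions to tune against your own baseline.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple, NamedTuple


class SignIn(NamedTuple):
    ts: datetime
    user: str
    src_ip: str
    success: bool
    mfa: bool


# Constructed sample sign-in log (not real Microsoft or Entra ID data).
# 203.0.113.7 fails once against five accounts over a day and then succeeds on a
# test account with no MFA; 198.51.100.9 hammers one account (brute force, not
# a spray); 192.0.2.10 is an ordinary successful login.
SAMPLE_LOG = """\
timestamp,user,src_ip,result,mfa
2024-01-10T01:00:05,alice@corp.example,203.0.113.7,failure,true
2024-01-10T03:12:44,bob@corp.example,203.0.113.7,failure,true
2024-01-10T05:40:09,carol@corp.example,203.0.113.7,failure,true
2024-01-10T08:02:31,dave@corp.example,203.0.113.7,failure,true
2024-01-10T11:55:18,erin@corp.example,203.0.113.7,failure,true
2024-01-10T14:20:00,legacy-test@corp.example,203.0.113.7,success,false
2024-01-10T09:00:00,frank@corp.example,198.51.100.9,failure,true
2024-01-10T09:00:01,frank@corp.example,198.51.100.9,failure,true
2024-01-10T09:00:02,frank@corp.example,198.51.100.9,failure,true
2024-01-10T09:00:03,frank@corp.example,198.51.100.9,failure,true
2024-01-10T09:00:04,frank@corp.example,198.51.100.9,failure,true
2024-01-10T09:00:05,frank@corp.example,198.51.100.9,failure,true
2024-01-10T10:00:00,alice@corp.example,192.0.2.10,success,true
"""


def parse_events(text: str) -> List[SignIn]:
    """Parse the CSV sign-in export into SignIn records."""
    return [SignIn(datetime.fromisoformat(row["timestamp"]), row["user"], row["src_ip"],
                   row["result"] == "success", row["mfa"] == "true")
            for row in csv.DictReader(io.StringIO(text))]


def detect_password_spray(events: List[SignIn], window: timedelta = timedelta(hours=24),
                          min_accounts: int = 5, max_attempts_per_account: int = 3
                          ) -> List[Tuple[str, int]]:
    """Return (src_ip, distinct_accounts) for sources that failed against at
    least min_accounts distinct accounts, with no more than
    max_attempts_per_account tries on any one of them, all inside window.
    The low per-account count is what distinguishes a spray from a brute force."""
    failures: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    seen_at: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if not e.success:
            failures[e.src_ip][e.user] += 1
            seen_at[e.src_ip].append(e.ts)
    flagged = []
    for ip, per_user in failures.items():
        if (len(per_user) >= min_accounts
                and max(per_user.values()) <= max_attempts_per_account
                and max(seen_at[ip]) - min(seen_at[ip]) <= window):
            flagged.append((ip, len(per_user)))
    return sorted(flagged)


def successes_from_spray_sources(events: List[SignIn], flagged: List[Tuple[str, int]]
                                 ) -> List[Tuple[str, str, bool]]:
    """Successful sign-ins from flagged sources: the initial-access signal.
    The third field says whether MFA was enforced on the account that fell."""
    ips = {ip for ip, _ in flagged}
    return [(e.src_ip, e.user, e.mfa) for e in events if e.success and e.src_ip in ips]


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    flagged = detect_password_spray(events)
    print("spray sources:", flagged)
    for ip, user, mfa in successes_from_spray_sources(events, flagged):
        print(f"ALERT: {user} signed in from spray source {ip}; MFA enforced: {mfa}")
```

Sprayers rotate source addresses, so a production rule also groups by ASN, user agent and authentication endpoint and uses a sliding window rather than the single fixed span above; the MFA flag on the hit is the triage priority, since a success on an account without a second factor is the case that becomes a foothold.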

AI

AI Startup Bans Account Blamed for Biden Audio Deepfake (bloomberg.com) 39

An anonymous reader shares a report: The creator of an audio deepfake of US President Joe Biden urging people not to vote in this week's New Hampshire primary has been suspended by ElevenLabs, according to a person familiar with the matter. ElevenLabs' technology was used to make the deepfake audio, according to Pindrop Security, a voice-fraud detection company that analyzed it.

ElevenLabs was made aware this week of Pindrop's findings and is investigating, the person said. Once the deepfake was traced to its creator, that user's account was suspended, said the person, asking not to be identified because the information isn't public. ElevenLabs, a startup that uses artificial intelligence software to replicate voices in more than two dozen languages, said in a statement that it couldn't comment on specific incidents. But added, "We are dedicated to preventing the misuse of audio AI tools and take any incidents of misuse extremely seriously."

United States

Aviation Sector Sees No Fast Tech Solution To GPS Interference Problem (reuters.com) 108

Global regulators, aviation security specialists and manufacturers failed to reach an agreement on a quick technical fix to the problem of GPS spoofing near war zones, instead calling for better training of pilots to deal with the issue, Reuters reports, citing sources briefed on the talks. From the report: Airlines have been urging quick action after a series of incidents where navigation systems were disrupted to show a false location or wrong time, though aircraft flight controls remained intact. Spoofing might involve one country's military sending false Global Positioning System signals to an enemy plane or drone to hinder its ability to function, which has a collateral effect on nearby airliners.

GPS jamming and spoofing have grown worse in Eastern Europe, the Black Sea and the Middle East, according to industry group OpsGroup. GPS is a growing part of aviation infrastructure as it replaces traditional radio beams used to guide planes towards landing. The first international meeting bringing together the sector was held on Thursday in Cologne, Germany, organized by the European Union Aviation Safety Agency (EASA) and international trade group the International Air Transport Association (IATA). GPS interference "can pose significant challenges to aviation safety," and requires that airlines increase data-sharing on jamming and spoofing events, EASA and IATA said in a joint statement.

United States

NSA Buys Americans' Internet Data Without Warrants, Letter Says (nytimes.com) 96

The National Security Agency buys certain logs related to Americans' domestic internet activities from commercial data brokers, according to an unclassified letter by the agency. The New York Times: The letter [PDF], addressed to a Democratic senator and obtained by The New York Times, offered few details about the nature of the data other than to stress that it did not include the content of internet communications. Still, the revelation is the latest disclosure to bring to the fore a legal gray zone: Intelligence and law enforcement agencies sometimes purchase potentially sensitive and revealing domestic data from brokers that would require a court order to acquire directly.

It comes as the Federal Trade Commission has started cracking down on companies that trade in personal location data that was gathered from smartphone apps and sold without people's knowledge and consent about where it would end up and for what purpose it would be used. In a letter to the director of national intelligence dated Thursday, the senator, Ron Wyden, Democrat of Oregon, argued that "internet metadata" -- logs showing when two computers have communicated, but not the content of any message -- "can be equally sensitive" as the location data the F.T.C. is targeting. He urged intelligence agencies to stop buying internet data about Americans if it was not collected under the standard the F.T.C. has laid out for location records. "The U.S. government should not be funding and legitimizing a shady industry whose flagrant violations of Americans' privacy are not just unethical, but illegal," Mr. Wyden wrote.

Privacy

Inside a Global Phone Spy Tool Monitoring Billions (404media.co) 40

A wide-spanning investigation by 404 Media reveals more details about a secretive spy tool called Patternz that can track billions of phone profiles through the advertising industry. From the report: Hundreds of thousands of ordinary apps, including popular ones such as 9gag, Kik, and a series of caller ID apps, are part of a global surveillance capability that starts with ads inside each app, and ends with the apps' users being swept up into a powerful mass monitoring tool advertised to national security agencies that can track the physical location, hobbies, and family members of people to build billions of profiles, according to a 404 Media investigation.

404 Media's investigation, based on now-deleted marketing materials and videos, technical forensic analysis, and research from privacy activists, provides one of the clearest examinations yet of how advertisements in ordinary mobile apps can ultimately lead to surveillance by spy firms and their government clients through the real-time bidding data supply chain. The pipeline involves smaller, obscure advertising firms and advertising industry giants like Google. In response to queries from 404 Media, Google and PubMatic, another ad firm, have already cut off a company linked to the surveillance firm.
