
      Dan Solove on Privacy Regulation

      news.movim.eu / Schneier · Wednesday, 24 April - 03:28 · 2 minutes

    Law professor Dan Solove has a new article on privacy regulation. In his email to me, he writes: “I’ve been pondering privacy consent for more than a decade, and I think I finally made a breakthrough with this article.” His mini-abstract:

    In this Article I argue that most of the time, privacy consent is fictitious. Instead of futile efforts to try to turn privacy consent from fiction to fact, the better approach is to lean into the fictions. The law can’t stop privacy consent from being a fairy tale, but the law can ensure that the story ends well. I argue that privacy consent should confer less legitimacy and power and that it be backstopped by a set of duties on organizations that process personal data based on consent.

    Full abstract:

    Consent plays a profound role in nearly all privacy laws. As Professor Heidi Hurd aptly said, consent works “moral magic”—it transforms things that would be illegal and immoral into lawful and legitimate activities. As to privacy, consent authorizes and legitimizes a wide range of data collection and processing.

    There are generally two approaches to consent in privacy law. In the United States, the notice-and-choice approach predominates; organizations post a notice of their privacy practices and people are deemed to consent if they continue to do business with the organization or fail to opt out. In the European Union, the General Data Protection Regulation (GDPR) uses the express consent approach, where people must voluntarily and affirmatively consent.

    Both approaches fail. The evidence of actual consent is non-existent under the notice-and-choice approach. Individuals are often pressured or manipulated, undermining the validity of their consent. The express consent approach also suffers from these problems: people are ill-equipped to decide about their privacy, and even experts cannot fully understand what algorithms will do with personal data. Express consent also is highly impractical; it inundates individuals with consent requests from thousands of organizations. Express consent cannot scale.

    In this Article, I contend that most of the time, privacy consent is fictitious. Privacy law should take a new approach to consent that I call “murky consent.” Traditionally, consent has been binary—an on/off switch—but murky consent exists in the shadowy middle ground between full consent and no consent. Murky consent embraces the fact that consent in privacy is largely a set of fictions and is at best highly dubious.

    Because it conceptualizes consent as mostly fictional, murky consent recognizes its lack of legitimacy. To return to Hurd’s analogy, murky consent is consent without magic. Rather than provide extensive legitimacy and power, murky consent should authorize only a very restricted and weak license to use data. Murky consent should be subject to extensive regulatory oversight with an ever-present risk that it could be deemed invalid. Murky consent should rest on shaky ground. Because the law pretends people are consenting, the law’s goal should be to ensure that what people are consenting to is good. Doing so promotes the integrity of the fictions of consent. I propose four duties to achieve this end: (1) duty to obtain consent appropriately; (2) duty to avoid thwarting reasonable expectations; (3) duty of loyalty; and (4) duty to avoid unreasonable risk. The law can’t make the tale of privacy consent less fictional, but with these duties, the law can ensure the story ends well.


      Fragments of bird flu virus genome found in pasteurized milk, FDA says

      news.movim.eu / ArsTechnica · Wednesday, 24 April - 01:20

    [Image: Cows being milked (credit: Getty | Edwin Remsberg)]

    The Food and Drug Administration on Tuesday announced that genetic fragments from the highly-pathogenic avian influenza virus H5N1 have been detected in the pasteurized, commercial milk supply. However, the testing completed so far—using quantitative polymerase chain reaction (qPCR)—only detects the presence of viral genetic material and cannot tell whether the genetic material is from live and infectious viral particles or merely remnants of dead ones killed by the pasteurization process.

    Testing is now ongoing to see if viable, infectious H5N1 can be identified in milk samples.

    So far, the FDA still believes that the milk supply is safe. "To date, we have seen nothing that would change our assessment that the commercial milk supply is safe," the agency said in a lengthy explanation of the finding and ongoing testing.



      Microsoft and Security Incentives

      news.movim.eu / Schneier · Tuesday, 23 April - 02:51

    Former senior White House cyber policy director A. J. Grotto talks about the economic incentives for companies to improve their security—in particular, Microsoft:

    Grotto told us Microsoft had to be “dragged kicking and screaming” to provide logging capabilities to the government by default, and given the fact the mega-corp banked around $20 billion in revenue from security services last year, the concession was minimal at best.

    […]

    “The government needs to focus on encouraging and catalyzing competition,” Grotto said. He believes it also needs to publicly scrutinize Microsoft and make sure everyone knows when it messes up.

    “At the end of the day, Microsoft, any company, is going to respond most directly to market incentives,” Grotto told us. “Unless this scrutiny generates changed behavior among its customers who might want to look elsewhere, then the incentives for Microsoft to change are not going to be as strong as they should be.”

    Breaking up the tech monopolies is one of the best things we can do for cybersecurity.


      Using Legitimate GitHub URLs for Malware

      news.movim.eu / Schneier · Monday, 22 April - 15:26

    Interesting social-engineering attack vector:

    McAfee released a report on a new LUA malware loader distributed through what appeared to be a legitimate Microsoft GitHub repository for the “C++ Library Manager for Windows, Linux, and MacOS,” known as vcpkg.

    The attacker is exploiting a property of GitHub: comments to a particular repo can contain files, and those files will be associated with the project in the URL.

    What this means is that someone can upload malware and “attach” it to a legitimate and trusted project.

    As the file’s URL contains the name of the repository the comment was created in, and as almost every software company uses GitHub, this flaw can allow threat actors to develop extraordinarily crafty and trustworthy lures.

    For example, a threat actor could upload a malware executable in NVIDIA’s driver installer repo that pretends to be a new driver fixing issues in a popular game. Or a threat actor could upload a file in a comment to the Google Chromium source code and pretend it’s a new test version of the web browser.

    These URLs would also appear to belong to the company’s repositories, making them far more trustworthy.
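    As an added defensive illustration (not part of Schneier's post, the McAfee report, or any GitHub tooling), the check below classifies a GitHub download URL by its path shape so that a comment attachment, which carries a repository's name without the maintainers ever touching the file, is never treated like a release asset or repository content. The path patterns are assumptions drawn from GitHub's URL conventions rather than from the page, and the sample URLs, including the owner/repo path, are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Path shapes assumed for github.com (an assumption of this example, not stated on the page):
#   comment attachment (legacy): /<owner>/<repo>/files/<numeric id>/<filename>
#   comment attachment (newer):  /user-attachments/files/<id>/<filename>
#   release asset:               /<owner>/<repo>/releases/download/<tag>/<filename>
#   repository content:          /<owner>/<repo>/{blob,raw,archive,tree}/...


@dataclass(frozen=True)
class GitHubUrlVerdict:
    kind: str  # comment_attachment | release_asset | repo_content | other_host | unknown
    owner: Optional[str]
    repo: Optional[str]

    @property
    def borrows_repo_trust(self) -> bool:
        # True when the URL displays a repo name whose maintainers never vouched for the file.
        return self.kind == "comment_attachment" and self.repo is not None


def classify_github_url(url: str) -> GitHubUrlVerdict:
    parsed = urlparse(url.strip())
    if parsed.scheme.lower() not in {"http", "https"} or parsed.hostname not in {"github.com", "www.github.com"}:
        return GitHubUrlVerdict("other_host", None, None)
    parts = [p for p in parsed.path.split("/") if p]
    if len(parts) >= 4 and parts[:2] == ["user-attachments", "files"]:
        return GitHubUrlVerdict("comment_attachment", None, None)
    if len(parts) < 2:
        return GitHubUrlVerdict("unknown", None, None)
    owner, repo, rest = parts[0], parts[1], parts[2:]
    if len(rest) >= 3 and rest[0] == "files" and rest[1].isdigit():
        # Uploaded by whoever wrote the comment, yet the URL sits under the project's own path.
        return GitHubUrlVerdict("comment_attachment", owner, repo)
    if len(rest) >= 3 and rest[:2] == ["releases", "download"]:
        return GitHubUrlVerdict("release_asset", owner, repo)
    if rest and rest[0] in {"blob", "raw", "archive", "tree"}:
        return GitHubUrlVerdict("repo_content", owner, repo)
    return GitHubUrlVerdict("unknown", owner, repo)


def flag_comment_attachments(urls: List[str]) -> List[str]:
    """Return the URLs that are comment attachments, i.e. files any commenter could have uploaded."""
    return [u for u in urls if classify_github_url(u).kind == "comment_attachment"]


# Constructed sample links; the owner/repo path and file names are illustrative only.
SAMPLE_URLS = [
    "https://github.com/microsoft/vcpkg/releases/download/2024.01.01/vcpkg.exe",
    "https://github.com/microsoft/vcpkg/files/12345678/update.zip",
    "https://github.com/microsoft/vcpkg/archive/refs/heads/master.zip",
    "https://github.com/user-attachments/files/987654/setup.exe",
    "https://raw.githubusercontent.com/microsoft/vcpkg/master/README.md",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        v = classify_github_url(u)
        print(f"{v.kind:20} borrows_repo_trust={v.borrows_repo_trust}  {u}")
```

A mail or proxy filter could apply the same classification to every github.com link it sees and treat `comment_attachment` as an untrusted upload regardless of the repository name shown.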


      CNN, record holder for shortest streaming service, wants another shot

      news.movim.eu / ArsTechnica · Friday, 19 April - 21:28

    [Image: The logo of the US TV channel CNN shown on the display of a smartphone on April 22, 2020 (credit: Getty)]

    On March 29, 2022, CNN+, CNN's take on a video streaming service, debuted. On April 28, 2022, it shuttered, making it the fastest shutdown of any launched streaming service. Despite that discouraging superlative, CNN has plans for another subscription-based video streaming platform, Financial Times (FT) reported on Wednesday.

    Mark Thompson, who took CNN's helm in August 2023, over a year after CNN+'s demise, spoke with FT about evolving the company. The publication reported that Thompson is "working on plans for a digital subscription streaming service." The executive told the publication that a digital subscription, including digital content streaming, is "a serious possibility," adding, "no decisions had been made, but I think it’s quite likely that we’ll end up there."

    CNN++, or whatever a new CNN streaming package might be named, would not just be another CNN+, per Thompson.



      Other Attempts to Take Over Open Source Projects

      news.movim.eu / Schneier · Thursday, 18 April - 02:40

    After the XZ Utils discovery, people have been examining other open-source projects. Surprising no one, the incident is not unique:

    The OpenJS Foundation Cross Project Council received a suspicious series of emails with similar messages, bearing different names and overlapping GitHub-associated emails. These emails implored OpenJS to take action to update one of its popular JavaScript projects to “address any critical vulnerabilities,” yet cited no specifics. The email author(s) wanted OpenJS to designate them as a new maintainer of the project despite having little prior involvement. This approach bears strong resemblance to the manner in which “Jia Tan” positioned themselves in the XZ/liblzma backdoor.

    […]

    The OpenJS team also recognized a similar suspicious pattern in two other popular JavaScript projects not hosted by its Foundation, and immediately flagged the potential security concerns to respective OpenJS leaders, and the Cybersecurity and Infrastructure Security Agency (CISA) within the United States Department of Homeland Security (DHS).

    The article includes a list of suspicious patterns, and another list of security best practices.


      Bodies found in Neolithic pit were likely victims of ritualistic murder

      news.movim.eu / ArsTechnica · Wednesday, 17 April - 19:30

    [Image: View taken from the upper part of storage pit 255 showing the three skeletons, with one individual in a central position. Three female skeletons found in a Neolithic storage pit in France show signs of ritualistic human sacrifice (credit: Beeching/Ludes et al., 2024)]

    Archaeologists have discovered the remains of two women in a Neolithic tomb in France, with the positioning of the bodies suggesting they may have been ritualistically murdered by asphyxia or self-strangulation, according to a recent paper published in the journal Science Advances.

    (WARNING: graphic descriptions below.)

    France's Rhône Valley is home to several archaeological sites dating to the end of the Middle Neolithic period (between 4250 and 3600/3500 BCE in the region); the sites include various storage silos, broken grindstones, imported ceramics, animal remains (both from communal meals and sacrifices), and human remains deposited in sepulchral pits. Saint-Paul-Trois-Châteaux is one such site.



      New Lattice Cryptanalytic Technique

      news.movim.eu / Schneier · Sunday, 14 April - 07:38

    A new paper presents a polynomial-time quantum algorithm for solving certain hard lattice problems. This could be a big deal for post-quantum cryptographic algorithms, since many of them base their security on hard lattice problems.

    A few things to note. One, this paper has not yet been peer reviewed. As this comment points out: “We had already some cases where efficient quantum algorithms for lattice problems were discovered, but they turned out not being correct or only worked for simple special cases.”

    Two, this is a quantum algorithm, which means that it has not been tested. There is a wide gulf between quantum algorithms in theory and in practice. And until we can actually code and test these algorithms, we should be suspicious of their speed and complexity claims.

    And three, I am not surprised at all. We don’t have nearly enough analysis of lattice-based cryptosystems to be confident in their security.


      U.S. Military Isn't That Concerned About War With Iran

      news.movim.eu / TheIntercept · Saturday, 13 April - 21:14 · 5 minutes

    Units on alert, naval ships repositioning, bombers postured to fly, Marines ready to storm the beaches. These are all of the routines of a crisis that signals U.S. military readiness for war. But there’s another routine that often eludes Washington’s acknowledgment: the military’s own deployment schedule when it comes to units venturing out there into the real world. The schedule is sacrosanct. So while some might think the potential for war with Iran — right now — is high and the U.S. military is on high alert, the reality is that it’s business as usual.

    On Friday, the Pentagon made vague statements that it is moving assets to the Middle East to express American displeasure and readiness should Iran attack Israel. President Joe Biden made a public threat toward Iran: “Don’t,” referring to any Iranian strike. And the administration trumpeted the presence of Gen. Michael “Erik” Kurilla, commander of Central Command, or CENTCOM, in Israel, there to “consult” with America’s ironclad partner.

    But as Washington hawks and the news media hold their breath for what they call an “imminent” strike overseen by Tehran on Israeli soil, the U.S. military in the Middle East is sticking to its regular schedule of soldier comings and goings, including the redeployment of a high-profile Marine battle group that returned to the U.S. after an eight-month voyage.

    In fact, thousands of Marines, Navy sailors, Army troops, and Air Force war fighters have cycled back stateside over the past few weeks and even since the Israeli attack on the Iranian Embassy compound in Syria on April 1. In a purely routine way, in accordance with existing plans, some half-dozen deployments to the Middle East have come to an end. For the armed services, maintaining soldier schedules is more important than geopolitics. And indeed, there’s no evidence that the military services take much notice of the contradiction between their schedules and a brewing escalation. They are more focused on trying to please service members, wives, and parents in their bids to recruit and retain enlisted people than they are on the Pentagon’s war game machinations.

    Even the Army’s undertakers are calling it quits. According to a recent announcement, Army body-bag handlers returned from the Middle East this month. “The 54th Quartermaster Company is the Army’s only active-duty mortuary affairs unit,” the announcement reads. “The unit sent 29 Soldiers to Kuwait, Iraq, Bahrain, Qatar, Jordan, and the United Arab Emirates in support of a wide array of operations in the region. Today, we get to welcome back detachment number one, 29 of our best from CENTCOM,” the company commander Capt. Peter Kase said.

    Meanwhile, service members overseeing rescue operations relating to air and naval attacks by Yemen returned home this month. An announcement celebrating the accomplishments and return of the U.S. Air Force Capt. Araceli Saunders last week details her efforts while deployed in Saudi Arabia, including “providing airborne alert for Operation POSEIDON ARCHER enabling thirty-one coalition strikes on Yemeni bases” and “reducing the threat to international maritime shipping in the Red Sea and Gulf of Aden.”

    Despite Houthi attacks from Yemen and Iran-backed militia strikes from Syria and Iraq, U.S. forces routinely cycle in and out of the Middle East. On March 16, more than 4,000 Marines and sailors with the 26th Marine Expeditionary Unit began their journey home from a deployment that was reoriented from pure training to direct support for American diplomacy and military readiness after the Hamas attack on Israel on October 7.

    Meanwhile, soldiers tasked with strengthening deterrence on land, according to the Army, have also ended their deployments. On February 8, artillery gunners with the Michigan Army National Guard returned from a deployment to Al Dhafra Air Base in the United Arab Emirates. According to the press release, the soldiers supported Operation Inherent Resolve, the military’s ongoing war against ISIS.

    “Alpha Battery’s accomplishments during their deployment underscore the Michigan National Guard’s commitment to ensuring the safety and security of our nation,” a spokesperson said. “Their dedication and proficiency in operating the HIMARS [long-range missile] system have significantly advanced our strategic objectives in the region.”

    The return of soldiers from CENTCOM follows an announcement this past week that the 379th Air Expeditionary Wing, based out of Al Udeid Air Base in Qatar, is reorganizing to better meet its own internal deployment requirements. There’s no mention of strategic reshuffling to meet imminent plans for war, but rather “to provide predictability for Airmen” in future deployments and rotations, in other words, to meet quality-of-life objectives.

    As intelligence officials give dire predictions to the New York Times about Iran’s threat, and Israeli military officials warn citizens against hoarding in preparation for a volley of cruise missiles, Iran continues to go to great lengths to avoid an out-of-control conflict with its sworn adversary, and its hawkish Prime Minister Benjamin Netanyahu.

    A Financial Times report from this week details Iran’s efforts to convey through diplomatic channels that it does not wish to see an escalation that stokes all-out war with Israel and the United States. This and other news media reports say that Iran is engaging the United States through diplomatic channels to find a response that both demonstrates deterrence in response to the April 1 strike, without starting a war. (The U.S. and Iran have been talking through Oman to avoid an appearance of direct negotiations.)

    In a subtle nod to its view that it’s business as usual, the U.S. Navy quietly relinquished command of the Red Sea Combined Task Force 153, handing it over to an Italian counterpart at the beginning of April. “I am incredibly proud of all the hard work and dedication by CTF 153 staff and units at-sea in support of Operation Prosperity Guardian,” outgoing U.S. Navy commander Capt. David Coles said. “Their efforts have directly contributed to regional maritime security and freedom of navigation in the CTF 153 area of operations. … It is a true honor to hand over command to an incredibly strong maritime partner like Italy. I know the Task Force is in good hands, and look forward to celebrating CTF 153’s future accomplishments under Capt. Messina’s stewardship.”

    If Iran attacks Israel or the United States, on the ground, the American military posture looks routine, nowhere near matching the feverish vibes coming out of Washington. From his hotel room in Tel Aviv, Kurilla undoubtedly is closer to the action with his cellphone on red alert. But his visit is purely symbolic with regard to Iran. The truth is that the U.S. “mission” in the Middle East right now is as much to dissuade Israel from escalating.

    The post U.S. Military Isn’t That Concerned About War With Iran appeared first on The Intercept.

    theintercept.com/2024/04/13/iran-israel-war/
