Microsoft gives deepfake porn victims a tool to scrub images from Bing search

The advancement of generative AI tools has created a new problem for the internet: the proliferation of synthetic nude images resembling real people. On Thursday, Microsoft took a major step to give revenge porn victims a tool to stop its Bing search engine from returning these images.

Microsoft announced a partnership with StopNCII, an organization that allows victims of revenge porn to create a digital fingerprint of these explicit images, real or not, on their device. StopNCII’s partners then use that digital fingerprint, or “hash” as it’s technically known, to scrub the image from their platforms. Microsoft’s Bing joins Facebook, Instagram, Threads, TikTok, Snapchat, Reddit, PornHub, and OnlyFans in partnering with StopNCII, and using its digital fingerprints to stop the spread of revenge porn.

In a blog post, Microsoft says it already took action on 268,000 explicit images being returned through Bing’s image search in a pilot through the end of August with StopNCII’s database. Previously, Microsoft offered a direct reporting tool, but the company says that’s proven to be not enough.

“We have heard concerns from victims, experts, and other stakeholders that user reporting alone may not scale effectively for impact or adequately address the risk that imagery can be accessed via search,” said Microsoft in its blog post on Thursday.

You can imagine how much worse that problem would be on a significantly more popular search engine: Google.

Google Search offers its own tools to report and remove explicit images from its search results, but has faced criticism from former employees and victims for not partnering with StopNCII, according to a Wired investigation. Since 2020, Google users in South Korea have reported 170,000 search and YouTube links for unwanted sexual content, Wired reported.

The AI deepfake nude problem is already widespread. StopNCII’s tools only work for people over 18, but “undressing” sites are already creating problems for high schoolers around the country. Unfortunately, the United States doesn’t have an AI deepfake porn law to hold anyone accountable, so the country is relying on a patchwork approach of state and local laws to address the issue.

San Francisco prosecutors announced a lawsuit in August to take down 16 of the most “undressing” sites. According to a tracker for deepfake porn laws created by Wired, 23 American states have passed laws to address nonconsensual deepfakes, while nine have struck proposals down.

23andMe tells victims it's their fault that their data was breached

Facing more than 30 lawsuits from victims of its massive data breach, 23andMe is now deflecting the blame to the victims themselves in an attempt to absolve itself from any responsibility, according to a letter sent to a group of victims seen by TechCrunch.

“Rather than acknowledge its role in this data security disaster, 23andMe has apparently decided to leave its customers out to dry while downplaying the seriousness of these events,” Hassan Zavareei, one of the lawyers representing the victims who received the letter from 23andMe, told TechCrunch in an email.

In December, 23andMe admitted that hackers had stolen the genetic and ancestry data of 6.9 million users, nearly half of all its customers.

The data breach started with hackers accessing only around 14,000 user accounts. The hackers broke into this first set of victims by brute-forcing accounts with passwords that were known to be associated with the targeted customers, a technique known as credential stuffing.

From these 14,000 initial victims, however, the hackers were then able to access the personal data of the other 6.9 million victims because they had opted in to 23andMe’s DNA Relatives feature. This optional feature allows customers to automatically share some of their data with people who are considered their relatives on the platform.

In other words, by hacking into only 14,000 customers’ accounts, the hackers subsequently scraped personal data of another 6.9 million customers whose accounts were not directly hacked.

But in a letter sent to a group of hundreds of 23andMe users who are now suing the company, 23andMe said that “users negligently recycled and failed to update their passwords following these past security incidents, which are unrelated to 23andMe.”

“Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures,” the letter reads.

Zavareei said that 23andMe is “shamelessly” blaming the victims of the data breach.

“This finger pointing is nonsensical. 23andMe knew or should have known that many consumers use recycled passwords and thus that 23andMe should have implemented some of the many safeguards available to protect against credential stuffing — especially considering that 23andMe stores personal identifying information, health information, and genetic information on its platform,” Zavareei said in an email.

“The breach impacted millions of consumers whose data was exposed through the DNA Relatives feature on 23andMe’s platform, not because they used recycled passwords. Of those millions, only a few thousand accounts were compromised due to credential stuffing. 23andMe’s attempt to shirk responsibility by blaming its customers does nothing for these millions of consumers whose data was compromised through no fault of their own whatsoever,” said Zavareei.

Contact Us

Do you have more information about the 23andMe incident? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or by email. You can also contact TechCrunch via SecureDrop.

In response to 23andMe’s letter, Dante Termohs, a 23andMe customer who was impacted by the data breach, told TechCrunch that he found “it appalling that 23andMe is attempting to hide from consequences instead of helping its customers.”

23andMe’s lawyers argued that the stolen data cannot be used to inflict monetary damage against the victims.

“The information that was potentially accessed cannot be used for any harm. As explained in the October 6, 2023 blog post, the profile information that may have been accessed related to the DNA Relatives feature, which a customer creates and chooses to share with other users on 23andMe’s platform. Such information would only be available if plaintiffs affirmatively elected to share this information with other users via the DNA Relatives feature. Additionally, the information that the unauthorized actor potentially obtained about plaintiffs could not have been used to cause pecuniary harm (it did not include their social security number, driver’s license number, or any payment or financial information),” the letter read.

23andMe and one of its lawyers did not respond to TechCrunch’s request for comment.

After disclosing the breach, 23andMe reset all customer passwords, and then required all customers to use multi-factor authentication, which was only optional before the breach.

In an attempt to pre-empt the inevitable class action lawsuits and mass arbitration claims, 23andMe changed its terms of service to make it more difficult for victims to band together when filing a legal claim against the company. Lawyers with experience representing data breach victims told TechCrunch that the changes were “cynical,” “self-serving” and “a desperate attempt” to protect itself and deter customers from going after the company.

Clearly, the changes didn’t stop what is now a flurry of class action lawsuits.

Families of Uvalde shooting victims sue Activision and Meta

The families of victims of the shooting at Robb Elementary School in Uvalde, Texas are suing Activision and Meta, as well as gun manufacturer Daniel Defense.

The families bringing the lawsuits are represented by attorney Josh Koskoff, who previously won a settlement from Remington for the families of Sandy Hook shooting victims. The suit against the technology companies claims, “Over the last 15 years, two of America’s largest technology companies … have collaborated with the firearms industry in a scheme that makes the Joe Camel campaign look laughably harmless, even quaint.”

Specifically, the suit points to Activision’s popular “Call of Duty” video game franchise, which it describes as a “cunning form of marketing [that] has helped cultivate a new, youthful consumer base for the AR-15 assault rifle,” and to Instagram, the photo app owned by Meta, which the suit claims “knowingly promulgates flimsy, easily circumvented rules that ostensibly prohibit firearm advertising; in fact, these rules function as a playbook for the gun industry.”

In a statement, Activision expressed sympathy for the families but said, “Millions of people around the world enjoy video games without turning to horrific acts.” We’ve reached out to Activision and Meta for additional comment.

In the lawsuit’s telling, the Uvalde shooter was a “Call of Duty: Modern Warfare” player, and he was also targeted by Daniel Defense’s advertising on Instagram. (Meta bans gun sales on its platforms, but The Washington Post previously reported that the company gives gun sellers 10 strikes before booting them.)

“Defendants are chewing up alienated teenage boys and spitting out mass shooters,” the lawsuit argues.

Politicians continue to debate whether video games promote gun violence. A recent review by the Stanford Brainstorm Lab looked at 82 medical research articles on the topic and concluded, “current medical research and scholarship have not found any causal link between playing video games and gun violence in real life.”

FTX crypto fraud victims to get their money back — plus interest

Bankruptcy lawyers representing customers impacted by the dramatic crash of cryptocurrency exchange FTX 17 months ago say that the vast majority of victims will receive their money back — plus interest.

The news comes six months after FTX co-founder and former CEO Sam Bankman-Fried (SBF) was found guilty on seven counts related to fraud, conspiracy, and money laundering, with some $8 billion of customers’ funds going missing. SBF was hit with a 25-year prison sentence in March and ordered to pay $11 billion in forfeiture. The crypto mogul filed an appeal last month that could last years.

Restructuring

After filing for bankruptcy in late 2022, SBF stood down and U.S. attorney John J. Ray III was brought in as CEO and “chief restructuring officer,” charged with overseeing FTX’s reorganization. Shortly after taking over, Ray said in testimony that despite some of the audits that had been done previously at FTX, he didn’t “trust a single piece of paper in this organization.” In the months that followed, Ray and his team set about tracking the missing funds, with some $8 billion placed in real estate, political donations, and VC investments — including a $500 million investment in AI company Anthropic before the generative AI boom, which the FTX estate managed to sell earlier this year for $884 million.

Initially, it seemed unlikely that investors would recoup much, if any, of their money, but signs in recent months suggested that good news might be on the horizon, with progress made on clawing back cash via various investments FTX had made, as well as from executives involved with the company.

We now know that 98% of FTX creditors will receive 118% of the value of their FTX-stored assets in cash, while the other creditors will receive 100% — plus “billions in compensation for the time value of their investments,” according to a press release issued by the FTX estate today.

In total, FTX says that it will be able to distribute between $14.5 billion and $16.3 billion in cash, which includes assets currently under control of entities, including chapter 11 debtors, liquidators, the Securities Commission of the Bahamas, the U.S. Department of Justice, among various other parties.

While the reorganization plan will need approval from the relevant bankruptcy court, the intention, they say, is to resolve all ongoing disputes with stakeholders and government, “without costly and protracted litigation.”

It is worth noting here that creditors won’t benefit from the Bitcoin boom that has emerged from the crypto industry since FTX went belly-up. At the time of its bankruptcy filing, FTX had a huge shortfall in Bitcoin and Ethereum — far less than customers believed it actually owned.

As such, the appreciation in value of these tokens won’t be realized as part of this settlement.