Cryptocurrency was everywhere this week, funding anti-Russian resistance groups and hacktivists in Ukraine and being seized by the US Department of Justice in a massive pile of $3.6 billion worth of laundered bitcoins. If you’re just getting into crypto yourself and need a place to store your digital assets, we’ve got a guide to choosing and setting up a cryptocurrency wallet.
Microsoft took a huge security step this week by announcing that it will disable its oft-abused macro feature by default in Microsoft Excel and Word files downloaded from the Internet. Healthcare privacy researchers have released findings about medical and genetic testing companies that left details of third-party ad tracking and lead generation methods out of their privacy policies. And pro-democracy activists, many of whom have gone into hiding since Myanmar’s 2021 coup, fear that their phone records – and by extension the identities of their loved ones and resistance networks – could be at risk of falling into the hands of the junta.
And if you’re starting to worry about being tracked with Apple AirTags, here’s our guide to figuring it out and protecting yourself.
And there’s more. Here, we’ve rounded up all the news we haven’t broken or covered in depth this week. Click on the headlines to read the full stories. And stay safe out there.
Partially redacted documents released Thursday night by the U.S. intelligence community reveal a secret CIA surveillance network that collected data on some Americans under a program that had no congressional approval or oversight. Senate Intelligence Committee members Ron Wyden (D-Oregon) and Martin Heinrich (D-New Mexico) sent a letter to the director of national intelligence and the director of the CIA on April 13, 2021, demanding that information about the program be declassified. “Among the many details the public deserves to know are the nature of the CIA’s relationship with its sources and the legal framework for the collection,” the senators wrote in their letter.
The program was authorized under a 1981 presidential executive order, “Intelligence Activities of the United States.” Citing the Foreign Intelligence Surveillance Act, the senators said in a statement Thursday that “FISA has been drawing attention because of periodic reauthorizations by Congress and the release of DOJ, ODNI, and FISA documents” and the data collection programs Congress authorizes under the law. “But what these documents demonstrate is that many of the same concerns that Americans have about their privacy and civil liberties also apply to how the CIA collects and processes information under executive order and outside of FISA.”
The Senate Judiciary Committee advanced a familiar bill, the EARN IT Act, on Thursday. The legislation aims to increase the liability of technology companies for child sexual abuse material posted or distributed through their services. Technologists and privacy advocates have repeatedly and urgently warned that EARN IT will have significant implications for cybersecurity and human rights by discouraging technology companies from implementing end-to-end encryption. The legislation would force online services to “earn” some of the Section 230 protections that currently shield them from liability for material posted by their users. The bill was first introduced in 2020, when it also came out of committee but did not receive a vote before the end of the congressional session.
In a report this week, Google’s Project Zero bug-hunting team said companies are becoming faster at patching after the group discloses a vulnerability to them. Project Zero is known for setting deadlines for developers to release fixes for their products, from seven to 90 days depending on the severity of the bug. Once the deadline has passed, sometimes with an additional grace period of up to 14 days, the group publicly discloses the vulnerabilities. Project Zero said this week that it took companies an average of 52 days to patch vulnerabilities in 2021, down from an average of about 80 days in 2018. It has also become very rare for organizations to miss the Project Zero deadline: only one bug exceeded its deadline in 2021, although the group noted that 14 percent of bugs did use the grace period. The group emphasized that the findings may not be generalizable across the industry, because Project Zero is well known and has a particular reputation for being rigorous and effective in getting bugs fixed; companies may be more inclined to act quickly when Project Zero comes calling. Nevertheless, the trends are promising and show that there is a more mainstream understanding of the vulnerability disclosure process.