Microsoft’s New Recall AI Tool May Be a ‘Privacy Nightmare’

Sex, drugs, and … Eventbrite? A WIRED investigation published this week uncovered a network of spammers and scammers pushing the illegal sale of controlled substances like Xanax and oxycodone, escort services, social media accounts, and personal information on the event management platform. Making matters worse, Eventbrite’s recommendation algorithm promoted posts for opioids alongside addiction recovery events. The good news is, the company appears to have removed most of the more than 7,400 illicit posts WIRED uncovered.

If you drive a Tesla Model 3, make sure to enable your PIN-to-drive feature or your car could be stolen within seconds. While the company has added new ultra-wideband radio tech to its keyless system, which can prevent “relay attacks,” researchers at Beijing-based security firm GoGoByte found that Model 3s (as well as other unnamed makes and models of vehicles) are still vulnerable. Relay attacks use inexpensive radios to relay the signal from someone’s key fob or phone app over a longer distance than intended, so that it can be used to unlock and start an affected vehicle. Tesla says its adoption of ultra-wideband radio was not meant to stop relay attacks (even though it technically could), but it’s possible the automaker will add that protection in the future.

Police busting people for running illicit online markets is nearly as old a tale as the dark web itself. But this week’s takedown offered a new twist. The FBI recently arrested Lin Rui-siang, a 23-year-old accused of operating Incognito Market, which authorities claim facilitated $100 million in sales of narcotics on the dark web. US prosecutors claim Lin then extorted Incognito’s users by threatening to expose them unless they paid up. Curiously, Lin’s professional experience includes teaching police how to catch cybercriminals by tracing cryptocurrency on blockchains. If the US Justice Department is correct about his alleged involvement in Incognito Market, that would make him one of the most unusual cybercriminals we’ve ever encountered.

Leaks don’t just impact people on the wrong side of the law, of course. An unsecured database recently exposed biometric data of police officers in India, including face scans, fingerprints, and more. The incident reveals the dangers of collecting sensitive biometrics in the first place.

Finally, the saga of WikiLeaks founder Julian Assange inched forward again this week, with a British court ruling that he can appeal his extradition to the US, where he faces 18 charges under the Espionage Act for WikiLeaks’ publication of classified US military information. The judges said that Assange can appeal US prosecutors’ assurances about how his trial would be conducted and on First Amendment grounds. The appeals process will inevitably push back any final decision about his potential extradition for months.

But that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

Following the trend of tech companies in the AI race throwing privacy and caution to the wind, Microsoft unveiled plans this week to launch a tool on its forthcoming Copilot+ PCs called Recall that takes screenshots of its customers’ computers every few seconds. Microsoft says the tool is meant to give people the ability to “find the content you have viewed on your device.” The company also claims to have a range of protections in place and says the images are only stored locally in an encrypted drive, but the response has been roundly negative nonetheless, with some watchdogs reportedly calling it a possible “privacy nightmare.” The company notes that an intruder would need a password and physical access to the device to view any of the screenshots; even so, a rolling record of everything that has appeared on screen should rule out adoption by anyone with legal concerns. Ironically, Recall’s description sounds eerily reminiscent of computer monitoring software the FBI has used in the past. Microsoft even acknowledges that the system takes no steps to redact passwords or financial information.

Federal authorities are reportedly working quietly to establish ties between antiwar demonstrators on US campuses and any foreign groups or individuals overseas, according to journalist Ken Klippenstein, formerly of the Intercept, who says the National Counterterrorism Center is at the center of the effort. Evidence of overseas ties would lend further ammunition to politicians, university officials, and police, who’ve widely claimed “outside agitators” are to blame for the demonstrations—an allegation that’s routinely lobbed at protesters in the United States, often meant to imply that the protesters themselves are dupes. Incidentally, authorities may also overcome constitutional hurdles to surveillance by establishing a foreign target to spy on: someone unprotected by the country’s Fourth Amendment. Republicans in Congress—representatives Mark Green and August Pfluger—have, meanwhile, asked the FBI and Department of Homeland Security to supply congressional committees with records about the government’s surveillance of the protesters, including any efforts to infiltrate them using “online covert employees or confidential human sources.”

The FBI has nabbed a 42-year-old Wisconsin man for using Stable Diffusion, the text-to-image generative AI software, to manufacture child sexual abuse material. The man was reportedly caught with “thousands of realistic images” of children, some featuring them nude or partially clothed with men. Court records indicate the evidence includes more than 13,000 gen-AI images as well as the prompts he used to create the images. “Using AI to produce sexually explicit depictions of children is illegal, and the Justice Department will not hesitate to hold accountable those who possess, produce, or distribute AI-generated child sexual abuse material,” Nicole Argentieri, head of the Justice Department’s Criminal Division, says in a statement. The arrest is part of Project Safe Childhood, a collaboration between the government and corporations reportedly targeting online offenders.

Security researchers this week disclosed to TechCrunch that they’d discovered consumer-grade spyware—often known as “stalkerware”—on the computers of “at least three” Wyndham hotels in the United States, potentially exposing travelers’ personal details. The stalkerware, called pcTattletale, can be installed on Android and Windows devices, giving whoever controls the covert app the ability to access data on the targeted machine and monitor users’ activity. The presence of pcTattletale was discovered thanks to a security flaw in the spyware that exposed screenshots of infected machines to the open internet, according to the researchers. Although the researchers found pcTattletale on Wyndham computers, the hotel company says each of its locations is a franchise, suggesting that the spyware infection could be limited to just a few locations.