aggregator

Google Chrome Proposes 'Privacy Sandbox' To Reform Advertising Evils

Slashdot - Your Rights Online - 1 hr 9 min ago
Google's Chrome team proposed a "privacy sandbox" Thursday that's designed to give us the best of both worlds: ads that publishers can target toward our interests but that don't infringe our privacy. From a report: It's a major development in an area where Chrome, the dominant browser, has lagged competitors. Browsers already include security sandboxes, restrictions designed to confine malware to limit its possible damage. Google's proposed privacy sandbox would similarly restrict tracking technology, according to proposal details Google published. The privacy sandbox is "a secure environment for personalization that also protects user privacy," said Justin Schuh, a director of Chrome Engineering focused on security matters, in a privacy sandbox blog post. "Our goal is to create a set of standards that is more consistent with users' expectations of privacy." For example, Chrome would restrict some private data to the browser -- an approach rival Brave Software has taken with its privacy-focused rival web browser. And it could restrict sharing personal data until it's shared across a large group of people using technologies called differential privacy and federated learning.

Read more of this story at Slashdot.

Backdoor Code Found In 11 Ruby Libraries

Slashdot - Your Rights Online - 9 hr 3 min ago
Maintainers of the RubyGems package repository have yanked 18 malicious versions of 11 Ruby libraries that contained a backdoor mechanism and were caught inserting code that launched hidden cryptocurrency mining operations inside other people's Ruby projects. ZDNet reports: The malicious code was first discovered yesterday inside four versions of rest-client, an extremely popular Ruby library. According to an analysis by Jan Dintel, a Dutch Ruby developer, the malicious code found in rest-client would collect and send the URL and environment variables of a compromised system to a remote server in Ukraine. "Depending on your set-up this can include credentials of services that you use e.g. database, payment service provider," Dintel said. The code also contained a backdoor mechanism that allowed the attacker to send a cookie file back to a compromised project, and allow the attacker to execute malicious commands. A subsequent investigation by the RubyGems staff discovered that this mechanism was being abused to insert cryptocurrency mining code. RubyGems staff also uncovered similar code in 10 other projects. All the libraries, except rest-client, were created by taking another fully functional library, adding the malicious code, and then re-uploading it on RubyGems under a new name. All in all, all the 18 malicious library versions only managed to amass 3,584 downloads before being removed from RubyGems.


Flaws in Cellphone Evidence Prompt Review of 10,000 Verdicts in Denmark

Slashdot - Your Rights Online - Wed, 2019-08-21 23:30
The authorities in Denmark say they plan to review over 10,000 court verdicts because of errors in cellphone tracking data offered as evidence. From a report: The country's director of public prosecutions on Monday also ordered a two-month halt in prosecutors' use of cellphone data in criminal cases while the flaws and their potential consequences are investigated. "It's shaking our trust in the legal system," Justice Minister Nick Haekkerup said in a statement. The first error was found in an I.T. system that converts phone companies' raw data into evidence that the police and prosecutors can use to place a person at the scene of a crime. During the conversions, the system omitted some data, creating a less-detailed image of a cellphone's whereabouts. The error was fixed in March after the national police discovered it. In a second problem, some cellphone tracking data linked phones to the wrong cellphone towers, potentially connecting innocent people to crime scenes, said Jan Reckendorff, the director of public prosecutions. "It's a very, very serious case," Mr. Reckendorff told Denmark's state broadcaster. "We cannot live with incorrect information sending people to prison." The authorities said that the problems stemmed partly from police I.T. systems and partly from the phone companies' systems, although a telecom industry representative said he could not understand how phone companies could have caused the errors. The national police determined that the flaws applied to 10,700 court cases dating to 2012, but it is unclear whether the faulty data was a decisive factor in any verdicts. The justice minister set up a steering group to track the extent of the legal problems they may have caused and to monitor the reviews of cases that may have been affected.


Microsoft Contractors Listened To Xbox Owners in Their Homes

Slashdot - Your Rights Online - Wed, 2019-08-21 20:50
Contractors working for Microsoft have listened to audio of Xbox users speaking in their homes in order to improve the console's voice command features, Motherboard has learned. From a report: The audio was supposed to be captured following a voice command like "Xbox" or "Hey Cortana," but contractors said that recordings were sometimes triggered and recorded by mistake. The news is the latest in a string of revelations that show contractors working on behalf of Microsoft listen to audio captured by several of its products. Motherboard previously reported that human contractors were listening to some Skype calls as well as audio recorded by Cortana, Microsoft's Siri-like virtual assistant. "Xbox commands came up first as a bit of an outlier and then became about half of what we did before becoming most of what we did," one former contractor who worked on behalf of Microsoft told Motherboard. Motherboard granted multiple sources in this story anonymity as they had signed non-disclosure agreements. The former contractor said they worked on Xbox audio data from 2014 to 2015, before Cortana was implemented into the console in 2016. When it launched in November 2013, the Xbox One had the capability to be controlled via voice commands with the Kinect system.


MoviePass Exposed Thousands of Unencrypted Customer Card Numbers

Slashdot - Your Rights Online - Wed, 2019-08-21 20:10
New submitter sizzlinkitty writes: Movie ticket subscription service MoviePass has exposed tens of thousands of customer card numbers and personal credit cards because a critical server was not protected with a password. Mossab Hussein, a security researcher at Dubai-based cybersecurity firm SpiderSilk, found an exposed database on one of the company's many subdomains. The database was massive, containing 161 million records at the time of writing and growing in real time. Many of the records were normal computer-generated logging messages used to ensure the running of the service -- but many also included sensitive user information, such as MoviePass customer card numbers. These MoviePass customer cards are like normal debit cards: they're issued by Mastercard and store a cash balance, which users who sign up to the subscription service can use to pay to watch a catalog of movies.


T-Mobile 'Put My Life in Danger' Says Woman Stalked With Black Market Location Data

Slashdot - Your Rights Online - Wed, 2019-08-21 18:47
Joseph Cox, reporting for Motherboard: Ruth Johnson didn't know exactly who rang her phone and threatened her around 20 times in 2014. The person on the other end said he was John Edens from the U.S. Marshals with a warrant for her arrest for stealing a car. She was behind on her payments. It later turned out John Edens didn't have a warrant, nor was he from law enforcement at all. Instead, he was a debt collector with a history of stalking and domestic violence who had managed to get hold of Johnson's phone location data. He did this by pretending to be a U.S. Marshal with the "Georgia Fugitive Task Force" to T-Mobile, which then provided Edens with the location of Johnson's phone in a handy Google Maps interface -- "pinging" the phone, in industry parlance. "Fearful," is the word Johnson first used to explain the episode in a phone call with Motherboard. "It was very fearful." Motherboard previously reported on Edens' case using court documents and sources in the bounty hunting industry; Edens was sentenced to one year in prison for impersonating a U.S. officer. Now, Johnson explained in an interview what it was like to have her phone tracked. Her story demonstrates the very real human impact that the black market use and sale of phone location data can have. "I was very upset with the phone company, because I was under the impression that you had to get [a] court order in order to get information such as that out," she said. T-Mobile "put my life in danger," she added.


Apple, Google, and Mozilla Block Kazakhstan's HTTPS Intercepting Certificate

Slashdot - Your Rights Online - Wed, 2019-08-21 17:33
Apple, Google, and Mozilla have moved in to ban a root certificate the Kazakhstan government used in the past month to spy on its citizens' web traffic. From a report: Starting today, Chrome, Firefox, and Safari will show errors if any HTTPS web traffic is encrypted with the Kazakh government's root or leaf certificates. This coordinated action will ensure the safety of Kazakh users who were forced last month by their local Kazakh ISPs to install this certificate under the threat of not being allowed to use the internet otherwise. Kazakh ISPs forced their customers to install the government's root certificate after the Kazakh government issued a decree and said the measure was "aimed at enhancing the protection of citizens, government bodies and private companies from hacker attacks, Internet fraudsters and other types of cyber threats." But in reality, the Kazakh government abused this root certificate installed in millions of users' browsers to intercept and decrypt HTTPS traffic users were making to 37 domains, such as Facebook, Google, Twitter, Instagram, and YouTube.


Walmart Sues Tesla Over Fires At Stores Fitted With Its Solar Panels

Slashdot - Your Rights Online - Wed, 2019-08-21 03:30
Walmart filed a lawsuit on Tuesday against Tesla accusing the company of supplying solar panels that were responsible for fires at about seven of its stores. Reuters reports: The fires destroyed significant amounts of store merchandise and required substantial repairs, totaling hundreds of thousands of dollars in out-of-pocket losses, Walmart said in the lawsuit. As of November 2018, no fewer than seven Walmart stores, including in Denton, Maryland and Beavercreek, Ohio, had experienced fires due to Tesla's solar systems, according to the lawsuit. The world's largest retailer started using solar panels made by SolarCity in 2010 and the roofs of around 240 of its stores were fitted with solar panels made by the company. "This is a breach of contract action arising from years of gross negligence and failure to live up to industry standards by Tesla with respect to solar panels that Tesla designed, installed, and promised to operate and maintain safely on the roofs of hundreds of Walmart stores," Walmart said in the court filing.


Man Sued For Using Bogus YouTube Takedowns To Get Address For Swatting

Slashdot - Your Rights Online - Wed, 2019-08-21 00:10
An anonymous reader quotes a report from Ars Technica: YouTube is suing a Nebraska man the company says has blatantly abused its copyright takedown process. The Digital Millennium Copyright Act offers online platforms like YouTube legal protections if they promptly take down content flagged by copyright holders. However, this process can be abused -- and boy did defendant Christopher L. Brady abuse it, according to YouTube's legal complaint (pdf). Brady allegedly made fraudulent takedown notices against YouTube videos from at least three well-known Minecraft streamers. In one case, Brady made two false claims against a YouTuber and then sent the user an anonymous message demanding a payment of $150 by PayPal -- or $75 in bitcoin. "If you decide not to pay us, we will file a 3rd strike," the message said. When a YouTube user receives a third copyright strike, the YouTuber's account gets terminated. A second target was ordered to pay $300 by PayPal or $200 in Bitcoin to avoid a third fraudulent copyright strike. A third incident was arguably even more egregious. According to YouTube, Brady filed several fraudulent copyright notices against another YouTuber with whom he was "engaged in some sort of online dispute." The YouTuber responded with a formal counter-notice stating that the content wasn't infringing -- a move that allows the content to be reinstated. However, the law requires the person filing the counter-notice to provide his or her real-world name and address -- information that's passed along to the person who filed the takedown request. This contact information is supposed to enable a legitimate copyright holder to file an infringement lawsuit in court. Shortly after filing a counter-notice, the targeted YouTuber "announced via Twitter that he had been the victim of a swatting scheme." 
YouTube says it doesn't have hard proof that Brady was responsible for the swatting call -- even though it "appears" that way, but it does have compelling evidence that Brady was responsible for the fraudulent takedown notices, which are against the law.


You Can Finally See All Of The Info Facebook Collected About You From Other Websites

Slashdot - Your Rights Online - Tue, 2019-08-20 20:12
Facebook said Tuesday it's rolling out a long-awaited privacy feature that will let users see and clear information from apps and websites they browse outside of the social network. Some people in Ireland, South Korea, and Spain will gain access to this feature first, but the company plans to broaden the availability soon. From a report: Facebook collects information about its users in two ways: first, through the information you input into its website and apps, and second, by tracking which websites you visit while you're not on Facebook. That's why, after you visit a clothing retailer's website, you'll likely see an ad for it in your Facebook News Feed or Instagram feed. Basically, Facebook monitors where you go, all across the internet, and uses your digital footprints to target you with ads. But Facebook users have never been able to view this external data Facebook collected about them, until now. Facebook tracks your browsing history via the "Login with Facebook" button, the "like" button, Facebook comments, and little bits of invisible code, called the Facebook pixel, embedded on other sites. Today the company will start to roll out a feature called "Off-Facebook Activity" that allows people to manage that external browsing data -- finally delivering on a promise it made over a year ago when CEO Mark Zuckerberg announced at a company event that it would develop a feature then called "Clear History." The new tool will display a summary of those third-party websites that shared your visit with Facebook, and will allow you to disconnect that browsing history from your Facebook account. You can also opt out of future off-Facebook activity tracking, or selectively stop certain websites from sending your browsing activity to Facebook. Nearly a third of all websites include a Facebook tracker, according to several studies.


WebKit Introduces New Tracking Prevention Policy

Slashdot - Your Rights Online - Tue, 2019-08-20 17:30
AmiMoJo writes: WebKit, the open source HTML engine used by Apple's Safari browser and a number of others, has created a new policy on tracking prevention. The short version is that many forms of tracking will now be treated the same way as security flaws, being blocked or mitigated with no exceptions. While on-site tracking will still be allowed (and is practically impossible to prevent anyway), all forms of cross-site tracking and covert tracking will be actively and aggressively blocked.


How Malformed Packets Caused CenturyLink's 37-Hour, Nationwide Outage

Slashdot - Your Rights Online - Tue, 2019-08-20 01:20
Ars Technica reports on what went wrong last December when CenturyLink had a nationwide, 37-hour outage that disrupted 911 service for millions of Americans and prevented completion of at least 886 calls to 911. From the report: Problems began the morning of December 27 when "a switching module in CenturyLink's Denver, Colorado node spontaneously generated four malformed management packets," the FCC report said. CenturyLink and Infinera, the vendor that supplied the node, told the FCC that "they do not know how or why the malformed packets were generated." Malformed packets "are usually discarded immediately due to characteristics that indicate that the packets are invalid," but that didn't happen in this case, the FCC report explained: "In this instance, the malformed packets included fragments of valid network management packets that are typically generated. Each malformed packet shared four attributes that contributed to the outage: 1) a broadcast destination address, meaning that the packet was directed to be sent to all connected devices; 2) a valid header and valid checksum; 3) no expiration time, meaning that the packet would not be dropped for being created too long ago; and 4) a size larger than 64 bytes." The switching module sent these malformed packets "as network management instructions to a line module," and the packets "were delivered to all connected nodes," the FCC said. Each node that received the packet then "retransmitted the packet to all its connected nodes." The report continued: "Each connected node continued to retransmit the malformed packets across the proprietary management channel to each node with which it connected because the packets appeared valid and did not have an expiration time. This process repeated indefinitely. 
The exponentially increasing transmittal of malformed packets resulted in a never-ending feedback loop that consumed processing power in the affected nodes, which in turn disrupted the ability of the nodes to maintain internal synchronization. Specifically, instructions to output line modules would lose synchronization when instructions were sent to a pair of line modules, but only one line module actually received the message. Without this internal synchronization, the nodes' capacity to route and transmit data failed. As these nodes failed, the result was multiple outages across CenturyLink's network." While CenturyLink dispatched network engineers to log in to affected nodes and removed the Denver node that had generated the malformed packets, the outage continued because "the malformed packets continued to replicate and transit the network, generating more packets as they echoed from node to node," the FCC wrote. Just after midnight, at least 20 hours after the problem began, CenturyLink engineers "began instructing nodes to no longer acknowledge the malformed packets." They also "disabled the proprietary management channel, preventing it from further transmitting the malformed packets." The FCC report said that CenturyLink could have prevented the outage or lessened its negative effects by disabling the system features that were not in use, using stronger filtering to prevent the malformed packets from propagating, and setting up "memory and processor utilization alarms" in its network monitoring.


Bernie Sanders Wants To Ban Facial Recognition Use By Police

Slashdot - Your Rights Online - Mon, 2019-08-19 22:04
Democratic presidential candidate Senator Bernie Sanders (I-VT) wants to put an end to police use of facial recognition software. Sanders called for the ban as part of a criminal justice reform plan introduced over the weekend ahead of a two-day tour of South Carolina. From a report: The plan also calls for the ban of for-profit prisons and would revoke the practice of law enforcement agencies benefiting from civil asset forfeitures. Sanders kicked off his campaign by saying "I'm running for president because we need to understand that artificial intelligence and robotics must benefit the needs of workers, not just corporate America and those who own that technology."


Developers Accuse Apple of Anti-Competitive Behavior With Its Privacy Changes in iOS 13

Slashdot - Your Rights Online - Mon, 2019-08-19 20:02
A group of app developers have penned a letter to Apple CEO Tim Cook, arguing that certain privacy-focused changes to Apple's iOS 13 operating system will hurt their business. From a report: In a report by The Information, the developers were said to have accused Apple of anti-competitive behavior when it comes to how apps can access user location data. With iOS 13, Apple aims to curtail apps' abuse of its location-tracking features as part of its larger privacy focus as a company. Today, many apps ask users upon first launch to give their app the "Always Allow" location-tracking permission. Users can confirm this with a tap, unwittingly giving apps far more access to their location data than is actually necessary, in many cases. In iOS 13, however, Apple has tweaked the way apps can request location data. There will now be a new option upon launch presented to users, "Allow Once," which allows users to first explore the app to see if it fits their needs before granting the app developer the ability to continually access location data. This option will be presented alongside existing options, "Allow While Using App" and "Don't Allow." The "Always" option is still available, but users will have to head to iOS Settings to manually enable it. The app developers argue that this change may confuse less technical users, who will assume the app isn't functioning properly unless they figure out how to change their iOS Settings to ensure the app has the proper permissions.


Degrading Tor Network Performance Only Costs a Few Thousand Dollars Per Month

Slashdot - Your Rights Online - Mon, 2019-08-19 17:21
Threat actors or nation-states looking into degrading the performance of the Tor anonymity network can do it on the cheap, for only a few thousand US dollars per month, new academic research has revealed. An anonymous reader writes: According to researchers from Georgetown University and the US Naval Research Laboratory, threat actors can use tools as banal as public DDoS stressers (booters) to slow down Tor network download speeds or hinder access to Tor's censorship circumvention capabilities. Academics said that while an attack against the entire Tor network would require immense DDoS resources (512.73 Gbit/s) and would cost around $7.2 million per month, there are far simpler and more targeted means for degrading Tor performance for all users. In research presented this week at the USENIX security conference, the research team showed the feasibility and effects of three types of carefully targeted "bandwidth DoS [denial of service] attacks" that can wreak havoc on Tor and its users. Researchers argue that while these attacks don't shut down or clog the Tor network entirely, they can be used to dissuade or drive users away from Tor due to prolonged poor performance, which can be an effective strategy in the long run.


Fearing Data Privacy Issues, Google Cuts Some Android Phone Data For Wireless Carriers

Slashdot - Your Rights Online - Mon, 2019-08-19 16:00
Alphabet's Google has shut down a service it provided to wireless carriers globally that showed them weak spots in their network coverage, Reuters reported Monday, citing people familiar with the matter, because of Google's concerns that sharing data from users of its Android phone system might attract the scrutiny of users and regulators. From the report: The withdrawal of the service, which has not been previously reported, has disappointed wireless carriers that used the data as part of their decision-making process on where to extend or upgrade their coverage. Even though the data were anonymous and the sharing of it has become commonplace, Google's move illustrates how concerned the company has become about drawing attention amid a heightened focus in much of the world on data privacy. Google's Mobile Network Insights service, which had launched in March 2017, was essentially a map showing carriers signal strengths and connection speeds they were delivering in each area. The service was provided free to carriers and vendors that helped them manage operations. The data came from devices running Google's Android operating system, which is on about 75% of the world's smartphones, making it a valuable resource for the industry. [...] Nevertheless, Google shut down the service in April due to concerns about data privacy, four people with direct knowledge of the matter told Reuters. Some of them said secondary reasons likely included challenges ensuring data quality and connectivity upgrades among carriers being slow to materialize.


Massive Ransomware Attack Hits 23 Local Texas Government Offices

Slashdot - Your Rights Online - Mon, 2019-08-19 06:34
Long-time Slashdot reader StonyCreekBare shared this press release from the Texas Department of Information Resources (DIR), as of August 17, 2019, at approximately 5:00 p.m. central time: On the morning of August 16, 2019, more than 20 entities in Texas reported a ransomware attack. The majority of these entities were smaller local governments... At this time, the evidence gathered indicates the attacks came from one single threat actor. Investigations into the origin of this attack are ongoing; however, response and recovery are the priority at this time. It appears all entities that were actually or potentially impacted have been identified and notified. Twenty-three entities have been confirmed as impacted. Responders are actively working with these entities to bring their systems back online. The State of Texas systems and networks have not been impacted.


Why Am I Receiving Unordered Boxes From Amazon?

Slashdot - Your Rights Online - Sun, 2019-08-18 23:04
It's an unexpected surprise that's been popping up "all over the country," according to the Better Business Bureau. People are receiving boxes of unordered merchandise from Amazon. The companies, usually foreign, third-party sellers that are sending the items are simply using your address and your Amazon information. Their intention is to make it appear as though you wrote a glowing online review of their merchandise, and that you are a verified buyer of that merchandise. They then post a fake, positive review to improve their products' ratings, which means more sales for them. The payoff is highly profitable from their perspective... The fake online review angle is only one way they benefit...they also are increasing their sales numbers. After all, they aren't really purchasing the items since the payment goes right back to them.... Then there is the "porch pirate" angle. There have been instances where thieves used other people's mailing addresses and accounts, then watched for the delivery of the package so they can steal it from your door before you get it... The fact that someone was able to have the items sent to you as if you purchased them indicates that they probably have some of your Amazon account information. Certainly, they have your name and address and possibly, your phone number and a password. The company either hacked your account themselves or purchased the information from a hacker. The BBB notes that although it's strange to receive boxes of unordered merchandise, "You are allowed to keep it. The Federal Trade Commission says you have a legal right to keep unordered merchandise." "The bigger issue is: What do you do about your information having been obtained by crooks?"


Alexa, Siri, and Google Home Can Be Tricked Into Sending Callers To Scam Phone Numbers

Slashdot - Your Rights Online - Sun, 2019-08-18 22:34
"Don't ask your smart device to look up a phone number, because it may accidentally point you to a scam," warn the consumer watchdogs at the Better Business Bureau: You need the phone number for a company, so you ask your home's smart device -- such as Google Home, Siri, or Alexa -- to find and dial it for you. But when the company's "representative" answers, the conversation takes a strange turn. This representative has some odd advice! They may insist on your paying by wire transfer or prepaid debit card. In other cases, they may demand remote access to your computer or point you to an unfamiliar website. Turns out, that this "representative" isn't from the company at all. Scammers create fake customer service numbers and bump them to the top of search results, often by paying for ads. When Siri, Alexa, or another device does a voice search, the algorithm may accidentally pick a scam number. One recent victim told BBB.org/ScamTracker that she used voice search to find and call customer service for a major airline. She wanted to change her seat on an upcoming flight, but the scammer tried to trick her into paying $400 in pre-paid gift cards by insisting the airline was running a special promotion. In another report, a consumer used Siri to call what he thought was the support number for his printer. Instead, he found himself in a tech support scam. People put their faith in voice assistants, even when they're just parroting the results from search engines, the BBB warns. The end result? "Using voice search to find a number can make it harder to tell a phony listing from the real one."


YouTube's Algorithms Blamed For Brazil's Dangerous Conspiracy Video-Sharing on WhatsApp

Slashdot - Your Rights Online - Sun, 2019-08-18 01:34
Sunday the New York Times reported that YouTube "radicalized" Brazil -- by "systematically" diverting users to conspiracy videos. Yet conventional wisdom in Brazil still puts the blame on WhatsApp, the Times reported in a follow-up story on Thursday shared by Slashdot reader AmiMoJo. "Everything began to click into place when we met Luciana Brito, a soft-spoken clinical psychologist who works with families affected by the Zika virus." Her work had put her on the front lines of the struggle against conspiracy theories, threats and hatred swirling on both platforms. And it allowed her to see what we -- like so many observers -- had missed: that WhatsApp and YouTube had come to form a powerful, and at times dangerous, feedback loop of extremism and misinformation. Either platform had plenty of weaknesses on its own. But, together, they had formed a pipeline of misinformation, spreading conspiracy theories, campaign material and political propaganda throughout Brazil. The first breakthrough came when we spoke to Yasodara Cordova, who at the time was a researcher at Harvard's Berkman Center for Internet and Society. Illiteracy remains widespread in some parts of Brazil, she said, ruling out text-based social media or news sources for many people. And TV networks can be low-quality, which has helped drive YouTube's stunning growth in many parts of Brazil, particularly on mobile. But YouTube has had less success in poorer regions of Brazil for one simple reason: Users cannot afford the cellphone data. "The internet in Brazil is really expensive," Ms. Cordova said. "I think it's the fourth or fifth country in terms of internet prices." WhatsApp has become a workaround. The messaging app has a deal with some carriers to offer free data on the app, and poorer users found that this offered them a way around YouTube's unaffordability. They would share snippets of YouTube videos that they found on WhatsApp, where the videos can be watched and shared for free.
Ms. Cordova suspected that the WhatsApp-spread misinformation had often come from videos that first went viral on YouTube, where they had been boosted by the extremism-favoring algorithms that we documented in our story earlier this week... It was like an infection jumping from one host to the next. Some of the videos blame the mosquito-borne Zika virus on vaccines or suggest an international conspiracy, while some were "staged to resemble news reports or advice from health workers," the Times reports -- adding that as of Thursday the videos were still being recommended by YouTube's algorithm. (A spokesperson for YouTube "called the results unintended, and said the company would change how its search tool surfaced videos related to Zika.") Researchers say conspiracy videos were even shown to people who'd searched for reputable information on the virus, the Times reports. "The videos often spread in WhatsApp chat groups that had been set up to share information and news about coping with Zika, turning users' efforts to take control of their families' health against them." YouTube told the Times that their recommendation system now drives 70% of total time spent on YouTube -- and according to their article Thursday, Dr. Brito estimates that she now receives serious threats on her life about once a week.
