Businesses

'Amazon Prime Is an Economy-Distorting Lie' (substack.com) 171

Matt Stoller, looking at this month's antitrust suit against Amazon filed by D.C. attorney general Karl Racine: To understand why, we have to start with the idea of free shipping. Free shipping is the God of online retail, so powerful that France actually banned the practice to protect its retail outlets. Free shipping is also the backbone of Prime. Amazon founder Jeff Bezos knew that the number one pain point for online buyers is shipping -- one third of shoppers abandon their carts when they see shipping charges. Bezos helped invent Prime for this reason, saying the point of Prime was to use free shipping "to draw a moat around our best customers." The goal was to get people used to buying from Amazon, knowing they wouldn't have to worry about shipping charges. Once Amazon had control of a large chunk of online retail customers, it could then begin dictating terms of sellers who needed to reach them.

This became clear as you read Racine's complaint. One of the most important sentences in the AG's argument is a quote from Bezos in 2015 where he alludes to this point. In discussing the firm's logistics service that is the bedrock of its free shipping promise, Fulfillment by Amazon (FBA), he said, "FBA is so important because it is glue that inextricably links Marketplace and Prime. Thanks to FBA, Marketplace and Prime are no longer two things. Their economics ... are now happily and deeply intertwined." Amazon wants people to see Prime, FBA, and Marketplace as one integrated mega-product, what Bezos likes to call "a flywheel," to disguise the actual monopolization at work. (Indeed, any time you hear the word "flywheel" relating to Amazon, replace it with "monopoly" and the sentence will make sense.)

Youtube

YouTube Takes Down Ads Showing Belarusian Blogger's Possibly-Forced Confession Video (restofworld.org) 39

Last Sunday Belarus "forcibly landed a Ryanair plane flying from Athens to Vilnius and arrested the opposition blogger Roman Protasevich and his girlfriend, who were on board," Reuters reports.

By Tuesday the Guardian reports there was a "confession" video which the blogger's father said his son had clearly been physically coerced into recording.

And then... YouTube ran advertisements featuring confession videos published by Belarusian authorities of detained journalist and activist Roman Protasevich and his girlfriend Sofia Sapega, according to a number of people on social media...

The YouTube advertisements appear to have been purchased by a pro-government channel with less than 2,000 subscribers with a name which translates to "Belarus, country for life." The channel has published a number of viral videos about Belarus and its logo features the Belarusian presidential flag... Screenshots posted online suggest the ads displayed Protasevich's confession video to viewers and directed them to a pro-government Telegram channel with almost 80,000 subscribers. At least one person on Twitter also reported seeing another ad from the same channel featuring Sapega's confession tape.

A spokesperson for Google, which owns YouTube, said the company had identified both of the ads and took action against them according to its inappropriate content policy. "YouTube has always had strict policies around the type of content that is allowed to serve as ads on our platform," the spokesperson said in an email. "We quickly remove any ads that violate these policies." YouTube generally allows advertisers to run political ads, but its rules around inappropriate content prohibit those that "single out someone for abuse or harassment; content that suggests a tragic event did not happen, or that victims or their families are actors, or complicit in a cover-up of the event."

The advertisements raise questions about YouTube's ability to effectively moderate how its platform may be used to amplify questionable content in ads...

Tadeusz Giczan, editor-in-chief of NEXTA, the independent media organization Protasevich previously worked for, said on Twitter that Belarus officials have long used YouTube advertisements to spread propaganda. "Fun fact: for almost a year Belarusian state news agency BelTA has been using hostage videos like the one with Roman Protasevich as paid ads on YouTube with links to their network of pro-govt telegram channels," he wrote. "We tried everything but YouTube says there's nothing wrong about it." Last year, several people complained online about YouTube advertisements promoting Belarusian government propaganda seemingly from the same channel.

YouTube did not immediately answer follow-up questions about whether it had previously taken action against the "Belarus, country for life" account.

Bitcoin

GameStop Is Building An NFT Platform On Ethereum (theblockcrypto.com) 41

GameStop has quietly unveiled a new web portal for a non-fungible token (NFT) platform. The Block reports: "We are building a team" the page declares, stating: "We welcome exceptional engineers (solidity, react, python), designers, gamers, marketers, and community leaders. If you want to join our team, send your profile or something you've built to: nfteam@gamestop.com."

The exact scope of the project is unclear, though prominently featured on the page is a link to an Ethereum address, indicating that GameStop's team will use Ethereum as a technology base. The smart contract code declares "Game On Anon" and links to GameStop's NFT page and indicates that potential GameStop-released NFTs will utilize Ethereum's ERC721 standard. The code also points to a dedicated token, GME.

Python

How Spam Flooded the Official Python Software Package Repository PyPI (bleepingcomputer.com) 41

"The official Python software package repository, PyPI, is getting flooded with spam packages..." Bleeping Computer reported Thursday.

"Each of these packages is posted by a unique pseudonymous maintainer account, making it challenging for PyPI to remove the packages and spam accounts all at once..." PyPI is being flooded with spam packages named after popular movies in a style commonly associated with torrent or "warez" sites that provide pirated downloads: watch-(movie-name)-2021-full-online-movie-free-hd-... Although some of these packages are a few weeks old, BleepingComputer observed that spammers are continuing to add newer packages to PyPI... The web pages for these bogus packages contain spam keywords and links to movie streaming sites, albeit of questionable legitimacy and legality...

In February of this year, PyPI had been flooded with bogus "Discord", "Google", and "Roblox" keygens in a massive spam attack, as reported by ZDNet. At the time, Ewa Jodlowska, Executive Director of the Python Software Foundation, had told ZDNet that the PyPI admins were working on addressing the spam attack; however, by the nature of pypi.org, anyone could publish to the repository, and such occurrences were common.

Other than containing spam keywords and links to quasi-video streaming sites, these packages contain files with functional code and author information lifted from legitimate PyPI packages... As previously reported by BleepingComputer, malicious actors have combined code from legitimate packages with otherwise bogus or malicious packages to mask their footsteps, and make the detection of these packages a tad more challenging...

In recent months, the attacks on open-source ecosystems like npm, RubyGems, and PyPI have escalated. Threat actors have been caught flooding software repositories with malware, malicious dependency confusion copycats, or simply vigilante packages to spread their message. As such, securing these repositories has turned into a whack-a-mole race between threat actors and repository maintainers.

Medicine

The White House Is Partnering With Dating Apps To Get Horny People Vaccinated (buzzfeednews.com) 107

An anonymous reader quotes a report from BuzzFeed News: In a national effort to get through to horny but vaccine-hesitant Americans, the White House announced Friday that it is joining forces with dating apps to encourage people to get their COVID-19 vaccines so that they can go forth and fuck freely this summer. Vaccinated users on Tinder, Hinge, Bumble, and Badoo will have access to some premium features for free. OkCupid, Chispa, BLK, and Match are giving out a free "Boost" to those who've been vaccinated so that their profiles are more likely to be seen first. Plenty of Fish is also offering free credits to vaccinated members for its livestreaming feature.

The dating apps will add badges or stickers that users can include on their profile to indicate that they've been vaccinated, as well as filters so that you only swipe on fellow vaccinated people. There will also be in-app links to find your closest vaccination site. "People who display their vaccination status are 14% more likely to get a match," White House COVID-19 adviser Andy Slavitt said at a press conference, citing research from OkCupid. "We have finally found the one thing that makes us all more attractive." The new features are expected to launch on the apps in the next few weeks.

Opera

Opera Brings Its Gaming Browser To Mobile (engadget.com) 13

Do gamers need a dedicated browser? Opera sure thinks so. Two years after launching Opera GX, a browser aimed at gamers, on desktop, the company has started to beta test Opera GX on iOS and Android. From a report: So what sets it apart from regular browsers? For starters, Opera GX features a control panel that lets you set limits on CPU, RAM and network bandwidth. Mobile users can also utilize the fast action button to quickly access functions like search and to open and close tabs. Exporting elements from the world of gaming, the button also uses vibrations and haptic feedback. You can also sync the mobile browser with the desktop version by scanning a QR code. Doing this will allow you to transfer across files of up to 10MB, links, YouTube videos, photos and various ephemera. The company says it expects Opera GX for iOS and Android to leave beta in a few weeks.

Facebook

Facebook Calls Links To Depression Inconclusive. These Researchers Disagree (npr.org) 100

An anonymous reader quotes a report from NPR: At a hearing this March on Capitol Hill, the Republican congresswoman [Cathy McMorris Rodgers] from Washington confronted Facebook CEO Mark Zuckerberg, Twitter CEO Jack Dorsey and Google CEO Sundar Pichai with a list of statistics: From 2011 to 2018, rates of teen depression increased by more than 60%, and from 2009 to 2015, emergency room admissions for self-harm among 10- to 14-year-old girls tripled. "It's a battle for their development. It's a battle for their mental health -- and ultimately a battle for their safety," McMorris Rodgers told the tech leaders. But when she pointed a question specifically to Zuckerberg, about whether he acknowledged a connection between children's declining mental health and social media platforms, he demurred. "I don't think that the research is conclusive on that," replied Zuckerberg.

It's a position that he and his company, which is working on expanding its offerings to even younger children, have held for years. But mental health researchers whom NPR spoke with disagree. They describe an increasingly clear correlation between poor mental health outcomes and social media use, and they worry that Facebook (which also owns Instagram and WhatsApp) in particular may be muddying the waters on that connection to protect its public image. "The correlational evidence showing that there is a link between social media use and depression is pretty definitive at this point," said Jean Twenge, a psychology professor at San Diego State University. "The largest and most well-conducted studies that we have all show that teens who spend more time on social media are more likely to be depressed or unhappy."

Correlation is not causation, and one area of further study is whether greater social media usage leads to poor mental health outcomes or whether those who are depressed and unhappy are drawn to spend more time on social media. But researchers also worry that not enough government funding is going toward getting objective data to answer these sorts of questions. Facebook also almost certainly knows more than it has publicly revealed about how its products affect people.

Zuckerberg told McMorris Rodgers that the company has specifically researched the mental health effects Facebook has on children, but when McMorris Rodgers' staff followed up the company declined to share any of its research.

"I believe that they have done the research. They're not being transparent," McMorris Rodgers told NPR in an interview. "They seem to be more concerned about their current business model, and they have become very wealthy under their current business model. But the fact of the matter is we're seeing more and more evidence ... that their current business model is harming our kids."

Businesses

How Should a Company Handle a Ransomware Attack? (itwire.com) 68

ITWire reports on how Norwegian firm Volue Technology handled a ransomware attack that began on May 5th: The company has set up a Web page with information about the attack and also links to frequent updates about the status of its systems. There was no obfuscation about the attack, none at all. The company said: "The ransomware attack on Volue Technology ('Powel') was caused by Ryuk, a type of malware usually known for targeting large, public-entity Microsoft Windows systems."

What is even more remarkable about this page is that it has provided the telephone number and email address of its chief executive, Trond Straume, and asked for anyone who needs additional information to contact him. Not some underling.

ITWire argues this response "demonstrated to the rest of the world how a ransomware attack should be handled."

Security

'Scheme Flooding' Technique May Be Used To Deanonymize You (theregister.com) 46

sandbagger shares a report from The Register: FingerprintJS, maker of a browser-fingerprinting library for fraud prevention, on Thursday said it has identified a more dubious fingerprinting technique capable of generating a consistent identifier across different desktop browsers, including the Tor Browser. Konstantin Darutkin, senior software engineer at FingerprintJS, said in a blog post that the company has dubbed the privacy vulnerability "scheme flooding." The name refers to abusing custom URL schemes, which make web links like "skype://" or "slack://" prompt the browser to open the associated application. "The scheme flooding vulnerability allows an attacker to determine which applications you have installed," explains Darutkin. "In order to generate a 32-bit cross-browser device identifier, a website can test a list of 32 popular applications and check if each is installed or not."

Visiting the schemeflood.com site using a desktop (not mobile) browser and clicking on the demo will generate a flood of custom URL scheme requests using a pre-populated list of likely apps. A browser user would typically see a pop-up permission modal window that says something like, "Open Slack.app? A website wants to open this application. [Cancel] [Open Slack.app]." But in this case, the demo script just cancels if the app is present or reads the error as confirmation of the app's absence. It then displays the icon of the requested app if found, and moves on to its next query. The script uses each app result as a bit to calculate the identifier. The fact that the identifier remains consistent across different browsers means that cross-browser tracking is possible, which violates privacy expectations.

Google

Language Models Like GPT-3 Could Herald a New Type of Search Engine (technologyreview.com) 13

An anonymous reader quotes a report from MIT Technology Review: In 1998 a couple of Stanford graduate students published a paper describing a new kind of search engine: "In this paper, we present Google, a prototype of a large-scale search engine which makes heavy use of the structure present in hypertext. Google is designed to crawl and index the Web efficiently and produce much more satisfying search results than existing systems." The key innovation was an algorithm called PageRank, which ranked search results by calculating how relevant they were to a user's query on the basis of their links to other pages on the web. On the back of PageRank, Google became the gateway to the internet, and Sergey Brin and Larry Page built one of the biggest companies in the world. Now a team of Google researchers has published a proposal for a radical redesign that throws out the ranking approach and replaces it with a single large AI language model, such as BERT or GPT-3 -- or a future version of them. The idea is that instead of searching for information in a vast list of web pages, users would ask questions and have a language model trained on those pages answer them directly. The approach could change not only how search engines work, but what they do -- and how we interact with them.

[Donald Metzler and his colleagues at Google Research] are interested in a search engine that behaves like a human expert. It should produce answers in natural language, synthesized from more than one document, and back up its answers with references to supporting evidence, as Wikipedia articles aim to do. Large language models get us part of the way there. Trained on most of the web and hundreds of books, GPT-3 draws information from multiple sources to answer questions in natural language. The problem is that it does not keep track of those sources and cannot provide evidence for its answers. There's no way to tell if GPT-3 is parroting trustworthy information or disinformation -- or simply spewing nonsense of its own making.

Metzler and his colleagues call language models dilettantes -- "They are perceived to know a lot but their knowledge is skin deep." The solution, they claim, is to build and train future BERTs and GPT-3s to retain records of where their words come from. No such models are yet able to do this, but it is possible in principle, and there is early work in that direction. There have been decades of progress on different areas of search, from answering queries to summarizing documents to structuring information, says Ziqi Zhang at the University of Sheffield, UK, who studies information retrieval on the web. But none of these technologies overhauled search because they each address specific problems and are not generalizable. The exciting premise of this paper is that large language models are able to do all these things at the same time, he says.

AI

Voice Actor Reportedly Responsible For Amazon Alexa Revealed (theverge.com) 23

An anonymous reader quotes a report from The Verge: Amazon's Alexa has a voice familiar to millions: calm, warm, and measured. But like most synthetic speech, its tones have a human origin. There was someone whose voice had to be recorded, analyzed, and algorithmically reproduced to create Alexa as we know it now. Amazon has never revealed who this "original Alexa" is, but journalist Brad Stone says he tracked her down, and she is Nina Rolle, a voiceover artist based in Boulder, Colorado. The claim comes from Stone's upcoming book on the tech giant, Amazon Unbound, an excerpt of which is published here in Wired. Neither Amazon nor Rolle confirmed or denied Stone's reporting, which he says is based on conversations with the professional voiceover community, but Rolle's voice alone makes for a compelling case.

Here's how Stone writes up the process in selecting Alexa's voice: "Believing that the selection of the right voice for Alexa was critical, [then-Amazon exec Greg] Hart and colleagues spent months reviewing the recordings of various candidates that GM Voices produced for the project, and presented the top picks to Bezos. The Amazon team ranked the best ones, asked for additional samples, and finally made a choice. Bezos signed off on it. Characteristically secretive, Amazon has never revealed the name of the voice artist behind Alexa. I learned her identity after canvasing the professional voice-over community: Boulder, Colorado -- based voice actress and singer Nina Rolle. Her professional website contains links to old radio ads for products such as Mott's Apple Juice and the Volkswagen Passat -- and the warm timbre of Alexa's voice is unmistakable. Rolle said she wasn't allowed to talk to me when I reached her on the phone in February 2021. When I asked Amazon to speak with her, they declined."

Facebook

Facebook Is Testing Pop-Up Messages Telling People To Read a Link Before They Share It (techcrunch.com) 61

Following Twitter's lead, Facebook is trying out a new feature designed to encourage users to read a link before sharing it. TechCrunch reports: The test will reach 6% of Facebook's Android users globally in a gradual rollout that aims to encourage "informed sharing" of news stories on the platform. Users can still easily click through to share a given story, but the idea is that by adding friction to the experience, people might rethink their original impulses to share the kind of inflammatory content that currently dominates on the platform.

The strategy demonstrates Facebook's preference for a passive strategy of nudging people away from misinformation and toward its own verified resources on hot-button issues like COVID-19 and the 2020 election. While the jury is still out on how much of an impact this kind of gentle behavioral shaping can make on the misinformation epidemic, both Twitter and Facebook have also explored prompts that discourage users from posting abusive comments.

The Courts

College Student Sues Proctorio After Source Code Copyright Claim (theverge.com) 35

The Electronic Frontier Foundation (EFF) has filed a lawsuit against the remote testing company Proctorio on behalf of Miami University student Erik Johnson. The Verge reports: The lawsuit is intended to "quash a campaign of harassment designed to undermine important concerns" about the company's remote test-proctoring software, according to the EFF. The lawsuit intends to address the company's behavior toward Johnson in September of last year. After Johnson found out that he'd need to use the software for two of his classes, Johnson dug into the source code of Proctorio's Chrome extension and made a lengthy Twitter thread criticizing its practices -- including links to excerpts of the source code, which he'd posted on Pastebin. Proctorio CEO Mike Olsen sent Johnson a direct message on Twitter requesting that he remove the code from Pastebin, according to screenshots viewed by The Verge. After Johnson refused, Proctorio filed a copyright takedown notice, and three of the tweets were removed. (They were reinstated after TechCrunch reported on the controversy.)

In its lawsuit, the EFF is arguing that Johnson made fair use of Proctorio's code and that the company's takedown "interfered with Johnson's First Amendment right." "Copyright holders should be held liable when they falsely accuse their critics of copyright infringement, especially when the goal is plainly to intimidate and undermine them," said EFF Staff Attorney Cara Gagliano in a statement. "I'm doing this to stand up against student surveillance, as well as abuses of copyright law," Johnson told The Verge. "This isn't the first, and won't be the last time a company abuses copyright law to try and make criticism more difficult. If nobody calls out this abuse of power now, it'll just keep happening."

Facebook

New Emails Show Steve Jobs Referred To Facebook As 'Fecebook' Amid App Store Conflict (9to5mac.com) 59

The Apple vs. Epic legal battle has brought new documents to light, revealing the strained relationship between Apple and Facebook that dates as far back as 2011. 9to5Mac reports: Around this time, Facebook had not yet released a dedicated app for the iPad, which debuted in 2010. Apple's Scott Forstall, then serving as the company's software chief, sent an email to Phil Schiller and Steve Jobs regarding a meeting he had with Mark Zuckerberg about bringing Facebook to the iPad. At the heart of Facebook's concerns was that Apple would not allow the Facebook for iPad application to include "embedded apps." Forstall wrote: "I just discussed with Mark how they should not include embedded apps in the Facebook iPad app -- neither in an embedded web view or as a directory of links that would redirect to Safari. Not surprisingly, he wasn't happy with this as he considers these apps part of the 'whole Facebook experience' and isn't sure they should do an iPad app without them. Everything works in Safari, so he is hesitant to push people to a native app with less functionality, even if the native app is better for non-third party app features."

Zuckerberg suggested a few compromises to Forstall: Do not include a directory of apps in the Facebook app, links, or otherwise; Do not have third-party apps run in the embedded web view; Allow user posts in the news feed related to apps; and Tapping on one of these app-related links would (1) fast switch to a native app if one exists and the user has it installed, (2) take the user to the App Store if a native app exists and the user has not installed it, (3) link out to Safari otherwise.

"I think this is all reasonable, with the possible exception of #3," Forstall wrote in the email. Steve Jobs responded and wrote, "I agree -- if we eliminate Fecebooks third proposal it sounds reasonable." Note Jobs's spelling of Facebook there. A few days later, Forstall followed up and said that Zuckerberg did not like Apple's counterproposal. [...] CNBC adds: "When Facebook's iPad app eventually launched, it said that it would not support its own Credits currency on iOS for apps like Farmville -- a compromise along the lines of what Apple's executives discussed."

The Courts

What3Words Sends Legal Threat To a Security Researcher For Sharing an Open-Source Alternative (techcrunch.com) 141

A U.K. company behind digital addressing system What3Words has sent a legal threat to a security researcher for offering to share an open-source software project with other researchers, which What3Words claims violates its copyright. From a report: Aaron Toponce, a systems administrator at XMission, received a letter on Thursday from London-based law firm JA Kemp representing What3Words, requesting that he delete tweets related to the open-source alternative, WhatFreeWords. The letter also demands that he disclose to the law firm the identity of the person or people with whom he had shared a copy of the software, agree that he would not make any further copies of the software and to delete any copies of the software he had in his possession. The letter gave him until May 7 to agree, after which What3Words would "waive any entitlement it may have to pursue related claims against you," a thinly-veiled threat of legal action. "This is not a battle worth fighting," he said in a tweet.

Toponce told TechCrunch that he has complied with the demands, fearing legal repercussions if he didn't. He has also asked the law firm twice for links to the tweets they want deleting but has not heard back. "Depending on the tweet, I may or may not comply. Depends on its content," he said. U.K.-based What3Words divides the entire world into three-meter squares and labels each with a unique three-word phrase. The idea is that sharing three words is easier to share on the phone in an emergency than having to find and read out their precise geographic coordinates. But security researcher Andrew Tierney recently discovered that What3Words would sometimes have two similarly-named squares less than a mile apart, potentially causing confusion about a person's true whereabouts. In a later write-up, Tierney said What3Words was not adequate for use in safety-critical cases.

The Internet

Investigation Finds Links Between Seamy Slander Sites and Reputation-Management Services (nytimes.com) 51

This week the New York Times published their online investigation into the seamy world of the professional slander industry.

At first glance, the websites appear amateurish. They have names like BadGirlReports.date, BustedCheaters.com and WorstHomeWrecker.com. Photos are badly cropped. Grammar and spelling are afterthoughts. They are clunky and text-heavy, as if they're intended to be read by machines, not humans. But do not underestimate their power...

One woman in Ohio was the subject of so many negative posts that Bing declared in bold at the top of her search results that she "is a liar and a cheater" — the same way it states that Barack Obama was the 44th president of the United States. For roughly 500 of the 6,000 people we searched for, Google suggested adding the phrase "cheater" to a search of their names. The unverified claims are on obscure, ridiculous-looking sites, but search engines give them a veneer of credibility. Posts from Cheaterboard.com appear in Google results alongside Facebook pages and LinkedIn profiles....

That would be bad enough for people whose reputations have been savaged. But the problem is all the worse because it's so hard to fix. And that is largely because of the secret, symbiotic relationship between those facilitating slander and those getting paid to remove it.

Who, exactly? The Times spoke to:
  • Cyrus Sullivan, the Portland-based owner of one site who also runs a reputation-management service "to help people get 'undesirable information' about themselves removed from their search engine results. The 'gold package' cost $699.99. For those customers, Mr. Sullivan would alter the computer code underlying the offending posts, instructing search engines to ignore them...."
  • 247Removal's owner Heidi Glosser, who "charges $750 or more per post removal, which adds up to thousands of dollars for most of her clients. To get posts removed, she said, she often pays an 'administrative fee' to the gripe site's webmaster. We asked her whether this was extortion. 'I can't really give you a direct answer,' she said." She appeared to have links to...
  • Web developer Vikram Parmar, who seemed to be running several sites that produced slander while also simultaneously running sites that made money by removing that slander.

But finally, the Times reminded their readers that "in certain circumstances, Google will remove harmful content from individuals' search results, including links to 'sites with exploitative removal practices.' If a site charges to remove posts, you can ask Google not to list it.

"Google didn't advertise this policy widely, and few victims of online slander seem aware that it's an option. That's in part because when you Google ways to clean up your search results, Google's solution is buried under ads for reputation-management services..."


The Internet

France Planning To Allow Use of Algorithms To Detect Extremism Online (theguardian.com) 60

Hmmmmmm shares a report from The Guardian: The French government is planning to harden counter-terrorism laws, permitting the use of algorithms to detect online extremist activity, amid a growing political row over security in the run up to next year's presidential race. The interior minister, Gerald Darmanin, said attackers were now "isolated individuals, increasingly younger, unknown to intelligence services, and often without any links to established Islamist groups." This was a growing problem for France because they self-radicalized very quickly, within days or weeks. These attackers no longer used text messages or mobile phones to communicate but instead went online or used social media direct messaging, he said. Darmanin said algorithms would allow the state to potentially pick up if a person was repeatedly searching online for a topic such as beheadings. He argued that Google and other online commercial sites already used algorithms and the state should be able to as well, with independent oversight -- despite concern from some rights lawyers that there would not be enough transparency.

"The last nine attacks on French soil were committed by individuals who were unknown to the security services, who were not on a watchlist and were not suspected of being radicalised," Darmanin told France Inter radio. This meant new methods were needed, he said, adding that of 35 attacks prevented by the state since 2017, two were stopped by intelligence work online. Since 2017, French security agencies have been able to use algorithms to monitor messaging apps. The new bill would make that experimental use permanent and extend the use of algorithms to websites and web searches. The legislation makes permanent several temporary measures in use since France's state of emergency after the Islamist terrorist attacks in 2015. It would give security agencies more power to watch over and limit the movements of high-risk individuals after release from jail, for two years rather than one.

China

China Censors 'Nomadland' Director Chloe Zhao's Oscar Win (wsj.com) 76

"Nomadland" director Chloe Zhao made history on Sunday by becoming the first woman of color and first Chinese woman to win the Oscar for best director. Official media, major search engines and internet censors in her home country are making as if it didn't happen. From a report: Ms. Zhao's win, just the second time a woman has walked away with best director, unleashed a flurry of congratulatory messages on Chinese social-media sites when it was announced Monday morning Beijing time. By midafternoon, nearly all of the posts had been erased. Searches for her name on Baidu and Sogou, the country's dominant search engines, produced numerous links to news of her previous accolades but only scattered links to deleted articles about the Academy Award honor.

State broadcaster China Central Television, the official Xinhua News Agency, and Communist Party mouthpiece the People's Daily stayed silent on the award throughout the day. Two state media reporters told the Journal they had received orders from China's propaganda ministry not to report on her victory, despite what they described as her status as a Chinese national, because of "previous public opinion." China's Foreign Ministry declined to comment on the removal of social-media posts during a regular news conference on Monday, saying it wasn't a diplomatic issue.

Facebook

A New Facebook Bug Exposes Millions of Email Addresses (wired.com) 15

Still smarting from last month's dump of phone numbers belonging to 500 million Facebook users, the social media giant has a new privacy crisis to contend with: a tool that, on a massive scale, links Facebook accounts with their associated email addresses, even when users choose settings to keep them from being public. Wired reports: A video circulating on Tuesday showed a researcher demonstrating a tool named Facebook Email Search v1.0, which he said could link Facebook accounts to as many as 5 million email addresses per day. The researcher -- who said he went public after Facebook said it didn't think the weakness he found was "important" enough to be fixed -- fed the tool a list of 65,000 email addresses and watched what happened next. "As you can see from the output log here, I'm getting a significant amount of results from them," the researcher said as the video showed the tool crunching the address list. "I've spent maybe $10 to buy 200-odd Facebook accounts. And within three minutes, I have managed to do this for 6,000 [email] accounts."

The researcher [...] said that Facebook Email Search exploited a front-end vulnerability that he reported to Facebook recently but that "they [Facebook] do not consider to be important enough to be patched." Earlier this year, Facebook had a similar vulnerability that was ultimately fixed. "This is essentially the exact same vulnerability," the researcher says. "And for some reason, despite me demonstrating this to Facebook and making them aware of it, they have told me directly that they will not be taking action against it."

In a statement, Facebook said: "It appears that we erroneously closed out this bug bounty report before routing to the appropriate team. We appreciate the researcher sharing the information and are taking initial actions to mitigate this issue while we follow up to better understand their findings." A Facebook representative didn't respond to a question asking if the company told the researcher it didn't consider the vulnerability important enough to warrant a fix. The representative said Facebook engineers believe they have mitigated the leak by disabling the technique shown in the video.

Google

Daily Mail Owner Sues Google Over Search Results (bbc.com) 73

The owner of the Daily Mail newspaper and MailOnline website is suing Google over allegations the search engine manipulates search results. The BBC reports: Associated Newspapers accuses Google of having too much control over online advertising and of downgrading links to its stories, favoring other outlets. It alleges Google "punishes" publishers in its rankings if they don't sell enough advertising space in its marketplace. Google called the claims "meritless."

Associated Newspapers' concerns stem from its assessment that its coverage of the Royal Family in 2021 has been downplayed in search results. For example, it claims that British users searching for broadcaster Piers Morgan's comments on the Duchess of Sussex following an interview with Oprah Winfrey were more likely to see articles about Morgan produced by smaller, regional outlets. That is despite the Daily Mail writing multiple stories a day about his comments around that time and employing him as a columnist.

In response, a Google spokesperson said: "The Daily Mail's claims are completely inaccurate. The use of our ad tech tools has no bearing on how a publisher's website ranks in Google search. More generally, we compete in a crowded and competitive ad tech space where publishers have and exercise multiple options. The Daily Mail itself authorizes dozens of ad tech companies to sell and manage their ad space, including Amazon, Verizon and more. We will defend ourselves against these meritless claims."
