CNN Investigates ‘Airbnb’s Hidden Camera Problem’

2017 Slashdot headline: “People Keep Finding Hidden Cameras in Their Airbnbs.”

Nearly seven years later, CNN launched their own investigation of “Airbnb’s hidden camera problem”.

CNN: “Across North America, police have seized thousands of images from hidden cameras at Airbnb rentals, including people’s most intimate moments… It’s more than just a few reported cases. And Airbnb knows it’s a problem. In this deposition reviewed by CNN, an Airbnb rep said 35,000 customer support tickets about security cameras or recording devices had been documented over a decade. [The deposition estimates “about” 35,000 tickets “within the scope of the security camera and recording devices policy.”]

Airbnb told CNN a single complaint can involve multiple tickets.
CNN actually obtained the audio recording of an Airbnb host in Maine admitting to police that he’d photographed a couple having sex using a camera hidden in a clock — and also photographed other couples. And one Airbnb guest told CNN he’d only learned he’d been recorded “because police called him, months later, after another guest found the camera” — with police discovering cameras in every single room in the house, concealed inside smoke detectors. “Part of the challenge is that the technology has gotten so advanced, with these cameras so small that you can’t even see them,” CNN says.

But even though recording someone without consent is illegal in every state, CNN also found that in this case and others, Airbnb “does not contact law enforcement once hidden cameras are discovered — even if children are involved.” Their reporter argues that Airbnb “not only fails to protect its guests — it works to keep complaints out of the courts and away from the public.”

They spoke to two Florida attorneys who said trying to sue Airbnb if something goes wrong is extremely difficult — since its Terms of Service require users to assume every risk themselves. “The person going to rent the property agrees that if something happens while they’re staying at this accommodation, they’re actually prohibited from suing Airbnb,” says one of the attorneys. “They must go a different route, which is a binding arbitration.” (When CNN asked if this was about controlling publicity, the two lawyers answered “absolutely” and “100%”.) And when claims are settled, CNN adds, “Airbnb has required guests to sign confidentiality agreements — which CNN obtained — that keep some details of legal cases private.”

Responding to the story, Airbnb seemed to acknowledge guests have been secretly recorded by hosts, by calling such occurrences “exceptionally rare… When we do receive an allegation, we take appropriate, swift action, which can include removing hosts and listings that violate the policy.

“Airbnb’s trust and safety policies lead the vacation rental industry…”

Read more of this story at Slashdot.

In SolarWinds Case, US Judge Rejects SEC Oversight of Cybersecurity Controls

SolarWinds still faces some legal action over its infamous 2020 breach, reports NextGov.com. But a U.S. federal judge has dismissed most of the claims from America’s Securities and Exchange Commission, which “alleged the company defrauded investors because it deliberately hid knowledge of cyber vulnerabilities in its systems ahead of a major security breach discovered in 2020.”

Slashdot reader krakman shares this report from the Washington Post:
“The SEC’s rationale, under which the statute must be construed to broadly cover all systems public companies use to safeguard their valuable assets, would have sweeping ramifications,” [judge] Engelmayer wrote in a 107-page decision. “It could empower the agency to regulate background checks used in hiring nighttime security guards, the selection of padlocks for storage sheds, safety measures at water parks on whose reliability the asset of customer goodwill depended, and the lengths and configurations of passwords required to access company computers,” he wrote. The federal judge also dismissed SEC claims that SolarWinds’ disclosures after it learned its customers had been affected improperly covered up the gravity of the breach…

In an era when deeply damaging hacking campaigns have become commonplace, the suit alarmed business leaders, some security executives and even former government officials, as expressed in friend-of-the-court briefs asking that it be thrown out. They argued that adding liability for misstatements would discourage hacking victims from sharing what they know with customers, investors and safety authorities. Austin-based SolarWinds said it was pleased that the judge “largely granted our motion to dismiss the SEC’s claims,” adding in a statement that it was “grateful for the support we have received thus far across the industry, from our customers, from cybersecurity professionals, and from veteran government officials who echoed our concerns.”

The article notes that as far back as 2018, “an engineer warned in an internal presentation that a hacker could use the company’s virtual private network from an unauthorized device and upload malicious code. Brown did not pass that information along to top executives, the judge wrote, and hackers later used that exact technique.”
Engelmayer did not dismiss the case entirely, allowing the SEC to try to show that SolarWinds and top security executive Timothy Brown committed securities fraud by not warning in a public “security statement” before the hack that it knew it was highly vulnerable to attacks.

The SEC “plausibly alleges that SolarWinds and Brown made sustained public misrepresentations, indeed many amounting to flat falsehoods, in the Security Statement about the adequacy of its access controls,” Engelmayer wrote. “Given the centrality of cybersecurity to SolarWinds’ business model as a company pitching sophisticated software products to customers for whom computer security was paramount, these misrepresentations were undeniably material.”

Read more of this story at Slashdot.

The Data That Powers AI Is Disappearing Fast

An anonymous reader quotes a report from the New York Times: For years, the people building powerful artificial intelligence systems have used enormous troves of text, images and videos pulled from the internet to train their models. Now, that data is drying up. Over the past year, many of the most important web sources used for training A.I. models have restricted the use of their data, according to a study published this week by the Data Provenance Initiative, an M.I.T.-led research group. The study, which looked at 14,000 web domains that are included in three commonly used A.I. training data sets, discovered an “emerging crisis in consent,” as publishers and online platforms have taken steps to prevent their data from being harvested.

The researchers estimate that in the three data sets — called C4, RefinedWeb and Dolma — 5 percent of all data, and 25 percent of data from the highest-quality sources, has been restricted. Those restrictions are set up through the Robots Exclusion Protocol, a decades-old method for website owners to prevent automated bots from crawling their pages using a file called robots.txt. The study also found that as much as 45 percent of the data in one set, C4, had been restricted by websites’ terms of service. “We’re seeing a rapid decline in consent to use data across the web that will have ramifications not just for A.I. companies, but for researchers, academics and noncommercial entities,” said Shayne Longpre, the study’s lead author, in an interview.

Read more of this story at Slashdot.