Five amendments to law approved before deadline, none undercut core goals

Analysis California’s landmark digital privacy law will remain “largely intact” despite a year of determined lobbying by Google and other tech giants to undermine it.

That’s the conclusion of privacy rights groups that have been carefully tracking the legislation since it was signed into law in June 2018; it is due to come into effect in January 2020.

Thanks to the unusual way in which the law was passed, lawmakers were given an entire year to approve amendments to it. That left the door open to tech lobbyists, who have been doing everything in their power to undermine the law’s main goals.

However, Friday was the deadline for amendments and of the five that made it through the process, none managed to introduce the legislative loopholes that Google, Facebook, and friends have been pushing for.

A joint statement by Consumer Reports and the Electronic Frontier Foundation made no bones about the year-long battle. They made a point of praising lawmakers for resisting tech industry pressure to “insert last-minute loopholes” and celebrate the fact that the law has been left “largely intact.”

The American Civil Liberties Union of Northern California reiterated the same point when it said in its own statement that “industry tried and failed this session to weaken or eliminate the key protections of the CCPA,” adding that it wished to “applaud the legislature for holding the line against big technology companies.”

All three organizations stress that the “fight is not over” in the effort to win privacy rights back from Big Tech; in privacy terms, this battle has been won but a larger war is still going on.


The last time we checked in on the process, there were nine proposed amendments that had made it through the legislative process, none of which expanded privacy rights. Four of the amendments were benign in that they were intended to clean up the law. But that left five that had been clearly designed by the tech companies – and in some cases, written by them too – to create specific loopholes.

Of those five, three made it through as legislative amendments – Assembly Bills 25, 874 and 1564 – and one was put off until next year (AB 846). But in the final text of each, none of them undercut the main goal of the legislation: to give Californians the right to view the data that companies like Google and Facebook hold on them, and, critically, request that it be deleted and not sold to third parties.

That GDPR-like law gives the state’s 40 million inhabitants the right to demand and delete private information and it applies to any company that holds data on more than 50,000 people, with each violation carrying a hefty $7,500 fine.

The amendments themselves (those above plus AB 1146 and 1355) will put a one-year moratorium on employee data as well as let companies use data published by the government. The car industry got an effective exemption thanks to warranties. And the requirement to provide a toll-free number to explain their rights to consumers was pulled; now an email is sufficient.

But the tech industry had really pushed hard for changes that have not made it through, including exempting “targeted advertising” – which is basically Google and Facebook’s entire business model – and expanding the type of datasets that are exempt from the law to cover, you guessed it, the data that Facebook and Google sell. The tech companies tried multiple different creative ways to jam through loopholes – such as a novel definition of what “social media” actually is – however, lawmakers, assisted by eagle-eyed privacy advocates, beat them back.

Still not done

This isn’t the end of it, however. Even though the law will come into effect on January 1, enforcement won’t begin until mid-2020 and the final regulations that companies will have to follow are being drawn up by California’s attorney general. That process could swing either way, with tech companies required to do more than they envisioned, or possibly less.

The first draft of the regulations is expected next month with subsequent comment and review periods. Which means more battles.

It is clear Big Tech has admitted defeat in this case. Don’t imagine for a second that that means you will regain rights over your private data, however: Google et al have already joined up with other companies and moved the fight to Washington DC, where lawmakers have suddenly discovered a newfound passion for federal privacy legislation.

Such legislation would, of course, override this California Consumer Privacy Act. ®


All part of Big Red’s regular small-ish release plan as opposed to large infrequent updates

Code One Oracle on Monday announced the release of Java SE 13 (JDK 13), saying it shows the tech titan’s continued commitment to make innovation happen faster by sticking to a predictable six-month release cycle.

No evidence was provided to demonstrate that enterprise innovation is actually accelerating as a consequence of biannual platform revisions. Oracle at least deserves credit for its commitment to consistency.

Word of JDK 13 arrived on Monday as Oracle’s co-located OpenWorld and Code One conferences got underway in San Francisco. The Code One keynote, preceded as in previous years with a disclaimer that investors shouldn’t rely on anything said at the show, opened with an overview of quantum computing by Jessica Pointing, a doctoral student in quantum computing at Stanford University.

What does quantum computing have to do with Java? Well, Pointing said developers can write code for the Strange Quantum Computer Simulator in Java.

The challenge for quantum computing right now, she explained, is to demonstrate that a quantum computer can outperform a classical computer to solve specific types of problems. Surprisingly, despite quite a bit of investment, that hasn’t happened yet. It could happen in the next few months. Or it might take a few years. Or decades.

Looking back a few years to 2017, Georges Saab, veep of software development for the Java platform, recalled the decision to change the Java release cadence, noting that large releases every few years displayed downsides as the world embraced more rapid change.

Oracle’s Java team shifted to a six-month release cadence two years ago because waiting three or four years between major releases just isn’t done anymore, for the most part. C++ still sticks to a three-year update cycle but that seems glacial compared to annual ECMAScript improvements, twice yearly Node.js revisions and Chrome browser releases that appear every six weeks.


“Three of these releases have been delivered since then and the fourth is imminent,” said Saab. “We’re proud to announce Java 13 with general availability starting tomorrow.”

Binaries for JDK 13 are expected to be available for download on Tuesday, September 17.

Saab proceeded to interview various developers who use Java at various companies to reveal that they’re happy with the faster release cycle. Unsurprisingly, no naysayers showed up.

Java, insists Oracle, is the world’s most popular programming language; IT consultancy RedMonk ranks Java at number two, behind JavaScript. But such measurements say more about statistical methodology and data sources than verifiable popularity. Suffice to say that Java is widely used among companies large and small, and it remains an employable competency.

Notable preview features in the release include switch expressions (JEP 354), which extend the switch statement so it can be used either as a statement or as an expression, and text blocks (JEP 355), which provide a concise way to represent multi-line text strings without escape characters.

“It’s not a particularly sophisticated feature but it makes a big difference,” said Brian Goetz, Java release architect.

Preview features may be changed or removed, and are provided to solicit community feedback.

JDK 13 includes several other JEPs (Java Enhancement Proposals). JEP 350 extends application class-data sharing to improve startup and memory footprint. JEP 351 modifies the Z Garbage Collection (ZGC) so it returns unused heap memory back to the operating system. And JEP 353 replaces the old Socket and ServerSocket APIs with more modern code that’s more maintainable. It also lays the groundwork for user-mode threads, known as fibers.

Goetz acknowledged that there aren’t a lot of big features because those are now being broken up into smaller ones to accommodate more frequent updates. “There’s just as much innovation, going on, perhaps more, but it will be broken up over a series of smaller releases,” he said. ®


Update now to stop webpages snooping on recently used credentials

LastPass has fixed a security bug that potentially allowed malicious websites to obtain the username and passphrase inserted by the password manager on the previously visited site.

In other words, if you visited website A, and LastPass automatically injected a username and password for you to log in, and then you surfed to website B, the latter could access the password issued to website A. Netizens are advised to update LastPass to version 4.33.0 or later, which squashes this bug.

Google Project Zero flaw-finder Tavis Ormandy discovered and privately reported the programming blunder, which is technically a clickjacking vulnerability, and went public with the details on Sunday night.

“To exploit this bug, a series of actions would need to be taken by a LastPass user including filling a password with the LastPass icon, then visiting a compromised or malicious site and finally being tricked into clicking on the page several times,” LastPass explained just before the weekend.

“This exploit may result in the last site credentials filled by LastPass to be exposed.”

According to Ormandy, a malicious page would be able to exploit the flaw, and steal login information for the previous site, by creating popup windows and accessing cached credentials.

“I noticed that you can create a popup without calling do_popupregister() by iframing popupfilltab.html (i.e. via moz-extension, ms-browser-extension, chrome-extension, etc). It’s a valid web_accessible_resource,” Ormandy explained in his now-public bug report.

“Because do_popupregister() is never called, ftd_get_frameparenturl() just uses the last cached value in g_popup_url_by_tabid for the current tab. That means via some clickjacking, you can leak the credentials for the previous site logged in for the current tab.”

In practice, an attacker would be able to lure users to malicious pages that would be able to abuse the bug to harvest credentials in some cases. There are no public reports of this actually happening, however, as Ormandy privately tipped off LastPass, which got a patch out before the flaw was publicly disclosed.

Again, users and admins are advised to make sure they have updated to the latest version of LastPass (4.33.0 or later) to make sure the vulnerability is patched. ®
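
The stale per-tab cache Ormandy describes can be modelled in a few lines. The following is an added example, not LastPass code and not part of the original article: the class names, `onNavigate()`, the sample vault and both URLs are hypothetical, and the hardened variant is one possible mitigation assumed here, since the article does not say how the 4.33.0 patch works.

```javascript
// Simplified model of the stale per-tab cache described in the bug report.
// Constructed for illustration; this is not LastPass source code.

// Constructed sample vault: origin -> saved login.
const vault = new Map([
  ['https://bank.example', { user: 'alice', pass: 'constructed-secret' }],
]);

function lookup(pageUrl) {
  if (!pageUrl) return null;
  const origin = new URL(pageUrl).origin;
  return vault.has(origin) ? vault.get(origin) : null;
}

// Flawed pattern: the fill popup trusts whatever URL was last cached for the tab.
class StaleCacheFiller {
  constructor() {
    this.urlByTab = new Map(); // plays the role of g_popup_url_by_tabid
  }
  // Plays the role of do_popupregister(): records which page opened the popup.
  registerPopup(tabId, pageUrl) {
    this.urlByTab.set(tabId, pageUrl);
  }
  // Plays the role of ftd_get_frameparenturl(): no check that the cached
  // value still describes the page currently shown in the tab.
  credentialsForPopup(tabId) {
    return lookup(this.urlByTab.get(tabId));
  }
}

// Hardened pattern (assumed mitigation): drop the cache entry on navigation
// and, as a second layer, refuse to answer unless the cached origin matches
// the origin the browser reports for the tab right now.
class BoundCacheFiller extends StaleCacheFiller {
  onNavigate(tabId) {
    this.urlByTab.delete(tabId);
  }
  credentialsForPopup(tabId, currentTopUrl) {
    const cached = this.urlByTab.get(tabId);
    if (!cached || !currentTopUrl) return null;
    if (new URL(cached).origin !== new URL(currentTopUrl).origin) return null;
    return lookup(cached);
  }
}

// Replay: tab 7 fills a login on site A, then loads site B. Site B's popup
// is never registered, so only site A's entry exists for the tab.
function replay() {
  const tabId = 7;
  const siteA = 'https://bank.example/login';
  const siteB = 'https://other.example/';

  const flawed = new StaleCacheFiller();
  flawed.registerPopup(tabId, siteA);
  const leaked = flawed.credentialsForPopup(tabId); // asked while on site B

  const fixed = new BoundCacheFiller();
  fixed.registerPopup(tabId, siteA);
  const legit = fixed.credentialsForPopup(tabId, siteA); // still on site A
  // Even if the navigation event were missed, the origin check holds.
  const blockedByOrigin = fixed.credentialsForPopup(tabId, siteB);
  fixed.onNavigate(tabId);
  const blockedByClear = fixed.credentialsForPopup(tabId, siteB);

  return { leaked, legit, blockedByOrigin, blockedByClear };
}

console.log(replay());
```

The two defences are independent on purpose: clearing on navigation removes the stale entry, and the origin comparison still holds if a navigation event is ever missed.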


The last Surface RT user just needs to fill in a web form to… oh heck

The bad news bus has continued rolling for users of hardware both young and old as Wi-Fi woes plague Windows 10 and even Windows 8.1.

Hot on the heels of broken audio in Windows 10 – for which the company “estimates a solution will be available in late September”, according to its health dashboard – comes news that Wi-Fi is not happy on some machines using Intel Centrino chippery.

The problem is an incompatibility issue with Intel Centrino 6205/6235 and Broadcom 802.11ac Wi-Fi cards running Windows 10 1903 on certain unnamed NEC devices.

Upgrade those machines to 1903 and wave a fond farewell to Wi-Fi, according to Microsoft. The “mitigation”, such as it is, consists of disabling and re-enabling the adapter in the Windows 10 Device Manager, which should bring things back to life.

Up until you reboot, of course.

It might all be a cunning ploy to get users up to speed on PowerShell’s handy Disable-NetAdapter command in a boot script. Or it might just be another sign that all is still not entirely well in quality land as far as Windows 10 1903 is concerned.

The team is working on a fix “in an upcoming release” but advises that users with the hardware hold off on clicking that Update Now button until the tweaks have gone through.

Of course, it isn’t just Windows 10 being hit with the borkage bat. The Windows Latest mag also noted a problem with the patch KB4516067, released last week for Windows 8.1 and Server 2012 R2 users.

The issue is that Internet Explorer 11 may be rendered inoperative. Which, in itself, is unlikely to be an issue for many. After all, there are plenty of alternative browsers out there unless you have a certain site that demands the old thing.

However, for the two Surface RT users not using Microsoft’s finest as a glorified photo-frame, the issue is critical. The moribund Microsoft app store doesn’t really offer much in the way of alternatives, and the devices are locked down to all but the most creative owners.

Perhaps a clue that it might be time to move on from Microsoft’s earlier Arm experiment? ®


Police officers have raised concerns about using “biased” artificial-intelligence tools, a report commissioned by one of the UK government’s advisory bodies reveals.

The study warns such software may “amplify” prejudices, meaning some groups could become more likely to be stopped in the street and searched.

It says officers also worry they could become over-reliant on automation.

And it says clearer guidelines are needed for facial recognition’s use.

“The police are concerned that the lack of clear guidance could lead to uncertainty over acceptable uses of this technology,” the Royal United Services Institute (Rusi)’s Alexander Babuta told BBC News.

“And given the lack of any government policy for police use of data analytics, it means that police forces are going to be reluctant to innovate.

“That means any potential benefits of these technologies may be lost because police forces’ risk aversion may lead them not to try to develop or implement these tools for fear of legal repercussions.”

Rusi interviewed about 50 experts for its study, including senior police officers in England and Wales – who were not named – as well as legal experts, academics and government officials.

The work was commissioned by the Centre for Data Ethics and Innovation, which plans to draw up a code of practice covering the police’s use of data analytics next year.

‘Self-fulfilling prophecy’

One of the key concerns expressed was about using existing police records to train machine-learning tools, since these might be skewed by the arresting officers’ own prejudices.

“Young black men are more likely to be stopped and searched than young white men, and that’s purely down to human bias,” said one officer.

“That human bias is then introduced into the datasets and bias is then generated in the outcomes of the application of those datasets.”

An added factor, the report said, was people from disadvantaged backgrounds were more likely to use public services frequently. And this would generate more data about them, which in turn could make them more likely to be flagged as a risk.

Matters could worsen over time, another officer said, when software was used to predict future crime hotspots.

“We pile loads of resources into a certain area and it becomes a self-fulfilling prophecy, purely because there’s more policing going into that area, not necessarily because of discrimination on the part of officers,” the interviewee said.

There was disagreement, however, on how much scope should be given to officers wanting to ignore predictive software’s recommendations.

“Officers often disagree with the algorithm,” said one.

“I’d expect and welcome that challenge. The point where you don’t get that challenge, that’s when people are putting that professional judgement aside.”

But another officer worried about others being too willing to ignore an app’s recommendations, adding: “Professional judgement might just be another word for bias.”

‘Patchwork quilt’

Mr Babuta said this problem could be addressed.

“There are ways that you can scan and analyse the data for bias and then eliminate it,” he told BBC News.

“[And] there are police forces that are exploring the opportunities of these new types of data analytics for actually eliminating bias in their own data sets.”

But he added that “we need clearer processes to ensure that those safeguards are applied consistently”.

In the meantime, one officer described the current landscape as being like “a patchwork quilt – uncoordinated and delivered to different settings and for different outcomes”.

The National Police Chiefs’ Council has responded saying UK police always seek to strike a balance between keeping people safe and protecting their rights.

“For many years police forces have looked to be innovative in their use of technology to protect the public and prevent harm and we continue to explore new approaches to achieve these aims,” Assistant Chief Constable Jonathan Drake said.

“But our values mean we police by consent, so anytime we use new technology we consult with interested parties to ensure any new tactics are fair, ethical and producing the best results for the public.”

Guv’nor explains regression again, without the expletives

A softer, gentler Linus Torvalds released the Linux 5.3 kernel over the weekend and swung open the doors on 5.4.

Things were held up a little this time around, something Torvalds attributed to his travel schedule rather than anything more sinister. He was, however, pleased to note that the extra week meant that a few last-minute fixes could be squeezed in.

While not an earth-shattering release, the 5.3 kernel has brought support for the new AMD Radeon Navi graphics cards, such as the Radeon RX 5700 and RX 5700 XT and x86 Zhaoxin CPUs. Other silicon-supporting tweaks included improvements to Intel Icelake graphics and Intel HDR display support.

However, Torvalds’ emission revealed a gentler side to the Linux supremo as he highlighted a commit he’d reverted “that wasn’t actually buggy”.

“In fact,” he went on, “it was doing exactly what it set out to do, and did it very well.”

The problem, he said, was that “it did it _so_ well that the much improved IO patterns it caused then ended up revealing a user-visible regression due to a real bug in a completely unrelated area.”

Sticking code in the kernel that can mess with existing users is strictly verboten, as Torvalds famously expressed at the end of 2012 in the measured way for which the man is famed. A Christmas to remember for the developer on the receiving end, for sure.

The issue was, of course, a little different this time around, and the manner in which Torvalds explained why regression was important was, as he described, “instructive” rather than expletive-laden. The key takeaway wasn’t about fixing a bug, or iffy code – it was about whether “something breaks existing users’ workflow”, no matter how worthy the intentions.

Torvalds hoped the “better IO patterns introduced by the change” would make an appearance once developers had worked out how to handle the fact that people had begun to rely on the previous behaviour.

If you need the latest and greatest, you can get compiling now, although it might be worth hanging fire for the first point release before letting it anywhere near anything production-related. ®


Body scanners used to screen passengers for hidden explosives and weapons are being used for the first time at a London railway station.

A Home Office sponsored five-day trial has started at Stratford station, east London.

Portable scanners are being used to screen passengers from up to 30ft away without them having to pass through a security checkpoint.

The Home Office said the scheme was part of a “battle against knife crime”.

Policing Minister Kit Malthouse said: “No-one should feel they can walk the streets with a knife and expect to get away with it.

“We are pulling out all the stops in a battle against knife crime in London and across the country.”

The scanners, built by British firm Thruvision, reveal objects hidden inside clothing that block body heat.

Sensitive cameras capable of screening 2,000 passengers an hour will enable officers to see the size, shape and location of any blade or gun.

It does not show any intimate body parts, the Home Office said.

The station, which connects several Transport for London lines with Overground services, has an average of 110,000 passengers a day.

The trial will also look at how officers can use technology to reduce reliance on controversial stop-and-search powers.

Thruvision is already used on the Los Angeles Metro, which last year became the first mass transport system in the US to adopt it.

Assistant Chief Constable Robin Smith, from British Transport Police, said: “Fortunately, knife crime on the rail network is very low.

“In support of the Home Office and other police forces, we are keen to explore how technology can assist us in tackling violent crime head on.”

The BBC is to switch off the news and sport text services on the TV red button early next year.

The decision spells the end of reading headlines, football scores, weather, travel news and more on TV sets, 45 years after the launch of Ceefax.

Red button text launched in 1999, taking over as Ceefax was phased out.

TVs will still be able to access other red button services, like picking a stage to watch at Glastonbury or a court to watch at Wimbledon.

“From early 2020, viewers will no longer be able to access text-based BBC News and BBC Sport content by pressing red,” a BBC spokesperson said.

“It’s always a difficult decision to reduce services, and we don’t take decisions like this lightly, but we have taken it because we have to balance the resources needed to maintain and develop this service with the need to update our systems to give people even better internet-based services.

“Viewers can still access this information on the BBC website, BBC News and Sport mobile apps – as well as 24-hour news on the BBC News Channel.”


A community platform called SuperSisters, aimed at young Muslim women, has defended receiving a grant from the Home Office.

However, it apologised on social media for not being more open about the source of its funding.

It said it had retained “full independent control” over its output.

SuperSisters’s parent company, J-Go, is one of 233 groups that received funding via the government’s Building a Stronger Britain Together programme.

‘Countering extremism’

SuperSisters describes itself as “a global media platform for young Muslimahs in… east London and beyond to share and create inspiring and empowering content with positivity at its core”.

The Home Office said J-Go had received funding since 2018. While its list of successful recipients includes J-Go, it does not specifically name SuperSisters.

“BSBT is an open and transparent programme, which supports local people in their vital work to bring communities together, promote fundamental values and tackle the spread of all extremist ideologies,” it said in a statement.

The platform launched in 2015, in response to the actions of Shamima Begum, who fled Britain to join the Islamic State group in Syria at the age of 15.

In a statement on its website, J-Go said it had accepted the grant to pay its staff a living wage and countering extremism was part of its purpose.

“We want to emphasise that even though BSBT may fund us, they do not have any creative control over SuperSisters content,” it said.

SuperSisters’s former social media manager Sabah Ismail told the Guardian she had left in August after finding out about the grant.

However, J-Go said it was “clear and transparent” about its funding to all interviewed candidates, including Ms Ismail.

Ms Ismail has been contacted by BBC News for comment.

In August, it was revealed the Home Office was behind a social news network called This is Woke, which featured discussions about many aspects of the Muslim faith.

That was part of a government counter-terrorism programme called Prevent, which SuperSisters said it had originally received money from but this had stopped because “what we did was not deemed suitable for the Prevent funding”.

The TV industry is about to enter “a second wave of disruption” due to new players in the streaming market, according to the BBC chief Tony Hall.

In a speech on Wednesday, Lord Hall will say the main impact of the new Disney and Apple streaming services may be felt by Amazon and Netflix.

Lord Hall will welcome their arrival as an opportunity for the BBC to offer an even better service to the UK public.

He will say: “Our industry is about to enter a second wave of disruption.

“The first was about the rise of Netflix, Amazon and Spotify – market shapers that fundamentally changed audience behaviour, often at the cost of huge losses or massive cross-subsidy.”

“The second wave will see a range of new entrants entering an already crowded market,” he will add.

“We saw it last week as Apple announced their new subscription service. Disney, Hulu and others are to follow.

“This is, of course, great for audiences. Possibly.”

The BBC’s director general will go on to say the libraries of Amazon and Netflix are “likely to shrink, as programme-makers pull their content away from these services to place them on their own”.

“The established streamers will need to fight harder to offer the value they currently give today.”

‘Unique mission’

In July, it was announced that shows like Love Island, Gavin & Stacey, Gentleman Jack and Broadchurch will be available on Britbox – their joint streaming venture with ITV – when it launches this year.

Speaking at the Royal Television Society convention in Cambridge, Lord Hall will argue that rather than being a threat, this “second wave of disruption” should act as an opportunity for the corporation, which is “much more than all of them put together.

“In this market, services that are distinctive and different will stand out.”

“And two vital things make us different. Firstly, we have a unique mission and purpose, all audiences – young and old – believe in it.

“Purpose and values matter today more than ever, as people pick and choose services for ethical reasons as much as economic ones.

“Secondly, no one offers the range of content, in so many genres, on so many platforms, as the BBC,” he went on.

“We’re not Netflix, we’re not Spotify. We’re not Apple News. We’re so much more than all of them put together.”

From Monday, the BBC’s Radio iPlayer is being phased out and users will be re-directed to the improved BBC Sounds instead. Lord Hall says BBC Sounds now has “all the key functionality of the old iPlayerRadio” and is being used by two million people every week.

Answering commentators who have argued that the BBC can only lose ground with younger audiences, Lord Hall noted how these online audio services are starting to turn the tide.

“In the space of a year, iPlayer’s reach to young audiences is up by a third.

“There is really promising growth right across the piece. And that’s before we roll out our full plans for extended availability and exclusive content.”
