Tech News

CircleCI, a company whose development products are popular with software engineers, has urged users to rotate their secrets following a breach of the company’s systems.

The San Francisco-headquartered DevOps company said in anadvisory published late Wednesday it is currently investigating the security incident — its most recent in recent years.

“We wanted to make you aware that we are currently investigating a security incident, and that our investigation is ongoing,” CircleCI CTO Rob Zuber. “At this point, we are confident that there are no unauthorized actors active in our systems; however, out of an abundance of caution, we want to ensure that all customers take certain preventative measures to protect your data as well.”

CircleCI, which claims its technology is used by more than a million software engineers, is advising users to rotate “any and all secrets” stored in CircleCI, including those stored in project environment variables or in contexts. Secrets are passwords or private keys that are used to connect and authenticate servers together.

For projects using API tokens, CircleCI said it has invalidated these tokens and users will be required to replace them.

CircleCI, which in 2021 announced a $100M Series F at a $1.7B valuation, hasn’t shared any more information about the nature of the incident and has yet to respond to TechCrunch’s questions.

However, the company is also advising users to audit their internal logs for unauthorized access occurring between December 21, 2022 and January 4, 2023, which suggests the company’s breach began some two weeks earlier. The company on December 21 also announced that it had released reliability updates to the service to resolve underlying “systemic issues.

In 2019, CircleCI was hit by a data breach after a third-party vendor was compromised. This saw hackers compromise user data including usernames and email addresses, usernames and email addresses associated with GitHub and Bitbucket, along with user IP addresses.

In November, CircleCI said that it had also witnessed an increasing number of phishing attempts whereby unauthorized actors were impersonating CircleCI to gain access to users’ code repositories on GitHub.

CircleCI warns customers to rotate ‘any and all secrets’ after hack by Carly Page originally published on TechCrunch

At a time when there is a lot of debate going on around ChatGPT and generative AI potentially eating up jobs, Apple has launched AI-powered audio narration for select titles on Apple Books. On its website for authors, the company says that this feature will help independent authors who might not be able to convert their titles to audiobooks because of “the cost and complexity of production.”

Currently, only select titles are narrated by Apple’s own AI-generated voices. Users will see “Apple Books” in the narrator section for these titles.

While Apple says the program is for independent authors, currently they have to sign up with partner publishing companies — Draft2Digital or Ingram CoreSource — to get their book narrated by Apple’s AI voices.

Apple is already accepting submissions under the romance and fiction genres — with support for only literary, historical, and women’s fiction at the moment — through the partners mentioned above. Plus, it is starting its AI-powered voice narration work for nonfiction and self-development genres. Currently, Apple offers four voices under soprano and baritone categories: Madison and Jackson (romance and fiction); Helena and Mitchell (self-development and non-fiction). The company said that these voices are trained in specific genres, but Apple didn’t specify what training data it is using to tune them.

“Apple Books digital narration brings together advanced speech synthesis technology with important work by teams of linguists, quality control specialists, and audio engineers to produce high-quality audiobooks from an ebook file. Apple Books has long been on the forefront of innovative speech technology and has now adapted it for long-form reading, working alongside publishers, authors, and narrators,” Apple said on its website.

If you look at audiobook titles on the Apple Book store, they are often narrated by the author with other guests or voice artists pitching in at times. Apple’s AI-generation suit probably aims to remove any need for sitting down and recording the narration in a studio. But even with this process, results are not instant. The Cupertino-based company said that once an author submits a request, it takes “one to two months to process the book and conduct quality checks.”

Apple specified that if there is not enough time for post-production checks, the title is published as soon as the processing is completed. However, the company didn’t provide any details on what might be the shortcomings of such a rushed process and how the final might sound.

It’s not clear if authors are allowed to port their Apple AI-powered audiobooks to other platforms. We have asked Apple for a comment, and we will update the story if we hear back.

A report from The Guardian noted that Apple wanted to release this feature last November. But it got delayed because of industry-wide layoffs and the Elon Musk-Twitter drama.

Most platforms — apart from Audible — allow books that are narrated by AI-generated voices. However, Apple’s entry into the market might attract a lot of attention to platforms such as Matrix-backed Murf that creators to make AI-powered audiobooks. At the moment, there’s no detail about how much Apple is charging publishers (or authors) for the whole process of converting a book into an audiobook.

As Apple is getting pushback from regulators about App Store fees, and it might have to allow alternative app stores and third-party payment options that might have an impact on its revenue. So when generative AI is having its moment, Apple is taking the first steps into making it a viable cash-generating option.

Apple launches AI-powered book narrations by Ivan Mehta originally published on TechCrunch

A rare privacy penalty for Apple: France’s data protection watchdog, the CNIL, has announcedit imposed a sanction of €8 million (~$8.5M) on the iPhone maker for not obtaining local mobile users’ consent prior to placing (and/or reading) ad identifiers on their devices in breach of local data protection law.

The sanction decision was issued on December 29 but only made public yesterday (the text of the decision is available here in French).

The CNIL is acting under the European Union’s ePrivacy Directive — which allows for Member State level data protection authorities to take action over local complaints about breaches, rather than requiring they be referred to a lead data supervisor in the country where the company in question has its main EU establishment (as happens with the EU’s newer General Data Protection Regulation, or GDPR).

While the size of this ePrivacy fine isn’t going to cause any sleepless nights in Cupertino, Apple leverages claims of peerless user privacy to polish its premium brand — and differentiate iPhones from cheaper hardware running Google’s Android platform — so any dent in its reputation for protecting user data should sting.

The CNIL says it was acting on a complaint against Apple for showing personalized ads on its App Store. The action relates to an older version (14.6) of the iPhone operating system, under which — after the watchdog investigated in 2021 and 2022 — it found the tech giant had not obtained prior consent from users to process their data for targeted advertising that was served when a user visited Apple’s App Store.

CNIL found that v14.6 of iOS automatically read identifiers on the user’s iPhone — which served a number of purposes, including powering personalizing ads on the App Store — and that processing occurred without Apple obtaining proper consent, in the regulator’s view, as consent was being gathered via a setting that was pre-checked by default. (NB: 2019 CNIL guidance on the ePrivacy Directive stipulates that consent is necessary for ad tracking.)

From the CNIL’s press release [translated from French with machine translation]:

Due to their advertising purpose, these identifiers are not strictly necessary for the provision of the service (the App Store). Consequently, they must not be able to be read and/or deposited without the user having expressed his prior consent. However, in practice, the ad targeting settings available from the iPhone’s ‘Settings’ icon were pre-checked by default.

In addition, the user had to perform a large number of actions to successfully deactivate this parameter since this possibility was not integrated into the initialization process of the telephone. The user had to click on the ‘Settings’ icon of the iPhone, then go to the ‘Privacy’ menu and finally to the section entitled ‘Apple Advertising’. These elements did not make it possible to collect the prior consent of users.

The CNIL said the level of fine reflects the scope of the processing (which it notes was limited to the App Store); the number of French users affected; and the profits Apple derives from ad revenue indirectly generated from the data collected by the identifiers — as well as the regulator factoring in Apple having since brought itself into compliance.

Apple was contacted for comment on the CNIL sanction. A company spokesman confirmed it plans to appeal — sending us this statement:

We are disappointed with this decision given the CNIL has previously recognized that how we serve search ads in the App Store prioritizes user privacy, and we will appeal.Apple Search Ads goes further than any other digital advertising platform we are aware of by providing users with a clear choice as to whether or not they would like personalized ads. Additionally, Apple Search Ads never tracks users across 3rd party apps and websites, and only uses first-party data to personalize ads. We believe privacy is a fundamental human right and a user should always get to decide whether to share their data and with whom.

It’s not the first time Apple has faced critical scrutiny over privacy double standards. Back in 2020, European privacy rights campaign group noyb filed a series of complaints with EU data protection watchdogs about an Identifier for Advertisers (aka IDFA) baked into the iPhone by default by Apple, arguing the existence of the IDFA was a similar breach of the prior consent to tracking principle.

The company has also been accused of privacy hypocrisy in recent years over its different treatment vis-a-vis the tracking of iPhone users’ app activity to serve its own ‘personalized ads’ vs a recently introduced requirement that third party apps obtain consent from users — after it introduced the App Tracking Transparency feature (aka ATT) to iOS back in 2021.

Apple has continued to dispute these lines of arguments — claiming it complies with local privacy laws and offers a higher level of privacy and data protection for iOS users than rival platforms.

France, meanwhile, has been very active in enforcing breaches of ePrivacy against tech giants in recent years, with another example just last month when it hit Microsoft with a €60 million penalty over dark pattern design in relation to cookie tracking — after finding the company had not offered a mechanism for users to refuse cookies that was as easy as the button it presented to them for accepting cookies.

Amazon, Google and Meta (Facebook) have also all been hit with CNIL sanctions for cookie-related breached since 2020. And last year Google went on to update its cookie consent pop-up across the EU to (finally) offer a simple ‘accept all’ or ‘refuse all’ option offered at the top level.

tl;dr: Regulatory enforcement of privacy works.

The steady flow of enforcements and corrections that the CNIL’s interventions have been able to achieve for users in France via ePrivacy — a much older EU directive than the GDPR — has cast further critical light on the operation of the latter flagship privacy regulation where scrutiny and enforcement on tech giants continues to be bogged down by forum shopping, associated procedural bottlenecks and resourcing issues, as well as by disputes between regulators over how to settle these cross-border cases.

But while a GDPR complaint against a tech giant can take years, plural to get enforced — such as the ~4.8 years it took to finalize ‘forced consent’ advertising complaints against two Meta properties, Facebook and Instagram, and still with likely years of appeals of that decision ahead (and with other even longer-standing complaints still inching painstakingly toward a final decision) — the difference between an EU directive and a regulation means that enforcement is pan-EU by default, rather than being localized to the jurisdiction of the enforcing DPA. That means, with ePrivacy, any wider compliance rollouts are at the discretion of a sanctioned entity — so the impact for users may be more localized.

Additionally, any (eventual) GDPR penalties may also be more substantial than ePrivacy stings — with the GDPR allowing for fines of up to 4% of global annual turnover, while ePrivacy is stuck with an older regime that leaves it up to Member States to set “effective, proportionate and dissuasive” penalties. (Ergo, user rights here are tethered to local politics.)

Although corrective orders can have far more bite for big tech than financial sanctions given how much revenue these giants pull in — as even fines that run to hundreds of millions or more may be written off as just a cost of doing business. Whereas orders to change practices to comply with privacy laws can force meaningful reforms.

It’s worth noting that the EU has been attempting — for years — to replace the now more-than-two-decades-old ePrivacy Directive with an updated ePrivacy Regulation. However big tech lobbying and lawmaker disputes over a 2017 Commission proposal have conspired to stall the file for most of this period.

Member States did, at long last, agree a common negotiating position in February 2021 — finally enabling trilogue negotiations to kick off. But debates between the EU’s co-legislators over big and small details continue — and it’s not clear when (or even if) a consensus can be hashed out.

And that means the veteran ePrivacy Directive may still have years more working life — and millions more in big tech fines — ahead of it.

France fines Apple over App Store ad targeting ePrivacy breach by Natasha Lomas originally published on TechCrunch

Amazon has announced that it will be “eliminating” more than 18,000 roles at the company, extending a previously-announced round of layoffs that was set to impact some 10,000 workers.

The announcement is significant in terms of the number of people impacted, though it represents just 1.2% of Amazon’s 1.5 million global headcount.

In a memo to employees early this morning, CEO Andy Jassy said that in addition to the roles affected in its Devices and Books businesses during its previous announcement back in November, the majority of the roles hit by the latest cutbacks will be in its People, Experience, and Technology (PXT) and Amazon Stores businesses.

Layoffs continue

The news comes just a day after Salesforce announced that it was cutting around 10% of its workforce, impacting more than 7,000 employees, and continues a trend that saw countless companies throughout 2022 scale back their workforces to counter economic headwinds. Data from layoff-tracking website Layoffs.fyi suggests that tech companies cut more than 150,000 positions in 2022.

Today’s announcement was seemingly made earlier than Amazon had intended after a Wall Street Journal report got hold of preliminary details via a leak, which is why Amazon said that it has yet to inform those that will be impacted — but it plans to do so starting on January 18.

“We typically wait to communicate about these outcomes until we can speak with the people who are directly impacted,” Jassy wrote. “However, because one of our teammates leaked this information externally, we decided it was better to share this news earlier so you can hear the details directly from me.”

This also means that Amazon has yet to announce what kind of severance packages it will provide, though Jassy said it will provide a “separation payment, transitional health insurance benefits, and external job placement support.”

Amazon to cut 18,000 jobs as tech layoffs continue by Paul Sawers originally published on TechCrunch