A group of influential users and developers of MySQL have invited Oracle to join their plans to create an independent foundation to guide the future development of the popular open source database, which Big Red owns.…

In honor of this important anniversary, I downloaded the original Flash SWF file from Internet Archive, played it using Ruffle in a full-screen window, and replaced the audio with the original MP3 of "Invasion of the Gabber Robots" by The Laziest Men on Mars. So this is probably the highest fidelity encoding possible, without going back to the original forum GIFs.

Make your time.

While the move came as a surprise to the high-profile vaccine maker, it is just the latest hostility toward vaccines—and mRNA vaccines in particular—from an agency overseen by the fervent anti-vaccine activist Robert F. Kennedy Jr. In his first year in office, Kennedy has already dramatically slashed childhood vaccine recommendations and canceled $500 million in research funding for mRNA vaccines against potential pandemic threats.

In a news release late Tuesday, Moderna said it was blindsided by the FDA's refusal, which the FDA cited as being due to the design of the company's Phase 3 trial for its mRNA flu vaccine, dubbed mRNA-1010. Specifically, the FDA's rejection was over the comparator vaccine Moderna used.

Read full article

Comments

At some point, you may have been faced with the decision yourself: should I continue to use this service if I have to verify my age? And if so, how can I do that with the least risk to my personal information? This is our guide to navigating those decisions, with information on what questions to ask about the age verification options you’re presented with, and answers to those questions for some of the top most popular social media sites. Even though there’s no way to implement mandated age gates in a way that fully protects speech and privacy rights, our goal here is to help you minimize the infringement of your rights as you manage this awful situation.

Follow the Data

Since we know that leaks happen despite the best efforts of software engineers, we generally recommend submitting the absolute least amount of data possible. Unfortunately, that’s not going to be possible for everyone. Even facial age estimation solutions where pictures of your face never leave your device, offering some protection against data leakage, are not a good option for all users: facial age estimation works less well for people of color, trans and nonbinary people, and people with disabilities. There are some systems that use fancy cryptography so that a digital ID saved to your device won’t tell the website anything more than if you meet the age requirement, but access to that digital ID isn’t available to everyone or for all platforms. You may also not want to register for a digital ID and save it to your phone, if you don’t want to take the chance of all the information on it being exposed upon request of an over-zealous verifier, or you simply don’t want to be a part of a digital ID system

If you’re given the option of selecting a verification method and are deciding which to use, we recommend considering the following questions for each process allowed by each vendor:

• Data: What info does each method require?
• Access: Who can see the data during the course of the verification process?
• Retention: Who will hold onto that data after the verification process, and for how long?
• Audits: How sure are we that the stated claims will happen in practice? For example, are there external audits confirming that data is not accidentally leaked to another site along the way? Ideally these will be in-depth, security-focused audits by specialized auditors like NCC Group or Trail of Bits, instead of audits that merely certify adherence to standards. 
• Visibility: Who will be aware that you’re attempting to verify your age, and will they know which platform you’re trying to verify for?

We attempt to provide answers to these questions below. To begin, there are two major factors to consider when answering these questions: the tools each platform uses, and the overall system those tools are part of.

In general, most platforms offer age estimation options like face scans as a first line of age assurance. These vary in intrusiveness, but their main problem is inaccuracy, particularly for marginalized users. Third-party age verification vendors Private ID and k-ID offer on-device facial age estimation, but another common vendor, Yoti, sends the image to their servers during age checks by some of the biggest platforms. This risks leaking the images themselves, and also the fact that you’re using that particular website, to the third party. 

Then, there’s the document-based verification services, which require you to submit a hard identifier like a government-issued ID. This method thus requires you to prove both your age and your identity. A platform can do this in-house through a designated dataflow, or by sending that data to a third party. We’ve already seen examples of how this can fail. For example, Discord routed users’ ID data through its general customer service workflow so that a third-party vendor could perform manual review of verification appeals. No one involved ever deleted users’ data, so when the system was breached, Discord had to apologize for the catastrophic disclosure of nearly 70,000 photos of users’ ID documents. Overly long retention periods expose documents to risk of breaches and historical data requests. Some document verifiers have retention periods that are needlessly long. This is the case with Incode, which provides ID verification for Tiktok. Incode holds onto images forever by default, though TikTok should automatically start the deletion process on your behalf.

Some platforms offer alternatives, like proving that you own a credit card, or asking for your email to check if it appears in databases associated with adulthood (like home mortgage databases). These tend to involve less risk when it comes to the sensitivity of the data itself, especially since credit cards can be replaced, but in general still undermine anonymity and pseudonymity and pose a risk of tracking your online activity. We’d prefer to see more assurances across the board about how information is handled.

Each site offers users a menu of age assurance options to choose from. We’ve chosen to present these options in the rough order that we expect most people to prefer. Jump directly to a platform to learn more about its age checks:

• Meta – Facebook, Instagram, WhatsApp, Messenger, Threads
• Google – Gmail, YouTube
• TikTok
• Everywhere Else

Meta – Facebook, Instagram, WhatsApp, Messenger, Threads

Inferred Age

If Meta can guess your age, you may never even see an age verification screen. Meta, which runs Facebook, Threads, Instagram, Messenger, and WhatsApp, first tries to use information you’ve posted to guess your age, like looking at “Happy birthday!” messages. It’s a creepy reminder that they already have quite a lot of information about you.

If Meta cannot guess your age, or if Meta infers you’re too young, it will next ask you to verify your age using either facial age estimation, or by uploading your photo ID. 

Face Scan

If you choose to use facial age estimation, you’ll be sent to Yoti, a third-party verification service. Your photo will be uploaded to their servers during this process. Yoti claims that “as soon as an age has been estimated, the facial image is immediately and permanently deleted.” Though it’s not as good as not having that data in the first place, Yoti’s security measures include a bug bounty program and annual penetration testing. Researchers from Mint Secure found that Yoti’s app and website are filled with trackers, so the fact that you’re verifying your age could be not only shared to Yoti, but leaked to third-party data brokers as well. 

You may not want to use this option if you’re worried about third parties potentially being able to know you’re trying to verify your age with Meta. You also might not want to use this if you’re worried about a current picture of your face accidentally leaking—for example, if elements in the background of your selfie might reveal your current location. On the other hand, if you consider a selfie to be less sensitive than a photograph of your ID, this option might be better. If you do choose (or are forced to) use the face check system, be sure to snap your selfie without anything you’d be concerned with identifying your location or embarrassing you in the background in case the image leaks.

Upload ID

If Yoti’s age estimation decides your face looks too young, or if you opt out of facial age estimation, your next recourse is to send Meta a photo of your ID. Meta sends that photo to Yoti to verify the ID. Meta says it will hold onto that ID image for 30 days, then delete it. Meanwhile, Yoti claims it will delete the image immediately after verification. Of course, bugs and process oversights exist, such as accidentally replicating information in logs or support queues, but at least they have stated processes. Your ID contains sensitive information such as your full legal name and home address. Using this option not only runs the (hopefully small, but never nonexistent) risk of that data getting leaked through errors or hacking, but it also lets Meta see the information needed to tie your profile to your identity—which you may not want. If you don’t want Meta to know your name and where you live, or rely on both Meta and Yoti to keep to their deletion promises, this option may not be right for you.

Google – Gmail, YouTube 

Inferred Age

If Google can guess your age, you may never even see an age verification screen. Your Google account is typically connected to your YouTube account, so if (like mine) your YouTube account is old enough to vote, you may not need to verify your Google account at all. Google first uses information it already knows to try to guess your age, like how long you’ve had the account and your YouTube viewing habits. It’s yet another creepy reminder of how much information these corporations have on you, but at least in this case they aren’t likely to ask for even more identifying data.

If Google cannot guess your age, or decides you’re too young, Google will next ask you to verify your age. You’ll be given a variety of options for how to do so, with availability that will depend on your location and your age.

Google’s methods to assure your age include ID verification, facial age estimation, verification by proxy, and digital ID. To prove you’re over 18, you may be able to use facial age estimation, give Google your credit card information, or tell a third-party provider your email address.

Face Scan

If you choose to use facial age estimation, you’ll be sent to a website run by Private ID, a third-party verification service. The website will load Private ID’s verifier within the page—this means that your selfie will be checked without any images leaving your device. If the system decides you’re over 18, it will let Google know that, and only that. Of course, no technology is perfect—should Private ID be mandated to target you specifically, there’s nothing to stop it from sending down code that does in fact upload your image, and you probably won’t notice. But unless your threat model includes being specifically targeted by a state actor or Private ID, that’s unlikely to be something you need to worry about. For most people, no one else will see your image during this process. Private ID will, however, be told that your device is trying to verify your age with Google and Google will still find out if Private ID thinks that you’re under 18.

If Private ID’s age estimation decides your face looks too young, you may next be able to decide if you’d rather let Google verify your age by giving it your credit card information, photo ID, or digital ID, or by letting Google send your email address to a third-party verifier.

Email Usage

If you choose to provide your email address, Google sends it on to a company called VerifyMy. VerifyMy will use your email address to see if you’ve done things like get a mortgage or paid for utilities using that email address. If you use Gmail as your email provider, this may be a privacy-protective option with respect to Google, as Google will then already know the email address associated with the account. But it does tell VerifyMy and its third-party partners that the person behind this email address is looking to verify their age, which you may not want them to know. VerifyMy uses “proprietary algorithms and external data sources” that involve sending your email address to “trusted third parties, such as data aggregators.” It claims to “ensure that such third parties are contractually bound to meet these requirements,” but you’ll have to trust it on that one—we haven’t seen any mention of who those parties are, so you’ll have no way to check up on their practices and security. On the bright side, VerifyMy and its partners do claim to delete your information as soon as the check is completed.

Credit Card Verification

If you choose to let Google use your credit card information, you’ll be asked to set up a Google Payments account. Note that debit cards won’t be accepted, since it’s much easier for many debit cards to be issued to people under 18. Google will then charge a small amount to the card, and refund it once it goes through. If you choose this method, you’ll have to tell Google your credit card info, but the fact that it’s done through Google Payments (their regular card-processing system) means that at least your credit card information won’t be sitting around in some unsecured system. Even if your credit card information happens to accidentally be leaked, this is a relatively low-risk option, since credit cards come with solid fraud protection. If your credit card info gets leaked, you should easily be able to dispute fraudulent charges and replace the card.

Digital ID

If the option is available to you, you may be able to use your digital ID to verify your age with Google. In some regions, you’ll be given the option to use your digital ID. In some cases, it’s possible to only reveal your age information when you use a digital ID. If you’re given that choice, it can be a good privacy-preserving option. Depending on the implementation, there’s a chance that the verification step will “phone home” to the ID provider (usually a government) to let them know the service asked for your age. It’s a complicated and varied topic that you can learn more about by visiting EFF’s page on digital identity.

Upload ID

Should none of these options work for you, your final recourse is to send Google a photo of your ID. Here, you’ll be asked to take a photo of an acceptable ID and send it to Google. Though the help page only states that your ID “will be stored securely,” the verification process page says ID “will be deleted after your date of birth is successfully verified.” Acceptable IDs vary by country, but are generally government-issued photo IDs. We like that it’s deleted immediately, though we have questions about what Google means when it says your ID will be used to “improve [its] verification services for Google products and protect against fraud and abuse.” No system is perfect, and we can only hope that Google schedules outside audits regularly.

TikTok

Inferred Age

If TikTok can guess your age, you may never even see an age verification notification. TikTok first tries to use information you’ve posted to estimate your age, looking through your videos and photos to analyze your face and listen to your voice. By uploading any videos, TikTok believes you’ve given it consent to try to guess how old you look and sound.

If TikTok decides you’re too young, appeal to revoke their age decision before the deadline passes. If TikTok cannot guess your age, or decides you’re too young, it will automatically revoke your access based on age—including either restricting features or deleting your account. To get your access and account back, you’ll have a limited amount of time to verify your age. As soon as you see the notification that your account is restricted, you’ll want to act fast because in some places you’ll have as little as 23 days before the deadline passes.

When you get that notification, you’re given various options to verify your age based on your location.

Face Scan

If you’re given the option to use facial age estimation, you’ll be sent to Yoti, a third-party verification service. Your photo will be uploaded to their servers during this process. Yoti claims that “as soon as an age has been estimated, the facial image is immediately and permanently deleted.” Though it’s not as good as not having that data in the first place, Yoti’s security measures include a bug bounty program and annual penetration testing. However, researchers from Mint Secure found that Yoti’s app and website are filled with trackers, so the fact that you’re verifying your age could be leaked not only to Yoti, but to third-party data brokers as well.

You may not want to use this option if you’re worried about third parties potentially being able to know you’re trying to verify your age with TikTok. You also might not want to use this if you’re worried about a current picture of your face accidentally leaking—for example, if elements in the background of your selfie might reveal your current location. On the other hand, if you consider a selfie to be less sensitive than a photograph of your ID or your credit card information, this option might be better. If you do choose (or are forced to) use the face check system, be sure to snap your selfie without anything you’d be concerned with identifying your location or embarrassing you in the background in case the image leaks.

Credit Card Verification

If you have a credit card in your name, TikTok will accept that as proof that you’re over 18. Note that debit cards won’t be accepted, since it’s much easier for many debit cards to be issued to people under 18. TikTok will charge a small amount to the credit card, and refund it once it goes through. It’s unclear if this goes through their regular payment process, or if your credit card information will be sent through and stored in a separate, less secure system. Luckily, these days credit cards come with solid fraud protection, so if your credit card gets leaked, you should easily be able to dispute fraudulent charges and replace the card. That said, we’d rather TikTok provide assurances that the information will be processed securely.

Credit Card Verification of a Parent or Guardian

Sometimes, if you’re between 13 and 17, you’ll be given the option to let your parent or guardian confirm your age. You’ll tell TikTok their email address, and TikTok will send your parent or guardian an email asking them (a) to confirm your date of birth, and (b) to verify their own age by proving that they own a valid credit card. This option doesn’t always seem to be offered, and in the one case we could find, it’s possible that TikTok never followed up with the parent. So it’s unclear how or if TikTok verifies that the adult whose email you provide is your parent or guardian. If you want to use credit card verification but you’re not old enough to have a credit card, and you’re ok with letting an adult know you use TikTok, this option may be reasonable to try.

Photo with a Random Adult?

Bizarrely, if you’re between 13 and 17, TikTok claims to offer the option to take a photo with literally any random adult to confirm your age. Its help page says that any trusted adult over 25 can be chosen, as long as they’re holding a piece of paper with the code on it that TikTok provides. It also mentions that a third-party provider is used here, but doesn’t say which one. We haven’t found any evidence of this verification method being offered. Please do let us know if you’ve used this method to verify your age on TikTok!

Photo ID and Face Comparison

If you aren’t offered or have failed the other options, you’ll have to verify your age by submitting a copy of your ID and matching photo of your face. You’ll be sent to Incode, a third-party verification service. In a disappointing failure to meet the industry standard, Incode itself doesn’t automatically delete the data you give it once the process is complete, but TikTok does claim to “start the process to delete the information you submitted,” which should include telling Incode to delete your data once the process is done. If you want to be sure, you can ask Incode to delete that data yourself. Incode tells TikTok that you met the age threshold without providing your exact date of birth, but then TikTok wants to know the exact date anyway, so it’ll ask for your date of birth even after your age has been verified.

TikTok itself might not see your actual ID depending on its implementation choices, but Incode will. Your ID contains sensitive information such as your full legal name and home address. Using this option not only runs the (hopefully small, but never nonexistent) risk of that data getting accidentally leaked through errors or hacking. If you don’t want TikTok or Incode to know your name, what you look like, and where you live—or if you don’t want to rely on both TikTok and Incode to keep to their deletion promises—then this option may not be right for you.

Everywhere Else

We’ve covered the major providers here, but age verification is unfortunately being required of many other services that you might use as well. While the providers and processes may vary, the same general principles will apply. If you’re trying to choose what information to provide to continue to use a service, consider the “follow the data” questions mentioned above, and try to find out how the company will store and process the data you give it. The less sensitive information, the fewer people have access to it, and the more quickly it will be deleted, the better. You may even come to recognize popular names in the age verification industry: Spotify and OnlyFans use Yoti (just like Meta and Tiktok), Quora and Discord use k-ID, and so on. 

Unfortunately, it should be clear by now that none of the age verification options are perfect in terms of protecting information, providing access to everyone, and safely handling sensitive data. That’s just one of the reasons that EFF is against age-gating mandates, and is working to stop and overturn them across the United States and around the world.

Republished from the EFF’s Deeplinks blog.

“Please help,” the woman said, again and again, her voice rising to a scream.

Then, her pleas stopped.

By the time support arrived, the observer was gone. All that remained was an empty SUV, engine running, abandoned in the middle of the city’s snow-lined streets.

Referred to locally as abductions, it was at least the fourth such disappearance of the day — the third in a span of less than 30 minutes.

The observers call themselves commuters. They are locals who have organized to resist “Operation Metro Surge,” a massive U.S. Immigration and Customs Enforcement and Border Patrol campaign targeting Minnesota’s undocumented population, by monitoring federal operations in the Twin Cities. The Department of Homeland Security, which oversees both agencies, has called the incursion the largest immigration enforcement operation in history.

Three days before the commuters were taken, the new head of Metro Surge, Trump administration border czar Tom Homan, announced a “drawdown” of 700 federal officers and agents. The president had tapped Homan to head the mission a week earlier, appointing the former ICE acting director to take over from Border Patrol commander Gregory Bovino, whose heavy-handed tactics culminated in three shootings in three weeks, including the killings of U.S. citizens Renee Good and Alex Pretti.

Homan has vowed to take a more “targeted” line of attack in Minnesota. His announced drawdown has fueled speculation that the civil rights abuses and unlawful arrests documented in viral videos and court filings during Bovino’s tenure may be coming to an end. On the ground, the feeling is quite different.

In a message circulated among commuters Friday, the community group Defrost MN, which uses crowdsourced data to track federal immigration operations, warned residents of an “uptick in abductions” — which refer to arrests of both immigrant community members and legal observers — following Homan’s takeover and an increase in the number of government personnel and vehicles involved in those operations.

“National attention on Minnesota has waned with the departure of Bovino and rhetoric by Homan that things are de-escalating,” the group noted, but recent data and reports from commuters in the field did not support those conclusions. Despite orders to the contrary, the group continued, “Agents continue to draw their weapons and deploy chemical agents against observers.”

Meanwhile, the deportation pipeline out of Minnesota continues to flow, with 66 shackled passengers loaded onto a plane the night of Homan’s address — the highest total in nearly two weeks — according to evidence collected at the Minneapolis–St. Paul International Airport.

Friday’s midafternoon disappearance of multiple commuters in quick succession provided visceral evidence that, despite the change in leadership, the struggle between President Donald Trump’s federal agents and residents continues.

Commuter Kaegan Recher was among those who hurried to the scene of the observer who disappeared while on call.

“She was so scared,” Recher told The Intercept. “The terror in her voice was really, really horrible.”

Response to a Siege

In Minneapolis and St. Paul, as well as the surrounding suburbs, tens of thousands of immigrant families are relying on churches and mutual aid for food and financial support. People have not left their homes for weeks. Local schools have reverted to Covid-era online measures to support immigrant students too terrified to come to class. Those students who still attend in person are transported by U.S.-born neighbors and family friends. Campuses at all grade levels are patrolled by volunteers in fluorescent vests, an effort aimed at deterring federal agents’ practice of targeting parent pick-up and drop-off sites.

Conservative estimates from local healthcare providers suggest emergency room and clinic visits in the Minneapolis area are down by 25 percent. City leaders report local businesses are losing upwards of $20 million a week. Immigrant-owned businesses have been devasted, with revenue losses hovering between 80 to 100 percent and many closing their doors for good.

These are the conditions commuters respond to. Their focus is two-fold: to document and alert. Some participate on foot, others by bicycle, many by car. They patrol neighborhoods, reporting suspicious vehicles, the license plates of which are run through a crowdsourced database of known or suspected Department of Homeland Security vehicles. When confirmations are made, commuters follow, honking their horns while observers on foot blow whistles at the passing vehicles. The Intercept has observed several such interactions in recent weeks.

Typically, federal agents try to lose the tail. If they are traveling in a caravan, one vehicle may drive slowly ahead of a commuter, allowing others to speed away. If commuters outnumber the agents, the maneuver can be difficult. Unable to shake their noisy entourage, agents will often head for the highway and, if the pursuit continues, retreat to federal headquarters.

Most commuters are careful to keep a distance between their vehicles and those of the agents. Sometimes, the authorities will pull over and stop. The commuters will stop behind them. Both vehicles will sit idling, waiting for the other to move, then carry on.

Related

Federal Agents Keep Invoking Killing of Renee Good to Threaten Protesters in Minnesota

Occasionally, agents, heavily armed and frequently masked, will exit their vehicles and warn commuters to cease their pursuit. Some commuters do; others don’t. Sometimes, commuters come upon agents at a home, a business, or an apartment complex. Given the heated state of affairs — two Americans dead, immigrants living in terror, children unable to attend school, and sweeping social and economic impacts — the encounters are often raw with emotion. Nearly everything is recorded, by agents and commuters alike.

As these interactions have become a familiar, legal experts have noted that following and filming law enforcement is protected under the Constitution. With the federal government asserting sweeping and highly contested immigration authorities, they say those efforts are more important than ever.

The Trump administration has taken a different view. Officials argue Minnesota is infested with “agitators” impeding law enforcement. Mounting evidence suggests they are mobilizing resources to put their resistance down.

Homan’s Takeover

Much of the recent media attention surrounding Metro Surge has focused on Homan’s reduction in forces, a move the border czar has linked to Minnesota expanding ICE’s access to jails, thus reducing the number of federal personnel needed to meet the administration’s immigration arrest quotas.

With some 2,000 officers and agents still on the ground, the current federal contingent is still 13 times larger than the agencies’ normal footprint, outnumbering the Minneapolis Police Department three to one.

Related

While Minnesotans Rejoice Over Greg Bovino’s Ouster, His Replacement Is a Deportation Hard-Liner

While reducing the number of federal agents dominated headlines, it isn’t the only talking point Homan has driven home since taking over.

Homan spent much of a press conference last week describing how ICE’s full withdrawal hinges on the public acquiescing to the agency’s mission, which, he stressed, is to achieve the president’s promise of “mass deportations.” The immediate goal in Minnesota is a complete federal drawdown, Homan explained, “but that is largely contingent on the end of the illegal and threatening activities against ICE and its federal partners that we’re seeing in the community.”  

In the past month, Homan told reporters, 158 people have been arrested for interfering with federal law enforcement, a crime for which penalties range from one to 20 years in prison. Of those cases, he claimed, 85 have been accepted for prosecution. The rest are still pending.

In most cases, people arrested for interfering with ICE are taken to the Bishop Henry Whipple Federal Building, a seven-story edifice that is part of Fort Snelling, the historic site of a government-run concentration camp during the U.S.–Dakota War of 1862.

Typically, commuters and other legal observers are held for around eight hours before being released. During that time, U.S. officials collect a range of identifying information. With ample evidence that the Department of Homeland Security is amassing a growing catalogue of the president’s critics, and with Homan himself advertising his desire to include people who follow ICE’s activities in a government “database,” community concern is running high over what, exactly, the Trump administration is doing with its information on U.S. citizens.

In his address last week, Homan described an evolving effort by federal officials, including creation of a “multi-agency surge task force” and a new “unified joint operations center” that will allow the agency to “leverage joint intelligence capabilities to effectively target threats.” He emphasized that there would be no reduction in security elements — often militarized tactical teams — assigned to guard deportation operations against “hostile incidents, until we see a change in what’s happening with the lawlessness in impeding and interfering and assaulting of ICE and Border Patrol officers.”

Homan reminded the press that he’s long warned that the “hateful extreme rhetoric” of the president’s opponents would lead to bloodshed. Now, he said, “there has been.” Without acknowledging whose blood had been spilled, or by whom, Homan implored local leaders to urge calmness and “end the resistance.”

“One Warning”

Recher, the commuter who responded to Friday’s observer disappearances, has been in the streets monitoring ICE’s operations since early January. His busiest week was after Homan took over. He’s since noticed that agents have been less prone to immediately jump out of their cars with guns drawn — a welcome change — but that a similarly unsettling directive appears to have gone out regarding ICE’s engagement with the public.

A video he shot Friday appeared to confirm as much, with a deportation officer telling Recher that he and his colleagues have been ordered to give commuters a single warning before taking them into custody.

“You just got one warning, that’s it,” the officer said. “What we’re told, that’s all you need.”

Recher heeded the officer’s warning. He received the panicked and disturbing call for help from the vanished commuter soon after.

“I hear less and less about successful abductions, which I’m glad,” he said. “But I hear more and more about abductions of observers.”

For Recher, like so many others following ICE’s operations in Minnesota, the point of commuting is the thousands of immigrant families living in hiding across the Twin Cities. It is an effort to push back against the pervasive fear at the heart of the Trump administration’s occupation.

“How do you justify terrorizing an entire community?” he asked. “It is the most un-American thing I’ve ever experienced in my entire life.”

The post “Uptick in Abductions”: ICE Ramps Up Targeting of Minneapolis Legal Observers appeared first on The Intercept.

Republicans hate it because they say it lets websites censor conservative speech. Democrats hate it because they say it lets websites host dangerous disinformation.

Read those two sentences again.

One side is furious that platforms can moderate. The other side is furious that platforms don’t have to moderate. Both sides are attacking the same 26-word provision of a 30-year-old law—and if you understand why their complaints are contradictory, you understand what Section 230 actually does.

This weekend marked the 30th anniversary of the Telecommunications Act of 1996, which contained the mostly unconstitutional Communications Decency Act, which inexplicably contained Section 230. (If you want the full history, I hosted a podcast series about it last year.) And after three decades, there’s now a concerted, bipartisan effort to kill it—by people who either don’t understand what the law does, or understand perfectly well and see its destruction as a path to controlling the flow of information online.

Years back I wrote a piece debunking many of the myths about 230. The myths have only multiplied since.

Both critiques, stripped of their partisan framing, are about the same thing: who gets to control what speech appears where. And Section 230’s answer to both sides is the same: pound sand.

That’s what the law actually does. It doesn’t mandate or prohibit “censorship.” It doesn’t require neutrality (that’s a myth that won’t die). It simply says: if you have a problem with content online, take it up with the person who created it, not the service hosting it. Platforms can moderate however they see fit—aggressively, lightly, inconsistently, politically—and they won’t face ruinous liability for those choices. They also won’t face liability for what they don’t remove.

This is what makes an open internet possible. Without that protection, no service would risk hosting user content at all. Or if they did, every moderation decision would require a lawyer’s sign-off, optimizing for liability reduction rather than healthy communities. The people who actually understand how to build good online spaces—trust and safety professionals, community managers—would be overruled by legal departments playing defense.

Almost all criticism of Section 230 is not actually about Section 230. It’s about one of two things: (1) not liking something in society that manifests online, and incorrectly believing that changing the law will somehow fix it, or (2) wanting control over what content platforms host.

So what happens if critics get their way? There’s a lobbying campaign right now claiming that reforming or repealing 230 will lead to “greater responsibility from tech companies.”

This is exactly backwards.

Without 230’s protections, smaller platforms—the ones that might actually compete with the giants—get destroyed first. They can’t afford the vexatious lawsuits. They can’t afford buildings full of lawyers. The big players survive, and their market position gets locked in even harder.

And those surviving giants won’t become more responsible. They’ll become less. Any competent legal team will tell them: the less you know, the less liability you have. Don’t proactively look for harmful content. Don’t research how your platform causes harm—those findings would be exhibit A in every lawsuit. Just stick your head in the sand and let the lawyers handle the subpoenas.

This is how liability regimes work, and America’s exceptionally litigious legal culture makes these incentives even stronger. The critics either don’t understand this or don’t care, because their actual goal was never “responsibility.” It was control. That they’ve duped some tech critics into thinking it’s about “responsibility” or “safety” doesn’t change that. Because it won’t improve responsibility or safety. But it will give politicians tremendous power over online speech.

Thirty years ago, a 26-word provision buried in a mostly unconstitutional law kicked off the open internet. It let anyone build a platform, host a community, create something new—without needing permission from lawyers or regulators first. That era is now under direct attack by people who misrepresent what Section 230 does and misrepresent what killing it would mean.

The open web turned 30 this weekend. The bipartisan campaign to kill it was never about responsibility or safety, it was always about control. Whether the open web sees age 31 comes down to 26 words that tell both sides to pound sand.

PostgreSQL 18 made one very important change – data block checksums are now enabled by default for new clusters at cluster initialization time. I already wrote about it in my previous article. I also mentioned that there are still many existing PostgreSQL installations without data checksums enabled, because this was the default in previous versions. In those installations, data corruption can sometimes cause mysterious errors and prevent normal operational functioning. In this post, I want to dissect common PostgreSQL data corruption modes, to show how to diagnose them, and sketch how to recover from them.

Corruption in PostgreSQL relations without data checksums surfaces as low-level errors like “invalid page in block xxx”, transaction ID errors, TOAST chunk inconsistencies, or even backend crashes. Unfortunately, some backup strategies can mask the corruption. If the cluster does not use checksums, then tools like pg_basebackup, which copy data files as they are, cannot perform any validation of data, so corrupted pages can quietly end up in a base backup. If checksums are enabled, pg_basebackup verifies them by default unless –no-verify-checksums is used. In practice, these low-level errors often become visible only when we directly access the corrupted data. Some data is rarely touched, which means corruption often surfaces only during an attempt to run pg_dump — because pg_dump must read all data.

Typical errors include:

-- invalid page in a table:
pg_dump: error: query failed: ERROR: invalid page in block 0 of relation base/16384/66427
pg_dump: error: query was: SELECT last_value, is_called FROM public.test_table_bytea_id_seq

-- damaged system columns in a tuple:
pg_dump: error: Dumping the contents of table "test_table_bytea" failed: PQgetResult() failed.
pg_dump: error: Error message from server: ERROR: could not access status of transaction 3353862211
DETAIL: Could not open file "pg_xact/0C7E": No such file or directory.
pg_dump: error: The command was: COPY public.test_table_bytea (id, id2, id3, description, data) TO stdout;

-- damaged sequence:
pg_dump: error: query to get data of sequence "test_table_bytea_id2_seq" returned 0 rows (expected 1)

-- memory segmentation fault during pg_dump:
pg_dump: error: Dumping the contents of table "test_table_bytea" failed: PQgetCopyData() failed.
pg_dump: error: Error message from server: server closed the connection unexpectedly
This probably means the server terminated abnormally
before or while processing the request.
pg_dump: error: The command was: COPY public.test_table_bytea (id, id2, id3, description, data) TO stdout;

/*
* The following checks don't prove the header is correct, only that
* it looks sane enough to allow into the buffer pool. Later usage of
* the block can still reveal problems, which is why we offer the
* checksum option.
*/

if ((p->pd_flags & ~PD_VALID_FLAG_BITS) == 0 &&
    p->pd_lower <= p->pd_upper &&
    p->pd_upper <= p->pd_special &&
    p->pd_special <= BLCKSZ &&
    p->pd_special == MAXALIGN(p->pd_special))
    header_sane = true;

if (header_sane && !checksum_failure)
    return true;

SELECT * FROM page_header(get_raw_page('pg_toast.pg_toast_32840', 100));

     lsn    | checksum | flags | lower | upper | special | pagesize | version | prune_xid
------------+----------+-------+-------+-------+---------+----------+---------+-----------
 0/2B2FCD68 |        0 |     4 |    40 |    64 |    8192 |     8192 |       4 |         0

Here we can nicely see the Item IDs array – offsets and lengths. The first tuple is stored at the very end of the data block, therefore it has the biggest offset. Each subsequent tuple is stored closer and closer to the beginning of the page, so offsets are getting smaller. We can also see lengths of tuples, they are all different, because they contain a variable-length text value. We can also see tuples and their system columns, but we will look at them later.

Now, when we damage the Item IDs array and diagnose how it looks like – output is shortened because all other columns are empty as well. Due to the damaged Item IDs array, we cannot properly read tuples. Here we can immediately see the problem – offsets and lengths contain random values, the majority of them exceeding 8192, i.e. pointing well beyond data page boundaries:

 lp | lp_off | lp_flags | lp_len | t_xmin | t_xmax 
----+--------+----------+--------+--------+--------
  1 |  19543 |        1 |  16226 |        | 
  2 |   5585 |        2 |   3798 |        | 
  3 |  25664 |        3 |  15332 |        | 
  4 |  10285 |        2 |  17420 |        |

SELECT * FROM verify_heapam('test_table', FALSE, FALSE, 'none', 7, 7);

 blkno | offnum | attnum | msg
-------+--------+--------+---------------------------------------------------------------------------
     7 |      1 |        | line pointer to page offset 19543 is not maximally aligned
     7 |      2 |        | line pointer redirection to item at offset 5585 exceeds maximum offset 4
     7 |      4 |        | line pointer redirection to item at offset 10285 exceeds maximum offset 4

 lp | lp_off | lp_flags | lp_len |   t_xmin   |   t_xmax   |  t_field3  |       t_ctid       | t_infomask2 | t_infomask | t_hoff | t_bits | t_oid
----+--------+----------+--------+------------+------------+------------+--------------------+-------------+------------+--------+--------+-------
  1 |   6160 |        1 |   2032 | 1491852297 |  287039843 |  491133876 | (3637106980,61186) |       50867 |      46441 |    124 |        |
  2 |   4128 |        1 |   2032 | 3846288155 | 3344221045 | 2002219688 | (2496224126,65391) |       34913 |      32266 |     82 |        |
  3 |   2096 |        1 |   2032 | 1209990178 | 1861759146 | 2010821376 | (426538995,32644)  |       23049 |       2764 |    215 |        |

Summary

Memory prices are set to spike again as chipmakers prioritize AI server production over consumer devices, with analysts warning of a high double-digit jump in Q1 2026 alone as demand outpaces supply.…

Apparently Google is dropping support for Gmail accounts being able to fetch mail from outside accounts. At all. And they announced this change less than 60 days ago. (The announcement was in the basement, stairs, leopard, etc.)

What I want to accomplish is simple:

1. When email arrives for employee@dnalounge.com, have it delivered to the inbox of dna_employee@gmail.com.
2. When that employee is logged into that gmail account, have them able to send email with employee@dnalounge.com in the From: header.

This cannot be accomplished by simply having mail.dnalounge.com forward messages for employee@dnalounge.com to dna_employee@gmail.com because SPF destroyed email forwarding. Specifically:

1. customer@example.com sends mail to employee@dnalounge.com.
2. The SPF record of example.com includes "-all" (strict) as is now common.
3. mail.dnalounge.com forwards that messages to dna_employee@gmail.com.
4. Gmail says, "example.com does not permit dnalounge.com to send email on their behalf" and rejects it with "550 SPF hard fail".

My current email flow is this:

1. Inbound mail:
   1. Email for employee@dnalounge.com arrives at my server.
   2. Message is stored in my server's Dovecot/Maildir.
   3. dna_employee@gmail.com has "Import emails from my other account (POP3)" selected, and Gmail has a saved plaintext copy of their mail.dnalounge.com email password to accomplish this.
   4. Gmail polls and downloads their email over POP3 every 30-90 minutes, sometimes longer. ← This is the thing that is going away.
   5. Gmail runs their aggressive spam filtering on that, and puts some subset of it into their Gmail inbox.

2. Outbound mail:
   6. dna_employee@gmail.com has its outgoing From address configured as employee@dnalounge.com (via "Add another email address").
   7. When they use Gmail to send mail from their employee@dnalounge.com address, Gmail delivers it to mail.dnalounge.com, authenticating with the saved plaintext copy of the employee's mail.dnalounge.com password.
   8. mail.dnalounge.com delivers it to customer@example.com, so the SPF record matches mail.dnalounge.com as the origin (and I don't have to have my SPF record say "any spammer on gmail.com is allowed to send mail pretending to be any dnalounge.com address.").

The linked article says "Gmail will continue to support IMAP" which sounds like: "Gmail can still poll your server to download email, you just have to switch from POP to IMAP". That would be fine if it were true, but it is not. Gmail does not and has never supported importing email via IMAP into the Gmail MDA/MTA. It only supports adding an IMAP server as a second account in the MUA, which is not the same thing at all.

Now that Google is removing the ability to have Gmail poll my server to download messages, what are my options?

Here are some things that people will suggest that are unacceptable:

1. Have the dnalounge.com MX record point to some Google thing and let them take over 100% of my company's email. Fuck no. Also it wouldn't integrate with our internal systems, store, transactional emails, bounce processing, etc.

2. Have my employees' official business email addresses end in @gmail.com. Obviously no. (Maybe @aol.com though.)

3. Use "Sender Rewriting Scheme" to have dnalounge.com rewrite customer@example.com to customer%example.com@dnalounge.com before forwarding it to dna_employee@gmail.com, which is insane, but also will cause any forwarded spam to be tallied against dnalounge.com and Google will just stop delivering them. At some point, Google's "best practices for forwarding" document specifically dis-recommended SRS.

4. Find some other third-party email provider that still offers the POP3-download service that Gmail used to, and tell my staff, "Great news everybody! You have to switch from Gmail to Hotmail now."

So the only options that I think I have left are:

5. Self-host IMAP.
   1. Every employee gets their own IMAP account, hosted on my own server.
   2. They can add that account to the Gmail mobile app or whatever, as a second IMAP account that is not Gmail. Which is apparently still supported. For now.
   3. My server is now responsible for storing all of their messages, including all of their spam. It is a vast amount of data. I will have to implement quotas.
   4. My employees will be wasting a bunch of time trying to find and delete emails with the same giant attachment in each of the 30 messages in the same thread, and if they don't, mail to them will bounce.
   5. "I can't find that old email any more" is a conversation that we will be having all the time.
   6. My employees will be receiving way more spam, since Gmail's spam filtering is (presumably?) still more effective than what I can accomplish with some stock set of spamassassin rules.

6. Walk North until I reach the nearest fjord, board an ice floe, lie down, and wait for my bones to turn to dust. The ocean will sequester my carbon. I hope this email does not find you.

Do I have other options?

In summary, everything is terrible.

Previously, previously, previously, previously, previously, previously, previously.

Hovertext:
Someone out there is going to take a timed break from running a content farm, read this, and get a faraway look for a second.

A lot of claims have been made about the purported benefits of adding chopped carbon fiber to FDM filaments, but how many of these claims are actually true? In the case of PLA at least, the [I built a thing] channel on YouTube makes a convincing case that for PLA filament, the presence of chopped CF can be considered a contaminant that weakens the part.

Using the facilities of the University of Basel for its advanced imaging gear, the PLA-CF parts were subjected to both scanning electron microscope (SEM) and Micro CT imaging. The SEM images were performed on the fracture surfaces of parts that were snapped to see what this revealed about the internal structure. From this, it becomes apparent that the chopped fibers distribute themselves both inside and between the layers, with no significant adherence between the PLA polymer and the CF. There is also evidence for voids created by the presence of the CF.

To confirm this, an intact PLA-CF print was scanned using a Micro CT scanner over 13 hours. This confirmed the SEM findings, in that the voids were clearly visible, as was the lack of integration of the CF into the polymer. This latter point shouldn’t be surprising, as the thermal coefficient of PLA is much higher than that of the roughly zero-to-negative of CF. This translates into a cooling PLA part shrinking around the CF, thus creating the voids.

What this means is that for PLA-CF, the presence of CF is by all measures an undesirable contaminant that effectively compromises it as much as having significant moisture in the filament before printing. Although for other thermoplastics used with FDM printing, chopped CF may make more sense, with PLA-CF, you’re effectively throwing away money for worse results.

As also noted in the video, in medical settings, these CF-reinforced FDM filaments aren’t permitted due to the chopped CF fragments. This topic has featured more widely in both the scientific literature and YouTube videos in recent years, with some significant indications that fragments of these chopped fibers can have asbestos-like implications when inhaled.

Meanwhile, are you’re looking for the thrill of a weird filament? Maybe try one of these.

There are many reasons, unrelated to artist reimbursement, why Spotify is the dirt worst of the streaming platforms. I trust by now you are aware of these.

I want to make it very clear that I am not criticising anyone for using streaming platforms. Everyone streams, living is hell and we all love music. [...]

As you can see, the vast majority of people who streamed All Hell did so using Spotify. Unfortunately, of the major streaming platforms, Spotify pays significantly less per stream than anywhere else.

If everyone who streamed All Hell on Spotify had done so using Tidal instead, we would have received an extra £31,847.38, which would double the amount we made from streaming of the album in this time period. Or if everyone used Apple Music it would have been £12,331 more.

Relatedly, today is Bandcamp Friday when 100% of your money goes to the artists.

"But what do you use, jwz?" none of you are asking. I'm glad you asked! I do not use any streaming platforms. I purchase music as files that then live on my computers and computer-like devices that are backed up on hard drives that I own. I listen to them with headphones that have analog cables.

When at all possible, I purchase music from Bandcamp, because of all the options available, that is the one where the artists make the most money.

When an album is not available on Bandcamp (as often happens with bands signed to major labels who contractually prohibit the bands from making their music available on Bandcamp) I have been using Qobuz, which seems to be the least-bad second option at this time. The files are high quality and DRM-free.

Previously, previously, previously, previously.

Google's "don't be evil" ethos is so 2015. These days, the Chocolate Factory is all about integrating users with bots, whether they like it or not. Now, it's rolling out Workspace "smart features" that process personal content with AI, and many users are finding the settings enabled by default.…

Here is the text of the bill. The House bill was introduced September 18 by Zoe Lofgren of California, and the Senate bill was introduced September 19 by Alex Padilla, also of California.

When many southwest Raleigh residents went to the polls in 2024 to cast a “yes” vote for Wake County’s $142 million public libraries bond, they expected that a successful bond referendum would ensure that their community library would remain in their community. 

County staff, they say, had made the community that promise in 2022 after the library, housed inside Athens Drive Magnet High School since it opened in 1978, was thrice threatened with closure and saw its operating hours starkly reduced due to safety concerns and the pandemic. 

“We supported the bond based on this promise and if we are betrayed, we should never forget it,” Yevonne Brannon, a neighborhood activist and former county commissioner, wrote in an email to neighbors ahead of a community meeting at the Thomas G. Crowder Woodland Center on Saturday morning, which the INDY attended. 

The Wake County Public School System (WCPSS) will begin renovations to the high school in 2026, closing the library. The countywide bond allocates a total $67.1 million to build a replacement for the Athens Drive Community Library as well as community libraries in Rolesville, Apex, Wendell, and southeast Raleigh. Of that $67.1 million, the county has determined that $16.3 million is available for Athens Drive Community Library replacement.

Now, members of Wake County’s Board of Commissioners, making steady progress in implementing the bond, are weighing two sites for the library’s replacement.

One site, currently home to retired restaurateur Arthur Gordon’s Well Fed Community Garden, is less than a quarter mile away on Athens Drive, just a four-minute walk from the library’s current location. (The INDY reported earlier this year on a rezoning application Gordon and his wife, Anya, had filed with the City of Raleigh to build affordable housing on the two-parcel property, but the Gordons withdrew their application in July.)

The other site is three miles, or a 10-minute drive, away and located in another town—Cary—at the intersection of Tryon Road and Yates Mill Pond Road. 

WCPSS currently owns the Cary site, which, at more than 12 acres, is much larger and would provide ample space for parking.

The county would have to buy the Well Fed Community Garden site from the Gordons. The site is 2.6 acres and would require a two-story facility. The property is valued at around $840,000 for the combined two parcels. 

District 2 Wake County commissioner Safiyah Jackson attended Saturday’s community meeting. While her district covers Fuquay-Varina, Holly Springs, and Garner, Jackson told the 70-some residents in attendance that she was happy to have a conversation with them about the library as she is one of seven commissioners who will have to make a final decision on a site. 

County leaders, Jackson told the crowd, have to consider certain criteria in evaluating where to locate the library’s replacement, including what seems to be the county’s principal guiding metric: how many people in the county live within a 10-minute drive of a new library. 

But, Jackson emphasized, no decisions will be made based on that single factor, and the county will also consider growth patterns—66 people move to Wake County each day—and the cost of land in “the equation of where we move the library, next door or five minutes away.”

“Your community connections, your walkability, your history, the reach, people that are already in this community … those are considerations as well as the larger amounts of Wake County who are able to drive to a library,” Jackson said. 

Residents at the meeting said, overall, the better choice—to keep the library close—is clear. Their community is one of the densest and fastest-growing areas of the city, home to thousands of young families and well-served with walkable roads and sidewalks, bike lanes, and public transit.   

“We have good potential for infill, and for land-saving, two-story construction of a library building without suburban sprawl,” said Joe Hartman, who lives near the library and recently turned 80. 

Other residents called the 10-minute drive metric “arbitrary” and pointed out that the Cary site, while it technically has more residents within a 10-minute drive, isn’t located along any public transit routes. 

Resident Jamie Hammermann, who has been taking her daughter to Athens Drive Community Library since she was eight months old, has conducted extensive research on the demographics and amenities around the two sites, including economic diversity and public transit access. Hammermann’s research shows that a few hundred households, or a fraction of a percentage of the overall county population, live within a 10-minute drive of the Cary site, a “nominal” increase over the number of households served by keeping the Athens Drive library in its current part of town. 

“Who would actually benefit are some pretty wealthy neighborhoods,” Hammermann said.

Jane Harrison, the Raleigh City Council representative for Raleigh’s District D, which includes Athens Drive High School, supports keeping the library in southwest Raleigh.

She noted how much new affordable housing has been built and is currently planned for the area, including new projects on Kent Road, Lorimer and Garland, Trailwood Drive, and Hope Village on Method Road, which will provide new homes for students aging out of foster care. These are all in addition to existing affordable housing, including the Raleigh Housing Authority’s Kentwood development on Kent Road just south of Western Boulevard. 

“It’s not just one or two developments,” Harrison said. “We are in several qualified census tracts right around here, so they’re qualified for Low-Income Housing Tax Credit projects .… This is all within this neighborhood. We’re going to continue to see that added density, and I just want to make sure we have the infrastructure and amenities to serve our population.”

It’s not clear when the county commissioners will make a decision about the library site. Jackson said although the meeting marked her first conversation with the community, it won’t be the last. She promised to review the community’s feedback and get answers to questions that arose for her during the meeting, 

“I will be transparent, however I vote, about how that decision is made,” Jackson said. “We’re not going to be voting in two weeks, so there is time.”

But for the residents, it’s a matter of trust.

“Let’s not play any games, nobody’s going to fool this community or any voter that the replacement meant, ‘Now we can have an opportunity to close the Athens Drive Community Library and set up a regional library in Cary,’” said Brannon, the former county commissioner, at the end of the meeting. “We voted for the bond. I’ve sat in the seat, I know the pressure, but I can tell you one thing you can’t do to the public. You could not lose their trust.”

Send an email to Raleigh editor Jane Porter: jporter@indyweek.com. Comment on this story at backtalk@indyweek.com.

In the 12–0 vote, the committee of advisors selected by anti-vaccine activist Robert F. Kennedy Jr. adopted a recommendation for adults 65 and older and people aged 6 months to 64 years to get a COVID-19 vaccine based on shared clinical decision-making. After this story was published, the Centers for Disease Control and Prevention adopted the recommendation, which will broadly maintain requirements that federal and private health insurance plans cover COVID-19 vaccines at no cost. While the shared clinical decision-making is a new requirement, the CDC noted in adopting the recommendation that such decision making can be done in consultation with providers, "including physicians, nurses, and pharmacists". Most people receive COVID-19 vaccines from their local pharmacists.

Earlier this year, the FDA limited the approvals of this year's shots, which have previously been available to anyone 6 months of age or older. The FDA's new restriction limits them to adults aged 65 and up and for people between the ages of 6 months and 64 years who have an underlying medical condition that puts them at high risk of severe COVID-19.

Read full article

Comments

The Onion: What are your core beliefs?

Newsom: Are those a prerequisite for being president?

The Onion: Where did you grow up?

Newsom: I need to check some polling data before I answer that question.

The Onion: ​A​re you running for president in 2028?

Newsom: ​Right now, I’m purely focused on alienating the people of California.

The Onion: How do you respond to accusations that you’re beholden to large donors?

Newsom: I assure you, there is no one I won’t betray in my pursuit of power.

The Onion: What is your solution to the homelessness crisis in California?

Newsom: A thick tarp, some duct tape, and a shovel.

The Onion: How are you working to fix California’s $12 billion budget deficit?

Newsom: By making fun of the president.

The Onion: What’s next for you?

Newsom: More teeth.

The post The Onion’s Exclusive Interview With Gavin Newsom appeared first on The Onion.

However, during these early years of spaceflight, NASA engineers and astronauts cut their teeth on a variety of spaceflight firsts, flying a series of harrowing missions during which it seems a miracle that no one died.

Because the Gemini missions, as well as NASA's first human spaceflight program Mercury, yielded such amazing stories, I was thrilled to realize that a new book has recently been published—Gemini & Mercury Remastered—that brings them back to life in vivid color.

Read full article

Comments

This isn’t normal. Federal judges don’t usually air their grievances about the Supreme Court in open court. The fact that an entire appeals court panel—including respected conservative judges—turned their oral argument into what Politico called “a remarkable, 80-minute venting session” tells you everything about how broken the system has become.

The immediate catalyst was trying to figure out what to do with a case about DOGE’s access to Social Security data after the Supreme Court issued one of its trademark unexplained emergency orders. But the real issue was much bigger: how are lower courts supposed to function when the highest court in the land operates like it’s playing Calvinball?

“They’re leaving the circuit courts, the district courts out in limbo,” said Judge James Wynn… “We’re out here flailing. … I’m not criticizing the justices. They’re using a vehicle that’s there, but they are telling us nothing. They could easily just give us direction and we would follow it.”

Judge Wynn didn’t stop there:

“They cannot get amnesia in the future because they didn’t write an opinion on it. Write an opinion,” Wynn said. “We need to understand why you did it. We judges would just love to hear your reasoning as to why you rule that way. It makes our job easier. We will follow the law. We will follow the Supreme Court, but we’d like to know what it is we are following.”

I’ve been writing about the law for almost three decades. I’ve never seen anything like this. Ever. Not even in the same zip code as this. These are judges crying out for help under a completely lawless Supreme Court.

And, no, this wasn’t just liberal judges complaining. Judge J. Harvie Wilkinson III—a Reagan appointee and one of the most respected conservative jurists in the country—was right there with them:

“The Supreme Court’s action must mean something,” said Judge J. Harvie Wilkinson III, a Reagan appointee. “It doesn’t do these things just for the kicks of it.”

Even Wilkinson can’t figure out what the hell the Supreme Court is doing. When you’ve lost Harvie Wilkinson—a judge so conservative and institutionally minded that he’s basically judicial royalty—you’ve completely broken the system.

The specific case that triggered this judicial revolt involves the Supreme Court’s typical shadow docket bullshit. In June, the Court overruled the Fourth Circuit’s decision and lifted an injunction against DOGE’s use of Social Security data. But they did so in the most bizarre and troubling way. After sending the case back to the Fourth Circuit for more review, it said that even if the Fourth Circuit rules that DOGE is breaking the law, the stay will remain in place.

By an apparent 6-3 vote, the justices went further, saying that no matter what the appeals court decided, the injunction would remain on hold until the case returned to the Supreme Court. Yet, the high court’s majority offered no substantive rationale for the lower court to parse.

So the Supreme Court basically said: “We’re overturning you, and also whatever you decide doesn’t matter anyway, but we’re not going to tell you why.” This left the entire Fourth Circuit panel wondering what the fuck they’re even supposed to do.

That left many of the 15 4th Circuit judges on hand for Thursday’s unusual en banc arguments puzzling at their role. One even suggested the appeals court should simply issue a one-line opinion saying the injunction is lifted and kick the case back to the Supreme Court to resolve.

Some judges thought they should just give up entirely and punt the case back to SCOTUS since SCOTUS has already said whatever they decide here doesn’t actually matter. Others insisted they had a constitutional duty to actually do their jobs:

“It sounds like some of my colleagues think that there’s no work to be done, that we’re done because the Supreme Court has told us what the answer is,” said Judge Albert Diaz, an Obama appointee.

Judge Robert King said punting on the case would be a mistake.

“We each have a commission and we have a robe and we have an oath to abide by,” said King, a Clinton appointee.

This perfectly captures the impossible position the Supreme Court has created. Lower court judges literally don’t know if they’re supposed to do their jobs or just rubber-stamp whatever vibes they think they’re getting from the shadow docket.

The whole mess stems from a series of recent Supreme Court shadow docket rulings (without much explanation) basically telling lower courts they have to follow SCOTUS shadow docket rulings (also without much explanation) as binding precedent. But as we’ve written about extensively, these aren’t reasoned legal decisions—they’re often unexplained orders issued with minimal briefing, no oral arguments, and little to no explanation of any reasoning.

This has created a situation where experienced federal judges—people who’ve spent decades interpreting legal precedent (often longer than the Justices themselves)—literally can’t figure out what the Supreme Court wants them to do.

What we’re witnessing is the breakdown of the federal judiciary as a functioning institution. When Reagan and Obama appointees are united in open revolt, and Harvie Wilkinson can’t figure out what the Supreme Court wants, the system has collapsed.

The three liberal Justices have been warning about this in dissent after dissent, while the conservative majority just keeps issuing more unexplained orders and then getting pissy when lower courts can’t read their minds. This isn’t jurisprudence. It’s government by judicial decree, where constitutional law operates on vibes and the only consistent principle is “give Trump whatever he wants.”

When federal judges with decades of experience are reduced to public pleading for basic guidance during oral arguments, we’ve crossed into judicial authoritarianism. The Supreme Court has effectively told the entire federal judiciary: “Follow our orders, but we won’t explain what they mean, and if you guess wrong, we’ll scold you for defying us.”

That’s not how precedent works. That’s not how courts work. That’s not the rule of law. It’s just nine people in robes demanding deference to their unexplained whims.

But last month, Proton disabled email accounts belonging to journalists reporting on security breaches of various South Korean government computer systems following a complaint by an unspecified cybersecurity agency. After a public outcry, and multiple weeks, the journalists’ accounts were eventually reinstated — but the reporters and editors involved still want answers on how and why Proton decided to shut down the accounts in the first place.

Martin Shelton, deputy director of digital security at the Freedom of the Press Foundation, highlighted that numerous newsrooms use Proton’s services as alternatives to something like Gmail “specifically to avoid situations like this,” pointing out that “While it’s good to see that Proton is reconsidering account suspensions, journalists are among the users who need these and similar tools most.” Newsrooms like The Intercept, the Boston Globe, and the Tampa Bay Times all rely on Proton Mail for emailed tip submissions.

Shelton noted that perhaps Proton should “prioritize responding to journalists about account suspensions privately, rather than when they go viral.”

On Reddit, Proton’s official account stated that “Proton did not knowingly block journalists’ email accounts” and that the “situation has unfortunately been blown out of proportion.” Proton did not respond to The Intercept’s request for comment.

The two journalists whose accounts were disabled were working on an article published in the August issue of the long-running hacker zine Phrack. The story described how a sophisticated hacking operation — what’s known in cybersecurity parlance as an APT, or advanced persistent threat — had wormed its way into a number of South Korean computer networks, including those of the Ministry of Foreign Affairs and the military Defense Counterintelligence Command, or DCC.

The journalists, who published their story under the names Saber and cyb0rg, describe the hack as being consistent with the work of Kimsuky, a notorious North Korean state-backed APT sanctioned by the U.S. Treasury Department in 2023.

As they pieced the story together, emails viewed by The Intercept show that the authors followed cybersecurity best practices and conducted what’s known as responsible disclosure: notifying affected parties that a vulnerability has been discovered in their systems prior to publicizing the incident.

Saber and cyb0rg created a dedicated Proton Mail account to coordinate the responsible disclosures, then proceeded to notify the impacted parties, including the Ministry of Foreign Affairs and the DCC, and also notified South Korean cybersecurity organizations like the Korea Internet and Security Agency, and KrCERT/CC, the state-sponsored Computer Emergency Response Team. According to emails viewed by The Intercept, KrCERT wrote back to the authors, thanking them for their disclosure.

A note on cybersecurity jargon: CERTs are agencies consisting of cybersecurity experts specializing in dealing with and responding to security incidents. CERTs exist in over 70 countries — with some countries having multiple CERTs each specializing in a particular field such as the financial sector — and may be government-sponsored or private organizations. They adhere to a set of formal technical standards, such as being expected to react to reported cybersecurity threats and security incidents. A high-profile example of a CERT agency in the U.S. is the Cybersecurity and Infrastructure Agency, which has recently been gutted by the Trump administration.

A week after the print issue of Phrack came out, and a few days before the digital version was released, Saber and cyb0rg found that the Proton account they had set up for the responsible disclosure notifications had been suspended. A day later, Saber discovered that his personal Proton Mail account had also been suspended. Phrack posted a timeline of the account suspensions at the top of the published article, and later highlighted the timeline in a viral social media post. Both accounts were suspended owing to an unspecified “potential policy violation,” according to screenshots of account login attempts reviewed by The Intercept.

The suspension notice instructed the authors to fill out Proton’s abuse appeals form if they believed the suspension was in error. Saber did so, and received a reply from a member of Proton Mail’s Abuse Team who went by the name Dante.

In an email viewed by The Intercept, Dante told Saber that their account “has been disabled as a result of a direct connection to an account that was taken down due to violations of our terms and conditions while being used in a malicious manner.” Dante also provided a link to Proton’s terms of service, going on to state, “We have clearly indicated that any account used for unauthorized activities, will be sanctioned accordingly.” The response concluded by stating, “We consider that allowing access to your account will cause further damage to our service, therefore we will keep the account suspended.”

On August 22, a Phrack editors reached out to Proton, writing that no hacked data was passed through the suspended email accounts, and asked if the account suspension incident could be deescalated. After receiving no response from Proton, the editor sent a follow-up email on September 6. Proton once again did not reply to the email.

On September 9, the official Phrack X account made a post asking Proton’s official account asking why Proton was “cancelling journalists and ghosting us,” adding: “need help calibrating your moral compass?” The post quickly went viral, garnering over 150,000 views.

Proton’s official account replied the following day, stating that Proton had been “alerted by a CERT that certain accounts were being misused by hackers in violation of Proton’s Terms of Service. This led to a cluster of accounts being disabled. Our team is now reviewing these cases individually to determine if any can be restored.” Proton then stated that they “stand with journalists” but “cannot see the content of accounts and therefore cannot always know when anti-abuse measures may inadvertently affect legitimate activism.”

Proton did not publicly specify which CERT had alerted them, and didn’t answer The Intercept’s request for the name of the specific CERT which had sent the alert. KrCERT also did not reply to The Intercept’s question about whether they were the CERT that had sent the alert to Proton.

Related

Proton Mail Says It’s “Politically Neutral” While Praising Republican Party

Later in the day, Proton’s founder and CEO Andy Yen posted on X that the two accounts had been reinstated. Neither Yen nor Proton explained why the accounts had been reinstated, whether they had been found to not violate the terms of service after all, why had they been suspended in the first place, or why a member of the Proton Abuse Team reiterated that the accounts had violated the terms of service during Saber’s appeals process.

Phrack noted that the account suspensions created a “real impact to the author. The author was unable to answer media requests about the article.” The co-authors, Phrack pointed out, were also in the midst of the responsible disclosure process and working together with the various affected South Korean organizations to help fix their systems. “All this was denied and ruined by Proton,” Phrack stated. 

Phrack editors said that the incident leaves them “concerned what this means to other whistleblowers or journalists. The community needs assurance that Proton does not disable accounts unless Proton has a court order or the crime (or ToS violation) is apparent.”

The post Proton Mail Suspended Journalist Accounts at Request of Cybersecurity Agency appeared first on The Intercept.