Image: Getty Images
People aged under 18 living in China will now only be allowed to play online games for three hours per week.The new mandate will see minors only be allowed to play one hour of online games on Fridays, Saturdays, Sundays, and on official holidays, according to state media outlet Xinhua. The one hour of online game time for these days will also only be allowed from 8pm to 9pm. The ban, issued by China’s National Press and Publication Administration (NAAP) on Monday evening, is aimed at preventing minors from becoming addicted to online gaming, the report said. In issuing the ban, the gaming regulator reportedly called for online game providers to implement real-name registration and logins, saying online game providers should not allow minors to play online games if they fail to register and log in using their real identifications. The NAAP also reportedly told Xinhua it would increase the frequency of its inspections on online gaming companies to ensure they implement time limit and anti-addiction systems. Prior to the latest measures, Tencent at the start of the month had already announced further restrictions for how much minors could play its flagship game Honour of Kings as part of efforts to appease government concerns. In that restriction, Honour of Kings gamers under the age of 18 had their playing time limited to one hour on regular days and two hours on public holidays.

The expanded gaming ban is the latest among a flurry of moves China has made as part of its local crackdown on tech. In the area of online child protection alone, Beijing prosecutors have launched a civil public lawsuit against WeChat, accusing the company of not complying with laws focused on protecting minors, while the Cyberspace Administration of China passed a special action last month banning people under the age of 16 from appearing in content within online live-streaming and video platforms. Beyond online child protection, the Chinese government has pushed through new personal data protection laws, punished 43 apps for illegally transferring user data, and ordered local food delivery platforms to provide riders with minimum wages. It has also removed Didi from Chinese app stores and placed it under cybersecurity review, slapped Alibaba with a record 18.2 billion yuan fine, and put Tencent on notice for collecting more user data than deemed necessary when offering services.Related Coverage More

Image: Getty Images/iStockphoto
Representatives from Google have told an Australian Parliamentary committee looking into foreign interference that the country has not been the target of coordinated influence campaigns.”We’ve not seen the sort of foreign coordinated foreign influence campaigns targeted at Australia that we have with other jurisdictions, including the United States,” Google director of law enforcement and information security Richard Salgado said.”Some of the disinformation campaigns that originate outside Australia, even if not targeting Australia, may affect Australia as collateral … but not as a target of the campaign.”We have found no instances of foreign coordinated influence campaigns targeting Australia.”While acknowledging campaigns that reach Australia do exist, he reiterated they have not specifically targeted Australia.”Some of these campaigns are broad enough that the disinformation could be, sort of, divisive in any jurisdiction in which it is consumed, even if it’s not targeting that jurisdiction,” Salgado told the Select Committee on Foreign Interference Through Social Media.”Google services, YouTube in particular, which is where we have seen most of these kinds of campaigns run, isn’t really very well designed for the purpose of targeting groups to create the division that some of the other platforms have suffered, so it isn’t actually all that surprising that we haven’t seen this on our services.”

Appearing alongside Salgado on Friday was Google Australia and New Zealand director of government affairs and public policy Lucinda Longcroft, who told the committee her organisation has been in close contact with the Australian government as it looks to prevent disinformation from emerging leading up the next federal election.Additionally, the pair said that Google undertakes a “constant tuning” of the artificial intelligence and machine learning tech used. It said it also constantly adjusts policies and strategies to avoid moments of surprise, where Google could find itself unable to handle a shift in attacker strategy or shift in volume of attack.No money made from your GPay transactionsAppearing earlier in the week before the Parliamentary Joint Committee on Corporations and Financial Services, Google VP of product membership and partnerships Diana Layfield said her company does not monetise data from Google Pay in Australia.”I suppose you could argue that there are non-transaction data aspects — so people’s personal profile information,” she added. “If you sign up for an app, you have to have a Google account. So, by and large, we would have that personal profile information; we may have slightly more generalised data about a user from their signing up for Google Pay, but we do not monetise transaction data or payments data from within the app in Australia.”The committee questioned Layfield’s claims, citing remarks from the Reserve Bank of Australia, as one example, that because Google’s business model is about collecting data not transaction fees, it does not charge for Google Pay.”One narrow version of ‘monetise’ is that you take the transaction data and sell it. You say you don’t do that. But another way of understanding it may be that that transaction data goes into the general pool of understanding the customer and their preferences, being able to give them a psychographic profile and monetising that profile, which is a well-known aspect of your business model,” Labor MP Julian Hill asked.”I buy a pair of shoes online, you’re not going to tell anyone else about the shoes that I buy, but it may go into my profile that you then may monetise elsewhere.”Layfield said that while that would be true for Google’s other products, that it was not the case for Google Pay.”In the case of Google Pay, if you were to make a payments transaction and you were to buy a pair of shoes, that transaction data that might give us that information does not leave the Google Pay environment. We don’t use transaction data for ads, for example,” she explained. “Our ads monetisation, which is, as you say, our primary monetisation route, does not receive that data from Google Pay.”She said the transaction data, such as address, name, and profile data, is used both for fraud purposes and for the purposes of updating a user’s overall Google account.THIS WEEK FROM GOOGLE More

Google has provided new information on the end of the troubled development process for the FLoC (Federated Learning of Cohorts) it had hoped to use as a replacement for cookies, and it has done so as part of its reveal of another proposed replacement: Topics. 

The search giant’s first attempt to replace the third-party cookie with its own technology was met with staunch opposition from some, a wary eye from others, and very little positive feedback. It originally committed, in early 2021, to ending third-party cookie support within its Chrome browser in 2022. At that time, Google intended for FLoC to replace cookies with a new technology which it claimed was far more anonymized and still able to yield conversion rates of 95% for every ad dollar spent. Obviously, things didn’t work out quite as the company had hoped. It eventually ended the development of FLoC in July 2021, around the same time it announced that Chrome would continue supporting third party cookies until at least mid-2023. The company had remained cagey on how it planned to move forward with its still-extant plans to replace the cookie until now. Dubbed simply “Topics,” the new technology aims to track users anonymously using a new API designed to fulfill Google’s four main privacy goals: The technology must make it “difficult to reidentify significant numbers of users across sites using just the API.”It should offer a viable replacement for “a subset of the capabilities of third-party cookies.”Any recorded data must be “less personally sensitive” than what is being collected today. The API should be understandable to users and transparent in its intentions. Google apparently feels its Topics API meets all of these criteria while still providing the data interest-based ads (IBAs) need to continue operating at a level similar to their current cookie-based endeavors. In addition to posting a GitHub entry revealing the technical details of Topics, Google’s Privacy Sandbox lead Ben Galbraith also held a press briefing in which he revealed additional parameters to several news outlets. Among them was the fact that Topics will initially attempt to track the user’s behavior across up to 300-350 specific areas of interest. These areas are based on the IAB Audience Taxonomy, which contains a much more comprehensive list of 1,500 or so trackable areas of interest.  Google’s GitHub post noted that this is an initial design, hinting at the fact that those 350, or so, might expand further in the future. According to Galbraith, if they do, they will not be expanding into what Google called “sensitive topics,” which includes things like the user’s race and gender. 

In practical operation, the Topics API lets the user’s browser share three of their detected areas of interest when the user visits a site using IBAs. The API will randomly select those three from among the top five it detected. One topic will be chosen from the top five for each of the previous three weeks to give a better but still anonymized picture of the user’s recent online browsing history. Google intends for users to be able to get personally involved with their Topics as well, noting that they will be able to disable the tracking of specific areas of interest while also being able to review what Topics have been chosen for them at any given point. This level of transparency and user control addresses two of the biggest issues Google heard about in feedback surrounding the failed FLoC proposal: that it was too opaque and added too much personalized “digital fingerprinting” data to the system. The company’s aforementioned promise to avoid “sensitive” topics likewise addresses an unfortunate tendency that FLoC had for automatically creating ad cohorts around topics like gender and race. Google plans to begin testing Topics with external parties sometime later this quarter. It remains to be seen whether this technology will fare any better than FLoC or if Google will once again be forced to continue accepting third-party cookies within its Chrome browser for years to come.  More

Microsoft has released 117 security fixes for software including a remote code execution (RCE) vulnerability in Exchange Server found by participants of the Pwn2Own competition.

The Redmond giant’s latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, includes fixes for 117 flaws tackling RCEs, privilege escalation, spoofing, memory corruption, and information disclosure. Thirteen are considered critical and nine are zero-days — with four under active exploit. Products impacted by Microsoft’s latest security update, issued on July 13, include Microsoft Office, SharePoint, Excel, Microsoft Exchange Server, Windows Defender, Windows Kernel, and Windows SMB.  Read on: Some of the most interesting vulnerabilities resolved in this update are:  CVE-2021-31206: A Microsoft Exchange Server RCE found during Pwn2Own. CVE-2021-34448: An actively exploited scripting engine memory corruption vulnerability, requiring a victim to actively visit a malicious website or to click a malicious link.CVE-2021-34494: A Windows DNS Server RCE, albeit restricted to DNS servers only.CVE-2021-34458: A Windows Kernel RCE which permits a single root input/output virtualization (SR-IOV) device, assigned to a guest, to potentially tamper with PCIe associates. The latest round of patches comes just a week after an emergency fix was issued by Microsoft to rectify a security flaw nicknamed “PrintNightmare.” Tracked under CVE-2021-1675 and CVE-2021-34527, the combination of RCE and a local privilege escalation flaw is already impacting some printers, and exploit code has been released. In total, four of the vulnerabilities — CVE-2021-34527 (PrintNightmare), CVE-2021-34448, CVE-2021-31979, and CVE-2021-33771 — are listed as exploited in the wild. 

Microsoft thanked researchers from Google Security, Checkmarx, the Trend Micro Zero Day Initiative, and Fortinet’s FortiGuard Lab, among other organizations, for reporting the now-patched security flaws, A number of vulnerabilities were also reported by Microsoft Threat Intelligence Center (MSTIC). According to the Zero Day Initiative (ZDI), which reported 17 of the bugs, this month’s volume of fixes “is more than the last two months combined and on par with the monthly totals from 2020.” Last month, Microsoft resolved 50 vulnerabilities in the June batch of security fixes. These included seven zero-day bugs, six of which were reported by the Redmond giant as being actively exploited.  A month prior, the tech giant tackled 55 security flaws during May Patch Tuesday. Four of which were deemed critical, and three were zero-days. Alongside Microsoft’s Patch Tuesday round, other vendors, too, have published security updates which can be accessed below. More

Image: Lee Paz on Unsplash Sony launched today a bug bounty program for the PlayStation Network and the PlayStation 4 gaming console, a company spokesperson told ZDNet. The program aims to reward security researchers who find bugs in PlayStation-related devices and websites and report them to Sony’s security team to have them patched before getting […] More