Government by regulation structures how constitutional democracies normally operate. Legislatures and executive agencies enact formal rules that govern conduct, embodying the ideal of government by laws rather than by individuals. Yet regulators also govern through threats of regulation. When public officials seek to alter private behavior, they may warn regulated actors that failure to comply will trigger new or stricter rules. These warnings can achieve regulatory goals without the adoption of formal rules. Because officials often issue such threats in informal, private communications, the practice escapes public scrutiny and challenges the dominant model of democratic rule-making, which assumes open deliberation by accountable institutions. This paper theorizes threats of regulation as a governance device that remains largely invisible to outsiders but offers significant advantages to regulators. Although United States courts attempt to distinguish unlawful coercion from permissible persuasion, they struggle to enforce these boundaries in practice. The paper argues that increasing transparency in routine communications between regulators and corporate actors would reduce the risk of abuse while preserving regulatory effectiveness.

Study.

https://commet.chat/

@commetchat@fosstodon.org

A business consultant is raising alarms about AI-conducted job interviews after he says a tech company’s evaluation of him drew some concerning conclusions, including criticizing his "habitual" use of Google's Chrome internet browser.

As some companies outsource job interviews to artificial intelligence, rejected candidates can be left wondering what went wrong.

After not hearing back about a job he applied for in Madrid with marketing company Anteriad, Daniel Alvarez, who is based in Spain, decided to find out exactly how the AI judged him.

He obtained a copy of the AI-generated evaluation from Anteriad under the European Union’s General Data Protection Regulation. The company had used a third-party firm called ChattyHiring to conduct the screening interview.

Alvarez, who is not Canadian but lived in Toronto for much of last year, shared the full evaluation and transcript with CBC News. He said he was not impressed by what he found, and doesn't feel companies should use AI interviews in the hiring process.

“It's not a human-to-human interaction when you have, for example, language repair.... I can say something, and depending on your face, I can immediately rephrase it," he said.

"That’s gone in this kind of interaction."

In September last year, Peter Mandelson was fighting to keep his job as British Ambassador to the US after the first raft of revelations about the extent of his friendship with Jeffrey Epstein.

Within hours of the details emerging, an anonymous Wikipedia editor had made changes to Mandelson’s page that distanced him from Epstein and cast him in a sympathetic light. That editor has since been blocked for making undisclosed paid changes.

New details about the relationship between the two – including that Mandelson recommended a villa where Epstein could host his “guests” – have sparked a national scandal in recent weeks and led to pressure on Keir Starmer to step down as prime minister.

But over the course of two days in September, while Mandelson was still in his government job, the mysterious account made a series of edits that either reflected more favourably on him or pushed details of the Epstein scandal under unrelated information.

And when Mandelson was eventually sacked on 11 September, it moved within hours to remove the reason given by the Foreign Office for his dismissal: that Mandelson had told Epstein his 2008 conviction for sex offences was wrong and encouraged him to clear his name.

Archive.

This investigation surveyed the entire Chrome Web Store, filtering extensions that request sensitive permissions (history, tabs, webRequest, etc.) and we scanned with our method top 32,000 extensions ordered by user count. Using Docker with Chromium behind a man‑in‑the‑middle proxy, we simulated browsing sessions and recorded every outbound request. By correlating request size with URL length we derived a leakage metric (Redp); values ≥ 1.0 indicate definite history exfiltration, while 0.1 ≤ Redp < 1.0 suggest probable leakage.

The pipeline flagged 287 extensions that actively transmit users’ browsing histories. Manual inspection of the captured traffic revealed a variety of obfuscation schemes: base64, ROT47, LZ‑String compression, and full AES‑256 encryption wrapped in RSA‑OAEP. Decoding these payloads showed raw Google search URLs, page referrers, user IDs and timestamps being sent to a network of proprietary domains and cloud‑provider endpoints.

We leveraged the leakage further and by browsing URLs of the honeypot in the sandboxed environment we allowed those data to be leaked. Honeypot URLs lured some actors and were accessed by known scraper IPs (Amazon Japan, Google LLC, Kontera), confirming active harvesting pipelines. We applied OSINT to the leaking extensions and managed uncover some actors.

Aggregating install counts gave an exposure of roughly 37.4 million users, representing roughly about 1 % of global Chrome users. The majority of the activity clusters around a handful of actors: SimilarWeb (≈ 10 M users), Alibaba‑related groups, Bytedance, and a cluster of Chinese data‑broker firms. Many extensions appear under reputable brand names (e.g., “SimilarWeb - Website Traffic & SEO Checker”) while others masquerade as utilities such as ad blockers (“Ad Blocker: Stands AdBlocker”) or AI assistants.

Limitations include the inability to see WebSocket or DNS‑tunneled traffic and the fact that some extensions only leak after a privacy‑policy popup is accepted, meaning the 37.4 M is a conservative lower bound.

If your instant message requires immediate attention, fine. But many don’t — they’re just inconsiderate.

Am I the only one still using email instead of WhatsApp? Perhaps so. I find it ever harder to persuade my contacts — and more vexingly, my friends — to use email for important messages instead of interrupting me with the ping of an instant message. And my failure to persuade others is a problem, because communication is a two-way street. Your choices affect my life, and sending instant messages that should have been emails is like snacking on chocolate bars and then expecting me to clear up the discarded wrappers.

Email is flawed, to be sure — many emails should have been a conversation. And if a message is either urgent or utterly disposable, then instant messaging is fine. But as a serious tool for important communication, email remains underrated.

First, it’s asynchronous. We don’t live in the 1990s any more, so email doesn’t beep for attention. The understanding is that if you send an email I will respond at a time that is convenient to me. Instant messages ping because — well, instant, right? And while I could switch off the needy noises from text or WhatsApp or almost anything, that would mean stripping the technology of a genuine use case in order to deflect some of the annoyance of people misusing it.

Second, email contains its own written record. You can check back, remind yourself of details and read old attachments. It is easy to file or to tag. Admittedly, some instant-message platforms have a way to search for old messages — if you can remember which platform they were sent on. But as a retrievable record of communication it’s hard to beat email.

(Reasons one and two explain why my wife and I will often send emails to each other across the room. It’s not sociopathy; sometimes it’s useful to provide notes and links for something we need to discuss, and it’s always considerate not to interrupt someone who is busy.)

Third, my computer has a keyboard and my phone doesn’t. Yes, I could install WhatsApp on a personal computer, but even if WhatsApp was well reviewed on Windows (it isn’t), I wouldn’t want to. It would be just another source of interruptions.

Fourth, it’s easy to organise email visually. When I check my email, I see four folders: an inbox, a “to do” list, a “to read” list and a “waiting for” list. When I check WhatsApp, I mostly see emojis. I am told that Snapchat is even worse.

Fifth, it’s much easier to customise the way email works — you can schedule future messages and set up filters, auto-replies and templates with chunks of text you regularly need to use. You can turn emails into calendar appointments with a click or two. Some instant-messaging apps offer some of this functionality, but all of it is commonplace on email, most of it for decades.

Finally, there is the enshittification problem: many instant-messaging platforms have an owner with market power and an ever-present temptation to degrade the user experience in pursuit of profit. If you don’t like WhatsApp and would rather use Signal, you need to persuade your friends to embrace the new platform. This co-ordination problem gives WhatsApp’s owner Meta considerable leeway to make your life worse before you get round to leaving.

In contrast, nobody owns email: it’s an open standard. You may be relying on Big Tech to provide your Outlook or Gmail account, but you can switch easily if you don’t like it any more. Nothing stops you sending messages from one email provider to another, so when you switch you don’t need to persuade your friends to switch with you. This power of exit is easy to take for granted — until you need it.

Of course, there are sometimes good reasons to use instant-messaging platforms. Their encryption is usually better than email; they handle photographs better; they can be fun for quick, disposable sharing of jokes or co-ordinating where to meet for a drink.

But that’s not why so many people are sending texts that should have been emails. The attraction of instant messaging is selfish. Messages are designed to interrupt the person to whom they are sent. HEY, STOP! LOOK AT THIS!

If your message demands that sort of immediate attention, fine. That is why they call it “instant”. But many instant messages don’t — they’re just inconsiderate interruptions. And because instant-messaging apps don’t have a proper inbox, they’re inconsiderate interruptions that can easily slip out of sight.

When the message is important but not urgent (that is, when the message should have been an email), then you’re implicitly requiring the recipient to set aside their priorities immediately to respond to yours — at the very least, making a note to themselves to deal with your interruption later.

Cory Doctorow — the author of Enshittification and an email power user, captured how this feels in a recent essay: “getting an IM mid-flow is like someone walking up to a juggler who’s working on a live chainsaw, a bowling ball and a machete, and tossing him a watermelon while shouting, ‘Hey, catch this!’”

I find this watermelon toss infuriating. Life presents us with enough incoming watermelons already; we don’t need people throwing them at us out of simple thoughtlessness.

In examining my own rage, I think I’ve come to understand why I find this behaviour so upsetting. I object to being dragged into a mess of other people’s making. The digital world is full of what are euphemistically termed “walled gardens”, a term which conjures an image of a sheltered oasis, but in reality means a cross between a doggy toilet and a prison camp. That would be fine if I could stay outside on the open internet, but my friends and colleagues keep insisting that they’re having a picnic in the garden and they would be so delighted if I’d show up.

Whenever I receive an instant message that should have been an email, I assume the worst: the person who sent it did so because they lost control of their email. Their inbox is overflowing; the searchable, fileable history of communications is no longer an asset but a guilty burden; they don’t trust themselves to reliably deal with an email, and so they don’t trust me either.

In other words, their email game is so weak that they might as well be flinging WhatsApps. And that drags me into their chaotic, goldfish-memory world.

Did I say that all these instant messages were like asking me to pick up your discarded chocolate wrappers? Let me change the simile. Your instant messages are like you eating the cheeseburger, while I have the heart attack.

They finally did it. Microsoft has successfully over-engineered a text editor into a threat vector.

This CVE is an 8.8 severity RCE in Notepad of all things.

Apparently, the "innovation" of adding markdown support came with the ability of launching unverified protocols that load and execute remote files.

We have reached a point where the simple act of opening a .md file in a native utility can compromise your system.

Last month, the popular social video app TikTok finalized a deal with investors, including Oracle, to appease a bipartisan bill that called on the app’s Chinese owner, ByteDance, to divest — or be banned in the United States.

The deal launched a frenzy among its US-based users over possible censorship, with some accusing it of taking down footage of ICE agents or restricting searches for words, such as “Epstein.” While TikTok denied these claims, pointing to a “data center power outage,” the app also changed its privacy policy at the time — now allowing it to collect more detailed data on its users, including their precise locations.

That sparked new fears. As The New Republic argues, TikTok’s deal means that agents at Immigration and Customs Enforcement (ICE), whose deportation efforts have been supercharged under the Trump administration, could skip tedious court-ordered data requests and monitor users by buying their data from private data brokers that obtain the info from TikTok directly — a “highly ironic” development, the magazine writes, considering the ByteDance deal was motivated in the first place by fears over Chinese state-sponsored surveillance.

In the days after the US Department of Justice (DOJ) published 3.5 million pages of documents related to the late sex offender Jeffrey Epstein, multiple users on X have asked Grok to “unblur” or remove the black boxes covering the faces of children and women in images that were meant to protect their privacy.

DDoS hit blog that tried to uncover Archive.today founder's identity in 2023. [...] A Tumblr blog post apparently written by the Archive.today founder seems to generally confirm the emails’ veracity, but says the original version threatened to create “a patokallio.gay dating app,” not “a gyrovague.gay dating app.”

https://www.heise.de/en/news/Archive-today-Operator-uses-users-for-DDoS-attack-11171455.html:

By having Archive.today unknowingly let users access the Finnish blogger's URL, their IP addresses are transmitted to him. This could be a point of attack for prosecuting copyright infringements.

On January 14, 2026, global telnet traffic observed by GreyNoise sensors fell off a cliff. A 59% sustained reduction, eighteen ASNs going completely silent, five countries vanishing from our data entirely. Six days later, CVE-2026-24061 dropped. Coincidence is one explanation.

The pattern points toward one or more North American Tier 1 transit providers implementing port 23 filtering

It's a day with a name ending in Y, so you know what that means: Another OpenClaw cybersecurity disaster.

This time around, SecurityScorecard's STRIKE threat intelligence team is sounding the alarm over the sheer volume of internet-exposed OpenClaw instances it discovered, which numbers more than 135,000 as of this writing. When combined with previously known vulnerabilities in the vibe-coded AI assistant platform and links to prior breaches, STRIKE warns that there's a systemic security failure in the open-source AI agent space.

"Our findings reveal a massive access and identity problem created by poorly secured automation at scale," the STRIKE team wrote in a report released Monday. "Convenience-driven deployment, default settings, and weak access controls have turned powerful AI agents into high-value targets for attackers."