New York Attorney General Letitia James (D) is investigating Facebook’s “unauthorized collection of 1.5 million Facebook” users' email contacts (see 1904180060), her office announced Thursday. Though the platform claims it collected data for 1.5 million users, consumers affected without consent could be “hundreds of millions,” given the number of contacts involved, James said. The data collected allegedly was used for targeted advertising, she continued. Email verification is standard for such services, she said, noting the company requested email passwords. James is one of multiple state AGs investigating Facebook’s Cambridge Analytica scandal and data practices (see 1902010049). “We're in touch with the New York State attorney general’s office and are responding to their questions on this matter,” a Facebook spokesperson said.
Silicon Labs shares closed up 18 percent at $110.04 Wednesday amid signs the semiconductor industry slump is coming to an end. Executives noted growth in key segments. Q1 bookings were “robust,” signaling a Q2 rebound “despite macro turbulence,” said CEO Tyson Tuttle. Revenue was $188 million, at the midpoint of guidance, compared with $205 million in Q1 2018, the company reported. Sequentially, revenue was down 13 percent due to the “broad slowdown in the semiconductor industry,” said Chief Financial Officer John Hollister. This “should represent the bottom of the downturn,” said Tuttle. “We have not seen material improvements in key macroeconomic conditions, including geopolitical and trade factors” since the January earnings call. Silicon Labs expects Q2 revenue of $202 million-$212 million on sequential growth in its IoT, broadcast and access businesses, with infrastructure “flat.” The company’s Wireless Gecko Series 2 launch was announced Monday. The platform enables “payment-grade” security down to the device level, the chief said. Products on deck are geared to the Bluetooth, Z-Wave and “higher levels of functionality,” he said.
Facebook expects to lose between $3 billion and $5 billion as a result of the FTC’s investigation of the Cambridge Analytica scandal and data privacy practices, said Wednesday’s Q1 report, signaling a potential record fine for the agency. “The matter remains unresolved, and there can be no assurance as to the timing or the terms of any final outcome.” The report includes a $3 billion legal expense “accrued in the first quarter of 2019 related to the ongoing” FTC probe. The tech platform reported $2.4 billion profit for the quarter, down 51 percent from the year-ago quarter. The company didn’t comment.
An online rewards website and a children’s dress-up games site failed to properly secure consumer data and allowed hackers to breach both sites, the FTC alleged in two settlements announced Wednesday with a 5-0 vote. A settlement with i-Dressup.com included a $35,000 civil penalty and alleged Children’s Online Privacy Protection Act violations. Unixiz, owners of i-Dressup.com, didn’t secure parental consent for collecting data on children under 13, the FTC said. The operators also transmitted personal information in plain text and failed to secure data, which led to a breach, the agency said. James Grago, owner of online rewards site ClixSense.com, deceived consumers about data protections, while failing to implement “minimal data security measures,” the FTC said in a settlement that doesn’t include a fine. Future violations of the settlements carry civil penalties up to $42,530 per offense. Neither company commented. The agency is committed to strengthening its consent order, particularly on privacy violations, said a statement. The deals included new requirements that “go beyond requirements from previous data security orders,” the commission said: a senior officer must provide “annual certifications of compliance” to the agency, and the defendants are barred from “making misrepresentations to the third parties conducting assessments of their data security programs.”
The FTC doesn’t have proper tools or resources to regulate the data broker industry, Intel Global Privacy Officer David Hoffman wrote Tuesday. Data brokers identify as technology companies but are nothing more than “malicious profiteers” weaponizing and monetizing data, he said. The agency has difficulty extending Section 5 of the FTC Act to regulate data brokers, which gather sensitive information without directly interacting with consumers, Hoffman wrote. The agency lacks proper rulemaking authority, and the “teeth” needed to incentivize proper handling of data, Hoffman wrote, citing recent comments to the agency. The Association of National Advertisers' Data Marketing and Analytics Division didn't immediately comment.
The right-to-repair movement's spread into consumer tech has “direct roots” in the allegedly “illegal” practices “now common in enterprise computing” of tying service updates to maintenance contracts that choke off third-party competition, said Gay Gordon-Byrne, executive director of the Repair Association. Member iFixit alleges major tech firms link security updates to service subscriptions (see 1903170001). Cisco, HP Enterprise, IBM and Oracle “linked access to safety and security updates to having a separate maintenance contract in place with the OEM entitled by serial number,” said Gordon-Byrne. “Third parties cannot acquire patches and fixes even on behalf of the customer unless the customer has such a contract.” None of the companies she cited responded to queries Monday. Right-to-repair advocates argue such arrangements are “illegal” under U.S. antitrust law, emailed Gordon-Byrne. Advocates met with DOJ’s Antitrust Division, but “we came to understand very quickly that anti-trust law wouldn't come to our rescue in our lifetime,” she said. The department advised the advocates to “seek a legislative solution -- which we have done,” said Gordon-Byrne. DOJ didn’t comment. Right-to-repair bills were introduced in nearly two dozen state legislatures this year, but the bills historically have had a poor success record (see 1904030028). When consumers “can't repair our stuff, the only route we have if it is available is the manufacturer's service,” Georgian David Bley commented last week in docket FTC-2019-0013. “I hear about people submitting legislation to gain the right to repair the stuff that they own,” he said. “I am not sure when we lost that right, because as a kid, we always tried to fix whatever we owned that broke.” Comments are due April 30 for submitting “empirical research” in the FTC’s inquiry into whether manufacturer limitations on third-party repairs can thwart consumer protections under the 1975 Magnuson-Moss Warranty Act (see 1903130060).
Federal privacy legislation should bar racial, gender and sexual orientation discrimination for employment, housing, credit and education, 26 civil society groups wrote Congress Friday. The groups argued for legislation that doesn’t pre-empt stronger state laws, provides enforcers with rulemaking authority and establishes a private right of action. The Center for Digital Democracy, Color of Change, Common Cause, National Hispanic Media Coalition, New America's Open Technology Institute, Public Citizen and Public Knowledge signed the letter to Senate and House Commerce Committee leaders.
Facebook “unintentionally” collected the email contacts of as many as 1.5 million users without consent, the company said Thursday, citing a design flaw from 2016. The issue stems from the platform verifying new accounts via user email passwords. When the verification process was altered in May 2016, language informing users of email contact collection was removed, though the uploading continued. The company ended email password verification for new users earlier this month, a spokesperson said. “These contacts were not shared with anyone and we're deleting them,” the company said, noting that affected users will be notified.
The EU’s potential one-hour requirement for platforms to remove terrorist content could result in the “over-removal of lawful content,” said the Computer and Communications Industry Association Wednesday. The requirement is included in a draft regulation to be the basis for the “European Parliament’s position in the final trilogue negotiations with the European Commission and the European Council,” CCIA said. Hopefully EU policymakers will “introduce a more workable content removal timeframe as the one hour deadline would not work for many, especially smaller, tech firms,” said CCIA Europe Senior Policy Manager Maud Sacquet.
The Internet Society’s Online Trust Alliance (OTA) gave its highest overall audit security and privacy scores to consumer-facing U.S. government websites and its lowest to healthcare sites, it said Tuesday in its ranking of seven industries. OTA said the healthcare industry ranked second in terms of privacy, but its last-place ranking was “largely due to sparse adoption of email authentication and always-encrypted sessions.” Overall, the audit found increased encryption, with 93 percent of sites encrypting all web sessions, compared with 52 percent in 2017, and more email authentication. “Almost every sector improved its security and privacy practices, and the record scores reflect that,” said Jeff Wilbur, OTA technical director. “The U.S. Government in particular made stunning improvements, from near last in 2017 to top of the class in 2018. Unfortunately, some sectors still have a long way to go to demonstrate acceptable security and privacy practices.”