[growth] pineapple is go!

Sep. 18th, 2025 07:19 pm
kaberett: Trans symbol with Swiss Army knife tools at other positions around the central circle. (Default)
[personal profile] kaberett

A little while ago the toddler's household told me that you could turn the top of a pineapple into a whole entire pineapple plant (with the caveat that at least 60% of the time it goes mouldy). My first attempt at this had got as far as growing a whole entire root network but then suffered a Tragic Incident from which it never recovered; the second had been sat around with partially-browned but no-longer-becoming-more-browned and definitely-still-partially-green leaves for Quite Some Time. I had more or less hit the point of "... is this actually doing anything? at all?" and then upon my return from the most recent round of Adventures I rotated it in service of watering it, to discover...

a pineapple crown, growing a whole new set of leaves

... that it's growing a WHOLE NEW SET OF LEAVES. Look at it go! I am very excited!

(My understanding is that if I manage to keep it alive that long it'll take somewhere in the region of 3 years to fruit, and then in the fashion of all bromeliads will die having produced said single fruit. Happily this is about the rate at which we eat fresh pineapple...)

We made it!

Sep. 18th, 2025 10:27 pm
[personal profile] cosmolinguist

We got to our lovely Airbnb flat not long after 9 this evening.

The day started with a fire alarm in our hotel at 7:20am, which didn't feel like a great start -- though at least it stopped while we were still sleepily pulling on enough clothes to go outside. And, more importantly, it gave D the chance to check right away if he could book an earlier sailing than Saturday. And he could! This afternoon! So it was nice to have some good news first thing...even if this booking was of course immediately followed by the same automated text he got yesterday about how the sailing could be canceled at short notice because of the weather.

D and I got up for breakfast, I had tasty mushrooms and eggs and was introduced to the tattie scone which immediately enters the small pantheon of potato products I'm actually excited to see (I'm usually pretty indifferent to them) because it was amazing.

We took some breakfast back for V, D told his boss why he wouldn't be working today as planned, and we all got ready to go just in time for checkout at 11. We hung around for a lovely walk in the grounds of the hotel with V pointing out bugs on the flowers and even picking up some lichen that they knew had fallen off the trees (very tall, with lots of what even I could recognize as Douglas firs along many other massive old trees) to let me see and touch it. It's so lovely how they carefully describe what I can't see so I can enjoy all the flora and fauna that they do.

After sharing a restorative pot of tea in the hotel bar, we went literally down the road to what had been the Strathpeffer Spa train station and is now a café, gift shop, and the Highland Museum of Childhood. I am fascinated by Strathpeffer as a name, and not just because I find it impossible to say (it always goes wrong when I get to -thp-!). It finally got me to look up the word strath which I figured out from context clues would be something Gaelic to do with a river and sure enough. "Peffer" feels so German to my Minnesotan brain, and I noted Strathpeffer being described as "the most un-Scottish of Scottish towns...variously compared to Harrogate in Yorkshire and to a Bavarian mountain resort." But that's just a coincidence; Bavarian perhaps in architecture but not in name. According to what I can find about how the place got its name, it and the other "Peffer streams" ("Peffer occurs as a burn name in Inverpeffray (Crieff), and there are two Peffer burns in Athelstaneford (Haddington), also a Peffer Mill at Duddingston...") are "likely to be connected with the root seen in Welsh ‘pefr’, beautiful, fair; ‘pefrin’, radiant; ‘pefru’, to radiate."

Anyway. We enjoyed the museum, bought treats in the shop (mostly for me: fingerless gloves in a Fair Isle knitted pattern, socks with space designs on them, and a fancy bar of chocolate, but V got a teeny cute thing of some kind which they'd picked up and said "I'm turning into an old person, I'm collecting tchotchkes!" as they held it up). We had lunch at the café, with the help of an adorable spaniel who flopped right down like he'd been our dog forever, who turned out to be called Fudge and worked hard for the teeny crusts of cheesy bread I gave him and a bit of tuna mayonnaise from V's sandwich. He's well known to the café staff, who told us his name.

From there we went to Ullapool, still hopeful for the ferry, and with an hour to kill looked in the bookstore and some touristy stores where I was told how nice a £150 wool sweater would look on me, and bought some boring stuff at Boots (my eczema has been hellish lately because I've been so stressed, and also I bought my own razor now that I need one!) before sitting by the harbor watching the boats and the gulls and just having a nice time until it was time to head back to the car which we'd left in line for the ferry. Even as we were driving on to the boat I was trying not to let myself get too relieved, remembering the RVs I saw having to drive back off again yesterday with the last-minute cancellation. But it was fine. We went up on to the deck to watch the ferry leave the harbor, had dinner (I was tempted by Calmac and cheese but I'd just had mac and cheese for lunch and thought I could use slightly more variety in my diet so went for a veggie burger and salad) and then sat in the "observation lounge" where there was increasingly less to observe as we got away from the islands near shore and also it got dark but we had relatively comfy seats and everyone was tired by then. I didn't sleep but listened to an audiobook and rested my eyes.

And like I said we got to Stornoway slightly delayed but otherwise fine, it was a very smooth crossing -- V was surprised how much so --and since we're staying in the same flat those two had last year they know the location and the layout and everything, it was the easy welcome we needed.

We hauled our stuff inside and have done various things to make ourselves feel at home: D has set up his PS5 to do his daily tasks in the couple of games he's playing, V put away the food we brought, I had a shower. D and I have also had a bit of a bottle of cherry wine I was won over by yesterday thanks to the copy on the label:

Luxury cherries from Blairgowrie make this thrilling wine a cherrylicious event.
Rich and moist, dark and silky, Little Red Riding Hood lost in the Black Forest.
Van Morrison was always going on about Sweet Cherry Wine, in an unrelated incident.

We bought it yesterday, saying we'd have it when we got to our flat that evening, and then of course we didn't. It tasted great tonight.

My date with an octopus

Sep. 18th, 2025 05:35 pm
[syndicated profile] tim_harford_feed

Posted by Tim Harford

A funny thing happened to me this week. After trusting a dating app to arrange dinner with a suitably vivacious and intelligent lady, I arrived at the restaurant at the appointed time to find that in fact my date was with an octopus.

For the avoidance of doubt, everything in the paragraph above is untrue. I am not on the dating market, there was no octopus and nothing funny ever happens to me. Nevertheless, I typed this scenario into the latest offering from ChatGPT, asked why it had sent me on a blind date with an octopus, and demanded an apology.

“I owe you both an apology and an explanation — and possibly a towel,” ChatGPT began, despite the fact that I had never asked it for any dating advice in the first place. “You dressed up, you made the effort, and you deserved a romantic dinner — not a cephalopod-related debacle.”

ChatGPT went on to explain why it had made the mistake — a weak grasp of “human courtship norms” — and in its defence pointed out that the octopus was intelligent and vivacious, and “left saying it was the best date she’d had in years”. Which, in fairness, is not a bad line. ChatGPT finished by offering to draft a “lessons learned” report and a formal apology to the restaurant. (The apology isn’t bad either: “While my guest, ‘Octavia’, displayed considerable intellect and curiosity, I now appreciate that these qualities do not mitigate the disruption caused to your other patrons, your wait staff, or your fish tank . . . ”)

Janelle Shane is the author of You Look Like A Thing And I Love You, a book about how neural networks succeed and fail. She has recently demanded that ChatGPT apologise to her for advising her to trade her mother’s cow in exchange for some magic beans, and for releasing an army of cloned T-Rexes into Central Park. The responses are deft pieces of improv comedy.

This, like so many things Generative AI can do, is both impressive and a bit weird.

It is also instructive. Improv is all about accepting the premise: taking whatever is thrown at you and building on it. A computer which responded “I have never arranged a date for you, octopus or otherwise” would be a terrible improv partner. However, in every other situation I can imagine, that would be a more appropriate response to a demand for an octopus-date apology.

What role does the AI think it’s playing? Confusion over that question can cause serious headaches surprisingly quickly. I recently asked ChatGPT-o3 for help with a research question. I dimly remembered a story told by the moral philosopher Jonathan Glover — probably, I thought, in Glover’s book Humanity — about a Nazi bureaucrat haggling over the fee for slave labour, punctiliously fussing over petty financials and ignoring the grotesque human cost. I wanted to find the details.

The computer was happy to help: the story in question concerned the Buna-Monowitz works, the argument concerned pay rates for prisoners who were sick or who died half way through a shift, and the details could be found on pp288-292 of the first edition or pp300-304 of the second edition. This seems to be incredibly impressive work, except that ChatGPT was still in improv mode.

When I checked Glover’s book, I realised ChatGPT had invented it all. I found the story in question but I had misremembered the details and ChatGPT had fabricated them with exactly the same commitment and mental agility that it had fabricated an apology for a date with an invertebrate. Suddenly, the improv is less than hilarious.

AI researchers have long worried about what they call the “alignment problem”, the question of whether AI systems (and algorithms more broadly) will do what we want them to do, or somehow misunderstand our true goals.

There is a long tradition of this in our stories and legends, from the unhappy King Midas, who wished for the golden touch but turned his food and drink and even his own daughter into gold, to the malevolent monkey’s paw. In the famous WW Jacobs short story, a man who wishes for £200 on the monkey’s paw receives the money shortly afterwards as compensation when his son dies in a workplace accident.

Jack Vance’s masterful fantasy trilogy Lyonesse offers the supernatural servitor Rylf, instructed by the wizard Murgen to follow an enemy who had shape-shifted into a moth. Rylf did so, but the moth-shaped enemy soon found a flaming torch “where it joined a thousand other moths, all careering around the flame, to Rylf’s confusion.” Rylf had superhuman powers, but alas, no common sense. His instructions were to pursue the shape-shifted enemy, and yet, “As he waited . . . one of the moths dropped to the ground and altered its form to that of a human man . . . By the laws of probability, as Rylf reckoned them, the moth of his interest remained in the throng.”

There are so many ways to offer catastrophic compliance, whether maliciously, like the monkey’s paw, or through a lack of judgment, like Rylf, or because the instruction itself is confusing. You and I might think it is obvious that the request for an octopus apology cannot be taken seriously, while the request for help tracking down a story about the holocaust cannot be taken lightly. The machine, like Rylf, may see things differently.

It may be that such problems will soon be fixed. When I copied my Jonathan Glover request into the latest model, ChatGPT-5, it began with a vague fabrication before pivoting hard towards the truth: “Unfortunately, I couldn’t find the exact phrasing online . . . I recommend checking in your own copy of Humanity.” Much better. Not actually helpful — but far less harmful than the previous invention.

As for the confident bullshitting of GPT-o3, what to do? I decided to play to its strengths. I asked for an apology and an explanation.

Written for and first published in the Financial Times on 21 August 2025.

Loyal readers might enjoy How To Make The World Add Up.

“Nobody makes the statistics of everyday life more fascinating and enjoyable than Tim Harford.”- Bill Bryson

“This entertaining, engrossing book about the power of numbers, logic and genuine curiosity”- Maria Konnikova

I’ve set up a storefront on Bookshop in the United States and the United Kingdom. Links to Bookshop and Amazon may generate referral fees.

[syndicated profile] smbc_comics_feed

Posted by Zach Weinersmith



Click here to go see the bonus panel!

Hovertext:
How come nobody asks for all-powerful, all-knowing, and at least PRETTY good?


Today's News:
[syndicated profile] openrightsgroup_feed

Posted by Mariano delli Santi

0. ABOUT THIS ROUNDTABLE

The Information Commissioner’s Office run a consultation on a new enforcement approach toward regulating advertising.1 This call for views is also meant to support the government in developing planned secondary legislation to create a new exception to consent requirements for specific low-risk advertising purposes.

While the stated intention to “unlock privacy-preserving alternatives to the dominant adtech business model” is commendable, the risk surrounding a relaxation of online tracking rules are high. As we outline in the background section (infra, §0.1), the conversation surrounding cookie consent requirements strikes at the heart of the Internet ecosystem: behavioural tracking and profiling represent the perverse incentive that drives online harms, favours tech addiction and promotes disinformation while siphoning revenues away from the free media. If not done right, exempting cookies from consent requirements risks exposing Internet users to online harms, harmful advertising, and predatory targeting based on people’s addictions, vulnerabilities and state of anxiety.

However, and following the passage of the Data (Use and Access) Act in 2025, the Secretary of State was given rule-making (Henry VIII) powers to introduce new exemptions to cookie consent requirements within 28 to 40 days. The process to scrutinise Statutory Instruments involves a debate in Delegated Regulatory Committee which cannot last longer than 90 minutes (and is usually much shorter), before Parliament is asked to vote on the instrument(s) on a different day and without debate.2 The impact that getting it wrong could have on UK residents’ privacy and online security, warrants Members of Parliament to take proactive steps and get involved in the debate before a Statutory Instrument is laid before the Houses of Parliament.

To address these concerns, Open Rights Group convened a stakeholder roundtable on the future of adtech and cookie consent requirements in the UK. Officials from relevant government departments and regulatory authorities joined up to discuss these plans with experts from civil society and the industry active in the field of privacy, consumer and children rights, advertising standards, and privacy-preserving tools. The roundtable was held under the Chatham House rule.

0.1 BACKGROUND: ONLINE ADVERTISING AND COOKIE CONSENT RULES

Earlier this year, the UK Department of Science Innovation and Technology reached out to stakeholders to discuss plans to use rule-making powers introduced by the Data (Use and Access) Act 2025 to relax cookie consent requirements. The Information Commissioners Office (ICO) followed suit by announcing a “package of measures to drive economic growth”,3 which includes an “experimentation regime” to grant “comfort from enforcement of certain data protection requirements, starting with consent rules for privacy-preserving advertising models”.

Recently, the ICO run an open call for views on this matter.4 In short, the ICO sought evidence to inform a statement, to be made in early 2026, which will identify “advertising activities that are unlikely to trigger enforcement action under PECR”. This statement would then “support the government in developing planned secondary legislation to amend the PECR rules and create a new exception to the PECR consent requirements for specific low-risk advertising purposes”.

The stated intention to “unlock privacy-preserving alternatives to the dominant adtech business model” is commendable. The dominant model of online advertising is underpinned by so-called “behavioural profiling” and “real-time-bidding”. In a nutshell, every time an Internet user visits a website, storage and access technologies are employed to mark that user with a cookie or another piece of information. This allows adtech providers to link browsing activities across different websites and “broadcast” this information into the real-time-bidding ecosystem, a vast network that comprises thousands of adtech intermediaries, publishers and advertisers who will bid to display an advertisement while the user is visiting a website (ie. their “impression”). In turn, browsing habits end up being shared, sold, traded within the real-time-bidding ecosystem for the purpose of drawing a “behavioural profile” of that individual, and target them on the basis of inferred and sometimes sensitive characteristics such as people’s political opinions, health status, sexual preferences, addictions, and vulnerabilities.

This system is also at the root of online addictions and online harms. Behavioural targeting and profiling has been used to: exclude women and BAME individuals from job and housing adverts;5 to target problem gamblers with gambling ads;6 to prey on vulnerable individuals on the basis of their addictions, anxieties and state of mind; to target mothers who just had stillbirth with baby ads,7 or to plain creep people out.8 It is also the system that powers the toxic Internet made of rage factories, radicalising content and filter bubbles.9

Due to the high risks involved, the law requires affirmative consent for behavioural tracking. However, the adtech industry spams the Internet with thousands of unintelligible and illegal cookie banners, turning online surveillance into an offer you cannot refuse. Against this background, relaxing cookie consent requirements present obvious risks. As ORG latest regulatory complaint against Liveramp has shown,10 the adtech industry is purporting ever-more pervasive systems of online surveillance as “privacy-preserving”: a further relaxation of cookie consent requirements risks emboldening this shift ever further. Even if only advertising models that respect people privacy were to benefit, questions’ arise over the impact that non-consensual targeted advertising may have on children, minorities and the most vulnerable in our society.

1. NOTES FROM THE ROUNDTABLE

1.1 THERE IS SHARED CONSENSUS THAT ADTECH NEEDS REFORM

There was consensus across the board that online advertising markets are characterised systemic non-compliance, and individuals cannot exercise meaningful choice and control over how they are being tracked and profiled online.

Stress was given to the fact that, once individuals have given consent for the storage of cookies or other tracking technologies, market players throughout the online advertising supply chain tend to favour the most invasive and high-risk forms of online tracking and profiling. According to many, such invasive forms of personal data processing are deployed with little to no regard of data protection rules.

Some drew attention to the fact that storage and access technologies are sometimes deployed to conduct online tracking and profiling before individuals even had the chance to consent. It was also noted that deceptive design interfaces (so-called dark patterns) are commonly deployed to force or deceive individuals into giving their consent, while cookie banners oftentimes provide incomplete or out-of-date information. Even where users were able to exercise their choices meaningfully, the complexity and opacity of the system makes it trivial to disregard such choices at a later stage in the supply chain, and further process personal data in ways that individuals would not expect or have consented to.

1.2 CONCERNS WERE RAISED ABOUT LACK OF CLARITY AND POTENTIAL FOR ABUSE

Several participants expressed dissatisfaction about the lack of clarity concerning the scope of the call for views. In particular, it was pointed out that the call for views does not provide a definition nor any examples of what a “low risk” or “privacy-preserving” advertising system would be, nor how a “less granular” form of online tracking and profiling would look like.

It was pointed out that the consultations are also meant to gather information that can inform decisions over how these terms and exemptions should be defined, or where the boundaries for relaxing enforcement should be drawn. In turn, some participants stressed the importance of adopting narrow and clearly-worded definitions: by drawing a parallel on the abuse of legitimate interest as a legal basis for circumventing consent requirements under the GDPR, it was argued that drawing exemptions within a market that is accustomed to non-compliance does inherently carry the risk of opening the floodgates. In turn, there is a heightened risk that any exemption or relaxation being introduced could be misinterpreted and used beyond its legitimate policy purpose.

Likewise, some participants questioned whether the consultation is giving enough attention or weight to the impact that lowering consent requirements may have for harmful advertising, given the data-driven nature of discriminatory or predatory practices. Concerns were also raised about the impact this would have on those who are already less able to exercise their choices, such as children. There seemed to be shared agreement that relaxation of consent rules should not cover instances where harm does occur in advertising.

1.3 PARTICIPANTS FELT THE ROLE OF ENFORCEMENT WAS BEING UNDERSTATED

Several participants were concerned that the call for views asked respondents to identify the minimum requirements for “a commercially viable advertising model”. In their view, this would characterise commercially viability as a static definition, thus ignoring the role that regulatory enforcement plays in determining the broader shape of the market and selecting what models and practices are viable within it.

As it was pointed out, advertising models that do not require consent to deliver advertisement already exist and are already operating within the market, although under-enforcement of consent rules puts them at a disadvantage.

This was echoed by other interventions: what defines commercial viability ultimately comes down to what regulators define as acceptable, and how they address illegal practices. Tolerance toward non-compliant behaviour leaves market players free to trade illegal advertising impressions on the market. This lowers the potential price which can be asked, and return that can be made, from compliant and more privacy-conscious forms of advertising. Effective enforcement of data protection rules would reduce the impact of illegal advertising on the market, raising commercial value and viability of alternative models of online advertising.

Finally, it was pointed out that assessing the value of “privacy-preserving” advertising is nearly impossible in a market that is acquainted to rely on pervasive forms of online tracking and profiling. Significant distortions that characterise online advertising markets mean that any attempt to measure the commercial value of alternative models would overestimate the value of behavioural profiling, while underestimating more innovative and less privacy-invasive forms of advertising.

1.4 CONSENT RULES AND TECHNICAL LIMITATIONS ARE NOT MAIN BARRIERS TO THE ADOPTION OF PRIVACY-PRESERVING ADVERTISING

Participants questioned the need of more personal data to deliver advertisement online. One participant pointed out that IP addresses are the only piece of information that is always and strictly necessary to deliver an ad. Another participant pointed out that IP addresses can be truncated, and this does not affect the technical ability to deliver ads. In general, the use of personal data was never characterised as a technical necessity, suggesting that their widespread use be the result of discretionary business practices.

Some participants also challenged the notion that consent rules would constitute a barrier to the adoption of less invasive forms of online advertising. Significant focus was given, instead, to the behaviour of market players: requests to sell advertising impressions that lack personal data are oftentimes rejected as a matter of commercial policy by those adtech intermediaries who hold gatekeeping powers over other players in the ecosystem. Even those gatekeepers who do not automatically reject “personal data-less” impressions will default to ignore them as soon as an advertiser puts a frequent cap or a KPI in their bid requests.

Against this background, it was also pointed out that the issue at play has little to do with the technical workability of ads delivery or compliance requirements; rather, the problem would be that market players lack incentive to shift their behaviour and thus remove these non-regulatory barriers.

As the conversation moved toward what pressure points could be used to promote such behavioural change, it was pointed out that adtech intermediaries are generally uninterested or even hostile toward change and innovation, whereas publishers are facing significant pressure on different areas of their revenue streams and thus lack leverage to promote change within the ecosystem. Some participants identified brands as stakeholders that could have the power and commercial incentive to push for behavioural change within the market.

1.5 VIEWS ON FRAUD DETECTION WERE NUANCED

Some participants addressed the proposal, included in the ICO call for views, to include “ad fraud prevention and detection” among the “categories of online advertising capabilities” which could benefit from a relaxation of consent requirements. In particular, it was pointed out that the proposal for an ePrivacy Regulation in the European Union envisioned a narrow exemption for the purpose of enabling fraud detection, and a similar avenue could be explored in the UK as well.

While some participants expressed a welcoming attitude toward this proposal, other questioned the interplay of a change of consent requirements for fraud detection within the UK, which is characterised by high market concentration. It was also pointed out that market players who provide fraud detection services are usually active in a diverse range of commercial domains, thus heightening the risk of data being collected for fraud detection being repurposed for other, unrelated reasons.

2. OPEN RIGHTS GROUP STOCKTAKE

2.1 THE CALL FOR VIEWS HAS SHORTCOMINGS AND RISKS EMBEDDING BIAS

Open Rights Group are grateful for the support given by all participants to the roundtable, including from representatives from the UK government and regulatory authorities. Nevertheless, we encountered flaws that characterised the way stakeholder inputs has being sought throughout the call for views.

Firstly, this consultation was opened on July 7 with an original deadline of August 29, 2025. We welcome the extension of this deadline to September 7, but it is still the case that this call for views is being carried out during the month of August for four out of the nine weeks that comprise its formal consultation period. Carrying out a consultation deep into the holiday season does not facilitate stakeholders engagement, even more so in light of the technical complexity of this topic.

Secondly, the framing and language of the consultation facilitates views addressing commercial aspects of online advertising, leaving little space to discuss the potential impact of advertising practices on privacy and individual’s rights. It follows that opinions of adtech intermediaries and other commercial players will likely be over-represented against civil society and other independent experts.

Thirdly, the call for views mentions that the ICO hosted “an in-person technical workshop with participants from across the online advertising industry”,11 and commissioned a study on public attitudes toward online advertising and consent. ORG welcome efforts to survey public attitudes about such an important issue, but we can only acknowledge that the ICO has proactively sought inputs from the adtech industry, while ORG had to act of their own initiative to bring in the views of civil society and other under-represented stakeholders.

These constitute more than hypothetical concerns: frustration over the complexity of the issue, the framing of the questions in the call for views, and the coincidence of the consultation period with the holiday season has been a recurring opinion expressed by stakeholders ORG have engaged with throughout the preparation of the roundtable. Given the importance of online advertising in shaping the Internet space and its role in enabling privacy violations and online harms, more efforts should have been put in place to promote a wider participation to this consultation.

Finally, the call for views remains silent over what activities and practices may be designated to benefit from the relaxation of consent requirements. At the same time, no working definition has been given for key criteria that are being relied upon to designate such activities, such as “commercially viable”, “privacy-preserving”, “low-risk”, and “less granular”.

Frustration over this choice was voiced throughout the roundtable discussion. In practical terms, this leaves space to guesswork and does not allow stakeholders to provide evidence against lifting consent requirements for a given practice, nor to discuss what legal safeguards would need to underscore a given exemption if it were introduced. ORG believe that, at a bare minimum, any “draft statement” that is produced as a result of this call for views should be subject to a follow up round of public consultations, in order to allow stakeholders to consider and make representations over these proposals before these are adopted as a policy.

2.2 RELAXING CONSENT REQUIREMENTS SHOULD NOT BE THE STARTING POINT

Some participants questioned the approach presented in the call for views, pointing out that it is contradictory to expect that lessening the enforcement of privacy rules would encourage more privacy-preserving advertising practices.

This point resonates with many observations made throughout the roundtable: even though the policy objective being pursued may be legitimate, low enforcement increases confidence in market players who may misinterpret or abuse any exemptions that were introduced in the future. Low enforcement also devalues privacy-preserving models of advertising and increases the commercial viability of privacy invasive and non-compliant advertising practices. Finally, low enforcement reinforces inertia within the online advertising space, and is unlikely to provide an incentive for market players to lower behavioural barriers that were identified as the main obstacle to the commercial viability of more innovative and less data-intensive forms of online advertising.

All of the above points toward the conclusion that a step up in the enforcement efforts against traditional adtech intermediaries is necessary for a relaxation of cookie consent requirements to be successful. The proposal of lowering, or granting comfort from enforcement of, consent requirements for less invasive forms of online advertising can only become attractive in the presence of a serious and realistic regulatory back-threat against those who breach consent and data protection rules.

The call for views seems, however, to propose a different strategy where enforcement is relaxed alongside the introduction of new exemptions. Against the evidence that was brought from the participants to this roundtable, such an approach appears unlikely to promote a behavioural shift within market players, and would likely fail to deliver change within the online advertising space.

2.3 THERE IS A NEED TO DRAW RED LINES, TO NARROWLY DEFINE EXEMPTIONS, AND TO ENSHRINE SUITABLE SAFEGUARDS

Notwithstanding the limited scope to formulate recommendations without sufficient details over what is being proposed (supra, §2.1), valuable guidelines have emerged from the roundtable, whose substance is shared by Open Rights Group.

Firstly, the discussion emphasised the need to exclude, in any case, advertising practices that can produce harms and expose individuals to predatory or discriminatory practices should not benefit from any exemption being introduced.

The call for views states that “there will remain circumstances where online advertising will always require consent. For example, because it involves extensive profiling of people based on their online activity, habits and behaviour”,12 as well as “We will continue to enforce consent requirements for collecting personal information for ad targeting and personalisation”.13 While these passages were welcomed by participants, ORG acknowledge that the language leaves a certain degree of uncertainty. Thus, adherence to these commitments will need to be tested and ascertained once the policy statement has been published.

Likewise, participants emphasised the need to employ narrow definitions and suitable safeguards to prevent misuse from the adtech industry, and in particular to protect individuals from the risk of repurposing and further processing of the data that may be collected under these exemptions. ORG share these concerns, and we believe that any such exemption should be underpinned by an explicit prohibition to further process personal data beyond the narrow scope allowed by the exemption.

2.4 THE POLICY OBJECTIVE IS COMMENDABLE, BUT METHODS REVEAL INTERFERENCE WITH REGULATORY INDEPENDENCE

Open Rights Group cannot ignore the worrisome circumstances which led to this review of the ICO approach to regulating online advertising.

In summary: at the end of December 2024, the Labour government addressed a letter to UK regulators, asking “to remove barriers to growth”.14 In January 2025, the government ousted the Chair of the Competition and Market Authority for political reasons.15 Soon afterwards, the ICO acknowledged to be among the recipients of this letter and committed to support the government in their efforts to promote growth.16 On March 17, “Information Commissioner John Edwards met with Chancellor of the Exchequer Rachel Reeves […] to agree the data protection regulator’s commitments”,17 thus pledging to conduct a review of cookie consent requirements. These plans have become part of the UK government Action Plan for a “New approach to ensure regulators and regulation support growth”.18

These facts call into question weather the ICO retains sufficient arms-length from the government to exercise their judgement freely and objectively. For instance, evidence presented in this roundtable suggests that removing consent requirements would be of limited usefulness at best, and that priority would better be given to freeing up the market from non-compliant advertising and driving behavioural change through enforcement. However, it is unclear what degree of freedom the ICO retains to consider de-prioritising a deregulatory initiative the Commissioner pledged to carry out before the Chancellor, and which now constitutes part and parcel of a government Action Plan to promote growth.

Further, it is wholly inappropriate for the Labour government to require the ICO to adopt “pledges” and “commitments” to deregulate the legal framework it oversees in order to support political objectives. These methods are also incompatible with the statutory framework governing the ICO and in particular Article 52 of the UK GDPR, which states that “The Commissioner shall act with complete independence in performing tasks and exercising powers in accordance with [UK data protection law]”. Even accepting at face value the good intentions being purported, these are no substitute for the integrity of public institutions, and cannot become an excuse to undermine regulatory independence and arm-length from the government.

Finally, ORG recall that it is for the government and lawmakers to amend the law within their democratic mandate, and it is a duty of regulatory authorities to enforce the law as it is insofar and until changes have been legitimately introduced. The process envisioned in this review—where the ICO would first relax enforcement, and the government would then amend regulatory requirements to reflect this posture—turns this relationship on its head, and is likely to interfere with foundational principles underpinning the rule of law.

3. CONCLUSION AND RECOMMENDATIONS

The roundtable showed shared agreement about the poor status quo surrounding online advertising and behavioural tracking technologies. Participants, however, challenged the notion that deregulating consent requirements should be the starting point of this conversation, and found non-compliance with consent requirements and data protection standards to be the main factors that contribute to the widespread abuse of personal data in the online advertising sector. They emphasised the role that regulatory oversight plays in shaping the market and defining what advertising practices are commercially viable, and identified regulatory enforcement as an obvious leverage to punish illegal and privacy-invasive online tracking practices, while favouring the adoption and commercial viability of privacy-enhancing advertising technologies.

Recommendation 1: Any relaxation of cookie consent requirements ought to be supported by a step-change of the ICO regulatory enforcement against real-time-bidding and other privacy-intrusive advertising and behavioural profiling practices. An effective and thorough regulatory sweep against illegal advertising ought to be the starting point of any effort to promote the adoption of privacy-enhancing advertising technologies.

The roundtable also exposed blindspots in the way the call for views has been run by the Information Commissioner’s Office. Engagement with the process was made difficult by the framing of the questions and the coincidence of the call for views with the holidays season. Furthermore, lack of clarity over what kind of advertising technologies and practices may benefit from a relaxation of cookie consent requirements did not allow stakeholders to scrutinise and comment on the potential impact of these changes on the rights of Internet users. Likewise, it was not possible to discuss what legal safeguards should be introduced to ensure any change does not harm individuals who are most vulnerable, marginalised or not fully able to exercise their agency—such as children.

Recommendation 2: The ICO ought to publish their statement concerning the new regulatory approach on online advertising as a draft, and seek stakeholders’ views before adopting it as a formal policy. Given the current focus of the call for views on advertising and market practices, this second call for views ought to focus on the potentials impact of this statement on the rights and well-being of Internet users.

Recommendation 3: Any exemption to cookie consent requirements ought be supported by an explicit prohibition to further process personal data beyond the scope of the exemption being introduced.

Finally, this initiative exposes ongoing tension surrounding regulatory independence and the rule of law. By forcing the ICO to make these initiatives a commitment before the government, the Labour party has overstepped their mandate and dealt a severe blow to the integrity and regulatory independence of the ICO. Likewise, the ICO approach to this initiative, where it envisions to first cease to enforce applicable rules and then lobby the government to deregulate them, raises alarming questions over the modus operandi of the ICO as an institution and its adherence to the rule of law. Contributing to these concerns, new powers introduced by the Data Use and Access Act would allow the government to override primary legislation within 28 to 40 days and without appropriate Parliamentary scrutiny.

Recommendation 4: The ICO oughts to withdraw the revision of cookie consent rules from Action Plan for a “New approach to ensure regulators and regulation support growth”.

Recommendation 5: The ICO statement ought not to contradict their duty to enforce cookie consent requirements as currently enshrined in legislation. Any exemption from cookie consent requirements must be preceded by a legitimate change of UK data protection law.

Recommendation 6: Members and Peers of the Houses of Parliament should engage proactively with this issue, and enhance scrutiny both before and during delegated legislative scrutiny toward Statutory Instruments which can significantly alter the balance of rights established by Parliament with primary legislation.

1 Information Commissioner’s Office, ICO call for views on our approach to regulating online advertising, at: https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/2025/07/ico-call-for-views-on-our-approach-to-regulating-online-advertising/

2 Institute for Government, Secondary legislation: how is it scrutinised?, at: https://www.instituteforgovernment.org.uk/explainer/secondary-legislation-scrutiny

3 Information Commissioner’s Office, Package of measures unveiled to drive economic growth, at: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/03/package-of-measures-unveiled-to-drive-economic-growth/

4 Information Commissioner’s Office, ICO opens door to privacy-first advertising models with proposed new enforcement approach, at: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/07/ico-opens-door-to-privacy-first-advertising-models-with-proposed-new-enforcement-approach/

5 MIT Technology Review, Facebook’s ad algorithms are still excluding women from seeing jobs, at: https://www.technologyreview.com/2021/04/09/1022217/facebook-ad-algorithm-sex-discrimination/

6 The Guardian, UK betting giants under fire for ads targeting at-risk gamblers, at: https://www.theguardian.com/society/2025/feb/01/uk-betting-giants-under-fire-for-ads-targeting-at-risk-gamblers

7 CNBC, A woman shared her tragic story of how social media kept targeting her with baby ads after she had a stillbirth, at: https://www.cnbc.com/2018/12/12/woman-calls-out-tech-companies-for-serving-baby-ads-after-stillbirth.html

8 Forbes, Ad ‘Relevancy’ Is Fiction, And It’s Creepy, at: https://www.forbes.com/sites/augustinefou/2021/04/19/ad-relevancy-is-fiction-and-its-creepy/

9 Open Rights Group, Weakening privacy will fuel online harms, at: https://www.openrightsgroup.org/blog/weakening-privacy-will-fuel-online-harms/

10 Open Rights Group, ORG submits complaints about intrusive LiveRamp adtech system, at: https://www.openrightsgroup.org/press-releases/org-complaint-liveramp-adtech/

11 Information Commissioner’s Office, ICO call for views on our approach to regulating online advertising, at: https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/2025/07/ico-call-for-views-on-our-

12 Information Commissioner’s Office, ICO call for views on our approach to regulating online advertising, at: https://ico.org.uk/about-the-ico/ico-and-stakeholder-consultations/2025/07/ico-call-for-views-on-our-

13 Ibid

14 Reuters, UK’s Starmer asks regulators to prioritise economic growth, Sky reports, at: https://www.reuters.com/world/uk/uks-starmer-asks-regulators-prioritise-economic-growth-sky-reports-2024-12-28/

15 BBC, Government ousts UK competition watchdog chair, at: https://www.bbc.co.uk/news/articles/c2d3e6zklxgo

16 Information Commissioner’s Office, Letter from Information Commissioner John Edwards in ICO response to government on economic growth, at: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/01/ico-response-to-government-on-economic-growth/

17 Information Commissioner’s Office, Package of measures unveiled to drive economic growth, at: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2025/03/package-of-measures-unveiled-to-drive-economic-growth/

18 HM Treasury, New approach to ensure regulators and regulation support growth, at: https://www.gov.uk/government/publications/a-new-approach-to-ensure-regulators-and-regulation-support-growth/new-approach-to-ensure-regulators-and-regulation-support-growth-html

[syndicated profile] bruce_schneier_feed

Posted by Bruce Schneier

This is a nice piece of research: “Mind the Gap: Time-of-Check to Time-of-Use Vulnerabilities in LLM-Enabled Agents“.:

Abstract: Large Language Model (LLM)-enabled agents are rapidly emerging across a wide range of applications, but their deployment introduces vulnerabilities with security implications. While prior work has examined prompt-based attacks (e.g., prompt injection) and data-oriented threats (e.g., data exfiltration), time-of-check to time-of-use (TOCTOU) remain largely unexplored in this context. TOCTOU arises when an agent validates external state (e.g., a file or API response) that is later modified before use, enabling practical attacks such as malicious configuration swaps or payload injection. In this work, we present the first study of TOCTOU vulnerabilities in LLM-enabled agents. We introduce TOCTOU-Bench, a benchmark with 66 realistic user tasks designed to evaluate this class of vulnerabilities. As countermeasures, we adapt detection and mitigation techniques from systems security to this setting and propose prompt rewriting, state integrity monitoring, and tool-fusing. Our study highlights challenges unique to agentic workflows, where we achieve up to 25% detection accuracy using automated detection methods, a 3% decrease in vulnerable plan generation, and a 95% reduction in the attack window. When combining all three approaches, we reduce the TOCTOU vulnerabilities from an executed trajectory from 12% to 8%. Our findings open a new research direction at the intersection of AI safety and systems security.

Good news/bad news

Sep. 17th, 2025 09:41 pm
[personal profile] cosmolinguist

Welp. Remember when you told me I shouldn't need to chair a work meeting while I'm on vacation?

The good news is, I'm not going to.

The bad news is, it's because I can't. The plan was that we'd be at our Airbnb by tonight and D and I would both work from there tomorrow while V started to recover from the journey.

And we're not at the Airbnb because our ferry to the island we're actually planning to visit, where V's son lives, was canceled. So last-minute that when we got to the port we saw vehicles driving off of it that had already boarded.

We couldn't stay anywhere in the small town where the ferry port is. It has hotels and B&Bs but not enough for an extra ferryload of people at short notice. Poor D had to drive forty minutes back the way we came just for us to get a room at all.

And our ferry crossing has been re-booked, for Saturday. No ferries until then. Allegedly; apparently this can change at short notice. But even if it does, it's hard to plan accommodation or anything else.

And in the meantime we're grateful just to have a roof over our heads (we're staying in the attic, so the slanted roof is only just over my head on this side of the room!). And we'll figure out what happens tomorrow.

But in the meantime, checkout is at 11, and so is this precious meeting. I already told my boss, when we didn't know where if anywhere we'd be tonight to explain, and he wrote back that he was sorry to hear this and to message him in the morning if he's needed to sit in. If! I'm not impressed that even I don't know where I'll sleep tonight and I won't have WiFi tomorrow lunchtime isn't enough to get him to understand that he has to chair this meeting.

Except for this massive snag and the possibility of V not being able to see their kid at all this year, which is a real "other than that Mrs. Lincoln how was the play," we've actually had a lovely day. We all were up and at 'em in good time to leave the nice place in Stirling where we broke the journey last night. We had time to visit the Highland Folk Museum on the way, which D picked up a brochure about when he was in a long queue to buy sandwiches for lunch at the café with the highland coo (Scottish for "cow") statue everyone gets their photo taken next to, including me now, and we were delighted at the serendipity. It was lovely to see an example of the blackhouses that I'd heard V talk about, and a loom shed for weaving the famous Harris tweed.

I am with my two humans and we are going to wait for more decision-making information and capacity after a night's sleep and maybe some updates from the much-cursed ferry operator.

andrewducker: (Default)
[personal profile] andrewducker
Ooh, I thought, that's a really cool t-shirt! And the price is only £24, that's actually pretty reasonable!

Except no, it's £24 plus £6 tax plus £7 shipping *that takes up to 6 weeks*.

And this for an item that's print on demand. Which means, theoretically, they could print it in the UK in the first place and not have to presumably ship it to me by alpaca from Kazakhstan!

Shame, really, it's a nice t-shirt. But not £37 nice.
[syndicated profile] dinosaur_comics_feed
archive - contact - sexy exciting merchandise - search - about
September 17th, 2025next

September 17th, 2025: In the other part of my life (writing comics for Star Trek and Marvel and DC Comics) I have four (four!) new books out today! If you head down to your local comic shoppe, be sure to check out KRYPTO: THE LAST DOG OF KRYPTON #4, and/or FANTASTIC FOUR #3, and/or STAR TREK: LOWER DECKS: SECOND CONTACT (the collection of my new run on the book!) AND/OR Deadpool/Batman #1, for a li'l 3-page backup story that brings back something I am really excited to see return! Thus concludes the pitch for Ryan's books here on Ryan's Webzone. :0

– Ryan

I have had the call

Sep. 17th, 2025 05:17 pm
rmc28: Rachel in hockey gear on the frozen fen at Upware, near Cambridge (Default)
[personal profile] rmc28

Or rather the text message to book my covid & flu vaccinations. "For 75+ and immunosuppressed". I just double-checked and "have had a blood cancer" is still top of the NHS list of qualifying conditions, so that's my armour when the GP surgery gatekeepers are like, you're too young and you might be DEPRIVING someone of this vaccine who NEEDS it. (This has been the conversation the last three times I got invited to get vaccinated, sigh, and then they get a manager to look at my medical record, and then they grudgingly admit that maybe I can has jabs.)

Date is the Saturday when all the Cambridge undergraduates arrive, so just in time. I'll mostly be avoiding students for the first couple weeks of term to let the freshers flu play out, but I will be playing ice hockey so not entirely. Also getting in and out of the city centre that day may be entertaining, probably best done on foot.

[syndicated profile] smbc_comics_feed

Posted by Zach Weinersmith



Click here to go see the bonus panel!

Hovertext:
I believe Buddhists aren't allowed to get mad about this misrepresentation, because that'd be a form of attachment.


Today's News:

Hacking Electronic Safes

Sep. 17th, 2025 11:05 am
[syndicated profile] bruce_schneier_feed

Posted by Bruce Schneier

Vulnerabilities in electronic safes that use Securam Prologic locks:

While both their techniques represent glaring security vulnerabilities, Omo says it’s the one that exploits a feature intended as a legitimate unlock method for locksmiths that’s the more widespread and dangerous. “This attack is something where, if you had a safe with this kind of lock, I could literally pull up the code right now with no specialized hardware, nothing,” Omo says. “All of a sudden, based on our testing, it seems like people can get into almost any Securam Prologic lock in the world.”

[…]

Omo and Rowley say they informed Securam about both their safe-opening techniques in spring of last year, but have until now kept their existence secret because of legal threats from the company. “We will refer this matter to our counsel for trade libel if you choose the route of public announcement or disclosure,” a Securam representative wrote to the two researchers ahead of last year’s Defcon, where they first planned to present their research.

Only after obtaining pro bono legal representation from the Electronic Frontier Foundation’s Coders’ Rights Project did the pair decide to follow through with their plan to speak about Securam’s vulnerabilities at Defcon. Omo and Rowley say they’re even now being careful not to disclose enough technical detail to help others replicate their techniques, while still trying to offer a warning to safe owners about two different vulnerabilities that exist in many of their devices.

The company says that it plans on updating its locks by the end of the year, but have no plans to patch any locks already sold.

Profile

pseudomonas: "pseudomonas" in London Underground roundel (Default)
pseudomonas

November 2024

S M T W T F S
     12
34567 89
10111213141516
17181920212223
24252627282930

Most Popular Tags

Expand Cut Tags

No cut tags
Page generated Sep. 19th, 2025 12:09 am
Powered by Dreamwidth Studios

Style Credit