But LoSavio had opted out of the arbitration agreement and was given the option of filing an amended complaint.

This is why it’s important to opt out of arbitration!

Also notice the potential for fuckery in the statute of limitations here:

the relevant statutes of limitations range from two to four years, and LoSavio sued over five years after buying the car. Under the delayed discovery rule, the limitations period begins when “the plaintiff has, or should have, inquiry notice of the cause of action.”

But when Tesla declined to update his car’s cameras in April 2022, “LoSavio allegedly discovered that he had been misled by Tesla’s claim that his car had all the hardware needed for full automation.”

Without that specific moment to point to, to reset the clock through delayed discovery, Tesla could just say “Yeah, we lied, but you bought the lie for 5 years, so now we’re in the clear!”

lmao, you asked.

I’m not a security expert, but my tech career has involved a lot of automated testing in weird scenarios, including iframe-based Facebook games and browser-based mobile apps. Automated tests face a lot of the same challenges that a malicious third-party would, so I know a little bit about how to get past them – or rather, how to deliberately create vulnerabilities (in the dev build of your system) so that your tests can get past them.

Edit: I am curious why someone downvoted me on that one though. I can understand how my comment about the ban being dumb but TikTok also shipping a keylogger could anger people on one side or the other. But just explaining how in-app browsers revive a security problem that’s been long-solved in standalone browsers?

Absolutely. But the penalty does modify the cost-benefit analysis. If a hacker demands $5m or else they will release stolen data, you might be more inclined to YOLO the 5 mil on the 1% chance they’re an honest hacker if the penalty for the breach is $50bn.

No. This is analogous to cross-frame scripting.

So imagine you go to tiktok.com and you click on a link to bestbuy.com/cool-product-i-want-to-buy. But instead of taking you directly to bestbuy.com/cool-product-i-want-to-buy, it keeps you on tiktok.com and just opens an iframe with a keylogger injected into it.

So then when you enter credit card info into the bestbuy.com UI, the tiktok.com JS can see what you typed.

(This scenario is largely impossible these days, due to modern browser security.)

The difference is that if you witnessed this kind of XFS in your desktop browser, you might notice it because the location bar still says tiktok.com, because you never actually left the site. But in a mobile in-app browser, you don’t need an iframe. You can inject JS directly into the browser itself, making it invisible to the user. As far as you can tell, you’re on regular ol’ bestbuy.com, not a modified version of it.

The ban is a dumb policy, but you’re daft if you think the security implications are at all similar.

TikTok was caught injecting a keylogger into their in-app browser and their response was “Well yeah, but we promise we’re not using it.”

Instantly makes ransomware [edit 2: my brain was being dumb, I didn’t mean literally ransomware, I meant hackers blackmailing companies with the threat of releasing/selling stolen data] far more profitable.

Edit: And heavily discourages self-reporting. There’s a Schneier quote I like: “You can’t defend. You can’t prevent. The only thing you can do is detect and respond.”

First, they sent the missionaries. They built communities, facilities for the common good, and spoke of collaboration and mutual prosperity. They got so many of us to buy into their belief system as a result.

Then, they sent the conquistadors. They took what we had built under their guidance, and claimed we “weren’t using it” and it was rightfully theirs to begin with.

Cory Doctorow says this is the best FTC we’ve had in 40 years, and Lisa Khan is “doing the Lord’s work”. I trust him implicitly on such matters.