Getty Images and Shutterstock are joining forces in a merger valued at around $3.7 billion, the companies announced on Tuesday. The merger will allow the companies to expand their stock photo libraries as they face increasing competition from AI-powered image creation tools.

Getty Images CEO Craig Peters will remain the head of the combined companies when the merger closes, while a reworked board of directors will consist of members from both Getty Images and Shutterstock, including Shutterstock CEO Paul Hennessy. In the press release, Peters said the merger will bolster the companies by “enhancing our content offerings, expanding event coverage, and delivering new technologies to better serve our customers.”

Shutterstock will remain a separate website following the merger, Getty Images spokesperson Anne Flanagan confirmed to The Verge.

The merger comes amid the rise of text-to-image AI tools from companies like OpenAI, Google, Microsoft, and Adobe. In 2023, Getty Images responded to the trend by launching an image generator trained on its vast library of licensed photos. It rolled out a similar tool on iStock, which Getty also owns, and partnered with online image editor Picsart to create a “responsible, commercially-safe” AI image generator.

Meanwhile, Shutterstock struck an AI training deal with OpenAI, and has agreements with Meta, Google, and Amazon, according to Reuters.

The decision to combine two stock photo powerhouses may also spur antitrust scrutiny, but it’s unclear how a more merger-friendly Trump administration will respond.

Asus’ new featherweight laptop is aiming to be the latest Windows rival to the Apple MacBook Air. The Asus Zenbook A14 is a new thin and light productivity machine announced at CES 2025 sporting a Qualcomm Snapdragon X processor for a claimed battery life of up to 32 hours and a weight of just 2.18 pounds — just over half a pound lighter than the current M3 MacBook Air. The A14’s ultralight magnesium alloy chassis is decked out in Asus’ “Ceraluminum” ceramic coating to keep its weight down and give the laptop a matte, stone-like finish.

Asus is undercutting Apple’s M3 Air in price as well as weight. The Zenbook A14 with a new base-model eight-core Snapdragon X will start at $1,099.99 in gray when it launches in mid-January with 32GB of RAM, 1TB SSD, and a 14-inch OLED display capable of 1920 x 1200 resolution running at 60Hz with 600 nits of peak brightness. Later in March, Asus will launch an even cheaper $899.99 model in beige that’s a little heavier at 2.4 pounds, with a slightly higher-end eight-core Snapdragon X Plus chip but only 16GB of RAM and 512GB of storage — exclusively sold at Best Buy.

The A14 has a 70Wh battery, compared to the smaller 52.6Wh cell in the MacBook Air. And it offers a decent selection of ports, with two USB 4 Type-C for charging / data, one USB-A 3.2 Gen 2, a 3.5mm combo headphone / mic jack, and a full-size HDMI 2.1 port. The A14 can connect to up to three external monitors with its lid open, compared to the M3 MacBook Air’s two monitors while its lid is closed (though, keep in mind, one of those monitors will have to provide power to the Zenbook over USB-C).

It all sounds pretty compelling on paper, but while Windows on Arm proved its competence in 2024 through Snapdragon X’s balance of performance and battery life, there can still be compatibility headaches in some unsupported apps and games. And frankly, while our benchmarks of Snapdragon X Plus and X Elite processors were competitive in some ways with Apple’s M3 MacBook Air, I’m skeptical a new lower-end version can really hang against it — let alone an anticipated M4 model.

I had a very brief moment to get my hands on the Zenbook A14 at an early preview event in December, and I can attest to how surprisingly light Asus’ new laptop is. You can pick it up from a corner with just two or three fingers with ease, but it doesn’t feel flimsy or cheap. The matte finish and sad beige aesthetic may not be to everyone’s liking, and I wager most people might think a MacBook Air’s exposed aluminum feels fancier, but Asus put some of its build quality where it counts. For example, the A14’s hinge can be opened with just one finger, while far too many Windows laptops out there require both hands to pry open their lids.

There have been plenty of claimed “MacBook killers” and past Windows laptops aiming for Apple’s crown as the go-to pick for the average user, but few stack up as the complete packages like those offered by Apple. Maybe pairing a Snapdragon X’s excellent battery life with some nice extras like OLED screens and solid build at affordable-ish prices might bring something special to the table — though we’ll have to see about performance.

Photography by Antonio G. Di Benedetto / The Verge

Hackers claim to have compromised Gravy Analytics, the parent company of Venntel which has sold masses of smartphone location data to the U.S. government.  The hackers said they have stolen a massive amount of data, including customer lists, information on the broader industry, and even location data harvested from smartphones which show peoples’ precise movements, and they are threatening to publish the data publicly.

The news is a crystalizing moment for the location data industry. For years, companies have harvested location information from smartphones, either through ordinary apps or the advertising ecosystem, and then built products based on that data or sold it to others. In many cases, those customers include the U.S. government, with arms of the military, DHS, the IRS, and FBI using it for various purposes. But collecting that data presents an attractive target to hackers.

“A location data broker like Gravy Analytics getting hacked is the nightmare scenario all privacy advocates have feared and warned about. The potential harms for individuals is haunting, and if all the bulk location data of Americans ends up being sold on underground markets, this will create countless deanonymization risks and tracking concerns for high risk individuals and organizations,” Zach Edwards, senior threat analyst at cybersecurity firm Silent Push, and who has followed the location data industry closely, told 404 Media. “This may be the first major breach of a bulk location data provider, but it won't be the last.”

In a message posted to two Gravy websites, the hackers wrote that “Personal data of millions users is affected,” according to screenshots posted on Russian cybercrime forum XSS. The forum is typically not publicly accessible but a source with access provided 404 Media with the screenshots and sample data posted by the hackers. “Company have 24h to answer or we will start to publish data,” the message continues.

The samples of data posted by the hackers include the apparent historical location of smartphones. The files contain precise latitude and longitude coordinates of the phone, and the time at which the phone was there. Some screenshots indicate what country the data has been collected from. One alphabetically ordered list mentions Mexico, Morocco, Netherlands, North Korea, Pakistan, and “Palestinian State (proposed).” That is only a snapshot of where Gravy sourced data from; one file includes location data relating to phones in Russia, and U.S. agencies have previously used such data as part of immigration operations on the country's border. (Gravy provides some of its data to subsidiary Venntel, which then works directly with those and other agencies).

Another screenshot shows classifiers that Gravy has added to collected data, such as “LIKELY_DRIVING.”

A file called “users” included in a sample of data posted by the hackers includes multiple well known companies such as Gannett, Uber, Comcast, Apple, LexisNexis, Equifax, and many more. It also specifically mentions Babel Street, which is another U.S. government contractor. This corroborates 404 Media’s earlier reporting on where Babel Street sourced its location data from, at least in part. 404 Media and a group of other outlets previously showed how Babel Street’s Locate X tool can be used to track visitors to out-of-state abortion clinics.

Demonstrating the depth of the alleged compromise, other screenshots posted by the hackers indicate access into Gravy’s infrastructure, including root access on a Gravy-associated Ubuntu server, control over Gravy’s domains, and access to Amazon S3 buckets which are often used to store massive amounts of data. In another posted message, the hackers claimed to have access since 2018.

At the time of writing, Gravy’s website is down. Usually that website redirects to Unacast, which acquired Gravy in 2023. Unacast executives did not respond to multiple requests for comment.

“For years, this data has been sold to corporate and government interests but it's never been widely available to all the threat actors targeting Western users. This type of data has been used to track visits to abortion clinics, sensitive government locations, and locations which could identify sensitive protected qualities of people like their sexual orientation,” Edwards continued. “This data could tell a threat actor where you take your kids to school, where you work, and where you spend leisure time. It's long overdue for Congress to pass a comprehensive federal privacy bill that puts safeguards on the collection of this type of sensitive data.”

In December, the FTC announced sweeping action against Gravy and Venntel, saying in a proposed order they will be banned from selling, disclosing, or using sensitive location data, except in “limited circumstances” involving national security or law enforcement. The FTC also demanded the companies delete all historic location data. The agency alleged that Gravy and Venntel violated the FTC Act by “unfairly selling sensitive consumer location data, and by collecting and using consumers’ location data without obtaining verifiable user consent for commercial and government uses.”

This piece has been updated to include a paragraph about the FTC's recent actions against Gravy and Venntel.

Meta’s HR team is deleting internal employee criticism of new board member, UFC president and CEO Dana White, at the same time that CEO Mark Zuckerberg announced to the world that Meta will “get back to our roots around free expression,” 404 Media has learned. Some employee posts questioning why criticism of White is being deleted are also being deleted. 

Monday, Zuckerberg made a post on a platform for Meta employees called Workplace announcing that Meta is adding Dana White, John Elkann, and Charlie Songhurst to the company’s board of directors (Zuckerberg’s post on Workplace was identical to his public announcement). Employee response to this was mixed, according to screenshots of the thread obtained by 404 Media. Some posted positive or joking comments: “Major W,” one employee posted. “We hire Connor [McGregor] next for after work sparring?,” another said. “Joe Rogan may be next,” a third said. A fourth simply said “LOL.”

But other employees criticized the decision and raised the point that there is video of White slapping his wife in a nightclub; White was not arrested and was not suspended from UFC for the domestic violence incident. McGregor, one of the most famous UFC fighters of all time, was held liable for sexual assault and was ordered by a civil court to pay $260,000 to a woman who accused him of raping her in 2018. McGregor is appealing the decision. 

“Kind of disheartening to see people in the comments celebrating a man who is on video assaulting his wife and another who was recently convicted of rape,” one employee commented, referring to White and McGregor. “I can kind of excuse individuals for being unaware, but Meta surely did their due diligence on White and concluded that what he did is fine. I feel like I’m on another planet,” another employee commented. “We have completely lost the plot,” a third said. 

Several posts critical of White were deleted by Meta’s “Internal Community Relations team” as violating a set of rules called the “Community Engagement Expectations,” which govern internal employee communications. In the thread, the Internal Community Relations team member explained why they were deleting content: “I’m posting a comment here with a reminder about the CEE, as multiple comments have been flagged by the community for review. It’s important that we maintain a respectful work environment where people can do their best work. We need to keep in mind that the CEE applies to how we communicate with and about members of our community—including members of our Board. Insulting, criticizing, or antagonizing our colleagues or Board members is not aligned with the CEE.” In 2022, Meta banned employees from discussing “very disruptive” topics.

One employee posted “Why do critical comments of this announcement keep getting deleted?” 

“LOL my comment got CEE’d too. Good stuff,” a second posted. A third said “I think it’s particularly fascinating that none of the comments I have seen disappear contained any specifically prohibited content under the CEE and must have fallen under ‘disruptive content’ - and if any criticism of company decisions falls under the ‘disruptive content’ bucket, the future of the company is looking bleak.” 

Tracy Clayton, a Meta spokesperson, told 404 Media that no changes to the CEE have been made and stressed that some criticism has been left up. “There are also several comments that have expressed criticism that didn’t violate the CEE that remain up,” Clayton said. “Our CEE is very nuanced and it’s not a one-size-fits-all.”

The hypersensitive moderation of employees internally criticizing major public figures is particularly notable given that Tuesday morning, Mark Zuckerberg announced that Meta would get rid of many of its content moderation rules on its platforms. “It’s time to get back to our roots around free expression and giving people voice on our platforms. Here’s what we’re going to do,” Zuckerberg posted. “Replace fact-checkers with Community Notes, starting in the US. Simplify our content policies and remove restrictions on topics like immigration and gender that are out of touch with mainstream discourse.” Joel Kaplan, Meta’s new President of Global Affairs and the former Republican political operative who served in the George W. Bush administration, posted about the changes internally on Workplace, saying the policies were intended to foster “more speech and fewer mistakes.” 

One employee brought up this apparent disparity: “Given Zuck’s message this morning on decreasing content moderation on our platforms, is that also going to apply internally?” 

The rules for employees, the internal content moderator responded, are different than the rules for the public: “The CEE, which is focused on mitigating the potential for disruption and allowing us the space to work, ensuring a respectful work environment, and protecting company information, is different from our external content policies.”

“Curious to know if we can expect a similar shift to ‘more speech’ in internal Workplace posts/groups,” another employee asked. “CEE is quite chilling,” another said. “Basically any large scope critical post I make gets at least one message from ICR [Internal Community Relations].”

In a comment that has not yet been deleted, an employee posted “since my other comment was taken down, I’m just gonna let everyone know that I for one love my wife and daughter, and to top it off I also respect other people.”

“Our CEE has nothing to do with the announcements made today, internal and external moderation are separate, and I’ll repeat that it would be inaccurate to report that we’re loosening restrictions externally, while tightening internally,” Tracy Clayton, a Meta spokesperson, told 404 Media. “It’s important to note here that these comments were as you see there ‘flagged by the community for review.’ Further background our CEE is designed to help minimize disruption, so employees can focus and remain productive.”

Some Motorola automated license plate reader surveillance cameras are live-streaming video and car data to the unsecured internet where anyone can watch and scrape them, a security researcher has found. In a proof-of-concept, a privacy advocate then developed a tool that automatically scans the exposed footage for license plates, and dumps that information into a spreadsheet, allowing someone to track the movements of others in real time.

Matt Brown of Brown Fine Security made a series of YouTube videos showing vulnerabilities in a Motorola Reaper HD ALPR that he bought on eBay. As we have reported previously, these ALPRs are deployed all over the United States by cities and police departments. Brown initially found that it is possible to view the video and data that these cameras are collecting if you join the private networks that they are operating on. But then he found that many of them are misconfigured to stream to the open internet rather than a private network.

“My initial videos were showing that if you’re on the same network, you can access the video stream without authentication,” Brown told 404 Media in a video chat. “But then I asked the question: What if somebody misconfigured this and instead of it being on a private network, some of these found their way onto the public internet?” 

In his most recent video, Brown shows that many of these cameras are indeed misconfigured to stream both video as well as the data they are collecting to the open internet and whose IP addresses can be found using the Internet of Things search engine Censys. The streams can be watched without any sort of login.

In many cases, they are streaming color video as well as infrared black-and-white video of the streets they are surveilling, and are broadcasting that data, including license plate information, onto the internet in real time. 

Will Freeman, the creator of DeFlock, an open-source map of ALPRs in the United States, said that people in the DeFlock community have found many ALPRs that are streaming to the open internet. Freeman built a proof of concept script that takes data from unencrypted Motorola ALPR streams, decodes that data, and adds timestamped information about specific car movements into a spreadsheet. A spreadsheet he sent me shows a car’s make, model, color, and license plate number associated with the specific time that they drove past an unencrypted ALPR near Chicago. So far, roughly 170 unencrypted ALPR streams have been found.

“Let’s say 10 of them are in a city at strategic locations. If you connect to all 10 of them, you’d be able to track regular movements of people,” Freeman said. 

Freeman told 404 Media that this fact is more evidence that the proliferation of ALPRs around the United States and the world represents a significant privacy risk, and Freeman has been a strong advocate against the widespread adoption of ALPRs. 

“I’ve always thought these things were concerning, but this just goes to show that law enforcement agencies and the companies that provide ALPRs are no different than any other data company and can’t be trusted with this information,” Freeman told 404 Media. “So when a police department says there’s nothing to worry about unless you’re a criminal, there definitely is. Here’s evidence of a ton of cameras operated by law enforcement freely streaming sensitive data they’re collecting on us. My hometown is mostly Motorola [ALPRs], so someone could simply write a script that maps vehicles to times and precise locations.”

A Motorola Solutions spokesperson told 404 Media that the company is working on a firmware update that “will introduce additional security hardening.”

“Motorola Solutions designs, develops and deploys our products to prioritize data security and protect the confidentiality, integrity and availability of data,” the spokesperson said. “The ReaperHD camera is a legacy device, sales of which were discontinued in June 2022. Findings in the recent YouTube videos do not pose a risk to customers using their devices in accordance with our recommended configurations. Some customer-modified network configurations potentially exposed certain IP addresses. We are working directly with these customers to restore their system configurations consistent with our recommendations and industry best practices. Our next firmware update will introduce additional security hardening.”

This is not the first time that ALPRs have been found to be streaming directly to the unsecured internet. In 2015, the Electronic Frontier Foundation and researchers at the University of Arizona found hundreds of exposed ALPR streams. In 2019, an ALPR vendor for the Department of Homeland Security was hacked and license plates and images of travelers were leaked onto the dark web. Last year, the U.S. government’s Cybersecurity and Infrastructure Security Agency put out a warning saying that Motorola’s Vigilant ALPR cameras were remotely exploitable. 

Brown said that, although not all Motorola ALPRs are streaming to the internet, the security problems he found are deeply concerning and it’s not likely that ALPR security is something that’s going to suddenly be fixed.

“Let’s say the police or Motorola were like ‘Oh crap, we shouldn’t have put those on the public internet.’ They can clean that up,” he said. “But you still have a super vulnerable device that if you gain access to their network you can see the data. When you deploy the technology into the field, attacks always get easier, they don’t get harder.”