Key developments
Pronto home-recording pilot sparks consent backlash
Inc42's Shrishti Bisht reported that Pronto drew backlash after reports and investor materials said it was exploring in-home video capture during household chores to generate training data for physical AI and robotics systems in India. Pronto said the pilot is strictly opt-in at booking, fewer than 0.01% of users are enrolled, anonymized footage is shown in-app for 48 hours, and the files are deleted from servers after 48 hours. The story also says Snabbit and Urban Company denied recording inside customer homes, while MeitY is examining surveillance, consent and DPDP Act concerns.
Why it matters
It could shape how India treats household video as AI training data and what counts as valid consent in private spaces.
Sources & driving stories
INC42 · Shrishti Bisht
Inc42 coverageFIRSTPOST · Firstpost Videos Desk
Firstpost coveragePowerSchool settlement resolves student tracking claims
M-A Chronicle reported that a settlement tied to PowerSchool's Naviance platform covers students whose accounts were accessed between Aug. 18, 2021 and Jan. 23, 2026. The Chicago complaint filed in August 2023 alleged Naviance embedded Heap to record keystrokes, clicks, mouse movements and counselor messages, then sent them to Google, Microsoft and Hotjar without student, parent or district consent. PowerSchool denied the allegations; the settlement calls for $17.25 million in damages and a final approval hearing on Aug. 19, 2026, with Heap, Google, Microsoft and Hotjar agreeing to delete stored student data.
Why it matters
It shows how edtech analytics can create privacy exposure even without a traditional breach.
Sources & driving stories
M-A CHRONICLE
M-A Chronicle coverageFBI warns of Kali365 device-code phishing
BleepingComputer's Lawrence Abrams reported that the FBI is warning about Kali365, a phishing-as-a-service platform that first appeared in April 2026 and is marketed through Telegram. Kali365 uses OAuth device-code phishing to trick victims into authorizing attacker-generated codes, which lets criminals capture session tokens, bypass MFA and take over Microsoft 365 and Entra accounts. The FBI says the service includes AI-generated phishing lures, automated campaign templates, victim dashboards and token-capture tools, and recommends blocking device-code authentication where possible.
Why it matters
It turns a legitimate login flow into a turnkey account-hijacking path that can expose mailboxes and SaaS data.
Sources & driving stories
BLEEPINGCOMPUTER · Lawrence Abrams
BleepingComputer coverageWorth noting
WORTH NOTING
Google Assistant settlement claim window opens
USA TODAY's roundup says a $68 million Google Assistant privacy settlement covers users whose devices allegedly recorded audio after accidental false accepts, with claims due Aug. 27, 2026.
WORTH NOTING
MemberSource CU exposes unencrypted files
CUToday.info reports that a breach affected 22,308 Texas residents and exposed names, Social Security numbers, ID numbers and financial account information, with filings to state regulators.
Still unclear
OPEN QUESTION
Can 48-hour deletion hold up?
Pronto's retention promise may be hard to reconcile with annotation, curation and downstream model training needs.
OPEN QUESTION
Will admins block device-code login?
Kali365 shows a legitimate Microsoft sign-in flow can be abused to bypass MFA, pushing defenses toward access-policy changes.