It has been, to be quite honest, a fairly bad week, as far as weeks go. But despite the sustained downbeat news, a few good things managed to happen as well. So we'll start with those.

California has passed the strongest digital privacy law in the United States, for starters, which as of 2020 will give customers the right to know what data companies use, and to disallow those companies from selling it. It's just the latest in a string of uncommonly good bits of privacy news, which included last week's landmark Supreme Court decision in Carpenter v. US. That ruling will require law enforcement to get a warrant before accessing cell tower location data. And at the beginning of the week, the Wi-Fi Alliance detailed the full specifications of the WPA3 security standard that's going to make the next generation of Wi-Fi much, much safer to use.

And then there's the bad news. A marketing firm called Exactis left as many as 340 million personal information records sitting on the open internet for anyone to find. Anthony Kennedy announced that he'll retire from the Supreme Court, an absence that will have ramifications for privacy and technology. The next arms race is going to happen in space, which will be less fun than it sounds. And Congress wants to talk with Cambridge Analytica alum Matt Oczkowski about whether his new firm, Data Propria, will just repeat the same indiscretions as is former employer.

But wait, there's more! As always, we’ve rounded up all the news we didn’t break or cover in depth this week. Click on the headlines to read the full stories. And stay safe out there.

The Intercept this week published the locations of eight AT&T buildings that it says also serve as surveillance hubs for the National Security Agency. By piecing together public documents, classified files, and interviews, the outlet identified these networking equipment centers in Seattle, San Francisco, Los Angeles, Chicago, Dallas, New York, DC, and Atlanta. These locations are significant in that they route traffic not just from AT&T customers but from other internet backbone providers who have so-called peering agreements with the telecom giant. The facilities don't exist specifically for the NSA; they simply offer the most bang for the buck in terms of watching data pass through. There's nothing necessarily illegal about the arrangement, but the NSA is prohibited from spying on communications between two US citizens—a lot of which presumably travels through these eight sites.

And you thought Cambridge Analytica got to have all the fun! This week, security researcher Inti De Ceukelaire outlined his discovery that a popular Facebook app called NameTests showed personal data in JavaScript file. Any third party could have accessed it. Facebook paid out $8,000 to the charity of De Ceukelaire's choice as part of a bug bounty, but that doesn't go very far toward helping the 120 million people—yep, 120 million—who had their data potentially exposed.

Texas State University's Advanced Law Enforcement Rapid Response Training has a pretty self-explanatory mission. It also, reports ZDNet, exposed a database containing the personal information of thousands of officials who have gone through its program since April 2017. The database includes contact information like home addresses and phone numbers. Several email messages were also left vulnerable, including some that detailed lack of law enforcement resources in certain communities—information that could be used by criminals looking to take advantage of soft spots.

Ross Ulbricht, who went by the moniker Dread Pirate Roberts when operating the notorious dark web bazaar the Silk Road, is officially out of appeals. Ulbricht had asked the Supreme Court to reconsider his life sentence; they declined. Ulbricht had previously lost an appeal in 2017, after his initial sentencing in 2015.

More Great WIRED Stories