X Urges EU to Reject “Chat Control 2.0” Surveillance Law Threatening End-to-End Encryption

X is urging European governments to reject a major surveillance proposal that the company warns would strip EU citizens of core privacy rights.

In a public statement ahead of a key Council vote scheduled for October 14, the platform called on member states to “vigorously oppose measures to normalize surveillance of its citizens,” condemning the proposed regulation as a direct threat to end-to-end encryption and private communication.

The draft legislation, widely referred to as “Chat Control 2.0,” would require providers of messaging and cloud services to scan users’ content, including messages, photos, and links, for signs of child sexual abuse material (CSAM).

Central to the proposal is “client-side scanning” (CSS), a method that inspects content directly on a user’s device before it is encrypted.

X stated plainly that it cannot support any policy that would force the creation of “de facto backdoors for government snooping,” even as it reaffirmed its longstanding commitment to fighting child exploitation.

The company has invested heavily in detection and removal systems, but draws a clear line at measures that dismantle secure encryption for everyone.

Privacy experts, researchers, and technologists across Europe have echoed these warnings.

By mandating that scans occur before encryption is applied, the regulation would effectively neutralize end-to-end encryption, opening private conversations to potential access not only by providers but also by governments and malicious third parties.

The implications reach far beyond targeted investigations. Once CSS is implemented, any digital platform subject to the regulation would be forced to scrutinize every message and file sent by its users.

This approach could also override legal protections enshrined in the EU Charter of Fundamental Rights, specifically Articles 7 and 8, which safeguard privacy and the protection of personal data.

A coalition of scientists issued a public letter warning that detection tools of this kind are technically flawed and unreliable at scale.

High error rates could lead to false accusations against innocent users, while actual abuse material could evade detection.


U.S. Secret Service disrupts telecom network that threatened NYC during U.N. General Assembly

The Secret Service has disrupted a sprawling telecommunications network in the New York tri-state area that investigators say posed a serious potential disruption to New York’s telecom systems and a possible threat to the United Nations General Assembly meetings this week.

In the largest seizure of its kind, the U.S. Secret Service announced Tuesday that the agency found active SIM farms at abandoned apartment buildings located at more than five sites. In total, law enforcement discovered 300 SIM servers – over 100,000 SIM cards – enabling encrypted, anonymous communication and capable of sending 30 million text messages per minute. Officials say the servers were so powerful they could have disabled cell phone towers and launched distributed denial-of-service attacks with the ability to block emergency communications like EMS and police dispatch.

“This network had the potential to disable cell phone towers and essentially shut down the cellular network in New York City,” U.S. Secret Service Special Agent in Charge Matt McCool said in a video released by the agency.

An official briefed on the investigation told reporters that this week, the sophisticated network “could text message the entire country within 12 minutes,” later adding, “This was well organized and well funded.”

Telephonic threats to multiple senior U.S. officials this past spring – including multiple people protected by the Secret Service – first triggered the investigation, but officials say the network was seized within the last three weeks.

“We cannot share which officials were targeted out of concerns for their privacy, but as the forensics investigation continues, we do expect that we will find more targeted officials once we get through that data,” McCool said. 

Early analysis shows the network was used for communication between foreign governments and individuals known to U.S. law enforcement, including members of known organized crime gangs, drug cartels and human trafficking rings, according to multiple officials briefed on the investigation. The U.S. Secret Service says it is combing through the more than 100,000 SIM cards in an ongoing, exhaustive forensic analysis.

“Each SIM basically has the equivalent data of a cell phone. So we’re working through every call, every text, every search made on those SIM cards,” an official told CBS News, adding, “Early analysis indicates that this network was used for communication between foreign governments and individuals that are known to federal law enforcement here in the U.S.”

The equipment was found within 35 miles of the United Nations in New York, ahead of the U.N. General Assembly. Investigators also found 80 grams of cocaine, illegal firearms, plus computers and phones.

“This isn’t a group of people in a basement playing a video game and trying to play a prank,” one official said. “This was well organized and well funded.”


What Is ICE Doing With This Israeli Spyware Firm?

The deployment of Paragon’s Graphite spyware was a major scandal in Italy. Earlier this year, the messaging app WhatsApp revealed that 90 journalists and civil society figures had been targeted by the military-grade surveillance tech, which gives “total access” to a victim’s messages. The Italian government admitted to spying on refugee rights activists, and Paragon cancelled its contract with the government almost immediately after the story broke.

Now the same software may be coming to America—and again with an immigration focus. Last week, the U.S. Department of Homeland Security quietly lifted a stop-work order on a $2 million contract that Immigration and Customs Enforcement (ICE) had with Paragon for a “fully configured proprietary solution including license, hardware, warranty, maintenance, and training.”

The deal was first signed by the Biden administration, and it was frozen in October 2024, less than a week after Wired broke the news of the contract. An administration official later insisted to Wired that, rather than reacting to bad publicity, they were reviewing the contract to comply with President Joe Biden’s order to ensure that commercial spyware use by the U.S. government “does not undermine democracy, civil rights and civil liberties.”

The details of that review—or even the contract itself—were never publicly disclosed. But the results are clear: ICE now has a green light to use whatever software Paragon was offering. (Neither Paragon nor ICE responded to requests for comment from The Guardian.)

The Citizen Lab at the University of Toronto, dedicated to researching electronic surveillance, found that Graphite targeted users through a “zero-click exploit.” By adding someone to a WhatsApp group in a certain way, Graphite can force their phones to read an infected PDF file without the user’s input. In other words, a cyberattack can be disguised as a spam text—and works even if victims ignore it.

After discovering the vulnerability with the Citizen Lab’s help, WhatsApp said in a statement that it was “constantly working to stay ahead of threats” and “build new layers of protection into WhatsApp.”

Paragon was co-founded by Ehud Barak, a former Israeli prime minister and general in charge of military intelligence, and Ehud Schneorson, a former head of Unit 8200, the Israeli equivalent of the National Security Agency. Last year, an American private equity firm bought Paragon for $500 million with the intention of merging it into RED Lattice, a firm connected to former U.S. intelligence officials. Paragon has positioned itself as a more ethical alternative to NSO Group, a spyware company similarly run by Unit 8200 veterans.

In 2021, NSO Group suffered a series of scandals after it was revealed that its Pegasus spyware was sold to police states around the world and was possibly used to spy on journalists who were murdered. NSO Group accused the media of running a “vicious and slanderous campaign” and promised to “thoroughly investigate any credible proof of misuse.” The Biden administration hit NSO Group with economic sanctions in response.

Around the time that the Pegasus scandal was breaking, a Paragon executive boasted to Forbes that their company would only deal with customers who “abide by international norms and respect fundamental rights and freedoms.”


Mullvad Introduces QUIC-Based WireGuard Obfuscation to Bypass Censorship and VPN Blocks

Mullvad has begun rolling out a new feature that hides WireGuard connections inside QUIC traffic, a technique designed to help users slip past aggressive censorship systems.

By making VPN traffic look more like ordinary encrypted browsing, the update gives people in tightly controlled regions, including Russia and China, a better chance of maintaining stable access to the internet.

It also helps with accessing websites that are increasingly trying to ban VPNs.

The addition comes as Mullvad prepares to move away from OpenVPN, which it will no longer support starting January 2026.

With that change on the horizon, the company is putting its weight behind WireGuard while also making sure it remains usable in countries where standard WireGuard connections are heavily throttled or blocked.

QUIC itself is not new. Originally created by Google and now the backbone of HTTP/3, the protocol is prized for its speed, ability to handle multiple streams of data at once, and resilience against network issues.

Services like YouTube already rely on it, making QUIC traffic extremely common. Mullvad takes advantage of that by wrapping WireGuard’s UDP packets inside QUIC, effectively disguising VPN usage as something indistinguishable from normal web activity.

To make this possible, Mullvad has turned to MASQUE, a standard that allows UDP traffic to be tunneled through HTTP/3 connections.

The result is traffic that appears identical to everyday browsing, far harder for censors to single out and shut down.

The feature is included in Mullvad’s desktop apps for Windows and macOS beginning with version 2025.9.

Users can activate it in the VPN settings, though if multiple connection attempts fail, the client will automatically switch over to QUIC on its own. Support for Android and iOS devices is also planned.

Different VPN companies are taking different routes to achieve similar goals. Proton VPN relies on its Stealth protocol, which disguises WireGuard traffic inside TLS.


JD Vance Stops UK Apple Backdoor Order Threatening Americans’ Privacy

Vice President J.D. Vance played a decisive role in persuading the United Kingdom to drop its demand that Apple provide the government with a “backdoor” into personal user data, according to U.S. officials.

The negotiations followed months of quiet but direct engagement between American and British leaders on the matter, as reported by Fox News.

A U.S. official told Fox News Digital that Vance was “in charge and was personally involved in negotiating a deal, including having direct conversations with the British government.”

The official said Vance worked with U.K. partners to negotiate “a mutually beneficial understanding” that led the British government to withdraw the order.

The agreement, the official added, ensures “each country’s sovereignty while maintaining close cooperation on data sharing.”

The vice president’s background in technology, along with his stated commitment to privacy rights and the U.S.-U.K. alliance, shaped his involvement.


Civil liberties group opposes Garda access to messages

Plans to force encrypted messaging apps like WhatsApp and Signal to give Gardaí access to private conversations would “profoundly undermine” digital security, the Irish Council for Civil Liberties (ICCL) has said.

In a statement issued this week, the group said cybersecurity experts were unanimous that so-called “backdoors” for law enforcement could not be created without also leaving users vulnerable to hackers and malicious actors.

“It is impossible to create ‘backdoor’ access pathways for law enforcement that can’t also be exploited,” the organisation said.

The ICCL added that encryption protects not only personal conversations but also online banking, shopping and wider digital activity.

“We all rely on encryption to safeguard our sensitive personal data when browsing, communicating or doing business online,” it said.

“Forcing companies to break their own encryption would profoundly undermine our digital security, as well as our fundamental rights to privacy and data protection.”

The council cited the position of the United Nations and the European Court of Human Rights in opposing laws that compromise encryption. It also highlighted the recent example of the UK government withdrawing a demand for Apple to install a backdoor into its cloud services, after the company refused.

“Apple stated it had never built – and never would build – backdoor access into any of its encrypted products,” the ICCL noted.

“Instead, Apple disabled its advanced data protection service in the UK and challenged the order in court.”

The group urged Justice Minister Jim O’Callaghan to reconsider his planned legislation, describing the proposals as “neither proportionate nor technically sound.”

It called for “transparent consultation with cybersecurity experts, civil society and technologists before proposing any legislation that could irreversibly damage digital privacy and cybersecurity.”

Last month, O’Callaghan told an audience that Gardaí must have powers to intercept modern communications.

“None of us would like to imagine living in a surveillance State,” he said.


Ireland’s Dangerous War on Encryption

The Irish government’s proposed Communications (Interception and Lawful Access) Bill would significantly expand the state’s ability to monitor digital communications, thereby striking at the very foundation of end-to-end encryption. 

This form of encryption, used by services like WhatsApp, iMessage, and Signal, ensures that only the sender and the recipient can access the content of a message. Under the new bill, Gardaí, the Defence Forces, and the Garda Ombudsman would be allowed to intercept private messages in real time. Achieving this would require altering or bypassing encryption entirely.

Such a measure would introduce a permanent vulnerability into digital infrastructure. Once a system is designed to allow access for one party, others can and will exploit it. 

Backdoors do not stay private. They create a single point of failure that can be used by cybercriminals, hostile foreign governments, or commercial spyware operations. 

The government claims that oversight and warrant requirements will ensure the powers are used responsibly. However, no legal safeguard can address the underlying technical risk created by breaking encryption. 

The presence of a backdoor makes every message on a platform more exposed, whether or not it is the target of surveillance. Encryption cannot be selectively weakened. Any interference compromises the security of the system for all users.

Major technology companies have already taken strong positions against laws that would force them to degrade encryption. 

Apple recently removed some of its data protection features from the UK rather than comply with legislation that would have weakened user privacy. 


Austria Approves Spyware Law to Infiltrate Encrypted Messaging Platforms

Austria is moving forward with legislation that would authorize law enforcement to infiltrate encrypted communications, marking a pivotal shift in the country’s surveillance powers and stirring a fierce debate over digital privacy.

The federal cabinet’s approval of the plan comes after months of negotiations, with proponents citing national security needs and opponents warning of expansive overreach.

The proposed law targets messaging platforms widely used for private communication, including WhatsApp, Signal, and Telegram.

It introduces the use of spyware, formally known as source TKÜ, which would allow authorities to bypass encryption and monitor conversations directly on suspects’ devices. The change represents a major escalation in surveillance capabilities for a country that has traditionally lagged behind its European counterparts in digital interception laws.

Backers of the measure, such as Social Democrat Jörg Leichtfried, who oversees the Directorate for State Security and Intelligence (DSN), framed the move as a preventative strategy. “The aim is to make people planning terrorist attacks in Austria feel less secure; and increase everyone else’s sense of security.”

Leichtfried called the cabinet’s approval an “important milestone.”

Austria’s domestic intelligence services have until now been dependent on international partners, including the UK and the US, to provide warnings of potential threats.


Florida Rejects Controversial Encryption Backdoor Bill

Legislators in the US state of Florida have shot down a bid to introduce a law that would have mandated encryption backdoors.

The bill, known as SB 868: Social Media Use by Minors, would have mandated backdoors that weaken encryption in a fundamental way, affecting all platforms where minors might choose to open an account.

As the fear-mongering campaign against encryption is reiterated over and over again, it’s worth repeating: there is no known way of undermining encryption for any one category of users without leaving the entire internet open and at the mercy of anyone from government spies to plain criminals.

And that affects both people’s communications and transactions.

Not to mention that while such radical proposals are framed as necessary for an equally large declared goal, the safety of youth online, in reality shattering encryption negatively affects young people and everyone else.

If anything, it would make everyone online less secure, and, by the nature of the world, young people more so than others.

And so, Florida’s Senate announced that SB 868 is now “indefinitely postponed and withdrawn from consideration.”

The idea behind the proposal was to allow law enforcement access to communications on a social platform – by forcing a company to build in backdoors any time law enforcement came up either with a warrant – or merely a subpoena.


Florida’s New Social Media Bill Says the Quiet Part Out Loud and Demands an Encryption Backdoor

At least Florida’s SB 868/HB 743, “Social Media Use By Minors” bill isn’t beating around the bush when it states that it would require “social media platforms to provide a mechanism to decrypt end-to-end encryption when law enforcement obtains a subpoena.” Usually these sorts of sweeping mandates are hidden behind smoke and mirrors, but this time it’s out in the open: Florida wants a backdoor into any end-to-end encrypted social media platforms that allow accounts for minors. This would likely lead to companies not offering end-to-end encryption to minors at all, making them less safe online.

Encryption is the best tool we have to protect our communication online. It’s just as important for young people as it is for everyone else, and the idea that Florida can “protect” minors by making them less safe is dangerous and dumb.

The bill is not only privacy-invasive, it’s also asking for the impossible. As breaches like Salt Typhoon demonstrate, you cannot provide a backdoor for just the “good guys,” and you certainly cannot do so for just a subset of users under a specific age. After all, minors are likely speaking to their parents and other family members and friends, and they deserve the same sorts of privacy for those conversations as anyone else. Whether social media companies provide “a mechanism to decrypt end-to-end encryption” or choose not to provide end-to-end encryption to minors at all, there’s no way that doesn’t harm the privacy of everyone.

If this all sounds familiar, that’s because we saw a similar attempt from an Attorney General in Nevada last year. Then, like now, the reasoning is that law enforcement needs access to these messages during criminal investigations. But this doesn’t hold true in practice.

In our amicus brief in Nevada, we point out that there are solid arguments that “content oblivious” investigation methods—like user reporting—are “considered more useful than monitoring the contents of users’ communications when it comes to detecting nearly every kind of online abuse.” That remains just as true in Florida today.

Law enforcement can and does already conduct plenty of investigations involving encrypted messages, and even with end-to-end encryption, law enforcement can potentially access the contents of most messages on the sender or receiver’s devices, particularly when they have access to the physical device. The bill also includes measures prohibiting minors from accessing any sort of ephemeral messaging features, like view-once options or disappearing messages. But even with those features, users can still report messages or save them. Targeting specific features does nothing to protect the security of minors, but it would potentially harm the privacy of everyone.
