The KIDS Act: A Bipartisan Mass Surveillance Megabill

Just weeks after Americans criticized the United Kingdom for imposing intrusive and heavy-handed social media rules, Congress is now advancing legislation that raises strikingly similar concerns about government overreach, privacy erosion, and the expansion of online surveillance.

A bipartisan agreement on children’s online safety legislation unveiled by House Energy and Commerce Committee leaders would impose new obligations on social media platforms, while creating powerful incentives for companies to end online anonymity.

The proposal is part of the Kids Internet and Digital Safety Act (KIDS Act), an omnibus package that bundles together multiple bills, including the Kids Online Safety Act (KOSA), the SCREEN Act, the SAFE BOTs Act, COPPA 2.0, the SPY Kids Act, and more, as well as data broker provisions and research and education initiatives.

We obtained a copy of the bill for you here.

Committee Chairman Brett Guthrie and ranking Democrat Frank Pallone announced Monday that they had reached agreement on the legislation, which would require social media companies to provide additional safeguards and parental tools for minors. The lawmakers said it would “hold Big Tech accountable.”

“We worked across the aisle for many months and have now found common ground on policies to significantly improve the digital environment for kids,” Guthrie and Pallone said in a joint statement.

As always, under that framing lies a familiar and deeply controversial approach: imposing broad obligations on platforms that hinge on whether companies know a user is a minor, without clearly defining how that knowledge is supposed to be obtained.

Congress has tried for years to set national rules for social media and youth safety. Those efforts have repeatedly stalled, in part because of unresolved tensions between child protection goals and fundamental privacy rights. In the absence of federal action, states have moved ahead with their own laws, often pushing even more aggressive requirements.

One of the main disputes appears to have been resolved in favor of House Republicans. According to a committee spokesperson, the agreement does not include a “duty of care” provision, a requirement backed by many child-safety advocates and several Senate lawmakers.

The bill text states that nothing in it may be construed to “impose a duty of care on a provider of a covered platform.”

FCC Wants to Kill Burner Phones By Forcing Telecoms to Get All Customers’ IDs

The Federal Communications Commission (FCC) wants to make it effectively impossible for people to buy what many call burner phones—a phone not explicitly linked to your identity at the point of purchase—which would impact privacy-conscious people, domestic abuse survivors, journalists, and many more. The FCC plans to do this by legally forcing the country’s telecoms to store a wealth of personal information about essentially all phone customers, including a government issued identification number and their physical address, alarming privacy advocates and civil rights activists who compare the measures to those from authoritarian countries where it can be difficult to buy a mobile phone plan without giving up your identity.

The proposed change would drastically shake up how people obtain phone plans in the U.S., and have all sorts of privacy and cybersecurity knock-on effects. The FCC is proposing the data collection partly as a way to combat scammers, with telecoms being required to collect other information on business and foreign customers like the intended use case of their bulk phone plan purchase and their IP address. But the changes would mean telecoms collect data on all new and renewing customers, and the FCC provides a long list of other things that the collected data could help authorities with.

“For decades, civil libertarians have looked overseas at authoritarian countries where the government requires people to register to get a mobile phone to ensure they can be tracked. We never thought that would happen here,” Jay Stanley, senior policy analyst at the American Civil Liberties Union’s (ACLU) Speech, Privacy, and Technology Project told 404 Media in an email. “But make no mistake: with this rulemaking, the government is contemplating taking away people’s ability to get a burner phone, which will hurt low-income people, domestic violence victims, and anyone else who cares about their privacy.”

In a synopsis of the proposed changes, the FCC writes, “Specifically, we seek comment on requiring originating providers to, at a minimum, obtain and retain the name, physical address, government issued identification number, and an alternate telephone number of any new and renewing customer before granting access to its services.” The goal of collecting this data, the FCC writes, is to deter some scammers from getting onto a telecom network in the first place, and so “enforcers will be better able to identify the scammers when they do.” The FCC compares the changes to the sort of data collected by banks to prevent money laundering.

One section stresses that the newly collected data would help “law enforcement to more easily identify callers that use the network to perpetuate crimes by ensuring that voice providers have accurate and complete customer information.” It goes on to ask if the data would help identify people buying and selling illicit goods; the investigation of “fraud, espionage, or influence operations that undermine national security”, and “address abuse in text messaging networks.”

“Criminals continue to leverage the anonymity provided by phone calls and texts to defraud Americans and exploit communications networks to further other crimes,” one section reads.

At the moment, the FCC is seeking comments about its proposed changes, with interested or concerned parties—think telecom companies, law enforcement, or privacy advocates—able to weigh in. But the intention of the FCC is clear: the agency wants telecoms to be legally obligated to collect much more personally identifying information on new and returning customers, linking them directly to their phone number and phone usage data. The FCC also asks whether the amount of data collected should change depending on whether a customer is seeking a prepaid or a postpaid service plan.

Multiple privacy and technology experts strongly pushed back against the proposed changes. “This proposal by the FCC will do little to combat scams and robocalls, since most people doing that will have no trouble creating fake documentation or identities,” Cooper Quintin, security researcher and senior public interest technologist with the Electronic Frontier Foundation (EFF), told 404 Media. “Given this administration’s crackdown on free expression, protest, immigrants, and women’s health we have trouble seeing this as a bold attack on freedom of communication. They want to take away our ability to make an anonymous phone call.”

Eric Null, the director of the Privacy & Data Project at the Center for Democracy & Technology, told 404 Media in an emailed statement “To address the scourge of illegal robocalls, the FCC has unfortunately proposed to force every wireless subscriber in the nation to sacrifice their privacy and give up significant personal details before receiving or renewing a wireless line. While some carriers already collect such details, there are specific circumstances where a person may need privacy and anonymity when seeking a cell phone, including if that person is a victim of domestic violence, or is a journalist or whistleblower. This proposal represents a loss of privacy across the board, and from an agency whose remit includes protecting privacy. The FCC might let a few bad apples spoil the whole bunch.”

Cape is a privacy-focused telecom company that limits the amount of data it collects on its customers. John Doyle, the company’s CEO, told 404 Media in an emailed statement “We hate robocalls and support eliminating them, but entrusting telecom carriers to effectively create a nationwide ID registry for every American with a phone is not the solution. Mobile carriers have been breached time and again because the incentives to secure trillions of dollars of legacy architecture aren’t there. Further enriching compromised telecom datasets with government ID, physical addresses, and alternate phone numbers harms our security rather than improving it.”

Given this proposal is in the comments stage, the FCC has many questions it is hoping to receive information on, such as whether “renewing” customers should be only those new to the provider, or those switching plans with their current telecom; or whether they should not allow the use of P.O. boxes or shared office locations as the required “physical address.”

The FCC did not respond to 404 Media’s request for comment. The proposal is open to comments until June 25.

Apple’s New Subdomain Kills “Hide My Email” Cover

Apple is about to label every anonymous email address its paying customers generate, creating a new obstacle for privacy-conscious users.

Hide My Email, the iCloud+ feature that creates an alias “@icloud.com” address to shield your real inbox from apps and websites, has always worked because of one specific design choice.

The generated addresses were indistinguishable from any other iCloud account. An app receiving “randomword_terms_42@icloud.com” had no way to tell whether it belonged to someone generating anonymous aliases or to someone’s grandmother.

That forced services to treat all iCloud addresses equally because filtering out the anonymous ones meant filtering out millions of regular Apple customers too.

Starting later this summer, new Hide My Email addresses will use “@private.icloud.com” instead of plain “@icloud.com,” according to a developer notice the company posted Monday.

The “private” subdomain announces to any app or email provider on the receiving end that the person signing up doesn’t want to be identified and hands them a one-line domain filter to block those sign-ups entirely.

Apple presented the move as a domain unification, consolidating Sign in with Apple addresses (previously on “@privaterelay.appleid.com”) under the same new subdomain. The company told developers that existing addresses on legacy domains will keep forwarding mail and that app and email providers should update their filtering to accommodate the change.

The gap between “@icloud.com” and “@private.icloud.com” looks cosmetic but functions as a kill switch. Services can now ban all anonymous aliases without touching regular iCloud mailboxes, the same way they already block disposable email providers like Guerrilla Mail or Mailinator.

The plausible deniability that made Hide My Email useful, the inability for a service to prove an address was anonymous, disappears the moment Apple stamps it with a subdomain that says so.

Why Meta Suddenly Loves the Kids Online Safety Act

For years, Meta cast itself as the reluctant holdout against the Kids Online Safety Act, the one company that just could not bring itself to endorse a bill that was, at least on the face of it, written to protect children but that has an ulterior motive.

That resistance lasted right up until the Senate sweetened the pot. Once lawmakers bundled KOSA with a federal block on state AI laws and a national digital ID push, two measures Meta has spent millions lobbying to win, the company located its conscience and decided the bill was tolerable after all.

POLITICO reported that the conversion arrived the moment the Senate paired KOSA with the App Store Accountability Act, a digital ID bill aimed squarely at app stores. Meta now sits beside Microsoft, Apple, X, Snap, and Pinterest, all of them cheering for the legislation. It makes for an awkward look: a law sold to the public as a leash on the biggest platforms, when most of the biggest platforms turn out to be holding the leash.

As we’ve said many times before, and it seems we’re having to now say on a daily basis, verifying how old you are means proving who you are. The systems that estimate your age want a government ID, a face scan, or enough surveillance of your behavior to make an educated guess. None of them confirm your age and nothing else; they confirm your identity and keep a copy, so the platform that once let you be a username now wants your legal name on file.

So why would a company that lives off your data fight to make you surrender more of it? The App Store Accountability Act would order Apple and Google to verify ages at the store, which would load the cost and the legal risk onto the two companies that run the stores. Meta’s own apps pick up no new obligation at all. Meta collects the identity-checked internet it has wanted for years and gets to look like a bystander while Apple and Google play the heavy.

The deeper payoff is older than this bill. Meta has dreamed of a real-name internet since Facebook’s early days, back when it enforced an authentic-identity rule until the public revolt made the policy too expensive to keep.

“Age verification” revives that dream by statute and applies it to everyone, with the invoice mailed to somebody else. A network of confirmed, identity-linked humans is also a network where the bots that annoy advertisers thin out, and ad space attached to real people fetches a premium. Protecting children is the version for the cameras; the version that moves the company sits on the balance sheet.

The less advertised half of the package lives in the preemption language. A handful of states have started writing their own AI rules, some governing how companies grab biometric data and let algorithms make decisions about residents. A federal block would bulldoze those efforts and erase one of the few places ordinary people can still object to how these systems treat their information.

Meta strolls away with a single, gentler national standard while residents lose the local protections they had started to build and the whole trade gets filed under everyone wins, as long as “everyone” means Meta.

The bundle also tucks in the NO FAKES Act, and this is where the child-safety wrapping paper comes off completely. The bill would let anyone sue over an “unauthorized digital replica” and would hit platforms with heavy penalties for failing to obey its demands, among them fast removal of flagged content and policies to cut off repeat offenders.

A company staring down those fines for guessing wrong on a hard case will pull lawful speech first and worry about the details later. What the bill builds is a takedown machine, with the lever handed to whoever complains the loudest.

The actors’ union SAG-AFTRA has been pushing the bill hard from the other side, gathering more than 16,000 signatures on an open letter that frames it as a shield against deepfakes used in scams, fake endorsements, and the replacement of human performers. “Unchecked AI can ruin lives,” union president Sean Astin said, and on that narrow point, he has a fair case. The trouble is what the rest of the bill does and how it curbs satire and parody.

The latest version came back last month from a bipartisan group that includes Senators Marsha Blackburn, Chris Coons, Thom Tillis, and Amy Klobuchar, with OpenAI, YouTube, and IBM applauding from the wings. The Senate Judiciary Committee takes it up Thursday.

Colorado Gun Owners Sue Over New Law Allowing Warrantless Access to Dealer Records

A new Colorado law has raised the hackles of a coalition of gun owners in the state, leading them to challenge its constitutionality in federal court.

Signed into law on June 2 by Colorado Democratic Gov. Jared Polis, the Requirements for Firearms Dealers Act requires all gun sellers in the state to allow any “duly authorized peace officer” to inspect their sales records “at all times.”

The bill follows in the footsteps of 11 other states and Washington, D.C., by extending the state’s record-keeping requirements for firearms dealers to all retail transactions, including transfers. Dealers will be required to note the customer’s name, age, and address, as well as the firearm’s serial number, letters, make, and caliber. Failure to comply could result in a fine of up to $75,000, the loss of a dealer’s license, and up to a year in jail. 

Gun owners in the state are pushing back against this overreach. Ten days after Polis signed the bill into law, three firearms dealers and two firearms associations filed a joint civil suit in the U.S. District Court for the District of Colorado, arguing that the bill is a “warrantless-inspection scheme for firearms dealers” that violates the Fourth Amendment because it includes no stipulations for warrants or probable cause and no restrictions on time or frequency.

Colorado’s law would make it easier for law enforcement to engage in fishing expeditions. Under the law, a Colorado police officer could presumably demand that a dealer provide records of firearms sales for the last month, with no mention of a crime being committed or a suspect in mind. While the bill does prohibit law enforcement from creating or maintaining a firearms registry, that provision seems moot if firearms dealers are themselves forced to maintain the registry for cops. 

While the court challenge is ongoing, it’s difficult to see how Colorado’s law complies with the Supreme Court’s precedents on warrantless searches. 

In New York v. Burger (1987), the Court ruled that a warrantless search of a “closely regulated” industry violates the Fourth Amendment unless it satisfies three criteria: the state must have a substantial interest in regulating the industry; the warrantless inspections must directly serve that interest and be necessary for the regulatory scheme; and the statute must offer a constitutionally adequate warrant substitute, such as notification and limits on “time, place, and scope,” to “impose appropriate restraints” on an officer’s discretion.

Colorado’s law might satisfy the first criterion. But it appears to fall short of the other two entirely, especially since the law is broad enough to allow sheriffs and campus security alike to inspect the records of any firearms dealer in the state.

Even when the law permits the government to inspect a business without a warrant—an administrative search—the Supreme Court ruled in Los Angeles v. Patel (2015) that the subject must be afforded a review by a “neutral decisionmaker” for the search to be constitutional. Colorado law does not provide firearms dealers with an opportunity for such a review before inspection.

Aside from the record-keeping provisions, the bill adds new administrative burdens for firearms dealers by requiring businesses in the state to provide the Department of Revenue with a “comprehensive security plan.” It also tasks the department with adopting rules on acceptable security measures that dealers must comply with. Those requirements will go into effect in October 2027.

State Sen. Cathy Kipp (D–Fort Collins), a cosponsor of the bill, told Complete Colorado the new law “builds on a new bureaucracy established in 2024” to stop “preventable shooting deaths” and reduce gun violence. But another outcome is far more likely: treating gun owners and firearm dealers like de facto criminals.

Colorado lawmakers have created an environment ripe for confrontation between law enforcement and legally armed Americans, all while violating Coloradans’ right to privacy.

UK Tech Minister Hints at Potential VPN Ban to Enforce Social Media Restrictions

The British government has suggested it may ban VPN services as it seeks to enforce its upcoming social media ban for children under 16.

The censorious left-wing UK government said that it will announce plans for Virtual Private Networks (VPNs) next month amid growing questions about how it intends to ensure that children do not subvert the upcoming social media prohibition.

Critics have warned that the social media ban for under-16s will require the state to implement a digital ID system to verify internet users’ ages, potentially impacting the privacy of all citizens, including law-abiding adults.

Others have also questioned what the government intends to do about children who simply use VPNs to mask their IP addresses and access the internet from countries that don’t prohibit children from using social media sites.

While VPNs were once mostly used by people in authoritarian countries like Communist China, Islamist Iran, or Vladimir Putin’s Russia to unblock vast swathes of the internet, they have grown in popularity in Western countries in recent years amid rising state censorship.

Indeed, according to data collected by the IT Asset Management Group, Google searches for “VPN” rose by 165 per cent after Prime Minister Sir Keir Starmer formally announced plans to ban social media for those under 16 on Monday, City AM reported.

Technology Minister Liz Kendall told the BBC on Tuesday morning that the government will “make further statements in July about VPNs and further restrictions.”

A Requiem for Privacy

When President Donald Trump appointed an obviously unqualified friend, a home builder executive, to be acting director of national intelligence, he inadvertently triggered attention to Section 702 of the Foreign Intelligence Surveillance Act. The director of national intelligence is the head of the umbrella agency that gathers intelligence from the 17 federal spying agencies and from that data prepares and delivers the president’s daily briefing. Sec. 702, which permits warrantless spying, expires this month.

Trump prefers to receive his briefings directly from the CIA and its foreign colleagues, leaving the DNI as an appendage with little to do. Nevertheless, the DNI employs hundreds of spies and analysts, and most of them have national security clearances that permit them to view the nation’s most closely guarded secrets and to invade anyone’s privacy.

Section 702 of FISA theoretically permits federal agents to spy without warrants or suspicion on foreign persons. In reality, it is used as a fig leaf to spy on Americans.

A few years ago, Department of Justice lawyers persuaded the FISA court secretly to permit the National Security Agency — America’s domestic spies — to spy on Americans with whom foreign persons communicate; even suspicionless Americans whose communications with foreigners are benign; even Americans removed by six degrees from conversations with foreigners.

Before 9/11, no one in law enforcement was permitted access to data obtained outside the restraints imposed by the Fourth Amendment to the Constitution. Those restraints prohibit searches and seizures — in the modern parlance, surveillance and data acquisition — without a search warrant issued by a judge based on probable cause of crime, sworn to under oath. And the warrant itself must specifically describe the places to be searched and the persons or things to be seized.

Since 9/11, the wall between surveillance and law enforcement has collapsed even though the feds still maintain that the Fourth Amendment only regulates law enforcement and not surveillance. This wild proposition is defied by the plain language of the amendment, which protects all persons from all government, and by the history of the colonists dealing with British government agents executing general warrants issued by a secret court in London.

Those warrants permitted the bearers to arrest whomever they wished, to search wherever they chose and to seize whatever they found. Under the pretext of looking for evidence of crimes, like failing to comply with the Stamp Act, these agents were truly looking for what the king considered subversive, like a draft of the Declaration of Independence.

James Madison and his colleagues who drafted the Fourth Amendment surely knew that history and shared the near universal colonial revulsion at general warrants. Hence the requirements in the amendment for probable cause of crime sworn to before the warrant-issuing judge, and specificity in the warrant itself.

All of this was crafted to outlaw general warrants, and protect all persons in America from warrantless government assaults and invasions of their “persons, houses, papers, and effects.”

Now, back to FISA. FISA was crafted in reaction to President Richard Nixon’s use of the CIA and FBI for warrantless domestic surveillance purposes. This was spying on Americans — opponents of the Vietnam War and Nixon’s political opponents — which as we all now know came crashing down on Nixon in the Watergate scandal.

France’s Own Hack Is the Best Argument Against Its War on Encryption

Brussels and a run of European governments, France loud among them, have spent the past few years treating strong encryption as a problem to be solved.

The argument behind proposals like Chat Control is that the state needs a way to scan private messages to keep people safe and that it can be trusted to hold that kind of access without abusing it or losing control of it.

But France just handed that argument an awkward rebuttal. Tchap, the messenger the French government built for its own civil servants, got breached.

France’s National Cybersecurity Agency, ANSSI, detected the compromise on June 7, and DINUM, the digital affairs directorate that runs the platform, blocked the account involved and published an incident notice.

The intrusion broke neither the encryption nor the servers. Someone hijacked a legitimate user account, which is all an attacker needs when any one credential is a key to the same building.

That detail is the part the backdoor crowd keeps refusing to absorb. The encryption on Tchap did its job. DINUM says private conversations stay end-to-end encrypted even when an account is impersonated and that the attacker could reach only the unencrypted public chat rooms any authenticated user is able to find.

Security researchers were quick to note what that reassurance skips over. An attacker wearing a real user’s identity can see whatever that account sees in the moment, private rooms included.

A government backdoor is exactly that, an access path bolted on beside working encryption, and France just demonstrated it cannot keep one of those paths shut for a single weekend.

DINUM has notified CNIL, the French data protection regulator, because personal information may have surfaced in whatever the attacker viewed. The directorate described its handling of the intrusion in a press release.

“At this stage, the account originating the malicious requests has been identified. It was immediately blocked to remove the attacker’s persistent access and allow for a thorough analysis of the data they were able to access. The investigation continues, including the study of event logs, to identify the conversations that the attacker was able to access and the nature of the exfiltrated data,” DINUM said.

The directorate also pushed responsibility back toward its own users, reminding them where the safe lines were supposed to be.

“A message has been sent to all Tchap users reminding them that a public chat room can be found and joined by any user and that its content is not encrypted. In accordance with Tchap’s terms of service, no personal, sensitive, or confidential information should be exchanged in public chat rooms: such exchanges should be reserved for private chat rooms.”

UK Plans To JAIL Tech CEOs Who Refuse To SPY On Every Phone

New measures would compel client-side inspection of every photo, video and message on devices, escalating the digital ID lockdown already plotted for British smartphones in coordination with major technology firms.

Privacy advocates warn the “child safety” framing masks a broader drive to turn personal phones into mandatory surveillance endpoints, with criminal penalties aimed at any executive who resists.

Reclaim The Net, an organization dedicated to countering online censorship and digital surveillance, flagged the draft legislation in recent updates. 

The group described how UK authorities are preparing to imprison tech executives for up to five years under the Online Safety Act if companies refuse to build and deploy scanners capable of reviewing every piece of content on user devices.

The push targets expanded “client-side scanning” features, requiring devices to inspect material before it is sent or received.

Existing tools from Apple and Google, such as nudity detection in Messages or sensitive content warnings, would be broadened into comprehensive, always-active systems. Non-compliance would trigger direct penalties against company leadership rather than the firms alone.

UK Encryption Backdoor Could Hit US Data, Jordan Warns

Britain has refused to let a US technology company brief Congress about a secret order to weaken encryption, and the chairman of the House Judiciary Committee is treating that refusal as a problem in its own right.

Jim Jordan, the Ohio Republican who leads the committee, wrote to Home Secretary Shabana Mahmood on Friday warning that Britain may be using encryption powers to reach the private data of US citizens.

The underlying dispute is not new. For more than a year, the UK’s use of secret “technical capability notices” under the Investigatory Powers Act 2016 has strained relations with Washington, ever since reports that Britain ordered Apple to open up encrypted iCloud data. What is new is the wall Jordan says he keeps hitting when he tries to learn more.

He met Sir Christian Turner, the British ambassador to the United States, in March, after a US company asked to brief members of Congress about one of these notices, something that would require Mahmood’s sign-off.

The ambassador suggested it could happen. Mahmood then refused.

“This denial is inconsistent with our understanding from Ambassador Turner and raises serious concerns about shared cooperation on these sensitive matters, particularly as Congress exercises its important oversight responsibilities,” Jordan wrote, the Telegraph reported, adding that it cast doubt on the “trust and effective partnership between our two countries.”

He asked Mahmood to “review this matter and grant the US company’s request to speak with Congress about an alleged technical capability notice,” which he said would “honour the representation made by the ambassador during our meeting and uphold the spirit of transparency and cooperation that is the foundation of our shared security relationship.”

The secrecy Jordan ran into is built into how these orders work, and it is worth keeping in view.

The UK may be building “backdoors into their encrypted services,” he wrote.

A backdoor is a deliberately built flaw, a master key, or a hidden bypass that lets an intelligence agency read encrypted data without the user ever knowing. It defeats end-to-end encryption, the design that normally keeps a message readable only to the person who sent it and the person who received it.

A company served with a notice cannot tell its customers, the press, or apparently even a foreign legislature, without the express permission of the Home Secretary.
