Apple Fixes Bug That Allowed FBI To Read Deleted Signal Messages

Tech giant Apple has fixed a security flaw that had allowed the FBI to access a Signal user’s deleted messages through their phone’s push notification database, despite the app being deleted and messages being set to disappear.

In a security advisory released on Wednesday, Apple said it had fixed a bug that allowed “notifications marked for deletion” to be “unexpectedly retained on the device.”

In an X post on Wednesday, Signal said the update fixed the issue that made a user’s messages retrievable by law enforcement.

“Apple’s advisory confirmed that the bugs that allowed this to happen have been fixed in the latest iOS release,” Signal said.

Signal uses end-to-end encryption to secure messages between its users. The bug is a reminder that messaging encryption may not be enough to keep data protected when using certain devices or operating systems.

EFF Sues DHS and ICE For Records on Subpoenas Seeking to Unmask Online Critics

The Electronic Frontier Foundation (EFF) sued the Department of Homeland Security (DHS) and Immigration and Customs Enforcement (ICE) today demanding public records about their use of administrative subpoenas to try to identify their online critics.

Court records and news reports show that in the past year, DHS has used administrative subpoenas to unmask or locate people who have documented ICE’s activities in their community, criticized the government, or attended protests. The subpoenas are sent to technology companies to demand information about internet users who are often engaged in protected First Amendment activity.

These subpoenas are dangerous because they don’t require judges’ approval. But they are also unlawful, and the government knows it. When a few users challenged them in court with the help of American Civil Liberties Union affiliates in Northern California and Pennsylvania, DHS withdrew them rather than waiting for a decision.

DHS and ICE have ignored EFF’s public-records requests for documents about the processes behind these subpoenas, so EFF sued Wednesday in the U.S. District Court for the District of Columbia.

“DHS and ICE should not be able to first claim that they have the legal authority to unmask critics and then run from court when users challenge these administrative subpoenas,” said EFF Deputy Legal Director Aaron Mackey. “The public deserves to know what laws the agencies believe give them the power to issue these speech-chilling subpoenas.”

Administrative subpoenas cannot be used to obtain the content of communications, but they have been used to try to obtain some basic subscriber information like name, address, IP address, length of service, and session times. If a technology company refuses to comply, an agency’s only recourse is to drop the subpoena or go to court and try to convince a judge that the request is lawful.

EFF and the ACLU of Northern California in February wrote to Amazon, Apple, Discord, Google, Meta, Microsoft, Reddit, SNAP, TikTok, and X to ask that they insist on court intervention and an order before complying with a DHS subpoena; give users as much notice as possible when they are the target of a subpoena, so the users can seek help; and resist gag orders that would prevent the companies from notifying users who are targets of subpoenas.

And EFF last week asked California’s and New York’s attorneys general to investigate Google for deceptive trade practices for breaking its promise to notify users before handing their data to law enforcement, citing the case of a doctoral student who was targeted with an ICE subpoena after briefly attending a pro-Palestine protest.

UK Biobank health data listed for sale in China, government confirms

Medical information of 500,000 participants of one of the UK’s landmark scientific programmes, UK Biobank, was offered for sale online in China, the government has confirmed.

Technology minister Ian Murray said information of all members of the database was found listed for sale on the website Alibaba.

Murray told MPs the charity which runs UK Biobank had told the government about the breach on Monday. He said the information did not include names, addresses, contact details or telephone numbers.

However, he said it could include gender, age, month and year of birth, socioeconomic status, lifestyle habits, and measures from biological samples.

The Biobank is a collection of health data offered by volunteers which has been used to help improve the detection and treatment of dementia, some cancers and Parkinson’s.

It has collected intimate details – including whole body scans, DNA sequences and their medical records – from hundreds of thousands of volunteers for over two decades. The project has led to more than 18,000 scientific publications.

Participants were aged from 40 to 69 when they were recruited between 2006 and 2010.

UK Biobank said it was investigating the incident and thanked the UK and Chinese governments, as well as Alibaba, for support and cooperation.

“We understand that the existence of these listings, even temporarily, will be concerning to you,” Chief Executive Professor Sir Rory Collins said in a message to participants.

“We want to reassure you that all the data are de-identified; they do not contain any personally identifying information (such as names, addresses, dates of birth, and NHS numbers).”

Sir Rory told volunteers in his letter the data involved in the incident had been made available to researchers at three institutions.

He added the data was “swiftly” removed by Alibaba, following support from the UK and Chinese government, but the data’s appearance amounted to a “clear breach of the contract signed by these academic institutions”.

“They, along with the individuals involved, have had their access suspended,” Sir Rory added.

Murray told MPs the government has been told no purchases were made from the three listings on the website.

Alibaba has been contacted for comment.

Turkey to Ban Anonymous VPNs

Turkey is moving to make anonymous VPN use illegal, and Proton VPN signups in the country have doubled as word spreads. The Turkish government’s plan, reported by local outlet Yeni Şafak, would outlaw unlicensed VPN services and require any approved provider to log what users do and turn those records over to Turkish authorities on request.

A VPN that logs and reports isn’t really a VPN. It’s a second surveillance pipe pointed at the same people the government already watches.

Officials describe the measures as part of a package aimed at protecting children after school attacks in Şanlıurfa and Kahramanmaraş, with attackers reportedly drawn to violent mobile games. Packaged alongside the VPN clampdown are parent-controlled “child SIM” lines and a cap on how many mobile numbers a single person can register.

The child-protection wrapper is the sweetener, because the actual infrastructure being built, licensed VPN providers that log and disclose, reaches every adult in the country, not just children playing shooters on their phones.

France’s ID Portal Hacked: 19 Million Records Up for Sale

French authorities have added another case study to the growing argument against centralizing citizen identity data.

France Titres, formerly known as ANTS, operates the portal where residents apply for passports, national ID cards, residence permits, driver’s licenses, and vehicle registrations.

On April 15, something broke inside that system. A week later, the Interior Ministry confirmed what anyone watching digital ID schemes has been saying about this exact architecture for years, and the scale on offer from the attacker makes the warning harder to wave away.

A threat actor using the aliases “breach3d” and “ExtaseHunters” appeared on criminal forums on April 16, claiming to have stolen between 18 and 19 million records from the agency’s internal systems.

If accurate, that is roughly a third of France’s population sitting in a for-sale listing. The seller describes the haul as a fresh, structural compromise rather than a recycled dump, and is actively shopping it.

Early French press reports, including Le Figaro, initially pegged the figure at around 12 million accounts before later estimates climbed. The government has not confirmed any number.

What the ministry has confirmed is a “security incident that may involve the disclosure of data from both individual and professional accounts.”

Login credentials, full names, email addresses, dates of birth, unique account identifiers, postal addresses, places of birth, and phone numbers may all have been extracted. That combination is a starter kit for identity fraud, synthetic identity construction, and convincing phishing attacks against people who already expect email from French government domains.

Beyond Cookies – How To Stop The Invisible Browser Fingerprint That Tracks You Everywhere

For years, the privacy advice was simple: clear your cookies, use incognito mode, or click “Reject All” on those annoying consent banners. That advice is now outdated.

A groundbreaking study published last year has delivered the first peer-reviewed proof that the $600 billion online advertising industry has moved on from cookies. The new tracking method is called browser fingerprinting, and it works even if you never log in, never accept cookies, and have legally opted out under privacy laws.

Researchers from Texas A&M University and Johns Hopkins University built a tool named FPTrace to measure exactly how this works in the wild. They simulated real user sessions, systematically altered browser fingerprints, and watched what happened to the ads being served and the bids advertisers placed in real time. The results were clear: when the fingerprint changed, the price advertisers were willing to pay to target that “user” changed with it. Tracking signals dropped. The system was actively using the fingerprint to follow people across sessions and sites.

And crucially, this happened even in tests where cookies were fully deleted and users were in “opt-out” mode under GDPR and CCPA rules. The law’s exit door for cookies does not cover fingerprinting.

How Browser Fingerprinting Works (No Permission Required)

Every time your browser loads a page, it leaks dozens of tiny, seemingly harmless signals:

  • Screen resolution and color depth
  • Installed fonts
  • GPU model and graphics capabilities
  • Audio processing signatures
  • Browser version, plugins, and language settings
  • Time zone
  • Canvas rendering differences (how it draws hidden shapes)
  • Whether you run an ad blocker
  • Even battery level in some cases

Alone, each detail is common. Combined, they create a unique “fingerprint” that can identify your device with startling precision. No cookies. No login. No pop-up asking for consent. Just loading the page is enough.
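The "common alone, unique combined" effect can be measured as anonymity-set size and entropy. The following is an added example, not code from the article or from the FPTrace study; the visitor records are constructed, and the function names and the uniform values in `withUniformSignals` are assumptions made for illustration.

```javascript
// Constructed sample: eight visitors described by three of the signals listed
// above. The values are made up for illustration; they are not measured data.
const visitors = [
  { screen: "1920x1080", timezone: "America/Chicago", language: "en-US" },
  { screen: "1366x768",  timezone: "America/Chicago", language: "en-US" },
  { screen: "1920x1080", timezone: "Europe/Paris",    language: "en-US" },
  { screen: "1366x768",  timezone: "Europe/Paris",    language: "en-US" },
  { screen: "1920x1080", timezone: "America/Chicago", language: "fr-FR" },
  { screen: "1366x768",  timezone: "America/Chicago", language: "fr-FR" },
  { screen: "1920x1080", timezone: "Europe/Paris",    language: "fr-FR" },
  { screen: "1366x768",  timezone: "Europe/Paris",    language: "fr-FR" },
];
const ATTRS = ["screen", "timezone", "language"];

// Group visitors by their values for `attrs`; returns Map(key -> group size).
function anonymitySets(population, attrs) {
  const counts = new Map();
  for (const v of population) {
    const key = JSON.stringify(attrs.map((a) => v[a]));
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return counts;
}

// Fraction of visitors who are alone in their group, i.e. singled out.
function uniqueFraction(population, attrs) {
  let unique = 0;
  for (const n of anonymitySets(population, attrs).values()) {
    if (n === 1) unique += 1;
  }
  return unique / population.length;
}

// Shannon entropy (bits) of the joint distribution of `attrs`.
function entropyBits(population, attrs) {
  let h = 0;
  for (const n of anonymitySets(population, attrs).values()) {
    const p = n / population.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Assumption: models a browser that reports one fixed value for the chosen
// signals to every site, so those signals stop separating users.
function withUniformSignals(population, fixed) {
  return population.map((v) => ({ ...v, ...fixed }));
}

function report() {
  const hardened = withUniformSignals(visitors, { screen: "1400x900", timezone: "UTC" });
  return {
    screenOnlyUnique: uniqueFraction(visitors, ["screen"]),
    combinedUnique: uniqueFraction(visitors, ATTRS),
    combinedBits: entropyBits(visitors, ATTRS),
    hardenedBits: entropyBits(hardened, ATTRS),
  };
}
console.log(report());
```

No single signal isolates anyone in this sample, yet the three together isolate everyone; reporting uniform values for two of them collapses the population back into large groups.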

The Surveillance Accountability Act Demands Warrants for Data

Rep. Thomas Massie (R-KY) and Rep. Lauren Boebert (R-CO) have introduced the Surveillance Accountability Act, a bill that feels like someone took the Fourth Amendment and actually meant it.

The legislation aims “to ensure that all searches that significantly impinge on the privacy or security of a person require a warrant based on probable cause” and to create “a right of action for violations of Fourth Amendment rights.” That covers the kinds of searches federal agencies currently conduct without judicial oversight: pulling your financial records from banks, requesting your browsing history from ISPs, buying your location data from brokers, and harvesting your biometric information from surveillance cameras.

We obtained a copy of the bill for you here.

The bill lands in the middle of a brutal Congressional fight over FISA Section 702, the surveillance authority that currently lets the FBI search Americans’ communications.

The new legislation goes much further than the various reform bills circulating around that debate. Where the SAFE Act and the Government Surveillance Reform Act target specific loopholes in FISA, the Surveillance Accountability Act tries to close all of them at once by rewriting the baseline rule: if the government wants your data, it needs a judge’s permission.

Digital Currency and the End of Financial Privacy

The push toward digital currency is being framed as innovation and efficiency, but when you strip away the marketing language, what is unfolding is a structural transformation of the financial system that shifts control away from individuals and concentrates it within governments and central banks. The Bank for International Settlements has confirmed that more than 90% of central banks are now actively researching, developing, or piloting central bank digital currencies, which is not coincidence or experimentation but a coordinated global direction. This aligns directly with what I have been warning, that when governments face a sovereign debt crisis they will turn to mechanisms that allow them to monitor and control capital flows because they cannot solve the debt problem through traditional means.

In the United States, more than 95% of transactions are already digital in some form, whether through credit cards, debit systems, ACH transfers, or mobile payment platforms, which means the infrastructure for surveillance is already largely in place. Cash has not been eliminated yet, but it has been marginalized, and that is the first step because once transactions become digital, every movement of money creates a permanent record. Governments already have the ability to access financial data through banks, but a central bank digital currency removes the intermediary entirely and places that visibility directly within a centralized system controlled by the state.

This is where the real shift takes place because a CBDC is not simply a digital version of existing currency, it is a programmable financial instrument. That means money itself can be controlled, restricted, or directed according to policy decisions. Transactions could be approved or denied in real time, spending could be limited to certain categories, and funds could even be given expiration dates to force consumption. These are not theoretical concerns as these capabilities have already been discussed openly in central bank reports and demonstrated in pilot programs around the world, including China’s digital yuan, which integrates payment systems with state oversight.

The connection to the sovereign debt crisis is critical because governments are reaching a point where they cannot sustain spending without either raising taxes, inflating the currency, or imposing controls on capital. Digital currency provides a mechanism to do all three simultaneously. Real-time taxation becomes possible because transactions can be monitored instantly, eliminating the lag between earning and reporting income. Capital controls can be enforced automatically by restricting transfers, preventing withdrawals, or limiting how funds are used. Inflation can be managed politically by directing spending into specific sectors or suppressing activity in others. This is the level of control that governments have never had before, and it changes the entire structure of the financial system.

The transition is being rolled out gradually because it cannot be imposed overnight without resistance. Digital systems will continue to coexist with cash and traditional banking for a period of time, but the direction is clear. As digital adoption increases, incentives will be introduced to encourage usage while restrictions on cash will slowly expand. Limits on cash transactions, reporting requirements, and regulatory pressure on banks are all part of this process. Eventually, participation in the digital system becomes not a choice but a necessity because alternatives are either restricted or eliminated.

There is also a geopolitical dimension to this shift because digital currencies can be used to bypass existing financial networks such as SWIFT, allowing countries to conduct transactions outside the traditional Western-dominated system. At the same time, within domestic economies, these systems give governments the ability to enforce policy at the individual level. This creates a dual structure where digital currencies are used externally to avoid sanctions and internally to impose control, and that combination is what makes this development so significant.

‘Unprecedented Mass Surveillance’: Bipartisan Senators Warn Of Privacy Threat Tied To FISA Renewal

Bipartisan senators are warning that a privacy threat tied to artificial intelligence (AI) could result in mass surveillance of American citizens if the renewal of the Foreign Intelligence Surveillance Act (FISA) does not include sufficient guardrails.

Efforts to renew the federal surveillance law ahead of its expiration have been complicated as House GOP leaders scramble to secure enough support to pass a clean 18-month extension aligned with President Donald Trump and House Speaker Mike Johnson’s requests, according to a Politico report. Both are pushing to reauthorize the law without changes before Monday’s deadline.

The growing power of AI is driving new worries among both Republicans and Democrats about government agencies’ warrantless purchases of Americans’ sensitive data.

Commercially available information obtained from data brokers for criminal investigations, military operations and national security circumvents constitutional restrictions on information agencies can gather from Americans, Politico reported.

FBI Recovers Deleted Signal Messages Through iPhone Notifications

The FBI successfully recovered private Signal messages from a defendant’s iPhone even after the app was deleted. Learn how this security loophole works and the simple setting you must change today to keep your chats private.

Most of us prefer using the Signal app because it is supposed to be very secure with a remarkable end-to-end encryption system that hides our chats from everyone else. It also has a message-disappearing feature to help us set a message deletion time.

But the Federal Bureau of Investigation (FBI) found a way to read private Signal messages on an iPhone, even after the app was deleted. A court case in Texas revealed that these messages can stay hidden in the phone’s memory longer than we expected.

How the loophole works

The case involves a woman named Lynette Sharp and an attack on a Texas detention centre in July 2025. During the trial in April 2026, the FBI revealed they recovered her messages even though she had deleted the Signal app. The bureau reportedly retrieved the messages from the iPhone’s push notification database.

During the trial, FBI Special Agent Clark Wiethorn explained how investigators accessed the evidence. When a message arrives, the phone shows a little preview on the screen, which is handled by the phone’s operating system and not the Signal app.

Even if Signal deletes the message later, the phone’s system can save a copy of that preview in its own records. To read these saved messages from Signal, the FBI used Cellebrite, a forensic tool often used by law enforcement to scan seized devices.

A key finding is that the FBI could only see incoming messages, not the ones Sharp sent, which confirms the data came from the notification storage. It shows that while the app’s encryption is strong, the phone’s operating system keeps its own logs of everything.
