Tag: privacy

UK Government Secretly Tracked 25 Million People as Potential EV Owners

The UK government spent two years tracking 25 million mobile devices to build a picture of who drives electric cars. Not suspects or criminals. Just ordinary people whose browsing history mentioned EVs often enough to flag them as worth following.

The Department for Transport paid telecoms company O2 £600,000 ($809,000) to run the operation. According to the Telegraph, O2 trawled through its customers’ web browsing histories and app records, flagging anyone who visited an EV-related site at least once a month across two or more months.

That pool extended beyond O2’s own customers to include people on Tesco Mobile, GiffGaff, and Virgin Mobile, networks that run on O2’s infrastructure and whose users had no idea their data was being packaged and sold to a government agency.

Once flagged as a “potential EV owner,” your physical movements were traced across the country. London, the North-West, and the East of England received particular attention.

The techniques are standard in serious organized crime investigations. The DfT applied them to people buying environmentally friendly cars.

Andy Palmer, former executive at Nissan and Aston Martin, put it plainly: “I’m told it’s anonymized and aggregated, and that may well satisfy legal thresholds. But legality and legitimacy are not the same thing.” He added: “If you erode public trust in how that data is gathered, you undermine the very transition you are trying to accelerate.”

The idea of “anonymized” data means very little.

The surveillance ran for two years before the DfT quietly admitted defeat in April 2024, conceding that “mobile data cannot directly be used to provide information around charging behaviour or travel time.”

The program ended not because anyone questioned whether mass tracking of innocent people was appropriate, but because the data turned out to be useless for its stated purpose.

Civil servants from the DfT and Treasury were simultaneously exploring new EV taxes to replace fuel duty revenue. The people being surveilled were doing exactly what government policy encouraged them to do.

Conservative MP Sir David Davis drew the obvious conclusion: “It’s an object lesson in why you can’t trust the state with unfettered access to people’s information, because they’ve obviously taken this information without people’s permission with the objective of disadvantaging them, either by tax or other policy matters. If they’ll do it on this, with people who are doing what the government wants in policy terms, namely, pursuing green policies, what on Earth will they do elsewhere?”

Keep reading

California Law Forces Age-Tracking Into Every Operating System by 2027

California wants to build a surveillance layer into every device its residents touch. Assembly Bill 1043, signed by Governor Gavin Newsom and taking effect January 1, 2027, requires every operating system provider to collect age information from users at account setup and broadcast that data to app developers through a real-time API.

Windows, macOS, Android, iOS, Linux distributions, Valve’s SteamOS: if it runs an operating system, it’s covered by this overreaching law.

The proposals are particularly dumb for open-source Linux operating systems. Linux exists specifically because some people want computing that doesn’t surveil them. That’s not incidental to why the platform exists; it’s foundational.

Distributions like Arch, Debian, and Gentoo have no centralized account infrastructure by design. Users download ISOs from mirrors, modify source code freely, and run systems that report to nobody.

Keep reading

Mexico Mandates Biometric SIM Registration for All Phone Numbers

Anonymous prepaid SIM cards are dying in Mexico. By July 1, 2026, every active cell phone number in the country must be biometrically linked to a named, government-credentialed individual or face suspension. That’s around 127 million numbers, each one tethered to an identity the Mexican government can look up by name.

The mobile registration law took effect January 9, 2026, covering prepaid and postpaid plans, physical SIMs, and eSIMs alike. Existing subscribers have until June 30 to complete registration. New lines activated after January 9 get 30 days. Miss the window, and the line goes dark.

The enforcement mechanism runs through the CURP Biométrica, Mexico’s biometric upgrade to its existing population registry code. The new credential embeds a photograph, electronic signature, and QR code that ties directly to biometrically verified records held in the national registry.

Residents registering a mobile line must provide their CURP number alongside a valid government ID, which makes biometric enrollment not optional but structurally required. You cannot register a phone number without first handing your biometric data to the state.

What Mexico is building here is a national phone network where every number has a face attached to it.

Keep reading

FTC Says Companies Can Collect Kids’ Personal Data, As Long As It’s Called “Age Verification”

The FTC just told companies they can collect children’s personal data without parental consent, as long as it’s for “age verification.”

That’s the practical effect of a policy statement the agency issued this week. Under COPPA, websites collecting data on kids under 13 generally need verifiable parental consent first. The FTC’s new statement carves out an exception: gather whatever personal information you need to verify someone’s age, and the Commission won’t come after you for it.

The agency calls this child protection. The infrastructure it’s enabling looks different.

Christopher Mufarrige, director of the FTC’s Bureau of Consumer Protection, said “Age verification technologies are some of the most child-protective technologies to emerge in decades,” and framed the announcement as a tool for parents.

What the statement actually does is green-light personal data collection from minors, on the theory that knowing someone’s age requires knowing who they are first.

The exemption is conditional. To avoid enforcement, sites must delete age verification data “promptly” after use, restrict third-party sharing to vendors with adequate security assurances, post clear notices about what they’re collecting, and use methods likely to produce “reasonably accurate” results. These requirements are unverifiable by the people whose data gets collected, and enforced by an agency that just announced it won’t enforce.

COPPA supposedly exists precisely because children’s personal data is sensitive and companies can’t be trusted to protect it without legal pressure.

The FTC’s new exemption uses that same sensitive data as the price of admission for age verification, then steps back from enforcement. The agency is weakening the law’s protections in order to expand the infrastructure that the law was supposedly designed to regulate.

Keep reading

Privacy Groups Revolt Against Google’s Demand to Register Every Android Developer

Android’s defining advantage over iOS has always been openness. You could build an app, distribute it yourself, and never touch Google’s systems. That era is about to end unless the open-source community can force Google to back down.

Starting September 2026, any app installed on a certified Android device must be registered by a Google-verified developer. No registration, no installation. The verification demands government-issued identification, agreement to Google’s terms and conditions, and a $25 fee.

Developers who skip Google’s approval process will find their apps blocked, even when distributed entirely outside Google Play, through stores like F-Droid, the Amazon Appstore, or Samsung’s Galaxy Store.

Organizations, including the Electronic Frontier Foundation, the Free Software Foundation, F-Droid, Article 19, Fastmail, and Vivaldi, signed an open letter calling on Alphabet CEO Sundar Pichai, founders Larry Page and Sergey Brin, and app ecosystem chief Vijaya Kaza to kill the policy. Their message is simple: Google is reaching into distribution channels it doesn’t own, doesn’t operate, and has no legitimate authority over.

Keep reading

40 Attorneys General Urge Congress to ‘Tie Online Access to ID’

Forty state attorneys general (AGs) last week urged federal lawmakers to pass a bill that could ultimately require people to digitally verify their identity to access the internet, according to privacy and free speech watchdog group Reclaim The Net.

In a Feb. 10 letter, the AGs backed the U.S. Senate version of the Kids Online Safety Act. They did not support the U.S. House of Representatives version, which differs in key ways.

If passed, the Senate bill would require government officials and agencies to figure out how computers, cellphones and operating systems could verify people’s age. The bill states:

“The Secretary of Commerce, in coordination with the Federal Communications Commission and the Federal Trade Commission, shall conduct a study evaluating the most technologically feasible methods and options for developing systems to verify age at the device or operating system level.”

The federal officials and agencies would be required to submit a report of their findings to Congress within a year.

Designing cellphones and computer operating systems to verify a user’s age would bring the U.S. another step closer to cementing a digital ID system, Reclaim The Net reported. In an article titled “40 State Attorneys General Want To Tie Online Access to ID,” it wrote:

“Device-level verification would likely depend on digital identity checks tied to government-issued identification, third-party age verification vendors, or persistent account authentication systems. …

“… Once age checks are embedded at the operating system level, the boundary between verifying age and verifying identity becomes difficult to maintain.”

Greg Glaser, a digital privacy expert and attorney, agreed. “By embedding identity checks into apps, hardware, or operating systems, the bill would create a de facto digital ID checkpoint for broad internet use,” he said.

Keep reading

Zuckerberg’s “Fix” for Child Safety Could End Anonymous Internet Access for Everyone

Mark Zuckerberg spent more than five hours on the stand in Los Angeles Superior Court on Wednesday, testifying before a jury for the first time about claims that Meta deliberately designed Instagram to addict children.

The headline from most coverage was the spectacle: an annotated paper trail of internal emails, a 35-foot collage of the plaintiff’s Instagram posts unspooled across the courtroom, a CEO growing visibly agitated under cross-examination.

The more important story is what Wednesday’s proceedings are being used to build.

The trial is framed as a child safety case. What it is actually doing, especially through Zuckerberg’s own testimony, is laying the political and legal groundwork for mandatory identity verification across the internet.

And Zuckerberg, rather than pushing back on that outcome, offered the court his preferred implementation plan.

Keep reading

Texas Sues Drone Maker Anzu Over Alleged Ties to CCP

Texas Attorney General Ken Paxton is suing drone-maker Anzu Robotics, alleging that the U.S.-based company misled consumers and concealed its ties with the Chinese communist regime.

Paxton announced the lawsuit on Feb. 19, accusing the Texas-based startup of rebranding products sourced from Chinese drone giant Da Jiang Innovations, commonly known as DJI.

Founded in the southern Chinese city of Shenzhen in 2006, DJI has been flagged by U.S. regulators as a security risk because of its ties to the Chinese Communist Party (CCP).

The U.S. Commerce Department added DJI to its export control list in 2020 for aiding the CCP’s human rights abuses. The Treasury banned U.S.-based individuals from trading DJI shares the following year because of similar concerns. The Pentagon blacklisted DJI as a Chinese military company in 2022, noting that the Chinese regime requires all Chinese companies to allow it to use them as part of its military-civil fusion strategy.

In the lawsuit, Paxton accused Anzu of making false and misleading representations to Texans about its business relationship with DJI, data-sharing practices, and software development.

Anzu markets itself as an American-owned, made-in-Malaysia alternative, but much of its drone technology is licensed from DJI, which receives payments for every drone that Anzu orders, the complaint alleges.

Keep reading

Spanish Court Orders NordVPN and Proton VPN to Block Piracy Streams

Spain’s soccer league has found a new target in its fight against pirate streams: the VPNs people use to protect their privacy online.

A court in Córdoba has ordered NordVPN and Proton VPN to block specific IP addresses broadcasting illegal LaLiga matches, requiring both companies to alter their “internal systems” to make those addresses “inaccessible from Spain.”

The ruling was issued without notifying either provider. Neither could challenge it before it took effect. The court says it cannot be appealed at all.

LaLiga and Telefónica Audiovisual Digital brought the case to Commercial Court No. 1 of Córdoba, framing the measures as “precautionary” and taken in “defense of [LaLiga] clubs’ audiovisual rights.”

The court’s theory of liability is that VPNs are “contributing” to piracy simply by doing what VPNs do, letting users change their IP address and location. The order also notes that VPNs “acknowledge and advertise” their effectiveness at evading internet restrictions. Offering a privacy tool that works, in other words, is now evidence of wrongdoing.

Both companies found out about the ruling the same way everyone else did. NordVPN and Proton have said that they have received no notice of this.

Keep reading

UK Government Plans to Use Delegated Powers to Undermine Encryption and Expand Online Surveillance

The UK government wants to scan people’s photos before they send them. Not just children’s photos. Everyone’s.

Technology Secretary Liz Kendall spelled it out on BBC Breakfast, floating a proposal to “block photographs being sent that are potentially nude photographs by anybody or block children from sending those.” That second clause is the tell. Blocking “anybody” from sending potentially nude images requires scanning everybody’s messages. There’s no technical path to that outcome that doesn’t involve reading content the sender assumed was private.

Kendall said the government is conducting a consultation on “whether we should have age limits on things like live streaming” and whether there should be “age limits on what’s called stranger pairing, for example, on games online.” The consultation, she said, will look at all of these. That list now covers messaging apps, photo sharing, gaming, and live streaming. Any feature that lets you share an image with another person potentially falls inside it.

This is how the mandate grows. The government announced a push for new delegated powers on February 16, framing them around age verification for social media and VPNs.

Keep reading