California Bills on Social Media and AI Chatbots Fuel Privacy Fears

Two controversial tech-related bills have cleared the California legislature and now await decisions from Governor Gavin Newsom, setting the stage for a potentially significant change in how social media and AI chatbot platforms interact with their users.

Both proposals raise red flags among privacy advocates who warn they could normalize government-driven oversight of digital spaces.

The first, Assembly Bill 56, would require social media companies to display persistent mental health warnings to minors using their platforms.

Drawing from a 2023 US Surgeon General report, the legislation mandates that platforms such as Instagram, TikTok, and Snapchat show black-box warning labels about potential harm to youth mental health.

The alert would appear for ten seconds at login, again after three hours of use, and once every hour after that.

Supporters, including Assemblymember Rebecca Bauer-Kahan and Attorney General Rob Bonta, claim the bill is necessary to respond to what they describe as a youth mental health emergency.

Critics of the bill argue it inserts state messaging into private platforms in a way that undermines user autonomy and treats teens as passive recipients of technology, rather than individuals capable of making informed choices.

Newsom has until October 13 to sign or veto the measure.


What Is ICE Doing With This Israeli Spyware Firm?

The deployment of Paragon’s Graphite spyware was a major scandal in Italy. Earlier this year, the messaging app WhatsApp revealed that 90 journalists and civil society figures had been targeted by the military-grade surveillance tech, which gives “total access” to a victim’s messages. The Italian government admitted to spying on refugee rights activists, and Paragon cancelled its contract with the government almost immediately after the story broke.

Now the same software may be coming to America—and again with an immigration focus. Last week, the U.S. Department of Homeland Security quietly lifted a stop-work order on a $2 million contract that Immigration and Customs Enforcement (ICE) had with Paragon for a “fully configured proprietary solution including license, hardware, warranty, maintenance, and training.”

The deal was first signed by the Biden administration, and it was frozen in October 2024, less than a week after Wired broke the news of the contract. An administration official later insisted to Wired that, rather than reacting to bad publicity, they were reviewing the contract to comply with President Joe Biden’s order to ensure that commercial spyware use by the U.S. government “does not undermine democracy, civil rights and civil liberties.”

The details of that review—or even the contract itself—were never publicly disclosed. But the results are clear: ICE now has a green light to use whatever software Paragon was offering. (Neither Paragon nor ICE responded to requests for comment from The Guardian.)

The Citizen Lab at the University of Toronto, dedicated to researching electronic surveillance, found that Graphite targeted users through a “zero-click exploit.” By adding someone to a WhatsApp group in a certain way, Graphite can force their phones to read an infected PDF file without the user’s input. In other words, a cyberattack can be disguised as a spam text—and works even if victims ignore it.

After discovering the vulnerability with the Citizen Lab’s help, WhatsApp said in a statement that it was “constantly working to stay ahead of threats” and “build new layers of protection into WhatsApp.”

Paragon was co-founded by Ehud Barak, a former Israeli prime minister and general in charge of military intelligence, and Ehud Schneorson, a former head of Unit 8200, the Israeli equivalent of the National Security Agency. Last year, an American private equity firm bought Paragon for $500 million with the intention of merging it into RED Lattice, a firm connected to former U.S. intelligence officials. Paragon has positioned itself as a more ethical alternative to NSO Group, a spyware company similarly run by Unit 8200 veterans.

In 2021, NSO Group suffered a series of scandals after it was revealed that its Pegasus spyware was sold to police states around the world and was possibly used to spy on journalists who were murdered. NSO Group accused the media of running a “vicious and slanderous campaign” and promised to “thoroughly investigate any credible proof of misuse.” The Biden administration hit NSO Group with economic sanctions in response.

Around the time that the Pegasus scandal was breaking, a Paragon executive boasted to Forbes that their company would only deal with customers who “abide by international norms and respect fundamental rights and freedoms.”


Where VPN Demand Surged Due To Internet Blocks In 2025

Violence and chaos have gripped Nepal as protests sparked by the blocking of social media sites spiralled out of control.

The country’s prime minister resigned Tuesday after security forces fired on protestors Monday. Hundreds were injured and at least 22 people died, most by live ammunition. The army assumed control Tuesday night after many government and other buildings were set ablaze by protestors.

Young people were reported to lead the uprising, which was catalyzed by the attempt to suppress online expression but brought to the surface the population’s deep discontent with issues like corruption, inequality and political participation.

Democracy in Nepal has a relatively short history, and although the last remnants of its monarchy were abolished in 2008, nepotism and deep-seated corruption have continued to rule the country, drawing the ire of the population.

This is especially true for young Nepalese who struggle with finding employment and opportunity. In a country dependent on the remittances of workers abroad, the social media ban has been described as a very strong trigger as it cut off communications with the diaspora.

As Statista’s Katharina Buchholz shows in the chart below, using data from the website Top10VPN, Nepal’s social media blocks elicited the most pronounced response this year in terms of people looking for a way around them via VPNs.

On September 7, VPN search volume in the country had risen almost 3,000 percent above the previous month’s average – the biggest spike recorded globally this year by the source.


Cardiff Man Wrongly Accused of Theft After Facial Recognition Error Triggers Privacy Complaint

A Cardiff man has filed a formal complaint with the Information Commissioner’s Office after being wrongly accused of theft in a store using facial recognition software.

The case is now drawing wider attention to the unchecked spread of biometric surveillance in everyday retail environments.

On 29 April 2025, Byron Long, 66, arrived at the B&M outlet in Cardiff Bay Retail Park expecting an ordinary shopping trip.

Instead, he was approached by staff and told he was barred from the premises. In front of other customers, he was accused of stealing £75 ($101) worth of goods during a visit earlier that month.

That accusation was entirely false. During the visit in question on 9 April, Long had bought a single item: a £7 ($9.50) packet of cat treats. He paid for them in full. He later obtained CCTV footage showing himself at the checkout in a Red Bull Formula 1 jacket, clearly completing the purchase.

“It was a horrible experience, and I haven’t been back to the store since. The incident has had a very serious impact on my mental health, which is very fragile anyway, and I am now very anxious whenever I go shopping,” Long said, as reported by Nation Cymru.

The misidentification came from Facewatch, a private firm contracted by retailers to run facial recognition scans on customers. Images from Long’s previous visit were processed and matched to a database of alleged offenders. That match triggered the alert that led B&M staff to accuse him.

B&M later acknowledged the error, issuing a written apology and stating: “Our B&M store and security teams have a duty of care to all our customers and to our company, and this includes challenging people that they believe are potentially shoplifting. This is an extremely difficult task, and sadly we don’t always get it right; your case would be one of these instances… We can confirm your data has been removed from Facewatch.”

They also offered a £25 ($34) voucher as compensation, an offer Long flatly rejected.

Facewatch responded to the incident by suspending the user who had submitted the incorrect data. Michele Bond, the company’s Head of Incident Review and Data Protection Enquiries, said: “Facewatch Incident data is submitted by authorized users, who must confirm the accuracy of the information provided. Once the error was identified, the user responsible was immediately suspended from using the Facewatch system.”

Long has since taken the matter to Big Brother Watch, a civil liberties group focused on privacy and surveillance. The organization has now submitted a complaint to the ICO on his behalf.


Mullvad Introduces QUIC-Based WireGuard Obfuscation to Bypass Censorship and VPN Blocks

Mullvad has begun rolling out a new feature that hides WireGuard connections inside QUIC traffic, a technique designed to help users slip past aggressive censorship systems.

By making VPN traffic look more like ordinary encrypted browsing, the update gives people in tightly controlled regions, including Russia and China, a better chance of maintaining stable access to the internet.

It also helps with accessing websites that are increasingly trying to ban VPNs.

The addition comes as Mullvad prepares to move away from OpenVPN, which it will no longer support starting January 2026.

With that change on the horizon, the company is putting its weight behind WireGuard while also making sure it remains usable in countries where standard WireGuard connections are heavily throttled or blocked.

QUIC itself is not new. Originally created by Google and now the backbone of HTTP/3, the protocol is prized for its speed, ability to handle multiple streams of data at once, and resilience against network issues.

Services like YouTube already rely on it, making QUIC traffic extremely common. Mullvad takes advantage of that by wrapping WireGuard’s UDP packets inside QUIC, effectively disguising VPN usage as something indistinguishable from normal web activity.

To make this possible, Mullvad has turned to MASQUE, a standard that allows UDP traffic to be tunneled through HTTP/3 connections.

The result is traffic that appears identical to everyday browsing, far harder for censors to single out and shut down.

The feature is included in Mullvad’s desktop apps for Windows and macOS beginning with version 2025.9.

Users can activate it in the VPN settings; if multiple connection attempts fail, the client will also switch over to QUIC on its own. Support for Android and iOS devices is also planned.

Different VPN companies are taking different routes to achieve similar goals. Proton VPN relies on its Stealth protocol, which disguises WireGuard traffic inside TLS.


The Surveillance Net Is Closing, But the Smart Ones Can See the Writing on the Wall

The privacy coin Zano just rallied nearly 70 percent in the last 30 days, lifting its market cap toward a quarter billion dollars and pushing daily trading volume close to three million. The spike isn’t about speculation alone. It reflects a shift underway as people begin to hedge against a tightening surveillance state.

The latest proof of financial control came just last month, when Tether froze $49.6 million in USDT at regulators’ request during a coordinated international crackdown. Regardless of the guilt or innocence of the targets, the lesson is obvious. These assets can be frozen in an instant, with no trial and no process, making them less a hedge against the state and more a compliant extension of it. 

Congress reinforced this fact with the GENIUS Act, a law that hard-wires surveillance into stablecoins by forcing issuers to operate under bank-style oversight, AML regimes, and reserve mandates. The fact that Democrats and Republicans both lined up behind it should tell you everything. In Washington, true bipartisan consensus only happens when war, debt, or control are on the line.

That same logic now extends to the streets. National Guard units are being deployed into American cities to “fight crime,” but the justification is always the same: safety over freedom. Deployments like this normalize militarization at home and make clear that the tools built for foreign wars are now being pointed inward. 

The grid doesn’t stop at the barrel of a gun either. It runs through data. Federal agencies have been caught buying location data from brokers like Venntel to track millions of Americans without warrants. The AT&T Hemisphere program continues to funnel call records to law enforcement, building a quiet dragnet with virtually no oversight. License plate readers vacuum up hundreds of millions of scans, with databases shared across jurisdictions and tapped for immigration enforcement. Flock Safety’s license-plate readers generated 1,400+ immigration-related searches in Denver and 113 million scans in a year in Austin, triggering local backlash over data-sharing and policy violations. This is mass movement tracking, normalized street by street. All of this happens without a vote, without consent, and in most cases without warrants.


Age Verification Company Exposes User Data, Reinforcing Privacy Fears Over Digital ID Systems

A company tasked with confirming users’ ages before they access adult content may be compromising their privacy by leaking detailed browsing data, according to a report by the nonprofit AI Forensics.

The group’s investigation highlights serious flaws in how some sites are complying with growing online age-check requirements, raising new concerns about surveillance and data exposure under the guise of protecting children.

France’s law requires that users’ identities remain concealed, not just from adult websites, but from the age verification services themselves.

Known as “double anonymity,” this standard is meant to ensure that those performing the verification process have no knowledge of which websites users are visiting or what content they attempt to access.

But AI Forensics found that AgeGO, one of the verification systems in active use, doesn’t meet those expectations.

Instead, AgeGO’s system reportedly transmits precise details about the user’s activity, including the URL of the video being viewed and the name of the website.


Google ordered to pay over $425 million in damages for smartphone privacy violations

Tech giant Google has been ordered to pay over $425 million for improperly snooping on the data of smartphone users and invading users’ privacy from 2016-2024.

“It’s a violation of public trust,” said attorney and political analyst Madeline Summerville.

The class action lawsuit, initially filed in 2020, accused the company of collecting data from 98 million devices that had turned off a tracking feature in their Google account.

“Even though I’ve shut off all the different apparatuses that would keep Google from monitoring me, they’re still doing it because they were doing it through third-party apps,” Summerville said.

The jury found Google spied on users and was in violation of California privacy laws. But Google denied it was improperly accessing devices. A Google spokesperson told Reuters that the decision misunderstands how its products work and that it plans to file an appeal. “Our privacy tools give people control over their data, and when they turn off personalization, we honor that choice.”


New ‘Sextortion’ Spyware Snaps Webcam Photos Of People Watching Porn

If you’re indulging in adult content online, you might want to slap some electrical tape over your webcam pronto, according to a new report from WIRED. Cybersecurity experts at Proofpoint, a battle-tested firm, just dropped a bombshell detailing a nasty new strain of “infostealer” malware called Stealerium. This open-source digital menace can hijack your webcam to snap photos, snoop on your browser for NSFW keywords, and capture screenshots of anything spicy – all of which could be weaponized for blackmail and extortion schemes that’ll leave victims reeling.

“When it comes to infostealers, they typically are looking for whatever they can grab,” Proofpoint researcher Selena Larson told WIRED, exposing the chilling reality of this cyberthreat. “This adds another layer of privacy invasion and sensitive information that you definitely wouldn’t want in the hands of a particular hacker.” “It’s gross,” Larson fumed. “I hate it.”

WIRED has more:

More hands-on sextortion methods are a common blackmail tactic among cybercriminals, and scam campaigns in which hackers claim to have obtained webcam pics of victims looking at pornography have also plagued inboxes in recent years—including some that even try to bolster their credibility with pictures of the victim’s home pulled from Google Maps. But actual, automated webcam pics of users browsing porn are “pretty much unheard of,” says Proofpoint researcher Kyle Cucci. The only similar known example, he says, was a malware campaign that targeted French-speaking users in 2019, discovered by the Slovakian cybersecurity firm ESET.

Larson laid bare the sinister tactics of sextortion spyware, which preys on individuals for profit while flying under the radar. “For a hacker, it’s not like you’re taking down a multimillion-dollar company that is going to make waves and have a lot of follow-on impacts,” she said. “They’re trying to monetize people one at a time. And maybe people who might be ashamed about reporting something like this.”

The malware’s creator, known as witchfindertr, identifies as a “malware analyst” based in London. To top it all off, Stealerium is freely available as an open-source tool on GitHub.


The Quiet Rebranding Of CBDCs As “Digital-ID”

Let’s call them what they are: Social Credit systems.

We know that “CBDC” stands for Central Bank Digital Currencies – and we have long held our hypothesis on what those entail (the TL;DR is that they will either launch as, or morph into, China-style social credit systems).

We’ve seen an Executive Order expressly ruling out CBDCs in the US, but as I keep warning readers: we’re seeing components we’d expect to see under a CBDC system appearing – only they aren’t originating at The Fed (which has never really expressed an interest in them, anyway).

Now the US Treasury Department is seeking comments on Digital ID as it relates to DeFi:

“The Department of the Treasury has filed a request for public comments to provide input on the use of “innovative or novel methods to detect and mitigate illicit finance risks involving digital assets” in accordance with the GENIUS Act, as well as in accordance with Donald Trump’s policy to support “the responsible growth and use of digital assets,” as outlined in the President’s Executive Order to strengthen US leadership in digital financial technology.”

— TheRage.co

The areas covered range from:

“the use of APIs “to help enforce strict access controls, monitor transactions and activities, and bolster security and integrity of financial institutions providing digital asset services”, the use of Artificial Intelligence to “make predictions, recommendations or decisions” to “effectively identify illicit finance patterns, risks, trends, and typologies”, and blockchain monitoring to “evaluate high-risk counterparties and activities, analyze transactions across multiple blockchains, trace or monitor transaction activities, and identify patterns that indicate potential illicit transactions.”

As well as Digital ID (which I think is the catch-phrase we’re going to see a lot of in the future, and which will capture a lot of the objectives of CBDCs):

“the treasury is also seeking comments on the introduction of “portable digital identity credentials designed to support various elements of AML/CFT and sanctions compliance, maximize user privacy, and reduce compliance burden on financial institutions” to potentially be used “by decentralized finance (DeFi) services’ smart contracts to automatically check for a credential before executing a user’s transaction.”

Sounds similar to what the Bank of International Settlements (BIS) wants to do in terms of rating individual crypto wallets for AML compliance.

In a white paper titled An approach to anti-money laundering compliance for cryptoassets they propose to:

“leverag[e] the provenance and history of any particular unit or balance of a cryptoasset, including stablecoins”

in order to assign an “AML compliance score”.
