Privacy


founded 2 years ago

Our latest blog post is aimed at people who 'get it' about online privacy, but who struggle to convince friends and family to take it seriously. We hope it helps!


I started The New Oil in 2018. TNO began simply as a way to share what I was learning about privacy and security with my friends and fami...


Keep a close eye on who’s joining your group chats.


SAN FRANCISCO – The Electronic Frontier Foundation (EFF) sued the departments of Justice (DOJ) and Homeland Security (DHS) today to uncover information about the federal government demanding that tech companies remove apps that document immigration enforcement activities in communities throughout...


[TRANSLATED ARTICLE]

EU chat control comes – through the back door of voluntariness

The EU states have agreed on a common position on chat control. Data protection advocates warn against massive surveillance. What is in store for us?

After lengthy negotiations, the EU states have agreed on a common position on so-called chat control. As can be seen from the minutes of negotiations of the Council working group, Internet services will in future be allowed to voluntarily search their users' communications for information about crimes, but will not be obliged to do so.

The Danish Council Presidency wants to get the draft law through the Council "as quickly as possible", "so that the trilogue negotiations can begin promptly", the minutes say. Feedback from states should be limited to "absolute red lines".

Consensus achieved

The majority of states supported the compromise proposal. At least 15 spoke in favor, including Germany and France. Germany "welcomed both the deletion of the mandatory measures and the permanent anchoring of voluntary measures", the minutes said.

However, other countries were disappointed. Spain in particular "continued to see mandatory measures as necessary, unfortunately a comprehensive agreement on this was not possible". Hungary also "saw voluntariness as the sole concept as too little".

Spain, Hungary and Bulgaria proposed "an obligation for providers to detect, at least in open areas". The Danish Presidency "described the proposal as ambitious, but did not take it up to avoid further discussion".

The organization Netzpolitik.org, which has been reporting critically on chat control for years, sees the plans as a fundamental threat to democracy. "From the beginning, a lobby network intertwined with the security apparatus pushed chat control", writes the organization. “It was never really about the children, otherwise it would get to the root of abuse and violence instead of monitoring people without any initial suspicion.”

Netzpolitik.org argues that "encrypted communication is a thorn in the side of the security apparatus". Authorities have been trying to combat private and encrypted communication in various ways for years.

A number of scholars criticize the compromise proposal, calling voluntary chat control inappropriate. "Their benefits have not been proven, while the potential for harm and abuse is enormous", says an open letter.

According to critics, the planned technology, so-called client-side scanning, would create a backdoor on all users' devices. Netzpolitik.org warns that this represents a "frontal attack on end-to-end encryption, which is vital in the digital world".

The problem with such backdoors is that "not only the supposedly 'good guys' can use them, but also resourceful criminals or ill-disposed other states", argues the organization.

Signal considers withdrawing from the EU

Journalists' associations are also alarmed by the plans. The DJV rejects chat control as a form of mass surveillance without cause and sees source protection threatened, for which encrypted communication is essential. The infrastructure created in this way can be used for political control "in just a few simple steps", said the DJV in a statement.

The messenger service Signal has already announced that it would withdraw from the EU if necessary. Signal President Meredith Whittaker told the dpa: “Unfortunately, if we were given the choice of either undermining the integrity of our encryption or leaving Europe, we would make the decision to leave the market.”

Next steps in the legislative process

The Permanent Representatives of the EU states are due to meet next week on the subject, followed in December by the Ministers of Justice and Home Affairs. These two bodies are due to approve the bill as the Council's official position.

The trilogue then begins, in which the Commission, Parliament and Council must reach a compromise from their three draft laws. Parliament had described the original plans as mass surveillance and called for only unencrypted suspect content to be scanned.

The EU Commission had originally proposed requiring Internet services to search their users' content for information about crimes without cause and to send it to authorities if suspected.


After Germany blocked the October vote, Europe’s surveillance proposal didn’t die—it evolved. Denmark’s November compromise claims to abandon mandatory scanning while preserving identical outcomes through legal sleight of hand. The repackaging reveals the essential dynamic: when democratic opposition defeats mass surveillance, proponents don’t accept defeat. They redraft terminology, shift articles, and reintroduce the same architecture under different labels until resistance exhausts itself.

The pattern is documented across five iterations. Sweden’s January-June 2023 presidency failed. Belgium couldn’t secure passage in June 2024. Hungary’s presidency ended December 31, 2024 without achieving agreement. Poland’s presidency collapsed in January-June 2025 when 16 pro-scanning states refused meaningful compromise. Each defeat produced not withdrawal but repackaging: “chat control” became “child sexual abuse regulation,” “scanning” became “detection orders,” “mandatory” became “risk mitigation,” and “breaking encryption” became “lawful access.” October’s blocking minority forced Denmark’s hand, but rather than accepting defeat, Justice Minister Peter Hummelgaard withdrew the proposal on October 31 and immediately began drafting version 2.0.

The Loophole Disguised as Compromise

Denmark’s November 5 revised text removes Articles 7-11’s “detection orders”—the language mandating scanning. Privacy advocates initially celebrated. Then legal experts read Article 4. The provision requires all communication providers implement “all appropriate risk mitigation measures” to prevent abuse on their platforms. Services classified as “high risk”—essentially any platform offering encryption, anonymity, or real-time communications—face obligations that experts argue constitute mandatory scanning without using the word “mandatory.”


When the Trump administration gave Immigration and Customs Enforcement access to a massive database of information about Medicaid recipients in June 2025, privacy and medical justice advocates sounded the alarm. They warned that the move could trigger all kinds of public health and human rights harms.

But most people likely shrugged and moved on with their day. Why is that? It’s not that people don’t care. According to a 2023 Pew Research Center survey, 81% of American adults said they were concerned about how companies use their data, and 71% said they were concerned about how the government uses their data.

At the same time, though, 61% expressed skepticism that anything they do makes much difference. This is because people have come to expect that their data will be captured, shared and misused by state and corporate entities alike. For example, many people are now accustomed to instinctively hitting “accept” on terms of service agreements, privacy policies and cookie banners regardless of what the policies actually say.


I wanted to share an interesting statistic with you. Approximately 1 out of every 25 people with a Google Pixel phone is running GrapheneOS right now. While it's difficult to get an exact number, we can make educated guesses to get an approximate number.

How many GrapheneOS users are there? According to an estimate released by GrapheneOS today, the number of GrapheneOS devices is approaching 400,000. This estimate is based on the number of devices that downloaded recent GrapheneOS updates. Some users may have multiple devices, such as organizations, and some users may download and flash updates externally, but it's the best estimate we have.

How many Google Pixel users are there? Despite Google's extensive data collection, this one is surprisingly harder to estimate, since Google hasn't released an exact number. There's a number floating around that Google has 4-5% of the smartphone market, which is between 10 million and 13.2 million users in the United States. I can't find the source of where this information came from. That number is problematic, too, because Japan supposedly uses more Google Pixel phones than the United States. The Pixel 9 series was also a big jump in market share for Google. I couldn't find any numbers smaller than 10 million, and it made the math nice, so that is what I went with.

Putting the numbers together, it means that 4% of Google Pixel users are running GrapheneOS. That means in a room of 25 Google Pixel users, 1 of them will be a GrapheneOS user. If you include all custom Android operating systems, that number would certainly be much, much higher.

To put it into perspective, each pixel in this image represents ~5 Google Pixel users. Each white pixel represents that those ~5 people use GrapheneOS:

Even with generous estimates to Google's market share, GrapheneOS still makes up a large portion of their users.

OC by @Charger8232@lemmy.ml


For more than a decade, the Sacramento Municipal Utility District coordinated with police to sift through the granular smart meter data of residents without suspicion to find evidence of cannabis growing.


Under the proposal, the EU would weaken data protection rules by delaying when regulations governing high-risk AI systems take effect and allowing companies to use personal data for AI training without prior consent from users in most circumstances.


How I tracked myself down using leaked location data in the in-app ads, and what I found along the way.

P2P WhatsApp Clone (programming.dev)
submitted 2 months ago* (last edited 2 months ago) by xoron@programming.dev to c/privacy@programming.dev
 
 

Want to send E2E encrypted messages and video calls with no downloads, no sign-ups and no tracking?

This prototype uses PeerJS to establish a secure browser-to-browser connection. Using browser-only storage—true zerodata privacy!

Check out the pre-release demo here.

NOTE: This is still a work-in-progress and partially a closed-source project. To view the open source version see here. It has NOT been audited or reviewed. For testing purposes only, not a replacement for your current messaging app.


How it works:

PeerJS allows users to connect with a unique string. A crypto-random ID is generated automatically on the frontend and used for the connection.

To connect, you can share your unique ID. Strangers are not able to guess your ID. Upon the initial connection, new encryption keys are exchanged and persisted to browser storage. These are used to encrypt message payloads to be sent over the WebRTC connection as created with PeerJS.

After a page reload (or future session), the app automatically pings the "known peers". If connecting to a peer ID that is already registered, the previously established encryption keys are used to authenticate the user. This helps prevent MITM.


Being sanctioned by the USA nowadays means getting banned from 90% of the commercial internet. This is a clear example that being careful is not paranoia but a valid precaution.


Amidst the glossy marketing for VPN services, it can be tempting to believe that the moment you flick on the VPN connection you can browse the internet with full privacy. Unfortunately this is quite far from the truth, as interacting with internet services like websites leaves a significant fingerprint. In a study by RTINGS.com this browser fingerprinting was investigated in detail, showing just how easy it is to uniquely identify a visitor across the 83 laptops used in the study.

As summarized in the related video (also embedded below), the start of the study involved the Am I Unique? website which provides you with an overview of your browser fingerprint. With over 4.5 million fingerprints in their database as of writing, even using Edge on Windows 10 marks you as unique, which is telling.


cross-posted from: https://lemmy.zip/post/53414868

For the Council, the core function of the planned EU Travel App is the option for travellers to transmit their data to the responsible authorities before arriving at the border. This will allow border officials to verify travel documents remotely and also to compare them with police and migration databases.

Despite the promised travel facilitation, civil rights activists and data protectionists are urgently warning against the consequences of digitizing travel documents. They see it as an expansion of the biometric surveillance infrastructure at the EU level. The digital travel app initially provides for automated facial recognition for biometric identification, but it is likely to pave the way for comprehensive and automated collection and evaluation of biometric data. This would restrict freedom of travel in the long term.


Chatbot roleplay and image generator platform SecretDesires.ai left cloud storage containers of nearly two million images and videos exposed, including photos and full names of women from social media, at their workplaces, graduating from universities, taking selfies on vacation, and more.
