CISO Brief

All news with #privacy engineering tag

108 articles

What to ask before using AI for health advice

🩺 Generative AI chatbots are increasingly used for health questions, but they carry significant risks ranging from incorrect diagnoses to privacy exposures. Users may unknowingly share sensitive medical details that could be used for model training or passed to third parties. Health-focused services vary in their data-handling promises, and most consumer chatbots are not covered by HIPAA. Follow practical precautions and always verify AI advice with qualified medical professionals.

Bypassing On-Camera Age Verification Checks and Risks

πŸ” This post argues that many on-camera "age verification" schemes are not primarily about keeping minors out but about deanonymizing critics and giving governments a pretext to deny platform access. It notes real-world abuses such as attempts to de-bank protesters and explains why complete failure to exclude minors is unsurprising when that is not the objective. The piece also links related technical developments β€” from provocative zero-knowledge research to hard drive firmware reverse engineering β€” that change the threat landscape and raise questions about hardware attestation and vendor control.

Mitigating Security and Privacy Risks of Smart Glasses

👓 Smart glasses are returning with advanced sensors and AI, creating new privacy and security challenges for users and bystanders. They can record or livestream covertly and feed footage to AI systems for face recognition and data retrieval, enabling stalking, fraud, and surveillance. Platform policies and outsourced review raise additional exposure. Mitigations include updates, permissions control, MFA, and disabling AI training where possible.

NOYB Sues LinkedIn Over Paywalled 'Who Viewed' Data

βš–οΈ NOYB has filed a complaint in an Austrian court arguing that LinkedIn’s paywalled "Who’s Viewed Your Profile" feature violates GDPR Article 15 by denying EU users free access to profile-visitor data. The group says LinkedIn refuses Data Subject Access Requests (DSARs) from non-paying users while providing the same information to Premium subscribers. LinkedIn rejects the claim, saying it discloses the information via its Privacy Policy and that users can control visibility settings. NOYB seeks regulatory enforcement and potential fines to stop what it calls illegal monetization of access rights.

ICE's Smart Glasses Program Raises Surveillance Concerns

🔎 ICE is developing prototype smart glasses that pair wearable cameras with on-device facial recognition and real-time queries to immigration, criminal, and watchlist databases. Reporting by Ken Klippenstein, linked in Bruce Schneier's post, describes efforts to integrate hardware and software for in-field identification and instant database matches. The program raises immediate concerns about accuracy, bias, data quality, oversight, and civil liberties if deployed without transparent safeguards.

Ten Years of GDPR: Achievements, Gaps, and Next Steps

🔒 Ten years after the EU adopted the General Data Protection Regulation (GDPR), experts say it fundamentally reshaped corporate privacy culture but left important gaps. Analysts credit the GDPR with embedding privacy into daily operations, raising standards, and creating accountability by forcing organizations to know and document their processing. Yet enforcement inconsistencies, international transfer disputes, widespread consent fatigue and the rise of generative AI expose legal and practical tensions that require clarification and coordination with newer digital rules.

FTC to Bar Kochava From Selling Americans' Location Data

🔒 The Federal Trade Commission will ban data broker Kochava and its subsidiary Collective Data Solutions (CDS) from selling precise geolocation data without consumers' affirmative express consent as part of a settlement stemming from an August 2022 suit. The FTC alleged Kochava supplied paid clients (via an AWS Marketplace feed) with high-volume raw latitude/longitude transactions that enabled tracking to sensitive sites. Under the proposed court order, sales or transfers of precise location data are prohibited unless consumers directly request a service and explicitly consent; the companies must also implement a sensitive location program, supplier assessments, consent withdrawal and disclosure mechanisms, incident reporting to the FTC, and retention/deletion schedules.

How Vehicles Become Tools for Law Enforcement Surveillance

📡 Modern cars act as mobile computers that log and transmit extensive telemetry to manufacturers and third parties. Law enforcement increasingly uses Car Intelligence (CARINT) tools and vendor solutions such as Ateros, Berla, and Toka to extract GPS histories, call logs, paired-device lists, and driving statistics, sometimes without warrants. Even sensor systems like unencrypted TPMS can enable low-cost tracking. Recommended mitigations include avoiding phone syncs, clearing head-unit data, disabling voice commands, and minimizing use of manufacturer apps.

Study Finds Many Browser Extensions Collect and Sell Data

πŸ” A LayerX Security study found more than 80 widely used browser extensions explicitly reserve the right to collect and sell user data, with millions of combined installations across categories such as streaming, ad blocking and productivity. The researchers reported that 71% of Chrome Web Store extensions do not publish a privacy policy, leaving many users without visibility into how their data is handled. The findings detail networks of media extensions aggregating viewing behavior and at least a dozen ad blockers and 29 business-focused extensions that may expose enterprise browsing activity. LayerX recommends organisations adopt centralized extension governance and add privacy policy review to extension evaluation criteria.

House GOP Privacy Bills Challenge Enterprise Data Practices

📜 The House Republican proposals, the SECURE Data Act and the GUARD Financial Data Act, would establish federal privacy standards that broadly preempt stronger state laws while limiting private lawsuits and centralizing enforcement with the FTC and state attorneys general. The bills emphasize data minimization, controller-processor obligations, a federal data broker registry, and new limits on automated profiling and teen data. Critics warn the measures could weaken existing protections, impose heavy operational burdens on CIOs and CISOs, and force vendors and legal teams to rework procurement, retention, and AI training practices.

ICE Confirms Use of Israeli Graphite Spyware Domestically

πŸ•΅οΈβ€β™‚οΈ ICE has publicly acknowledged using spyware developed by the Israeli firm Graphite, confirming prior reporting and prompting renewed scrutiny over government surveillance practices. The agency says the tools are used in immigration and criminal investigations but provided limited details about scope, oversight, or legal justification. Privacy advocates and technologists warn that deployment of such remote access trojans can expose large amounts of personal data and evade standard protections.

French ANTS Confirms Data Breach; Hacker Claims Sale

πŸ›‘οΈ France's government agency ANTS confirmed a data breach after a threat actor claimed to have stolen citizen records in an intrusion last week. The agency says exposed fields may include login IDs, full names, email addresses, dates of birth, unique account identifiers and, for some individuals, postal addresses, places of birth and phone numbers. ANTS has notified CNIL, the Paris prosecutor and involved ANSSI, is informing affected users and warns the data could be used for phishing and social engineering.

UK's Ofcom Investigates Telegram and Teen Chat Sites

πŸ•΅οΈ Ofcom has opened an investigation under the UK's Online Safety Act after receiving evidence that Telegram is being used to share child sexual abuse material (CSAM). The regulator says its probe followed reports from the Canadian Centre for Child Protection and its own assessment. Ofcom is also examining teen chat services Teen Chat and Chat Avenue, and has separately scrutinised X over AI-generated nonconsensual explicit content. Where breaches are found, Ofcom can seek fines up to Β£18 million or 10% of qualifying worldwide revenue and, in serious cases, request court orders to disrupt or block services in the UK.

Moving Beyond Bots vs. Humans for Web Security and Privacy

πŸ” This post by Thibault Meunier explains why the old "bots vs. humans" lens is breaking down as AI agents, accessibility tools, and proxies blur client behavior. Cloudflare outlines current bot management signals (IP, TLS, User-Agent), the rate-limit trilemma, and the limits of fingerprinting. It advocates privacy-preserving proofs such as Privacy Pass and experimental primitives like ARC and ACT to enable anonymous, accountable rate-limiting while protecting an open Web.

Citizen Lab: Webloc Used by Law Enforcement Worldwide

πŸ” A Citizen Lab report details how law enforcement agencies worldwide used an ad-based geolocation platform to monitor up to 500 million mobile devices. The system, developed by Cobwebs Technologies and later sold by Penlink, aggregates device identifiers, coordinates, and profile data harvested from apps and advertising. Researchers warn the tool enables long-term, warrantless tracking and identification of individuals, raising legal and human-rights concerns.

Scrutiny Grows Over LinkedIn’s Handling of User Data

πŸ”LinkedIn’s massive trove of user information is facing scrutiny after a small European firm behind the BrowserGate campaign alleged that hidden code on linkedin.com scans visitors’ machines for installed software and transmits the inventory to LinkedIn and third parties. The group, which uses names including Teamfluence and Fairlinked and is led by an individual using the name Steven Morrell, framed the activity as an β€œillegal” search and a form of corporate espionage. LinkedIn denied core accusations, said it discloses browser-extension scanning in its privacy policy to detect abuse and protect site stability, and declined to confirm whether the data is used only for those purposes.

LinkedIn 'Browsergate' and violent crypto delivery robberies

πŸ” A German privacy group, Fairlinked, reports that LinkedIn injects a large JavaScript payload into Chrome-based browsers that scans for over 6,000 installed extensions and collects device signals on many interaction events. The code allegedly harvests extension presence, CPU/memory/screen and other metadata and ties those fingerprints to logged-in identities. LinkedIn disputes the characterisation, saying the checks target scraping and policy-violating extensions. Users are advised to consider non-Chrome browsers and reduce extension exposure to limit profiling.

Protecting Gmail Privacy as Gemini AI Enters Inbox

🔒 Google explains how it designed Gmail to protect user data as Gemini-powered features roll out. The company says Gemini is not trained on personal email content and only accesses messages for specific, isolated tasks like summarization. According to Gmail’s VP of product, Blake Barnes, the feature processes requests inside the inbox and does not retain the processed data.

Cloudflare confirms 1.1.1.1 resolver privacy in 2024 review

🔒 An independent Big 4 accounting firm has completed a fresh privacy examination of Cloudflare's 1.1.1.1 public DNS resolver and confirmed that its core privacy commitments remain in force. The report reaffirms that Cloudflare does not sell or share resolver users’ personal data or use it for advertising, and that source IP addresses are anonymized and deleted within 25 hours. The review also notes that up to 0.05% of randomly sampled packets may be inspected solely for network troubleshooting and attack mitigation, and clarifies that the examination scope focused exclusively on privacy assurances.

FBI Advises Caution Using Chinese Mobile Apps Over Privacy

🔒 The FBI has issued a public service announcement warning Americans about privacy and data-security risks posed by foreign-developed mobile applications, particularly those maintained by Chinese companies. The bureau says some apps may collect extensive personal data, even when only active, and may store information on servers in China or require consent to share data. The FBI recommends disabling unnecessary sharing, updating device software, and installing apps only from official app stores.