
All news with #privacy engineering tag

94 articles

Citizen Lab: Webloc Used by Law Enforcement Worldwide

🔍 A Citizen Lab report details how law enforcement agencies worldwide used an ad-based geolocation platform to monitor up to 500 million mobile devices. The system, developed by Cobwebs Technologies and later sold by Penlink, aggregates device identifiers, coordinates, and profile data harvested from apps and advertising. Researchers warn the tool enables long-term, warrantless tracking and identification of individuals, raising legal and human-rights concerns.

Scrutiny Grows Over LinkedIn’s Handling of User Data

🔍 LinkedIn’s massive trove of user information is facing scrutiny after a small European firm behind the BrowserGate campaign alleged that hidden code on linkedin.com scans visitors’ machines for installed software and transmits the inventory to LinkedIn and third parties. The group, which uses names including Teamfluence and Fairlinked and is led by an individual using the name Steven Morrell, framed the activity as an “illegal” search and a form of corporate espionage. LinkedIn denied core accusations, said it discloses browser-extension scanning in its privacy policy to detect abuse and protect site stability, and declined to confirm whether the data is used only for those purposes.

LinkedIn 'Browsergate' and violent crypto delivery robberies

🔍 A German privacy group, Fairlinked, reports that LinkedIn injects a large JavaScript payload into Chrome-based browsers that scans for over 6,000 installed extensions and collects device signals on many interaction events. The code allegedly harvests extension presence, CPU/memory/screen and other metadata and ties those fingerprints to logged-in identities. LinkedIn disputes the characterisation, saying the checks target scraping and policy-violating extensions. Users are advised to consider non-Chrome browsers and reduce extension exposure to limit profiling.

Protecting Gmail Privacy as Gemini AI Enters Inbox

🔒 Google explains how it designed Gmail to protect user data as Gemini-powered features roll out. The company says Gemini is not trained on personal email content and only accesses messages for specific, isolated tasks like summarization. According to Gmail’s VP of product, Blake Barnes, the feature processes requests inside the inbox and does not retain the processed data.

Cloudflare confirms 1.1.1.1 resolver privacy in 2024 review

🔒 An independent Big 4 accounting firm has completed a fresh privacy examination of Cloudflare's 1.1.1.1 public DNS resolver and confirmed that its core privacy commitments remain in force. The report reaffirms that Cloudflare does not sell or share resolver users’ personal data or use it for advertising, and that source IP addresses are anonymized and deleted within 25 hours. The review also notes that up to 0.05% of randomly sampled packets may be inspected solely for network troubleshooting and attack mitigation, and clarifies that the examination scope focused exclusively on privacy assurances.

FBI Advises Caution Using Chinese Mobile Apps Over Privacy

🔒 The FBI has issued a public service announcement warning Americans about privacy and data-security risks posed by foreign-developed mobile applications, particularly those maintained by Chinese companies. The bureau says some apps may collect extensive personal data — even when only active — and may store information on servers in China or require consent to share data. The FBI recommends disabling unnecessary sharing, updating device software, and installing apps only from official app stores.

Managing digital assets after death: risks and guidance

🔒 Digital assets left after death — from emails and social media to passwords and crypto wallets — can complicate an already traumatic time for families and create new fraud opportunities. The legal landscape is fragmented: RUFADAA in the US, a proposed UK bill and ELI efforts in Europe offer partial solutions, but platform policies remain inconsistent. Practical steps include creating a digital inventory, appointing legacy contacts (e.g., Facebook/Instagram Legacy Contact, Google Inactive Account Manager, Apple Digital Legacy) and using emergency access features in password managers. Also file tax returns, place deceased alerts on credit reports, cancel subscriptions, and be wary of scams targeting grieving relatives.

Proton launches Meet: E2EE privacy-focused conferencing

🔒 Proton has launched Meet, a privacy-focused video conferencing service offering end-to-end encrypted calls as an alternative to mainstream platforms. Meet supports free one-hour meetings with up to 50 participants and offers a Pro tier starting at $7.99/month for longer sessions. The service uses the open-source MLS protocol, WebRTC with SFUs, and client-side encryption; authentication relies on SRP. Meetings are created via links containing an ID and locally held passwords, and Proton says it retains only non-sensitive meeting IDs, minimizing exposure even in server compromises.

Evolving Expectations of What's Possible with AI in Privacy

🔒 Kent Walker, Google's President of Global Affairs, outlined how rapidly evolving user expectations are shaping AI development at the IAPP Global Summit 2026. He highlighted Personal Intelligence in Search and the Ukraine national assistant Diia.AI as examples of context-aware, task-oriented assistants. Google’s rollout approach emphasizes trusted testers, staged expansion, continuous feedback, and clear controls over agents’ access, while applying guardrails such as Gemini avoiding proactive assumptions. Walker urged investment in privacy-enhancing technologies, new transparency models, and global standards to align data protection with these innovations.

ICO fines UK alarm provider £100,000 for nuisance calls

📞 The Information Commissioner’s Office (ICO) fined Birmingham-based monitored alarm provider TMAC £100,000 after staff used false identities on marketing sales calls and the firm made over 260,000 calls to numbers registered on the Telephone Preference Service. The ICO said TMAC deliberately targeted individuals over 60 between February and September 2024, impersonating local crime and fire prevention initiatives to trick recipients. The regulator stressed these actions breached the Privacy and Electronic Communications Regulations and highlighted the importance of public reporting in enabling enforcement.

Wyden Raises Alarm Over Hidden Section 702 Secret Law

🔔 Sen. Ron Wyden warned on the Senate floor that a classified, previously undisclosed interpretation of Section 702 is affecting Americans’ privacy and has been withheld from public and congressional debate. He raised the issue while opposing the nomination of Joshua Rudd to lead the NSA, citing Rudd’s unwillingness to accept basic constitutional limits on surveillance. Wyden said he has repeatedly asked administrations to declassify the matter and is still awaiting a response from DNI Gabbard. He urged Congress to openly debate the matter before Section 702 is reauthorized.

Proton Mail Provided Subscriber Metadata to Authorities

🔒 Proton Mail disclosed subscriber payment metadata to Swiss authorities, who in turn shared the records with the FBI. The released material appears to be billing- and payment-related information rather than message contents, but such metadata can still link an account to an individual. The case highlights that privacy-focused services may be compelled by legal process to produce stored user records.

Meta's New AI Glasses Raise Urgent Privacy Concerns

👓 Meta's new AI glasses are a privacy disaster, capturing audio, images, and contextual data in public and private spaces without meaningful consent. Security expert Bruce Schneier warns the technology is inevitable and difficult to regulate effectively. He notes an Android app now claims to detect nearby smart glasses, but detection is limited and insufficient to address broader surveillance and policy challenges.

WhatsApp rolls out parent-managed accounts for pre-teens

🔒 WhatsApp has begun rolling out parent-managed accounts for pre-teens, enabling guardians to control who can contact their child and which groups they can join. These managed profiles limit the child to messaging and calling, exclude access to Meta AI, Channels, Status, and location sharing, and preserve end-to-end encryption so messages cannot be read by third parties. Setup requires both devices present: parents verify the child's number, scan a QR code to link accounts, and set a 6-digit PIN to lock parental controls. By default children can message only saved contacts and parents must approve group additions; the child can switch to a standard account at 13.

How to Turn Off AI Assistants Across Major Platforms

🔒 This practical guide describes how to disable built‑in AI assistants that vendors are increasingly embedding across consumer products from Microsoft, Google, Apple, and Meta. It summarizes the privacy, security, and performance risks these agents introduce and gives concise, actionable steps to turn off AI features in Gmail and Google Docs, Chrome, Firefox, Edge, Windows (Copilot and Recall), WhatsApp, Android, macOS and iOS. Where uninstalling isn't possible, the article describes flag, settings, and registry workarounds and recommends periodic checks to ensure features haven't been reactivated.

OpenID Foundation urges standards for digital estates

🔒 The OpenID Foundation warns that inconsistent handling of deceased users' digital accounts across platforms and jurisdictions creates systemic gaps that invite fraud and exploitation. The report, titled The Unfinished Digital Estate, highlights the growing risk of AI-driven deepfakes simulating deceased individuals to manipulate relatives, spread disinformation, or extract funds. It urges coordinated action from policymakers, platforms and standards bodies to create interoperable frameworks, verifiable death/incapacity processes, and clear consent, delegation and audit mechanisms to protect posthumous identity autonomy.

LLM-Assisted Deanonymization: Practical Risks Revealed

🔎 A new study demonstrates that large language models can reliably deanonymize users from a handful of anonymous posts. Across Hacker News, Reddit, LinkedIn, and anonymized interview transcripts, LLM agents infer location, occupation, and interests and then search the web to find likely identities. The researchers report high precision results that scale to tens of thousands of candidates, showing that automated deanonymization is now practical and widely feasible.

Samsung to Stop Collecting Texans' TV Viewing Data by Consent

🔒 Samsung and the State of Texas have settled a dispute over allegations that its smart TVs used Automated Content Recognition (ACR) to collect viewing data without users' express consent. Under the agreement, Samsung must halt collection or processing of ACR viewing data from Texas consumers unless they give clear, affirmative consent, and it will update TVs with clearer privacy disclosures and consent screens. Texas AG Ken Paxton said the settlement compels clear, conspicuous notices; Samsung maintains it did not spy on consumers but agreed to strengthen privacy notices.

Mobile App Permissions Still Matter: Protect Your Privacy

🔒 App permissions determine which data and device features an app can access, and many users accept prompts without considering the consequences. The article, by Phil Muncaster, explains how modern Android and iOS versions surface sensitive permissions at runtime and distinguishes between benign “normal” permissions and higher-risk “dangerous” ones. It highlights particularly sensitive requests — accessibility, background location, SMS/call logs and overlay — and recommends using Allow once or While using, regularly auditing permissions via App Privacy Report or Privacy Dashboard, and installing apps only from reputable stores.

ICO fines Reddit £14.47m over inadequate age checks

🔒 The UK Information Commissioner's Office (ICO) has fined Reddit £14.47m for failing to implement robust age verification and for not conducting a required DPIA before January 2025. The regulator found that children under 13 had personal data processed without a lawful basis and were potentially exposed to inappropriate content. Reddit maintains it avoids collecting identity data to protect privacy, while experts warn heavy-handed identity checks could introduce new privacy and security risks.