< ciso
brief />
Tag Banner

All news with #privacy engineering tag

138 articles · page 2 of 7

Google to use IPs for ad personalization in EEA, UK

🔒 Google has notified advertisers it will begin using IP addresses to identify devices for ad measurement and personalization across the EEA, UK and Switzerland on or shortly after August 3, 2026. The change repurposes IPs — already transmitted to route traffic and deliver ads — for purposes that trigger consent requirements under UK and EU law. Google will register for IAB Europe TCF Feature 3 and says it will rely on privacy-enhancing technologies while offering later user choices on its properties. Advertisers remain responsible for obtaining valid consent under Google’s EU User Consent Policy.
read more →

UK to require ID or face scan for new social accounts

🔒 The UK will ban under-16s from social media and require age checks for new accounts, likely via ID upload or facial age scans, with regulations due before Christmas and rules effective spring 2027. Longstanding accounts are largely grandfathered, but new account creation will typically need verification. Experts warn checks are easy to circumvent, risk exposing ID/biometric data, and were pushed through with limited scrutiny. The government cites parental support and aims to restrict high-risk features and certain AI chatbot functions.
read more →

Flock Camera System Misuse Sparks Stalking Concerns

📷 Multiple instances nationwide show police using the Flock surveillance camera system to obsessively and illegally stalk individuals. Reports indicate over a dozen cases where the system has been misapplied, raising privacy and civil rights concerns. The pattern highlights how persistent surveillance technologies can be abused without adequate oversight. Flock deployments and law enforcement practices are facing increased scrutiny.
read more →

FCC Proposal Would End Anonymous 'Burner' Phones

🛡️ The FCC has proposed a rule that would eliminate so-called burner phones by requiring telecom providers to collect and retain detailed personal information from virtually all phone customers. The rule would mandate submission of government-issued ID numbers, physical addresses, and additional data for business and foreign accounts, raising alarm among privacy and civil rights advocates. Supporters argue the changes target scammers and illicit activity, while critics warn of significant privacy, surveillance, and cybersecurity consequences if carriers must store this expanded dataset.
read more →

South Korea levies record fine after Coupang breach

🔒 The Personal Information Protection Commission (PIPC) fined e-commerce firm Coupang 624.6 billion won (~$409M) after a major data breach that exposed about 37.55 million people’s information. A subsidiary, Coupang Fulfillment Service, was also fined 248 million won for unlawful handling of personal and sensitive data. Investigators cited poor authentication key management, inadequate access controls, delayed breach disclosure, interference with the data protection officer’s independence, and obstruction of the probe.
read more →

Enhanced license plate tracking expands surveillance

🔎 A surveillance company proposes adding Bluetooth sensors to automatic license plate readers (ALPRs) so devices could capture both license plates and unique identifiers from phones, wearables, and other Bluetooth-enabled devices. Called SignalTrace, the technology would enable ALPRs to move from vehicle tracking to more direct tracking of specific people. ALPRs are widespread across the U.S., and SignalTrace would significantly increase the scope of data collected. While concerning, the proposal highlights broader issues given how much data smartphones already gather.
read more →

Meta to Use Off‑Site Business Data for Personalization

🔒 Meta announced it will repurpose information businesses share about users' activity off its platforms to personalize Feed content and AI chatbot responses, expanding beyond targeted ads. The company said no new data collection is involved and that users can control this through an updated "Activity from other businesses" setting, replacing "Your activity off Meta technologies." The change will roll out next month in the U.S. and several other countries.
read more →

Brave launches Origin: paid minimalist browser

🔒 Brave Software released Brave Origin, a paid, minimalist edition of its browser that omits cryptocurrency, AI, rewards, and monetization-focused features. The company positions Origin for users seeking a streamlined, privacy-focused experience while retaining core protections like Brave Shields. Origin is available as a standalone download or as an upgrade for existing installations, priced at a one-time $59.99 for up to 10 devices (free on Linux).
read more →

Proton’s Balance Between Privacy and Abuse Control

🔒 Proton struggles to block criminals while preserving its core privacy guarantees. COO Raphael Auphan explained that the service cannot access encrypted message contents or geolocate users due to its end-to-end encryption model. Instead, Proton invests in account-level and behavioral defenses, including ML models to detect bot-driven sign-ups and abuse. Lawful takedown requests are handled only after Swiss authorities vet and validate them.
read more →

Protecting children's data to prevent long-term identity harm

🔒 Children face lasting identity and privacy risks online from school accounts, gaming profiles, apps and devices. These data can be exploited for fraud or synthetic identity creation, often remaining undetected for years. Parents, schools and vendors all share responsibility; practical steps include data minimization, strong passwords, MFA, privacy settings, parental controls and credit freezes.
read more →

What to ask before using AI for health advice

🩺 Generative AI chatbots are increasingly used for health questions, but they carry significant risks ranging from incorrect diagnoses to privacy exposures. Users may unknowingly share sensitive medical details that could be used for model training or passed to third parties. Health-focused services vary in their data-handling promises, and most consumer chatbots are not covered by HIPAA. Follow practical precautions and always verify AI advice with qualified medical professionals.
read more →

Bypassing On-Camera Age Verification Checks and Risks

🔍 This post argues that many on-camera "age verification" schemes are not primarily about keeping minors out but about deanonymizing critics and giving governments a pretext to deny platform access. It notes real-world abuses such as attempts to de-bank protesters and explains why complete failure to exclude minors is unsurprising when that is not the objective. The piece also links related technical developments — from provocative zero-knowledge research to hard drive firmware reverse engineering — that change the threat landscape and raise questions about hardware attestation and vendor control.
read more →

Mitigating Security and Privacy Risks of Smart Glasses

👓 Smart glasses are returning with advanced sensors and AI, creating new privacy and security challenges for users and bystanders. They can record or livestream covertly and feed footage to AI systems for face recognition and data retrieval, enabling stalking, fraud, and surveillance. Platform policies and outsourced review raise additional exposure. Mitigations include updates, permissions control, MFA, and disabling AI training where possible.
read more →

NOYB Sues LinkedIn Over Paywalled 'Who Viewed' Data

⚖️ NOYB has filed a complaint in an Austrian court arguing that LinkedIn’s paywalled "Who’s Viewed Your Profile" feature violates GDPR Article 15 by denying EU users free access to profile-visitor data. The group says LinkedIn refuses Data Subject Access Requests (DSARs) from non-paying users while providing the same information to Premium subscribers. LinkedIn rejects the claim, saying it discloses the information via its Privacy Policy and that users can control visibility settings. NOYB seeks regulatory enforcement and potential fines to stop what it calls illegal monetization of access rights.
read more →

ICE's Smart Glasses Program Raises Surveillance Concerns

🔎 ICE is developing prototype smart glasses that pair wearable cameras with on-device facial recognition and real-time queries to immigration, criminal, and watchlist databases. Reporting by Ken Klippenstein, linked in Bruce Schneier's post, describes efforts to integrate hardware and software for in-field identification and instant database matches. The program raises immediate concerns about accuracy, bias, data quality, oversight, and civil liberties if deployed without transparent safeguards.
read more →

Ten Years of GDPR: Achievements, Gaps, and Next Steps

🔒 Ten years after the EU adopted the General Data Protection Regulation (GDPR), experts say it fundamentally reshaped corporate privacy culture but left important gaps. Analysts credit the GDPR with embedding privacy into daily operations, raising standards, and creating accountability by forcing organizations to know and document their processing. Yet enforcement inconsistencies, international transfer disputes, widespread consent fatigue and the rise of generative AI expose legal and practical tensions that require clarification and coordination with newer digital rules.
read more →

FTC to Bar Kochava From Selling Americans' Location Data

🔒 The Federal Trade Commission will ban data broker Kochava and its subsidiary Collective Data Solutions (CDS) from selling precise geolocation data without consumers' affirmative express consent as part of a settlement stemming from an August 2022 suit. The FTC alleged Kochava supplied paid clients — via an AWS Marketplace feed — with high-volume raw latitude/longitude transactions that enabled tracking to sensitive sites. Under the proposed court order, sales or transfers of precise location data are prohibited unless consumers directly request a service and explicitly consent; the companies must also implement a sensitive location program, supplier assessments, consent withdrawal and disclosure mechanisms, incident reporting to the FTC, and retention/deletion schedules.
read more →

How Vehicles Become Tools for Law Enforcement Surveillance

📡 Modern cars act as mobile computers that log and transmit extensive telemetry to manufacturers and third parties. Law enforcement increasingly uses Car Intelligence (CARINT) tools and vendor solutions such as Ateros, Berla, and Toka to extract GPS histories, call logs, paired-device lists, and driving statistics — sometimes without warrants. Even sensor systems like unencrypted TPMS can enable low-cost tracking. Recommended mitigations include avoiding phone syncs, clearing head-unit data, disabling voice commands, and minimizing use of manufacturer apps.
read more →

Study Finds Many Browser Extensions Collect and Sell Data

🔍 A LayerX Security study found more than 80 widely used browser extensions explicitly reserve the right to collect and sell user data, with millions of combined installations across categories such as streaming, ad blocking and productivity. The researchers reported that 71% of Chrome Web Store extensions do not publish a privacy policy, leaving many users without visibility into how their data is handled. The findings detail networks of media extensions aggregating viewing behavior and at least a dozen ad blockers and 29 business-focused extensions that may expose enterprise browsing activity. LayerX recommends organisations adopt centralized extension governance and add privacy policy review to extension evaluation criteria.
read more →

House GOP Privacy Bills Challenge Enterprise Data Practices

📜 The House Republican proposals — the SECURE Data Act and the GUARD Financial Data Act — would establish federal privacy standards that broadly preempt stronger state laws while limiting private lawsuits and centralizing enforcement with the FTC and state attorneys general. The bills emphasize data minimization, controller-processor obligations, a federal data broker registry, and new limits on automated profiling and teen data. Critics warn the measures could weaken existing protections, impose heavy operational burdens on CIOs and CISOs, and force vendors and legal teams to rework procurement, retention, and AI training practices.
read more →