ciso brief

All news with #privacy engineering tag

108 articles · page 4 of 6

Italy Fines Apple €98.6M Over App Store Tracking Policy

🔔 Italy's competition authority (AGCM) has fined Apple €98.6 million for using App Tracking Transparency (ATT) in a way the regulator says abused its dominant position in mobile app advertising. The AGCM found that ATT requires third-party apps to show a standardized tracking prompt while exempting Apple's own apps, creating a burdensome double-consent process because the ATT prompt does not satisfy GDPR requirements. Apple says it will appeal and continues to defend ATT as a privacy protection.
Cruise Line Bans Smart Glasses to Prevent Covert Recording

🕶️ MSC Cruises has added smart glasses and similar wearable devices to its list of prohibited items in public areas, citing the risk of covert recording and security exposures. The new rule means devices such as Ray‑Ban Meta or Google Glass may be confiscated by ship security if used in restricted spaces. The line argues that smart glasses are harder for bystanders to notice than phones or cameras, increasing privacy concerns. Critics counter the ban restricts helpful features like translation and accessibility.
Texas Sues TV Makers Over Secret Viewing Data Collection

📰 Texas Attorney General Ken Paxton has sued five TV manufacturers — Sony, Samsung, LG, Hisense, and TCL — alleging they used Automated Content Recognition (ACR) to secretly record and transmit users' viewing activity without consent. The complaints filed in Texas state courts claim some TVs capture screenshots every 500 milliseconds, monitor viewing in real time, and send that data to corporate servers where it is allegedly sold for advertising. Paxton also raised concerns that the China-based vendors may be subject to China's National Security Law, potentially exposing U.S. consumer data to foreign authorities. An LG spokesperson declined to comment on the pending matter; other vendors had not responded at the time of reporting.
New Anonymous Phone Service Accepts Only Zip Code Sign-up

🔐 A new anonymous phone service allows users to register with only a ZIP code, forgoing typical identity checks such as a full address or payment verification. The design prioritizes ease and a veneer of privacy, but it also raises substantial operational and legal questions. Experts warn that metadata, device identifiers, and carrier cooperation can still de-anonymize users. Individuals and organizations should weigh convenience against potential misuse and regulatory scrutiny.
Post Office Avoids £1.1m Fine for Leak of 502 Postmasters

🔒 The Information Commissioner's Office found that an unredacted settlement document related to the long-running Horizon scandal exposed the names, home addresses and postmaster status of 502 litigants on the Post Office website between 25 April and 19 June 2024. The ICO considered a fine just under £1.1m but issued a reprimand under its public sector approach after concluding the breach was not 'egregious'. The regulator criticised the Post Office for lacking documented publishing policies, quality assurance and sufficient staff training; the organisation has offered compensation and 24 months of identity protection and taken steps to remove cached copies and strengthen controls.
ICO Reviews Mobile Games for Children's Code Compliance

🕹️ The UK Information Commissioner's Office has launched a focused review of 10 popular mobile games to assess compliance with the Children’s Code (Age-Appropriate Design Code). The review will scrutinize default privacy settings, geolocation controls, targeted advertising and other design features that could affect children’s privacy. The ICO cited parental research showing high levels of concern about data collection, exposure to strangers and harmful content in mobile games.
US State Attempts to Ban VPNs in Name of Child Safety

🔒 Wisconsin lawmakers are advancing legislation that would require age verification on sites deemed potentially sexual and mandate blocking users who access content via VPNs. The measure, A.B. 105 / S.B. 130, expands the definition of "harmful to minors" and would force site operators to verify age and detect or block VPN connections. Critics argue it undermines privacy, free expression, and effective safety outcomes, and advocates such as the EFF call the proposal a terrible idea.
AWS Clean Rooms Adds Synthetic Dataset Generation for ML

🔒 AWS now enables AWS Clean Rooms to generate privacy-enhancing synthetic datasets for training regression and classification ML models without exposing raw records. The capability de-identifies subjects in the original data and reduces the risk of models memorizing sensitive information, allowing partners to collaborate on model training while preserving privacy. Typical use cases include campaign optimization, fraud detection, and medical research.
EU 'Chat Control' Shift Should Alarm Businesses Across Europe

⚠️ The EU Council's decision to frame communications scanning as voluntary is being presented as a retreat from plans to weaken end-to-end encryption, but privacy experts warn the danger persists. Campaigners including Patrick Breyer and European Digital Rights (EDRi) say this effectively privatizes Chat Control, enabling companies to deploy error-prone, warrantless client-side scanning. For enterprises and CISOs the main concern is data leakage: false positives could expose confidential documents, code, or strategic plans to outside authorities without corporate consent.
Google adds Pixel-to-iPhone file sharing via Quick Share

📱 Google has made Quick Share interoperable with Apple's AirDrop, enabling two-way file transfers between Pixel devices and iPhones starting with the Pixel 10 family. The implementation uses AirDrop's "Everyone for 10 minutes" direct, device-to-device mode with no server intermediaries. Google says it applied threat modeling, internal security and privacy reviews, Rust parsing to reduce memory risks, and independent NetSPI testing. Users must manually confirm recipients before sharing.
Mozilla Ends Partnership with Onerep After Investigation

🛡️ Mozilla announced it will end its partnership with Onerep and discontinue Monitor Plus on Dec. 17, 2025. Current subscribers will retain access through the wind-down period and receive prorated refunds for any unused portion of their subscriptions. Mozilla said it will continue to offer its free Monitor breach service integrated with Firefox’s credential manager and is focusing on integrating more privacy and security features, including its VPN. The company cited high vendor standards and the realities of the data broker ecosystem as reasons for ending the collaboration after reporting revealed Onerep’s founder maintained ties to other people-search services.
India DPDP Rules 2025 Make Privacy an Engineering Challenge

🔒 India’s new Digital Personal Data Protection (DPDP) Rules, 2025 impose strict consent, verification, and fixed deletion timelines that require large platforms and enterprises to redesign how they collect, store, and erase personal data. The rules create Significant Data Fiduciaries with added audit and algorithmic-check obligations and formalize certified Consent Managers. Organizations have 12–18 months to adopt automated consent capture, verification, retention enforcement, and data-mapping across cloud, on‑prem, and SaaS environments.
When Romantic AI Chatbots Can't Keep Your Secrets Safe

🤖 AI companion apps can feel intimate and conversational, but many collect, retain, and sometimes inadvertently expose highly sensitive information. Recent breaches — including a misconfigured Kafka broker that leaked hundreds of thousands of photos and millions of private conversations — underline real dangers. Users should avoid sharing personal, financial or intimate material, enable two-factor authentication, review privacy policies, and opt out of data retention or training when possible. Parents should supervise teen use and insist on robust age verification and moderation.
Why Chief Trust Officers Are Emerging and How CISOs Fit

🤝 Organizations are creating a chief trust officer (CTrO) to elevate trust as a business differentiator, responding to breaches, product-safety worries and AI-related uncertainty. The CTrO typically complements the CISO by focusing on reputation, ethics, transparency and customer confidence while CISOs retain technical controls, incident response and security operations. Leaders stress the role must produce measurable outcomes and avoid becoming mere 'trust theatre' by tracking signals such as customer sentiment, retention and external certifications.
EU draft seeks GDPR changes for AI training and cookies

🛡️ A leaked draft of the EU Commission’s proposed “Digital Omnibus” would amend the GDPR to absorb cookie rules and relax limits on AI training with personal data. The draft, due to be presented on 19 November 2025, would add Article 88a to move cookie regulation into the GDPR and allow processing on a closed list of low‑risk purposes or other legal bases including legitimate interest. Critics warn this shifts tracking from opt‑in to opt‑out and risks diluting privacy protections, while the proposal also narrows sensitive‑data protections and requires browsers to transmit consent preferences.
Firefox 145 Adds Stronger Anti-Fingerprinting Defenses

🔒 Mozilla has rolled out enhanced anti-fingerprinting protections in Firefox 145, initially active in Private Browsing and Enhanced Tracking Protection (ETP) Strict mode. Phase 2 measures add targeted noise to background image reads, restrict reported fonts to standard OS sets with select language exceptions, coarsen touch reporting, report screen height minus 48 pixels, and always report two processor cores. After testing, these changes will be enabled by default; users can disable them per-site for compatibility. The release also removes the 32-bit Linux build.
Google says Search AI Mode will access personal data

🔎 Google says a forthcoming AI Mode for Search could, with users' opt-in consent, access content from Gmail, Drive, Calendar and Maps to provide customized results and actions. The company is testing early experiments in Labs for personalized shopping and local recommendations, and suggests features like flight summaries, scheduling, or trip planning could leverage that data. Timing remains TBD.
Policy, Privacy, and Post-Quantum Anonymous Credentials

🔒 Lena Heimberger examines the challenge of building post-quantum Anonymous Credentials that are practical for large-scale use. The post summarizes real-world needs — from the EU digital identity wallet to Cloudflare’s Privacy Pass rate-limiting — and defines key requirements like unlinkability, unforgeability, round-optimality, and per-origin rate limits. It surveys PQ approaches (generic ZKP composition, lattice-based signatures, hash-and-sign with aborts, and MPC-in-the-head/VOLEitH), evaluates trade-offs in bandwidth and latency, and calls for standardized ZK-friendly hashes and PQ-native protocol designs.
LinkedIn to Use EU, UK and Other Profiles for AI Training

🔒 Microsoft-owned LinkedIn will begin using profile details, public posts and feed activity from users in the UK, EU, Switzerland, Canada and Hong Kong to train generative AI models and to support personalised ads across Microsoft starting 3 November 2025. Private messages are excluded. Users can opt out via Settings & Privacy > Data Privacy and toggle Data for Generative AI Improvement to Off. Organisations should update social media policies and remind staff to review their advertising and data-sharing settings.
Social Media Privacy Ranking 2025: Platforms Compared

🔒 Incogni’s Social Media Privacy Ranking 2025 evaluates 15 major platforms across data collection, resale, AI training, privacy settings, and regulatory fines. The analysis identifies Pinterest and Quora as the most privacy-conscious, while TikTok and Facebook rank lowest, driven by extensive data use and historical penalties. The report highlights practical differences in opt-outs, data-sharing, and default settings and recommends users review privacy controls and use Kaspersky’s Privacy Checker.