ciso brief

All news with #privacy engineering tag

94 articles · page 5 of 5

RUM Diaries: Enabling Privacy-First Web Analytics by Default

🔍 Cloudflare is upgrading its real user monitoring (RUM) suite by enabling Web Analytics for free domains by default on October 15, 2025 (EU/UK traffic excluded by default). A lightweight JavaScript beacon will collect aggregated client-side metrics—Core Web Vitals, resource timings and client-observed TLS durations—and pre-process data at the edge to remove personal identifiers before aggregation. The company emphasizes a privacy-first approach with no cookies, no localStorage, and no fingerprinting, and plans to correlate client metrics with in-network and origin telemetry to provide actionable debugging insights while preserving user privacy.

Satisfaction Analysis for Untagged Chatbot Conversations

🔎 This article examines methods to infer user satisfaction from untagged chatbot conversations by combining linguistic and behavioral signals. It argues that conventional metrics such as accuracy and completion rates often miss subtle indicators of user sentiment, and recommends unsupervised and weakly supervised NLP techniques to surface those signals. The post highlights practical considerations including privacy-preserving aggregation, deployment complexity, and the potential business benefit of reducing churn and improving customer experience through targeted dialog improvements.

States Target Businesses Over Global Privacy Control Signals

🔔 The California Privacy Protection Agency and the attorneys general of California, Colorado and Connecticut announced a coordinated enforcement sweep targeting businesses that fail to detect or honor Global Privacy Control (GPC) opt-out signals. Regulators will contact firms believed not to be processing consumers’ opt-out requests and urge immediate remediation. Legal advisers recommend technical steps — from reliable GPC signal recognition to consent management platform integration, routine testing and monitoring, and clear privacy notice updates — to reduce enforcement risk.

FTC Action: Robot Toys Collected Children's Location Data Illegally

🔒 The FTC and DOJ have acted against Chinese toy maker Apitor Technology after its robot toys and companion Android app transmitted precise geolocation data about children without parental notice or consent. The company integrated a third-party SDK, JPush, which collected street-level location sufficient to identify homes and routines. Apitor agreed to a settlement with a suspended $500,000 penalty, a permanent ban on collecting sensitive kids’ data without parental consent, and obligations to delete illegally gathered records and submit to monitoring.

US Sues Toy Maker Over Kids' Geolocation Data Leak

🔒 The U.S. Department of Justice has sued toy maker Apitor after an FTC referral, alleging it allowed a Chinese third party to collect precise geolocation data from children without notifying parents or obtaining consent required under COPPA. Apitor's Android app for robot toys uses the JPush SDK, which reportedly collected location data for any purpose, including targeted advertising. Under a proposed settlement, Apitor must secure third-party COPPA compliance, notify parents, delete collected personal information, limit retention, and faces a $500,000 penalty that is currently suspended amid claimed financial hardship.

Instagram Friend Map Risks: Privacy and Physical Safety

⚠️ Meta’s new Friend Map feature on Instagram is framed as an opt-in way to see friends’ locations and shared hangouts, but it raises serious privacy and safety concerns. Enabling the map can expose precise real-time or habitual location data that bad actors could exploit for stalking, targeted harassment, or profiling. The feature blurs digital privacy and physical security, so users should carefully review settings, limit audiences, or decline participation if concerned about their safety.

Tech industry must resist weakening end-to-end encryption

🔐 The UK government's proposal to require access to end-to-end encrypted data—intended to combat terrorism and child sexual abuse—would effectively demand backdoors that major vendors refuse to build. Apple removed Advanced Data Protection for UK users after a non-public notice under the Investigatory Powers Act reportedly sought access, and WhatsApp has supported Apple's stance. The article argues such per-country mandates are technically unenforceable and easily circumvented, creating border chaos and disproportionate privacy harms. ESET recommends preserving strong encryption and relying on court-authorized access mechanisms subject to independent oversight rather than backdoors.

HR Data Exposure: How Employees and Clients Are Affected

🔒 UpGuard’s Cyber Risk Research team discovered and secured a public GitHub exposure containing sensitive employee and customer data belonging to OneHalf, a business process outsourcing firm in the APAC region. The principal artifact was the HRIS project, including a 1.2MB database dump (hrisdb-02012018.sql) with detailed personal records for roughly 250 employees, extensive medical histories, emergency contacts, and 300 usernames with plaintext passwords. A related repo, ohserviceform, listed 28 client companies and plaintext banking account numbers, increasing the risk of financial fraud. UpGuard notified OneHalf and the repositories were secured by August 22, 2018.

Leakzone Elasticsearch Exposure Reveals Visitor IP Logs

🔎 UpGuard discovered an unauthenticated Elasticsearch index containing roughly 22 million web-request records, of which about 95% referenced leakzone.net. The logs included client IP addresses, destination domains, request sizes, geolocation data and ISP metadata, spanning June 25 to discovery on July 18, with about one million requests per day. Analysis found extensive use of public proxies and clustered VPN exit nodes, alongside many one-off IPs likely representing direct users. The dataset raises privacy and operational concerns for visitors, service operators, and investigators.

CLOUD Act Explained: Provider Obligations and Protections

🔒 AWS clarifies five key points about the CLOUD Act, stressing it does not grant automatic or unfettered access to customer content and that U.S. law requires judicial process for compelled disclosures. AWS reports no disclosure of enterprise or government customer content stored outside the U.S. since 2020. The company notes the Act applies to any provider with a U.S. presence and aligns with international law, while technical controls like AWS Nitro and AWS KMS limit operator access.

Understanding Why Your Personal Data Is So Valuable

🔒 In this episode of Unlocked 403, host Becks and ESET Global Security Advisor Jake Moore examine how everyday online activity becomes a marketable commodity. They explain how social media, apps and websites harvest, analyze and monetize both first- and third-party data, and why metadata often reveals more than expected. The conversation highlights risks for children and the long-term consequences of pervasive collection. Jake shares practical tips for tightening app privacy settings, limiting permissions and embracing data minimization to better protect personal information.

Exposure of RNC Voter Data from Deep Root Analytics

🔓 UpGuard’s Cyber Risk Team discovered a publicly accessible Amazon S3 bucket belonging to Deep Root Analytics that contained roughly 1.1 TB of voter-related data tied to an estimated 198 million U.S. voters. The exposed files referenced Republican contractors TargetPoint Consulting and Data Trust and included names, dates of birth, addresses, phone numbers, voter registration details, and billions of modeled attributes used for political microtargeting. After notification and federal involvement, the bucket was secured and public access was removed.

Google Open-Sources ZKP Libraries for Age Assurance

🛡️ Google has open sourced its Zero-Knowledge Proof (ZKP) libraries to accelerate privacy-preserving digital ID and age-assurance solutions. Developed with Sparkasse, the release enables people to prove attributes (for example, that they are over 18) without sharing any other personal data. By making a performant ZKP codebase available, Google aims to help developers, researchers, businesses, and governments integrate privacy-first flows, including use cases for the European EUDI Wallet.

Sparkasse Partners with Google for EU Age Assurance

🔐 Google and Germany’s Sparkasse announced a wallet-based EU age assurance service that lets customers prove age online without sharing personal data. Using the Credential Manager API, Google Wallet and zero-knowledge cryptography, Sparkasse will issue trusted credentials across its network of 343 regional savings banks serving 50 million customers. Integration with Android and Chrome enables one-click age checks for apps and sites and will roll out in the coming months.