Policy & Regulation

Stories 46
Sources 102
Updated 2026.06.10
CISA says new directive will change how federal agencies prioritize and patch cyber vulnerabilities
CISA says it is about to change how U.S. federal agencies handle software flaws, telling them to fix first the vulnerabilities and systems that pose the highest real-world risk. Acting Director Nick Andersen said a binding operational directive due Wednesday will move agencies away from treating every patch the same and toward prioritizing internet-exposed assets, entries in the Known Exploited Vulnerabilities (KEV) catalog, flaws for which exploitation has been automated, and systems that support critical functions; CISA also plans closer risk reviews with critical infrastructure operators. — This could change patching deadlines (reportedly as short as three days for some flaws) and vulnerability-management practices across the federal government, and influence how critical infrastructure owners prioritize fixes. Agencies and defenders should watch for the directive's release because it may require faster action on the most dangerous exposed systems while de-emphasizing lower-risk issues.
Sources: CISA to transform how it assesses cyber vulnerabilities and risks, Andersen says, CISA to require federal agencies to patch some cyber vulnerabilities within 3 days
GitHub changes npm defaults in npm 12 to stop auto-running install scripts and block risky remote dependency paths
GitHub says npm 12 will no longer run package install scripts by default, closing off a behavior that has long let a malicious dependency execute arbitrary code on developer machines and continuous integration (CI) runners at install time. The July release will disable the automatic preinstall, install, and postinstall lifecycle scripts unless a package is explicitly allowed with allow-scripts, turn --allow-git off by default, and set allow-remote to none so that dependencies fetched from remote URLs are blocked; the move follows repeated supply-chain abuse, including the Shai-Hulud-style worms that spread through install hooks. — Developers and organizations that use npm may need to update build and install workflows before npm 12 ships, but the change removes one of the ecosystem's largest package-based malware vectors. Security teams should test projects now, inventory the legitimate packages (native addons, build tooling) that genuinely need a script exception, and tighten CI defaults rather than re-enabling scripts globally.
Sources: GitHub pulls pin on npm's auto-run scripts, GitHub announces npm security changes to tackle supply-chain attacks
Microsoft says three publicly dumped Windows zero-days are already being exploited after Nightmare Eclipse disclosures
A researcher’s public release of six Windows zero-days has already led attackers to exploit three of them, and Microsoft says more unpatched flaws remain. Microsoft refers to the bugs as RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma; it said BlueHammer, RedSun, and UnDefend were attacked after proof-of-concept exploit code was posted, while YellowKey is tracked as CVE-2026-45585 and, along with GreenPlasma and MiniPlasma, still lacks a fix. — Windows defenders may have little time between public disclosure and real-world attacks, especially once proof-of-concept exploit code is available. Organizations should review Microsoft’s mitigations immediately, hunt for compromise tied to these bug names and CVE-2026-45585, and prioritize hardening or temporary workarounds where patches do not yet exist.
Sources: Disgruntled 0-day hunter 'humiliated' by Microsoft pledges 'bone shattering drop' as Redmond calls cops, Microsoft calls zero-day releases ‘never justifiable’ as researcher threatens to drop more, Microsoft says it will not pursue security researchers after zero-day backlash (+7 more)
EFF says police used Flock Safety license plate reader data for school residency checks, background screening, and minor complaints
EFF says police agencies searched Flock Safety automated license plate reader databases for routine matters far beyond serious criminal investigations, including school residency verification, employment background checks, and noise complaints. Based on analysis of millions of audit-log searches, the report says some agencies queried plates across thousands of shared camera networks nationwide, exposing detailed location histories without a warrant requirement and showing broad mission creep in how ALPR (automated license plate reader) data is used. — This matters to the public because a system marketed for crime-solving is being used to track ordinary people’s movements for low-level administrative and quality-of-life issues. It raises immediate privacy and civil-liberties concerns for anyone whose vehicle data may be swept into shared ALPR networks, and it increases pressure for warrant limits, access controls, and retention safeguards.
Sources: More License Plate Reader Mission Creep: School Residency Verification, Background Checks, and Noise Complaints, 🔊 Mass Surveillance for… Loud Music? | EFFector 38.11
Meta asks court to hold NSO Group in contempt after alleged new WhatsApp phishing targeting
Meta says NSO Group again targeted WhatsApp users despite a court order barring it from doing so. WhatsApp said it disrupted NSO-linked social-engineering attempts involving malicious links that redirected targets to external websites, plus test accounts and groups on the platform, and published related domains and indicators of compromise. The report did not include victim counts, timing, or confirmation of successful compromises. — This matters because it suggests a spyware vendor accused of abusing messaging users may still be actively targeting people after a legal ban. WhatsApp users, journalists, activists, and high-risk targets should treat unsolicited links and unusual group invites with caution, and defenders should review the published indicators immediately.
Sources: NSO Group back in Meta's crosshairs after alleged WhatsApp targeting, WhatsApp Catches Spyware Firm NSO Defying No-Hacking Court Order, WhatsApp says NSO targeted users with spearfishing attacks in violation of court order (+2 more)
Microsoft issues mitigations for YellowKey Windows BitLocker bypass zero-day tracked as CVE-2026-45585
Microsoft said it is tracking the publicly disclosed YellowKey Windows BitLocker security feature bypass as CVE-2026-45585 and has published mitigations pending a security update. The flaw can allow access to data on BitLocker-protected drives by abusing specially crafted FsTx files and Windows Recovery Environment (WinRE) behavior; Microsoft recommends disabling the autofstx.exe auto-start in WinRE and requiring TPM+PIN startup authentication, so that a pre-boot PIN is needed in addition to the TPM before the volume key is released. — Organizations and users relying on BitLocker for device-at-rest protection may need to apply the mitigations immediately because proof-of-concept details are public and a fix is not yet available. Defenders should review BitLocker startup settings and WinRE configuration now.
Sources: Microsoft shares mitigation for YellowKey Windows zero-day, Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit, Microsoft Rolls Out Mitigations for ‘YellowKey’ BitLocker Bypass (+7 more)
Anthropic says it plans broader release of Mythos-class AI bug-finding models after expanding restricted access to governments
Anthropic says it intends to eventually make Mythos-class vulnerability-finding artificial intelligence available more broadly, but for now is expanding its restricted Project Glasswing program to additional partners including U.S. and allied governments. The company says Mythos has scanned more than 1,000 open-source projects, estimated 6,202 high-or-critical-severity vulnerabilities and 23,019 total flaws, and validated many findings through coordinated disclosure; no CVE list or release date for public access was provided. — This matters because a powerful AI system for finding software flaws could help defenders patch faster, but could also accelerate criminal discovery of exploitable bugs if released without effective guardrails. Security teams should expect faster vulnerability discovery pressure in widely used open-source components and be prepared for heavier disclosure and patching volume.
Sources: Anthropic to release Mythos-class models to the public, Anthropic: Mythos Detected 23,000 Potential Vulnerabilities Across 1,000 OSS Projects, Anthropic’s restricted Claude Mythos model may be coming to Claude Code (+7 more)
UK scales back planned telecom cybersecurity rules introduced after Salt Typhoon espionage campaign
The UK has weakened proposed telecom security requirements that were drafted after the China-linked Salt Typhoon spying campaign against telecom networks. Recorded Future News reports the government dropped or delayed several measures after industry objections, including a proposed independent signalling intrusion detection system meant to detect abuse of telecom signalling traffic. The updated code takes effect in mid-July unless Parliament blocks it, and operators can still be judged against it under existing telecom security duties. — This affects how well UK phone and internet providers may detect and contain state-backed intrusions into core communications networks. Telecom operators, regulators, and enterprise customers should review the final code now because the changes may leave weaker safeguards against the kinds of access used for large-scale espionage.
Sources: UK weakens proposed telecoms defenses against Chinese hackers after industry pushback
UK orders Apple, Google and other device makers to add controls that block nude images for children
The UK government says Apple, Google and other tech companies have three months to enable device-level controls on smartphones and tablets that detect and block nude images on devices used by children. The Home Office says the controls must work across apps and services, be on by default, and be switchable off only through age assurance, with possible legislation, fines, and potential executive liability if companies do not comply. Officials also say adults would need age verification to access nude content on their devices. — This is a major security-and-privacy policy development because it pushes on-device content scanning and age checks beyond individual apps into the operating systems of phones and tablets themselves; Signal has said the plan "endangers us all". Device makers, app platforms, privacy advocates, parents, and UK users may all be affected, and companies now face a short deadline to respond or prepare for regulation.
Sources: UK gives big tech 3 months to create device controls to block nude images of kids, Signal says UK plan to scan devices for nude images 'endangers us all'
Freedom of the Press Foundation sues DOJ for records on alleged concealment of press protections in FBI raid on Washington Post reporter Hannah Natanson
Freedom of the Press Foundation sued the U.S. Department of Justice under the Freedom of Information Act to uncover whether DOJ hid legal protections for journalists when it sought a warrant to raid Washington Post reporter Hannah Natanson’s home. The suit centers on the Privacy Protection Act of 1980, which generally bars newsroom and journalist-home searches, and follows a judge’s February finding that DOJ’s omission of the law from the warrant process seriously undermined confidence in the government’s disclosures. — This matters to journalists, sources, and the public because it suggests federal investigators may be sidestepping legal safeguards meant to stop raids on reporters. The case could reveal whether the Natanson raid was an isolated abuse or part of a broader DOJ practice with implications for press freedom and government surveillance powers.
Sources: Is DOJ hiding press protections to raid reporters? We sue to find out
Russia updates SORM surveillance rules to expand automated tracking of citizens' online activity
Russia has updated the technical rules for its SORM surveillance system, expanding how authorities can search and connect people's internet and communications data. The new regulations require broader collection, processing, and transmission of identifiers including names, passport and tax numbers, addresses, usernames, domains, URLs, device identifiers, and geolocation data. The rules apply beyond telecom carriers to other online service operators and increase compliance burdens on providers. — This matters because it strengthens Russia's ability to monitor individuals without shutting the internet off, making targeted repression and self-censorship easier while pressuring providers to integrate with state surveillance systems. The impact is immediate for people and companies operating in Russia, especially telecom and internet services that may need to change infrastructure or face regulatory penalties.
Sources: Russia upgrades rules for its digital spy system to better track citizens online
Suspected Iranian hackers accessed internet-exposed gas station tank monitors across multiple U.S. states
U.S. officials believe suspected Iranian hackers broke into fuel-tank monitoring systems at gas stations in several states. The attackers targeted automatic tank gauges (ATGs) that were reachable from the internet with no password set and changed the readings the devices displayed, but reportedly could not alter actual fuel volumes. No physical damage has been reported, but officials warned that this level of access could be used to mask a leak or create other safety and critical-infrastructure risks. — Gas stations and operators using older internet-connected monitoring gear may be at risk right now, especially if devices answer on the public internet without authentication. Operators should immediately take ATGs off direct internet exposure (behind a firewall or VPN), set the devices' access passwords, and review logs and display anomalies for signs of tampering.
Sources: In Other News: Industrial Router Exploitation, CISA KEV Nomination Form, Gas Station Hacking, CISA warns of cyberattacks targeting fuel tank monitoring systems, In Other News: Anthropic Maps AI Threats, Unpatched Comodo Flaw, Palantir Chief Eyed for CISA (+1 more)
European Commission proposes tech sovereignty package covering chips, cloud, AI and open-source security
The European Commission unveiled a new tech sovereignty package meant to reduce the European Union's dependence on U.S. and Chinese technology suppliers. The package includes draft laws for semiconductors and cloud and AI infrastructure, plus an Open Source Strategy that would fund maintenance and security for critical open-source components and push public-sector procurement toward open technologies as part of broader digital resilience planning. — This matters to governments, public-sector buyers, vendors, and defenders because it could reshape which technologies Europe relies on for critical systems and how security funding is directed, especially for open-source components that underpin widely used infrastructure. Organizations should watch the legislative process, procurement changes, and any resulting security requirements for cloud, AI, and software supply chains.
Sources: EU unveils tech sovereignty package to cut reliance on US, Chinese suppliers
White House AI executive order sets 30-day voluntary review window and creates federal AI cybersecurity clearinghouse
The White House issued a new artificial intelligence executive order that shortens the voluntary federal review period for certain advanced AI models to 30 days after public release and launches an AI cybersecurity clearinghouse. The order says access to designated "covered frontier" models should include confidentiality, cybersecurity, insider-risk, and intellectual-property safeguards, and directs Treasury, the Office of the National Cyber Director, the Cybersecurity and Infrastructure Security Agency, and the Office of Management and Budget to coordinate AI-based vulnerability detection and patch-prioritization efforts. — This matters because it shapes how the U.S. government and major AI companies will handle powerful models that could help find software flaws or affect critical infrastructure security. Organizations that rely on federal guidance, grants, or critical infrastructure partnerships should watch for implementation details and any new reporting, testing, or collaboration expectations.
Sources: White House unveils pared-back AI executive order, Trump Signs Executive Order That Invites Vetting of Top AI Models for National Security Risks, CISA directive for AI executive order to be released this week, Andersen says (+2 more)
DHS says it will reshape CISA as workforce and budget cuts raise concerns about U.S. cyber defense capacity
The Homeland Security secretary said the Trump administration plans to refocus and rebuild CISA even as the agency has lost roughly a third of its staff and faces proposed budget cuts. Secretary Markwayne Mullin told lawmakers CISA now has about 2,200 personnel and likely needs about 2,800, while the White House's fiscal 2027 budget would cut more than $700 million. He also signaled a new nominee to lead CISA and defended assigning Treasury a lead role in an AI vulnerability clearinghouse created by the new executive order. — CISA is the main federal agency that helps defend civilian networks, coordinate with private companies, and warn about major cyber risks, so sharp cuts or mission changes can affect incident response and national cyber preparedness. This matters to defenders, state and local governments, and the public because it signals potential changes in federal cyber support, vulnerability handling, and long-term staffing capacity.
Sources: DHS chief signals efforts to reshape CISA, Trump considers Palantir exec to lead CISA
FTC considers changing or dropping privacy order against X over Twitter’s use of 2FA phone numbers and emails for ads
The U.S. Federal Trade Commission is considering whether to modify or set aside a 2022 privacy order against X, formerly Twitter, over the company’s use of account security data for targeted advertising. The original order followed FTC allegations that Twitter collected phone numbers and email addresses for account security, including two-factor authentication (2FA), then used that data for ads in violation of a 2011 privacy order; the case involved more than 140 million users and a $150 million penalty. The FTC has opened a public comment period through July 2, 2026. — This matters to X users because it concerns whether protections imposed after a major misuse of security-related personal data will remain in force. It also matters more broadly because weakening the order could signal reduced privacy enforcement around companies that repurpose security data for advertising.
Sources: FTC considers setting aside or modifying $150 million privacy penalty against X
Russia moves to label Belarusian Cyber Partisans and Silent Crow as extremist groups after anti-Kremlin cyberattacks
Russia is asking its Supreme Court to ban Belarusian Cyber Partisans and Silent Crow as extremist organizations, a designation that can outlaw their activities, block their websites and channels, and expose associates to criminal penalties. The move follows the groups' claimed attacks on Russian and Belarusian government and infrastructure targets, including the July 2025 Aeroflot disruption that canceled more than 100 flights and allegedly involved data theft and destruction of airline IT systems. No CVE or software flaw is cited; this is a state action tied to politically motivated hacking and online speech. — This matters because Russia is using an extremism label against online groups tied to cyber operations, which can expand censorship and criminalize access to related information channels. People following these groups, especially in Russia, may face blocking or legal risk, while defenders and researchers should watch for knock-on effects on threat visibility and attribution.
Sources: Russia seeks to label two anti-Kremlin hacker groups as ‘extremist’
U.S. Supreme Court upholds FCC fines against AT&T, Verizon and T-Mobile over sharing customers’ phone location data
The U.S. Supreme Court ruled that the FCC lawfully fined major wireless carriers for sharing access to customers’ location data without proper consent. In an 8-1 decision, the Court said the FCC’s forfeiture process did not violate the companies’ jury-trial rights, leaving in place penalties of roughly $47 million for Verizon, $57 million for AT&T, and $92 million for T-Mobile and Sprint. The underlying FCC case alleged the carriers sold location access to aggregators and data brokers and failed to take reasonable steps to protect that sensitive data. — This matters because it reinforces that mobile carriers can be punished for letting precise location data flow to third parties without meaningful consent. It is important for users concerned about surveillance and for companies handling sensitive data, even though there is no immediate patch or user action beyond reviewing privacy choices and carrier practices.
Sources: Supreme Court rules FCC fines punishing telecom giants for sharing location data were legal
UK court orders former RAC workers to repay £118,000 after selling crash victims' personal data
Two former RAC employees in the UK were ordered to repay more than £118,000 after illegally selling personal data belonging to car crash victims. The Information Commissioner's Office said the pair were previously convicted under the Computer Misuse Act 1990 and Data Protection Act 2018 after about 29,500 records were copied from RAC systems and shared over WhatsApp with an unknown buyer; one defendant now faces 18 months in prison if she does not repay the proceeds within three months. — This matters because insiders abused access to sensitive data from people involved in road accidents, showing how personal information can be monetized after a breach from inside an organization. For defenders and regulated firms, it underscores the need for monitoring, least-privilege access, and rapid response to suspicious data exports.
Sources: Duo who sold car crash victims' data must repay £118k
DOJ, Thai police and tech firms disrupt 1.4 million scam accounts tied to Southeast Asia fraud compounds
Law enforcement and major tech companies say they disrupted more than 1.4 million accounts and related infrastructure used by scam networks operating from Southeast Asia. The operation, called Disruption Week, involved the US Department of Justice, Royal Thai Police, and firms including Apple, Google, Meta, Microsoft, Coinbase, SpaceX, Silent Push, TRM Labs, and Zenlayer; it led to 63 arrests, the freezing of over $3.8 million in cryptocurrency, and takedowns of social-media accounts, Microsoft accounts, Starlink kits, servers, and malicious network infrastructure linked to fraud compounds in Cambodia, Laos, and Burma. — This matters because the operation targeted industrial-scale scam networks that steal money from victims worldwide and rely on mainstream platforms and connectivity to operate. Users should remain cautious of investment and impersonation scams, while defenders and platforms should watch for follow-on account rebuilds, infrastructure shifts, and related fraud activity.
Sources: Over 1.4 Million Accounts Disrupted in Cybercrime Crackdown
U.S. sanctions Iran’s Nobitex crypto exchange over ransomware- and IRGC-linked transactions
The U.S. sanctioned Nobitex, Iran’s largest cryptocurrency exchange, saying it helped process transactions tied to ransomware actors and Iran’s Islamic Revolutionary Guard Corps. The Treasury’s Office of Foreign Assets Control also designated Nobitex executives and targeted other Iranian exchanges including Wallex, Bitpin, and Ramzinex as part of its "Economic Fury" campaign, alleging sanctions evasion and terrorist-financing support rather than a software flaw or CVE-tracked vulnerability. — This matters because ransomware groups and state-linked actors depend on payment channels to move money, and sanctions can disrupt those routes while raising compliance risk for exchanges, companies, and users who interact with them. Organizations handling crypto exposure should review sanctions screening and watch for links to designated wallets and entities.
Sources: The U.S. sanctions Nobitex crypto exchange used by ransomware
Inspector general says NIST mismanagement left the National Vulnerability Database with a 27,000-entry backlog
The Commerce Department’s inspector general found that NIST’s National Vulnerability Database (NVD), a key public source used to track and prioritize software flaws, has become ineffective after mismanagement caused a massive processing backlog. The report says unprocessed vulnerability records grew from about 13,000 in February 2024 to more than 27,000 by the end of 2025, after NIST stopped paying contractors, missed its recovery goals, and duplicated at least 21,000 pieces of enrichment work already done by CISA’s Vulnrichment program. — This matters because companies, government agencies, and security teams rely on NVD data (severity scores, affected-product identifiers) to decide what to fix first, and delays slow patching and risk decisions across the ecosystem. Affected users are indirect but broad: defenders may need to lean more on vendor advisories, CISA’s KEV catalog, and Vulnrichment itself until NVD processing becomes reliable again.
Sources: Inspector general finds NIST mistakes have made vulnerability database ineffective
UK moves to tighten subsea cable protections after reporting Russian survey activity near British undersea internet infrastructure
The UK says Russian vessels and submarines recently surveyed cable routes near Britain, and the government is preparing stronger legal protections for undersea internet cables. The reported April activity involved a Russian Akula-class submarine and two specialist GUGI deep-sea research vessels, according to the minister's speech. Proposed measures include tougher penalties for reckless cable damage, new security duties for cable operators, and emergency powers allowing the government to compel stronger infrastructure protection. — Subsea cables carry much of the UK's internet and international communications, so interference could disrupt connectivity and critical services. This matters to telecom operators, infrastructure owners, and policymakers because it signals a live hybrid-threat risk and points to forthcoming compliance and resilience requirements.
Sources: Putin sends submarines to survey Britain's subsea cables. UK deploys Royal Navy, mobilizes parliamentary draftsmen
European intelligence officials warn Russia is intensifying espionage and cyber intrusions to steal sanctioned Western technology
European intelligence officials say Russia is increasingly using fake companies, middlemen, and cyber operations to steal Western technology, defense know-how, and software restricted by sanctions. The reported targets include defense research, dual-use camera and laser technology, machine-tool software updates, and critical infrastructure reconnaissance in Sweden, Finland, and the U.K. Officials also said Russia-linked actors attempted a destructive intrusion against a Swedish power plant last year but were detected before causing damage. — This matters to companies in defense, manufacturing, research, and critical infrastructure because they may be targeted both for theft and for pre-attack reconnaissance. Organizations should scrutinize customers and intermediaries for sanctions evasion, harden networks used for industrial systems, and watch for state-linked phishing, intrusion, and supply-chain targeting.
Sources: Russian Spies Are Aggressively Seeking Western Technology as Sanctions Bite, Officials Say
California AB 1856 advances with open-source exemption but would expand age-check requirements to browsers and websites
California lawmakers advanced AB 1856, a bill that would exempt open-source operating systems from parts of the state's age-assurance law but broaden age-checking requirements for many internet services. EFF says the amended bill would still extend the age-bracketing regime created by AB 1043 beyond operating systems and app stores to web browsers and websites, increasing pressure to collect users' age data and potentially affecting anonymity, privacy, and access to lawful speech. — If enacted, the bill could force more online services to ask for and retain age information, creating new privacy and security risks for ordinary users while raising compliance burdens for developers and platforms. People and organizations tracking internet freedom and privacy policy should watch the Senate process closely.
Sources: One Step Forward, Two Steps Back: CA's AB 1856 Exempts Open Source But Expands Age-Gating
ICE awards Bi2 Technologies $25.1 million contract for 1,570 biometric scanners linked to iris, fingerprint, face, and law-enforcement databases
U.S. Immigration and Customs Enforcement is expanding field use of biometric scanners that can identify people by iris scans, fingerprints, and facial recognition. Contract records show ICE awarded Bi2 Technologies about $25.1 million for 1,570 mobile and stationary devices and access to Bi2's IRIS system, which searches more than five million booking, arrest, and incarceration records across 47 states, along with driver’s license and license-plate data; the deal follows a smaller 200-device deployment under a 2025 contract. — This matters to immigrants, protesters, and the public because it expands real-world government biometric surveillance at scale, with risks of misidentification, bias, and wider tracking. The concrete implication is policy and oversight scrutiny rather than patching: civil-liberties groups, lawmakers, and affected communities should watch how ICE uses the devices and what databases they query.
Sources: ICE to keep an eye on your eyes under $25M biometric scanner deal
California sues 23andMe over the 2023 breach that exposed genetic and profile data of nearly 7 million people
California has sued 23andMe, now operating as Chrome Holding Co., alleging the company failed to adequately protect customers’ genetic and account data in the 2023 breach affecting nearly 7 million people. The complaint says attackers used credential stuffing, replaying usernames and passwords stolen in other breaches, to log into about 14,000 accounts and then scraped far more profiles through 23andMe’s DNA Relatives features; the state also alleges 23andMe failed to require stronger safeguards such as multifactor authentication, missed warning signs for months, and only acted after stolen data was advertised for sale and ransom demands were made. — This matters because the stolen information included highly sensitive genetic and health-related data, and the lawsuit may shape how companies are expected to protect and handle biometric and genomic records. Affected users should reset reused passwords, enable multifactor authentication where available, and review what personal and relative-sharing data remains in their account.
Sources: California Sues 23andMe, Alleging It Failed to Protect User Data in 2023 Breach, 23andMe inherits lawsuit over 'disturbing' DNA data breach, California AG sues 23andMe over 2023 breach exposing health data
Unsealed court records show DOJ tried and failed to get Don Lemon and Georgia Fort YouTube account data
A federal judge twice rejected prosecutors’ attempts to obtain YouTube account records tied to journalists Don Lemon and Georgia Fort, including information about their channels and possible viewers. The warrants were sought in a criminal case related to the journalists’ coverage of a protest at a church in St. Paul, Minnesota. Court records show the judge found the applications lacked probable cause and did not comply with the Privacy Protection Act of 1980, which generally limits search warrants targeting journalists and publishers. — This matters to journalists, sources, and viewers because prosecutors sought not just reporter account data but potentially audience information as well. It is a significant press-freedom and privacy issue, and it adds urgency to scrutiny of DOJ warrant practices and proposed updates to journalist-protection laws.
Sources: Unsealing of failed Don Lemon and Georgia Fort warrants exposes attack on press, Journalists stand up for their independence
Pentagon confirms foreign adversaries used commercial smartphone location data to target U.S. troops in the Middle East
The Pentagon says foreign adversaries used commercially available phone-location data to target or surveil U.S. military personnel in active war zones, affecting troops who carried personal or government-issued smartphones. According to DoD responses released by Sen. Ron Wyden, U.S. Central Command received multiple threat reports tied to commercial data-broker purchases sourced from mobile advertising profiles and device ad identifiers; the department said existing guidance to disable geolocation was incomplete, and some DoD-managed phones still allowed ad-targeting data to be exposed. — This is a real-world national security and personal safety risk, not a theoretical privacy problem: location data sold by brokers can expose troop movements and bases. It raises urgency for stricter mobile-device controls, disabling ad IDs and location sharing, and rethinking bring-your-own-device policies in sensitive environments.
Sources: Troops’ phones gave away location data to foreign adversaries
India CERT-In tells organizations to patch or isolate exploited internet-facing vulnerabilities within 12 hours
India's national cyber agency has told organizations to fix, mitigate, or disconnect exposed critical systems within 12 hours when a known-exploited vulnerability affects them. In new CERT-In guidance on defending against AI-assisted attacks, the agency says the half-day target applies where feasible to internet-facing or 'crown jewel' systems with exploited n-day flaws, while other cases such as internal systems generally get a 24-hour target; this is guidance rather than a single-CVE advisory. — This raises the urgency for Indian organizations and anyone tracking national cyber guidance as attackers use artificial intelligence to speed up exploitation. Defenders should review patching and mitigation playbooks now so internet-exposed high-value systems can be patched, shielded, or taken offline quickly when active exploitation is known.
Sources: India's cyber agency sets clock at 12 hours to tackle exploited bugs as AI turns up the heat
Dutch investigators seize 800 servers tied to Stark Industries hosting network allegedly used for cyberattacks and disinformation
Dutch authorities say they seized 800 servers and arrested two men linked to a hosting operation that allegedly helped cyberattacks, disruption campaigns, and online disinformation. Investigators said the action targeted infrastructure connected to Stark Industries, an EU-sanctioned hosting provider, and two Dutch companies allegedly used to keep its services running after sanctions; reporting links the network to pro-Russian distributed denial-of-service (DDoS) activity by NoName057(16). — This matters because the seizure hits infrastructure allegedly used to support both cyberattacks and influence operations in Europe. Defenders, hosting providers, and abuse teams should watch for fallout such as service migration, replacement infrastructure, and renewed DDoS activity from the same actors.
Sources: Netherlands seizes 800 servers of hosting firm enabling cyberattacks, Netherlands Seizes 800 Servers, Arrests 2 for Aiding Cyberattacks, Admins of Bulletproof Hosting Service Used by Russian Hackers Arrested in Netherlands (+1 more)
Signal says Canada’s Bill C-22 could force metadata collection and threaten encrypted messaging services
Citizen Lab highlights concerns that Canada’s proposed lawful-access Bill C-22 could undermine encryption protections and require messaging services to collect metadata. Signal said it would leave the Canadian market rather than comply if the bill mandated such access, while researchers said officials were unwilling to clearly protect encryption. — The proposal could materially affect users of encrypted messaging in Canada, especially journalists, dissidents, and human-rights defenders. Defenders and civil-society groups should track the bill because it may create surveillance obligations or drive privacy-preserving services out of the market.
Sources: Signal Warns It Would Pull Out of Canada if Made to Comply with Lawful Access Bill, Trump Wants to Tap Your Phone. Ottawa Might Let Him.
Former C.A. Cloud executives plead guilty to helping tech-support scam networks route and hide fraudulent calls
Two former executives of call-tracking firm C.A. Cloud pleaded guilty to concealing a years-long tech-support scam operation that targeted victims worldwide. Prosecutors say the company knowingly provided phone numbers, call forwarding, recordings, and rotating number pools to fraudsters behind fake malware-warning pop-ups, including scammers impersonating Microsoft and Apple; the pair also allegedly ran a Tunisia call center where employees carried out similar fraud through remote computer access and false invoices. — This matters because it shows the infrastructure behind tech-support scams is being targeted, not just the callers themselves, and the scams often hit older and vulnerable people. Users should be wary of pop-ups or calls claiming their computer is infected, especially if they demand remote access or immediate payment.
Sources: Former US execs plead guilty to aiding tech support scammers
U.S. Supreme Court weighs whether Google geofence warrants violate Americans’ privacy rights in Chatrie case
The U.S. Supreme Court is considering whether police can use geofence warrants to make Google hand over location-history data for everyone near a crime scene, a ruling that could affect millions of users. The case, Chatrie, centers on a Fourth Amendment challenge to a reverse warrant that sought unknown suspects by searching Google location data across a defined area and time window; the outcome could also shape the legality of broader reverse searches such as keyword or AI-chat queries. — This could change how easily law enforcement can obtain bulk location and other sensitive platform data about people who are not suspects. It matters to anyone whose phone or online accounts generate location history, and to privacy defenders, platforms, and policymakers watching limits on digital searches.
Sources: Why the Supreme Court's Chatrie case could change the meaning of privacy in America
Canadian police arrest alleged Kimwolf botnet operator over record-scale DDoS attacks
Canadian authorities arrested Ottawa resident Jacob Butler, who allegedly used the online handle “Dort,” and U.S. prosecutors unsealed charges accusing him of running the Kimwolf Internet-of-Things botnet that hijacked millions of connected devices. The complaint says Kimwolf infected devices such as cameras and digital photo frames, issued more than 25,000 attack commands, powered distributed denial-of-service attacks measured at nearly 30 terabits per second, and was also rented to other criminals; the case follows March seizures of Kimwolf infrastructure and related botnets Aisuru, JackSkid, and Mossad. — This matters to internet providers, enterprises, and anyone running exposed connected devices because it shows how insecure Internet-of-Things products can be turned into large-scale attack infrastructure. Defenders should keep internet-facing devices patched, disable unnecessary exposure, and review mitigations tied to the exploitation path Kimwolf used to spread.
Sources: Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada, US and Canada arrest and charge suspected Kimwolf botnet admin, Canadian Man Arrested for Operating Kimwolf Botnet (+1 more)
CISA opens public reporting channel for Known Exploited Vulnerabilities catalog nominations
CISA has launched a new public form and email pathway for researchers, vendors, and industry partners to submit vulnerabilities for possible inclusion in its Known Exploited Vulnerabilities (KEV) catalog. The change affects no single CVE or product; instead it creates a formal process for reporting suspected exploited-in-the-wild flaws to CISA, with submitters asked to provide vulnerability details and evidence of active exploitation so the agency can validate and potentially add them to KEV. — The KEV catalog is one of the main lists defenders use to decide what to patch first, so a faster path for outside researchers to report exploitation could speed warnings and remediation across government and private networks. Security teams should expect KEV to remain a key prioritization source and monitor for any changes in how quickly new exploited bugs are added.
Sources: CISA to allow researchers to report vulnerabilities to exploited bugs catalog, In Other News: Industrial Router Exploitation, CISA KEV Nomination Form, Gas Station Hacking
House Democrats warn Trump budget cuts would reduce CISA and state-local cybersecurity funding
U.S. House Democrats said the Trump administration is pushing major cuts to federal cybersecurity spending that would hit state and local governments. At a Homeland Security subcommittee hearing, lawmakers and state officials pointed to a proposed $707 million cut to the Cybersecurity and Infrastructure Security Agency (CISA), earlier cuts of about $135 million and roughly 1,000 staff, uncertainty around reauthorizing the State and Local Cybersecurity Grant Program, and the loss of federally supported Multi-State Information Sharing and Analysis Center services. — This matters because local governments run emergency services, schools, utilities, and courts, and many rely on federal cyber grants and shared defenses they cannot afford on their own. The practical implication is policy-focused rather than immediate patching: public-sector defenders and watchdogs should track the budget fight closely because fewer staff, grants, and shared services can increase exposure to ransomware and other attacks.
Sources: Dems slam Trump for making cybersecurity hold out the tin cup while splurging on ballroom and Jan. 6 'slush fund'
Ofcom says Snapchat, Meta and Roblox will change UK child-safety features, while TikTok and YouTube resist new commitments
Britain’s online-safety regulator said several major platforms have promised product changes aimed at better protecting children in the UK. Ofcom said Snap will adopt its recommended anti-grooming measures, including tighter limits on adult contact with children; Roblox will let parents disable direct messages for under-16s; and Meta will hide teens’ connection lists by default on Instagram and use artificial intelligence to detect likely sexualized adult-teen direct messages. Ofcom said TikTok and YouTube did not commit to significant new changes. — This matters to UK families, teens and platform operators because it signals concrete safety and privacy changes tied to regulatory pressure, especially around grooming risks and minors’ visibility online. Users and parents should watch for new default settings and controls, while companies should expect closer enforcement under the UK’s online-safety regime.
Sources: Tech giants promise British regulator they will tweak platforms to protect kids online
Access Now backs WhatsApp in Ninth Circuit appeal over NSO Pegasus spyware injunction
Access Now and other civil society groups asked the Ninth Circuit to keep a court order blocking NSO Group from using WhatsApp to target users with Pegasus spyware. The filing concerns NSO’s appeal after WhatsApp and Meta won a permanent injunction and jury verdict in a case over Pegasus being delivered through WhatsApp’s servers to more than 1,400 people in 20 countries, including journalists, activists, and human rights defenders. — This matters because the appeal could shape how strongly U.S. courts can curb commercial spyware used against encrypted messaging users. It is especially relevant to people at risk of surveillance and to companies defending messaging platforms from spyware abuse.
Sources: Access Now urges the Ninth Circuit to protect encryption from NSO’s spyware
UK Computer Misuse Act reform proposal would give only narrow legal protection to a small fraction of security researchers
The UK government’s planned cybercrime-law reform would protect very few security researchers from prosecution, according to sources briefed on the proposal. The reported changes to the Computer Misuse Act 1990 would create a statutory defense mainly for scanning internet-facing systems, require researchers to stop once they identify a flaw, and limit eligibility to British nationals with UK Cyber Security Council accreditation—reportedly only about 300 people. — This could leave most bug hunters, academics, and security teams exposed to legal risk for good-faith testing, which may discourage vulnerability discovery and responsible disclosure. Organizations and researchers in the UK should watch the legislation closely because it could shape what defensive testing is legally safe to perform.
Sources: UK plans for cybercrime law reform would protect almost no one, experts warn
China and Russia pledge expanded cooperation on cybersecurity, internet governance, AI and satellite internet
At a Beijing summit, Xi Jinping and Vladimir Putin issued a joint statement promising deeper cooperation on information security, cyber-threat response, internet regulation, AI, satellite internet, IoT, and interoperability between China's BeiDou and Russia's GLONASS systems. The statement also emphasized joint software and open-source development to reduce dependence on Western technology and endorsed stronger state control over domestic internet environments. — The agreement signals closer alignment between two major authoritarian states on cyber policy, digital infrastructure and 'internet sovereignty,' with implications for censorship, surveillance, and state-backed cyber operations. It matters to policymakers, civil-society groups and defenders tracking how geopolitical blocs may reshape internet governance and security ecosystems.
Sources: Xi and Putin pledge closer cooperation on AI, cyberspace and satellite systems
FTC warns major tech platforms over Take It Down Act compliance failures
The FTC said it sent warning letters to major tech firms including Alphabet, Amazon, Apple, Discord, Meta, Microsoft, Reddit, Snapchat, TikTok and X, alleging they are not complying with the Take It Down Act. The law requires covered platforms to provide a removal process for nonconsensual intimate images and delete reported content within 48 hours, with potential fines for violations. — The action puts large platforms on notice that U.S. regulators are actively enforcing rapid takedown requirements for abusive intimate imagery. Security, trust-and-safety, and privacy teams may need to implement reporting workflows, hashing, and cross-platform sharing processes to avoid penalties and better protect victims.
Sources: FTC warns 12 major tech firms of violating Take It Down Act
FBI reports $388 million in 2025 losses tied to cryptocurrency ATM scams in the U.S.
The FBI said IC3 received more than 13,400 complaints in 2025 involving cryptocurrency kiosks, with reported losses exceeding $388 million, up 58% from 2024. Texas led reported losses at nearly $57 million, followed by Florida at $32.7 million. The report ties the kiosks to fraud schemes including investment, tech-support, and romance scams, and comes amid state bans and lawsuits against kiosk operators. — The figures show large-scale consumer harm through a payment channel increasingly used in fraud, especially against older victims. The story matters for defenders, fraud investigators, and policymakers because it points to a growing abuse ecosystem and potential regulatory or enforcement action.
Sources: Texas, Florida top list of states reporting millions of dollars lost through crypto ATMs
FOI reveals London Metropolitan Police made more than 700,000 communications-data requests in 2025
The Register reports that London’s Metropolitan Police made more than 700,000 requests for communications data from tech companies in 2025, according to FOI disclosures. The figures include requests involving platforms such as LycaMobile and claims of data acquisition from privacy-focused services including Proton Mail, ProtonVPN, and Signal, though Proton and Signal disputed parts of the police account. — The disclosures highlight the scale of police metadata surveillance and raise transparency and oversight questions around access to communications data from mainstream and privacy-oriented services. It matters to UK users, privacy defenders, and policymakers assessing lawful access powers and safeguards for sensitive professions such as journalists and lawyers.
Sources: London's police asked Big Tech for comms data over 700,000 times last year
Microsoft faces human-rights scrutiny over Azure and AI services allegedly used in Israeli military surveillance and targeting
EFF highlights reports that Microsoft investigated and reportedly suspended certain services in September 2025 after concerns that its Azure cloud and AI offerings were being used by Israeli military and intelligence units in surveillance and targeting operations in Gaza. The article also points to the reported departure of Microsoft's Israel chief amid pressure for disclosure and stronger safeguards. — This is a significant surveillance and privacy accountability story for cloud and AI providers operating in conflict settings. It matters to affected populations, civil society, and enterprise customers because it raises questions about how major vendors assess, restrict, and disclose high-risk government use of their infrastructure.
Sources: Microsoft Took a Step Toward Human Rights Accountability. Google and Amazon (and Others) Should Pay Attention!, Microsoft: it’s time to come clean about your ties to the Israeli military, Joint letter to Microsoft regarding Israeli military use of Azure cloud and AI services
DOJ subpoenas Wall Street Journal and other outlets for journalist records in Iran war leak investigation
The Department of Justice sent grand jury subpoenas to The Wall Street Journal seeking records related to its journalists' reporting on the lead-up to the war in Iran, and other media outlets reportedly received similar demands. The move is framed by press-freedom advocates as an effort to identify confidential sources through leak investigations. — This has direct implications for source protection, newsroom security, and government surveillance of journalists. News organizations and reporters may need to harden communications and prepare for legal demands targeting records and metadata.
Sources: When ‘national security’ is code for ‘bury the truth’