New
6H ago
2 sources
EFF says police agencies searched Flock Safety automated license plate reader databases for routine matters far beyond serious criminal investigations, including school residency verification, employment background checks, and noise complaints. Based on analysis of millions of audit-log searches, the report says some agencies queried plates across thousands of shared camera networks nationwide, exposing detailed location histories without a warrant requirement and showing broad mission creep in how ALPR (automated license plate reader) data is used.
— This matters to the public because a system marketed for crime-solving is being used to track ordinary people’s movements for low-level administrative and quality-of-life issues. It raises immediate privacy and civil-liberties concerns for anyone whose vehicle data may be swept into shared ALPR networks, and it increases pressure for warrant limits, access controls, and retention safeguards.
Sources: More License Plate Reader Mission Creep: School Residency Verification, Background Checks, and Noise Complaints, 🔊 Mass Surveillance for… Loud Music? | EFFector 38.11
Hot
12H ago
5 sources
Meta says NSO Group again targeted WhatsApp users despite a court order barring it from doing so. WhatsApp said it disrupted NSO-linked social-engineering attempts involving malicious links that redirected targets to external websites, plus test accounts and groups on the platform, and published related domains and indicators of compromise. The report did not include victim counts, timing, or confirmation of successful compromises.
— This matters because it suggests a spyware vendor accused of abusing messaging users may still be actively targeting people after a legal ban. WhatsApp users, journalists, activists, and high-risk targets should treat unsolicited links and unusual group invites with caution, and defenders should review the published indicators immediately.
Sources: NSO Group back in Meta's crosshairs after alleged WhatsApp targeting, WhatsApp Catches Spyware Firm NSO Defying No-Hacking Court Order, WhatsApp says NSO targeted users with spearfishing attacks in violation of court order (+2 more)
Hot
14H ago
10 sources
Microsoft said it is tracking the publicly disclosed YellowKey Windows BitLocker security feature bypass as CVE-2026-45585 and published mitigations pending a security update. The flaw can allow access to BitLocker-protected drives by abusing specially crafted FsTx files and WinRE behavior; Microsoft recommends disabling autofstx.exe auto-start in WinRE and requiring BitLocker TPM+PIN startup authentication.
— Organizations and users relying on BitLocker for device-at-rest protection may need to apply mitigations immediately because PoC details are public and a fix is not yet available. Defenders should review BitLocker startup settings and WinRE configuration now.
Sources: Microsoft shares mitigation for YellowKey Windows zero-day, Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit, Microsoft Rolls Out Mitigations for ‘YellowKey’ BitLocker Bypass (+7 more)
Hot
21H ago
10 sources
Anthropic says it intends to eventually make Mythos-class vulnerability-finding artificial intelligence available more broadly, but for now is expanding its restricted Project Glasswing program to additional partners including U.S. and allied governments. The company says Mythos has scanned more than 1,000 open-source projects, estimated 6,202 high-or-critical-severity vulnerabilities and 23,019 total flaws, and validated many findings through coordinated disclosure; no CVE list or release date for public access was provided.
— This matters because a powerful AI system for finding software flaws could help defenders patch faster, but could also accelerate criminal discovery of exploitable bugs if released without effective guardrails. Security teams should expect faster vulnerability discovery pressure in widely used open-source components and be prepared for heavier disclosure and patching volume.
Sources: Anthropic to release Mythos-class models to the public, Anthropic: Mythos Detected 23,000 Potential Vulnerabilities Across 1,000 OSS Projects, Anthropic’s restricted Claude Mythos model may be coming to Claude Code (+7 more)
1D ago
1 source
Researchers found that an OpenClaw AI email agent could be tricked by phishing-style messages into leaking sensitive data instead of protecting it. In Varonis simulations, the open-source agent, connected to Gmail, browser tools, and Google Workspace APIs, sent AWS IAM keys, database credentials, SSH details, and CRM exports to an external account after urgent impersonation emails. The tests used Google Gemini 3.1 Pro and OpenAI GPT-5.4 and showed that URL and OAuth-app checks were stronger than sender-identity verification.
— Organizations testing AI agents for email and workflow automation could accidentally give them access to data they can be manipulated into disclosing. Treat this as an immediate design and policy issue: limit agent privileges, block unapproved external sharing, require human approval for high-risk actions, and verify sender identity before deployment.
Sources: OpenClaw AI agent found falling for phishing attacks, spills user data
1D ago
2 sources
Press-freedom groups say federal and local law enforcement assaulted at least 40 journalists covering protests and a detainee hunger strike near the Delaney Hall immigration detention facility in Newark, New Jersey. The Freedom of the Press Foundation says New Jersey police appeared to decide on the spot who counted as a journalist and who did not, raising concerns about unlawful interference with newsgathering and First Amendment protections during protest reporting.
— This matters to the public because it can limit independent reporting on police activity and protests, making it harder to know what is happening on the ground. Journalists, legal observers, and civil-liberties groups should watch for further incidents, preserve evidence, and track whether authorities change policy or face legal challenges.
Sources: NJ police to journalists: Papers please, PPE bans not only risk reporters. They risk the public’s right to know
1D ago
2 sources
The UK government says Apple, Google and other tech companies have three months to enable device-level controls on smartphones and tablets that detect and block nude images for children. The Home Office says the controls must work across apps and services by default and only be disabled through age assurance, with possible legislation, fines, and potential executive liability if companies do not comply. Officials also say adults would need age verification to access nude content on devices.
— This is a major security-and-privacy policy development because it pushes on-device content scanning and age checks beyond individual apps into phones and tablets themselves. Device makers, app platforms, privacy advocates, parents, and UK users may all be affected, and companies now face a short deadline to respond or prepare for regulation.
Sources: UK gives big tech 3 months to create device controls to block nude images of kids, Signal says UK plan to scan devices for nude images 'endangers us all'
1D ago
2 sources
France's government says an attacker got into Tchap, the encrypted messaging service used by public-sector workers, by taking over a valid user account. DINUM said ANSSI detected the intrusion on June 8 and blocked the compromised account, while investigators review logs to determine what conversations and data were accessed or stolen. A threat actor claimed the access came from social engineering on an education-related Tchap shard and alleged theft of 13.5GB of files, roughly 650,000 messages, and data on more than 73,000 accounts, plus a flaw allowing shared media files to be downloaded without a token.
— This affects a government communications platform with more than 300,000 monthly users, so exposed chats, files, and account metadata could have broad public-sector impact. French agencies and users should treat the incident as potentially sensitive, review what was shared in public rooms, investigate account takeover paths, and reset or harden credentials where appropriate.
Sources: French govt messaging service breached in account hijacking attack, France probes compromise of gov messaging platform after account hijack
2D ago
2 sources
EFF and Wired report that Meta has shipped facial-recognition code in the software for its always-on smart glasses, potentially affecting both people wearing the glasses and those seen by them. EFF says static analysis confirmed code that stores faceprints as 2,048-value templates and compares newly seen faces against a local database; researchers also showed the feature could be triggered in testing by manually adding a face in debug mode, though it is not yet exposed as a consumer setting.
— This is a significant surveillance and privacy story because it suggests consumer wearables may already contain hidden person-identification features before any public rollout. People considering Meta glasses should weigh the privacy risk, and policymakers and civil-society groups may press Meta for transparency, safeguards, or limits before deployment.
Sources: Move Fast, Surveil Things, VICTORY: Meta Strips Facial Recognition Code From Smart Glasses App After Public Outcry
2D ago
1 source
Freedom of the Press Foundation sued the U.S. Department of Justice under the Freedom of Information Act to uncover whether DOJ hid legal protections for journalists when it sought a warrant to raid Washington Post reporter Hannah Natanson’s home. The suit centers on the Privacy Protection Act of 1980, which generally bars newsroom and journalist-home searches, and follows a judge’s February finding that DOJ’s omission of the law from the warrant process seriously undermined confidence in the government’s disclosures.
— This matters to journalists, sources, and the public because it suggests federal investigators may be sidestepping legal safeguards meant to stop raids on reporters. The case could reveal whether the Natanson raid was an isolated abuse or part of a broader DOJ practice with implications for press freedom and government surveillance powers.
Sources: Is DOJ hiding press protections to raid reporters? We sue to find out
2D ago
1 source
Russia has updated the technical rules for its SORM surveillance system, expanding how authorities can search and connect people's internet and communications data. The new regulations require broader collection, processing, and transmission of identifiers including names, passport and tax numbers, addresses, usernames, domains, URLs, device identifiers, and geolocation data. The rules apply beyond telecom carriers to other online service operators and increase compliance burdens on providers.
— This matters because it strengthens Russia's ability to monitor individuals without shutting the internet off, making targeted repression and self-censorship easier while pressuring providers to integrate with state surveillance systems. The impact is immediate for people and companies operating in Russia, especially telecom and internet services that may need to change infrastructure or face regulatory penalties.
Sources: Russia upgrades rules for its digital spy system to better track citizens online
5D ago
2 sources
The U.N. World Food Programme says attackers accessed personal data submitted by Palestinians seeking food and cash assistance in Gaza. The incident affected the agency's Self-Registration Application used only in Palestine and exposed names, identification numbers, phone numbers, and neighborhood location details; WFP said the breach occurred on May 14, shut down the platform, and is still investigating how the intrusion happened and whether data was further leaked.
— This is not just a privacy breach: exposed aid-recipient data in a war zone can put vulnerable civilians at real physical risk. People who registered for assistance may need to watch for phishing, impersonation, or other misuse of their personal details, while aid organizations should review exposure risks and incident response urgently.
Sources: UN food agency investigates breach exposing data of Gaza aid recipients, World Food Programme breach exposes data of 600k vulnerable Gazan families
5D ago
1 source
City of York Council accidentally exposed the email addresses of hundreds of Blue Badge holders by sending messages without using blind carbon copy (BCC). Because the list was for Blue Badge-related communications, recipients could also infer that others on the list were disabled or had mobility impairments, making the breach especially sensitive. The council said it triggered its breach procedures, warned recipients to watch for suspicious messages, and the UK Information Commissioner's Office said it received a breach report and closed the case with advice.
— This is a meaningful privacy breach because it exposed not just contact details but sensitive status information about disabled residents. Affected people should be alert for phishing or harassment, and public-sector organizations should review bulk-email controls and handling of special-category personal data.
Sources: Council in UK's City of York outs hundreds of disabled residents with a single email blunder
6D ago
1 source
Apple removed Russia’s state-backed Max messaging app from the App Store, cutting off new iPhone and iPad downloads and updates for existing users. Apple told BBC Russia the removal was done to comply with sanctions regulations, while Russian officials said about 20 million users lost access through Apple’s marketplace. Max, developed by VK and promoted by the Russian state as a Telegram and WhatsApp alternative, is deeply integrated with government services, digital ID, e-signatures, and payments; critics warn its lack of end-to-end encryption could make user communications easier for authorities to monitor.
— This affects Russian users who rely on Max and highlights how app-store controls, sanctions, and state-backed platforms can shape access to communication tools. It also matters for privacy watchers because Max is closely tied to government infrastructure, so users should weigh surveillance risks and loss of updates if they continue using it.
Sources: Apple removes Russia’s state-backed messaging app Max from its store
6D ago
1 source
The U.S. Federal Trade Commission is considering whether to modify or set aside a 2022 privacy order against X, formerly Twitter, over the company’s use of account security data for targeted advertising. The original order followed FTC allegations that Twitter collected phone numbers and email addresses for account security, including two-factor authentication (2FA), then used that data for ads in violation of a 2011 privacy order; the case involved more than 140 million users and a $150 million penalty. The FTC has opened a public comment period through July 2, 2026.
— This matters to X users because it concerns whether protections imposed after a major misuse of security-related personal data will remain in force. It also matters more broadly because weakening the order could signal reduced privacy enforcement around companies that repurpose security data for advertising.
Sources: FTC considers setting aside or modifying $150 million privacy penalty against X
6D ago
1 source
The U.S. Supreme Court ruled that the FCC lawfully fined major wireless carriers for sharing access to customers’ location data without proper consent. In an 8-1 decision, the Court said the FCC’s forfeiture process did not violate the companies’ jury-trial rights, leaving in place penalties of roughly $47 million for Verizon, $57 million for AT&T, and $92 million for T-Mobile and Sprint. The underlying FCC case alleged the carriers sold location access to aggregators and data brokers and failed to take reasonable steps to protect that sensitive data.
— This matters because it reinforces that mobile carriers can be punished for letting precise location data flow to third parties without meaningful consent. It is important for users concerned about surveillance and for companies handling sensitive data, even though there is no immediate patch or user action beyond reviewing privacy choices and carrier practices.
Sources: Supreme Court rules FCC fines punishing telecom giants for sharing location data were legal
6D ago
1 source
Two former RAC employees in the UK were ordered to repay more than £118,000 after illegally selling personal data belonging to car crash victims. The Information Commissioner's Office said the pair were previously convicted under the Computer Misuse Act 1990 and Data Protection Act 2018 after about 29,500 records were copied from RAC systems and shared over WhatsApp with an unknown buyer; one defendant now faces 18 months in prison if she does not repay the proceeds within three months.
— This matters because insiders abused access to sensitive data from people involved in road accidents, showing how personal information can be monetized after a breach from inside an organization. For defenders and regulated firms, it underscores the need for monitoring, least-privilege access, and rapid response to suspicious data exports.
Sources: Duo who sold car crash victims' data must repay £118k
8D ago
1 source
Russia's domestic security service says foreign intelligence agencies hacked the mobile phones of senior Russian officials to spy on them. The FSB alleges malware on the devices collected correspondence, calls, geolocation, contact lists, and audio and video from the phones and their surroundings, and claims the operation relied on infrastructure from major international technology companies, including content delivery and security providers. No spyware family, infection method, or technical evidence was disclosed.
— If true, this would be a significant government-targeted mobile espionage campaign with potential impact on sensitive state communications and surveillance exposure. Defenders should watch for technical indicators or vendor confirmations before taking the claims at face value, but mobile-device compromise at this level is high consequence.
Sources: Russia claims foreign spy agencies hacked officials' phones
9D ago
2 sources
Spanish police arrested a suspect accused of leaking sensitive personal data belonging to employees at key state bodies including INCIBE, the National Police, the Civil Guard, the State Attorney General's Office, and the National Security Council. Authorities say the mass publication created immediate security risks for affected staff and institutions. INCIBE previously said its own systems were not directly breached and that the leak appeared to be assembled from older breaches, credential dumps, and open-source intelligence, with some records posted on BreachForums and Doxbin.
— This is a real-world exposure of personal data tied to government and security personnel, which can enable harassment, phishing, impersonation, and physical-safety risks. Affected organizations and employees should treat exposed details as compromised, review account security, and watch for targeted social-engineering attempts.
Sources: Spain arrests doxer leaking sensitive data of govt employees, Spain arrests suspected hacker for publishing personal data of police, prosecutors and cyber officials
12D ago
1 source
California lawmakers advanced AB 1856, a bill that would exempt open-source operating systems from parts of the state's age-assurance law but broaden age-checking requirements for many internet services. EFF says the amended bill would still extend the age-bracketing regime created by AB 1043 beyond operating systems and app stores to web browsers and websites, increasing pressure to collect users' age data and potentially affecting anonymity, privacy, and access to lawful speech.
— If enacted, the bill could force more online services to ask for and retain age information, creating new privacy and security risks for ordinary users while raising compliance burdens for developers and platforms. People and organizations tracking internet freedom and privacy policy should watch the Senate process closely.
Sources: One Step Forward, Two Steps Back: CA's AB 1856 Exempts Open Source But Expands Age-Gating
12D ago
1 source
U.S. Immigration and Customs Enforcement is expanding field use of biometric scanners that can identify people by iris scans, fingerprints, and facial recognition. Contract records show ICE awarded Bi2 Technologies about $25.1 million for 1,570 mobile and stationary devices and access to Bi2's IRIS system, which searches more than five million booking, arrest, and incarceration records across 47 states, along with driver’s license and license-plate data; the deal follows a smaller 200-device deployment under a 2025 contract.
— This matters to immigrants, protesters, and the public because it expands real-world government biometric surveillance at scale, with risks of misidentification, bias, and wider tracking. The concrete implication is policy and oversight scrutiny rather than patching: civil-liberties groups, lawmakers, and affected communities should watch how ICE uses the devices and what databases they query.
Sources: ICE to keep an eye on your eyes under $25M biometric scanner deal
12D ago
3 sources
California has sued 23andMe, now operating as Chrome Holding Co., alleging the company failed to adequately protect customers’ genetic and account data in the 2023 breach affecting nearly 7 million people. The complaint says attackers used credential stuffing—trying usernames and passwords stolen elsewhere—to access about 14,000 accounts, then scrape broader data through 23andMe’s DNA Relatives features; the state also alleges 23andMe failed to require stronger safeguards such as multifactor authentication, missed warning signs for months, and only acted after stolen data was advertised for sale and ransom demands were made.
— This matters because the stolen information included highly sensitive genetic and health-related data, and the lawsuit may shape how companies are expected to protect and handle biometric and genomic records. Affected users should reset reused passwords, enable multifactor authentication where available, and review what personal and relative-sharing data remains in their account.
Sources: California Sues 23andMe, Alleging It Failed to Protect User Data in 2023 Breach, 23andMe inherits lawsuit over 'disturbing' DNA data breach, California AG sues 23andMe over 2023 breach exposing health data
12D ago
2 sources
A federal judge twice rejected prosecutors’ attempts to obtain YouTube account records tied to journalists Don Lemon and Georgia Fort, including information about their channels and possible viewers. The warrants were sought in a criminal case related to the journalists’ coverage of a protest at a church in St. Paul, Minnesota. Court records show the judge found the applications lacked probable cause and did not comply with the Privacy Protection Act of 1980, which generally limits search warrants targeting journalists and publishers.
— This matters to journalists, sources, and viewers because prosecutors sought not just reporter account data but potentially audience information as well. It is a significant press-freedom and privacy issue, and it adds urgency to scrutiny of DOJ warrant practices and proposed updates to journalist-protection laws.
Sources: Unsealing of failed Don Lemon and Georgia Fort warrants exposes attack on press, Journalists stand up for their independence
12D ago
2 sources
A Trump Mobile website flaw reportedly let anyone pull customer order records, exposing personal details of people who preordered the company’s phone service and handset. According to The Register and the finder, a simple HTTP POST request to exposed application programming interface (API) endpoints returned batches of records containing names, postal addresses, email addresses, phone numbers, customer numbers, enrollment IDs, and order-channel details; no CVE is assigned, and the issue was reportedly fixed after disclosure attempts.
— Affected customers could face phishing, impersonation, or account-targeted fraud if their contact and order data was exposed. Trump Mobile users should watch for suspicious calls, texts, and emails referencing orders or account setup, while the company should clarify scope and notify affected users if exposure is confirmed.
Sources: Techie claims Trump Mobile website was leaking thousands of people's data, In Other News: Trump Mobile Data Breach, FIFA World Cup Phishing, CISA Responds to Supply Chain Attacks
12D ago
1 source
Google says Chrome's Device Bound Session Credentials feature is now rolling out broadly for personal Google accounts and Google Workspace users to stop attackers from reusing stolen login cookies. The protection cryptographically binds session cookies to a specific device using hardware-backed keys such as TPM on Windows and Secure Enclave on macOS, making stolen cookies far harder to use for account takeover even after multi-factor authentication. Google says it will be enabled by default for Workspace customers and cannot be turned off by admins.
— This matters to anyone using Google accounts because session-cookie theft is a common way infostealer malware and phishing campaigns bypass login protections. Users should still remove malware and harden browsers, but this rollout adds an important default defense against account hijacking.
Sources: Google Chrome adds session cookie theft protection for all users
13D ago
1 source
The Pentagon says foreign adversaries used commercially available phone-location data to target or surveil U.S. military personnel in active war zones, affecting troops who carried personal or government-issued smartphones. According to DoD responses released by Sen. Ron Wyden, U.S. Central Command received multiple threat reports tied to commercial data-broker purchases sourced from mobile advertising profiles and device ad identifiers; the department said existing guidance to disable geolocation was incomplete, and some DoD-managed phones still allowed ad-targeting data to be exposed.
— This is a real-world national security and personal safety risk, not a theoretical privacy problem: location data sold by brokers can expose troop movements and bases. It raises urgency for stricter mobile-device controls, disabling ad IDs and location sharing, and rethinking bring-your-own-device policies in sensitive environments.
Sources: Troops’ phones gave away location data to foreign adversaries
16D ago
2 sources
Citizen Lab highlights concerns that Canada’s proposed lawful-access Bill C-22 could undermine encryption protections and require messaging services to collect metadata. Signal said it would leave the Canadian market rather than comply if the bill mandated such access, while researchers said officials were unwilling to clearly protect encryption.
— The proposal could materially affect users of encrypted messaging in Canada, especially journalists, dissidents, and human-rights defenders. Defenders and civil-society groups should track the bill because it may create surveillance obligations or drive privacy-preserving services out of the market.
Sources: Signal Warns It Would Pull Out of Canada if Made to Comply with Lawful Access Bill, Trump Wants to Tap Your Phone. Ottawa Might Let Him.
19D ago
1 source
The U.S. Supreme Court is considering whether police can use geofence warrants to make Google hand over location-history data for everyone near a crime scene, a ruling that could affect millions of users. The case, Chatrie, centers on a Fourth Amendment challenge to a reverse warrant that sought unknown suspects by searching Google location data across a defined area and time window; the outcome could also shape the legality of broader reverse searches such as keyword or AI-chat queries.
— This could change how easily law enforcement can obtain bulk location and other sensitive platform data about people who are not suspects. It matters to anyone whose phone or online accounts generate location history, and to privacy defenders, platforms, and policymakers watching limits on digital searches.
Sources: Why the Supreme Court's Chatrie case could change the meaning of privacy in America
20D ago
1 source
Several German university hospitals say hackers stole patient and billing data after breaching Unimed, an external provider used to process invoices for privately insured and self-paying patients. Disclosures from Cologne, Freiburg, Heidelberg, Tübingen, Ulm and Mannheim say the intrusion occurred in mid-April and exposed names, addresses, physician details, and in some cases diagnosis, treatment, communications, and limited bank or payment data. Hospitals said their own clinical systems were not breached and patient care was not disrupted.
— This affects highly sensitive medical data, including some diagnosis and treatment information, so impacted patients may face privacy harms, impersonation attempts, or fraud. Affected hospitals have stopped sending data to Unimed; patients should watch for breach notices and be cautious of unsolicited calls, emails, or billing messages referencing their care.
Sources: Hackers steal patient and billing data from German hospitals via third-party provider
20D ago
1 source
Security researchers found that Google API keys may keep working for up to 23 minutes after a user deletes them, leaving developers and organizations exposed during what they believe is a safe shutdown period. Aikido says revocation propagates unevenly across Google's infrastructure, allowing repeated authenticated requests to still succeed against some backend servers; if Gemini is enabled, attackers could access uploaded files and cached conversation context, and abuse automatic billing tier increases to run up large charges.
— Anyone using Google APIs, especially Gemini, could still be exposed after deleting a leaked key. Treat key deletion alone as insufficient: rotate credentials quickly, restrict key permissions, watch for ongoing usage and billing spikes, and disable affected projects or services if abuse is underway.
Sources: Threat hunters find Google API keys still usable 23 minutes after deletion
20D ago
1 source
Britain’s online-safety regulator said several major platforms have promised product changes aimed at better protecting children in the UK. Ofcom said Snap will adopt its recommended anti-grooming measures, including tighter limits on adult contact with children; Roblox will let parents disable direct messages for under-16s; and Meta will hide teens’ connection lists by default on Instagram and use artificial intelligence to detect likely sexualized adult-teen direct messages. Ofcom said TikTok and YouTube did not commit to significant new changes.
— This matters to UK families, teens and platform operators because it signals concrete safety and privacy changes tied to regulatory pressure, especially around grooming risks and minors’ visibility online. Users and parents should watch for new default settings and controls, while companies should expect closer enforcement under the UK’s online-safety regime.
Sources: Tech giants promise British regulator they will tweak platforms to protect kids online
20D ago
1 source
Access Now and other civil society groups asked the Ninth Circuit to keep a court order blocking NSO Group from using WhatsApp to target users with Pegasus spyware. The filing concerns NSO’s appeal after WhatsApp and Meta won a permanent injunction and jury verdict in a case over Pegasus being delivered through WhatsApp’s servers to more than 1,400 people in 20 countries, including journalists, activists, and human rights defenders.
— This matters because the appeal could shape how strongly U.S. courts can curb commercial spyware used against encrypted messaging users. It is especially relevant to people at risk of surveillance and to companies defending messaging platforms from spyware abuse.
Sources: Access Now urges the Ninth Circuit to protect encryption from NSO’s spyware
21D ago
1 sources
At a Beijing summit, Xi Jinping and Vladimir Putin issued a joint statement promising deeper cooperation on information security, cyber-threat response, internet regulation, AI, satellite internet, IoT, and interoperability between China's BeiDou and Russia's GLONASS systems. The statement also emphasized joint software and open-source development to reduce dependence on Western technology and endorsed stronger state control over domestic internet environments.
— The agreement signals closer alignment between two major authoritarian states on cyber policy, digital infrastructure and 'internet sovereignty,' with implications for censorship, surveillance, and state-backed cyber operations. It matters to policymakers, civil-society groups and defenders tracking how geopolitical blocs may reshape internet governance and security ecosystems.
Sources: Xi and Putin pledge closer cooperation on AI, cyberspace and satellite systems
21D ago
1 sources
The FTC said it sent warning letters to major tech firms including Alphabet, Amazon, Apple, Discord, Meta, Microsoft, Reddit, Snapchat, TikTok and X, alleging they are not complying with the Take It Down Act. The law requires covered platforms to provide a removal process for nonconsensual intimate images and delete reported content within 48 hours, with potential fines for violations.
— The action puts large platforms on notice that U.S. regulators are actively enforcing rapid takedown requirements for abusive intimate imagery. Security, trust-and-safety, and privacy teams may need to implement reporting workflows, hashing, and cross-platform sharing processes to avoid penalties and better protect victims.
Sources: FTC warns 12 major tech firms of violating Take It Down Act
21D ago
1 sources
Discord announced that end-to-end encryption for voice and video communications is now enabled by default for all users across supported platforms, with stage channels excluded. The company said it spent nearly three years building the system after beginning experiments in 2023 and rolling out an audited protocol for audio and video in 2024.
— The change improves confidentiality for hundreds of millions of users and is notable as a major platform expanding, rather than retreating from, default encrypted communications. It matters to users, privacy advocates, and policymakers tracking the availability of strong encryption on mainstream services.
Sources: Discord migrates all users to end-to-end encryption by default
21D ago
1 sources
The FBI said IC3 received more than 13,400 complaints in 2025 involving cryptocurrency kiosks, with reported losses exceeding $388 million, up 58% from 2024. Texas led reported losses at nearly $57 million, followed by Florida at $32.7 million. The report ties the kiosks to fraud schemes including investment, tech-support, and romance scams, and comes amid state bans and lawsuits against kiosk operators.
— The figures show large-scale consumer harm through a payment channel increasingly used in fraud, especially against older victims. The story matters for defenders, fraud investigators, and policymakers because it points to a growing abuse ecosystem and potential regulatory or enforcement action.
Sources: Texas, Florida top list of states reporting millions of dollars lost through crypto ATMs
21D ago
1 sources
The Register reports that London’s Metropolitan Police made more than 700,000 requests for communications data from tech companies in 2025, according to FOI disclosures. The figures include requests involving platforms such as LycaMobile and claims of data acquisition from privacy-focused services including Proton Mail, ProtonVPN, and Signal, though Proton and Signal disputed parts of the police account.
— The disclosures highlight the scale of police metadata surveillance and raise transparency and oversight questions around access to communications data from mainstream and privacy-oriented services. The story matters to UK users, privacy defenders, and policymakers assessing lawful access powers and safeguards for sensitive professions such as journalists and lawyers.
Sources: London's police asked Big Tech for comms data over 700,000 times last year
22D ago
3 sources
EFF highlights reports that Microsoft investigated and reportedly suspended certain services in September 2025 after concerns that its Azure cloud and AI offerings were being used by Israeli military and intelligence units in surveillance and targeting operations in Gaza. The article also points to the reported departure of Microsoft's Israel chief amid pressure for disclosure and stronger safeguards.
— This is a significant surveillance and privacy accountability story for cloud and AI providers operating in conflict settings. It matters to affected populations, civil society, and enterprise customers because it raises questions about how major vendors assess, restrict, and disclose high-risk government use of their infrastructure.
Sources: Microsoft Took a Step Toward Human Rights Accountability. Google and Amazon (and Others) Should Pay Attention!, Microsoft: it’s time to come clean about your ties to the Israeli military, Joint letter to Microsoft regarding Israeli military use of Azure cloud and AI services
26D ago
1 sources
The Department of Justice sent grand jury subpoenas to The Wall Street Journal seeking records related to its journalists' reporting on the lead-up to the war in Iran, and other media outlets reportedly received similar demands. The move is framed by press-freedom advocates as an effort to identify confidential sources through leak investigations.
— This has direct implications for source protection, newsroom security, and government surveillance of journalists. News organizations and reporters may need to harden communications and prepare for legal demands targeting records and metadata.
Sources: When ‘national security’ is code for ‘bury the truth’