privacy

Law enforcement’s ability to track and profile political protestors has become increasingly multifaceted and technology driven. In this edition of Incognito Mode WIRED Senior Editor, Security & Investigations Andrew Couts and WIRED Senior Writer Lily Hay Newman discuss the technologies used by law enforcement that put citizens' privacy at risk—and how to avoid them.

Hello, I want to use a PGP key with my Proton mail account.

I was wondering how using PGP works exactly. Does it encrypt the whole email message? Or is it only a signature to prove it's origin?

How does it affect recipients if they don't have my public key? Or how do I share that key securely?

cross-posted from: https://lemmy.sdf.org/post/36376926

Archived

On June 4, during a meeting with government officials, Vladimir Putin stated that all public services must be moved to the national messenger app called Max. According to Minister of Digital Development Maksut Shadayev, the multiplatform system is already operational.

[...]

The Max app — a Russian equivalent of China’s WeChat — was unveiled by the tech giant VK in late March. At present, it features a messenger, a chatbot builder, a payment system, and mini-apps. On June 5, VTB’s digital bank launched on the platform.

To register, a Belarusian or Russian SIM card is required — which, as The Insider noted, foreigners can no longer obtain without submitting biometric data.

As stated in the Max app’s privacy policy, the platform will collect data on:

• user devices
• IP address
• operating system
• browser
• location
• internet provider
• contacts from the address book
• all user activity within the service
• information obtained through the camera or microphone, if the user grants the app access (most users will, for example, in order to record voice messages)

Other messaging apps collect such data as well, but there's a catch. The Max app's privacy policy explicitly states that it may share this data with the “company's partners” as well as with “any government or local authority.”

[...]

crosspostato da: https://lemmy.sdf.org/post/36247127

Archived

A newly emerged threat actor, going by the alias “Often9,” has posted on a prominent cybercrime and database trading forum, claiming to possess 428 million unique TikTok user records. The post is titled “TikTok 2025 Breach – 428M Unique Lines.”

The seller’s post, which appeared on the forum [on May 29, 2025], promises a dataset containing detailed user information such as:

• Email addresses
• Mobile phone numbers
• Biography, avatar URLs, and profile links
• TikTok user IDs, usernames, and nicknames
• Account flags like private_account, secret, verified, and ttSeller status.
• Publicly visible metrics such as follower counts, following counts, like counts, video counts, digg counts, and friend counts.

[...]

crosspostato da: https://lemmy.sdf.org/post/36242205

Archived

• Hundreds of millions of users are likely exposed.
• Data leak contained billions of documents with financial data, WeChat and Alipay details.
• The Cybernews research team believes the dataset was meticulously gathered and maintained for building comprehensive behavioral, economic, and social profiles of nearly any Chinese citizen.

The supermassive data leak likely exposed hundreds of millions of users, primarily from China, the Cybernews research team’s latest findings reveal. A humungous, 631 gigabytes-strong database was left without a password, publicizing mind-boggling 4 billion records.

Bob Dyachenko, cybersecurity researcher and owner at SecurityDiscovery.com, together with the Cybernews team, discovered billions upon billions of exposed records on an open instance.

[...]

The database consisted of numerous collections, containing from half a million to over 800 million records from various sources. The Cybernews research team believes the dataset was meticulously gathered and maintained for building comprehensive behavioral, economic, and social profiles of nearly any Chinese citizen.

“The sheer volume and diversity of data types in this leak suggests that this was likely a centralized aggregation point, potentially maintained for surveillance, profiling, or data enrichment purposes,” the team observed.

There’s no shortage of ways threat actors or nation states could exploit the data. With a data set of that magnitude, everything from large-scale phishing, blackmail, and fraud to state-sponsored intelligence gathering and disinformation campaigns is on the table.

[...]

The team managed to see sixteen data collections, likely named after the type of data they included.

The largest collection, with over 805 million records, was named “wechatid_db,” which most likely points to the data coming from the Baidu-owned super-app WeChat.

[...]

The second largest collection, “address_db,” had over 780 million records containing residential data with geographic identifiers. The third largest collection, simply named “bank,” had over 630 million records of financial data, including payment card numbers, dates of birth, names, and phone numbers.

Possessing only these three collections would enable skilled attackers to correlate different data points to find out where certain users live and what their spending habits, debts, and savings are.

Another major collection in the dataset was named in Mandarin, which roughly translates to “three-factor checks.” With over 610 million records, the collection most likely contained IDs, phone numbers, and usernames.

[...]

"Individuals who may be affected by this leak have no direct recourse due to the anonymity of the owner and lack of notification channels,” the team noted.

China-based data leaks are hardly new. We [Cybernews] ourselves have previously written about a data leak that exposed 1.5 billion Weibo, DiDi, Shanghai Communist Party, and others’ records, or a mysterious actor spilling over 1.2 billion records on Chinese users. More recently, attackers leaked 62 million iPhone users’ records online.

[...]

cross-posted from: https://lemmy.sdf.org/post/36106116

Archived

[...]

According to the measures, introduced by the Ministry of Public Security (MPS), each internet user in China will be issued with a unique “web number,” or wanghao (网号), that is linked to their personal information. While these IDs are, according to the MPS notice, to be issued on a strictly voluntary basis through public service platforms, the government appears to have been working on this system for quite some time — and state media are strongly promoting it as a means of guaranteeing personal “information security” (信息安全). With big plans afoot for how these IDs will be deployed, one obvious question is whether these measures will remain voluntary.

[...]

The measures bring China one step closer to centralized control over how Chinese citizens access the internet. The Cybersecurity Law of 2017 merely stipulated that when registering an account on, say, social media, netizens must register their “personal information” (个人信息), also called “identifying information” (身份信息). That led to uneven interpretations by private companies of what information was required. Whereas some sites merely ask for your name and phone number, others also ask for your ID number — while still others, like Huawei’s cloud software, want your facial biometrics on top of it.

[...]

Beyond the key question of personal data security, there is the risk that the cyber ID system could work as an internet kill switch on each and every citizen. It might grant the central government the power to bar citizens from accessing the internet, simply by blocking their cyber ID. “The real purpose is to control people’s behavior on the Internet,” Lao Dongyan cautioned last year.

[...]

Take a closer look at state media coverage of the evolving cyber ID system and the expansion of its application seems a foregone conclusion — even extending to the offline world. Coverage by CCTV reported last month that it would make ID verification easier in many contexts. “In the future, it can be used in all the places where you need to show your ID card,” a professor at Tsinghua’s AI Institute said of the cyber ID. Imagine using your cyber ID in the future to board the train or access the expressway.

[...]

While Chinese state media emphasize the increased ease and security cyber IDs will bring, the underlying reality is more troubling. Chinese citizens may soon find themselves dependent on government-issued digital credentials for even the most basic freedoms — online and off.

cross-posted from: https://lemmy.sdf.org/post/35993881

[...]

Under draft legislation that the State Duma approvedat first reading on May 22, 2025, a bill will require banks and merchants to facilitate digital ruble transactions and a universal QR payment code for purchases. Beginning October 1, 2025, the digital ruble will be used for a limited range of federal budget expenditures, transitioning on January 1, 2026, to full, unrestricted use for all federal outlays.

[...]

Kremlin financiers will track every digital ruble transaction in real time, granting authorities the power to block citizens’ accounts without a court order and automatically deduct taxes, fines, and other charges. Social benefits payable in digital rubles will be usable only for government‐approved categories of goods and services, and spending may be restrictedbased on a citizen’s place of residence or product type.

[...]

Critics—from human rights groups to economic analysts—argue the digital ruble will entrench state surveillance. According to The Cryptonomist, Russia’s CBDC may replicate China’s model of monitoring every transaction, but with even tighter Kremlin oversight. Ukrainian intelligence observers highlight the risk of a “behavioral loyalty” system, where digital currency access depends on citizens’ political and social “reliability.”

Previously, it was reported that Latvia’s Defense Intelligence and Security Service released a 48-page public handbook designed to help civilians identify and report suspected Russian operatives. The guide details indicators such as ragged appearance and suspicious behavior, offers safe reporting practices, and includes case studies illustrating espionage tactics in both urban and rural settings.

[...]

cross-posted from: https://lemmy.sdf.org/post/35972832

Native Android apps – including Facebook, Instagram, and several Yandex apps such as Maps, Navi, Browser, and Search – silently listen on fixed local ports on mobile devices to de-anonymize users’ browsing habits without consent, says a report published by a team of researchers from Spain-based IMDEA Networks Internet Analytics Group, and Dutch Radboud University.

Here is the technical report: https://localmess.github.io/

By embedding tracking code into millions of websites, Meta’s Pixel and Yandex Metrica have been able to map Android users’ browsing habits with their persistent identities (that is to say, with the account holder logged in). This method bypasses privacy protections offered by Android’s permission controls and even browsers’ Incognito Mode, affecting all major Android browsers. The international research team has disclosed the issue to several browser vendors, who are actively working on mitigations to limit this type of abuse. For instance, Chrome’s mitigation is scheduled to go into effect very soon.

These tracking companies have been doing this bypass for a long time: since 2017 in the case of Yandex, and Meta since September 2024. The number of people affected by this abuse is high, given that Meta Pixel and Yandex Metrica are estimated to be installed on 5.8 million and 3 million sites, respectively. It is also worth noting that evidence of this tracking practice has been observed only on Android.

[...]

It's infuriating to create a "strong password" with letters, numbers, upper and lowercase, symbols, and non-repeating text... but it has to be only 8 to 16 characters long.

That's not a "strong" password, random characters or not.

Is there a limitation that somehow prevents these sites from allowing more than 16 characters?

I'm talking government websites, not just forums. It seems crazy to me.

Since laser printers all encode metadata into the printed image, and handwriting is unique to the writer, I was wondering if a typewriter would provide a more anonymous form of paper communication.

I expect it would be possible to determine the model of typewriter, but would it be possible to tell if two samples were made on the very same machine? Are electric typewriters better or worse than manual? (assuming the same operator) What about Selectric or Wheelwriter – would frequently swapping out the typing element help?

cross-posted from: https://lemm.ee/post/64675314

Looks like this got deleted from the original community where I posted it, so re-posting what I can remember here.

This screenshot is from a post I made on my city's subreddit.

Monday the Washington Post revealed my city was using a first of its kind mass surveillance and facial recognition software that allows police to track individuals added to a watchlist via cameras installed around the city.

The ACLU is saying it is "the stuff of authoritarian surveillance states, and has no place in American policing.”

“Until now, no American police department has been willing to risk the massive public blowback from using such a brazen face recognition surveillance system,” said Nathan Freed Wessler, deputy director of ACLU’s Speech, Privacy, and Technology Project. “By adopting this system–in secret, without safeguards, and at tremendous threat to our privacy and security–the City of New Orleans has crossed a thick red line.

The NOPD has stopped using it since WaPo began investigating because it violated a city ordinance, but federal agents (ICE) and state police are still using the real time tracking app.

I realized after reading an Axios article about it on Wednesday that the ordinance was created after the mayor, suddenly asked the city to lift a blanket ban on the technology and other controversial predictive policing policies.

The city's mayor has been facing federal charges regarding a scandal for several years and is currently just running out the clock on her last term as mayor. She has also been accused of other corruption such as accepting gifts as bribes in the past

The ban on predictive policing policies was originally created following the end of a secret partnership between Palantir and the city of New Orleans from ~2012-2018.

Months after the city first abandoned it's contract with Palantir, Mayor Cantrell seemed to be looking for loopholes that would allow her to continue using controversial predictive policing

I have tried to avoid pile-on critique of the mayor, and I actually voted her the first time she ran. However, one of the most common questions people in my city ask, is "how has she not been arrested?" I want to stress this is my own speculation, but given the details that are emerging now, I do wonder if these charges may have been related to why she so willingly turned over the city's privacy to the federal government in 2022?

The proposed ordinance, if passed, would largely reverse the council’s blanket bans on the use facial recognition and characteristic tracking software, which is similar to facial recognition but for identifying race, gender, outfits, vehicles, walking gait and other attributes. One provision also appears to walk back the city’s ban on predictive policing and cell-site simulators — which intercept and spy on cell phone calls — to locate people suspected of certain serious crimes.

That provision could, for the first time, give the city explicit permission to use a whole host of surveillance technology in certain circumstances, including voice recognition, x-ray vans, “through the wall radar,” social media monitoring software, “tools used to gain unauthorized access to a computer,” and more.

Lastly the proposal would allow the city to use “social media or communications software or applications for the purpose of communicating with the public, provided such use does not include the affirmative use of any face surveillance.” The Lens asked Tidwell and Green why this was included and what it was meant to allow, but neither responded.

While she may not have realized it at the time, the removal of the ban, along with her oddly warm welcome of the Governor's own state police force, Troop Nola, has placed the entire city in danger as the 2025 Trump administration continues to remove protection for civil rights and liberties as well as oversight for potential abuse of NSA surveillance

Louisiana State Police (LSP) Troop Nola, are now permanently established in the city and cannot be regulated by city policy and regulations. This means that they can also not be regulated by the same city ordinance that compelled the NOPD to pause their use of the controversial surveillance and real time tracking notifications.

As of yesterday, the Justice Department decided to stop investigating civil rights accusations previously made against LSP, while Louisiana Gov. Jeff Landry and his long time friend Attorney General Liz Murrill, were reported to have celebrated the decision.

TL;DR: If you want to customize Firefox using Enterprise Polices, you can create customized policies via the handy Enterprise Policy Generator. You can also browse a collection of policies I created, available for download.

“A republic, if you can keep it.”

OC by @Charger8232@lemmy.ml

This is original content. AI was not used anywhere except for the bottom right image, simply because I could not find one similar enough to what I needed. This took around 6 hours to make.

Transcription (for the visually impaired)

(I tried my best)

The background is an iceberg with 6 levels, denoting 6 different levels of privacy.

The tip of the iceberg is titled "The Brainwashed" with a quote beside it that says "I have nothing to hide". The logos depicted in this section are:

• Instagram
• Apple
• TikTok
• PayPal
• Google Chrome
• CashApp
• WhatsApp
• Samsung
• Steam
• Microsoft Windows
• Ring (Security Camera)
• YouTube
• Amazon
• Discord
• Gmail
• ChatGPT

The surface section of the iceberg is titled "As seen on TV" with a quote beside it that says "This video is sponsored by...". The logos depicted in this section are:

• NordVPN
• Bitdefender
• Incogni
• Malwarebytes
• Opera GX
• ExpressVPN

An underwater section of the iceberg is titled "The Beginner" with a quote beside it that says "I don't like hackers and spying". The logos depicted in this section are:

• Telegram
• Authy
• Brave Browser
• Privacy.com (Virtual Cards)
• DuckDuckGo
• iMessage
• Proton Mail
• AdBlock (Browser Extension)

A lower section of the iceberg is titled "The Privacy Enthusiast" with a quote beside it that says "I have nothing I want to show". The logos depicted in this section are:

• Signal (Messenger)
• Tuta
• addy.io
• Linux
• Bitwarden
• uBlock Origin
• Tor and Tor Browser
• ProtonVPN

An even lower section of the iceberg is titled "The Privacy Activist" with a quote beside it that says "Privacy is a human right". The logos depicted in this section are:

• Monero
• GrapheneOS
• Vanadium (Web Browser)
• KeePassDX
• SimpleX Chat
• Accrescent
• SearXNG
• Aegis Authenticator
• OpenWrt
• Mullvad VPN
• An illustration of physical cash

The lowest portion of the iceberg is titled "The Ghost". There is a quote beside it that has been intentionally redacted. The images depicted in this section are:

• A cancel sign over a mobile phone, symbolizing "no electronics"
• An illustration of a log cabin, symbolizing "living in a log cabin in the woods"
• A picture of gold bars, symbolizing "paying only in gold"
• A picture of a death certificate, symbolizing "faking your own death"
• An AI generated picture of a person wearing a black hoodie, a baseball cap, a face mask, and reflective sunglasses, symbolizing "hiding ones identity in public"

End of transcription.