Reading view

Protecting privacy as a fundamental right while supporting transatlantic data flows

At Microsoft, we are committed to our customers’ fundamental right to privacy. In a world defined by rapid technological change and geopolitical volatility, this commitment has remained constant. It’s rooted in decades of experience building trusted technologies that our customers rely on every day to manage their data. Many of these organizations depend on the ability to move data across the Atlantic, from the EU to the U.S., in a way that protects their privacy. That’s why we support the European Commission in its defense of the EU-U.S. Data Privacy Framework. And that’s why we have formally intervened in the Latombe v. Commission case before the Court of Justice of the European Union. This case puts at stake two principles that are important for Microsoft – the protection of our customers’ privacy and their ability to do business on both sides of the Atlantic.

To intervene in a case before the Court of Justice, a company must apply for permission. In this case, the Court granted our application, finding that Microsoft has a direct and existing interest in its result. Put simply, the outcome of this case will determine whether Microsoft and its enterprise customers may continue to use the EU-U.S. Data Privacy Framework to transfer data to participating U.S. companies, including vital customers and suppliers. This critical legal bridge promotes stability, beneficial trans-Atlantic ties, economic growth, and prosperity, while upholding strong privacy safeguards. The Latombe case seeks to dismantle it. As an intervener, we can now file legal briefs in support of the European Commission, participate in oral hearings, and share our perspective on the importance of upholding a framework that directly benefits the European economy.

Supporting the European Commission’s adequacy decision on the EU-U.S. Data Privacy Framework before the Court of Justice of the European Union

Companies across the globe rely on data flows to manage their people, produce their goods and services, and distribute products to their customers. We understand that data flows trigger questions about differences in legal traditions. They should. And for that reason, the European Commission and the U.S. administration worked diligently, in the decade since the Safe Harbour ruling, to harmonize EU and U.S. law. As a result of that hard work, and as required under the European General Data Protection Regulation (GDPR), the U.S. has now created an independent review court for any complaints regarding U.S. surveillance and implemented other required measures to provide an “adequate” level of data protection that is essentially equivalent to that in the EU.

This equivalence is a key point. The law entitles our customers to privacy on both sides of the Atlantic. This is the principle on which the Data Privacy Framework rests. And our intervention in the Latombe case is just one part of a long history in which we have stood up for that principle in Europe, as well as in the U.S. As far back as 2014, Microsoft challenged the FBI’s secret attempt to use its national security authorities to obtain information about an account that belonged to one of our enterprise customers. After we filed the case, the FBI withdrew its request. In 2016, we sued the U.S. government to challenge its practice of seeking indefinite secrecy orders—i.e., orders that prevented Microsoft from ever notifying its enterprise customers when the government sought their data. As a result of that case, the U.S. Department of Justice changed its policy to place strict limits on the duration of secrecy orders. In the decade since that first constitutional challenge, we’ve launched a series of successful court challenges to ensure that secrecy orders, of any duration, are the exception, not the rule. As a result of our litigation, numerous secrecy orders have been vacated or modified to allow notification to our customers.

We don’t confine our advocacy to courts. We are a steadfast proponent of strong privacy regulation on both sides of the Atlantic. That’s why we are specifically pushing Congress to update the U.S. Electronic Communications Privacy Act to place stricter limits on the use of secrecy orders and ensuring they are subject to meaningful judicial review. This legislative reform is gaining momentum in Congress and will greatly enhance our continued ability to protect our customers’ data.

Stable and trusted data transfers are not an end in themselves. They are a means to enable innovation, economic opportunity, and public services—while upholding the fundamental rights that are at the core of EU and U.S. law. Our intervention in the Latombe case reflects that principled balance and follows a long line of legal actions we have taken to protect our customers.

Looking ahead

At Microsoft, we have long recognized that trust is not a given—it is earned through sustained action, thoughtful design, and a willingness to engage openly with governments, customers, and individuals. Microsoft has consistently advocated for strong, clear, and globally interoperable privacy frameworks, recognizing that trust in technology depends on the strength of the rules that govern it.

Our customers in Europe can rely on us to continuously improve and update our privacy practices as technology and legal standards evolve. In 2018, we were the first major technology company to extend GDPR subject matter rights to all our customers around the world. And recent positive assessments of our privacy compliance by the European Data Protection Supervisor and the Hessian DPA in Germany underscore our continuous commitment to our customers’ fundamental right to privacy.

In support of this work, we’ve updated the Microsoft Privacy Statement to use clearer structure, simplified language, and more precise explanations of our data practices—making it easier to understand what data we collect and how it’s used, without changing our underlying privacy protections or commitments.

The future of technology will be shaped not only by what we build, but by the principles that guide us. By grounding innovation in respect for people and organizations, and strong legal protections, we can help ensure that technology continues to be a force for good.

The post Protecting privacy as a fundamental right while supporting transatlantic data flows appeared first on Microsoft On the Issues.

  •  

Flock Cameras Can Surveil Cars Without License Plates

This is from a 2024 company presentation:

Officers can also tap into data showing a car’s decals, bumper stickers, back and top racks—along with temporary and unique state tags.

Flock calls it a “Vehicle Fingerprint” and it’s touted as a way for law enforcement officials to get more information “even when you don’t have full plate information,” the company’s presentation shows.

The company gives police officers the ability to search that data as well, to “build stronger cases with less information upfront.” That includes being able to locate multiple vehicles law enforcement officials believe are moving together and what Flock calls a “multi geo search.”

This kind of thing is older than AI; I wrote about it in my 2014 book Beyond Fear. Edward Snowden revealed that the NSA was using cell phone location data to track phones that were habitually near each other.

As bad as Flock is, remember that anyone with broad access to cell phone location data can do the same thing.

  •  

Papa Johns Surveillance-Based Advertising

Papa Johns is spying on people’s buying activities to predict when they are low on food:

The pizza chain recently tapped NBCUniversal, Instacart and the dentsu-owned media agency Carat for help reaching consumers when they’re low on groceries—and thus more likely to be swayed by a mouth-watering ad. The idea is to reach hungry consumers by “knowing what is in their fridge without being too creepy,” said Carrie Drinkwater, chief investment officer at Carat.

To achieve that goal, NBCU and Instacart created a custom audience of shoppers who regularly purchase grocery staples on Instacart, such as eggs, milk, meat and produce. Based on that data, Papa Johns can determine which days of the week certain consumers are likely to run out of groceries and serve them an ad on NBCU streaming content accordingly. The brand served custom creatives to consumers based on their food preferences—such as whether they buy meat regularly—with QR codes and calls to action such as, “Light on groceries?” or “Empty fridge?”

Back in 2012, we learned (from Target and its campaign that detects when someone is pregnant) that the trick is to hide the knowledge in other, wrong, information. So the way for Papa John’s to not be “too creepy” is to deliberately get it wrong sometimes.

But still, ugh.

  •  

The Realities of AI Video Surveillance

The Financial Times has a good article on how AI is changing the capabilities of video surveillance, with information from both Israel/Iran and Russia.

I wrote about this sort of thing a few years ago, how AI enables mass spying in the way that computers and networks enabled mass surveillance. The interesting development in the article is that AI allows people to ask natural language questions about video footage to AIs—and AIs can answer them.

In contrast with older tools restricted to a few dozen preset searches, these new tools allow an almost unlimited range of enquiries by enabling language-based searches on video.

That lets intelligence officers hunt through massive streams of videos using simple search terms, such as two men handing a bag to each other; a person who has changed their appearance, or has changed clothes multiple times in a day; or a vehicle that has recently been painted over, or has driven past the same spot several times in a short period.

“This is the holy grail of surveillance,” said a European official whose country uses the technology on its cities. “We are able to look for behaviour, not objects ­ it has created a world of new possibilities.”

  •  

EFFecting Change: LGBTQ+ Solidarity Against the Tide of Surveillance

LGBTQ+ communities are facing an escalating wave of censorship and targeted surveillance, but we can push back through mutual solidarity. Join us live to learn how safer virtual spaces get built, how platform policies and government pressure are reshaping the digital landscape, and what platform accountability actually looks like. Our panel will share ideas for direct action and concrete strategies you can bring back to your community. Whether you’re an activist, an ally, or just paying attention, this conversation is for you. Join the livestream online followed by live Q&A.

EFFecting Change Livestream Series:
LGBTQ+ Solidarity Against the Tide of Surveillance
Wednesday, June 17th
9:00 am - 10:00 am Pacific - Check Local Time
Livestream followed by Q&A

RSVP Today
This event is LIVE and FREE!


About the Speakers

Paige Collings
As a lawyer, digital policy activist and community organizer, Paige works to dismantle systems of oppression and advance collective liberation. Her work focuses on highlighting how state surveillance and corporate restrictions stifle marginalized communities and perpetuate historic injustices and harm. She has worked with activists across the globe to facilitate systemic change by speaking truth to power and creating spaces for alternative imaginations; and her writing on digital justice has been featured in Wired, Politico, Teen Vogue, the Daily Beast and more.

Jillian C. York
Jillian is EFF's Director for International Freedom of Expression, based in London. Her work examines state and corporate censorship and its impact on culture and human rights, with a focus on historically marginalized communities. At EFF, she organizes coalitions, writes about and researches topics related to freedom of expression, leads the Speaking Freely interview series, and contributes to various other areas of the organization's work. Jillian is the author of Silicon Values: The Future of Free Speech Under Surveillance Capitalism (Verso, 2021), a contributor to several academic volumes, and has written for MIT Technology Review, The Guardian, and WIREDamong others. She is also a visiting professor at the College of Europe Natolin in Warsaw, and a regular speaker at global events.

Soatok Dreamseeker
Soatok Dreamseeker is a gay furry security engineer. He blogs about applied cryptography on his blog, Dhole Moments, and is developing key transparency to enable end-to-end encryption on the Fediverse. His puns are 100% whole groan.

Luísa Franco Machado
Luísa Franco Machado is an award-winning international expert in digital rights and data justice. She has also been a technical advisor in data governance and AI ethics for governments, NGOs, and international organizations worldwide, including the UN, OECD.AI, GIZ, and others. Luísa has carried on policy research at the London School of Economics and Political Science (LSE) and Sciences Po Paris on the intersection between technology and socio-economic development. In 2022, the United Nations recognized them as a global Young Leader for the Sustainable Development Goals (SDGs) among more than 6,500 advocates. In 2025 she was featured in Apolitical's Government AI 100 list as a rising star.

  •  

The FCC Wants to Eliminate Burner Phones

A proposed FCC rule would kill burner phones: phones whose accounts are not attached to a particular person.

The FCC plans to do this by legally forcing the country’s telecoms to store a wealth of personal information about essentially all phone customers, including a government issued identification number and their physical address, alarming privacy advocates and civil rights activists who compare the measures to those from authoritarian countries where it can be difficult to buy a mobile phone plan without giving up your identity.

The proposed change would drastically shake up how people obtain phone plans in the U.S., and have all sorts of privacy and cybersecurity knock-on effects. The FCC is proposing the data collection partly as a way to combat scammers, with telecoms being required to collect other information on business and foreign customers like the intended use case of their bulk phone plan purchase and their IP address. But the changes would mean telecoms collect data on all new and renewing customers, and the FCC provides a long list of other things that the collected data could help authorities with.

Alternate link.

  •  

Yes to California's Bill to Ban Surveillance Pricing

Corporations harvest and monetize ever-growing amounts of our personal data, such as our browsing history and physical location. One bitter fruit of this poisonous tree is known as “surveillance pricing”: corporations offer the same product to two different people at two different prices, based on scrutiny of these people’s respective personal data.

Surveillance pricing is bad for privacy, equity, and price transparency. So EFF supports a California bill, S.B. 2564, which would ban this creepy practice.

How Surveillance Pricing Works

In 2025, the Federal Trade Commission (FTC) published a report about the practices of six companies that provide surveillance pricing services to hundreds of other companies, including grocery stores and apparel retailers. The report found that surveillance pricing draws upon customers’ browsing history, physical location, and shopping transaction history. Customers’ data can come from the vendor itself, from its surveillance pricing service provider, or from third-party data brokers. Customers are sorted into groups based on their personal data, as is done for targeted ads. As a result of surveillance pricing, a business might offer two customers different prices for the same product, based for example on whether they are a new parent, or whether they live near a business’s competitor.

As former FTC Chair Lina Khan explained:

Initial staff findings show that retailers frequently use people’s personal information to set targeted, tailored prices for goods and services – from a person’s location and demographics, down to their mouse movements on a webpage.

Unfortunately, the current FTC chair closed the FTC’s portal for public comments regarding surveillance pricing. Fortunately, the California Attorney General has initiated its own investigation of this practice.

Researchers have identified many examples of surveillance pricing:

  • The Princeton Review offered people who lived in some zip codes a higher price for test prep services, compared to people in other zip codes. As a result, Asians were twice as likely as non-Asians to be offered a higher price.
  • In a year-long study of tens of millions of rides in Chicago, Uber and Lyft offered a higher price for trips that ended in neighborhoods with high non-white populations.
  • Tindr offered older people (aged 30 to 49) higher prices for Tindr Plus, compared to younger people (aged 18-29).
  • Orbitz offered people who used Apple computers a higher price for hotel rooms, compared to people who used other types of computers.
  • Hotel booking sites offered people from San Francisco a higher price for hotel rooms, compared to people from other cities.
  • Target offered a higher price to people physically located at the store, compared to people located elsewhere.
  • Staples offered a higher price to customers who lived further from the company’s competitors, compared to customers who lived closer.

Why EFF Hates Surveillance Pricing

This practice is harmful in many ways. First, surveillance pricing invades our privacy.  Vendors offer us a price only after scrutinizing our personal data about what we’ve clicked online and where we’ve travelled offline. Moreover, surveillance pricing incentivizes all businesses to harvest as much of our personal data as possible. Some businesses will use it for their own surveillance pricing. Other businesses, which might not themselves use it this way, will sell it to data brokers, which in turn will sell it to others for use in surveillance pricing.

Second, surveillance pricing can disparately burden people of color and other vulnerable groups. For example, as described above, surveillance pricing led to Asian people paying more for test prep services, older people paying more for dating services, and people living in non-white neighborhoods paying more for a ride home.

Third, surveillance pricing is opaque. Many people don’t even know when they’ve been subjected to it. Those that do often cannot determine the unknown reasons for the price they’re offered. As a result, consumer advocates will be less able to publish meaningful price comparisons to help consumers make choices. And regulators will be less able to identify unlawful pricing practices.

Thus, EFF and many other groups object to surveillance pricing.

Its defenders sometimes argue that surveillance pricing benefits consumers because it can lead to lower prices. But while some consumers some of the time might get lower prices because of surveillance of their personal data, other consumers will get higher prices, as shown by the examples above. Some recent studies indicate there will be losers and winners based on factors like whether a consumer is willing or able to switch products. Who loses or wins also will turn on the accuracy of the underlying data – yet surveillance pricing is often based on false information.

In any event, both losers and winners of this price discrimination are harmed by surveillance. Privacy is a human right, not a property to be bought and sold on a market. For this reason, EFF has long opposed pay-for-privacy schemes, in which a company charges a higher price to a customer who refuses to submit to processing of their personal data. Thus, even if surveillance pricing sometimes leads to lower prices (and again, it often will not), we oppose it as just another way that corporations try to make customers pay for their privacy.

What the California Bill Would Do

The key term of California’s S.B. 2564 is short and sweet: “a retailer shall not engage in surveillance pricing.”

The banned practice is defined as: “[i] a customized price for a good for a specific consumer or group of consumers, [ii] based, in whole or in part, on personally identifiable information collected through electronic surveillance,” including if that information is “acquired from a third party.” In other words, “surveillance pricing” is a customized price based on personal information.

The bill has two enforcement methods. First, state and local government may bring enforcement actions, and seek all manner of remedies including monetary penalties. Second, individual consumers may bring their own enforcements lawsuits, and seek the remedies of an injunction and attorney fees. We are pleased the bill provides this private right of action, which is the most important method of enforcement (we’d be even more pleased if the private remedies included liquidated damages).

The bill has three exemptions where surveillance pricing is allowed:

  • First, for price differences “based solely on costs associated with providing the good to different consumers.”
  • Second, for a discount offered to a consumer who is taking steps to terminate a service.
  • Third, for a discount, conspicuously posted on a retailer’s website, that is uniformly available based on (1) criteria anyone can meet, such as signing up for a mailing list, (2) membership in a broadly defined group, such as seniors, or (3) participation in a loyalty program.

The bill’s author is California Assembly Member Chris Ward. Its co-sponsors are Consumer Reports and TechEquity. Its supporters include Consumer Federation, EPIC, Kapor Center Advocacy, Oakland Privacy, Privacy Rights Clearinghouse, labor unions, and other groups. The bill has advanced through the California Assembly and has arrived for consideration in the California Senate.

Why EFF Supports the California Bill

Surveillance pricing is just one part of a much larger problem: corporations maximizing their profits by invading our privacy. The all-too-common business model is to systematically harvest, collate, and store as much of our personal data as possible, and then monetize it through use and sale.

EFF’s general approach to this problem is a strong regulatory framework that we call “privacy first.” For example, laws should require businesses to “minimize” their data processing, meaning they must not collect, store, use, or disclose our data unless doing so is strictly necessary to give us what we asked for. Likewise, laws should require businesses to get our voluntary and informed opt-in consent before processing our data, buttressed by legal bans on coercive pay-for-privacy schemes and manipulative “dark patterns.”

A.B. 2564 is just a specific application of the minimization rule. Nobody who uses a web browser or a mobile app expects that, as a result, their clicks and footsteps will be funneled into personal dossiers, and later used by downstream businesses to offer a higher or lower price.

A.B. 2564 is also a specific application of the “no pay-for-privacy” rule. At its best, surveillance pricing is a corporate offer of a lower price in exchange for a consumer’s submission to surveillance of their personal data. This scheme encourages all people to surrender their privacy in exchange for a lower price. This is especially coercive for people with lower incomes, and thus carries the risk of creating a society of privacy “haves” and “have nots.” And swept into this supposed “bargain” is the potential for higher surveillance-based prices based on false information or erroneous inferences.

Surveillance pricing is very similar to online behavioral advertising, a business practice that EFF urges governments to ban. Both practices incentivize all businesses to collect as much of our personal data as possible, in order to later monetize it. Both practices lead some businesses to collate and store our data into dossiers about us for later use. Both practices use these surveillance-based dossiers to manipulate and limit our economic choices, by altering the advertisements and prices we see online. In the words of the FTC report discussed above: “Existing and common techniques used for targeted advertising can also be used for other forms of targeting prices.”

Absent a specific ban on surveillance pricing, as in A.B. 2564, it would be very difficult to protect the public from the many harms it causes. Corporate price-setting is increasingly opaque, making it difficult for consumers and regulators to determine whether a particular company set a particular price for a particular consumer based on their data, and if so, the particular data that it used. As a result, it would be very difficult in this context to enforce general laws requiring minimization or consent. Moreover, many such laws exempt how a business processes the data it directly collected from its own customers; for example, the California Consumer Privacy Act’s limits on “cross-context behavioral advertising” do not apply to how a business uses personal data it collected on its own website. Yet many practitioners of surveillance pricing (like Tindr) rely on such data.

Finally, there is little to no risk that A.B. 2564 will have unintended consequences that hurt internet users’ speech or technological innovation. The bill does not address any particular type of technology. It does not limit any collection, retention, or disclosure of personal data. It limits only one very narrow and easily defined use of data: use to set a customized price. And it has three broad exemptions.

In sum, EFF is proud to join with other groups in support of California’s A.B. 2564. You can read our support letter here.

  •  

LGBT Q&A: We’re Back With Season 2! 

Last June during Pride, we launched a new initiative—LGBT Q&A—where we answered your most pressing queer-related digital rights questions on EFF’s Instagram and TikTok accounts. No question was too big or too small! You asked us things like what pictures to use on dating apps; how to remove your name from internet searches; why homophobic content doesn't get removed after you report it; and how to stay safe at Pride marches.

And this year, we’re doing it all again. 

Both online and offline, LGBTQ+ individuals and the fight for queer liberation are under threat; and the need for guidance and protection from prying eyes and oppressive structures is increasingly pertinent. This is particularly true for those of us who face consequences when intimate details around gender or sexual identities are revealed without consent. 

But we know that it can feel overwhelming to even start thinking about how you can protect yourself online in the face of these issues. That's why this Pride, we’re answering all your digital rights questions. 

How to submit your questions?

  • If you would like to remain anonymous and away from social platforms, you can submit questions via this secure link
  • Head to EFF’s Reddit or the r/LGBTQ subreddit and submit your questions underneath the posts. 
  • Your questions can also be submitted under the linked posts on EFF’s Instagram and TikTok, as well as on our stories where you can submit questions directly. 
  • If you prefer Mastodon and Bluesky, comment your questions under the linked posts. 

As always, we will not engage with comments that discriminate against marginalized groups, including the LGBTQ+ community.

We’re here to help build an online space where you get to decide what aspects of yourself you share with others, how you present to the world, and what things you keep private. Join us to make the internet private, safe, and full of pride.

  •  

Meta’s face-recognition code raises new concerns about smart glasses

Meta’s smart glasses are once again at the center of a privacy debate due to face recognition.

WIRED reports that Meta had quietly embedded unreleased face-recognition code, internally called “NameTag,” into its Meta AI companion app, which powers the company’s smart glasses. The code was not active, but its presence in an app installed on more than 50 million devices raised immediate concerns about how quickly using smart glasses could slide into biometric surveillance.

Face recognition in glasses, even if disabled or unreleased, is especially sensitive because it can identify people at a distance, in real time, and without their consent. Many organizations have warned that this technology could be misused by stalkers, abusers, and others who want to identify people in public without drawing attention.

Gizmodo reports on a proposed Pennsylvania bill that would require smart glasses and similar wearable recording devices to include a visible indicator light when they are capturing audio or video. The bill would also prohibit users from disabling that indicator, a move clearly aimed at reducing covert recording in public spaces.

Most smart glasses already include such an indicator, but reporters noted that some users have been paying others to have them removed or disabled. The proposal is interesting because it tries to solve a hardware-level trust problem with a visible signal. But a visible light only helps if it is both mandatory and difficult to bypass, and history suggests that any visible privacy safeguard becomes a target for tampering when the incentives are high enough.

These two stories are really about the same issue: smart glasses are normalizing the use of always-on cameras, microphones, and AI features in a form that is much easier to conceal than a phone. That creates an unwanted privacy problem for people around the wearer.

Smart glasses are supposed to make computing more seamless. Instead, they are becoming a test case for what happens when cameras, microphones, AI, and biometric features are squeezed into everyday wearables before the privacy rules catch up.

From our point of view, smart glasses sit at the intersection of consumer privacy, surveillance tech, and potential abuse. The risk is not just that a device records audio or video. AI-enabled wearables can process what they see, deduce identities, and potentially store biometric data in ways that ordinary users and bystanders can’t easily detect.

We’d rather err on the side of caution and use an app that can detect when smart glasses are nearby. Unfortunately, it only detects some devices, and we don’t yet know how well it will perform if smart glasses become more common.

As noted by 404 Media, the app is an imperfect, tech-based response to a social and legal problem: it can misfire, it can’t tell you who is being recorded, and it risks giving a false sense of safety. The developer frames it not as a solution but as a small, user-controlled countermeasure in an environment where surveillance devices are becoming less visible and more AI-enabled.

Don’t get recognized

If facial recognition features ever become common in smart glasses, much of their effectiveness will depend on how much information about you is already available online. There are a few steps you can take today to reduce your visibility in facial recognition systems and people-search databases.

A major factor is limiting who can see the photographs you post on social media and other online platforms. But there is more you can do:

Remove yourself from reverse face search engines

The major, most accurate reverse face search engines, Pimeyes and Facecheck.id, offer opt-out and removal processes that can help reduce your visibility in search results:

Remove yourself from people search engines

Most people don’t realize how much information can be found from a name alone. People-search sites often aggregate home addresses, phone numbers, ages, and relatives from public records and commercial databases.

The New York Times has compiled a useful guide to many of the major people-search sites, along with instructions for opting out and removing your information.

Scrub your data

If you’re in the US, you can also use Malwarebytes Personal Data Remover to help find and remove personal information that data broker sites have collected about you.

  •  

Meta’s face-recognition code raises new concerns about smart glasses

Meta’s smart glasses are once again at the center of a privacy debate due to face recognition.

WIRED reports that Meta had quietly embedded unreleased face-recognition code, internally called “NameTag,” into its Meta AI companion app, which powers the company’s smart glasses. The code was not active, but its presence in an app installed on more than 50 million devices raised immediate concerns about how quickly using smart glasses could slide into biometric surveillance.

Face recognition in glasses, even if disabled or unreleased, is especially sensitive because it can identify people at a distance, in real time, and without their consent. Many organizations have warned that this technology could be misused by stalkers, abusers, and others who want to identify people in public without drawing attention.

Gizmodo reports on a proposed Pennsylvania bill that would require smart glasses and similar wearable recording devices to include a visible indicator light when they are capturing audio or video. The bill would also prohibit users from disabling that indicator, a move clearly aimed at reducing covert recording in public spaces.

Most smart glasses already include such an indicator, but reporters noted that some users have been paying others to have them removed or disabled. The proposal is interesting because it tries to solve a hardware-level trust problem with a visible signal. But a visible light only helps if it is both mandatory and difficult to bypass, and history suggests that any visible privacy safeguard becomes a target for tampering when the incentives are high enough.

These two stories are really about the same issue: smart glasses are normalizing the use of always-on cameras, microphones, and AI features in a form that is much easier to conceal than a phone. That creates an unwanted privacy problem for people around the wearer.

Smart glasses are supposed to make computing more seamless. Instead, they are becoming a test case for what happens when cameras, microphones, AI, and biometric features are squeezed into everyday wearables before the privacy rules catch up.

From our point of view, smart glasses sit at the intersection of consumer privacy, surveillance tech, and potential abuse. The risk is not just that a device records audio or video. AI-enabled wearables can process what they see, deduce identities, and potentially store biometric data in ways that ordinary users and bystanders can’t easily detect.

We’d rather err on the side of caution and use an app that can detect when smart glasses are nearby. Unfortunately, it only detects some devices, and we don’t yet know how well it will perform if smart glasses become more common.

As noted by 404 Media, the app is an imperfect, tech-based response to a social and legal problem: it can misfire, it can’t tell you who is being recorded, and it risks giving a false sense of safety. The developer frames it not as a solution but as a small, user-controlled countermeasure in an environment where surveillance devices are becoming less visible and more AI-enabled.

Don’t get recognized

If facial recognition features ever become common in smart glasses, much of their effectiveness will depend on how much information about you is already available online. There are a few steps you can take today to reduce your visibility in facial recognition systems and people-search databases.

A major factor is limiting who can see the photographs you post on social media and other online platforms. But there is more you can do:

Remove yourself from reverse face search engines

The major, most accurate reverse face search engines, Pimeyes and Facecheck.id, offer opt-out and removal processes that can help reduce your visibility in search results:

Remove yourself from people search engines

Most people don’t realize how much information can be found from a name alone. People-search sites often aggregate home addresses, phone numbers, ages, and relatives from public records and commercial databases.

The New York Times has compiled a useful guide to many of the major people-search sites, along with instructions for opting out and removing your information.

Scrub your data

If you’re in the US, you can also use Malwarebytes Personal Data Remover to help find and remove personal information that data broker sites have collected about you.

  •  

Internet Age Gates Are a Growing Global Threat

The internet is an essential resource for young people and adults to access information, explore community, and find themselves—both inside countries and across continents. Yet governments around the world continue to introduce and implement legislation requiring all online users to verify their ages before accessing the digital space. In some cases, politicians are going further, putting forth proposals to ban social media for younger users.  

In late 2025, Australia’s government rolled out the first complete ban on users under 16 from having social media accounts. In this sweeping regime, platforms are required to introduce age assurance tools to block under-16s, demonstrate that they have taken “reasonable steps” to deactivate accounts used by under-16s, and prevent any new accounts being created, or face fines of up to 49.5 million Australian dollars ($32 million USD). The 10 banned platforms—Instagram, Facebook, Threads, Snapchat, YouTube, TikTok, Kick, Reddit, Twitch, and X—have each said they’ll comply with the legislation, which led to young people losing access to their accounts overnight. Reddit is currently challenging the law in Australian courts on constitutional grounds. Recent research notes how the ban is preventing teenagers from accessing news in the country. 

In the United Kingdom, rules took effect in mid-2025 under the Online Safety Act that require all online services available in the country to assess whether they host content considered harmful to children; if so, these services must introduce age checks to prevent children from accessing such content. Online services are also required to change their algorithms and moderation systems to ensure that content defined as harmful, like violent imagery, is not shown to young people. 

This approach is reckless, short-sighted, and we’ve already seen it introduce more harm to the young people that it is trying to protect. The UK’s scramble to find an effective age verification method shows us that there isn't one, and we’ve spent years urging UK politicians to abandon any measures that require platforms to collect data or remove privacy protections around users’ identities. 

Earlier this year, Indonesia’s Communications and Digital Affairs Minister, Meutya Hafid, announced that users under 16 would have their accounts on “high risk” platforms deactivated from 28 March. The platforms subject to this ban are YouTube, TikTok, Facebook, Instagram, Threads, X, Bigo Live, and Roblox; with Hafid noting how this policy would make Indonesia “the first non-Western country to delay children's access to digital spaces according to age.”

Similarly, the Malaysian government has recently pushed forward with plans to ban users under 16 from having accounts on social media platforms with at least 8 million users in Malaysia, including Facebook, Instagram, TikTok, and YouTube. Users under the age of 16 are being told to download or transfer their data from these platforms in one month before the restrictions are applied. Platforms failing to comply with the ban may face penalties of up to $2.5 million USD.

In Latin America, Brazil approved a new law in 2025 establishing that providers of information technology products and services directed to children and teenagers, or likely to be accessed by them, must conduct age checks when their products and services offer risks to underage users. Regulation requires age assurance for products and services that are not allowed for children and adolescents in accordance with Brazilian legislation. App stores and operating systems are required to provide age signals for other providers. 

While the law is already in force, full compliance with its obligations is expected for early 2027, after the approval of further regulations and a transition period, and the authority responsible for enforcing the law is the Brazilian National Data Protection Agency. The list of concerns regarding the implementation of the law include: the wide scope of products and services that may fall within age-check obligations, how these obligations can affect non-proprietary operating systems and free software projects, and how effective the law's crucial data protection safeguards will be in a context of likely widespread age checks for accessing content online.

Similarly, the European Union has taken large steps towards mandatory age verification that could undermine privacy, expression, and participation rights for everyone. Politicians are promoting an EU-wide approach to age verification through its age verification “app,” which will be fully interoperable with the Digital Identity Wallet. While this mini-app has been announced as technically ready to be rolled out “for citizens to use,” it comes with its own realm of potential privacy and security concerns, such as long-term identifiers (which could result in tracking) and over-exposure of personal information. 

The European Commission also supports age verification in various legislative initiatives, from proposals that would allow or mandate companies to scan our communication (“Chat Control”) to non-binding guidelines of existing laws, such as the Digital Services Act. The EU Parliament, too, has proposed an EU digital minimum age of 16 for access to social media, a move that aligns with EU Commission’s president Ursula von der Leyen’s recent public support for measures inspired by Australia’s model. To all these initiatives EFF has provided one consistent response: mandatory age verification measures are not the right way to protect young people. 

These proposals restrict the fundamental rights of young people to speak to each other and to access information. They also force all internet users, not just those under a certain age, to upload private data—like a face scan or passport—in order to access a website or service. In considering the vast scope of privacy issues pertaining to the collection, storage, and sharing of this personal information, the problems of age verification in restricting free speech are compounded by these reckless and harmful approaches to verification. 

The problem of censorship and surveillance goes far beyond the borders of the internet. EFF continues to explore support for legislative and litigation challenges that recognize how these laws harm everyone’s rights to privacy, free expression and due process.

  •  

LGBT Q&A Season 1 Recap: Staying Safer Online

Last year during LGBTQ+ Pride month, we launched an LGBT Q&A where we answered your most pressing digital rights questions on EFF’s Instagram and TikTok  accounts. 

Ahead of LGBT Q&A Season 2 launching next week, we’re posting a recap with some of the questions we answered. Check them out below.

  1. You wanted to know: How to stay safe when dating online.
  2. You asked: I'm a 17 year old trans woman and my address is public on the Internet. What steps can I take to mitigate this risk? 
  3. You wondered about: Tips for staying safe at Budapest Pride.
  4. You questioned: Why does homophobic content I report on social media not get removed?  
  5. You asked: What pictures are safe to use on dating apps?
  6. You wanted to know: Is it safe to have gay, trans, and Palestinian flags in my bio? 

We’re here to help build an online space where you get to decide what aspects of yourself you share with others, how you present to the world, and what things you keep private. Join us to make the internet private, safe, and full of pride.

  •  

Elon Musk’s XChat: how secure is the new messaging app? | Kaspersky official blog

Pavel Durov and his “private” messaging app have a brand new rival, and it’s — drumroll, please — Elon Musk and his XChat. On our blog, we’ve discussed more than once why Durov’s claims about Telegram privacy and security are exaggerated, to put it mildly. Here, I’ll just remind the reader that standard (non-secret) chats on Telegram aren’t protected by end-to-end encryption — the bare minimum required for user data to stay private.

But let’s get back to Musk. In late April 2026, the XChat app launched for iOS users. The tech mogul had been touting his messaging app for a long time, pitching it from day one as an incredibly private and secure way to communicate, and as a direct threat to Signal, WhatsApp, Telegram, and iMessage. Today, we look at whether we should actually trust Musk’s promises this new service, break down its core features, and stack it up against the competition.

Bitcoin-style encryption

Musk initially teased XChat on June 1, 2025, naturally via his X (formerly Twitter) account. Responding to another user’s question about when to expect the new service, Musk wrote: “This week if there are no scaling issues.”

Apparently, scaling issues there were: the app’s beta didn’t drop until September 2025, and iOS users didn’t get full access until April 2026. As for Android, there is zero info on when that version would launch at the time of this writing. That said, an XChat page is already live on Google Play where users can queue up “pre-register”, whatever that means.

But let’s go back to Musk’s post announcing XChat. That specific post turned a lot of heads in the privacy and cybersecurity community, and here’s why: the tech mogul wrote that the service would be built on an “entirely new architecture”, written in Rust, and featuring “Bitcoin-style encryption”.

Elon Musk's announcement of XChat

Elon Musk announces the launch of XChat, claiming the new messaging app is written in Rust and uses “Bitcoin-style encryption”. Source

The expert community spent a long time scratching their heads and trying to figure out what Musk actually meant. After all, Bitcoin isn’t an anonymous, encrypted data exchange system. The blockchain does use public and private cryptographic keys, but for something entirely different: signing transactions. Meanwhile, these transactions aren’t hidden from prying eyes; they’re out in the open for anyone to see, forever. Simply put, Bitcoin protects its users not by ensuring privacy, but quite the opposite — through ultimate transparency.

Most likely, Musk used “Bitcoin-style encryption” as a marketing gimmick. Bitcoin was trading near all-time highs at the time of his announcement, and cryptocurrency was the talk of the town. Technically, the XChat beta that dropped in September 2025 protected user chats with a “kind of” end-to-end encryption, but this was implemented in a way that raised serious doubts among cryptography experts.

And not without a reason. Normally, setting up an end-to-end encrypted chat automatically generates a public and private key pair. The public key is used to encrypt messages, while the private key decrypts them. Because other users need your public key to start a secure chat with you, these keys are usually stored on the app’s servers.

The private key, however, should ideally live only on the user’s device — which is exactly how Signal does it. This serves as a simple, ironclad guarantee that neither the company itself nor any third party breaching its infrastructure can access user chats, even if they really want to.

But Elon Musk’s projects always march to the beat of their own drum: the XChat developers decided it would be a great idea to store users’ private keys on XChat servers. X claims they’ll use hardware security modules (HSMs) to store these private keys — specialized appliances designed to prevent even the system owner from easily accessing the data inside. However, experts are also questioning the reliability of this setup, and coming to a grim conclusion: if X really wants to get a user’s private key, they will most likely be able to do so.

How encrypted messaging in XChat works in practice

Finally, once the scaling issues were ironed out nearly a year after the announcement, X officially rolled out the XChat app for iOS in April 2026. Now anyone can use it, but from a practical standpoint, the situation with encrypted chats seems even more convoluted than in Telegram.

According to the social network’s help center, to use end-to-end chat encryption in XChat, both users must have an X account, set up XChat, and have some sort of connection between them:

  • Follow, or be subscribed to each other
  • Have exchanged messages before
  • Have previously accepted a direct message request
  • Be a member of the same Premium Business / Premium Organization subscription on X

If users don’t follow each other and haven’t interacted before, XChat might still let them send a message request. However, that initial request goes out without end-to-end encryption.

Again, this is how the process is described in the messaging app’s official help documentation. Sound overly complicated? Let me reassure you: in practice, it works — or rather, doesn’t — completely differently. I personally managed to send a message to another user who had NOT set up XChat. The app itself, of course, gave me absolutely no warning about this.

XChat lets users send messages to people who haven't set up the app

The app allows you to start a chat with a user who hasn’t even set up XChat yet, without giving the sender any heads-up.

It gets even better. The user I messaged saw a notification for it on the web version of X, but couldn’t actually access the message. Here’s the catch: to start using XChat, the user first has to create a four-digit PIN. Yet, the app asks for this PIN the very first time the user tries to open it — meaning, before they even get a chance to create one. Along with this prompt, the user also sees a warning stating that without the PIN, they won’t be able to view past encrypted chats.

XChat asks for a PIN before one is even created

The user is prompted to enter a PIN to decrypt past messages before even completing the initial XChat setup.

The only workaround I found to actually start using XChat is to tap “Forgot PIN?” — even though that PIN never existed in the first place — confirm your identity, and create a new (well, your first) PIN. Naturally, you lose access to your chat history this way, so you won’t be able to read any messages sent to you in XChat before you officially set up the app.

XChat: the new Telegram, WhatsApp, Signal… or Facebook Messenger?

All these PIN hurdles actually exist for a reason. Remember, unlike WhatsApp and Signal, the XChat developers decided to store users’ private keys on their own servers. Consequently, the app uses these four-digit PINs to encrypt those keys.

According to the XChat help documentation, this mechanism was designed to ensure a “seamless” multi-device experience. It’s impossible not to point out that both WhatsApp and Signal managed to pull this off without sketchy workarounds like PIN requirements or server-side private key storage.

The problem is, workarounds like these undermine any claims of app privacy and security. First and chief among them, a PIN isn’t exactly the most secure way to protect sensitive data. We’ve mentioned time and again that four-digit combinations are easy to crack via brute force — especially since XChat gives you a generous 20 attempts to guess the right code.

XChat warns of lockout after 20 failed attempts

The app allows up to 20 attempts to enter the four-digit PIN. Once the limit is reached, XChat warns that access to messages will be permanently lost.

Stepping away from the bizarre implementation of end-to-end encryption compared to other messaging apps, it’s hard to ignore the overall sense of pointlessness that comes with trying to use XChat. As a Wired journalist rightly pointed out, the app feels less like a relative of WhatsApp, Signal, or Telegram, and much more like Facebook Messenger. Except people usually open Messenger to read a text from their mom or grandma, whereas XChat seems meant for anyone wanting to check in on that weird nephew who spends all his free time on X, still believes John McAfee’s promise of $500 000 Bitcoin, and fanboys over Elon Musk.

So, what’s the bottom line on XChat?

The best way to wrap up this post is with a quote from a cybersecurity expert: “If what you want is good security, use Signal. If what you want is to be able to talk to pretty much anybody using encrypted messages, use WhatsApp. If your whole life is based around X, I guess this is better than nothing.”

If you do use XChat, rule number one is to avoid a predictable PIN — absolutely don’t use your birth year or, worse, 1234. It’s also crucial not to forget this code, because if you do, your entire chat history is gone for good. Finally, just like your other passwords, you shouldn’t keep it in your notes app, but rather in a secure password manager. This won’t only save you from having to memorize dozens of character combinations, but will also reduce the risk of losing access to your vital data and conversations.

To learn more about secure messaging in other apps, check out our other posts:

  •  

EFF Testifies to Congress on Protecting Americans’ Rights from Government AI

Governments must not adopt emerging and powerful AI technologies without also adopting strong and clear safeguards to protect Constitutional rights, EFF Senior Policy Analyst Dr. Matthew Guariglia testified today to the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection. 

During the hearing on “The AI Security Landscape: How Frontier Models, Agentic AI, and AI Coding Tools Are Reshaping Cybersecurity and Critical Infrastructure Resilience,” he explained that the use of generative AI for the purposes of mass government surveillance would supercharge unconstitutional violations of civil liberties. He also highlighted how government secrecy, in addition to the black box of for-profit proprietary technology, prevents the public and lawmakers from knowing when AI models make mistakes, including errors that seriously impact the cybersecurity of critical infrastructure and the lives of individuals.  

“AI also has a track record of getting things wrong—from false citations on legal briefs to a major AI mistake that sent DHS recruits to the field without proper training. There are likely more consequential examples that we do not even know about because of classification that would prevent a more thorough accounting," he said in his opening remarks.

play
Privacy info. This embed will serve content from youtube.com

 

“At this level the question is not how do we rein in AI, it’s how do we rein in the agencies that would unleash AI on the American public,” Matthew said in response to a question by Subcommittee Ranking Member Delia Ramirez, D-Ill.  

You can read his full testimony as prepared here. 

  •  

Meta’s AI support bot happily handed Instagram accounts to hackers

Customer service chatbots have one job: get the user what they’re asking for without bothering a human. Meta’s new AI support assistant took that brief a little too seriously. Over the past few months, attackers have been opening support chats, telling the bot they were locked out of Instagram accounts they didn’t own, and walking away with the keys.

Over the weekend, Meta pushed an emergency patch after Instagram accounts belonging to the Obama White House (now dormant), beauty retailer Sephora, and a senior US Space Force official were taken over and briefly defaced with pro-Iranian imagery. Security researcher and former Meta employee Jane Manchun Wong was also hit.

How the trick worked

The attack was simple. Attackers worked out where the account owner lived (there are lists of account owners’ home cities online, or they could just research the target). Then they used a VPN to match the target account’s geographic region, which avoided raising flags with Instagram’s security systems.

Then they started a normal password reset and opened the support chat. They asked the AI bot providing support to change the email address on the account, and it did exactly that, sending a one-time code straight to the attacker’s inbox.

To do this, the chatbot appears to have been wired into Meta’s account management systems with permission to make account changes, but without being taught how to verify it was talking to the real account owner. Security people have a name for that: “confused deputy.” The term has been around since the 1980s.

In fairness to the confused bot, attackers were successful even if the enhanced security was triggered. They would apparently create video deepfakes of their targets using images that were harvested from—you guessed it—Instagram.

Meta hoisted on its own AI petard

Meta has been shedding headcount and pouring money into AI, and rolled out its AI-powered support assistant earlier this year to help handle account recovery and other support requests.

The downside is that the AI appears to have been given the ability to perform actions such as email changes and password resets without applying enough safeguards to confirm the user’s identity first.

Meta communications executive Andy Stone said on X that the issue was resolved and impacted accounts were being secured. The company has not disclosed how many accounts were affected.

What actually worked

Why would anyone want to hack an Instagram account anyway? Revenge can be a driver, but more often than not, financial gain is the goal. Hijackers have blackmailed businesses that rely on those accounts for marketing.

Attackers using this technique have also been spotted targeting “OG” accounts with short or highly desirable usernames. If you joined Instagram early and registered a memorable handle, it can be worth thousands of dollars on underground markets.

What can you do to protect yourself?

A perennial piece of advice still holds: turn on multi-factor authentication (MFA). According to veteran cybersecurity reporter Brian Krebs, the attack failed against accounts that had MFA enabled, including those using SMS codes.

That doesn’t make MFA perfect, but it adds an important layer of protection.

So the practical advice is unglamorous:

  • Open Instagram’s Settings
  • Navigate to your Meta Accounts Center
  • Turn on Two-factor authentication. An authenticator app is better than SMS, but either is better than nothing.

Do it now, because this might not yet be over. TheCyberSecGuru reports that another attack is circulating, this time using an Android emulator called BlueStacks running a modified version of Instagram to send new prompts with hidden characters designed to manipulate the AI.

Expect more snafus from “helpful” bots

This won’t be the last attack against AI chatbots. As more companies use AI to reduce customer support costs, their attack surface will grow, and they’ll make plenty of mistakes as they try to balance security and functionality.

The Meta exploit is patched, but the confused deputy concept is not. And there’s nothing quite as damaging as a confused AI with the keys to your digital life.


Scammers don’t need to hack you. They just need you to click once. 

Malwarebytes Identity Theft Protection catches suspicious activity before it becomes a problem.

  •  

Meta’s AI support bot happily handed Instagram accounts to hackers

Customer service chatbots have one job: get the user what they’re asking for without bothering a human. Meta’s new AI support assistant took that brief a little too seriously. Over the past few months, attackers have been opening support chats, telling the bot they were locked out of Instagram accounts they didn’t own, and walking away with the keys.

Over the weekend, Meta pushed an emergency patch after Instagram accounts belonging to the Obama White House (now dormant), beauty retailer Sephora, and a senior US Space Force official were taken over and briefly defaced with pro-Iranian imagery. Security researcher and former Meta employee Jane Manchun Wong was also hit.

How the trick worked

The attack was simple. Attackers worked out where the account owner lived (there are lists of account owners’ home cities online, or they could just research the target). Then they used a VPN to match the target account’s geographic region, which avoided raising flags with Instagram’s security systems.

Then they started a normal password reset and opened the support chat. They asked the AI bot providing support to change the email address on the account, and it did exactly that, sending a one-time code straight to the attacker’s inbox.

To do this, the chatbot appears to have been wired into Meta’s account management systems with permission to make account changes, but without being taught how to verify it was talking to the real account owner. Security people have a name for that: “confused deputy.” The term has been around since the 1980s.

In fairness to the confused bot, attackers were successful even if the enhanced security was triggered. They would apparently create video deepfakes of their targets using images that were harvested from—you guessed it—Instagram.

Meta hoisted on its own AI petard

Meta has been shedding headcount and pouring money into AI, and rolled out its AI-powered support assistant earlier this year to help handle account recovery and other support requests.

The downside is that the AI appears to have been given the ability to perform actions such as email changes and password resets without applying enough safeguards to confirm the user’s identity first.

Meta communications executive Andy Stone said on X that the issue was resolved and impacted accounts were being secured. The company has not disclosed how many accounts were affected.

What actually worked

Why would anyone want to hack an Instagram account anyway? Revenge can be a driver, but more often than not, financial gain is the goal. Hijackers have blackmailed businesses that rely on those accounts for marketing.

Attackers using this technique have also been spotted targeting “OG” accounts with short or highly desirable usernames. If you joined Instagram early and registered a memorable handle, it can be worth thousands of dollars on underground markets.

What can you do to protect yourself?

A perennial piece of advice still holds: turn on multi-factor authentication (MFA). According to veteran cybersecurity reporter Brian Krebs, the attack failed against accounts that had MFA enabled, including those using SMS codes.

That doesn’t make MFA perfect, but it adds an important layer of protection.

So the practical advice is unglamorous:

  • Open Instagram’s Settings
  • Navigate to your Meta Accounts Center
  • Turn on Two-factor authentication. An authenticator app is better than SMS, but either is better than nothing.

Do it now, because this might not yet be over. TheCyberSecGuru reports that another attack is circulating, this time using an Android emulator called BlueStacks running a modified version of Instagram to send new prompts with hidden characters designed to manipulate the AI.

Expect more snafus from “helpful” bots

This won’t be the last attack against AI chatbots. As more companies use AI to reduce customer support costs, their attack surface will grow, and they’ll make plenty of mistakes as they try to balance security and functionality.

The Meta exploit is patched, but the confused deputy concept is not. And there’s nothing quite as damaging as a confused AI with the keys to your digital life.


Scammers don’t need to hack you. They just need you to click once. 

Malwarebytes Identity Theft Protection catches suspicious activity before it becomes a problem.

  •  

Study on the Wi-Fi security situation in Mexico | Kaspersky official blog

One of the biggest football (soccer) events of this summer is the World Cup 2026. The tournament is co-hosted by three countries: the U.S., Canada, and Mexico. Unfortunately, events of this scale attract not just fans, but also scammers from all over the globe. We’ve already covered how cybercriminals are prepping for the World Cup online, and today we’re talking about digital security for fans on the ground in Mexico.

The country will host 13 matches and welcome millions of tourists. They’ll be staying in hotels, heading to games, checking out restaurants, navigating airports, and visiting popular tourist spots — and everywhere they go, the temptation to connect to public Wi-Fi will be high.

We’ve surveyed more than 84 500 (!) public Wi-Fi access points in Mexico City, Guadalajara, and Monterrey — and we have a lot to share about their security. Spoiler alert: many networks are still using outdated security standards, so you really shouldn’t go on vacation without reliable protection and an eSIM.

What and how we tested

Walking across Mexico looking for public Wi-Fi access points would have been a bit tough, though that’s exactly what we did for a similar Wi-Fi security survey in Paris. You can check out the results of that in our post, How safe is Wi-Fi in Paris?

This time the mission was far more demanding: mapping the wireless landscape of three major metropolises. That’s why we went wardriving — scanning for and logging wireless networks from a moving vehicle while equipped with a smartphone or laptop. It’s similar to searching for Wi-Fi on your phone, where the device constantly listens for nearby networks. Except instead of connecting to them, we just collect data about them.

All information was used strictly for passive observation and infrastructure analysis. Beyond receiving publicly broadcast service information, the experts of Kaspersky’s Global Research and Analysis Team (GReAT) didn’t attempt to authenticate, intercept traffic, exploit systems, or otherwise interact with the wireless networks they discovered. Mobile access points deployed in cars and on mobile devices were excluded from the sample.

Our main target was Mexico City — the capital and one of the most densely populated cities in Latin America. We took a drive through popular tourist spots: Mexico City Stadium, Mexico City International Airport, Zócalo, Paseo de la Reforma, Colonia Roma, La Condesa, Polanco, Coyoacán.

In Guadalajara and Monterrey, we drove similar routes: stadiums, main avenues, airports, and popular neighborhoods. Below you can see a heatmap of the areas we covered, ranging from red for areas with the highest density of public access points, through yellow and green, to blue for the lowest concentration.

Heatmap showing the locations of all Wi-Fi access points we covered in Mexico City
Heatmap showing the locations of all Wi-Fi access points we covered in Mexico City
Heatmap showing the locations of all Wi-Fi access points we covered in Guadalajara
Heatmap showing the locations of all Wi-Fi access points we covered in Guadalajara
Heatmap showing the locations of all Wi-Fi access points we covered in Monterrey
Heatmap showing the locations of all Wi-Fi access points we covered in Monterrey

We used passive radio reconnaissance to log 84 500 signals and 69 500 unique network identifiers across these three cities. The majority of the signals were caught in Mexico City (61.4%), followed by Guadalajara (23.6%) and Monterrey (14.8%).

What we analyzed:

  • Wireless network identifiers (SSIDs): the names that show up in your list of available Wi-Fi networks
  • Information that can be gleaned from these identifiers
  • Default router configurations and how ISPs deploy their networks
  • Frequencies used and signal characteristics
  • Channel load and radio frequency spectrum usage
  • Wireless network security configurations:
    • Open and insecure networks
    • Networks with WPS enabled
    • Secure networks (WPA2/WPA3) with WPS activated

You can find the full version of the study on the Securelist blog.

Telltale public Wi-Fi access point names

Network names (SSIDs) can tell you a lot by unintentionally revealing information about hardware manufacturers, ISPs, deployment methods, and whether an access point belongs to a business or a private user.

About 34% of the public Wi-Fi networks we logged didn’t bother changing their names at all, either sticking with the factory SSIDs from the router manufacturers or using standard naming conventions from their ISPs. For attackers, this can be a pretty solid hint, since this kind of network name lets them know which provider owns a given access point, what hardware is being used, and how it’s likely configured by default.

Another troubling nuance is the large number of Wi-Fi networks (over 30%) that use the access point’s MAC address (BSSID) as the visible network name. The first few bytes of a BSSID contain an Organizationally Unique Identifier (OUI), which gives away the router’s manufacturer. This is a useful lead for bad actors: they can find out who made the hardware and test for vulnerabilities specific to that brand’s models.

Is Mexican Wi-Fi well-protected?

An access point secured with WPA2/WPA3 can be considered more or less safe. All other authentication mechanisms yield much weaker results. We grouped the public Wi-Fi networks into four categories:

  • Secure (WPA2/WPA3)
  • Unsecured (open/WEP)
  • Weak (WPA)
  • Undetermined

The results are roughly the same across all three cities: about 82% of all analyzed access points are protected by secure standards. The outdated and insecure WPA protocol was practically nonexistent. However, more than 10% of the access points turned out to be completely unsecured. Connecting to these networks carries the risk of traffic interception and hidden surveillance.

But security isn’t evaluated by WPA protocols alone. We also checked for the presence of WPS, the infamous feature for quickly connecting to a network without entering a password, which is highly vulnerable to attacks. It turned out that WPS is enabled on nearly half (47%) of the access points in Mexico City, 43% in Guadalajara, and 41% in Monterrey. On average, 45% of the access points are potentially vulnerable to WPS-related attacks — sacrificing security for the sake of convenience.

What’s more, this feature frequently remained active even on seemingly secure WPA2/WPA3 networks — about half of them utilized WPS. This shows that having WPA2/WPA3 is still not enough to consider a Wi-Fi access point safe, as additional features like WPS can still leave the door open to attacks.

What else every tourist needs to know

Digital risks on a trip aren’t limited to public Wi-Fi alone, especially now that many are shifting away from public Wi-Fi to an eSIM. There are still plenty of threats in crowded places: public USB chargers, QR codes with swapped links, NFC and Bluetooth attacks, and, of course, social engineering tactics. Let’s break it all down.

Charging stations. Public USB chargers can also be dangerous: bad actors could potentially gain access to the data on your device or try to install malware. We covered these attacks in detail in our post, Data theft during smartphone charging.

Dangerous QR codes. Criminals can plant phishing QR codes in popular tourist spots. The pretexts can vary wildly; for instance, ads for team-specific fan “events”, or links supposedly offering discounts or restaurant menus. In reality, any QR code posted on the street can be considered insecure by default, and you shouldn’t scan them with your smartphone unless you have a QR code threat analyzer installed.

Fake broadcasts, tickets, and betting pools. Earlier, we described cases where bad actors were distributing malware via fake IPTV apps to capitalize on the WC26 hype. Remember, even if you plan to watch the tournament from home, you still need to stay alert and not trust the first sites that pop up advertising free broadcasts, offering betting pools, or promising unbelievably generous payouts.

NFC and Bluetooth attacks. Leaving Bluetooth enabled in crowded places can also cause problems: someone might try to discover your device, track you, or initiate an unwanted pairing request. NFC services with contactless payments create additional risks too — especially when paying in sketchy spots.

How to protect yourself and your devices

Despite the prevalence of secure WPA2/WPA3 public Wi-Fi access points in Mexico City, Guadalajara, and Monterrey, our study shows that public Wi-Fi networks remain vulnerable. It’s also important to remember that attackers can create fake networks — so-called evil twins — disguised as legitimate public Wi-Fi in airports, hotels, cafés, and tourist spots.

For the average user, it’s practically impossible to tell how safe a specific access point is when trying to connect. That’s why the safest option is to use cellular data to access the internet — completely eliminating the need for Wi-Fi. Besides, there’s no need to research the nuances of local laws, rates, and other cellular details for every country you plan to visit; you can just buy a global eSIM online in two clicks. We explained how to make the entire process hassle-free in our post, Internet on the go with Kaspersky eSIM Store.

If you still plan on connecting to public Wi-Fi, always use a VPN to secure your device and data when connecting to unfamiliar — especially unsecured — Wi-Fi networks. This creates an encrypted tunnel between your device and the VPN server, making it impossible to intercept your data along the way. Haven’t picked a VPN yet? Try Kaspersky VPN Secure Connection, which is included with both Kaspersky Premium and Kaspersky Plus subscriptions.

Now, if you still plan to attend the World Cup without any cybersecurity solution, at least follow these basic rules of digital hygiene:

  • Don’t use public USB chargers
  • Don’t send sensitive information over connections that aren’t secure
  • Don’t log in to banking, email, or social media accounts over unsecured Wi-Fi
  • Turn off Bluetooth and NFC while walking around in crowded places
  • Don’t trust QR codes posted on the street
  • Connect to public Wi-Fi only when absolutely necessary

What else to read to make sure cheering for your favorite team isn’t only exciting, but also safe:

  •  

23andMe exposed genetic information of millions, lawsuit says

California has sued the former shell of DNA testing company 23andMe over alleged security failures and misleading statements surrounding its 2023 data breach.

On May 27, 2026, Attorney General Rob Bonta filed suit in San Francisco Superior Court against Chrome Holding Co., the company now handling 23andMe’s remaining assets following its bankruptcy.

California’s complaint accuses 23andMe of failing to implement reasonable security measures to protect sensitive data and alleges violations of several state privacy and consumer protection laws. It also accuses the company of making misleading statements about its security practices.

The 2023 breach used old-school credential-stuffing tactics against 23andMe’s login page. Attackers operated inside the systems for roughly five months without anyone noticing. The direct compromise was modest, affecting about 14,000 accounts, but that was all the attackers needed to steal the data of just under seven million customers.

The intruders pivoted from those accounts through DNA Relatives, the platform’s headline feature, which enabled people to determine who they were connected with through DNA similarity. The lawsuit alleges a critical coding error in that feature enabled the perpetrators to scrape data from millions of other users connected by biological kinship.

The victim-blaming defense became evidence

After the breach went public, 23andMe sent victims’ legal representatives a letter blaming users for reusing passwords from sites that had been compromised earlier. The exposed data, the company suggested, had been shared of the users’ own free will and would not cause “pecuniary harm.”

The harms stemming from genetic data theft extend far beyond financial losses, however. The genetic information that was stolen enabled thieves to determine an individual’s genetic origins.

The data was reportedly offered for sale on the dark web with this information as a selling point, enabling sellers to offer records on Asian American Pacific Islander (AAPI) or Jewish customers, for example. Bonta’s office pointed out that antisemitic violence was on the rise at the time.

In spite of the letter’s attempt to blame users, only about 14,000 accounts were directly compromised through password reuse. The rest of the data was allegedly exposed through 23andMe’s own product. According to the complaint, the coding error in DNA Relatives exposed the data of anyone who had opted into the service, not just those linked to the 14,000 compromised accounts.

Can the state recover damages?

California is seeking statutory penalties ranging from $1,000 to $7,500 per violation. With 855,541 Californians among the affected users, the costs could mount up quickly.

The question is how much of it the state will collect if it wins its case. 23andMe filed for Chapter 11 bankruptcy in March 2025, then sold most of its assets, including the genomic data of more than 15 million customers, to TTAM Research Institute, a nonprofit founded by former 23andMe CEO Anne Wojcicki. California and several other states opposed the sale on Genetic Information Privacy Act grounds, but a federal bankruptcy judge approved it. The states are now appealing that decision.

Chrome Holding Co., the corporate shell that remains of 23andMe, received $305 million from that sale. But others have already been picking over what’s left.

Other regulators have already had their turn. The UK Information Commissioner’s Office fined 23andMe £2.31 million in June last year following a joint investigation with the Privacy Commissioner of Canada. A federal court initially approved a $30 million class-action settlement covering most US customer claims. That settlement later grew to $50 million and received final approval in January 2026.

What customers can do

If you tested with 23andMe, the standard breach hygiene still applies. Reset any password you reused on other sites and turn on multi-factor authentication wherever it’s offered. Credential stuffing only works on usernames and passwords that have already been exposed elsewhere. Also watch for phishing attacks that name-drop 23andMe or the breach itself. And maybe weigh the benefits of using DNA testing services against the security risks.

Because there’s one part of this that no fine and no settlement can solve: stolen genetic data sold on the dark web cannot be taken back. Passwords can be changed. DNA can’t.


Browse like no one’s watching. 

Malwarebytes Privacy VPN encrypts your connection and never logs what you do, so the next story you read doesn’t have to feel personal. Try it free → 

  •  
❌