Privacy


Welcome! This is a community for all those who are interested in protecting their privacy.

Rules

PS: Don't be a smartass and try to game the system, we'll know if you're breaking the rules when we see it!

  1. Be civil and no prejudice
  2. Don't promote big-tech software
  3. No apathy and defeatism for privacy (i.e. "They already have my data, why bother?")
  4. No reposting of news that was already posted
  5. No crypto, blockchain, NFTs
  6. No Xitter links (if absolutely necessary, use xcancel)


founded 9 months ago

cross-posted from: https://lemmy.zip/post/41151237

Arrest of Alejandro Theodoro Orellana comes as federal officials have been defending ICE use of face masks against mounting criticism


Dark Web Interdiction Act of 2025

Here is the text of a bill introduced to Congress (US), ostensibly to combat the trafficking of opioids over "The Dark Web". There's a nice definition of "The Dark Web" at section 4.

I like the part where it says people are using "The Dark Web" both within the United States and "at the international border".


GrapheneOS statement on Mastodon: https://grapheneos.social/@GrapheneOS/114661914197695338

Calyx made an official statement on this development here: https://calyxos.org/news/2025/06/11/android-16-plans/

Concerning stuff. Hopefully a workaround or solution is found at some point, but if not, I'm already thinking of how to manage without them.

I can't see myself going back to a standard Android phone, so I suppose in the worst-case scenario I'd have to settle for LineageOS, or potentially abandon Android altogether and see if I can manage with discrete separate devices to fulfill the same needs, such as:

  • a pocketable mini-Linux PC like a MNT Pocket Reform, which has the ability to use cellular networks. Should be able to text, browse web, and maybe GPS? Alternatively, perhaps the Mecha Comet?
  • Small pocketable dumb camera
  • MP3 player
  • Dumb-phone kept in a faraday bag when not in use?

EDIT:

Update on the situation from GrapheneOS in this thread (using Redlib, a proxy of Reddit)

The biggest problem for GrapheneOS is not the change to AOSP but rather our lead developer since 2022 being forcibly conscripted to fight in a war in April. That's why we've been asking for help since April.

In April, we were contacted by someone about upcoming changes to AOSP impacting us, including the removal of device support in Android 16. We talked about it internally but didn't know if the information was credible. We prepared as much as we could for the Android 16 port but didn't know exactly what would happen with device support. If we had clearer information on it and knew it was accurate, we could have prepared much more in advance.

Porting to Android 16 is required to continue shipping full Android privacy/security patches regardless of device. Only the latest stable release gets full privacy/security patches, which was the May release of Android 15 QPR2 and is not Android 16. Older releases only get backports.

Pixels also only have their driver and firmware patches for Android 16, although we're working on a release within the next 24 hours with backports of the most important firmware patches. We would normally have an experimental Android 16 release out already, if they hadn't made changes to AOSP.

There are further changes coming to AOSP. It is not only what is talked about there.

In another comment:

We're going to be continuing GrapheneOS but in the long term we'll need to shift to our own devices with an OEM partner.

It's not only Pixels which are going to be impacted. Pixels are still the only devices meeting our hardware requirements (https://grapheneos.org/faq#future-devices). It's clear we need our own hardware in partnership with an OEM that's serious about security and capable of delivering on it. We've had several attempts at OEM partnerships but they were unable to provide what we needed. It will cost millions of dollars to get a device meeting our basic requirements. We can do that, but we hoped for an OEM wanting to work with us instead of us needing to pay for everything through raising funds. We didn't end up finding a good OEM to work with that way so we'll do it the hard way.


Full text to bypass paywall:

A data broker owned by the country’s major airlines, including Delta, American Airlines, and United, collected U.S. travellers’ domestic flight records, sold access to them to Customs and Border Protection (CBP), and then as part of the contract told CBP to not reveal where the data came from, according to internal CBP documents obtained by 404 Media. The data includes passenger names, their full flight itineraries, and financial details.

CBP, a part of the Department of Homeland Security (DHS), says it needs this data to support state and local police to track people of interest’s air travel across the country, in a purchase that has alarmed civil liberties experts.

The documents reveal for the first time in detail why at least one part of DHS purchased such information, and come after Immigration and Customs Enforcement (ICE) detailed its own purchase of the data. The documents also show for the first time that the data broker, called the Airlines Reporting Corporation (ARC), tells government agencies not to mention where it sourced the flight data from.

“The big airlines—through a shady data broker that they own called ARC—are selling the government bulk access to Americans' sensitive information, revealing where they fly and the credit card they used,” Senator Ron Wyden said in a statement.

ARC is owned and operated by at least eight major U.S. airlines, other publicly released documents show. The company’s board of directors includes representatives from Delta, Southwest, United, American Airlines, Alaska Airlines, JetBlue, the European airlines Lufthansa and Air France, and Canada’s Air Canada. More than 240 airlines depend on ARC for ticket settlement services.

Do you work at ARC or an agency that uses ARC data? I would love to hear from you. Using a non-work device, you can message me securely on Signal at joseph.404 or send me an email at [email protected].

ARC’s other lines of business include being the conduit between airlines and travel agencies, finding travel trends in data with other firms like Expedia, and fraud prevention, according to material on ARC’s YouTube channel and website. The sale of U.S. flyers’ travel information to the government is part of ARC’s Travel Intelligence Program (TIP).

A Statement of Work included in the newly obtained documents, which describes why an agency is buying a particular tool or capability, says CBP needs access to ARC’s TIP product “to support federal, state, and local law enforcement agencies to identify persons of interest’s U.S. domestic air travel ticketing information.” 404 Media obtained the documents through a Freedom of Information Act (FOIA) request.

A screenshot of the Statement of Work. Image: 404 Media.

The new documents obtained by 404 Media also show ARC asking CBP to “not publicly identify vendor, or its employees, individually or collectively, as the source of the Reports unless the Customer is compelled to do so by a valid court order or subpoena and gives ARC immediate notice of same.”

The Statement of Work says that TIP can show a person’s paid intent to travel and tickets purchased through travel agencies in the U.S. and its territories. The data from the Travel Intelligence Program (TIP) will provide “visibility on a subject’s or person of interest’s domestic air travel ticketing information as well as tickets acquired through travel agencies in the U.S. and its territories,” the documents say. They add this data will be “crucial” in both administrative and criminal cases.

A DHS Privacy Impact Assessment (PIA) available online says that TIP data is updated daily with the previous day’s ticket sales, and contains more than one billion records spanning 39 months of past and future travel. The document says TIP can be searched by name, credit card, or airline, but ARC contains data from ARC-accredited travel agencies, such as Expedia, and not flights booked directly with an airline. “[I]f the passenger buys a ticket directly from the airline, then the search done by ICE will not show up in an ARC report,” that PIA says. The PIA notes the data impacts both U.S. and non-U.S. persons, meaning it does include information on U.S. citizens.

“While obtaining domestic airline data—like many other transaction and purchase records—generally doesn't require a warrant, they're still supposed to go through a legal process that ensures independent oversight and limits data collection to records that will support an investigation,” Jake Laperruque, deputy director of the Center for Democracy & Technology's Security and Surveillance Project, told 404 Media in an email. “As with many other types of sensitive and revealing data, the government seems intent on using data brokers to buy their way around important guardrails and limits.”

CBP’s contract with ARC started in June 2024 and may extend to 2029, according to the documents. The CBP contract 404 Media obtained documents for was an $11,025 transaction. Last Tuesday, a public procurement database added a $6,847.50 update to that contract, which said it was exercising “Option Year 1,” meaning it was extending the contract. The documents are redacted but briefly mention CBP’s OPR, or Office of Professional Responsibility, which in part investigates corruption by CBP employees.

“CBP is committed to protecting individuals’ privacy during the execution of its mission to protect the American people, safeguard our borders, and enhance the nation’s economic prosperity. CBP follows a robust privacy policy as we protect the homeland through the air, land and maritime environments against illegal entry, illicit activity or other threats to national sovereignty and economic security,” a CBP spokesperson said in a statement. CBP added that the data is only used when an OPR investigation is open and the agency needs to locate someone related to that investigation. The agency said the data can act as a good starting point to identify a relevant flight record before then getting more information through legal processes.

On May 1, ICE published details about its own ARC data purchase. In response, on May 2, 404 Media filed FOIA requests with ICE and a range of other agencies that 404 Media found had bought ARC’s services, including CBP, the Secret Service, SEC, DEA, the Air Force, U.S. Marshals Service, TSA, and ATF. 404 Media found these by searching U.S. procurement databases. Around a week later, The Lever covered the ICE contract.

A screenshot of the Statement of Work. Image: 404 Media.

Airlines contacted by 404 Media declined to comment, didn’t respond, or deferred to either ARC or DHS instead. ARC declined to comment. The company previously told The Lever that TIP “was established after the Sept. 11 terrorist attacks to provide certain data to law enforcement… for the purpose of national security matters” and criminal investigations.

“ARC has refused to answer oversight questions from Congress, so I have already contacted the major airlines that own ARC—like Delta, American Airlines and United—to find out why they gave the green light to sell their customers' data to the government,” Wyden’s statement added.

U.S. law enforcement agencies have repeatedly turned to private companies to buy data rather than obtain it through legal processes such as search warrants or subpoenas. That includes location data harvested from smartphones, utility data, and internet backbone data.

“Overall it strikes me as yet another alarming example of how the ‘Big Data Surveillance Complex’ is becoming the digital age version of the Military-Industrial Complex,” Laperruque says, referring to the purchase of airline data.

“It's clear the Data Broker Loophole is pushing the government back towards a pernicious ‘collect it all’ mentality, gobbling up as much sensitive data as it can about all Americans by default. A decade ago the public rejected that approach, and Congress passed surveillance reform legislation that banned domestic bulk collection. Clearly it's time for Congress to step in again, and stop the Data Broker Loophole from being used to circumvent that ban,” he added.

According to ARC’s website, the company only introduced multifactor authentication on May 15.


cross-posted from: https://lemmy.sdf.org/post/36376926

Archived

On June 4, during a meeting with government officials, Vladimir Putin stated that all public services must be moved to the national messenger app called Max. According to Minister of Digital Development Maksut Shadayev, the multiplatform system is already operational.

[...]

The Max app — a Russian equivalent of China’s WeChat — was unveiled by the tech giant VK in late March. At present, it features a messenger, a chatbot builder, a payment system, and mini-apps. On June 5, VTB’s digital bank launched on the platform.

To register, a Belarusian or Russian SIM card is required — which, as The Insider noted, foreigners can no longer obtain without submitting biometric data.

As stated in the Max app’s privacy policy, the platform will collect data on:

  • user devices
  • IP address
  • operating system
  • browser
  • location
  • internet provider
  • contacts from the address book
  • all user activity within the service
  • information obtained through the camera or microphone, if the user grants the app access (most users will, for example, in order to record voice messages)

Other messaging apps collect such data as well, but there's a catch. The Max app's privacy policy explicitly states that it may share this data with the “company's partners” as well as with “any government or local authority.”

[...]

Waymo is a Cop (www.jwz.org)
submitted 1 month ago by [email protected] to c/privacy

Original question by @[email protected]

I am currently using Obsidian. I like it; it is great. The graph is a bit of a gimmick but very rewarding. The formatting is easy. The search can be great and powerful, but Markdown can also be a letdown sometimes; it is just so limiting sometimes.

I think Obsidian is almost boring. It works, and my main gripe is syncing it to my phone. I have tried using Syncthing, but I often get clashes with versions of notes or even lose notes, even when using Syncthing versioning.

But then there is Notion. Let me first say, I have not used Notion at all. I made an account, saw all the great stuff, especially the database feature and all the APIs, but something felt off.

Of course, I researched the privacy of Notion and realised it is a complete dumpster fire.

My work is confidential; I really can't use something like Notion. But then, for my personal stuff, I also don't want AI to be trained on it or used for marketing to me or on me.

Are there alternatives to Notion that someone can recommend to me?


Parking apps are an interesting one:

  • it is very convenient to not have to run back and put more money in the meter if your appointment / event goes over time
  • there are some significant privacy issues

Google warns “passwords are not only painful to maintain, but are also more prone to phishing and often leaked through data breaches.” And that’s the real issue. “It’s important to use tools that automatically secure your account and protect you from scams,” Google tells users, and that means upgrading account security now.

Google says “we want to move beyond passwords altogether, while keeping sign-ins as easy as possible.” That includes social sign-ins, but mainly it means passkeys. “Passkeys are phishing-resistant and can log you in simply with the method you use to unlock your device (like your fingerprint or face ID) — no password required.”

This is just one of their excuses to keep their users inside Google's walled garden.


cross-posted from: https://lemmy.sdf.org/post/36247127

Archived

A newly emerged threat actor, going by the alias “Often9,” has posted on a prominent cybercrime and database trading forum, claiming to possess 428 million unique TikTok user records. The post is titled “TikTok 2025 Breach – 428M Unique Lines.”

The seller’s post, which appeared on the forum [on May 29, 2025], promises a dataset containing detailed user information such as:

  • Email addresses
  • Mobile phone numbers
  • Biography, avatar URLs, and profile links
  • TikTok user IDs, usernames, and nicknames
  • Account flags like private_account, secret, verified, and ttSeller status.
  • Publicly visible metrics such as follower counts, following counts, like counts, video counts, digg counts, and friend counts.

[...]


cross-posted from: https://lemmy.sdf.org/post/36242205

Archived

  • Hundreds of millions of users are likely exposed.
  • Data leak contained billions of documents with financial data, WeChat and Alipay details.
  • The Cybernews research team believes the dataset was meticulously gathered and maintained for building comprehensive behavioral, economic, and social profiles of nearly any Chinese citizen.

The supermassive data leak likely exposed hundreds of millions of users, primarily from China, the Cybernews research team’s latest findings reveal. A humongous 631-gigabyte database was left without a password, publicizing a mind-boggling 4 billion records.

Bob Dyachenko, cybersecurity researcher and owner at SecurityDiscovery.com, together with the Cybernews team, discovered billions upon billions of exposed records on an open instance.

[...]

The database consisted of numerous collections, containing from half a million to over 800 million records from various sources. The Cybernews research team believes the dataset was meticulously gathered and maintained for building comprehensive behavioral, economic, and social profiles of nearly any Chinese citizen.

“The sheer volume and diversity of data types in this leak suggests that this was likely a centralized aggregation point, potentially maintained for surveillance, profiling, or data enrichment purposes,” the team observed.

There’s no shortage of ways threat actors or nation states could exploit the data. With a data set of that magnitude, everything from large-scale phishing, blackmail, and fraud to state-sponsored intelligence gathering and disinformation campaigns is on the table.

[...]

The team managed to see sixteen data collections, likely named after the type of data they included.

The largest collection, with over 805 million records, was named “wechatid_db,” which most likely points to the data coming from the Baidu-owned super-app WeChat.

[...]

The second largest collection, “address_db,” had over 780 million records containing residential data with geographic identifiers. The third largest collection, simply named “bank,” had over 630 million records of financial data, including payment card numbers, dates of birth, names, and phone numbers.

Possessing only these three collections would enable skilled attackers to correlate different data points to find out where certain users live and what their spending habits, debts, and savings are.

Another major collection in the dataset was named in Mandarin, which roughly translates to “three-factor checks.” With over 610 million records, the collection most likely contained IDs, phone numbers, and usernames.

[...]

"Individuals who may be affected by this leak have no direct recourse due to the anonymity of the owner and lack of notification channels,” the team noted.

China-based data leaks are hardly new. We [Cybernews] ourselves have previously written about a data leak that exposed 1.5 billion Weibo, DiDi, Shanghai Communist Party, and others’ records, or a mysterious actor spilling over 1.2 billion records on Chinese users. More recently, attackers leaked 62 million iPhone users’ records online.

[...]


Old video, but keeps being relevant.

If you want to attend a protest, you have to become unidentifiable. This is how you do it. Become a producer of independent research and analysis by joining my Patreon page: / thehatedone

Police now have the ability to harass protesters with arrests, threats and coercion all the way back to their homes and offices. Attending a protest with a phone will now tell the police exactly who you are, who you communicate with and where you live.

Your phone has four main radio signals, all of which can compromise your security:

  • Cellular radio is your phone’s most revealing data point. Your SIM card has a unique IMSI number that is broadcast indiscriminately in all directions. The police can capture this number with so-called IMSI catchers, find your real phone number and even intercept your calls and SMS texts.
  • WiFi is the second most common data point. Police can set up a rogue hotspot to trick your phone into connecting to it without you noticing, and they can start monitoring your traffic in real time.
  • Police can also use Bluetooth beacons to catch your phone’s unique identifier. They could also try to exploit known Bluetooth vulnerabilities to attack your device with a malicious payload.
  • GPS is broadly used for precise location services, but this one is the safest data point. Your phone is only a receiver of GPS signals and doesn’t transmit any information. Your phone may, however, store GPS coordinates, which may be revealed to the police if they capture and unlock your phone.

Surveillance is the best tool to silence dissent. This is why if you care about your cause, you are going to have to care about protecting the identity of you and your fellow protesters. Your goal must be to become unidentifiable.

What follows is a comprehensive guide to become anonymous in the street. The goal is extreme anonymity and no middle-ground compromises. This guide will be split into two parts – Digital security, and physical security. Make sure to follow and understand every step in both of these parts as they are both equally required to remain anonymous.

Sources:

EFF's guide on attending a protest: https://ssd.eff.org/en/module/attendi...
IMSI Catchers: https://www.eff.org/wp/gotta-catch-em...
Stingrays: https://www.wired.com/2015/10/stingra...
https://www.wired.com/2014/06/feds-to...
How to prepare your phone for a protest: https://themarkup.org/ask-the-markup/...
Protest privacy - photos: https://themarkup.org/ask-the-markup/...
Burner Phone tutorial by The Intercept: https://theintercept.com/2020/06/15/p...
Rogue WIFI hotspots: https://www.forbes.com/sites/andygree...
Dataminers spy on social media: https://theintercept.com/2020/07/09/t...
Anonymous Twitter account: https://theintercept.com/2017/02/20/h...
Facial recognition in Hong Kong protest: https://www.nytimes.com/2019/07/26/te...

List of all apps and services mentioned (no affiliation):

GrapheneOS: https://grapheneos.org/
Download: https://grapheneos.org/releases
Install: https://grapheneos.org/install
F-Droid: https://f-droid.org/
Orbot: https://guardianproject.info/apps/org...
Tor Browser: https://www.torproject.org/
Aurora Store: https://f-droid.org/en/packages/com.a...
KeepassDX: https://github.com/Kunzisoft/KeePassDX
Tutanota: https://tutanota.com/
Protonmail: https://protonmail.com/
SimpleLogin: https://simplelogin.io/
Aegis Authenticator: https://getaegis.app/
Signal: https://signal.org/
Briar: https://briarproject.org/
Wire: https://wire.com/en/
Anonymous Twitter: https://twitter3e4tixl4xyajtrzo62zg5v/...
Scrambled Exif: https://f-droid.org/en/packages/com.j...
ImagePipe: https://f-droid.org/en/packages/com.j...
ObscuraCam: https://guardianproject.info/apps/obs...
OsmAnd: https://osmand.net/



Original idea by @[email protected]

Receiving a spam call puts you in a bit of a dilemma, or at least it does for me: How do I deal with this call that doesn't alert the spammers that this is an active number that they can call again? Answering the call is obviously the wrong choice, but I always assume that rejecting the call outright will also be detected as a deliberate action and therefore a person is on the other side. Some people have suggested answering the phone but not talking, so they think it's a dead number, but I want something more definitive.

My idea is to have a "spam" button on the incoming call screen, that answers the call but doesn't connect the microphone. Instead it plays either the standard "the number you're dialing is not assigned, please check your number and try your call again" recording, or a fax/modem sound to make them think the phone number belongs to a machine and not a human.

Would they work? Or would they still be able to determine that the recording is spoofed by the phone itself? Does anything like this already exist?
