Privacy


Welcome! This is a community for all those who are interested in protecting their privacy.

Rules

PS: Don't be a smartass and try to game the system, we'll know if you're breaking the rules when we see it!

  1. Be civil and no prejudice
  2. Don't promote big-tech software
  3. No apathy and defeatism for privacy (i.e. "They already have my data, why bother?")
  4. No reposting of news that was already posted
  5. No crypto, blockchain, NFTs
  6. No Xitter links (if absolutely necessary, use xcancel)


founded 7 months ago

Full text to bypass paywall:

A data broker owned by the country’s major airlines, including Delta, American Airlines, and United, collected U.S. travellers’ domestic flight records, sold access to them to Customs and Border Protection (CBP), and then as part of the contract told CBP to not reveal where the data came from, according to internal CBP documents obtained by 404 Media. The data includes passenger names, their full flight itineraries, and financial details.

CBP, a part of the Department of Homeland Security (DHS), says it needs this data to support state and local police to track people of interest’s air travel across the country, in a purchase that has alarmed civil liberties experts.

The documents reveal for the first time in detail why at least one part of DHS purchased such information, and comes after Immigration and Customs Enforcement (ICE) detailed its own purchase of the data. The documents also show for the first time that the data broker, called the Airlines Reporting Corporation (ARC), tells government agencies not to mention where it sourced the flight data from.

“The big airlines—through a shady data broker that they own called ARC—are selling the government bulk access to Americans' sensitive information, revealing where they fly and the credit card they used,” Senator Ron Wyden said in a statement.

ARC is owned and operated by at least eight major U.S. airlines, other publicly released documents show. The company’s board of directors include representatives from Delta, Southwest, United, American Airlines, Alaska Airlines, JetBlue, and European airlines Lufthansa and Air France, and Canada’s Air Canada. More than 240 airlines depend on ARC for ticket settlement services.

Do you work at ARC or an agency that uses ARC data? I would love to hear from you. Using a non-work device, you can message me securely on Signal at joseph.404 or send me an email at [email protected].

ARC’s other lines of business include being the conduit between airlines and travel agencies, finding travel trends in data with other firms like Expedia, and fraud prevention, according to material on ARC’s YouTube channel and website. The sale of U.S. flyers’ travel information to the government is part of ARC’s Travel Intelligence Program (TIP).

A Statement of Work included in the newly obtained documents, which describes why an agency is buying a particular tool or capability, says CBP needs access to ARC’s TIP product “to support federal, state, and local law enforcement agencies to identify persons of interest’s U.S. domestic air travel ticketing information.” 404 Media obtained the documents through a Freedom of Information Act (FOIA) request.

A screenshot of the Statement of Work. Image: 404 Media.

The new documents obtained by 404 Media also show ARC asking CBP to “not publicly identify vendor, or its employees, individually or collectively, as the source of the Reports unless the Customer is compelled to do so by a valid court order or subpoena and gives ARC immediate notice of same.”

The Statement of Work says that TIP can show a person’s paid intent to travel and tickets purchased through travel agencies in the U.S. and its territories. The data from the Travel Intelligence Program (TIP) will provide “visibility on a subject’s or person of interest’s domestic air travel ticketing information as well as tickets acquired through travel agencies in the U.S. and its territories,” the documents say. They add this data will be “crucial” in both administrative and criminal cases.

A DHS Privacy Impact Assessment (PIA) available online says that TIP data is updated daily with the previous day’s ticket sales, and contains more than one billion records spanning 39 months of past and future travel. The document says TIP can be searched by name, credit card, or airline, but ARC contains data from ARC-accredited travel agencies, such as Expedia, and not flights booked directly with an airline. “[I]f the passenger buys a ticket directly from the airline, then the search done by ICE will not show up in an ARC report,” that PIA says. The PIA notes the data impacts both U.S. and non-U.S. persons, meaning it does include information on U.S. citizens.

“While obtaining domestic airline data—like many other transaction and purchase records—generally doesn't require a warrant, there's still supposed to go through a legal process that ensures independent oversight and limits data collection to records that will support an investigation,” Jake Laperruque, deputy director of the Center for Democracy & Technology's Security and Surveillance Project, told 404 Media in an email. “As with many other types of sensitive and revealing data, the government seems intent on using data brokers to buy their way around important guardrails and limits.”

CBP’s contract with ARC started in June 2024 and may extend to 2029, according to the documents. The CBP contract 404 Media obtained documents for was an $11,025 transaction. Last Tuesday, a public procurement database added a $6,847.50 update to that contract, which said it was exercising “Option Year 1,” meaning it was extending the contract. The documents are redacted but briefly mention CBP’s OPR, or Office of Professional Responsibility, which in part investigates corruption by CBP employees.

“CBP is committed to protecting individuals’ privacy during the execution of its mission to protect the American people, safeguard our borders, and enhance the nation’s economic prosperity. CBP follows a robust privacy policy as we protect the homeland through the air, land and maritime environments against illegal entry, illicit activity or other threats to national sovereignty and economic security,” a CBP spokesperson said in a statement. CBP added that the data is only used when an OPR investigation is open and the agency needs to locate someone related to that investigation. The agency said the data can act as a good starting point to identify a relevant flight record before then getting more information through legal processes.

On May 1, ICE published details about its own ARC data purchase. In response, on May 2, 404 Media filed FOIA requests with ICE and a range of other agencies that 404 Media found had bought ARC’s services, including CBP, the Secret Service, SEC, DEA, the Air Force, U.S. Marshals Service, TSA, and ATF. 404 Media found these by searching U.S. procurement databases. Around a week later, The Lever covered the ICE contract.

A screenshot of the Statement of Work. Image: 404 Media.

Airlines contacted by 404 Media declined to comment, didn’t respond, or deferred to either ARC or DHS instead. ARC declined to comment. The company previously told The Lever that TIP “was established after the Sept. 11 terrorist attacks to provide certain data to law enforcement… for the purpose of national security matters” and criminal investigations.

“ARC has refused to answer oversight questions from Congress, so I have already contacted the major airlines that own ARC—like Delta, American Airlines and United—to find out why they gave the green light to sell their customers' data to the government,” Wyden’s statement added.

U.S. law enforcement agencies have repeatedly turned to private companies to buy data rather than obtain it through legal processes such as search warrants or subpoenas. That includes location data harvested from smartphones, utility data, and internet backbone data.

“Overall it strikes me as yet another alarming example of how the ‘Big Data Surveillance Complex’ is becoming the digital age version of the Military-Industrial Complex,” Laperruque says, referring to the purchase of airline data.

“It's clear the Data Broker Loophole is pushing the government back towards a pernicious ‘collect it all’ mentality, gobbling up as much sensitive data as it can about all Americans by default. A decade ago the public rejected that approach, and Congress passed surveillance reform legislation that banned domestic bulk collection. Clearly it's time for Congress to step in again, and stop the Data Broker Loophole from being used to circumvent that ban,” he added.

According to ARC’s website, the company only introduced multifactor authentication on May 15.


cross-posted from: https://lemmy.sdf.org/post/36376926

Archived

On June 4, during a meeting with government officials, Vladimir Putin stated that all public services must be moved to the national messenger app called Max. According to Minister of Digital Development Maksut Shadayev, the multiplatform system is already operational.

[...]

The Max app — a Russian equivalent of China’s WeChat — was unveiled by the tech giant VK in late March. At present, it features a messenger, a chatbot builder, a payment system, and mini-apps. On June 5, VTB’s digital bank launched on the platform.

To register, a Belarusian or Russian SIM card is required — which, as The Insider noted, foreigners can no longer obtain without submitting biometric data.

As stated in the Max app’s privacy policy, the platform will collect data on:

  • user devices
  • IP address
  • operating system
  • browser
  • location
  • internet provider
  • contacts from the address book
  • all user activity within the service
  • information obtained through the camera or microphone, if the user grants the app access (most users will, for example, in order to record voice messages)

Other messaging apps collect such data as well, but there's a catch. The Max app's privacy policy explicitly states that it may share this data with the “company's partners” as well as with “any government or local authority.”

[...]

Waymo is a Cop (www.jwz.org)
submitted 1 week ago by [email protected] to c/privacy

Original question by @[email protected]

I am currently using Obsidian. I like it; it is great. The graph is a bit of a gimmick but very rewarding. The formatting is easy. The search can be great and powerful, but Markdown can also be a letdown sometimes; it is just so limiting sometimes.

I think Obsidian is almost boring. It works, and my main gripe is syncing it to my phone. I have tried using Syncthing, but I often get clashes with versions of notes or even lose notes, even when using Syncthing versioning.

But then there is Notion. Let me first say, I have not used Notion at all. I made an account, saw all the great stuff, especially the database feature and all the APIs, but something felt off.

Of course, I researched the privacy of Notion and realised it is a complete dumpster fire.

My work is confidential; I really can't use something like Notion. But then, for my personal stuff, I also don't want AI to be trained on it or used for marketing to me or on me.

Are there alternatives to Notion that someone can recommend to me?


Parking apps is an interesting one:

  • it is very convenient to not have to run back and put more money in the meter if your appointment / event goes over time
  • there are some significant privacy issues

Google warns “passwords are not only painful to maintain, but are also more prone to phishing and often leaked through data breaches.” And that’s the real issue. “It’s important to use tools that automatically secure your account and protect you from scams,” Google tells users, and that means upgrading account security now.

Google says “we want to move beyond passwords altogether, while keeping sign-ins as easy as possible.” That includes social sign ins, but mainly it means passkeys. “Passkeys are phishing-resistant and can log you in simply with the method you use to unlock your device (like your fingerprint or face ID) — no password required.”

This is just one of their excuses to keep their users inside Google's walled garden.


cross-posted from: https://lemmy.sdf.org/post/36247127

Archived

A newly emerged threat actor, going by the alias “Often9,” has posted on a prominent cybercrime and database trading forum, claiming to possess 428 million unique TikTok user records. The post is titled “TikTok 2025 Breach – 428M Unique Lines.”

The seller’s post, which appeared on the forum [on May 29, 2025], promises a dataset containing detailed user information such as:

  • Email addresses
  • Mobile phone numbers
  • Biography, avatar URLs, and profile links
  • TikTok user IDs, usernames, and nicknames
  • Account flags like private_account, secret, verified, and ttSeller status
  • Publicly visible metrics such as follower counts, following counts, like counts, video counts, digg counts, and friend counts

[...]


cross-posted from: https://lemmy.sdf.org/post/36242205

Archived

  • Hundreds of millions of users are likely exposed.
  • Data leak contained billions of documents with financial data, WeChat and Alipay details.
  • The Cybernews research team believes the dataset was meticulously gathered and maintained for building comprehensive behavioral, economic, and social profiles of nearly any Chinese citizen.

The supermassive data leak likely exposed hundreds of millions of users, primarily from China, the Cybernews research team’s latest findings reveal. A humongous, 631 gigabytes-strong database was left without a password, publicizing a mind-boggling 4 billion records.

Bob Dyachenko, cybersecurity researcher and owner at SecurityDiscovery.com, together with the Cybernews team, discovered billions upon billions of exposed records on an open instance.

[...]

The database consisted of numerous collections, containing from half a million to over 800 million records from various sources. The Cybernews research team believes the dataset was meticulously gathered and maintained for building comprehensive behavioral, economic, and social profiles of nearly any Chinese citizen.

“The sheer volume and diversity of data types in this leak suggests that this was likely a centralized aggregation point, potentially maintained for surveillance, profiling, or data enrichment purposes,” the team observed.

There’s no shortage of ways threat actors or nation states could exploit the data. With a data set of that magnitude, everything from large-scale phishing, blackmail, and fraud to state-sponsored intelligence gathering and disinformation campaigns is on the table.

[...]

The team managed to see sixteen data collections, likely named after the type of data they included.

The largest collection, with over 805 million records, was named “wechatid_db,” which most likely points to the data coming from the Baidu-owned super-app WeChat.

[...]

The second largest collection, “address_db,” had over 780 million records containing residential data with geographic identifiers. The third largest collection, simply named “bank,” had over 630 million records of financial data, including payment card numbers, dates of birth, names, and phone numbers.

Possessing only these three collections would enable skilled attackers to correlate different data points to find out where certain users live and what their spending habits, debts, and savings are.

Another major collection in the dataset was named in Mandarin, which roughly translates to “three-factor checks.” With over 610 million records, the collection most likely contained IDs, phone numbers, and usernames.

[...]

“Individuals who may be affected by this leak have no direct recourse due to the anonymity of the owner and lack of notification channels,” the team noted.

China-based data leaks are hardly new. We [Cybernews] ourselves have previously written about a data leak that exposed 1.5 billion Weibo, DiDi, Shanghai Communist Party, and others’ records, or a mysterious actor spilling over 1.2 billion records on Chinese users. More recently, attackers leaked 62 million iPhone users’ records online.

[...]


Old video, but keeps being relevant.

If you want to attend a protest, you have to become unidentifiable. This is how you do it. Become a producer of independent research and analysis by joining my Patreon page: / thehatedone

Police now have the ability to harass protesters with arrests, threats and coercion all the way back to their homes and offices. Attending a protest with a phone will now tell the police exactly who you are, who you communicate with and where you live.

Your phone has four main radio signals, all of which can compromise your security:

  • Cellular radio – is your phone’s most revealing data point. Your SIM card has a unique IMSI number that is broadcast indiscriminately in all directions. The police can capture this number with so-called IMSI catchers, find your real phone number and even intercept your calls and SMS texts.
  • WiFi – is the second most common data point. Police can set up a rogue hotspot to trick your phone into connecting to it without you noticing, and they can start monitoring your traffic in real time.
  • Bluetooth – police can also use Bluetooth beacons to catch your phone’s unique identifier. They could also try to exploit known Bluetooth vulnerabilities to attack your device with a malicious payload.
  • GPS – is broadly used for precise location services, but this one is the safest data point. Your phone is only a receiver of GPS signals and doesn’t transmit any information. Your phone may, however, store GPS coordinates, which may be revealed to the police if they capture and unlock your phone.

Surveillance is the best tool to silence dissent. This is why if you care about your cause, you are going to have to care about protecting the identity of you and your fellow protesters. Your goal must be to become unidentifiable.

What follows is a comprehensive guide to become anonymous in the street. The goal is extreme anonymity and no middle-ground compromises. This guide will be split into two parts – Digital security, and physical security. Make sure to follow and understand every step in both of these parts as they are both equally required to remain anonymous.

Sources
EFF's guide on attending a protest: https://ssd.eff.org/en/module/attendi...
IMSI Catchers: https://www.eff.org/wp/gotta-catch-em...
Stingrays: https://www.wired.com/2015/10/stingra...
https://www.wired.com/2014/06/feds-to...
How to prepare your phone for a protest: https://themarkup.org/ask-the-markup/...
Protest privacy - photos: https://themarkup.org/ask-the-markup/...
Burner Phone tutorial by The Intercept: https://theintercept.com/2020/06/15/p...
Rogue WIFI hotspots: https://www.forbes.com/sites/andygree...
Dataminers spy on social media: https://theintercept.com/2020/07/09/t...
Anonymous Twitter account: https://theintercept.com/2017/02/20/h...
Facial recognition in Hong Kong protest: https://www.nytimes.com/2019/07/26/te...

List of all apps and services mentioned (no affiliation)
GrapheneOS: https://grapheneos.org/
Download: https://grapheneos.org/releases
Install: https://grapheneos.org/install
F-Droid: https://f-droid.org/
Orbot: https://guardianproject.info/apps/org...
Tor Browser: https://www.torproject.org/
Aurora Store: https://f-droid.org/en/packages/com.a...
KeepassDX: https://github.com/Kunzisoft/KeePassDX
Tutanota: https://tutanota.com/
Protonmail: https://protonmail.com/
SimpleLogin: https://simplelogin.io/
Aegis Authenticator: https://getaegis.app/
Signal: https://signal.org/
Briar: https://briarproject.org/
Wire: https://wire.com/en/
Anonymous Twitter: https://twitter3e4tixl4xyajtrzo62zg5v/...
Scrambled Exif: https://f-droid.org/en/packages/com.j...
ImagePipe: https://f-droid.org/en/packages/com.j...
ObscuraCam: https://guardianproject.info/apps/obs...
OsmAnd: https://osmand.net/

Credits
Music By: White Bat Audio / whitebataudio

Follow me: / the_hatedone_
/ thehatedone

The footage and images featured in the video were for critical analysis, commentary and parody, which are protected under the Fair Use laws of the United States Copyright act of 1976.


Original idea by @[email protected]

Receiving a spam call puts you in a bit of a dilemma, or at least it does for me: How do I deal with this call that doesn't alert the spammers that this is an active number that they can call again? Answering the call is obviously the wrong choice, but I always assume that rejecting the call outright will also be detected as a deliberate action and therefore a person is on the other side. Some people have suggested answering the phone but not talking, so they think it's a dead number, but I want something more definitive.

My idea is to have a "spam" button on the incoming call screen, that answers the call but doesn't connect the microphone. Instead it plays either the standard "the number you're dialing is not assigned, please check your number and try your call again" recording, or a fax/modem sound to make them think the phone number belongs to a machine and not a human.

Would they work? Or would they still be able to determine that the recording is spoofed by the phone itself? Does anything like this already exist?


cross-posted from: https://lemmy.sdf.org/post/36106116

Archived

[...]

According to the measures, introduced by the Ministry of Public Security (MPS), each internet user in China will be issued with a unique “web number,” or wanghao (网号), that is linked to their personal information. While these IDs are, according to the MPS notice, to be issued on a strictly voluntary basis through public service platforms, the government appears to have been working on this system for quite some time — and state media are strongly promoting it as a means of guaranteeing personal “information security” (信息安全). With big plans afoot for how these IDs will be deployed, one obvious question is whether these measures will remain voluntary.

[...]

The measures bring China one step closer to centralized control over how Chinese citizens access the internet. The Cybersecurity Law of 2017 merely stipulated that when registering an account on, say, social media, netizens must register their “personal information” (个人信息), also called “identifying information” (身份信息). That led to uneven interpretations by private companies of what information was required. Whereas some sites merely ask for your name and phone number, others also ask for your ID number — while still others, like Huawei’s cloud software, want your facial biometrics on top of it.

[...]

Beyond the key question of personal data security, there is the risk that the cyber ID system could work as an internet kill switch on each and every citizen. It might grant the central government the power to bar citizens from accessing the internet, simply by blocking their cyber ID. “The real purpose is to control people’s behavior on the Internet,” Lao Dongyan cautioned last year.

[...]

Take a closer look at state media coverage of the evolving cyber ID system and the expansion of its application seems a foregone conclusion — even extending to the offline world. Coverage by CCTV reported last month that it would make ID verification easier in many contexts. “In the future, it can be used in all the places where you need to show your ID card,” a professor at Tsinghua’s AI Institute said of the cyber ID. Imagine using your cyber ID in the future to board the train or access the expressway.

[...]

While Chinese state media emphasize the increased ease and security cyber IDs will bring, the underlying reality is more troubling. Chinese citizens may soon find themselves dependent on government-issued digital credentials for even the most basic freedoms — online and off.


An Italian parliamentary committee has confirmed that the government used the Israeli-made spyware Graphite, developed by the offensive cyber company Paragon, to hack the smartphones of several activists working with migrants.

The committee confirmed that Paragon provided Graphite to two Italian agencies, including the country's external intelligence service, starting in 2023. The version of Graphite provided did not include the ability to activate the phone's microphone or camera, the report said. Instead, it only gave its operators access to encrypted communications on the hacked devices.

The report also confirmed that Graphite exploited a vulnerability in WhatsApp that Meta identified and patched in December 2024, one month before the spyware's activity was publicly disclosed. The vulnerability's discovery also caused "panic" at Israel's military intelligence Unit 8200, according to the recent Israeli television report.
