If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. Disney is scanning the faces of 75,000 people a day at its Anaheim theme parks and a new $5 million class action lawsuit says the company never bothered to properly tell them. The suit, filed May 15 in federal court by visitor Summer Christine Duffield, targets the facial recognition system Disney rolled out in April at the entrances to Disneyland Park and Disney California Adventure. The technology photographs your face as you walk through the gates, then uses biometric software to convert that image into numerical values and compare them against the photo saved when you first activated your ticket or annual pass. The stated purpose is to speed up reentry and prevent ticket fraud. The unstated consequence is that Disney now operates one of the largest biometric surveillance systems aimed at consumers in the United States, processing the faces of more than 27 million annual visitors across the two parks. We obtained a copy of the complaint for you here. Duffield visited the park on May 10 with her minor children. The complaint accuses Disney of violating California privacy, competition, and consumer protection laws by harvesting guests’ biometric data without adequate disclosure or meaningful consent. The company “does not adequately disclose the use of their biometric collection, so consumers – which almost always include children – have no idea that Disney is collecting this highly sensitive data,” the complaint reads. Disney says the scanning is optional. The reality on the ground tells a different story. By late April, the technology was running in most entrance lanes at both parks, with the Los Angeles Times finding only four lanes that didn’t use it. Some guests told the publication they didn’t realize they could avoid the system before entering the lines. One visitor called it “a little scary” because the opt-out wasn’t clear, while a mother said she felt uneasy when the system was used on her young children. The opt-out signage consists of a silhouette icon with a diagonal line through it posted at select entrances. No verbal notice from staff. No alert through the Disneyland app, which millions of visitors use to plan their trips. No written consent form. Disney built a biometric dragnet and placed the burden of escaping it entirely on the people walking through the gates. Attorney Blake Yagman, representing the proposed class, put it bluntly in the complaint. “Guests should be able to expressly opt in to this type of sensitive facial recognition technology with written consent – the onus of privacy rights should not be on the victim,” he wrote. “Given how sensitive facial recognition data is, explicit written consent should be required to protect the privacy guests at Disney Theme Parks.” The distinction between opt-in and opt-out is the core of this case, and it reveals everything about how Disney thinks about its guests’ biometric data. An opt-in model means the company asks before it scans your face. An opt-out model means the company scans your face unless you notice a small pictogram and find the right lane. Disney chose the model that captures the most data from the most people. Perhaps that’s not an accident. The lawsuit also attacks Disney’s claim that it deletes biometric data within 30 days. Disney’s privacy policy states that numerical values derived from facial scans are deleted within 30 days of creation, “except in cases where data must be maintained for legal or fraud-prevention purposes.” The complaint argues this “simply cannot be true given the biometric information is compared to when guests first bought tickets or annual passes and associated their pictures with those tickets or passes.” Annual passholders visit repeatedly throughout the year. If the system compares your face at the gate against the image stored with your pass, that stored image has to exist somewhere for the comparison to work. Disney’s 30-day deletion claim and its year-round facial matching functionality can’t both be true at the same time. Disneyland spokesperson Jessica Jakary said: “We respect and protect our guests’ personal information and dispute the plaintiff’s claims, which we believe are without merit.” Disney also collects biometric data through other programs at its parks. The company harvests biometric information when visitors use a “Magic Band” wristband and through its “PhotoPass” photography program. The lawsuit argues this data is valuable for building consumer profiles that aggregate details across multiple arms of Disney’s business. A company that knows your face, your location within the park, your purchasing habits, and which rides you visit isn’t just preventing ticket fraud. It’s building a surveillance profile that follows you across every interaction with the Disney ecosystem. If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. The post Disney Faces $5M Lawsuit Over Disneyland Facial Recognition appeared first on Reclaim The Net.

If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. Canada’s government wants you to use a VPN. It also wants to make VPNs functionally illegal. Both of these things happened in the same week. On May 19, Public Safety Canada posted advice on X encouraging Canadians to protect themselves on public Wi-Fi. “Using a VPN protects your data,” the agency wrote. Days earlier, two major VPN providers had announced they would flee the country rather than comply with Bill C-22, a surveillance law that would force them to log the very data their users pay them not to keep. Windscribe, the Toronto-headquartered VPN company, responded to the government’s post with open contempt. “Oh this is just rich… Bill C-22 is driving VPN businesses like ours out of Canada because of the required user logging. And in the same breath you tell people to secure their data with VPNs,” the company wrote. “I hope you bought your circus tickets folks, because the clown show is starting.” Bill C-22, the Lawful Access Act introduced in March, would compel electronic service providers to build surveillance capabilities into their systems and retain user metadata for up to a year. It would also grant the public safety minister the power to issue secret orders requiring specific providers to develop technical capabilities for law enforcement and would prohibit those providers from even disclosing that the order exists. For VPN companies, whose entire product is the promise that they don’t track you, compliance would mean destroying the thing they sell. “We won’t be far behind if C-22 passes,” Windscribe posted on X. “In its current state, VPNs would almost certainly require us to log identifying user data.” Unlike Signal, which warned earlier in the week that it would pull out of Canada too, Windscribe can’t just switch off a few servers. Its headquarters is in Toronto. “Signal isn’t headquartered in Canada so they can just shut off Canadian servers, but our HQ is,” the company said. “We pay an ungodly amount of taxes to this corrupt government, and in return they want to destroy the entire essence of our service to basically spy on its own citizens. Not happening. We’ll move HQ and take our taxes elsewhere.” Windscribe didn’t stop there. In a separate post, the company made its position as clear as a company can. “BILL C-22 NEEDS TO DIE,” it wrote, repeating the phrase seven times. NordVPN delivered essentially the same message in slightly more corporate language. The company said if Bill C-22 passes, “and if we are subjected to mandatory obligations, there isn’t a scenario in which we would compromise our no-logs architecture or encryption protections.” “To prevent this, we will consider all viable options, including limiting or, if necessary, removing our presence from Canadian jurisdiction,” NordVPN said. Windscribe also pointed out an asymmetry between its situation and NordVPN’s. Because NordVPN isn’t headquartered in Canada, the bill’s impact on it is less direct. Windscribe, as a Canadian company, has no buffer. Every provision applies to it in full, which makes the threat to relocate not posturing but survival math. The company that built its reputation on not logging users would have to start logging users or leave the country that gave it a home. Shopify CEO Tobi Lütke weighed in from a different angle but landed in the same place. “C-22 is looking like a huge mistake,” Lütke wrote on X. “It worries me a great deal. There is so much nonsense in there that it may well end up dealing a death blow to Canadian tech viability.” When the head of Canada’s most prominent tech company warns that your surveillance bill could destroy the tech sector, the sensible response is to listen. Ottawa has not indicated any interest in doing so. The bill would require service providers to retain metadata about every user’s communications for up to 365 days, regardless of whether that user is suspected of anything. This is mass data retention applied to the entire population, and the EU’s highest court has already struck down exactly this kind of scheme twice on fundamental rights grounds. Canada is building the surveillance architecture that Europe has ruled illegal. Apple has said the legislation could allow the government to force companies to break encryption by inserting backdoors into their products, calling it “something Apple will never do.” Meta warned that it could require companies to build or maintain capabilities that break or weaken encryption, or force providers to install government spyware directly on their systems. A spokesperson for Public Safety Minister Gary Anandasangaree tried to push back. The government said it wants to “reassure Signal and all service providers that we are not legislating to require them to install capabilities to enable surveillance and any assertions otherwise are false.” Spokesperson Simon Lafortune said the government “categorically rejects claims that Bill C-22 would enable the surveillance of Canadians through everyday devices such as cars, home cameras, or smart TVs, or that it would require companies to introduce so‑called ‘backdoors’ into their products so that the government could gain access to customer data.” That denial doesn’t square with what the bill’s own text allows. A law that compels providers to develop and maintain “technical capabilities” for police and CSIS to access communications is a law that compels backdoors, whatever the government chooses to call them. The bill would also prohibit providers from disclosing the existence of a ministerial order, meaning Canadians wouldn’t even know when their service provider had been conscripted into the surveillance apparatus. Secret orders to build secret access points which is a backdoor with a gag order attached. The backlash has spilled across the border. The heads of the US House Judiciary Committee and the House Foreign Affairs Committee wrote to Anandasangaree, warning that the bill would “drastically expand Canada’s surveillance and data access powers in ways that create significant cross-border risks to the security and data privacy of Americans.” They said it would allow “Canadian government officials to compel American companies to build backdoors into their encrypted systems, thereby introducing systemic vulnerabilities that could be exploited by hackers, foreign adversaries, and cybercriminals.” We’ve said it before and we’ll say it again: There is no such thing as a backdoor that only “good” guys can use. Any vulnerability engineered into a system for law enforcement is a vulnerability that foreign intelligence services, criminal hackers, and hostile states can exploit. You cannot weaken encryption selectively. You either have secure systems or you don’t. If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. The post Use A VPN, Says Canadian Government That Wants VPN Logs appeared first on Reclaim The Net.

If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. Chamber of Progress, a lobbying group bankrolled by Amazon, Apple, Google, Meta, and OpenAI, is pushing Colorado Governor Jared Polis to sign SB 26-051 into law. The bill would force operating system providers to harvest users’ dates of birth and pipe that data to app developers through an API every time you download or open an app. If Polis signs it, your phone’s operating system becomes more of an identity checkpoint, not just for children, but for everyone. The bill landed on the Governor’s desk on May 12 after clearing both chambers of the Colorado legislature, passing the House 40-23 and the Senate 26-9. We obtained a copy of the latest version of the bill for you here. Sponsored by Democratic Senator Matt Ball and Representative Amy Paschal, the legislation mirrors California’s AB 1043, signed into law in October 2025. Colorado’s version would start applying to new users on July 1, 2028, with existing users folded in by January 1, 2029. When you set up a device account, the OS asks for a date of birth. That data gets translated into one of four age brackets (under 13, 13 to 15, 16 to 17, and 18-plus) and stored as an “age signal.” Developers are required to request that signal at first launch or account creation through a real-time API. Every app you open gets to ask your operating system how old you are. Chamber of Progress told Colorado lawmakers that the bill “reflects an important effort to protect children online while minimizing risks to privacy and lawful speech.” That framing collapses under the weight of what the bill constructs. It calls age-bracket data “nonpersonally identifiable,” but an age bracket combined with a device ID, app usage patterns and an IP address makes re-identification trivial. When that signal flows to dozens of apps at launch, the aggregate profile becomes far richer than any single data point suggests. The bill also makes anonymous device use functionally harder. If account setup requires an age attestation that follows you into every app, you lose the ability to use the software without disclosing something about your identity. That has consequences for journalists, activists, domestic violence survivors, and anyone who treats privacy as a default. The bill never specifies how age data is verified. Account holders just “indicate” a birth date. It may not have an ID check or a biometric scan, at least for now. But a 12-year-old can type in 1988 and the system accepts it. As a mechanism for protecting children, this is useless, and everyone involved in writing it knows that. What it does accomplish is something else entirely. It builds the architecture: the API, the data pipeline, the legal obligation for developers to query an age signal at every app launch. Once that plumbing exists, the only question left is what gets poured through it. The self-reported birth date is a placeholder. When legislators inevitably point out that kids are lying about their age (which this system was designed to let them do), the fix will be ID uploads, biometric verification, or both. The bill doesn’t protect children from anything today but it lays the groundwork for mandatory identity verification tomorrow and it does so without ever having to make that argument openly. And when the system misfires in its current form, nobody is accountable. Section 6-30-104(2) gives OS providers and app stores a “good faith” safe harbor, meaning an adult incorrectly flagged as a minor who loses access to content has no real recourse. Requiring Apple and Google to collect, store, and distribute age data makes them custodians of a sensitive dataset tying age to device identity. The bill includes data minimization language but the structural reality is that two companies gain a legally mandated role as age gatekeepers for an entire state’s population. A breach of that data would be consequential. The Chamber of Progress knows what it’s endorsing. A law requiring OS-level age signals doesn’t threaten Apple and Google. It cements their dominance, handing them a statutory mandate to manage personal data while creating compliance costs smaller competitors absorb less easily. This bill builds an infrastructure that changes the baseline expectation of anonymity when using a computing device, and the companies lobbying for it are the ones who profit from holding the keys. If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. The post Big Tech Backs Colorado OS-Level Age Data Bill appeared first on Reclaim The Net.

If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. The Canadian Armed Forces reprimanded soldiers who warned that an order to spy on citizens during COVID-19 could violate intelligence-gathering rules. The soldiers were right. The military punished them anyway. Internal records and emails obtained by CBC News show that on March 11, 2020, a team called Joint Operational Effects (JOE) was ordered to create anonymous social media accounts and scour the internet for information about Canadians. Under the direction of Col. Chris Henderson, the team produced dozens of reports between March 19 and June 5, tracking what the federal Conservative, NDP, and Bloc Québécois parties were saying about the pandemic. The Canadian military was monitoring opposition political parties using anonymous accounts created specifically for surveillance. At least two JOE team members pushed back. They emailed their chain of command, warning that creating anonymous accounts without authorization, while working from home on personal computers, could breach intelligence directives. One soldier wrote to Maj. John Zwicewicz on March 12, 2020: “Given the sensitivity around social media and military use I have concerns about this.” They added: “My concern is that by creating these accounts without following proper procedure would come close to, or cross the line set out in the policy.” Another asked to go into the office because they felt it “represented a serious risk” to do the work at home. Zwicewicz claimed a legal adviser had approved the activities and ordered the group to “cease barrack room lawyering” and get back to work. The team was formally reprimanded more than a week after raising concerns. A source told CBC News that within months, some members quit or were medically released. The people who raised alarms about potentially illegal surveillance of Canadian citizens got punished. The people who ordered the surveillance kept their positions. The military’s own top lawyer flagged the problem. Then-commodore Geneviève Bernatchez, the judge advocate general, warned that “this issue has a significant legal component, and…could present legal risk to the rights of Canadian citizens, but also legal risks to the institution.” She noted that, unlike overseas deployments, “the full range of domestic law” would apply, and “such operations will often directly or indirectly implicate the rights of Canadian citizens.” The command structure absorbed the warning and carried on. A compliance assessment by the Canadian Forces Intelligence Command, reported by CBC News in April 2026, found three separate military units violated intelligence-gathering rules during Operation Laser between March and July 2020. One unit used personal laptops to trawl Twitter, Reddit, Instagram, and Facebook. Another produced over 50 reports on political discourse and was ordered to create accounts to “monitor key regional actors,” but “deliberately disregarded” that order and used personal accounts instead. Six years later, the legal gap that allowed all of this remains open. The National Security and Intelligence Committee of Parliamentarians urged the government in 2020 to legislate rules governing what the military can collect about Canadians. Ottawa has not acted. DND spokesperson Andrée-Anne Poulin told CBC News that “additional guidance and oversight measures were put in place to prevent a recurrence and to strengthen adherence to established rules.” Additional guidance. Oversight measures: The standard institutional language for getting caught. If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. The post Canada’s Military Punished Whistleblowers Who Flagged Illegal COVID Speech Monitoring appeared first on Reclaim The Net.

If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. X has agreed to process the vast majority of content flagged as illegal “hate” under the UK’s Online Safety Act within 48 hours, giving Ofcom, Britain’s speech regulator, a significant new enforcement win. The platform committed to “review and assess UK suspected illegal terrorist and “hate” content reported through its dedicated UK illegal content reporting tool on average within 24 hours of it being reported, to be calculated as a mean” and to “review and assess at least 85% of UK suspected illegal terrorist and hate content reported through its dedicated UK illegal content reporting tool within a maximum of 48 hours.” The deal is a notable reversal for a platform that, less than a year ago, publicly accused Ofcom of taking a “heavy-handed approach” and warned that the Online Safety Act was “seriously infringing” on free expression. X’s August 2025 statement, titled “What Happens When Oversight Becomes Overreach,” called out regulators by name and argued that the law amounted to a “conscientious decision to increase censorship in the name of ‘online safety.'” That language is gone now. What’s left is a compliance agreement with specific performance targets and a 12-month reporting obligation. The commitments go beyond speed of review. X also agreed to block access to accounts in the UK if they are reported for “posting UK illegal terrorist content” and deemed to be “operated by or on behalf of a terrorist organisation proscribed in the UK.” The platform will share quarterly performance data with Ofcom so the regulator can audit compliance. And following complaints from organizations that couldn’t tell whether X had received or acted on their reports, X agreed to “engage with experts regarding reporting systems for illegal hate and terror content.” Who those experts are tells you something about the direction of travel. Ofcom’s own press release names the Center for Countering Digital Hate (CCDH) as one of the organizations it worked with to “gather evidence about suspected illegal terrorist content and illegal hate speech online.” The CCDH is a pro-censorship campaign group co-founded in 2018 by Imran Ahmed and Morgan McSweeney, who went on to become UK Prime Minister Keir Starmer’s chief of staff. McSweeney stepped down from CCDH’s board two days after Starmer became Labour leader. The organization maintains close ties to the current government and has stated that its goal was to “kill Musk’s Twitter,” according to leaked internal documents reported by Matt Taibbi and Paul Thacker. Ahmed himself was sanctioned by the US State Department in December 2025 over concerns that his organization had led “organized efforts to coerce American platforms to censor, demonetize, and suppress American viewpoints.” A federal court blocked his deportation with a temporary restraining order. This is the organization Ofcom chose to help build the evidence base for pressuring X into compliance. Ahmed, for his part, welcomed the deal. Speaking to POLITICO, he said CCDH will be “watching closely to ensure this results in meaningful action, not just words.” Oliver Griffiths, Ofcom’s Online Safety Group Director, framed the agreement as a necessary step. “We have evidence that terrorist content and illegal hate speech is persisting on some of the largest social media sites,” he said. “We are challenging them to tackle the problem and expect them to take firm action.” X’s agreement also includes the dedicated UK illegal content reporting tool, which is specifically designed for flagging content that violates Britain’s censorship law. That tool creates a direct pipeline from whoever reports the content to X’s review queue, and from there to Ofcom’s auditing process. The 24-hour average and 48-hour backstop create a system where the pressure is always toward deletion. When you have to process 85% of flagged content within two days and a regulator is auditing your speed, the incentive is to delete first and reconsider never. Every platform operating in the UK is watching this deal and calculating the cost of resistance versus compliance. The message from Ofcom is clear: agree to our terms, on our timeline, using our preferred partners as evidence sources, or face investigation, fines, and potential shutdown. If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. The post X Agrees to Review Illegal “Hate” Within 48 Hours Under UK Online Safety Act appeared first on Reclaim The Net.