Reclaim The Net Feed
Reclaim The Net Feed

Reclaim The Net Feed

@reclaimthenetfeed

Apple Hide My Email Vulnerability Exposes Real Email Addresses
Favicon 
reclaimthenet.org

Apple Hide My Email Vulnerability Exposes Real Email Addresses

If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. Apple sells Hide My Email as a shield. You switch the feature on and iCloud+ hands you a random alias, so the companies you deal with never see the address tied to your real identity. But a security researcher says that shield has a hole in it, one Apple has left open for more than a year. Tyler Murphy, co-founder of the data-removal service EasyOptOuts, found a way to take a Hide My Email alias and work backward to the genuine address it conceals. He reported it to Apple in June 2025 and handed over instructions showing exactly how to reproduce it. Twelve months on, the flaw still works. 404 Media confirmed as much this week, unmasking one of its own hidden addresses. Murphy’s testing suggests the problem runs deep. “We don’t know the full scope of the issue, but in our limited tests with volunteers, 100% of Hide My Email addresses were exploitable,” he told 404 Media. All the aliases his team probed gave up the real address behind them. That figure guts the whole premise of the feature. People reach for Hide My Email precisely when they want distance between themselves and a service they don’t fully trust, whether that’s a shopping site, a newsletter, or a stranger on a marketplace. If you take away the alias, you take away the reason to use it. Murphy points to the wider machinery that turns one data point into a full profile. He warns that “publicly accessible people-search sites make it easy to link an email address to other personal details, so people relying on Hide My Email for safety may be at risk.” His company exists to scrub exactly that kind of information off broker sites, so the stakes are familiar to him. An address that leads to a name, a home, or a phone number is raw material for harassment, stalking, and fraud. Apple’s response seems like a year of stalling. The company told Murphy it was looking into the report a month after he filed it. By March 2026 it claimed it had “addressed the reported issue in a recent system change.” Murphy checked, and it hadn’t. He sent more detail, and Apple went back to running checks. By May the company was still telling him it was “still investigating,” while asking him to keep the flaw quiet until it finished. Murphy offered Apple a way to protect users in the meantime. He suggested the company pause sales of Hide My Email until a real fix shipped, shrinking the pool of exposed accounts. Apple kept selling it. At the end of May, it said a fix would arrive in a security update “expected in the coming weeks.” Those weeks have passed. 404 Media contacted Apple repeatedly and got nothing back. Murphy decided he had waited long enough. “Apple Hide My Email is leaking email addresses that are supposed to be hidden. We reported the issue and replication instructions to Apple over a year ago. We don’t know why it hasn’t been fixed, but we don’t feel comfortable waiting any longer. Hide My Email users deserve to know that it may be possible for attackers to discover their hidden email addresses,” he said. He has kept the technical details private, so the flaw isn’t handed to the next opportunist. A separate change to the service is landing around the same time, and it chips away at another safeguard. Apple told developers on June 15 that Hide My Email aliases will move to a new domain, private.icloud.com, replacing the iCloud.com addresses that blended in with ordinary mail. Sign in with Apple relay addresses are shifting to the same domain. That old ambiguity was a feature. A message from an iCloud.com address could have come from almost anyone, which is what made the disguise work. A private.icloud.com address announces itself, and nothing stops a website or newsletter from blocking the domain outright and forcing you to hand over a real account. Until Apple ships the fix it keeps promising, the safest assumption is that a Hide My Email alias hides less than you think. If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. The post Apple Hide My Email Vulnerability Exposes Real Email Addresses appeared first on Reclaim The Net: Free Speech, Privacy, Digital Rights.

EU Reddit Users Must Verify Age With Government ID or Selfie
Favicon 
reclaimthenet.org

EU Reddit Users Must Verify Age With Government ID or Selfie

If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. Reddit began forcing many of its European users to prove their age on June 24, and it chose an invasive way to do it. Anyone the platform’s automated systems flag as possibly under 18 now has to hand over a government ID or a live face scan to a third party before opening a single mature community. The rollout covers the European Union and Norway, and Reddit frames the whole thing as compliance with censorship and digital ID EU law. If you refuse the check and you keep your account, though, the mature side of Reddit vanishes from view. Agree to it, and you feed your identity into Persona, the outside verification firm Reddit leans on to decide whether you are old enough to read what you came to read. The screening starts before anyone asks for a document. Reddit runs software that monitors your every move and estimates your age from how you behave on the site, reading your posting history, and the words you use. If you look like an adult to the machine, nothing changes. If you look like a teenager, the mature communities lock until you verify. The company has not published the full list of signals it weighs, which leaves users to reverse-engineer a system that has already decided something about them. The net catches far more than adult content. Users posting screenshots of the verification flow reported that some mental health support communities are tagged NSFW, which drags them behind the same wall. Someone reaching out during a crisis can find themselves asked to show a passport first. Reddit built its name on letting people speak without one attached, and that is the exact thing the check strips away. Teenagers face a separate set of rules. Accounts held by 13 to 15-year-olds are locked to the most restrictive privacy settings with no way to loosen them, covering chat, followers, and whether the profile surfaces in search. Yet, keep in mind, everyone’s privacy has already had to be invaded to get to this point. Users who are 16 or 17 start with the same defaults but can change them. Reddit presents this as protection, and some of it does protect, though it arrives welded to the identity demand rather than offered instead of it. The expansion follows months of regulatory pressure, most of it out of the United Kingdom. British regulators fined Reddit £14.47 million, roughly $19 million, earlier this year after finding the company had unlawfully handled children’s personal information between May 2018 and July 2025. Reddit had let people self-declare their age at signup, a method the Information Commissioner’s Office said children could get around without effort. “It’s concerning that a company the size of Reddit failed in its legal duty to protect the personal information of UK children,” Information Commissioner John Edwards said. Reddit’s answer named the tension the regulator would not. The company said it “didn’t require users to share information about their identities, regardless of age, because we are deeply committed to their privacy and safety.” It called the demand for more data “counterintuitive and at odds with our strong belief in our users’ online privacy and safety,” and it is appealing. Follow the regulator’s logic to its end and a platform has to identify everyone in order to shield the few who are children. That commitment has a paper trail. Reddit’s chief executive, Steve Huffman, told users a few months ago that the company had no wish to learn who they are. “We are not doing sitewide human verification,” he wrote in a post about confirming people are human rather than bots. “We don’t need or want your identity.” He described government ID checks as the company’s “least preferred” method, reserved for places where the law leaves no room. The system now reaching European users runs on the method he ranked dead last. Persona deserves a harder look than the word “verification” invites. Security researchers found an exposed Persona development environment sitting on a US government-authorized server, and the company’s chief executive, Rick Song, confirmed it was genuine. What sat inside went well past an age gate. Researchers counted 269 separate verification checks run on each person, facial recognition matched against watchlists, risk and similarity scores generated for every user, searches across internet and government databases, financial data checks, and several forms of biometric analysis on the selfie you upload. Persona’s own privacy policy fills in the rest. The company says it may pull identifiers, device details, and location data from outside sources, among them data brokers, marketing partners, and “publicly available sources…such as open government databases.” An age check, on paper, becomes an identity profile assembled from wherever the data happens to live. Reddit says it never sees the photos, that Persona hands back only a verification status and a birthdate. That answer covers Reddit and leaves everything else wide open. Whatever Persona builds out of your face, your ID, and the broker records it buys sits outside Reddit’s walls and outside the regulator’s stated concern. If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. The post EU Reddit Users Must Verify Age With Government ID or Selfie appeared first on Reclaim The Net: Free Speech, Privacy, Digital Rights.

Brave 1.92 Adds Built-In Containers for Desktop
Favicon 
reclaimthenet.org

Brave 1.92 Adds Built-In Containers for Desktop

If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. Brave shipped Containers this week. Version 1.92 of the browser lets you wall off tabs from one another so that cookies and site data stay locked inside whichever container you opened them in, even when two tabs point at the same website. You can now hold several identities at once without the browser blending them together. A social manager can run two accounts on the same network side by side. A developer can sign in as an administrator in one tab and a regular user in another. Someone logged into a work account can open a video stream in its own container so their viewing history never attaches to the office login. Brave is honest about what Containers are not. The company already isolates every site and its third-party requests through storage partitioning, which stops trackers from following you from one site to the next. Containers add none of that protection, because the browser was already doing it. They sit on top as a way to choose which version of yourself a site gets to see. The idea traces back to Mozilla, which built Containers when browsers still let sites swap storage through third-party cookies and pass your identity around behind your back. The web spent years being rebuilt around that kind of cross-site tracking, and features like this exist because the default was designed to watch you. Compartmentalizing your own logins shouldn’t feel like a maneuver, yet on today’s web, it is one. Firefox pioneered this style of tab isolation, and Brave is the first Chromium browser to bake it in natively rather than leaning on an add-on. For a codebase that shares its foundation with Chrome, that is a departure from Google’s priorities. Turning it on takes a trip to Settings, under brave://settings/braveContent, where a single toggle enables the feature. After that, you right-click any tab, choose “Open in container,” and pick a category. Brave ships a handful of defaults, including Personal, Work, Social, School, and Shopping, and the containers show up in the tab bar so you can tell them apart at a glance. The feature covers Windows, macOS, and Linux with no extension to install, though Brave is releasing it in phases over a few days, so it may not appear on your machine right away. Mobile isn’t part of this release. If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. The post Brave 1.92 Adds Built-In Containers for Desktop appeared first on Reclaim The Net: Free Speech, Privacy, Digital Rights.

Britain’s Digital ID Watchdog Will Do Its Watching in Secret
Favicon 
reclaimthenet.org

Britain’s Digital ID Watchdog Will Do Its Watching in Secret

If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. The UK government has decided that the watchdog meant to keep its dystopian national digital ID scheme honest will do its watching in private. Cabinet Office minister James Frith confirmed that the advisory group’s minutes will not be published, and he sidestepped questions about what the group costs and how its members were chosen. For a body sold to the public as “independent scrutiny,” that is a curious way to start. The questions came from Andrew Snowden, the Conservative MP for Fylde and an assistant whip. He submitted three written parliamentary questions to the Cabinet Office. Would the group’s minutes, recommendations, and advice ever be published? What budget had it been given? What criteria decided who got a seat? Frith, with the creative range of a man photocopying the same sheet, returned the identical answer to all three. “The running of the digital ID advisory group will be supported by the Cabinet Office’s existing digital ID task force. The group is not a decision-making body and minutes will not be published,” he said. So it’s not a decision-making body, therefore nothing it does is worth showing you. The advisory group will shape how the state builds an identity system covering every adult in Britain. It will have a view on what gets harvested, how long it’s kept, and who gets to reach in and rummage. The label “advisory” does not change any of that. It just changes whether you’re allowed to know about it. Snowden was not impressed. “The answer was disappointing to say the least,” he told The Register, before explaining why the secrecy bothers him. “Digital ID was a deeply controversial policy when Keir Starmer announced it, causing one of the many U-turns that led to the situation we are in today. If the government are persisting with developing a system of digital ID then scrutiny of that policy by Members of Parliament is vital. To ignore key questions will not increase public support for digital ID.” He’s right. Written parliamentary questions are one of the few working tools an MP has for prising information out of a reluctant government. Frith looked at that tool and decided the appropriate response was to whistle and study the ceiling. We do at least know who some of these unseen overseers are: Security expert David Rogers, Mumsnet founder Justine Roberts, Victor Dominello, formerly digital government minister of New South Wales, which is in Australia, roughly ten thousand miles from Britain. Chief Secretary to the Prime Minister Darren Jones convened the group, and it will meet quarterly for the life of the program. How those particular names were chosen, and whether anyone in the room fancied inviting someone inclined to tell the government no, stays unexplained, because the selection criteria were among the things Frith declined to disclose. Last month the government barred journalists from a digital identity advisory panel event, since nothing soothes a nervous public quite like physically removing the people whose job is to report what’s happening. Oversight you are not permitted to observe is not oversight. If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. The post Britain’s Digital ID Watchdog Will Do Its Watching in Secret appeared first on Reclaim The Net: Free Speech, Privacy, Digital Rights.

WhatsApp’s New Update Can Shield You or Sell You Out
Favicon 
reclaimthenet.org

WhatsApp’s New Update Can Shield You or Sell You Out

This Post is for Paid Supporters Reclaim your digital freedom. Get the latest on censorship and surveillance, and learn how to fight back. Subscribe Already a supporter? Sign In. The post WhatsApp’s New Update Can Shield You or Sell You Out appeared first on Reclaim The Net: Free Speech, Privacy, Digital Rights.