Reclaim The Net Feed

@reclaimthenetfeed

Britain’s Business Registry Left Director Data Wide Open — Yet the Government Is Still Building a National Digital ID

If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net.

Companies House in the UK briefly turned its own corporate register into a self-service fraud toolkit. A vulnerability in the dashboard of the UK’s official business registry let anyone access other companies’ private records by pressing the back button, no hacking required. Directors’ home addresses, email addresses, and dates of birth were all sitting there, readable and editable by anyone who knew where to look.

Companies House is the government body where every limited company must register to legally exist. It holds the official record of who runs Britain’s businesses, including the personal details of every director. When you incorporate a company in the UK, your information goes into this register. There is no opt-out.

The timing is what makes this even more interesting. Since November 2025, all directors in the UK have been legally required to verify their identity through GOV.UK One Login to act in their roles, feeding passport scans, biometric data, and government credentials into the same Companies House infrastructure. That’s the system whose dashboard just handed out private director records to anyone pressing the back button.

Dan Neidle, founder of Tax Policy Associates, flagged the issue to Companies House on Friday. He was blunt about what the flaw made possible. “People could get enough data about a company and its directors to potentially commit fraud, to pretend to be it,” he told the Press Association. The risk wasn’t just passive exposure. Someone with access could update a company’s registered address to their own, intercepting official correspondence and documents. “If you could file accounts,” Neidle added, “you could do all kinds of damage.”

Home addresses and dates of birth are the building blocks of identity fraud. Directors registered this information with Companies House under legal obligation, trusting that the government body safeguarding it had secured it properly. That trust had a back button.

Neidle noted the window of exposure matters enormously. “If it was only there for 36 hours, then maybe it’s fine,” he said. “But if it was there for a month or more, it’s very serious.” He pointed to an uncomfortable benchmark: “Security researchers say 15 days is the average time it takes for a vulnerability to be exploited, and this was a particularly easy vulnerability with no hacking required.” Most data breaches require technical sophistication. This one required a browser.

Companies House shut down the WebFiling service on Friday evening. A spokesperson said: “We are aware of an issue with our WebFiling service and have closed it while we investigate. We apologise for any inconvenience to our customers.” The agency told affected businesses to file as soon as the service returns, document any error messages with timestamps, and wait for their evidence to be reviewed against missed deadlines. What Companies House has not said is how long the vulnerability existed, how many records were accessed, or whether anyone exploited it before Neidle’s report.

This is the system the UK government wants to scale up nationally. Prime Minister Keir Starmer announced a digital ID scheme in September 2025, planning to introduce it by the end of the parliamentary term in 2029. The government is developing two related services: GOV.UK One Login, a unified account system replacing over 190 separate government logins, and a GOV.UK Wallet app for storing government-issued documents like driving licences. Biometric data. Passport scans. Facial recognition. All centralized. All linked. All managed by the same government infrastructure that just exposed director records through a back button.
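The article does not say what the underlying defect in the WebFiling dashboard was, so the example below is not Companies House code and does not claim to reproduce that flaw. It is an added illustration of the two controls a reviewer checks for in any dashboard that serves private records: every read and every write is authorized on the server against the logged-in session's entitlements (the anti-pattern, a handler that trusts whatever company id the request carries, is shown beside it), and pages carrying personal data are sent with Cache-Control: no-store so a browser's back/forward cache or an intermediate proxy cannot replay them. All names, company numbers and records are constructed for the example.

```python
"""Object-level authorization and no-store caching for a registry dashboard.

Added illustration, not Companies House code. Sample records and sessions
are constructed; the director fields mirror those the article lists.
"""
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when a session tries to read or change a record it is not entitled to."""


@dataclass(frozen=True)
class Session:
    user_id: str
    company_ids: frozenset  # companies this logged-in user is entitled to manage


# Constructed sample data: two companies, each with one director record.
SAMPLE_RECORDS = {
    "00000001": {"director": "A. Example", "home_address": "1 Sample Street", "dob": "1970-01-01"},
    "00000002": {"director": "B. Example", "home_address": "2 Sample Street", "dob": "1980-02-02"},
}


class Registry:
    def __init__(self, records=None):
        self.records = {k: dict(v) for k, v in (records or SAMPLE_RECORDS).items()}

    # Anti-pattern: the handler trusts the company id that arrives with the request
    # (URL, form field, or a page restored from history) and never consults the session.
    def view_unchecked(self, company_id):
        return dict(self.records[company_id])

    # Hardened: the entitlement is re-checked on the server for every read and write,
    # so a record id alone never grants access.
    def _authorize(self, session, company_id):
        if company_id not in session.company_ids:
            raise Forbidden(f"user {session.user_id} is not entitled to company {company_id}")

    def view(self, session, company_id):
        self._authorize(session, company_id)
        return dict(self.records[company_id])

    def update_address(self, session, company_id, new_address):
        self._authorize(session, company_id)
        self.records[company_id]["home_address"] = new_address
        return dict(self.records[company_id])


def denied(action, *args):
    """True if the action raises Forbidden; used to check that a refusal happens."""
    try:
        action(*args)
    except Forbidden:
        return True
    return False


def private_page_headers():
    """Headers for any response that carries personal data: forbid storing it anywhere."""
    return {"Cache-Control": "no-store", "Pragma": "no-cache"}


def cache_header_findings(headers):
    """Review the caching directives of a response that carries personal data.

    Returns a list of findings; an empty list means the directives are acceptable.
    """
    findings = []
    cache_control = headers.get("Cache-Control", "")
    directives = {d.strip().lower() for d in cache_control.split(",") if d.strip()}
    if "no-store" not in directives:
        findings.append("Cache-Control lacks no-store; the page may be kept by the browser or a proxy")
    if "public" in directives:
        findings.append("Cache-Control: public allows shared caches to keep the page")
    return findings


if __name__ == "__main__":
    registry = Registry()
    alice = Session("alice", frozenset({"00000001"}))
    print(registry.view(alice, "00000001"))
    print("cross-company read refused:", denied(registry.view, alice, "00000002"))
    print("weak headers:", cache_header_findings({"Cache-Control": "public, max-age=600"}))
```

The unchecked handler returns any record it is asked for, which is exactly the property a reviewer wants to prove absent; the hardened path refuses both the read and the address change for a company the session does not own, and the header check flags any private page that a browser or proxy would be allowed to keep.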
Over time, the digital ID system is expected to serve as a single access point for government services, including benefits, tax records, and official interactions, potentially eliminating the need for physical documents or multiple logins. The convenience pitch is familiar. So is what gets sacrificed for it.

The GOV.UK One Login system sitting at the core of this expansion already has a documented security record. Security tests revealed the system allows bad actors to gain access without detection, and it scored only 21 out of 39 in its Cyber Assessment Framework tests. An internal exercise found the system may already have been compromised without detection and potentially contain malware, core work was outsourced overseas, including to Romania, individuals who raised alarms about data and process failures were allegedly silenced, and the system even lost its official trust framework certification. The government’s response has been to keep spending.

The project has been compared to “Post Office Horizon all over again,” a reference to the UK’s most notorious recent IT scandal, in which a flawed computer system sent dozens of innocent postal workers to prison. The government is not learning from its mistakes.

The post Britain’s Business Registry Left Director Data Wide Open — Yet the Government Is Still Building a National Digital ID appeared first on Reclaim The Net.

Meta is Ending Instagram Direct Message End-to-End Encryption

Meta is quietly dismantling one of its few genuine privacy commitments. Starting May 8, end-to-end encryption for Instagram direct messages disappears, taking with it the one technical guarantee that kept those conversations private from Meta itself.

“If you have chats that are impacted by this change, you will see instructions on how you can download any media or messages you may want to keep,” the company said in a help document, framing the loss of message privacy as a data export problem. Collect your things, the walls are coming down.

The feature being removed was never universal anyway. End-to-end encryption for Instagram DMs had been available only in certain regions, not enabled by default, since Meta began testing it in 2021 as part of what CEO Mark Zuckerberg called his “privacy-focused vision for social networking.” That vision apparently has an expiration date. Meta also made encrypted DMs available to all adult users in Ukraine and Russia in February 2022, weeks after the Russian invasion began. That access, too, is ending.

The timing is revealing. TikTok told the BBC last week that it has no plans to bring end-to-end encryption to its DMs, arguing that privacy makes users less safe. Meta is now arriving at the same destination from a different direction.

The stakes are straightforward. End-to-end encryption means only the people in a conversation can read it, a technical lock that excludes the platform, third parties, and anyone who might later obtain a warrant. When that lock disappears, Meta and its employees can read Instagram DMs, law enforcement can subpoena them, and advertisers may eventually benefit from what gets learned. Instagram users who relied on encrypted DMs have until May 8 to decide what to archive. After that, their private conversations are Meta’s to read.

Canada’s Bill C-22 Mandates Mass Metadata Surveillance of Canadians

Canada’s Liberal government has introduced Bill C-22, the Lawful Access Act, 2026, a surveillance bill that compels electronic service providers to store Canadians’ metadata for a year and hands police and intelligence agencies new tools to access it. We obtained a copy of the bill for you here.

The bill follows a failed first attempt, Bill C-2, which collapsed under the weight of near-universal criticism from opposition parties, rights groups, and the tech industry. This is a mandatory data retention regime that forces companies to hold location data, device information, and other sensitive metadata on every Canadian, not just those suspected of crimes, ready for law enforcement retrieval via warrant. The logic is familiar: build the haystack first, search it later.

Public Safety Minister Gary Anandasangaree framed the bill as a necessary modernization. “Canada is woefully behind our most important allies. Technology has moved forward; our laws are stuck in the previous century,” he said Thursday, flanked by police chiefs and Justice Minister Sean Fraser. RCMP senior deputy commissioner Bryan Larkin added, “There’s an actual series of tools here that will eventually lead to greater success, greater efficiencies in police investigations, greater solvency in crime and, quite frankly, improving the safety of Canadians and, more importantly, addressing the concerns of victims.”

The government claims this isn’t surveillance of ordinary Canadians. Anandasangaree was explicit: “I want to be clear what C-22 is not. It is not about surveillance of Canadians going on about their daily lives. It is about keeping Canadians safe in the online space.” The bill does exclude web browsing history and social media activity from its mandatory retention requirements. But the bill doesn’t need to include everything to be seriously invasive. Location data alone tells a story. Where you sleep, where you worship, which doctor you visit, which protests you attend. All stored for a year, accessible to police and CSIS with a warrant, and built into every electronic service provider’s systems by law.

Tamir Israel, director of the Canadian Civil Liberties Association’s privacy, surveillance, and technology program, named the distinction that matters most. “Being able to categorically order companies to keep everybody’s information, not just people who are suspected of crimes… is different from getting a company to build a backdoor that then police could walk through to grab information,” he said. “You’re both putting people’s privacy at risk, and you’re creating cybersecurity threats.” That’s the architecture of C-22 in a sentence. Mass data retention treats everyone’s location and device data as pre-collected evidence, stored in advance on the off-chance it becomes useful later.

The bill’s most technically alarming section authorizes the Minister of Public Safety to issue secret orders compelling “core” electronic service providers, a category the government hasn’t fully defined yet, to build and maintain surveillance capabilities for law enforcement access. Providers who receive these orders are gagged. They cannot discuss them. The government included limits: these technical capabilities cannot require providers to retain message content, browsing history, or social media activity. They also cannot introduce “systemic vulnerabilities” that weaken encryption or authentication, or create “a substantial risk that secure information could be accessed by a person who does not have any right or authority to do so.”

Compared to Bill C-2, C-22 does pull back in one meaningful area. Under the original proposal, police could have approached any service provider, including those bound by professional privilege like doctors and lawyers, to ask whether an individual was a client, for how long, from where, and whether the company knew of other providers who had dealt with that person, all without a warrant. C-22 limits warrantless inquiries to telecommunications companies only, and restricts the question to a simple yes-or-no: is this person a client? Any further information requires a warrant.

The bill also creates a new warrant mechanism for Canadian police seeking data held by foreign, almost certainly American, tech companies. A Canadian judge can issue a production warrant that wouldn’t bind the foreign company legally but would give it legal cover to hand over data voluntarily. It’s a workaround, not a solution, and it depends entirely on the company’s willingness to cooperate.

Some of the bill’s warrant requirements include a carve-out for “exigent circumstances,” when police argue that getting a warrant would be impractical due to urgency. That exception tends to expand over time.

C-22 borrows several provisions from the Strong Borders Act, Bill C-2, which drew fierce opposition before stalling entirely with no movement since September 2025. Anandasangaree acknowledged the retreat explicitly. “One thing I’ve learned is that at times when more work needs to be done on a particular bill, you retreat and you come back. You come back with better consensus, better consultation, and better supports from across the board,” he said.

The rework narrows some of C-2’s most aggressive powers. What it doesn’t change is the central premise: that electronic service providers should be required to organize and warehouse Canadians’ sensitive data on behalf of the state, held in readiness for law enforcement use.

Microsoft Copilot Health Centralizes Personal Medical Records

Microsoft wants your medical records. The company launched Copilot Health this week, an AI feature that pulls together personal health history from wearable devices, lab results, and hospital systems, then lets users ask questions about all of it in a single interface. That’s a significant amount of sensitive data landing in the hands of a company that, notably, isn’t legally required to treat it the way your doctor is.

The feature sits inside Microsoft’s broader Copilot product and connects to medical records from over 50,000 US hospitals and healthcare organizations through a platform called HealthEx. Lab results come in through Function, a health tech company. Wearables from Apple, Oura, Fitbit, and more than 50 other manufacturers can link directly to the dashboard. The homepage aggregates step counts, appointment reminders, and other health signals depending on what users opt to share. It also offers access to provider directories, letting users search for doctors by specialty, location, language, and accepted insurance.

Microsoft frames this as understanding your health, not replacing your doctor. What it’s actually building is a centralized health surveillance layer that sits above the fragmented ecosystem of hospitals, labs, and wearable companies and aggregates everything into one place. That may be genuinely useful. It also concentrates a significant amount of sensitive personal data in a product that is not HIPAA compliant.

That last point matters more than Microsoft’s press release suggests. The Health Insurance Portability and Accountability Act exists to set security requirements for electronic health data and restrict how it can be used and disclosed. Hospitals and doctors who violate HIPAA face fines and potential criminal liability. Microsoft faces neither, because it doesn’t have to be HIPAA compliant to run Copilot Health. Dr. Dominic King, VP of health at Microsoft AI, addressed this directly ahead of the launch: “HIPAA is not required for a direct-consumer experience like this when you’re using your own data.” He went on to say: “However, at Copilot, we think it’s incredibly important that we’re meeting all the best standards out there. So, we will be announcing some updates here on our standing in terms of what are called ‘HIPAA controls.’” What those updates actually entail, King didn’t say.

Microsoft does point to an ISO 42001 certification, an international standard covering responsible AI use, traceability, and transparency. It’s a real certification, shared with Microsoft 365 Copilot and Microsoft 365 Copilot Chat. It’s also not a substitute for HIPAA controls, and it doesn’t restrict what Microsoft can do with health data the way federal law restricts your physician.

The company says health chats are “isolated from general Copilot and kept under additional access, privacy, and safety controls,” and that data from those chats isn’t used to train its AI models. Users can delete their health data or disconnect data sources at any time. These are big commitments. They’re also voluntary ones, which means Microsoft can revise them at any point by updating its privacy policy. There’s no regulatory backstop if it does.

Spain’s HODIO Program to Monitor and Rank Social Media Platforms on “Hate Speech”

At a government forum on “hate speech” in Madrid, Spain’s Prime Minister Pedro Sánchez introduced a new digital project with a blunt name: HODIO. The acronym stands for Huella del Odio y la Polarización, translated as the Footprint of Hatred and Polarization.

The plan is like a scoreboard for social media speech. A government system will monitor platforms, count what officials classify as hate speech, and release public rankings twice a year. The prime minister made clear that the rankings are meant to apply pressure. “We will publicly display the results so that everyone knows who stops hate, who looks away, and who makes a business out of hate,” Sánchez said. In short, the Spanish government will measure how much objectionable speech appears on major platforms, rate each company, and publish the results for public scrutiny.

The system will run through OBERAXE, the Spanish Observatory against Racism and Xenophobia, a government body tasked with monitoring discrimination. OBERAXE will apply “recognized academic criteria,” according to Sánchez, to track the spread of hate speech online. Of course, the government defines what qualifies as hate speech. The same government then measures its presence across platforms. The numbers will become the basis for public rankings.

Those rankings arrive with clear consequences. Platforms that perform poorly can expect public criticism, regulatory attention, and the possibility of legal pressure. Sánchez framed the process as a method of accountability. “From now, I think social media must be held publicly accountable for every piece of hate content they allow,” he said.

HODIO enters a system that already exists. Sánchez described a coordination mechanism launched in July 2025 between the Spanish government and major technology companies, including Meta, X, Google, and TikTok. Representatives from the companies meet with officials each quarter. The meetings review examples of content that the government classifies as hate speech and discuss how platforms can remove more of it. According to Sánchez, the effort has already produced results. Platforms were deleting 22 percent of flagged content several months ago. The number now stands at 51 percent. He described that improvement as progress. He also called it insufficient. HODIO appears designed to push the number further upward. Public rankings can add a layer of pressure that private meetings lack.

Sánchez used the forum to criticize anonymous speech online. He argued that social networks have lowered the barrier for hostility. Platforms have “reduced the cost of hating…because just one click is enough, almost always, from the cowardly anonymity that reinforces impunity and aggressiveness,” he said. The remark places anonymity in the center of the debate. Anonymous speech has long served whistleblowers, dissidents, and activists who face retaliation. In Sánchez’s framing, it serves aggressors who hide behind a screen. The difference in perspective reflects a broader policy direction. Governments across Europe are exploring identification requirements or age verification systems tied to social media accounts.

HODIO is one piece of a broader set of proposals Sánchez highlighted during the forum. The Spanish government is pushing measures that include criminal liability for platform executives when illegal content appears on their services. Another proposal targets algorithmic systems that promote or recommend prohibited material. Sánchez also reiterated support for age verification rules that would prevent users under sixteen from accessing social networks. One item drew particular attention. The government is working with Spain’s public prosecutor to pursue what Sánchez described as “infringements committed by Grok, TikTok and Instagram.”

The same government that defines hate speech will monitor it, measure it, and issue public ratings of companies based on compliance. Content can disappear from platforms before courts review the decision. Sánchez attempted to address the criticism during his speech. “We are not talking about those who say that we intend to censor,” he said. “We are not talking about uncomfortable opinions. On the contrary. We are talking about messages that, for example, compare people with plagues. Dehumanization again. That justify violence against women or that celebrate aggressions against women. Dehumanization again.” He argued that tech leaders abandoned that understanding when they “decided to impose their political agenda on social networks.” The claim arrived in a speech announcing a government program that monitors speech, scores companies based on removal rates, and coordinates with prosecutors investigating specific platforms.

The HODIO reports will appear every six months. Each edition will rank the major platforms based on how much hate speech the system detects. For the companies involved, the incentive structure is clear: censor or else.