If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. Texas spent the past two years building the legal machinery to make you prove who you are before you go online. This week it showed how well it guards the identity documents it already holds. Hackers pulled the driver’s license and passport numbers of more than 3 million people out of a state government system, in one of the largest breaches Texas has reported this year. The stolen records came from the Texas Parks and Wildlife Department, the agency that sells hunting and fishing licenses. A breach notice posted on the department’s website says the state’s cybersecurity unit detected a security incident that gave attackers access to the outside vendor running its license system. The department did not say what the incident was or when it happened and it has not named the company that handles its license data. Driver’s license details and passport numbers were not the only things taken. The department says the haul also included email addresses, phone numbers, and home addresses of affected license holders. People who buy a Texas fishing license hand their identity documents to the state and the state hands those documents to a contractor it won’t identify. The agency also declined to say whether the hackers have contacted it, which usually means a ransom demand or a public dump is somewhere on the table. Three million people now have to wonder whether their government ID is sitting in a criminal marketplace and they can’t even find out which company lost it. The incident sits on the Attorney General Ken Paxton’s public breach reporting page alongside the rest of the year’s losses. This is the same Texas that has positioned itself as the national leader in forcing people to show identification online. State law now requires age verification to reach adult websites, a mandate the Supreme Court upheld last year, and a separate law pushes app stores to confirm how old their users are before letting them download anything. A government that cannot keep 3 million existing records out of hackers’ hands is now insisting that more companies gather the same kind of data from everyone else. Every age check that demands a scanned license or a face scan creates another database, another vendor, another copy of your identity waiting to leak. The Parks and Wildlife breach is what that policy produces, except here the data was sitting in state hands the whole time and still got out. The same pattern showed up in October, when Discord disclosed that attackers had reached a third-party vendor and exposed roughly 70,000 users’ government ID photos, images the company had collected to verify ages. Discord blamed the contractor and said its own systems stayed intact, which is cold comfort to anyone whose passport photo is now loose on the internet. The lesson repeats with each of these incidents, which is that the weak point is rarely the company you handed your ID to but the chain of vendors behind it that you never agreed to trust and that nobody audits until after the breach. Driver’s license and passport numbers don’t expire and you can’t reset them like a password. The 3 million Texans in this breach face a real risk of identity theft for years and they face it not because they did anything online but because they went fishing. That is the cost the verification-first approach keeps pushing onto the people it claims to protect. The state asks for proof of who you are, then loses it, then asks for more. If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. The post Texas Just Leaked 3 Million Driver’s Licenses and Passports appeared first on Reclaim The Net.

If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. For years, Meta cast itself as the reluctant holdout against the Kids Online Safety Act, the one company that just could not bring itself to endorse a bill that was, at least on the face of it, written to protect children, but has an ulterior motive. That resistance lasted right up until the Senate sweetened the pot. Once lawmakers bundled KOSA with a federal block on state AI laws and a national digital ID push, two measures Meta has spent millions lobbying to win, the company located its conscience and decided the bill was tolerable after all. POLITICO reported that the conversion arrived the moment the Senate paired KOSA with the App Store Accountability Act, a digital ID bill aimed squarely at app stores. Meta now sits beside Microsoft, Apple, X, Snap, and Pinterest, all of them cheering for the legislation. It makes for an awkward look; a law sold to the public as a leash on the biggest platforms, when most of the biggest platforms turn out to be holding the leash. As we’ve said many times before, and it seems we’re having to now say on a daily basis, verifying how old you are means proving who you are. The systems that estimate your age want a government ID, a face scan, or enough surveillance of your behavior to make an educated guess. None of them confirm your age and nothing else; they confirm your identity and keep a copy, so the platform that once let you be a username now wants your legal name on file. So why would a company that lives off your data fight to make you surrender more of it? The App Store Accountability Act would order Apple and Google to verify ages at the store, which would load the cost and the legal risk onto the two companies that run the stores. Its own apps pick up no new obligation at all. Meta collects the identity-checked internet it has wanted for years and gets to look like a bystander while Apple and Google play the heavy. The deeper payoff is older than this bill. Meta has dreamed of a real-name internet since Facebook’s early days, back when it enforced an authentic-identity rule until the public revolt made the policy too expensive to keep. “Age verification” revives that dream by statute and applies it to everyone, with the invoice mailed to somebody else. A network of confirmed, identity-linked humans is also a network where the bots that annoy advertisers thin out, and ad space attached to real people fetches a premium. Protecting children is the version for the cameras; the version that moves the company sits on the balance sheet. The less advertised half of the package lives in the preemption language. A handful of states have started writing their own AI rules, some governing how companies grab biometric data and let algorithms make decisions about residents. A federal block would bulldoze those efforts and erase one of the few places ordinary people can still object to how these systems treat their information. Meta strolls away with a single, gentler national standard while residents lose the local protections they had started to build and the whole trade gets filed under everyone wins, as long as “everyone” means Meta. The bundle also tucks in the NO FAKES Act and this is where the child-safety wrapping paper comes off completely. The bill would let anyone sue over an “unauthorized digital replica” and would hit platforms with heavy penalties for failing to obey its demands, among them fast removal of flagged content and policies to cut off repeat offenders. A company staring down those fines for guessing wrong on a hard case will pull lawful speech first and worry about the details later. What the bill builds is a takedown machine, with the lever handed to whoever complains the loudest. The actors’ union SAG-AFTRA has been pushing the bill hard from the other side, gathering more than 16,000 signatures on an open letter that frames it as a shield against deepfakes used in scams, fake endorsements, and the replacement of human performers. “Unchecked AI can ruin lives,” union president Sean Astin said and on that narrow point, he has a fair case. The trouble is what the rest of the bill does and how it curbs satire and parody. The latest version came back last month from a bipartisan group that includes Senators Marsha Blackburn, Chris Coons, Thom Tillis, and Amy Klobuchar, with OpenAI, YouTube, and IBM applauding from the wings. The Senate Judiciary Committee takes it up Thursday. Blackburn, who is running the negotiations with the White House, markets the effort as an AI preemption package built around “protections for kids, creators, and communities.” If you strip off the language about kids and creators, what remains is an identity checkpoint at the door of the internet. Meta read that and signed without much fuss. Whether the children come out any safer is unlikely; the rest of us just have to show ID on the way in. If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. The post Why Meta Suddenly Loves the Kids Online Safety Act appeared first on Reclaim The Net.

If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. Apple is about to label every anonymous email address its paying customers generate, creating a new obstacle for privacy-conscious users. Hide My Email, the iCloud+ feature that creates an alias “@icloud.com” address to shield your real inbox from apps and websites, has always worked because of one specific design choice. The generated addresses were indistinguishable from any other iCloud account. An app receiving “randomword_terms_42@icloud.com” had no way to tell whether it belonged to someone generating anonymous aliases or to someone’s grandmother. That forced services to treat all iCloud addresses equally because filtering out the anonymous ones meant filtering out millions of regular Apple customers too. Starting later this summer, new Hide My Email addresses will use “@private.icloud.com” instead of plain “@icloud.com,” according to a developer notice the company posted Monday. The “private” subdomain announces to any app or email provider on the receiving end that the person signing up doesn’t want to be identified and hands them a one-line domain filter to block those sign-ups entirely. Apple presented the move as a domain unification, consolidating Sign in with Apple addresses (previously on “@privaterelay.appleid.com”) under the same new subdomain. The company told developers that existing addresses on legacy domains will keep forwarding mail and that app and email providers should update their filtering to accommodate the change. The gap between “@icloud.com” and “@private.icloud.com” looks cosmetic but functions as a kill switch. Services can now ban all anonymous aliases without touching regular iCloud mailboxes, the same way they already block disposable email providers like Guerrilla Mail or Mailinator. The plausible deniability that made Hide My Email useful, the inability for a service to prove an address was anonymous, disappears the moment Apple stamps it with a subdomain that says so. If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. The post Apple’s New Subdomain Kills “Hide My Email” Cover appeared first on Reclaim The Net.

If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. California spent 2025 telling the public that no state agency relied on high-risk automated systems to decide anything about people’s lives. That claim collapsed this month, when the state’s Department of Technology acknowledged six such systems already running, including one that predicts whether incarcerated people will commit crimes after they get out. The reversal arrived in a legislative report the state is required to produce every year under a 2023 law. That law, pushed by civil rights, privacy, and civil liberties groups, forces agencies to disclose any “high-risk automated decision system,” which it defines as one “used to assist or replace human discretionary decisions that have a legal or similarly significant effect, including decisions that materially impact access to, or approval for, housing or accommodations, education, employment, credit, health care, and criminal justice.” A year ago, the answer California gave to that same requirement was zero. The system drawing the most attention reads like something lifted from Philip K. Dick’s Minority Report. The California Department of Corrections and Rehabilitation runs a tool called the California Static Risk Assessment, or CSRA, to scoop up data and score people behind bars on their odds of being arrested again. We obtained a copy of the report for you here. According to the report, it “produces a risk number value that will predict the likelihood that an offender will incur a felony arrest within a three-year period after release to parole. Risk factors utilized include, but are not limited to, age, gender, criminal misdemeanor and felony convictions, and sentence/supervision violations.” What the CSRA does is build a profile from fixed personal data and compress it into a single number. The report describes the system analyzing “static” factors, including age, gender and criminal history, to “assign a risk level from 1 (Low) to 5 (High Risk Violence).” Two of those inputs, age and gender, are traits a person never chose and cannot alter. The state feeds them into an algorithm and lets the output shape decisions about supervision and freedom. California frames the scoring as good housekeeping. “By identifying high-risk individuals, the CDCR can focus its limited rehabilitation resources where they are needed most to have the maximum positive impact on public safety,” the report suggests. The framing skips past who absorbs the cost when the number gets a person wrong, which is the person assigned the higher score. The department also concedes the work does not require automation at all. Staff could “manually perform the CSRA evaluation” themselves, the report notes, which makes the algorithm a convenience the state reached for rather than a capability it lacked. The state chose the version that turns human judgment into a profiling pipeline. The prison algorithm sits inside a wider pattern of automation the state never volunteered. California also runs systems that decide whether unemployment claims look fraudulent, remotely watch California State University students during exams, and more. On its own, a parole risk score is not the most alarming surveillance story of the year. A human officer reading the same rap sheet would reach for similar conclusions and the tool predates most of the current AI panic. The trend underneath it is the real story. Governments want to profile people and automate the judgments that follow and that appetite runs on data. You cannot score someone without first gathering enough about them to feed the model and the more decisions get handed to an algorithm, the more of a person’s life has to be logged and kept on file to justify the output. California going from zero disclosed systems to six is not a scandal, but what’s interesting is how ordinary that growth has become. Whatever guardrails might have followed are not coming soon. Senate Bill 1248, which would have barred state employees from using automated decision systems as the sole basis for a decision, died last month in the legislature’s fast-moving appropriations process. Nothing in California law currently stops an automated score from being the deciding factor in how the state treats a person. If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. The post The Algorithm California Said Didn’t Exist appeared first on Reclaim The Net.

If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. Florida wants every social media user in the state to prove how old they are. The method is up to the platforms and the options include government ID uploads, biometric face scans, payment credentials, and behavioral profiling. Now the state is suing TikTok for not doing it fast enough. Attorney General James Uthmeier filed a 66-page complaint Monday in St. Lucie County Circuit Court, accusing TikTok of letting children under 14 create accounts, skipping parental consent for 14- and 15-year-olds, and lying to parents about what their kids actually see on the app. The lawsuit names TikTok Inc., its parent company ByteDance and several related entities. It’s the first enforcement action under House Bill 3, Florida’s Online Protections for Minors Act, which took effect January 1, 2025 after spending two years tangled in court challenges. We obtained a copy of the lawsuit for you here.  HB 3 bans social media platforms with addictive design features from contracting with children 13 and younger and requires parental consent before 14- and 15-year-olds can open accounts. Violations carry fines of $50,000 each. But to block minors, platforms first have to figure out who is and isn’t a minor, which means age-checking every user, adults included. Florida is building an identity verification regime for the internet under the banner of protecting kids and the surveillance costs of that project land on millions of people who have done nothing wrong. What the Complaint Says TikTok Did The state’s filing is an indictment of TikTok’s entire business model. According to the complaint, the platform’s own executives have admitted internally that “[t]he product in itself has baked into it compulsive use” and that the algorithm can disrupt young users’ ability to sleep, eat, and interact with people in person. The complaint also cites a description of “[t]eenagers in the U.S. are a golden audience,” drawn from New York Times reporting in 2016. Florida alleges TikTok uses what its own documents call “coercive design tactics” to manipulate young users into spending more time on the app. The platform harvests personal data from children and teenagers to identify psychological vulnerabilities, then exploits those vulnerabilities to serve targeted advertising. Internal records cited in the complaint acknowledge that “compulsive usage correlates with a slew of negative mental effects like loss of analytical skills, memory formation, contextual thinking, conversational depth, empathy, and increased anxiety” and that it “interferes with essential personal responsibilities like sufficient sleep, work/school responsibilities, and connecting with loved ones.” TikTok knew and kept going. The complaint also targets how TikTok represents itself in Apple’s App Store. The platform currently carries a 13+ rating and tells parents that sexual content, profanity, drug references, and self-harm themes are “infrequent” and “mild.” Florida says that’s false and that investigators found this content “frequently and easily accessible” through accounts registered as belonging to 13-year-olds. The state argues TikTok deliberately lowballed its App Store rating to dodge parental controls. If the platform had been honest, according to the filing, it would have received a 17+ rating under the old system or 16+ to 18+ under Apple’s new one, triggering automatic blocks on phones with parental restrictions enabled. “TikTok’s success hinges on its ability to addict children and teenagers to the platform,” Uthmeier said. “TikTok knowingly deceives parents and allows children to be exposed to harmful and inappropriate content in direct violation of Florida law. We have zero tolerance for companies that prioritize profit over children’s safety. TikTok should expect to be held accountable.” Beyond HB 3, the lawsuit invokes the Florida Deceptive and Unfair Trade Practices Act and asks the court to declare TikTok a public nuisance. Florida is seeking civil penalties, punitive damages, disgorgement of profits, permanent injunctive relief, and attorney’s fees. TikTok’s Response TikTok said it has already been working with the attorney general’s office and has started notifying users under 14 in Florida that their accounts will be suspended. “TikTok is built with safety at its core, with more than 50 preset safety and privacy settings for teens and easy-to-use tools for parents,” a spokesperson said. “We’re continuing to update our platform in Florida in response to state law. We are evaluating the state’s complaint and are prepared to defend our strong record on minor safety.” The company claims 50-plus preset safety settings. What it doesn’t explain is how those settings square with internal documents showing executives knew the platform was harming children and chose to keep operating the same way. Fifty safety toggles mean nothing if the algorithm underneath them is designed to override user autonomy through compulsive engagement. Florida’s case against TikTok is built on a law that creates a problem of its own. HB 3 requires platforms to verify ages but doesn’t specify what counts as “reasonable” verification. That leaves companies to decide how much personal data to extract from every user in the state, and none of the available methods come with meaningful limits on how long the data gets stored or who gets access to it. The law protects children by demanding that adults prove they aren’t children, a trade that turns anonymous internet use into identity-verified internet use for millions of people who have every legal right to browse without showing ID. Meta already capitulated in April, agreeing to start purging accounts belonging to under-14s and implementing age checks ahead of an enforcement deadline. Uthmeier has been pressuring Snapchat, Roblox, and Discord to follow. Discord’s earlier experiment with government ID-based age checks resulted in a breach that exposed over 70,000 government-issued IDs. That’s a preview of what mandatory identity harvesting across every major platform could produce at scale. If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. The post Florida Sues TikTok Over Age Verification Failures as Digital ID Mandate Takes Effect appeared first on Reclaim The Net.