Reclaim The Net Feed
Reclaim The Net Feed

Reclaim The Net Feed

@reclaimthenetfeed

EU Parliament Revives Chat Surveillance for Thursday Vote
Favicon 
reclaimthenet.org

EU Parliament Revives Chat Surveillance for Thursday Vote

If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. The European Parliament spent time earlier this year dismantling Europe’s mass scanning of private messages, but on Tuesday it voted to hand that same regime a second life. By approving an urgent procedure requested by the European People’s Party, the chamber cleared the path for a decisive vote on Thursday, the final sitting day before the summer recess, when attendance thins and the arithmetic tilts toward the people who want your chats scanned. At this late stage of the file, known as second reading, the Council’s text can only be amended or thrown out if an absolute majority of all sitting members, 361 votes, lines up against it. Fall short of that and the law passes automatically, with no affirmative endorsement required. What Parliament rejected outright in March would return not because a majority backed it, but because too any members had left early for summer break. Parliament had not been shy about it the first time. Members tried to salvage the rules with tight limits, demanding judicial authorization and confining any scanning to actual suspects, then watched trilogue talks collapse when national governments refused the safeguards. The extension went down 311 votes to 228, and the ePrivacy derogation expired on April 4. US companies including Meta, Google, and Microsoft lost their legal cover to comb through the private messages of Europeans at will. Reviving a defeated file is not how this normally works, which is why diplomats reached for the word “unprecedented.” The reopening traces back to Parliament’s own president, Roberta Metsola, who urged EU leaders in June to press ahead despite her chamber’s stated position and her own political group’s vote against the text. Her party now justifies the rush by pointing to a “legal gap” left behind by the expired regulation. That gap turns out to be thinner than advertised. Germany has recorded no unusual drop in abuse reports since the derogation lapsed, and companies have kept scanning voluntarily, exactly as they said they would. By the EU’s own count, more than 60 percent of reports come from public posts and cloud storage, categories the old regulation never covered. The fight is really about private, person-to-person messages, the part of your digital life where the expectation of confidentiality is strongest and the case for automated inspection weakest. The Council’s own members are talking out of both sides. Italy filed an official statement this week warning against exactly this kind of mass surveillance by private providers and its threat to encryption. Then it voted for the text anyway. “How absurd this process has become is evident in Italy’s behavior in the Council,” said Patrick Breyer, the former Pirate Party member who has tracked the file for years, in a press release sent to Reclaim The Net. Even the lawmaker formally steering the file has refused to play along. Birgit Sippel, the Socialist rapporteur, called the governments’ move an unfair maneuver and drew a line under it. “As rapporteur, I will not support an extension on the Member States’ terms,” she said, warning that reopening the interim question endangers the slow progress toward a permanent framework. Over the weekend, two cybersecurity researchers reminded members that the technical case has not budged. Carmela Troncoso of the Max Planck Institute and Bart Preneel of KU Leuven wrote urging a no vote on the fast track, citing detection tools whose error rates stay unacceptably high and pointing to far more targeted methods that already exist. They noted that over 800 researchers had signed earlier warnings, a level of agreement that rarely forms around one proposal. Some members tried to stop the procedure on the floor. Martin Sonneborn demanded that Metsola rule the urgent motion inadmissible under Parliament’s own rules, brandishing a printed copy of the rulebook. “I tried to stop the Chat Control today,” he wrote afterward. The procedural fight hides a bigger cost. Parliament has been pushing a genuinely different approach to protecting children online, one built on detection orders aimed at suspects instead of blanket scanning left to industry’s discretion, a dedicated center to pull known abuse material off the public web, and security requirements. Keeping the old voluntary regime alive drains the pressure that might move governments toward it. Prolonging the status quo does not protect children better. It lets the least effective and most invasive method coast along because no one has to defend it on the merits. That is the decision facing the chamber on Thursday. Rejecting the text requires 361 members to appear and vote no. Silence or absence counts as consent. The regime at stake once let hundreds of millions of Europeans send a message without a machine reading it first, and the same setup that flags a suspected image can be repointed at a nationality, a demographic, or a political affiliation without any change to the underlying tools. Parliament reached that conclusion clearly in March, and whether it holds through a half-empty Thursday afternoon is what the vote will settle. If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. The post EU Parliament Revives Chat Surveillance for Thursday Vote appeared first on Reclaim The Net: Free Speech, Privacy, Digital Rights.

Apple Hide My Email Vulnerability Exposes Real Email Addresses
Favicon 
reclaimthenet.org

Apple Hide My Email Vulnerability Exposes Real Email Addresses

If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. Apple sells Hide My Email as a shield. You switch the feature on and iCloud+ hands you a random alias, so the companies you deal with never see the address tied to your real identity. But a security researcher says that shield has a hole in it, one Apple has left open for more than a year. Tyler Murphy, co-founder of the data-removal service EasyOptOuts, found a way to take a Hide My Email alias and work backward to the genuine address it conceals. He reported it to Apple in June 2025 and handed over instructions showing exactly how to reproduce it. Twelve months on, the flaw still works. 404 Media confirmed as much this week, unmasking one of its own hidden addresses. Murphy’s testing suggests the problem runs deep. “We don’t know the full scope of the issue, but in our limited tests with volunteers, 100% of Hide My Email addresses were exploitable,” he told 404 Media. All the aliases his team probed gave up the real address behind them. That figure guts the whole premise of the feature. People reach for Hide My Email precisely when they want distance between themselves and a service they don’t fully trust, whether that’s a shopping site, a newsletter, or a stranger on a marketplace. If you take away the alias, you take away the reason to use it. Murphy points to the wider machinery that turns one data point into a full profile. He warns that “publicly accessible people-search sites make it easy to link an email address to other personal details, so people relying on Hide My Email for safety may be at risk.” His company exists to scrub exactly that kind of information off broker sites, so the stakes are familiar to him. An address that leads to a name, a home, or a phone number is raw material for harassment, stalking, and fraud. Apple’s response seems like a year of stalling. The company told Murphy it was looking into the report a month after he filed it. By March 2026 it claimed it had “addressed the reported issue in a recent system change.” Murphy checked, and it hadn’t. He sent more detail, and Apple went back to running checks. By May the company was still telling him it was “still investigating,” while asking him to keep the flaw quiet until it finished. Murphy offered Apple a way to protect users in the meantime. He suggested the company pause sales of Hide My Email until a real fix shipped, shrinking the pool of exposed accounts. Apple kept selling it. At the end of May, it said a fix would arrive in a security update “expected in the coming weeks.” Those weeks have passed. 404 Media contacted Apple repeatedly and got nothing back. Murphy decided he had waited long enough. “Apple Hide My Email is leaking email addresses that are supposed to be hidden. We reported the issue and replication instructions to Apple over a year ago. We don’t know why it hasn’t been fixed, but we don’t feel comfortable waiting any longer. Hide My Email users deserve to know that it may be possible for attackers to discover their hidden email addresses,” he said. He has kept the technical details private, so the flaw isn’t handed to the next opportunist. A separate change to the service is landing around the same time, and it chips away at another safeguard. Apple told developers on June 15 that Hide My Email aliases will move to a new domain, private.icloud.com, replacing the iCloud.com addresses that blended in with ordinary mail. Sign in with Apple relay addresses are shifting to the same domain. That old ambiguity was a feature. A message from an iCloud.com address could have come from almost anyone, which is what made the disguise work. A private.icloud.com address announces itself, and nothing stops a website or newsletter from blocking the domain outright and forcing you to hand over a real account. Until Apple ships the fix it keeps promising, the safest assumption is that a Hide My Email alias hides less than you think. If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. The post Apple Hide My Email Vulnerability Exposes Real Email Addresses appeared first on Reclaim The Net: Free Speech, Privacy, Digital Rights.

EU Reddit Users Must Verify Age With Government ID or Selfie
Favicon 
reclaimthenet.org

EU Reddit Users Must Verify Age With Government ID or Selfie

If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. Reddit began forcing many of its European users to prove their age on June 24, and it chose an invasive way to do it. Anyone the platform’s automated systems flag as possibly under 18 now has to hand over a government ID or a live face scan to a third party before opening a single mature community. The rollout covers the European Union and Norway, and Reddit frames the whole thing as compliance with censorship and digital ID EU law. If you refuse the check and you keep your account, though, the mature side of Reddit vanishes from view. Agree to it, and you feed your identity into Persona, the outside verification firm Reddit leans on to decide whether you are old enough to read what you came to read. The screening starts before anyone asks for a document. Reddit runs software that monitors your every move and estimates your age from how you behave on the site, reading your posting history, and the words you use. If you look like an adult to the machine, nothing changes. If you look like a teenager, the mature communities lock until you verify. The company has not published the full list of signals it weighs, which leaves users to reverse-engineer a system that has already decided something about them. The net catches far more than adult content. Users posting screenshots of the verification flow reported that some mental health support communities are tagged NSFW, which drags them behind the same wall. Someone reaching out during a crisis can find themselves asked to show a passport first. Reddit built its name on letting people speak without one attached, and that is the exact thing the check strips away. Teenagers face a separate set of rules. Accounts held by 13 to 15-year-olds are locked to the most restrictive privacy settings with no way to loosen them, covering chat, followers, and whether the profile surfaces in search. Yet, keep in mind, everyone’s privacy has already had to be invaded to get to this point. Users who are 16 or 17 start with the same defaults but can change them. Reddit presents this as protection, and some of it does protect, though it arrives welded to the identity demand rather than offered instead of it. The expansion follows months of regulatory pressure, most of it out of the United Kingdom. British regulators fined Reddit £14.47 million, roughly $19 million, earlier this year after finding the company had unlawfully handled children’s personal information between May 2018 and July 2025. Reddit had let people self-declare their age at signup, a method the Information Commissioner’s Office said children could get around without effort. “It’s concerning that a company the size of Reddit failed in its legal duty to protect the personal information of UK children,” Information Commissioner John Edwards said. Reddit’s answer named the tension the regulator would not. The company said it “didn’t require users to share information about their identities, regardless of age, because we are deeply committed to their privacy and safety.” It called the demand for more data “counterintuitive and at odds with our strong belief in our users’ online privacy and safety,” and it is appealing. Follow the regulator’s logic to its end and a platform has to identify everyone in order to shield the few who are children. That commitment has a paper trail. Reddit’s chief executive, Steve Huffman, told users a few months ago that the company had no wish to learn who they are. “We are not doing sitewide human verification,” he wrote in a post about confirming people are human rather than bots. “We don’t need or want your identity.” He described government ID checks as the company’s “least preferred” method, reserved for places where the law leaves no room. The system now reaching European users runs on the method he ranked dead last. Persona deserves a harder look than the word “verification” invites. Security researchers found an exposed Persona development environment sitting on a US government-authorized server, and the company’s chief executive, Rick Song, confirmed it was genuine. What sat inside went well past an age gate. Researchers counted 269 separate verification checks run on each person, facial recognition matched against watchlists, risk and similarity scores generated for every user, searches across internet and government databases, financial data checks, and several forms of biometric analysis on the selfie you upload. Persona’s own privacy policy fills in the rest. The company says it may pull identifiers, device details, and location data from outside sources, among them data brokers, marketing partners, and “publicly available sources…such as open government databases.” An age check, on paper, becomes an identity profile assembled from wherever the data happens to live. Reddit says it never sees the photos, that Persona hands back only a verification status and a birthdate. That answer covers Reddit and leaves everything else wide open. Whatever Persona builds out of your face, your ID, and the broker records it buys sits outside Reddit’s walls and outside the regulator’s stated concern. If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. The post EU Reddit Users Must Verify Age With Government ID or Selfie appeared first on Reclaim The Net: Free Speech, Privacy, Digital Rights.

Brave 1.92 Adds Built-In Containers for Desktop
Favicon 
reclaimthenet.org

Brave 1.92 Adds Built-In Containers for Desktop

If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. Brave shipped Containers this week. Version 1.92 of the browser lets you wall off tabs from one another so that cookies and site data stay locked inside whichever container you opened them in, even when two tabs point at the same website. You can now hold several identities at once without the browser blending them together. A social manager can run two accounts on the same network side by side. A developer can sign in as an administrator in one tab and a regular user in another. Someone logged into a work account can open a video stream in its own container so their viewing history never attaches to the office login. Brave is honest about what Containers are not. The company already isolates every site and its third-party requests through storage partitioning, which stops trackers from following you from one site to the next. Containers add none of that protection, because the browser was already doing it. They sit on top as a way to choose which version of yourself a site gets to see. The idea traces back to Mozilla, which built Containers when browsers still let sites swap storage through third-party cookies and pass your identity around behind your back. The web spent years being rebuilt around that kind of cross-site tracking, and features like this exist because the default was designed to watch you. Compartmentalizing your own logins shouldn’t feel like a maneuver, yet on today’s web, it is one. Firefox pioneered this style of tab isolation, and Brave is the first Chromium browser to bake it in natively rather than leaning on an add-on. For a codebase that shares its foundation with Chrome, that is a departure from Google’s priorities. Turning it on takes a trip to Settings, under brave://settings/braveContent, where a single toggle enables the feature. After that, you right-click any tab, choose “Open in container,” and pick a category. Brave ships a handful of defaults, including Personal, Work, Social, School, and Shopping, and the containers show up in the tab bar so you can tell them apart at a glance. The feature covers Windows, macOS, and Linux with no extension to install, though Brave is releasing it in phases over a few days, so it may not appear on your machine right away. Mobile isn’t part of this release. If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. The post Brave 1.92 Adds Built-In Containers for Desktop appeared first on Reclaim The Net: Free Speech, Privacy, Digital Rights.

Britain’s Digital ID Watchdog Will Do Its Watching in Secret
Favicon 
reclaimthenet.org

Britain’s Digital ID Watchdog Will Do Its Watching in Secret

If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. The UK government has decided that the watchdog meant to keep its dystopian national digital ID scheme honest will do its watching in private. Cabinet Office minister James Frith confirmed that the advisory group’s minutes will not be published, and he sidestepped questions about what the group costs and how its members were chosen. For a body sold to the public as “independent scrutiny,” that is a curious way to start. The questions came from Andrew Snowden, the Conservative MP for Fylde and an assistant whip. He submitted three written parliamentary questions to the Cabinet Office. Would the group’s minutes, recommendations, and advice ever be published? What budget had it been given? What criteria decided who got a seat? Frith, with the creative range of a man photocopying the same sheet, returned the identical answer to all three. “The running of the digital ID advisory group will be supported by the Cabinet Office’s existing digital ID task force. The group is not a decision-making body and minutes will not be published,” he said. So it’s not a decision-making body, therefore nothing it does is worth showing you. The advisory group will shape how the state builds an identity system covering every adult in Britain. It will have a view on what gets harvested, how long it’s kept, and who gets to reach in and rummage. The label “advisory” does not change any of that. It just changes whether you’re allowed to know about it. Snowden was not impressed. “The answer was disappointing to say the least,” he told The Register, before explaining why the secrecy bothers him. “Digital ID was a deeply controversial policy when Keir Starmer announced it, causing one of the many U-turns that led to the situation we are in today. If the government are persisting with developing a system of digital ID then scrutiny of that policy by Members of Parliament is vital. To ignore key questions will not increase public support for digital ID.” He’s right. Written parliamentary questions are one of the few working tools an MP has for prising information out of a reluctant government. Frith looked at that tool and decided the appropriate response was to whistle and study the ceiling. We do at least know who some of these unseen overseers are: Security expert David Rogers, Mumsnet founder Justine Roberts, Victor Dominello, formerly digital government minister of New South Wales, which is in Australia, roughly ten thousand miles from Britain. Chief Secretary to the Prime Minister Darren Jones convened the group, and it will meet quarterly for the life of the program. How those particular names were chosen, and whether anyone in the room fancied inviting someone inclined to tell the government no, stays unexplained, because the selection criteria were among the things Frith declined to disclose. Last month the government barred journalists from a digital identity advisory panel event, since nothing soothes a nervous public quite like physically removing the people whose job is to report what’s happening. Oversight you are not permitted to observe is not oversight. If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. The post Britain’s Digital ID Watchdog Will Do Its Watching in Secret appeared first on Reclaim The Net: Free Speech, Privacy, Digital Rights.