Reclaim The Net Feed

@reclaimthenetfeed

Court Forces German Chancellor Merz to Open Files on 300 “Insult the Chancellor” Cases
reclaimthenet.org

German Chancellor Friedrich Merz has used the German state to pursue around 300 criminal investigations against people accused of insulting him, and his Chancellery spent months trying to keep the public from finding out which prosecutors were handling the cases. That wall has now come down.

The Higher Administrative Court of Berlin-Brandenburg has ordered the Bundeskanzleramt to identify every prosecutor’s office running a Merz-insult investigation, along with the file number for each one. The ruling, which rejected the Chancellery’s appeal against an earlier decision of the Berlin Administrative Court, came after a legal challenge by Berlin daily Der Tagesspiegel. Until the judgment, roughly 300 criminal proceedings over alleged slights against the sitting head of government had been shielded from any journalistic scrutiny.

The legal hook for all of it is Section 188 of Germany’s criminal code, a special provision that gives people in political life reinforced protection against insult. The official English translation of the statute states that anyone who “insults a person who exercises a political office in relation to their office or in connection with their office shall be punished with imprisonment from three months to five years.” A politician gets to sit at the center of a prosecution aimed at a citizen who said something unpleasant about them, and the punishment on the table is years in prison.

How cases enter the pipeline is itself revealing. Citizens are encouraged by NGOs and state-run reporting portals to flag supposed insults, sometimes anonymously. Those reports travel to the Federal Criminal Police Office, which routes them to the relevant regional prosecutor’s office. The targeted politician is then notified and decides whether to file a formal criminal complaint or whether to leave the prosecution to run without objection. The Chancellery alone receives between 20 and 30 such files every month.

Merz has said he does not sign complaints himself, but also does not block the prosecutions that have been opened in his name. Whether that account holds up against the actual paperwork is precisely what the Chancellery was trying to prevent anyone from checking.

The Chancellery’s argument in court was that no heightened public interest justified handing the information over, and that merely naming the prosecutor’s offices and file numbers could violate the rights of accused individuals. The court did not accept it. The judges held that the Chancellor’s distinctive role in these proceedings made disclosure necessary, and that neither jurisdictional objections nor the absence of urgency stood in the way.

The scale alone deserves attention. A head of government who has triggered roughly 300 criminal investigations over things people said about him is using the machinery of the state against ordinary speech at a volume that does not look like an occasional recourse to legal remedy. It looks like a policy. And the instinct, once the numbers started circulating, was to hide the details rather than defend them.

The chilling effect of a regime like this does not depend on convictions. It depends on the knowledge that a critical Facebook post, a rude placard, or a sharp comment can summon the Bundeskriminalamt, a prosecutor, and potentially a house search. A Stuttgart man who called Merz a “Suffkopf,” roughly a drunkard, saw his home searched after Merz signed a complaint against him. The lesson lands well beyond the individuals actually charged. Self-censorship becomes the rational response, which is the real product of the law.

Section 188’s defenders describe it as protection for democratic institutions against targeted harassment of officials. The practical architecture of the provision tells a different story. The category of “insult” is elastic. German courts have struggled for years with where sharp political commentary ends and punishable disrespect begins, and individual judges have reached wildly different conclusions on facts that look almost identical. Into that vagueness steps a provision that hands the sitting Chancellor and his office a direct line to prosecutors considering whether to put a citizen through a criminal process.

The deeper question sits where it has always sat. A democracy that lets its head of government send police to the homes of citizens who call him names has already made a choice about which it values more, the dignity of the office or the tongue of the citizen. The court has forced some sunlight into the process. The provision that makes the process possible in the first place is still waiting for someone to deal with it.

UK Biobank Failures Expose the Permanent Cost of Sharing Genetic and Medical Records
reclaimthenet.org

The genetic sequences, medical scans, and lifestyle records of half a million British volunteers spent days listed for sale on Alibaba before anyone at UK Biobank noticed. Three academic institutions, since banned from the platform, had quietly walked the data out through a research system that was supposed to keep it under lock and key.

At least one of the three Alibaba listings appeared to contain the full dataset covering every one of the 500,000 participants who handed over their blood, their DNA, and decades of personal health information on the understanding it would be used for medical research.

The UK government confirmed the breach on Thursday. Technology minister Ian Murray told the House of Commons that Biobank had flagged the incident on Monday, and that the Chinese government and Alibaba had cooperated to pull the listings down before any purchases went through. Murray thanked Beijing directly for its “speed and seriousness” in taking down the data, a sentence that carries some weight given the three research institutions identified as the source are Chinese, though officials have declined to draw conclusions about intent.

Professor Rory Collins, Biobank’s chief executive and principal investigator, issued a statement saying the listings “were swiftly removed before any purchases were made.” He apologized to participants and confirmed that access to the research platform had been suspended while the organization installs file size limits designed to stop researchers from walking off with bulk datasets. An automated checking system to vet outgoing files is not expected to be ready until late 2026.

The sales listing is not the scandal. The scandal is what the sales listing reveals about how often Biobank’s data has already been exposed and where it now sits.

Prof Luc Rocher of the Oxford Internet Institute has been tracking the problem and maintains a public record of known incidents. By his count, the Alibaba posting is “the 198th known exposure of UK Biobank data since last summer.” Rocher added that the data “is not just available for sale, it also remains available online for anyone to download today.” Researchers have repeatedly uploaded the dataset to code-sharing platforms by accident, and copies have since been replicated across the web. Taking down one Alibaba listing does nothing about the other 197.

Biobank’s response to this pattern has been to emphasize that the data is “de-identified” and that no participant has been knowingly re-identified. The reassurance rests on a technical claim that does not survive contact with the evidence. The Guardian, working from just two pieces of commonly available information, identified a single Biobank participant last month. Genetic sequences, detailed medical histories, and lifestyle data are among the most identifiable records a person can generate about themselves, and stripping off a name does not change that.

UK Biobank was founded by the Department of Health in partnership with medical research charities, including the Wellcome Trust and the Medical Research Council. It recruited half a million volunteers aged 40 to 69 between 2006 and 2010, collecting blood samples, genetic sequences, imaging scans, and ongoing lifestyle information.

Access was supposed to work through a closed system. Researchers at accredited institutions would log in, run their analysis on the platform, and export only results. Until 2024, though, accredited institutions were handed bulk datasets directly to store on their own servers. The access rules changed, but the contractual ban on downloading datasets off the new platform sat alongside a technical system that still allowed it.

Murray acknowledged this gap in the Commons, saying that the system “also allowed you to do, although you were contractually as an accredited organization not supposed to do, is download the datasets.” The current thinking, he said, is that the three Chinese institutions downloaded the full dataset to local storage, and the data then ended up on Alibaba through means still being investigated.

The UK Biobank breach is the kind of story that should change how people think about handing over medical data, but it probably won’t. Half a million volunteers gave their blood, their genetic sequences, their imaging scans, and decades of lifestyle records to a research project run by the Department of Health and the Wellcome Trust. They did it for cancer research, for dementia research, for Parkinson’s. They were told the data would sit behind layers of access controls. What they were not told is that “access controls” meant a contractual promise that researchers would not download the dataset, paired with a technical system that let them download it anyway.

The custodianship promise has failed at a rate of roughly one breach every two days for nearly a year, and the failures are systemic. Each leak has its own story: a careless upload to GitHub, a misconfigured server, three Chinese institutions that allegedly walked the data straight onto a shopping site. Biobank’s response is to add file size limits and to point at “rogue researchers,” language that locates the problem in three bad actors instead of in a system that gave thousands of people worldwide practical access to copy one of the most sensitive datasets ever assembled. The reassurance that the data is “de-identified” does not survive contact with the evidence, given that the Guardian identified a Biobank participant last month using two pieces of commonly available information. Genetic sequences are not the kind of record a name can be peeled off.

What makes this worse is the world the data is leaking into. Medical and genetic information is now the single most valuable training input for the AI systems being built across healthcare, advertising, insurance, and government. Once a dataset reaches the open web, it does not stay in one place. It gets ingested. Researchers at MIT presented work at NeurIPS last year showing that foundation models trained on de-identified electronic health records memorize patient-specific information, and that adversarial prompts can pull individual records back out. Membership inference attacks on genomic models can determine whether a specific person’s DNA was in the training set. Model inversion attacks on a personalized warfarin dosing system reconstructed patients’ genetic markers from queries alone. The premise that anonymization protects you is a premise from a different decade.

The 23andMe bankruptcy made the financial logic clear. Genetic data does not get destroyed when a company fails. It gets sold to whoever bids highest, which means the consent you gave in 2008 covers uses by entities that did not exist when you signed up. Biobank operates on a similar trajectory. Volunteers consented to medical research conducted by accredited scientists working on a closed platform. They did not consent to their genome being on a Chinese e-commerce site, on GitHub, on servers Biobank cannot reach, or in the training data of a future large language model that some company will build using whatever scraped corpus is available. None of those uses required a separate breach to enable. They required only the breach that has already happened, multiplied by the fact that data on the internet replicates faster than any takedown notice can chase.

The deeper problem is that medical data has properties that no other category of personal information has. You can change a password. You can cancel a credit card. You cannot revoke your DNA. The genetic sequence currently sitting on whatever servers the Alibaba listing was scraped to before the takedown will identify the volunteer who provided it for the rest of their life, and will identify their children, and their siblings, and anyone closely related to them, none of whom consented to anything. The medical scans are equally permanent. The lifestyle data, decades of it, paints a picture detailed enough that the Oxford Internet Institute’s Luc Rocher could identify individuals from a fraction of it. Hand this category of information to an institution and you are not lending it. You are releasing it, and the release becomes irreversible the moment any custodian fails, which, by Biobank’s own count, is now 198 times.

The case for centralized medical research databases rests on the assumption that custodians can keep them secure. Biobank’s track record over the past year is the empirical answer to that assumption. The case for handing medical data to AI companies, healthcare chatbots, wellness apps, and direct-to-consumer genetic testing services rests on the same assumption, applied to organizations with weaker safeguards, shorter institutional memories, and stronger commercial incentives to find new uses for the data after the fact.

The volunteers who signed up in 2006 did so under a model of consent that the technology has since rendered obsolete. Anyone considering whether to hand over their genome, their scans, or their health records today should look at the Biobank numbers and notice that the question is no longer whether the data will leak. It is when, to whom, and into which AI system trained on which corpus collected by which company that does not yet exist.

When a Train Ticket Costs Your Passport: The Eurail Breach and the Digital ID Problem
reclaimthenet.org

Eurail wanted people’s passport numbers to let them ride a train. Now that data is for sale on the dark web, and some of the 308,777 people caught up in the breach are being told to cancel their passports and pay for replacements out of their own pocket.

The Dutch company, which sells the Interrail passes used by young travelers across 33 European countries, confirmed this week that a sample of the stolen dataset has already surfaced on Telegram. “We can confirm that data copied during the security incident has been offered for sale on the dark web and a sample dataset has been published on Telegram,” a spokesperson said. “Customers whose personal data was included in the sample dataset are being informed directly where contact details are available to us.”

The full haul contains exactly the material identity thieves dream about, including passport numbers, passport expiry dates, full names, home addresses, email addresses, phone numbers, and dates of birth. For users of the EU’s DiscoverEU program, which hands out free travel passes to young people, the exposed records also include photocopies of passports, bank account details, and some health data.

The breach happened on December 26, 2025. Eurail only began notifying affected individuals on March 27, 2026, three months after hackers walked out with the files and a full month after the data appeared on a cybercrime forum. In February, a hacker claimed responsibility publicly, saying they had stolen roughly 1.3 terabytes of data from Eurail’s AWS S3, Zendesk, and GitLab instances, including source code, database backups, and support tickets. The same hacker said negotiations with Eurail had failed, which is why the files were being dumped.

None of this was information Eurail needed to sell a train ticket. Rail operators ran Europe’s networks for decades without demanding scanned passports and dates of birth from every customer. The identity-verification stack that now sits behind a simple rail pass exists because identity checks have become the default business model, not because anyone can explain why selling a seven-day Interrail pass requires a permanent copy of someone’s government-issued ID.

The Eurail breach is a working demonstration of what happens when governments treat identity collection as the default setting for ordinary life. The UK is moving toward a mandatory digital ID scheme. The EU is rolling out its European Digital Identity Wallet. Online Safety Act compliance in Britain now requires “age verification” across huge swathes of the web, with platforms demanding government IDs, face scans, or credit card details before users can access content that was freely available a year ago. Every one of these systems rests on the same assumption that sank Eurail’s customers, which is that identity data can be collected safely, stored securely, and kept out of the wrong hands indefinitely. That assumption has never held up.

The pattern is consistent enough now to be predictable. A government or regulator decides identity verification should be mandatory for some activity, whether that is buying a train ticket, watching adult content, opening a bank account, or posting on social media. Private companies build the verification infrastructure, because governments rarely build their own. Those companies then hold databases of passport numbers, biometric scans, and home addresses, secured according to whatever corporate security practices happen to be in place. The databases get breached, because databases always get breached, and the consequences fall on the people whose data was collected rather than the entities that insisted on collecting it.

The Surveillance Accountability Act Demands Warrants for Data
reclaimthenet.org

Rep. Thomas Massie (R-KY) and Rep. Lauren Boebert (R-CO) have introduced the Surveillance Accountability Act, a bill that feels like someone took the Fourth Amendment and actually meant it.

The legislation aims “to ensure that all searches that significantly impinge on the privacy or security of a person require a warrant based on probable cause” and to create “a right of action for violations of Fourth Amendment rights.” That covers the kinds of searches federal agencies currently conduct without judicial oversight: pulling your financial records from banks, requesting your browsing history from ISPs, buying your location data from brokers, and harvesting your biometric information from surveillance cameras.

We obtained a copy of the bill for you here.

The bill lands in the middle of a brutal Congressional fight over FISA Section 702, the surveillance authority that currently lets the FBI search Americans’ communications. The new legislation goes much further than the various reform bills circulating around that debate. Where the SAFE Act and the Government Surveillance Reform Act target specific loopholes in FISA, the Surveillance Accountability Act tries to close all of them at once by rewriting the baseline rule: if the government wants your data, it needs a judge’s permission.

The main part of the bill adds a new Section 3119 to Title 18 of the US Code with a simple default: “no search may be conducted without a warrant issued by a neutral and detached magistrate upon probable cause, supported by oath or affirmation, and particularly describing the place to be searched and the persons or things to be seized.”

The bill defines “search” broadly enough to actually matter, covering “any government-initiated act that intrudes upon an individual’s reasonable expectation of privacy,” whether through “human, digital, or automated means.” It explicitly lists what falls under warrant protection: “communications,” “associations,” “employment,” “social media usage,” “internet usage,” “financial transactions,” and “travel.”

The bill goes further, extending protection to “the acquisition and analysis of any data, metadata, or information pertaining to a person’s digital or physical life,” including “geolocation,” “personal device activity,” “biometric identifiers,” and “behavioral signals data.” The government is already collecting and analyzing patterns of how you act online, and Massie and Boebert’s bill is the first piece of legislation to name it directly and bring it under warrant protection.

The Third-Party Doctrine Problem

The most significant provision attacks the legal fiction that has allowed warrantless government surveillance to flourish for nearly fifty years. The third-party doctrine, established by the Supreme Court in Smith v. Maryland (1979), holds that you lose your Fourth Amendment protection over any information you voluntarily share with a third party, like a phone company or a bank. The logic made a certain kind of sense when it meant the government could see which phone numbers you dialed. It makes no sense at all when every aspect of modern life generates data that passes through corporate servers.

The Supreme Court acknowledged as much in Carpenter v. United States (2018), ruling that cell phone location data requires a warrant even though it’s held by wireless carriers. But Carpenter was deliberately narrow. The Court didn’t overturn the third-party doctrine. It just said that this particular type of data, cell site location information, was too revealing to leave unprotected.

The new bill does what Carpenter didn’t. It creates a blanket presumption of privacy for all data held by third parties. The bill states that “the government shall not access any data, metadata, or personal information held by a third party, including financial services providers, telecommunication service providers, internet service providers, cloud storage companies, or data brokers, without a valid warrant, regardless of whether the third party consents or cooperates.” Your bank can’t waive your constitutional rights for you. Your phone company can’t either.

The bill goes further still: “No contractual agreement between a user and a third party may be interpreted as waiving the government’s warrant requirement for access to the data of that user, unless such waiver is knowing, voluntary, and explicit.” This kills the argument that by agreeing to a terms of service, you’ve somehow consented to government surveillance. That argument has always been absurd, and the bill finally says so in statute.

Facial Recognition and License Plate Readers

The bill’s limitations section targets two surveillance technologies that have spread across American cities with almost no legal oversight: facial recognition systems and automated license plate readers. The bill prohibits the “warrantless collection, retention, querying, or analysis” of data gathered from people simply going about their lives in public.

That prohibition covers “biometric data, including facial images, faceprints, gait, voice recognition, or other unique physical identifiers, obtained through facial recognition systems or comparable surveillance technologies.” It also covers “license plate images, vehicle metadata, or vehicle movement patterns obtained through automated license plate readers or similar systems.”

Federal, state, and local law enforcement agencies have been building vast databases of facial recognition and license plate data for years, treating the fact that you walked down a public street or drove on a public road as blanket permission to track your movements indefinitely. The bill says that’s not how it works. Being in public doesn’t mean consenting to biometric surveillance.

Suing the Government When It Violates Your Rights

The second half of the bill creates something that currently doesn’t exist in federal law: a clear right of action for Fourth Amendment violations by federal employees. The bill’s language is direct: “Every person, including a Federal employee, who, under color of any statute, ordinance, regulation, custom, or usage, of the United States, subjects, or causes to be subjected, any citizen of the United States or any person within the jurisdiction thereof to the deprivation of any rights, privileges, or immunities secured by the Fourth Amendment, shall be liable to the party injured in an action at law, suit in equity, or other proper proceeding for redress.” Courts can award attorney’s fees to the prevailing party, which means the threat of litigation carries financial weight.

This is significant because of the Supreme Court’s steady erosion of Bivens v. Six Unknown Named Agents (1971), the case that originally allowed citizens to sue federal officials for constitutional violations. The Court has spent the last decade and a half narrowing Bivens to the point where it barely functions. Massie’s bill creates a statutory alternative that doesn’t depend on judicial willingness to recognize new causes of action.

The right of action covers every federal employee except the President and Vice President. That’s a wide net. An NSA analyst who runs a warrantless query on your communications, an FBI agent who buys your location data from a broker, an ICE officer who accesses your records through a Section 702 backdoor search, all of them could face personal liability.

The Political Context

Massie has been fighting this battle for over a decade. He sponsored an amendment in 2014 to stop warrantless backdoor searches of Americans’ online data, which passed the House 293 to 123. He introduced the Surveillance State Repeal Act in 2015, seeking to repeal the PATRIOT Act and the FISA Amendments Act entirely. He’s called for Edward Snowden to be pardoned and for former Director of National Intelligence James Clapper to be prosecuted for lying to Congress about the NSA’s phone metadata program.

The Surveillance Accountability Act arrives at a moment when the politics of surveillance are stranger than they’ve been in years. Massie has publicly demanded “No FISA reauthorization without a warrant requirement for US citizens!” on social media, attaching screenshots of past statements from President Trump, Vice President Vance, and House Judiciary Chairman Jim Jordan warning about FISA abuses.

The Congressional Progressive Caucus, 98 House Democrats, has formally voted to oppose any Section 702 reauthorization without dramatic reforms. Senate Intelligence Committee Chair Tom Cotton is pushing an 18-month clean extension with no reforms at all, arguing that the war with Iran makes this the wrong time to weaken intelligence capabilities.

The warrant amendment that would have required court approval for FBI searches of Section 702 data lost by a single vote in 2024, a 212-212 tie in the House. Speaker Mike Johnson cast the tiebreaker against it.

“The Bill of Rights is not a suggestion, and Fourth Amendment protections against warrantless searches conducted by the government are not optional,” said Massie. “The Surveillance Accountability Act requires government employees to first obtain a warrant based on probable cause before searching Americans’ personal information even if the information sought is stored on a phone, in the cloud, or held by a third party. Warrantless searches are unconstitutional, and this does not change when the data the government seeks is in digital formats or held by a third party.”

“For years, the federal government has treated the Fourth Amendment like a suggestion. They’ve built a massive surveillance machine that tracks, scans, and spies on law-abiding Americans without a warrant, without probable cause, and without any accountability. Enough is enough,” said Rep. Lauren Boebert. “The Surveillance Accountability Act puts the Constitution back in charge. It protects every American from an out-of-control federal government that thinks it owns your data, your movements, and your life. This is a true bipartisan issue for anyone who still believes in limited government and individual liberty.”

Massie’s bill goes beyond Section 702. It rewrites the entire framework, or tries to.

The chances of the Surveillance Accountability Act passing in its current form are, being realistic, very low. The intelligence community will fight it. The national security establishment will call it dangerous. The administration has already signaled it wants a clean FISA extension with no conditions.

But the bill is a marker. It describes what actual Fourth Amendment compliance would look like if Congress took the text of the Constitution at face value. Warrants for searches. Probable cause. Judicial oversight. No exceptions for data that happens to sit on a corporate server. No loopholes for biometric surveillance conducted in plain view. And real consequences, financial ones, for agents who ignore the rules.

The gap between what the Surveillance Accountability Act proposes and what Congress is actually likely to pass tells you everything about how far the federal government has drifted from the privacy protections Americans were supposedly guaranteed 235 years ago.

France’s ID Portal Hacked: 19 Million Records Up for Sale
reclaimthenet.org

If you're tired of censorship and dystopian threats against civil liberties, subscribe to Reclaim The Net. French authorities have added another case study to the growing argument against centralizing citizen identity data. France Titres, formerly known as ANTS, operates the portal where residents apply for passports, national ID cards, residence permits, driver’s licenses, and vehicle registrations. On April 15, something broke inside that system. A week later, the Interior Ministry confirmed what anyone watching digital ID schemes has been saying about this exact architecture for years, and the scale on offer from the attacker makes the warning harder to wave away. A threat actor using the aliases “breach3d” and “ExtaseHunters” appeared on criminal forums on April 16, claiming to have stolen between 18 and 19 million records from the agency’s internal systems. If accurate, that is roughly a third of France’s population sitting in a for-sale listing. The seller describes the haul as a fresh, structural compromise rather than a recycled dump, and is actively shopping it. Early French press reports, including Le Figaro, initially pegged the figure at around 12 million accounts before later estimates climbed. The government has not confirmed any number. What the ministry has confirmed is a “security incident that may involve the disclosure of data from both individual and professional accounts.” Login credentials, full names, email addresses, dates of birth, unique account identifiers, postal addresses, places of birth, and phone numbers may all have been extracted. That combination is a starter kit for identity fraud, synthetic identity construction, and convincing phishing attacks against people who already expect email from French government domains. The reassurances arrived on schedule. “The disclosure of data does not include additional data submitted during the various procedures, such as attachments,” the notice stressed. 
“This personal data does not allow unauthorized access to the portal account.” Both statements may be accurate. Neither softens the reality that a government agency holding some of the most sensitive identifiers a person possesses has just lost control of a meaningful portion of them, with no disclosed user count and no attribution to any attacker.

The ministry has not said how many people are affected. It has not said who did it. It has not said how they got in. What it confirmed is that an investigation is running and that additional security measures have been put in place to keep the portal operating and improve data protection. Tightening the locks after the data has already left the building is a partial comfort at best. A state that cannot keep the contents of its secure document portal secure is the same state currently pushing for backdoor access to end-to-end encrypted services and mandatory digital IDs for platform users. The pipeline from policy to breach disclosure is short.

This is the structural failure mode of national-scale digital identity. France Titres was not built as a surveillance tool. It was built to make bureaucracy function. The outcome is indifferent to intent. Consolidating the documents that define a citizen’s legal existence into one portal creates one target, and the value of that target grows with every data field the state decides to demand. A breach of France Titres is not a breach of a retail site. It is a breach of the infrastructure of French legal identity itself.

The incident fits into a pattern that has become hard to overlook. Last week, France’s Education Ministry disclosed that attackers had pulled student data from the ÉduConnect platform after compromising a staff account in late 2025. In February, intruders reached into France’s National Bank Accounts File, exposing information tied to roughly 1.2 million bank accounts out of more than 300 million entries.
Earlier this year, cybercriminals made off with 15.8 million medical records from a French doctors’ ministry service. Four separate government-held databases, four separate failures, all involving records that citizens had no meaningful option to withhold.

The useful question is not whether France Titres will improve its defenses. It probably will. The question is why a government that has shown, repeatedly, that it cannot reliably protect data of this sensitivity keeps expanding the categories of data it demands from citizens, and keeps lobbying for access to data it does not yet hold.

Proponents of digital identity like to call these systems efficient and modern. The France Titres breach is a useful translation of what modern actually means here. It means the personal records that once sat in regional offices, on paper, inside locked filing cabinets, now live in databases reachable from anywhere on the internet by anyone resourceful enough to find a way in, and up for sale to anyone willing to pay for them.

The post France’s ID Portal Hacked: 19 Million Records Up for Sale appeared first on Reclaim The Net.