This week in privacy and security has been a whirlwind of revelations, ranging from the depths of the SolarWinds attack to new government overreach in age verification. Here's a comprehensive look at the stories that defined the landscape.
The SolarWinds Hack: More Humiliating Than We Thought
A new report reveals that the SolarWinds attackers sat inside Treasury Department email systems for an extended period with free rein, which goes beyond the previously understood scope of the breach. The attackers had unrestricted access to sensitive communications, raising serious questions about the government's ability to detect and contain advanced persistent threats. The report also suggests the response timeline was slower than publicly acknowledged.
FTC Fines Marketers Nearly $1 Million for Not Actually Listening
The Federal Trade Commission levied fines totaling nearly $1 million against several marketing companies that misled clients by claiming to use smart devices to overhear conversations for targeted ads. The firms claimed they could capture and analyze ambient audio from phones and smart speakers to deliver hyper-relevant advertisements, but the FTC found no evidence they actually did so. The penalty is meant to deter false advertising of surveillance capabilities, whether or not the surveillance is real.
Dark Patterns Keep Getting Darker
A privacy nonprofit's new study reveals that online platforms are using increasingly manipulative design tricks to make opting out of data sharing harder. The findings show that some companies require users to navigate through dozens of screens, use confusing language, or hide the opt-out button in hard-to-find locations. These dark patterns undermine user autonomy and circumvent legal requirements for clear consent.
U.S. Cybersecurity Agency Leaves Keys Out on GitHub
In an ironic blunder, the U.S. cybersecurity agency left its digital keys exposed in a public GitHub repository. Passwords were stored in plain text, and sensitive authentication tokens were accessible to anyone who found the repository. Insiders described it as the worst leak they had witnessed, given the agency's mission to protect federal networks. The incident highlights the persistent gap between the security advice agencies publish and their own internal practices. One practical note: a credential that has reached a public repository has to be treated as compromised and rotated, because deleting the file in a later commit leaves it in the history and in any clone or fork made in the meantime.
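The kind of check that would have caught the leak above before it was pushed is a secret scan over the files being committed. The following is an added example written for this article, not code from the agency or from any scanning tool; it is a minimal scanner with a few well-known credential patterns plus an entropy heuristic, run over a constructed configuration file. The rule names, the threshold of 4.0 bits and the sample file are all this example's own choices.

```python
import math
import re

# Hypothetical rule set: a few well-known credential formats. A production
# scanner carries hundreds of these; the point here is the shape of the check.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # Captures the quoted value of password/passwd/pwd assignments.
    "password_assignment": re.compile(
        r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"]([^'\"]{6,})['\"]"),
}

# Quoted tokens that look like opaque keys (base64/hex-ish, 20+ chars).
OPAQUE_TOKEN = re.compile(r"['\"]([A-Za-z0-9+/=_\-]{20,})['\"]")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumption for this example


def shannon_entropy(s):
    """Bits of entropy per character, estimated from character frequencies."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_line(line):
    """Return a list of (rule_name, matched_value) for one line of text."""
    findings = []
    for name, pat in PATTERNS.items():
        for m in pat.finditer(line):
            # Report the captured secret value when the rule has a group,
            # otherwise the whole match.
            findings.append((name, m.group(m.lastindex or 0)))
    # Entropy heuristic for tokens no named rule recognised.
    for m in OPAQUE_TOKEN.finditer(line):
        tok = m.group(1)
        already = any(tok in value for _, value in findings)
        if not already and shannon_entropy(tok) >= ENTROPY_THRESHOLD:
            findings.append(("high_entropy_string", tok))
    return findings


def scan_text(text):
    """Return (line_number, rule_name, value) for every finding in text."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, value in scan_line(line):
            results.append((lineno, name, value))
    return results


# Constructed sample file for this example. None of these values are real
# credentials; the AWS key is the documented example key format.
SAMPLE = """\
# settings.py (constructed sample, not a real leak)
DB_HOST = "db.internal.example"
DB_PASSWORD = "hunter2-Passw0rd!"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
GITHUB_TOKEN = "ghp_0123456789abcdefghijklmnopqrstuvwxyz"
SIGNING_SECRET = "abcdefghijklmnopqrstuvwxyz012345"
DEPLOY_KEY = "-----BEGIN OPENSSH PRIVATE KEY-----"
"""

if __name__ == "__main__":
    for lineno, name, value in scan_text(SAMPLE):
        print(f"line {lineno}: {name}: {value}")
```

Running the scan on the sample flags five of the seven lines; the hostname on line 2 passes because it matches no rule and is not an opaque token. In a repository this runs as a pre-commit hook and, separately, over the full git history, since the secret on line 3 of an old commit is just as exposed as one in the working tree.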
Local Tech Battles Push Leaders to Tears
Local government officials are struggling with tech-related disputes that have become emotionally charged. From data privacy ordinances to debates over surveillance cameras, council meetings have seen tears and outbursts. This reflects a broader tension between community safety concerns and the right to privacy, often made worse by a lack of clear legislative guidance at the state or federal level.
Pentagon Plans to Weaponize AI Models
The Pentagon reportedly intends to adopt and weaponize the latest cyber-capable AI models, including Anthropic's Claude Mythos Preview. Even though Anthropic itself has been labeled a supply chain risk, the military sees potential in leveraging advanced AI for offensive cyber operations. The move sparks debate about the ethics of militarizing commercial AI tools and the risk of escalation in cyber warfare.
DOJ Demands Data on 100,000 Car App Users
The Department of Justice is asking Apple and Google for data on approximately 100,000 users of EZ Lynk, a car app that allegedly helped drivers bypass emissions controls. The requests relate to a lawsuit accusing the company of enabling cheating on emissions tests. A data grab of this size raises concerns about overreach and about the privacy of drivers who have nothing to do with the case.
EU Calls VPNs a Loophole in Age Verification
The European Union has labeled VPNs a loophole that needs closing in age verification laws. The argument is that minors use VPNs to appear to be connecting from outside the jurisdiction, sidestepping the age checks and content restrictions that apply there and undermining efforts to protect children online. Privacy advocates warn that any mandate to disable or monitor VPN usage would severely undermine digital privacy for all citizens and set a dangerous precedent.
Utah's Age Verification Law Takes Effect
Utah's new age verification law targeting VPNs went into effect this week. The law requires websites and apps to verify the age of users who appear to be accessing content from Utah, and it penalizes the use of any technology that obscures the user's location. Critics say the law is unworkable and could lead to invasive verification methods, such as requiring a government ID upload for every site. The practical problem is that a site only ever sees an IP address, and IP geolocation is an inference: a site cannot reliably tell a VPN exit from a corporate proxy or a mobile carrier's shared address, so it either over-blocks legitimate users or under-enforces the law.
FCC's Robocall Fix Could Ruin Burner Phones
The FCC has proposed to tackle robocalls by requiring stronger caller ID verification, but the plan could inadvertently kill burner phones. The new rules would make it nearly impossible to use a prepaid phone without tying it to a verified identity. Privacy advocates argue this would eliminate a key tool for journalists, activists, and ordinary people who need to communicate anonymously.
Pornhub Expands Access in UK via Apple Age Verification
Pornhub is once again allowing new users in the U.K. to access content, thanks to Apple's new premium age verification system. Users verify their age on an Apple device by linking it to a government ID. While this is a streamlined method, it centralizes identity data with Apple, which raises concerns about data breaches and surveillance.
Canvas Hacked During Finals Week
Canvas, the learning management system used by more than 9,000 schools, was hacked by the notorious group ShinyHunters during finals week. Students were locked out of their courses, grades, and submissions. The incident caused widespread panic and academic disruption, and highlights how fragile crucial educational infrastructure is.
Flipper Zero App Fights Surveillance Pricing
A developer built an app for the Flipper Zero that hacks electronic shelf labels to expose surveillance pricing practices. The app demonstrates how easy it is to manipulate digital price tags in stores; the creator says it is for research purposes. The demonstration has prompted retailers to reconsider the security of these systems.
Pentagon Posts UFO Videos Amidst Privacy Debates
In a surprising release, the Pentagon posted several videos showing unidentified aerial phenomena. This is not directly a privacy story, but it lands in this column's Privacy & Security section, perhaps because the footage came from classified systems. The release underscores how government transparency requests intersect with security concerns.
Venmo Finally Fixes Its Most Glaring Privacy Issue
After years of criticism, Venmo has announced that private transactions will be presented as the default choice during onboarding. Previously, all transactions were public by default, allowing journalists and others to trace payments and reveal personal connections. The change is a win for privacy advocates, although it comes only after the company had already taken heavy criticism for enabling doxxing.
Context: The Broader Landscape
These stories are not isolated incidents. They are part of a larger tension between convenience, security, and privacy. The increasing digitalization of daily life has made surveillance more pervasive, while regulatory efforts often lag behind the technology. From government agencies exposing their own secrets to companies pushing manipulative designs, the need for robust privacy protections has never been clearer. At the same time, new laws aimed at protecting children and combating fraud risk tipping into authoritarian overreach, as seen in the EU's VPN stance and Utah's age verification mandate.
The balance between security and liberty continues to be tested. While some measures are effective, others introduce new vulnerabilities. The week's events serve as a reminder that privacy is not just about hiding information, but about maintaining autonomy in an increasingly monitored world.
Source: Gizmodo News