Privacy

Native Android apps – including Facebook, Instagram, and several Yandex apps such as Maps, Navi, Browser, and Search – silently listen on fixed local ports on mobile devices to de-anonymize users’ browsing habits without consent, says a report published by a team of researchers from Spain-based IMDEA Networks Internet Analytics Group, and Dutch Radboud University.

Here is the technical report: https://localmess.github.io/

By embedding tracking code into millions of websites, Meta’s Pixel and Yandex Metrica have been able to map Android users’ browsing habits with their persistent identities (that is to say, with the account holder logged in). This method bypasses privacy protections offered by Android’s permission controls and even browsers’ Incognito Mode, affecting all major Android browsers. The international research team has disclosed the issue to several browser vendors, who are actively working on mitigations to limit this type of abuse. For instance, Chrome’s mitigation is scheduled to go into effect very soon.

These tracking companies have been doing this bypass for a long time: since 2017 in the case of Yandex, and Meta since September 2024. The number of people affected by this abuse is high, given that Meta Pixel and Yandex Metrica are estimated to be installed on 5.8 million and 3 million sites, respectively. It is also worth noting that evidence of this tracking practice has been observed only on Android.

[...]

cross-posted from: https://lemmy.sdf.org/post/35915645

TikTok introduced a slew of new advertiser tools at the company’s annual advertiser summit on June 3rd. The new products range from AI-powered ad tools to new features connecting creators and brands, but the overall picture is clear: advertiser content on TikTok is about to become much more tailored and specific.

The company will give brands precise details about how their target audience is using the platform — including AI-generated suggestions on ads to run. Using a tool called Insight Spotlight, advertisers will be able to sort by user demographics and industry to see what videos users in the target group are watching and what keywords are associated with popular content. In an example provided by TikTok, an AI-generated suggestion recommends that a brand “produce video content focused on ‘hormonal health’ for female, English-speaking users” and to include a specific keyword. Another feature in Insight Spotlight analyzes users’ viewing history to identify types of content that are bubbling up.

[...]

cross-posted from: https://lemmy.sdf.org/post/35817780

TikTok has launched a High Court challenge to a €530m fine imposed on it by the Data Protection Commission (DPC).

It is the latest legal attempt by Big Tech to overturn penalties imposed by the Irish privacy regulator. Of the more than €4bn in fines levied on companies including Meta and Amazon, only €20m has been paid so far.

The other penalties are being challenged in the Irish courts. There is no date set for any of the hearings, as a decision is awaited from the European Court of Justice on a key legal point.

[...]

“TikTok failed to verify, guarantee and demonstrate that the personal data of European Economic Area (EEA) users, remotely accessed by staff in China, was afforded a level of protection essentially equivalent to that guaranteed within the EU,” DPC deputy commissioner Graham Doyle said at the time.

“As a result of TikTok’s failure to undertake the necessary assessments, TikTok did not address potential access by Chinese authorities to EEA personal data under Chinese anti-terrorism, counter-espionage and other laws identified by TikTok as materially diverging from EU standards.”

[...]

In a further “serious development”, the DPC noted that, throughout its inquiry, TikTok had said it did not store EEA user data on servers in China. However, in April it told the regulator that, two months earlier, it discovered that “limited” data had in fact been stored on Chinese servers.

“TikTok informed the DPC that this discovery meant it had provided inaccurate information to the inquiry,” the regulator pointed out. The DPC is currently engaging with other European data regulators on that issue.

cross-posted from: https://lemmy.sdf.org/post/35554000

[...]

Chinese hackers targeted the Czech Foreign Ministry in a sophisticated cyberattack that lasted more than a year, the government said Tuesday, formally blaming Beijing for infiltrating one of the country’s most sensitive communication systems.

[...]

Foreign Minister Jan Lipavský summoned the Chinese ambassador to Prague, Feng Biao, on Tuesday morning to formally protest the cyberattack. He said the ministry’s system had long suffered from outdated technology and security flaws, which made the breach possible.

[...]

This cyberattack didn’t expose personal data but shows ongoing risks to [...] security. Outdated systems leave sensitive government info vulnerable, which could affect national security and public services. Cooperation with NATO, the EU, and allies aims to prevent future attacks and protect services like passports and healthcare. While your data wasn’t at risk this time, the breach highlights the growing need for strong cybersecurity to keep information safe.

cross-posted from: https://lemmy.sdf.org/post/33723368

European Union privacy watchdogs fined TikTok 530 million euros ($600 million) on Friday after a four-year investigation found that the video sharing app’s data transfers to China breached strict data privacy rules in the EU.

Ireland’s Data Protection Commission also sanctioned TikTok for not being transparent with users about where their personal data was being sent and it ordered the company to comply with the rules within six months.

[...]

TikTok, whose parent company ByteDance is based in China, has been under scrutiny in Europe over how it handles personal information of its users amid concerns from Western officials that it poses a security risk over user data sent to China. In 2023, the Irish watchdog also fined the company hundreds of millions of euros in a separate child privacy investigation.

[...]

The Irish watchdog said its investigation found that TikTok failed to address “potential access by Chinese authorities” to European users’ personal data under Chinese laws on anti-terrorism, counter-espionage, cybersecurity and national intelligence that were identified as “materially diverging” from EU standards.

[...]

TikTok faces further scrutiny from the Irish regulator, which said that the company had provided inaccurate information throughout the inquiry by saying that it didn’t store European user data on Chinese servers. It wasn’t until April that it informed the regulator that it discovered in February that some data had in fact been stored on Chinese servers.

[...]

cross-posted from: https://lemmy.sdf.org/post/33548424

  • The agency said that before DeepSeek’s chatbot was removed from app stores in South Korea, the company was transferring user data to firms in China and the U.S. without consent.
  • The findings were released in relation to an ongoing investigation into DeepSeek, and the company has been sent corrective recommendations.

South Korea’s data protection authority has concluded that Chinese artificial intelligence startup DeepSeek collected personal information from local users and transferred it overseas without their permission.

The authority, the Personal Information Protection Commission [PIPC], released its written findings on Thursday in connection with a privacy and security review of DeepSeek.

It follows DeepSeek’s removal of its chatbot application from South Korean app stores in February at the recommendation of PIPC.

[...]

During DeepSeek’s presence in South Korea, it transferred user data to several firms in China and the U.S. without obtaining the necessary consent from users or disclosing the practice, the PIPC said.

The agency highlighted a particular case in which DeepSeek transferred information from user-written AI prompts, as well as device, network, and app information, to a Chinese cloud service platform named Beijing Volcano Engine Technology Co.

[...]

When the data protection authority announced the removal of DeepSeek from local app stores, it signaled that the app would become available again once the company implemented the necessary updates to comply with local data protection policy.

That investigation followed reports that some South Korean government agencies had banned employees from using DeepSeek on work devices. Other global government departments, including in Taiwan, Australia, and the U.S., have reportedly instituted similar bans.


cross-posted from: https://lemmy.sdf.org/post/33122696

[...]

The first rupture appeared on January 29 when cloud security firm Wiz stumbled upon an exposed ClickHouse database tagged “ds-log-prod-001”. Anyone with a browser could have accessed more than a million log lines: raw chat history, API keys, and even internal service tokens. Wiz engineers demonstrated that with two clicks they could seize “full database control”, inject malicious code and pivot into the rest of DeepSeek’s infrastructure.

A week later mobile forensics specialists at NowSecure published a parallel autopsy of the iOS build. Their findings read like a checklist of everything Apple’s security team tells developers not to do: hard-coded encryption keys, deprecated 3DES ciphers and App Transport Security switched off globally, allowing chats to travel unencrypted. The company urged enterprises to ban the app outright. However, DeepSeek’s parentage turned out to be even more troubling.

Corporate registries in Zhejiang and the Cayman Islands show the chatbot is a wholly owned offshoot of High-Flyer Quant, a hedge fund founded in 2016 by the 38-year-old trader and CEO of DeepSeek, Liang Wenfeng. Reuters reporting confirms that High-Flyer pivoted from equity markets to artificial intelligence research in 2023, building two super-computing clusters stuffed with Nvidia A100 processors before US export controls came into force.

[...]

Sources say the Computer Emergency Response Team of India (CERT-In) is preparing a broader advisory under the new Digital Personal Data Protection Act that could push local app stores to delist the software if it fails a security audit. Other democracies have gone further: Italy, Australia and Taiwan have banned DeepSeek from public-sector systems, with Taipei warning of “systemic espionage risk”.

[...]

High-Flyer Quant’s pitch decks boast of “harvesting alternative data at planetary scale”. If every trade idea whispered into DeepSeek ends up in a Hangzhou warehouse, the company enjoys a real-time map of market sentiment unavailable to Wall Street — and unpoliced by the Securities and Exchange Commission. For American fund managers and Indian startups alike, using the chatbot could be tantamount to CC-ing a rival on every brainstorming session.

[...]

cross-posted from: https://lemmy.sdf.org/post/32102322

TikTok owner ByteDance is set to be hit by a privacy fine of more than €500 million for illegally shipping European users’ data to China, adding to the growing global backlash over the video-sharing app.

Ireland’s data protection commission, the company’s main regulator in Europe, will issue the penalty against TikTok before the end of the month, according to people familiar with the matter.

The move comes after a lengthy investigation found the Chinese business fell foul of the European Union’s General Data Protection Regulation in sending the information to China to be accessed by engineers, added the people, who spoke under condition of anonymity.

[...]

As part of the decision from Ireland’s data protection commission, the regulator will order TikTok to suspend the unlawful data processing in China within a set time frame. China has long provoked the ire of privacy activists, who claim that the nation’s mass surveillance regime violates fundamental rights.

TikTok has been in the crosshairs of the Irish data protection commission before. In September 2023, it was fined €345 million for alleged lapses in the way it cares for children’s personal data. The watchdog has also sounded the alarm over Big Tech firms shipping the personal data of European citizens outside of the 27-member bloc, slapping a record €1.2 billion fine against Facebook owner Meta Platforms Inc. for failing to protect personal information from the American security services.

The Irish probe into TikTok started in 2021, when the regulator’s then head Helen Dixon claimed that EU user data could be accessed by “maintenance and AI engineers in China.”

[...]


cross-posted from: https://lemmy.sdf.org/post/31957116

Millions of Americans have downloaded apps that secretly route their internet traffic through Chinese companies, according to an investigation by the Tech Transparency Project (TTP), including several that were recently owned by a sanctioned firm with links to China’s military.

TTP’s investigation found that one in five of the top 100 free virtual private networks in the U.S. App Store during 2024 were surreptitiously owned by Chinese companies, which are obliged to hand over their users’ browsing data to the Chinese government under the country’s national security laws. Several of the apps traced back to Qihoo 360, a firm declared by the Defense Department to be a “Chinese Military Company.” Qihoo did not respond to questions about its app-related holdings.

[...]

VPNs allow users to mask the IP address that can identify them, and, in theory, keep their internet browsing private. For that reason, they have been used by people around the world to sidestep government censorship or surveillance, or because they believe it will improve their online security. In the U.S., kids often download free VPNs to play games or access social media during school hours.

However, VPNs can themselves pose serious risks because the companies that provide them can read all the internet traffic routed through them. That risk is compounded in the case of Chinese apps, given China’s strict laws that can force companies in that country to secretly share access to their users’ data with the government.

[...]

The VPN apps identified by TTP have been downloaded more than 70 million times from U.S. app stores, according to data from AppMagic, a mobile apps market intelligence firm.

[...]

The findings raise questions about Apple’s carefully cultivated reputation for protecting user privacy. The company has repeatedly sought to fend off antitrust legislation designed to loosen its control of the App Store by arguing such efforts could compromise user privacy and security. But TTP’s investigation suggests that Apple is not taking adequate steps to determine who owns the apps it offers its users and what they do with the data they collect. More than a dozen of the Chinese VPNs were also available in Apple’s App Store in France in late February, showing that the issue extends to other Western markets.

[...]

cross-posted from: https://lemmy.sdf.org/post/31274457

An exploitation avenue found by Trend Micro in Windows has been used in an eight-year-long spying campaign, but there's no sign of a fix from Microsoft, which apparently considers this a low priority.

The attack method is low-tech but effective, relying on malicious .LNK shortcut files rigged with commands to download malware. While appearing to point to legitimate files or executables, these shortcuts quietly include extra instructions to fetch or unpack and attempt to run malicious payloads.

Ordinarily, the shortcut's target and command-line arguments would be clearly visible in Windows, making suspicious commands easy to spot. But Trend's Zero Day Initiative said it observed North Korea-backed crews padding out the command-line arguments with megabytes of whitespace, burying the actual commands deep out of sight in the user interface.

Trend reported this to Microsoft in September last year and estimates that it has been used since 2017. It said it had found nearly 1,000 tampered .LNK files in circulation but estimates the actual number of attacks could have been higher.

"This is one of many bugs that the attackers are using, but this is one that is not patched and that's why we reported it as a zero day," Dustin Childs, head of threat awareness at the Zero Day Initiative, [said].

"We told Microsoft but they consider it a UI issue, not a security issue. So it doesn't meet their bar for servicing as a security update, but it might be fixed in a later OS version, or something along those lines."

[...]
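The padding trick described above can be checked for directly on disk: parse the shortcut's StringData and measure the whitespace runs inside its command-line arguments. This is an added example, not code from the original post or from Trend Micro/ZDI; the 64-character threshold and the sample shortcuts are assumptions constructed for the demonstration, and the field layout follows the public MS-SHLLINK format.

```python
"""Flag .LNK shortcuts whose arguments are padded with whitespace so the
real command sits far to the right of what the Properties dialog shows.

Added example (not the original post's or ZDI's code). Layout used, per
MS-SHLLINK: 76-byte ShellLinkHeader with LinkFlags at offset 20, optional
LinkTargetIDList, optional LinkInfo, then StringData fields in fixed order.
"""
import struct

HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData fields appear in this order, each present only if its flag is set.
STRING_FIELDS = [
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
]


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields of a .LNK blob as a dict of str."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a ShellLink header")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:
        # IDListSize (2 bytes) counts the bytes that follow it.
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        # LinkInfoSize (4 bytes) counts the whole LinkInfo block, itself included.
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for name, flag in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters
        pos += 2
        width = 2 if unicode else 1
        raw = data[pos:pos + width * count]
        pos += width * count
        fields[name] = raw.decode("utf-16-le" if unicode else "cp1252", errors="replace")
    return fields


def analyse_arguments(args: str, max_run: int = 64) -> dict:
    """Measure the longest whitespace run and what follows it.

    max_run is an assumed threshold: legitimate arguments never contain
    dozens of consecutive spaces, so a run that long is treated as padding.
    """
    longest = run = end_of_longest = 0
    for i, ch in enumerate(args):
        run = run + 1 if ch.isspace() else 0
        if run > longest:
            longest, end_of_longest = run, i + 1
    suspicious = longest >= max_run
    return {
        "length": len(args),
        "longest_whitespace_run": longest,
        "suspicious": suspicious,
        # The part an analyst would not see in the UI: everything after the padding.
        "hidden_tail": args[end_of_longest:].strip() if suspicious else "",
    }


def scan_lnk(data: bytes, max_run: int = 64):
    """Parse a shortcut and return the padding report, or None if it has no arguments."""
    fields = parse_lnk_strings(data)
    if "arguments" not in fields:
        return None
    report = analyse_arguments(fields["arguments"], max_run)
    report["relative_path"] = fields.get("relative_path", "")
    return report


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed minimal Unicode .LNK (no IDList, no LinkInfo) for testing."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", 0x4C)
    header += bytes.fromhex("0114020000000000c000000000000046")  # LinkCLSID
    header += struct.pack("<I", flags)
    header += b"\x00" * (76 - len(header))  # remaining header fields left zero
    body = b""
    for s in (relative_path, arguments):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


# Constructed samples: a normal shortcut, and one padded the way the post describes
# (the hidden tail is a harmless placeholder, not a real payload command).
SAMPLE_BENIGN = build_lnk(".\\readme.txt", "/readonly")
SAMPLE_PADDED = build_lnk(".\\readme.txt", "/readonly" + " " * 300 + "echo hidden")

if __name__ == "__main__":
    for label, blob in (("benign", SAMPLE_BENIGN), ("padded", SAMPLE_PADDED)):
        print(label, scan_lnk(blob))
```

Feeding real shortcuts in is a matter of `scan_lnk(open(path, "rb").read())`; shortcuts that carry an IDList or LinkInfo are skipped over by their size fields before the strings are read.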

cross-posted from: https://slrpnk.net/post/19675447

Here is an Invidious link for the video (and 'Lola' part starts at ~5 minutes)

To demonstrate this, Sadoun introduces the audience to “Lola,” a hypothetical young woman who represents the typical web user that Publicis now has data about. “At a base level, we know who she is, what she watches, what she reads, and who she lives with,” Sadoun says. “Through the power of connected identity, we also know who she follows on social media, what she buys online and offline, where she buys, when she buys, and more importantly, why she buys.”

It gets worse. “We know that Lola has two children and that her kids drink lots of premium fruit juice. We can see that the price of the SKU she buys has been steadily rising on her local retailer’s shelf. We can also see that Lola’s income has not been keeping pace with inflation. With CoreAI, we can predict that Lola has a high propensity to trade down to private label,” Sadoun says, meaning that the algorithm apprehends whether Lola is likely to start buying a cheaper brand of juice. If the software decides this is the case, the CoreAI algo can automatically start showing Lola ads for those reduced price juice brands, Sadoun says.


Firefox may be incompatible with DFSG and probably other similar principles and TOS.

From the bug report:

The new Terms of Use, from what I can see, are in violation of the DFSG points 5 and 6:

  5. No discrimination against persons or groups

Rationale:

The terms of use grant Mozilla the right to terminate anyone's access:

Mozilla can suspend or end anyone’s access to Firefox at any time for any reason

https://www.mozilla.org/en-US/about/legal/terms/firefox/#mozilla-can-update-or-terminate-this-agreement

  6. No discrimination against fields of endeavor

Rationale:

The terms of use don't allow you to use Firefox to break the law. While this seems a reasonable term, it wouldn't be so reasonable for a dissident in an oppressive country.

you agree that you will not use Firefox to [...] violate any applicable laws or regulations.

...

Apart from these violations of the DFSG, Firefox has now permission to leak user data to Mozilla, and who knows who else they decide to sell it later. This is a security bug.

You give Mozilla all rights necessary to operate Firefox, including processing data as we describe in the Firefox Privacy Notice, as well as acting on your behalf to help you navigate the internet. When you upload or input information through Firefox, you hereby grant us a nonexclusive, royalty-free, worldwide license to use that information to [...]

cross-posted from: https://lemmy.sdf.org/post/30887912

Here is the report Security and Trust: An Unsolvable Digital Dilemma? (pdf)

Police authorities and governments are calling for digital backdoors for investigative purposes - and the EU Commission is listening. The Centre for European Policy (cep) warns against a weakening of digital encryption. The damage to cyber security, fundamental rights and trust in digital infrastructures would be enormous.

[...]

The debate has become explosive due to the current dispute between the USA and the UK. The British government is demanding that Apple provide a backdoor to the iCloud to allow investigating authorities access to encrypted data. Eckhardt sees parallels with the EU debate: "We must prevent the new security strategy from becoming a gateway for global surveillance." Technology companies such as Meta, WhatsApp and Signal are already under pressure to grant investigators access to encrypted messages.

"Once you install a backdoor, you lose control over who uses it," says Küsters. Chinese hackers were recently able to access sensitive data through a vulnerability in US telecommunications networks - a direct consequence of the infrastructure there. Instead, Küsters advocates a strategy of "security by design", i.e. designing systems securely from the outset, and the increased use of metadata analyses and platform cooperation as viable alternatives to mass surveillance.

[...]

Lessons from across the Atlantic?

A recent episode from the US provides an illustrative cautionary tale. For decades, some US law enforcement and intelligence agencies advocated “exceptional access” to encrypted communications, claiming that only criminals needed such robust privacy protections – echoing the current debate in the EU. But over the past months, a dramatic shift occurred following revelations that Chinese state-sponsored hackers had infiltrated major US telecommunications networks, gaining access to call metadata and possibly even live calls (the so-called “Salt Typhoon” hack).

Specifically, the Chinese hackers exploited systems that US telecom companies had built to comply with federal wiretapping laws such as Communications Assistance for Law Enforcement Act (CALEA), which requires telecommunications firms to enable “lawful intercepts”. In theory, these built-in channels were supposed to only give law enforcement an exclusive window into suspect communications. In practice, however, they became a universal vulnerability that hostile actors could just as easily exploit.

Suddenly, the very government voices that once dismissed end-to-end encryption began recommending that citizens use encrypted messaging apps to maintain their security.

**What can we learn from this?**

While governments often push for greater surveillance capabilities, the real and current threat of state-sponsored cyber-espionage demonstrates the indispensable value of strong encryption. As the Electronic Frontier Foundation has noted, Salt Typhoon shows once more that there is no such thing as a backdoor that only the “good guys” can use.

If the mechanism exists, a malicious party will eventually find it and weaponise it. The lesson for Europe is clear: undermining encryption to aid investigations may prove short-sighted if it also exposes citizens – and state institutions – to hostile foreign interference. Is this really what we want to do in an increasingly challenging geopolitical environment? The debate about ensuring lawful and effective access to data in the digital age will remain one of the most pressing challenges, so we need to ask whether there are alternative, viable models.

[...]


cross-posted from: https://lemmy.sdf.org/post/30804814

A former senior Facebook executive has told the BBC how the social media giant worked "hand in glove" with the Chinese government on potential ways of allowing Beijing to censor and control content in China.

Sarah Wynn-Williams - a former global public policy director - says in return for gaining access to the Chinese market of hundreds of millions of users, Facebook's founder, Mark Zuckerberg, considered agreeing to hiding posts that were going viral, until they could be checked by the Chinese authorities.

Ms Williams - who makes the claims in a new book - has also filed a whistleblower complaint with the US markets regulator, the Securities and Exchange Commission (SEC), alleging Meta misled investors. The BBC has reviewed the complaint.

Facebook's parent company Meta, says Ms Wynn-Williams had her employment terminated in 2017 "for poor performance".

It is "no secret we were once interested" in operating services in China, it adds. "We ultimately opted not to go through with the ideas we'd explored."

[...]

Ms Wynn-Williams says her allegations about the company's close relationship with China provide an insight into Facebook's decision-making at the time.

[...]

Ms Wynn-Williams claims that in the mid-2010s, as part of its negotiations with the Chinese government, Facebook considered allowing it future access to Chinese citizens' user data.

"He was working hand in glove with the Chinese Communist Party, building a censorship tool… basically working to develop sort of the antithesis of many of the principles that underpin Facebook," she told the BBC.

Ms Wynn-Williams says governments frequently asked for explanations of how aspects of Facebook's software worked, but were told it was proprietary information.

"But when it came to the Chinese, the curtain was pulled back," she says.

"Engineers were brought out. They were walked through every aspect, and Facebook was making sure these Chinese officials were upskilled enough that they could not only learn about these products, but then test Facebook on the censorship version of these products that they were building."

[...]

In her SEC complaint, Ms Wynn-Williams also alleges Mr Zuckerberg and other Meta executives had made "misleading statements… in response to Congressional inquiries" about China.

One answer given by Mr Zuckerberg to Congress in 2018 said Facebook was "not in a position to know exactly how the [Chinese] government would seek to apply its laws and regulations on content"

[...]


We're very happy to share Techlore's video review of the BusKill Kill Cord.

BusKill Techlore Review
Can't see video above? Watch it on PeerTube at neat.tube or on YouTube at youtu.be/Zns0xObbOPM

Disclaimer: We gave Techlore a free BusKill Kit for review; we did not pay them nor restrict their impartiality and freedom to publish an independent review. For more information, please see Techlore's Review Unit Protocols policy. We did require them to make the video open-source as a condition of receiving this free review unit. The above video is licensed CC BY-SA; you are free to redistribute it. If you are a video producer and would like a free BusKill Kit for review, please contact us

To see the full discussion about this video on the Techlore forums, see:

Support BusKill

We're looking forward to continuing to improve the BusKill software and looking for other avenues to distribute our hardware BusKill cable to make it more accessible this year.

If you want to help, please consider purchasing a BusKill cable for yourself or a loved one. It helps us fund further development, and you get your own BusKill cable to keep you or your loved ones safe.

Buy a BusKill Cable
https://buskill.in/buy

You can also buy a BusKill cable with bitcoin, monero, and other altcoins from our BusKill Store's .onion site.

Stay safe,
The BusKill Team
https://www.buskill.in/
http://www.buskillvampfih2iucxhit3qp36i2zzql3u6pmkeafvlxs3tlmot5yad.onion/


cross-posted from: https://lemmy.sdf.org/post/30014783

U.S. Federal Trade Commission urged to investigate Google’s RTB data in first ever complaint under new national security data law.

Google sends enormous quantities of sensitive data about Americans to China and other foreign adversaries, according to evidence in a major complaint filed today at the FTC by Enforce and EPIC. This is the first ever complaint under the new Protecting Americans’ Data from Foreign Adversaries Act.

The complaint (open pdf) targets a major part of Google’s business: Google’s Real-Time Bidding (RTB) system dominates online advertising, and operates on 33.7 million websites, 92% of Android apps, and 77% of iOS apps. Much of Google’s $237.9 billion advertising revenue is RTB.

Today’s complaint reveals that Google has known for at least a decade that its RTB technology broadcasts sensitive data without any security, according to internal Google discussions highlighted in today’s complaint.

The complaint cites internal Google communications showing that Google CEO, Sundar Pichai, rejected or failed to act upon internal calls to reform the company’s dangerous RTB system in 2021. Instead, Google continued to expose sensitive American defense and industry personnel, and their institutions, to blackmail and compromise, in addition to causing grave privacy harm to consumers. Even Google’s so called “non personalized” data contains dangerous data.

[...]


cross-posted from: https://lemmy.sdf.org/post/30014356

The General Data Protection Regulation (GDPR) was designed to put people’s rights at the centre of the digital economy, ensuring strong safeguards against data exploitation and corporate or state overreach. However, nearly six years after its enforcement, the reality falls short of the promise. Large technology companies have repeatedly delayed and obstructed procedures, while inconsistencies between (and other practices of) Data Protection Authorities (DPAs) have left individuals without effective redress.

The GDPR Procedural Regulation offers a rare opportunity to fix systemic weaknesses by streamlining cross-border enforcement, reducing delays, and ensuring consistency in cross-border cases. If done right, it could restore trust in the GDPR and reaffirm the EU’s leadership in protecting fundamental rights in the digital age. But if weakened by loopholes and inefficiencies, it risks entrenching existing problems and setting a dangerous precedent for digital rights enforcement.

Civil Society’s Call to Action

The letter (opens pdf) —signed by a broad coalition of human rights organisations—urges negotiators to ensure that the Regulation upholds the GDPR’s original vision of strong, meaningful enforcement. Key concerns include:

  • Delays and procedural asymmetries: Some DPAs, particularly in jurisdictions where major tech companies are headquartered, have systematically delayed decisions, leaving individuals without redress while companies continue to profit from unlawful practices.
  • Unpaid fines and ineffective deterrence: Despite high-profile GDPR fines, enforcement remains inconsistent, with some penalties going unpaid for years, eroding the credibility of the framework.
  • Loopholes in early trilogue drafts: Provisions under discussion could inadvertently introduce new complexities rather than resolving existing inefficiencies, creating further barriers to enforcement.

[...]


cross-posted from: https://lemmy.dbzer0.com/post/36880616

Help Combat Internet Censorship by Running a Snowflake Proxy (Browser or Android)

Internet censorship remains a critical threat to free expression and access to information worldwide. In regions like Iran, Russia, and Belarus, journalists, activists, and ordinary citizens face severe restrictions when trying to communicate or access uncensored news. You can support their efforts by operating a Snowflake proxy—a simple, low-impact way to contribute to a freer internet. No technical expertise is required. Here’s how it works:


What Is Snowflake?

Snowflake is a privacy tool integrated with the Tor network. By running a Snowflake proxy, you temporarily route internet traffic for users in censored regions, allowing them to bypass government or institutional blocks. Unlike traditional Tor relays, Snowflake requires minimal bandwidth, no configuration, and no ongoing maintenance. Your device acts as a temporary bridge, not a permanent node, ensuring both safety and ease of use.


Is This Safe for Me?

Short answer: Yes.

Long answer: probably. Here is why:

  • Your IP address is not exposed to the websites they access. So, you don't have to worry about what they are doing either. You are not an exit node.
  • No activity logs. Snowflake cannot monitor or record what users do through your connection. The only stored information is how many people have connected to your bridge. Check docs for further info on this.
  • Low resource usage. The data consumed is comparable to background app activity—far less than streaming video or music.
  • No direct access to your system
  • No storage of sensitive data. Snowflake proxies do not store any sensitive data, such as IP addresses or browsing history, on your system.
  • Encrypted communication. All communication between the Snowflake proxy and the Tor network is encrypted, making it difficult for attackers to intercept or manipulate data.

You are not hosting a VPN or a full Tor relay. Your role is limited to facilitating encrypted connections, similar to relaying a sealed envelope.

Your IP address is exposed to the user (in a P2P-like connection). Be mindful that your ISP could also potentially see the WebRTC traffic and the connections being made to it (but not the contents), so be mindful of your threat model.

For most users, it is generally safe to run Snowflake proxies. Theoretically, your ISP will be able to know that there are connections being made there, but to them it will look like you're calling someone on, say, Zoom.

Historically, as far as we know, there haven't been any cases of people getting in legal trouble for running entry relays, middle relays, or bridges. There have been a few cases of people running exit nodes and getting in trouble with law enforcement agencies, but none of them have been arrested or prosecuted as far as I know. If you are aware of any cases, let me know so I can update this post.

Do not hesitate to check Snowflake's official documentation for further reference and to make informed decisions.


How to Set Up a Snowflake Proxy

Option 1: Browser Extension (Brave, Firefox, or Chrome)

  1. Install the Snowflake extension.
  2. Click the Snowflake icon in your browser toolbar and toggle "Enable Snowflake."
  3. Keep the browser open. That’s all.

Note: Brave users can enable Snowflake directly in settings. Navigate to brave://settings/privacy and activate the option under "Privacy and security."


Option 2: Android Devices via Orbot

  1. Download Orbot (Tor’s official Android app).
  2. Open the app’s menu, select "Snowflake Proxy," and toggle it on.
  3. For continuous operation, keep your device charged and connected to Wi-Fi.

Your device will now contribute as a proxy whenever the app is active.


Addressing Common Concerns

  • Battery drain: Negligible. Snowflake consumes fewer resources than typical social media or messaging apps.
  • Data usage: Most users report under 1 GB per month. Adjust data limits in Orbot’s settings or restrict operation to Wi-Fi if necessary.

Why Your Participation Matters

Censorship mechanisms grow more sophisticated every year, but tools like Snowflake empower ordinary users to counteract them. Each proxy strengthens the Tor network’s resilience, making it harder for authoritarian regimes to isolate their populations. By donating a small amount of bandwidth, you provide someone with a critical connection to uncensored information, education, and global dialogue.

Recent surges in demand—particularly in Russia—highlight the urgent need for more proxies. Your contribution, however small, has an impact.

By participating, you become part of a global effort to defend digital rights and counter censorship. Please also be mindful of your threat model and understand the potential risks (though very little for most people). Check Snowflake's official documentation for further reference and don't make any decisions based on this post before taking your time to read through it.

Please share this post to raise awareness. The more proxies, the stronger the network.

– llama


This post contains a canary message that's cryptographically signed by the official BusKill PGP release key

BusKill Canary #009
The BusKill project just published their Warrant Canary #009

For more information about BusKill canaries, see:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Status: All good
Release: 2025-01-14
Period: 2025-01-01 to 2025-06-01
Expiry: 2025-06-30

Statements
==========

The BusKill Team who have digitally signed this file [1]
state the following:

1. The date of issue of this canary is January 14, 2025.

2. The current BusKill Signing Key (2020.07) is

   E0AF FF57 DC00 FBE0 5635  8761 4AE2 1E19 36CE 786A

3. We positively confirm, to the best of our knowledge, that the 
   integrity of our systems are sound: all our infrastructure is in our 
   control, we have not been compromised or suffered a data breach, we 
   have not disclosed any private keys, we have not introduced any 
   backdoors, and we have not been forced to modify our system to allow 
   access or information leakage to a third party in any way.

4. We plan to publish the next of these canary statements before the
   Expiry date listed above. Special note should be taken if no new
   canary is published by that time or if the list of statements changes
   without plausible explanation.

Special announcements
=====================

None.

Disclaimers and notes
=====================

This canary scheme is not infallible. Although signing the 
declaration makes it very difficult for a third party to produce 
arbitrary declarations, it does not prevent them from using force or 
other means, like blackmail or compromising the signers' laptops, to 
coerce us to produce false declarations.

The news feeds quoted below (Proof of freshness) serves to 
demonstrate that this canary could not have been created prior to the 
date stated. It shows that a series of canaries was not created in 
advance.

This declaration is merely a best effort and is provided without any 
guarantee or warranty. It is not legally binding in any way to 
anybody. None of the signers should be ever held legally responsible 
for any of the statements made here.

Proof of freshness
==================

14 Jan 25 01:01:33 UTC

Source: DER SPIEGEL - International (https://www.spiegel.de/international/index.rss)
A Miracle? Pope Francis Helps Transsexual Prostitutes in Rome
Boost for the Right Wing: Why Did a German Newspaper Help Elon Musk Interfere in German Politics?

Source: NYT > World News (https://rss.nytimes.com/services/xml/rss/nyt/World.xml)
What an Upended Mideast Means for Trump and U.S. Gulf Allies
Russia and Ukraine Battle Inside Kursk, With Waves of Tanks, Drones and North Koreans

Source: BBC News - World (https://feeds.bbci.co.uk/news/world/rss.xml)
Gaza ceasefire deal being finalised, Palestinian official tells BBC
Watch: Moment man is saved from burning LA home

Source: Bitcoin Blockchain (https://blockchain.info/q/latesthash)
0000000000000000000042db9e17f012dcd01f3425aa403e29c28c0dc1d16470

Footnotes
=========

[1] https://docs.buskill.in/buskill-app/en/stable/security/pgpkeys.html


To view all past canaries, see:

What is BusKill?

BusKill is a laptop kill-cord. It's a USB cable with a magnetic breakaway that you attach to your body and connect to your computer.

What is BusKill? (Explainer Video)
Watch the BusKill Explainer Video for more info youtube.com/v/qPwyoD_cQR4

If the connection between you to your computer is severed, then your device will lock, shutdown, or shred its encryption keys -- thus keeping your encrypted data safe from thieves that steal your device.
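As an added example (not BusKill's own tooling), the following Python check parses the fields of a canary in the format quoted above and flags the conditions statement 4 warns about (a missing or expired canary), a mismatch against a pinned signing-key fingerprint, and an implausible proof-of-freshness hash; the sample canary text is constructed, and PGP signature verification against the published key is assumed to be done separately with gpg.

```python
import re
from datetime import date

# Constructed sample with only the fields this check reads, laid out like the canary above.
SAMPLE_CANARY = """\
Status: All good
Release: 2025-01-14
Period: 2025-01-01 to 2025-06-01
Expiry: 2025-06-30
   E0AF FF57 DC00 FBE0 5635  8761 4AE2 1E19 36CE 786A
0000000000000000000042db9e17f012dcd01f3425aa403e29c28c0dc1d16470
"""

# Fingerprint from statement 2 of the canary, whitespace removed; pin it out of band.
EXPECTED_FINGERPRINT = "E0AFFF57DC00FBE0563587614AE21E1936CE786A"

def parse_canary(text):
    """Extract the machine-checkable fields from a cleartext canary body."""
    def field(name):
        m = re.search(rf"^{name}:\s*(.+)$", text, re.M)
        return m.group(1).strip() if m else ""
    start, end = field("Period").split(" to ")
    fp = re.search(r"((?:[0-9A-F]{4}\s+){9}[0-9A-F]{4})", text)   # 10 groups of 4 hex digits
    block = re.search(r"^[0-9a-f]{64}$", text, re.M)                # 256-bit block hash
    return {
        "status": field("Status"),
        "release": date.fromisoformat(field("Release")),
        "period": (date.fromisoformat(start), date.fromisoformat(end)),
        "expiry": date.fromisoformat(field("Expiry")),
        "fingerprint": re.sub(r"\s+", "", fp.group(1)) if fp else "",
        "block_hash": block.group(0) if block else "",
    }

def check_canary(c, today_iso, expected_fp=EXPECTED_FINGERPRINT):
    """Return the reasons this canary should not be trusted (empty list if it passes)."""
    today = date.fromisoformat(today_iso)
    problems = []
    if c["status"] != "All good":
        problems.append("status is not 'All good'")
    if c["fingerprint"] != expected_fp:
        problems.append("signing-key fingerprint differs from the pinned one")
    if not c["period"][0] <= c["release"] <= c["period"][1]:
        problems.append("release date falls outside the stated period")
    if today > c["expiry"]:
        problems.append("canary has expired; a newer one should exist")
    # Heuristic only: a genuine Bitcoin block hash carries a long run of leading zeros.
    if not c["block_hash"].startswith("0" * 16):
        problems.append("proof-of-freshness block hash looks implausible")
    return problems
```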


cross-posted from: https://beehaw.org/post/17950455

In the judgment C-416/23, the Austrian Data Protection Authority (DSB) received a slap in the face from the CJEU. The authority has – arbitrarily – set the number of complaints that data subjects can file at a maximum of two per month, even if one is affected by GDPR violations almost daily. The CJEU has now made it clear: as long as you do not file abusive complaints, all users have the right to have any GDPR violation remedied by the DSB. Unfortunately, Data Protection Authorities (DPAs) trying to get rid of complaints isn't just an Austrian problem. Our figures show an EU-wide problem with DPA inactivity.


Archived version

[...]

The inquiry will focus on whether TikTok adequately informs users about its advertising policies and provides them with the opportunity to opt in rather than opt out.

[...]

Concerns have been raised that TikTok, owned by the Chinese company ByteDance, does not fully disclose the details of its terms of service and privacy policy at the time users sign up. Under South Korean law, digital platforms are required to give users the freedom to decide if they wish to receive marketing communications, ensuring that consent is obtained clearly and transparently prior to any such communications being sent.

[...]

The [South Korean media regulator Korea Communications Commission] KCC's probe into TikTok comes amidst a broader global conversation about the responsibilities of social media platforms in protecting user data. As authorities worldwide seek to enforce stricter data protection measures, companies must navigate complex legal landscapes to maintain user trust and compliance.

[...]
