#privacy

Public notes from activescott tagged with #privacy

Thursday, July 16, 2026

Tuesday, July 14, 2026

highly sensitive video of the man’s physical takedown, wasn’t voluntarily released by the SFPD—which, like most US police departments, rarely releases drone videos even in response to public records requests. Instead, it was accidentally livestreamed onto the open internet via Skydio’s website. That’s where two security researchers, Sam Curry and Maik Robert, discovered that the SFPD was leaking all of the real-time footage from five of its surveillance drones, including both color and thermal imaging, accompanying location metadata, and the drone pilots’ names and email addresses, to anyone who merely found the public web address where the videos were hosted.

Skydio, based in nearby San Mateo, is one of the leading American drone companies selling to police departments, fire departments, government agencies, and the military. Its X10 drones are part of SFPD’s drone program, which began in 2024 and is authorized for vehicle pursuits and active criminal investigations. Since then, the program has grown quickly: SFPD’s fleet has expanded from six drones to 98, and officers logged more than 1,400 launches between May 2024 and March 2026, according to a 2025 SFPD annual report and reporting from the San Francisco Chronicle.

the drone videos were exposed not as a result of any error on the part of Skydio, but rather by what seems to be a misuse of Skydio’s software by the SFPD. Skydio allows users to generate shareable links to videos or access to drones’ data streams in real time, known as ReadyLinks, with the ability to limit access to users with an authentication code or an expiration date. Someone with access to the SFPD’s instance of Skydio’s software, however, appears to have created a link last December to five of its drones’ feeds with no authentication requirement and an expiration date of one full year.

That link was then somehow added to an open-source collection of archived web URLs known as AlienVault Open Threat Exchange, typically used by security researchers, where Curry and Robert found it. In other words, the link appeared to have already exposed the drone feeds for six months by that time, with no assurance that Curry and Robert were the only ones who had been watching.

The innocuous appearance of many of the videos raises questions about whether the surveillance was necessary. In one “auto boost/strip”-related call, the drone follows two young men in their car, at least one of whom is described in police records as having been identified as a “suspicious person in a vehicle.” Then the two men emerge onto a basketball court and start playing, and the drone departs.

A drone flight in response to what police records describe as a “person with a gun” investigation seems to fixate on a seemingly intoxicated man stooped on a sidewalk. Another drone, called in response to an alleged “prowler” incident, hovers over a young person wearing headphones and sitting on the roof of a building, zooms in on them, then flies away. “That one felt like an invasion of privacy, just so uncomfortable,” Curry says. “Like this person thinks they’re by themselves on this roof and has gotten away from everybody, and then there's a police drone watching them.”

Curry and Robert say they first became curious about Skydio last month after seeing an announcement from a Florida police department that it was adopting the company’s drone system, and then learning how widely the company’s drones have been deployed across the US. As web-focused security researchers, they decided to check out the company’s systems. In one routine step, they used the tool GetAllURLs, which pulls all archived web addresses for a given domain from sources including AlienVault Open Threat Exchange, requesting all Skydio links.

Friday, June 5, 2026

Allow for network traffic audits Some enterprise or school networks might be required to audit all network traffic by policy, and your network can block access to Private Relay in these cases. The user will be alerted that they need to either disable Private Relay for your network or choose another network. The fastest and most reliable way to alert users is to return either a "no error no answer" response or an NXDOMAIN response from your network’s DNS resolver, preventing DNS resolution for the following hostnames used by Private Relay traffic. Avoid causing DNS resolution timeouts or silently dropping IP packets sent to the Private Relay server, as this can lead to delays on client devices. mask.icloud.com mask-h2.icloud.com

iCloud Private Relay is basically Apple's implementation of oDoH (Oblivious DNS over HTTPS), the idea is you'll be using a proxy server (relay) to avoid the destination (DoH server) knowing who the request is coming from. Would be nice, if the relays would not be managed by Apple, thus not being able to collect the info anyway.

Be aware, by enabling iCloud Private Relay with the above setting, the devices will no longer be using pihole, thus everything will be allowed, regardless of the blocklists you have.

Also read this pihole documentation, here (unbound), where DL6ER explains why unbound is the best choice to get the most out of pihole, from a privacy point of view.

Saturday, April 25, 2026

The findings expose how suspected commercial surveillance vendors (CSVs) exploit the global telecom interconnect ecosystem, leverage private operator networks, and conduct covert location tracking operations that can persist undetected for years.

SIM Card Exploitation: One campaign sent a malicious SMS containing hidden SIM card commands to extract location information, attempting to turn the device into a covert tracking beacon.

Our findings highlight a systemic issue at the core of global telecommunications: operator infrastructure designed to enable seamless international connectivity is being leveraged to support covert surveillance operations that are difficult to monitor, attribute, and regulate. Despite repeated public reporting, this activity continues unabated and without consequence.

These vulnerabilities are not the result of software bugs or network misconfigurations; rather, they are inherent to global telecommunications design and business practices. The mobile ecosystem comprises over a thousand operators interconnected through roaming agreements and signalling protocols that prioritize efficiency, service availability, and revenue opportunity over security. As a result, a shadowy marketplace of state-backed and commercial espionage actors has emerged, developing and deploying software platforms that weaponize telecommunication networks for global surveillance.

he root of the security problem lies in the foundational signalling protocols themselves. Designed for a trusted community of mobile operators and legitimate third-party service providers, SS7 protocols lack the basic security mechanisms of IP networks, such as authentication and validation to verify the source of signalling messages, integrity checks to ensure that data has not been altered, and encryption to protect its contents.

While most commercial threat groups focus on device implants, there is strong demand by government agencies for “off-the-shelf” telecom surveillance services that use mobile networks to locate and track users, and intercept communications without hacking a target’s phone. These services are often brokered through intermediaries with direct or brokered access to mobile operator or provider networks, allowing surveillance traffic to blend into legitimate roaming operations.

Thursday, April 23, 2026

Today we’re releasing OpenAI Privacy Filter, an open-weight model for detecting and redacting personally identifiable information (PII) in text.

It is designed for high-throughput privacy workflows, and is able to perform context-aware detection of PII in unstructured text. It can run locally, which means that PII can be masked or redacted without leaving your machine. It processes long inputs efficiently, making redaction decisions in a quick, single pass.

Sunday, April 19, 2026

President Donald Trump said Congress must extend Section 702 of the Foreign Intelligence Surveillance Act (FISA) even if it means giving up “rights and privileges.” Section 702 allows for the collection of Americans’ data without a warrant.

Republican Congressman Thomas Massie attempted to introduce three amendments to the legislation that would have required law enforcement to obtain a warrant before collecting Americans’ data. His amendments were rejected.  Trump argued that he and Americans should be willing to sacrifice their 4th Amendment right to privacy in exchange for security.

Friday, April 10, 2026

If you use Signal, you actually have an advantage here, now that you know about this vulnerability. Signal has a setting that blocks the content of messages from appearing in their notifications. That way, even if someone accesses your alerts, all they'll see is you received a Signal message—not who sent it or what it contains.

To turn it on, open Signal, tap your profile in the top-left corner, then hit "Settings." Under Notification Content, choose "No Name or Content" to block all data to the alert. You can compromise here and choose "Name Only" if you want to know who a message is from before you open it—just remember, an intruder may also see you received a message from that person if they scrape your iPhone's notifications.

Sunday, April 5, 2026

Microsoft is running one of the largest corporate espionage operations in modern history.

Every time any of LinkedIn’s one billion users visits linkedin.com, hidden code searches their computer for installed software, collects the results, and transmits them to LinkedIn’s servers and to third-party companies including an American-Israeli cybersecurity firm.

The user is never asked. Never told. LinkedIn’s privacy policy does not mention it.

Because LinkedIn knows each user’s real name, employer, and job title, it is not searching anonymous visitors. It is searching identified people at identified companies. Millions of companies. Every day. All over the world. This is illegal and potentially a criminal offense in every jurisdiction we have examined.

LinkedIn loads an invisible tracking element from HUMAN Security (formerly PerimeterX), an American-Israeli cybersecurity firm, zero pixels wide, hidden off-screen, that sets cookies on your browser without your knowledge. A separate fingerprinting script runs from LinkedIn’s own servers. A third script from Google executes silently on every page load. All of it encrypted. None of it disclosed.

Every time you open LinkedIn in a Chrome-based browser, LinkedIn’s JavaScript executes a silent scan of your installed browser extensions. The scan probes for thousands of specific extensions by ID, collects the results, encrypts them, and transmits them to LinkedIn’s servers. The entire process happens in the background. There is no consent dialog, no notification, no mention of it in LinkedIn’s privacy policy.

This page documents exactly how the system works, with line references and code excerpts from LinkedIn’s production JavaScript bundle.

See https://browsergate.eu/how-it-works/

Tuesday, March 31, 2026

A filter composed of several other filters (AdGuard Base filter, Social media filter, Tracking Protection filter, Mobile Ads filter, EasyList and EasyPrivacy) and simplified specifically to be better compatible with DNS-level ad blocking.

The direct link to the filter: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt.

Please note, that to use this filter it is necessary to support basic ad blocking rules syntax. It does not make much sense to extract just the hosts file.

Wednesday, February 25, 2026

The danger here isn’t just about one contract; it’s about the precedent. If the Pentagon successfully bullies Anthropic into submission or replaces it with a more “flexible” competitor, we are effectively witnessing the birth of an intentionally unethical AI.

The Death of Human Agency When AI is integrated into weaponry for “all lawful purposes” without restrictions on autonomy, we invite the Responsibility Gap. If an AI-driven drone swarm misidentifies a target, who is at fault? By removing the “human-in-the-loop” requirement, the military is seeking a weapon that offers the ultimate prize of war: lethality without accountability. Surveillance as a Service Existing U.S. laws were written for wiretaps, not for generative AI that can ingest millions of data points to build predictive profiles. Under an “all lawful purposes” mandate, an LLM could be turned into a digital Panopticon. Anthropic has warned that current laws have not caught up to what AI can do in terms of analyzing open-source intelligence on citizens. The Moral Race to the Bottom If the Pentagon blacklists Anthropic, it sends a clear message to competitors: Safety is a liability. To win government billions, firms will be incentivized to strip away safety layers. Reports already suggest OpenAI, Google, and xAI have shown more “flexibility” regarding the Pentagon’s demands.

The Pentagon’s “supply chain threat” maneuver is a scorched-earth tactic designed to force Silicon Valley to choose between its values and its bottom line.

If Anthropic stands firm, it may lose $200 million in revenue and a seat at the defense table. But if they cave, they may well be providing the operating system for the very “Terminator” future they were founded to prevent. In the world of 2026, the most dangerous threat to the supply chain might just be an AI that has been ordered to stop caring about ethics.

Sunday, January 25, 2026

Sunday, January 4, 2026

Saturday, December 27, 2025

The consequences of getting caught in this expanding digital cage can be dire. In rural China, a family’s home is ringed by security cameras that alert authorities whenever they try to go to Beijing to complain about local officials. Near San Antonio, a driver is stopped as part of a secretive U.S. Border Patrol program that uses license plate readers to monitor millions of drivers and detain those whose travel patterns are deemed suspicious. In Gaza, AI-powered technology helps the Israeli military decide who to kill.

Wednesday, December 3, 2025

State legislation to attempt to protect privacy forthcoming hopefully.

A report last month out of the University of Washington found several local police departments authorized U.S. Border Patrol to use their license plate reader databases. And in other cases, Border Patrol had backdoor access without express permission. In some instances, police conducted searches on behalf of the federal agency. By Worries extend beyond immigration.

Authorities in Texas this year searched thousands of the cameras, as far as Washington state and Illinois, in their search for a woman believed to have had a self-administered abortion.

Tuesday, November 18, 2025

The cities’ move to exempt the records from disclosure was a dangerous attempt to deny transparency and reflects another problem with the massive amount of data that police departments collect through Flock cameras and store on Flock servers: the wiggle room cities seek when public data is hosted on a private company’s server.

If a government agency is conducting mass surveillance, EFF supports individuals’ access to data collected specifically on them, at the very least. And to address legitimate privacy concerns, governments can and should redact personal information in these records while still disclosing information about how the systems work and the data that they capture.

Privacy in general matters because you never know how your data might be used even if you’re a good guy.

On Thursday, a Skagit County Superior Court judge ruled that pictures taken by Flock cameras in the cities of Sedro-Woolley and Stanwood qualify as public records, and therefore must be released as required by the state's Public Records Act, court records show.

Flock's cameras, also called automated license plate readers, continuously and indiscriminately capture time- and location-stamped photos of any passing vehicles. Those images are then stored, and information about the vehicles, including their condition, make, model and license plate number, is added to a searchable database controlled by the customer.

Last week's Skagit County ruling could oblige the dozens of Washington police agencies which use Flock cameras, ostensibly to help them find stolen vehicles, crime suspects and missing people, to release the photos and data they collect — an outcome privacy advocates warned was possible.

The ruling also exacerbated concerns about potential misuse of Flock data, which swelled after University of Washington researchers released a report Oct. 21 showing federal immigration agencies like ICE and Border Patrol had accessed the data of at least 18 Washington cities, often without their police departments' knowing. The report raised concerns that the agencies might be using the data to target and arrest immigrants as part of Trump's immigration crackdown.