u/V3R1F13D0NLY

Live today on Hide & Speak: Shannon Morse aka Snubs on privacy reporting and the AI rollout to actually worry about
▲ 2 r/vpnet

Live today at 4pm ET on Hide & Speak. Shannon Morse (Snubs), 15 years on the privacy and security beat, joins us.

We dig into the VPN trust problem (her 2021 line was that you expect privacy from a VPN because that's the whole point of using one, and we want to know if she still thinks that expectation is reasonable five years later). We work through the AI feature rollout across consumer tech: Microsoft Recall returning in a VBS enclave, Apple Intelligence rolled into setup screens without an opt-out at the same step, Meta AI reading Instagram DMs and WhatsApp messages by default for a lot of users. Which one to actually worry about and which one is mostly overblown.

youtube.com
u/V3R1F13D0NLY — 22 hours ago
▲ 3 r/vpnet

Google launched Android Intrusion Logging on May 12, built with Amnesty and Reporters Without Borders to detect Pegasus-style spyware

This is the first time a major phone vendor has shipped a feature explicitly built to catch Pegasus, and Google developed it alongside the groups that actually do the spyware hunting: the Amnesty International Security Lab and the Reporters Without Borders Digital Security Lab. Amnesty's lab has spent six years documenting NSO Group's targeting of journalists and dissidents, and their forensic work has historically leaned on log files that were never built for intrusion detection. Android has been harder to investigate than iOS, and this is the direct response.

What the feature actually captures:

  • When the phone was unlocked, plus app installs and removals
  • Network connections to websites and servers
  • Whether someone connected over Android Debug Bridge
  • Whether someone tried to delete the logs themselves
  • Logs upload daily to your Google account, encrypted with keys you hold, stored 12 months, and Google cannot decrypt them

The point is shifting evidence from ephemeral to persistent. The old forensic problem was that the data got overwritten and vanished before anyone knew a phone was compromised. Now the record survives, and the user controls it, not the operator. The head of Amnesty's lab described it as a fundamental shift in the forensic data quality available on Android.

The Bad: it is opt-in, Pixel only, requires Advanced Protection mode, and needs a Google account. The logs also include browsing history, which is a deal breaker for many.

Full breakdown / our list of sources: https://s.vp.net/ppvx9

u/V3R1F13D0NLY — 1 day ago
▲ 10 r/vpnet

Canada's Bill C-22 would force service providers to install law-enforcement access into encryption, cloning the UK notice Apple pulled ADP over

Canada's ruling Liberal Party introduced Bill C-22, which would force electronic service providers to install technical capabilities that allow law enforcement access to communications. It's a near-clone of the UK Technical Capability Notice, the same order Apple responded to by pulling Advanced Data Protection rather than weakening it. Meta and 20 civil society groups, including the Center for Democracy and Technology, have asked Canada to withdraw the bill. Apple has held the no-back-door line through San Bernardino, through London, and now through Ottawa.

A few things worth noting:

  • The bill claims to prohibit systemic vulnerabilities but defines the term loosely enough that officials keep discretion to interpret it however they want.
  • It's part of a pattern on roughly a one-year lag: UK in 2025, Sweden walked one back, France rejected one in Parliament, the EU spent three years on Chat Control.
  • Apple's refusal worked in the UK because Apple had the leverage to exit the market. A smaller or differently structured company might not.

Apple's line has held so far, but it depends on every future CEO and every jurisdiction continuing to choose refusal. If a protection only holds because a company keeps deciding to honor it, is that protection or just goodwill with a shelf life?

Full breakdown and source list here: https://s.vp.net/t4bT0

u/V3R1F13D0NLY — 2 days ago
▲ 5 r/vpnet

You can be entered into a fusion center database over a stranger's hunch, with no notice and no appeal

Someone photographs you because they suspect you are doing something criminal. A hunch, nothing more. They file a Suspicious Activity Report, and you end up in a fusion center database. You could just be in the area at the time. This is the machinery "see something, say something" built after 9/11, and you never find out you are in it.

Relevant follow-up: Mike German, the former FBI agent who co-authored the Brennan Center report on fusion center abuse, is doing a full interview on the show May 30th.

Watch the full stream: https://www.youtube.com/watch?v=x6owEbQZ10Q

u/V3R1F13D0NLY — 3 days ago
▲ 4 r/vpnet

Meta removed end-to-end encryption from Instagram DMs on May 8th, 11 days before TAKE IT DOWN Act enforcement began

Meta pulled end-to-end encryption from Instagram DMs on May 8th and cited low adoption as the reason. The TAKE IT DOWN Act enforcement window opened May 19 and requires platforms to scan messages within 48 hours of a removal request. A platform that cannot read DMs cannot comply with that, which makes the timing hard to read as coincidence. The Global Encryption Coalition called the move a betrayal of Zuckerberg's 2019 promise to extend encryption across every Meta app.

If low adoption were really the concern, they would try making it the default. But Zuckerberg's just looking for a way to ditch encryption without looking like the bad guy.

Full breakdown and source list here: https://s.vp.net/QfzHa

u/V3R1F13D0NLY — 3 days ago
▲ 4 r/bmail_official+1 crossposts

bmail: Your Inbox's Best-Kept Bimil (What Does That Word Even Mean?) on LowEndBox

Nice little write-up from Low End Box.

Get the only TRULY private email service today for free at bmail.ag

lowendbox.com
u/V3R1F13D0NLY — 4 days ago
▲ 4 r/bmail_official+1 crossposts

bmail's Fake ID is a second mailbox in your account that even bmail cannot link back to your primary. The unlinkability is mathematical, not policy-based.

The threat model this solves is the one ProtonMail users have hit repeatedly: payment data creates an identity link that survives end-to-end encryption. The encryption protects message bodies. The billing record doesn't. Once a court asks the payment processor who paid for which account, the encryption stops mattering.

bmail's answer is Fake ID. The setup looks like this:

  • Your main account is clean and convenient. You pay with Stripe, it auto-renews, you use it for anything tied to your real identity (kids' school, library, banks, etc.).
  • From inside the paid account you can mint a Fake ID. A second mailbox that has no database link to your primary.
  • The mint happens inside an SGX enclave using Ed25519 Schnorr blind signatures over Ristretto255. The enclave verifies the requester holds a paid account without ever learning which one.
  • The signing service sees a blinded credential it cannot connect to a specific account. The account service sees a credential it cannot connect to a specific payment. Even with full collusion between the payment processor, the signing service, and the account service, the link cannot be recovered. The blinding factors are uniformly random and known only to the client.

A few things worth flagging:

  • Free tier cannot mint Fake IDs. The cryptographic proof of paid status is what makes the unlinkability work, so you need a paid plan.
  • The Fake ID is included with any paid plan. No extra payment, no extra signup, no payment information entered for the Fake ID itself.
  • If you don't log in for 30 days the Fake ID vanishes permanently. No backup, no recovery. That's the design.

The contrast worth talking through: this is "we cannot link them" rather than "we promise not to link them." The math is the guarantee, not the policy.

Full episode here: https://www.youtube.com/watch?v=X0TAd-4eIb8

Written breakdown here: https://s.vp.net/iQi47
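
The blind-signature exchange the bullets above describe, as an added example that is not bmail's code: a textbook Schnorr blind signature with both sides written out, plus a `consistent()` check that shows why the signer's own log cannot single out which session minted which credential. Two assumptions keep it self-contained: a 128-bit safe-prime group mod p stands in for Ristretto255, and the "credential" is a client-chosen token the signer never sees in the clear. `Signer`, `blind`, `unblind`, `issue` and `consistent` are names chosen here, not bmail's API.

```python
"""Added example, not bmail's code: a textbook Schnorr blind signature.
Assumptions: a 128-bit safe-prime group mod p stands in for Ristretto255 so
this runs on the standard library alone; the credential is a client-chosen
token; the signer is assumed to have already authenticated a paid session."""
import hashlib
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases; fine for a demo group."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(bits):
    """Return (p, q) with p = 2q + 1 both prime, scanning up from 2**(bits-1)."""
    q = (1 << (bits - 1)) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q


P, Q = find_safe_prime(128)
G = 4  # a quadratic residue mod P, so it generates the subgroup of prime order Q


def hash_to_scalar(r_prime, message):
    data = r_prime.to_bytes((P.bit_length() + 7) // 8, "big") + message
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


class Signer:
    """The signing service. Per session it logs only (R, c, s)."""

    def __init__(self, x):
        self.x, self._r = x, None

    def commit(self):
        self._r = secrets.randbelow(Q - 1) + 1
        return pow(G, self._r, P)

    def respond(self, c):
        s, self._r = (self._r + c * self.x) % Q, None  # nonce is single-use
        return s


def blind(y, big_r, message):
    """Client: alpha and beta are uniformly random and never leave the client."""
    alpha, beta = secrets.randbelow(Q), secrets.randbelow(Q)
    r_prime = (big_r * pow(G, alpha, P) * pow(y, beta, P)) % P
    c_prime = hash_to_scalar(r_prime, message)
    return (c_prime + beta) % Q, (alpha, c_prime)


def unblind(s, state):
    alpha, c_prime = state
    return c_prime, (s + alpha) % Q


def verify(y, message, sig):
    """Standard Schnorr check: c' == H(g^s' * y^-c', m)."""
    c_prime, s_prime = sig
    r_prime = (pow(G, s_prime, P) * pow(y, (-c_prime) % Q, P)) % P
    return hash_to_scalar(r_prime, message) == c_prime


def issue(signer, y, message):
    """One mint. Returns (the signer's log entry, the client's credential)."""
    big_r = signer.commit()
    c, state = blind(y, big_r, message)
    s = signer.respond(c)
    return (big_r, c, s), unblind(s, state)


def consistent(y, transcript, message, sig):
    """Could this log entry have produced this credential? For honest runs it
    is True for EVERY pairing, so the log cannot single out the session that
    minted a given credential: that is the unlinkability the post refers to."""
    big_r, c, s = transcript
    c_prime, s_prime = sig
    alpha, beta = (s_prime - s) % Q, (c - c_prime) % Q
    r_prime = (big_r * pow(G, alpha, P) * pow(y, beta, P)) % P
    return hash_to_scalar(r_prime, message) == c_prime
```

Run two mints through `issue()` and check every cross pairing with `consistent()`: both log entries explain both credentials equally well, which is the whole point. Two caveats a deployment has to handle that the toy does not: the signer must only answer sessions it has authenticated as paid (that gate is what the blinding decouples from the credential), and plain Schnorr blind signatures are breakable by the ROS attack when an attacker can open many signing sessions concurrently, so real systems cap concurrent sessions or use a variant designed for it.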

u/V3R1F13D0NLY — 4 days ago
▲ 6 r/vpnet

FTC sent 15 tech companies including Apple, Google, Meta, and Discord a letter telling them to start scanning users' messages by May 19

The Take It Down Act enforcement window opens Tuesday, May 19. Any covered platform that receives a removal request for non-consensual intimate imagery or an AI-generated deepfake has 48 hours to take it down and find every identical copy across their systems. Miss the deadline and it counts as a violation of the FTC Act, with a $53,088 civil penalty per violation.

The full list of companies on the FTC's notice: Amazon, Apple, Google, Meta, Microsoft, Snap, TikTok, Discord, Reddit, X, Match Group, Bumble, Pinterest, Automattic, and SmugMug. Much of the private messaging online happens on these platforms.

The law itself does not mention encryption. But it's clearly targeting encryption. If a company doesn't break encryption or switch to client-side scanning, they have no way to comply with a takedown request. The options come down to:

  1. Break end-to-end encryption
  2. Switch to client-side scanning before encryption applies
  3. Accept civil liability and pay the penalties

Meta already moved on the first option for Instagram 11 days before enforcement begins. TikTok went on record saying encryption "complicates" safety and law enforcement work. The others have not said it out loud yet.

The closest precedent is Lavabit in 2013, when Ladar Levison shut the service down rather than hand TLS keys to the FBI to read Edward Snowden's email. That was one company facing a court order. This is 15 companies facing the same demand in advance, in writing, with penalties already attached.

Full breakdown and source list here: https://s.vp.net/NvWuj

Longer video breakdown on YouTube: https://www.youtube.com/watch?v=hhrIcK9cfvo

u/V3R1F13D0NLY — 4 days ago
▲ 10 r/bmail_official+1 crossposts

FBI and NSA say home routers may be hostile after GRU spent two years rewriting DNS on TP-Link devices in 23+ states

GRU Unit 26165 (Fancy Bear) compromised end-of-life TP-Link routers across more than 23 US states. They went broad on the initial compromise, filtered captured DNS queries to find routers belonging to military, government, and critical infrastructure workers, then rewrote DNS for those targets. The victim goes to the Microsoft Outlook website, the router asks the GRU's DNS server, the GRU server hands back a fake address. The fake server terminates TLS, logs the password, reads the email, then forwards the traffic to the real Outlook so the inbox loads normally. No errors. No warning.

Key points:

  • GRU operation ran roughly two years before disruption
  • FBI's Operation Masquerade reset DNS settings on thousands of routers on April 7
  • Most affected routers are still in service
  • The advisory's guidance: replace your router, update firmware, use a VPN

The VPN guidance protects the wire. It does not address what happens at the email provider. If the provider can read your messages, a subpoena, a breach, or a rogue employee leaks them just as effectively as a compromised pipe.

For anyone running an older TP-Link at home: have you checked whether yours is on the EOL list?

Full breakdown and source list: https://s.vp.net/mV9rK

Full video on YouTube: https://www.youtube.com/watch?v=Xe-HTnti0kM
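
A check for the DNS rewrite described above, added here and not taken from the advisory or the post: resolve a name through the resolver your router hands out and through an independent resolver, and flag the case where the two answer sets share nothing. The wire-format helpers use only the standard library so it runs without extra packages; the router and reference addresses in `__main__` are assumptions, and `build_reply()` produces constructed packets only so the parser can be exercised offline.

```python
"""Added example (not from the advisory or the post): compare what the
router's resolver says about a name with an independent resolver's answer.
Assumes the router resolver is at the LAN address you pass in."""
import secrets
import socket
import struct


def build_query(name, qid):
    """Standard DNS query for an A record: header, QNAME labels, QTYPE, QCLASS."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # A, IN


def _skip_name(msg, off):
    """Advance past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_a_records(msg, qid):
    """Return the set of IPv4 answers in a response to our query id."""
    rid, flags, qd, an, _, _ = struct.unpack_from("!HHHHHH", msg, 0)
    if rid != qid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    if flags & 0x000F:  # RCODE != 0 (NXDOMAIN, SERVFAIL, ...)
        return set()
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    answers = set()
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return answers


def build_reply(qid, name, ips):
    """Constructed answer packet, used only to exercise the parser offline."""
    question = build_query(name, qid)[12:]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, len(ips), 0, 0)
    rrs = b"".join(b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
                   for ip in ips)
    return header + question + rrs


def udp_query(name, server, timeout=3.0):
    """Live lookup over UDP/53 against one specific resolver."""
    qid = secrets.randbelow(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, qid)


def check_hijack(name, local_resolver, reference_resolver, query=udp_query):
    """Flag a name whose local answer shares nothing with the reference answer."""
    local, reference = query(name, local_resolver), query(name, reference_resolver)
    return {"name": name, "local": local, "reference": reference,
            "suspicious": bool(local) and local.isdisjoint(reference)}


if __name__ == "__main__":
    # Assumed addresses: the router's resolver on the LAN and a public resolver.
    for n in ("outlook.office.com", "login.microsoftonline.com"):
        print(check_hijack(n, "192.168.0.1", "9.9.9.9"))
```

A disjoint answer set is a screening signal, not proof: CDN-fronted names legitimately answer differently depending on which resolver asks. Confirm by connecting to the address the router's resolver returned and inspecting the certificate chain it presents for the name; a rewrite to an attacker host is visible there even when the page loads without errors.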

u/V3R1F13D0NLY — 5 days ago
▲ 8 r/bmail_official+1 crossposts

bmail comes from bimil, the Korean word for secret. The architecture is several categories ahead of every other encrypted email provider.

The name is bmail. It comes from bimil, the Korean word for secret. Secret mail. The branding is intentional and the architecture lives up to it.

This week on Hide & Speak we got into what was actually built after a long and complicated process. Not one or two privacy upgrades stacked on top of incumbent architecture. A full rebuild from the hardware up.

The key pieces:

  • TLS terminates inside an Intel SGX enclave. Inbound SMTP never hits operator-readable memory, which closes the plaintext gap every other "encrypted" provider still has.
  • OPAQUE password authentication (RFC 9807). The server never sees the password. Not at registration, not at login, not as a hash. A full compromise of the auth infrastructure exposes zero passwords.
  • Hybrid X25519 + ML-KEM-768 on every message. Post-quantum hybrid, NIST FIPS 203. Both have to break before your mail does.
  • Remote attestation. Any user can cryptographically verify the running code matches the published source. The privacy guarantee is verifiable, not promised.
  • Fake ID. An unlinkable secondary mailbox minted from a paid subscription via SGX-attested blind signatures. Even bmail cannot link it to your primary account.
  • Key Transparency. All public keys published in an append-only Merkle tree, so unauthorized key substitution gets caught.
  • BIP-39 recovery. No real name, no phone, no recovery email. The account collects no PII.

Any one of these would be a meaningful step over the incumbents. Together it's a different category of product.

Proof > Promises. Don't Trust. Verify.

Get started for free at https://bmail.ag/

Full episode here: https://www.youtube.com/watch?v=X0TAd-4eIb8

Written breakdown here: https://s.vp.net/iQi47

u/V3R1F13D0NLY — 8 days ago
▲ 4 r/bmail_official+1 crossposts

What "private email" should actually mean, and why none of the other email providers are actually private.

Most "private email" providers stop at encrypting messages at rest. That's useful but it leaves a gap: when mail arrives from Gmail or Outlook, it lands on the provider's server as plaintext SMTP before getting encrypted for storage. That window is where every public failure has happened.

ProtonMail logging an activist's IP.

Lavabit's master keys.

Tutanota being ordered to read incoming mail before delivery.

The encryption wasn't the weak link. The infrastructure around it was.

bmail closes that gap by running inbound SMTP inside an Intel SGX enclave. A few things follow from that:

  • The TLS connection from the sending server terminates inside the enclave, not in front of it
  • The decrypted message exists only in hardware-isolated memory that operators can't read
  • The running code has a cryptographic measurement (MRENCLAVE) that anyone can verify against the published source
  • If we got compelled to add logging, the measurement would change, and that change is publicly observable.

If "private" means "we encrypt your emails most of the time," then "private" isn't good enough.

You need "private AF."

You need bmail.

Get started free at https://bmail.ag

u/V3R1F13D0NLY — 8 days ago
▲ 2 r/bmail_official+1 crossposts

The bar for email privacy has been set so low that ants use it to limbo.

Every major "encrypted" email provider asks you to trust them not to read your mail. That's the whole offer. Encryption at rest is real, but the architecture leaves a plaintext gap when inbound SMTP arrives, the server sees passwords during login, and IPs get logged the minute a court asks. The encryption works exactly as advertised. The trust assumptions around it don't.

bmail moved the bar by removing the trust assumptions instead of just promising to honor them:

  • TLS terminates inside an Intel SGX enclave. Inbound email is never processed in operator-readable memory.
  • OPAQUE password authentication means the server literally never sees the password. Not at registration, not at login, not as a hash.
  • The IP gets stripped before any backend service sees the request. Adding a logger would change the enclave's cryptographic measurement, and attestation would catch it.
  • Hybrid X25519 + ML-KEM-768 on every message, so harvest-now-decrypt-later attacks fail in both the classical and post-quantum case.
  • The whole thing is verifiable. Anyone can check the running code against the published source.

Full episode here: https://www.youtube.com/watch?v=X0TAd-4eIb8

Written breakdown here: https://s.vp.net/iQi47

u/V3R1F13D0NLY — 8 days ago
▲ 178 r/vpnet+4 crossposts

California fines GM $12.75M for selling driving data of hundreds of thousands of drivers to LexisNexis and Verisk. Largest CCPA penalty on record.

The California Attorney General announced this week that GM agreed to a $12.75 million settlement over a four-year practice (2020 to 2024) of selling names, contact information, precise geolocation, and driving behavior of hundreds of thousands of California drivers to two data brokers: Verisk Analytics and LexisNexis Risk Solutions. The brokers built a driver-rating product out of the data and sold it to auto insurers, who then used it to raise premiums for drivers in states where that's legal. Nationwide, GM made roughly $20 billion off this category of data sharing.

A few details worth knowing:

  • California drivers weren't hit with rate hikes because state law blocks insurers from using driving data to set premiums. Drivers in other states paid for it.
  • GM has 180 days to delete the data, request the same of the brokers, and stay out of the consumer reporting agency business for five years.
  • This is the 8th CCPA enforcement action under AG Bonta and the first one to use the 2023 data minimization rule.

The brokers themselves haven't been named in any enforcement action, only the source of the data. Should the brokers be on the hook too, or is GM the right pressure point when the data originated with them?

Full breakdown with all source links here: https://s.vp.net/6nTTy

u/V3R1F13D0NLY — 8 days ago
▲ 13 r/vpnet

Ex-FBI agent Mike German is our Hide & Speak Hero of the Week

Mike German spent 16 years as a decorated FBI special agent working deep undercover inside domestic terrorist groups. In 2002 he caught colleagues running an illegal wiretap and altering records on a counterterrorism case in Florida. He reported it up the chain, got ignored, escalated to the Inspector General and Congress. The Bureau retaliated and he walked in 2004. A later DOJ investigation substantiated everything.

He's now a fellow at the Brennan Center and co-authored "Ending Fusion Center Abuses" in 2022. Six weeks ago California voted to audit three of its fusion centers and cited his findings. He testified before the committee that ordered it.

Watch the full livestream: https://www.youtube.com/watch?v=x6owEbQZ10Q

Read the breakdown: https://s.vp.net/zVjjH

u/V3R1F13D0NLY — 9 days ago
▲ 1 r/vpnet

Dyson launches Find+Follow Purifier Cool with camera

They laughed when we said they would put AI-enabled cameras in everything.

Well, here we are.

Buying an air purifier with an AI-powered camera is wild. Are we really so lazy that we can't turn it on ourselves with a remote control? 🤦‍♂️

letsdatascience.com
u/V3R1F13D0NLY — 9 days ago
▲ 1 r/bmail_official+1 crossposts

Trust isn't a guarantee of privacy. It's the absence of one.

Trust is not a guarantee of privacy. It's the absence of one.

Every VPN, every encrypted email service, every "we don't log" pitch eventually boils down to: "trust me bro."

If your privacy is "protected" by a sentence on a website that can be deleted... you aren't really protected.

vp.net is the ONLY VPN that made it impossible to log & you can verify it yourself. We run WireGuard inside Intel SGX enclaves, in CPU-encrypted memory that even we cannot access.

Our no-logs policy isn't "we won't." It's "we can't." And that is a HUGE difference when faced with a subpoena. "Won't" doesn't hold up in court. "Can't" does.

We don't want your trust. We want you to verify your privacy for yourself. Trust isn't enough in 2026.

Get the ONLY verifiable zero-trust VPN at https://vp.net

u/V3R1F13D0NLY — 9 days ago
▲ 1 r/vpnet

The Hated One Returns: Inside Palantir's Surveillance Empire | Hide & Speak livestream, Saturday 5/16 @ 4pm ET

This is going to be good!!!! The Hated One is coming back on Hide & Speak to dig into Palantir's creepy surveillance empire.

Live Saturday May 16 at 4pm ET on Hide & Speak we're going deep on Palantir's federal contract empire with returning guest The Hated One. He produces some of the most rigorously sourced privacy and surveillance content on YouTube, and his last appearance on the show drew the largest live audience in our history.

Click through and set a reminder: https://www.youtube.com/live/u2iZuSsnJYk

🔥 KEY TOPICS IN THIS EPISODE

  • The Tipping Point: How The Hated One moved from "this is bad" to where his Palantir analysis lands today, and the specific evidence that got him there.
  • Karp's Distinction, In Practice: Why the difference between "building surveillance" and "storing surveillance data" collapses once you look at how Foundry actually operates.
  • Executive Order 14243: What "unfettered access" to unclassified federal records actually looks like once the lawyers stop reading and the engineers start building.
  • Foundry Across the Government: DHS, HHS, FDA, CDC, NIH, and the IRS, and which deployment is the most alarming once you understand the data flows.
  • ImmigrationOS and ELITE: How ICE's deportation targeting pipeline reportedly pulls from HHS data, and what "near real-time visibility into self-deportation" is actually for.
  • The Worldview Shipping the Product: Karp's "Technological Republic" thesis, Peter Thiel's Antichrist lectures, and Stephen Miller's six-figure Palantir stake.
  • Crypto Under the New Regime: Whether Monero, Bitcoin, and Zcash recommendations hold up now that Palantir's tools reportedly extend into IRS cryptocurrency transaction analysis.
  • Going After the Contractor: Whether divestment campaigns like Purge Palantir get further than going after the law that hired them.

The hook for this one is Executive Order 14243, signed March 2025, which authorized federal officials to take "unfettered access" to unclassified records across agencies. The New York Times has reported on a government-wide master list. Palantir denies it. ICE has been a Palantir customer through four consecutive administrations. Q3 2025 federal revenue up 52% year over year.

We're going through the executive order, the contract trail, ImmigrationOS, and what divestment campaigns like Purge Palantir actually accomplish.

Click through and set a reminder: https://www.youtube.com/live/u2iZuSsnJYk

youtube.com
u/V3R1F13D0NLY — 9 days ago
▲ 8 r/bmail_official+1 crossposts

Proton's no-IP-logging policy was one line on their website. The Swiss courts asked them to log a French activist. They deleted the line.

The 2021 Proton case is the best example of why policy-based privacy (aka "trust me bro") fails under pressure.

Proton Mail promised not to log IP addresses. But that promise existed as editable text on a website. When a court order arrived demanding they log a user's IP address, they simply deleted that line of text. The logging got turned on, and a climate activist got arrested. The login metadata wasn't protected by encryption at all, just by a sentence Proton could change at any time.

This week on Hide & Speak the conversation gets into the architectural difference that makes this scenario unrepeatable on bmail:

  • TLS terminates inside an Intel SGX enclave, not in front of it
  • The client IP exists only in enclave memory during request processing
  • The IP is stripped before any backend service sees the request
  • Adding a logger would change the enclave's MRENCLAVE measurement, which anyone running attestation would catch immediately
  • The response to an FBI request to start logging isn't "we'll update our policy," it's "we can't, and you can verify that we can't"

The contrast that's worth talking through: Proton's encryption was fine, the failure was architectural. The metadata was protected by a promise instead of by the hardware.

If you are "protected" by a line of text that can be deleted at any time without even telling you... then are you really protected?

Full episode here: https://www.youtube.com/watch?v=X0TAd-4eIb8

Written breakdown here: https://s.vp.net/iQi47

Get the only TRULY private email for free: https://bmail.ag
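
The MRENCLAVE check that this post and the earlier "what private email should actually mean" post describe, as an added example that is not bmail's verifier: the client-side policy applied to the report body inside an SGX quote. Field offsets are those of `sgx_report_body_t` in the SGX SDK and the quote v3 header length from DCAP. Everything else is an assumption for the demo: the quotes are constructed with `make_quote()` rather than produced by a quoting enclave, the quote's ECDSA signature and TCB status (which a real client verifies first with a DCAP quote verification library) are skipped, and the "image" bytes with their SHA-256 stand in for a reproducible build and its real MRENCLAVE.

```python
"""Added example, not bmail's verifier: the policy half of remote attestation.
Assumptions: constructed quotes, no signature/TCB verification, and a SHA-256
of a byte string standing in for a reproducible build's MRENCLAVE."""
import hashlib
import struct

QUOTE_HEADER_LEN = 48    # DCAP quote v3 header precedes the report body
REPORT_BODY_LEN = 384    # sizeof(sgx_report_body_t)
# field offsets inside sgx_report_body_t
OFF_ATTRIBUTES, OFF_MRENCLAVE, OFF_MRSIGNER = 48, 64, 128
OFF_ISVPRODID, OFF_REPORTDATA = 256, 320
SGX_FLAGS_INITTED, SGX_FLAGS_DEBUG = 0x1, 0x2


def measure(image):
    """Stand-in for a build's MRENCLAVE (really a hash over the loaded pages)."""
    return hashlib.sha256(image).digest()


def make_quote(mrenclave, report_data, isv_svn=1, debug=False):
    """Constructed quote: zeroed header, filled report body, empty signature."""
    body = bytearray(REPORT_BODY_LEN)
    flags = SGX_FLAGS_INITTED | (SGX_FLAGS_DEBUG if debug else 0)
    struct.pack_into("<Q", body, OFF_ATTRIBUTES, flags)
    body[OFF_MRENCLAVE:OFF_MRENCLAVE + 32] = mrenclave
    body[OFF_MRSIGNER:OFF_MRSIGNER + 32] = b"\x11" * 32
    struct.pack_into("<HH", body, OFF_ISVPRODID, 1, isv_svn)
    body[OFF_REPORTDATA:OFF_REPORTDATA + 64] = report_data.ljust(64, b"\x00")
    return bytes(QUOTE_HEADER_LEN) + bytes(body) + b"\x00" * 4


def parse_report_body(quote):
    if len(quote) < QUOTE_HEADER_LEN + REPORT_BODY_LEN:
        raise ValueError("quote too short")
    body = quote[QUOTE_HEADER_LEN:QUOTE_HEADER_LEN + REPORT_BODY_LEN]
    (flags,) = struct.unpack_from("<Q", body, OFF_ATTRIBUTES)
    prod_id, svn = struct.unpack_from("<HH", body, OFF_ISVPRODID)
    return {
        "debug": bool(flags & SGX_FLAGS_DEBUG),
        "mrenclave": body[OFF_MRENCLAVE:OFF_MRENCLAVE + 32],
        "mrsigner": body[OFF_MRSIGNER:OFF_MRSIGNER + 32],
        "isv_prod_id": prod_id,
        "isv_svn": svn,
        "report_data": body[OFF_REPORTDATA:OFF_REPORTDATA + 64],
    }


def check_policy(quote, allowed_mrenclaves, tls_pubkey, min_isv_svn=1):
    """Return the reasons to refuse this enclave; an empty list means accept."""
    rb = parse_report_body(quote)
    problems = []
    if rb["debug"]:
        problems.append("DEBUG attribute set: enclave memory is inspectable by the host")
    if rb["mrenclave"] not in allowed_mrenclaves:
        problems.append("MRENCLAVE %s matches no published build" % rb["mrenclave"].hex()[:16])
    if rb["isv_svn"] < min_isv_svn:
        problems.append("ISVSVN %d below minimum %d" % (rb["isv_svn"], min_isv_svn))
    # RA-TLS convention: report_data carries SHA-256 of the key this TLS session
    # used, so the quote speaks for THIS connection, not some other enclave.
    if rb["report_data"][:32] != hashlib.sha256(tls_pubkey).digest():
        problems.append("report_data does not bind the TLS key presented")
    return problems


# Constructed stand-ins for "the published source" and "the same build plus a logger".
PUBLISHED_IMAGE = b"smtp-enclave v1: tls-terminate, decrypt, store"
LOGGING_IMAGE = PUBLISHED_IMAGE + b", log client ip"
ALLOWED = {measure(PUBLISHED_IMAGE)}
TLS_PUBKEY = b"\x04" + b"\x42" * 64  # placeholder for the server's session key bytes


def verify_connection(image, attested_key=TLS_PUBKEY, presented_key=None, debug=False):
    """What a client decides for an enclave built from `image` that attested
    `attested_key` while the TLS handshake presented `presented_key`."""
    presented_key = attested_key if presented_key is None else presented_key
    quote = make_quote(measure(image), hashlib.sha256(attested_key).digest(), debug=debug)
    return check_policy(quote, ALLOWED, presented_key)
```

`verify_connection(PUBLISHED_IMAGE)` returns no problems; `verify_connection(LOGGING_IMAGE)` fails on MRENCLAVE, which is the "adding a logger changes the measurement" claim made concrete. The other two checks matter just as much in practice: a DEBUG-attribute enclave can be read by the host regardless of its measurement, and without the report_data binding a valid quote from one enclave instance could be replayed in front of a different server.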

u/V3R1F13D0NLY — 9 days ago
▲ 2 r/bmail_official+1 crossposts

Your email provider is lying to you about encryption. Not in a legal sense. In a physics sense.

"Encrypted email" almost always means encrypted at rest, your messages sit on disk in a locked box. But the moment you search your inbox, sort by sender, or open a thread, the server decrypts that data into live memory to process your request. In that window your data is visible. Readable. Copyable. By anyone with access to server memory: a rogue employee, a government with a warrant, or an attacker who found a way in.

That is the Glass Box. It looks secure from the outside. It is transparent at the moments that matter most.

bmail processes every message inside an Intel SGX enclave — a physically isolated region of the CPU whose contents are encrypted by the processor itself, not by software that can be bypassed. The host operating system cannot read it. Our engineers cannot read it. A hacker with full root access to the server cannot read it.

That is the Black Box. The processing happens. The content never leaves the sealed space.

Get started free at https://bmail.ag

u/V3R1F13D0NLY — 9 days ago
▲ 1 r/vpnet+1 crossposts

Iran's internet use below 1% of normal. The IRGC's solution: sell access back. 28 million toman just to activate.

Cloudflare Radar has Iranian internet traffic at under 1% of pre-war levels since the February 28th blackout. CNN is now reporting that pre-approved Iranians can buy a tier called "Internet Pro" through MCI, a carrier linked to the IRGC.

The pricing breakdown from CNN and Iran International:

  • 50 GB per year: 2 million toman
  • Activation fee: 28 million toman
  • Average monthly wage in Iran: 20 to 35 million toman
  • Black market VPN: roughly half a day's wages per 2 GB

Human rights activists inside Iran estimate the blackout has cost the economy $1.8 billion in two months. The math suggests this isn't accidental damage. It's a system where access becomes a loyalty reward and the price filter does the political work.

Shutting off the internet is evil, but then selling it back to people at a price the average citizen can't afford is just diabolical.

Full breakdown and source list here: https://s.vp.net/r9b8X

u/V3R1F13D0NLY — 9 days ago