u/officialexaking

▲ 62 r/xprivo

Telegram is not a secure messaging app. Researchers just found it leaks a permanent tracking ID over the network, even if you use a VPN. Here is what that actually means and the paper.

Most people who use Telegram for "privacy" are under a false assumption. Telegram's default chats are not end-to-end encrypted. That is well known at this point. But a newly published security research paper has found a problem that goes even deeper than message encryption, and it affects every Telegram user regardless of whether they use Secret Chats or not.

I'll try to keep it short: Every time you use Telegram, your app sends a unique identifier over the network called an auth_key_id. Think of it like a name tag your phone wears every time it connects to Telegram. The problem is that Telegram sends this name tag in plain text, not encrypted, so anyone watching the network traffic between you and Telegram's servers can see it. That includes your internet provider, your mobile carrier, the WiFi network at your hotel or coffee shop, and any government surveillance system sitting on the network path between you and the server.
This identifier does not change when you restart the app, switch networks, change your IP address, or turn on a VPN. It stays the same for a long time. That makes it a stable, long-lived fingerprint for your device.

This is also important to know even if you have 'nothing to hide':
Imagine a journalist who uses Telegram from home, from their office, from hotel WiFi at a conference, and from a cafe. Each of those networks can see the same identifier in the traffic. Now imagine that journalist checks into a hotel under their real name and connects to the hotel WiFi. That hotel's network sees the auth_key_id. If any authority, ISP, or surveillance system has been collecting logs from other networks that saw the same identifier over the past several months, those old logs just became searchable. Every network that saw that identifier is now potentially linkable to a real person.
The attack does not require breaking any encryption. It does not require access to Telegram's servers. It does not require hacking anything. It only requires passively watching network traffic, something that network operators do as a matter of routine.

Most security vulnerabilities require something to go actively wrong. Someone has to exploit something. This one is passive. The tracking is already happening on every network your phone connects to, whether or not anyone is actively trying to track you today. The value of the data only becomes apparent retroactively, when someone with access to old network logs wants to answer the question: who was using Telegram from this location six months ago?
That is exactly the kind of threat model that matters most for activists, journalists, lawyers, whistleblowers, and anyone else who uses Telegram because they think it protects them.

Telegram actually had a straightforward fix available?!
The researchers note that this entire problem is solvable. Telegram could simply encrypt all connections by default, with no unencrypted fallback allowed. Signal does this. WhatsApp does this. Most modern messaging apps do this. It is not a technically difficult problem. Telegram chose not to do it. That is not an oversight. That is a design decision.

An alternative that we've not yet presented in this group is Briar: it works over Tor by default, is designed specifically for high-risk environments, and has no central server at all. Only available on the Play Store and F-Droid though.

Telegram is fine for public channels and group chats where you have no expectation of privacy. It is not fine as a tool for secure communication. The paper linked below is technical but the conclusion is not: if your safety depends on Telegram, rethink your setup.

Source: symbolic.software/pdf/gnmx-01.pdf
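To make the "searchable old logs" point concrete, here is an added example (not code from the linked paper, from Telegram, or from the post author) of what a passive observer can do with the identifier. It assumes the observer has already stripped the TCP transport framing and is looking at the MTProto payload, whose encrypted-message layout begins with the 8-byte auth_key_id followed by the 16-byte msg_key; a zero auth_key_id marks an unencrypted key-exchange message rather than a session. Every capture record, IP address and key id below is constructed for the example, and the network names are hypothetical.

```python
"""Added example: index MTProto traffic by the plaintext auth_key_id and link one
device across networks and IP addresses. All captures below are constructed."""
import hashlib
import struct
from collections import defaultdict

MIN_ENCRYPTED_LEN = 24  # 8-byte auth_key_id + 16-byte msg_key, before any ciphertext


def extract_auth_key_id(payload: bytes):
    """Return the auth_key_id (read here as an unsigned little-endian 64-bit value)
    that leads an MTProto encrypted message, or None for a payload that is too
    short or that is an unencrypted key-exchange message (auth_key_id == 0)."""
    if len(payload) < MIN_ENCRYPTED_LEN:
        return None
    (key_id,) = struct.unpack_from("<Q", payload, 0)
    return key_id or None


def constructed_payload(auth_key_id: int, seed: str) -> bytes:
    """Build a constructed MTProto-shaped payload: a real key-id header, then
    filler bytes derived from `seed` standing in for msg_key and ciphertext.
    This is sample input for the example, not captured traffic."""
    filler = hashlib.sha256(seed.encode()).digest()
    return struct.pack("<Q", auth_key_id) + filler[:16] + filler[16:]


# Hypothetical long-lived auth key ids of two devices (assumption, not real values).
DEVICE_A = 0x1BADB002DEADBEEF
DEVICE_B = 0x00C0FFEE12345678

# Constructed capture records from several vantage points: (network, client_ip, payload).
CAPTURES = [
    ("home_isp",      "203.0.113.10", constructed_payload(DEVICE_A, "a1")),
    ("office_wifi",   "198.51.100.7", constructed_payload(DEVICE_A, "a2")),
    ("office_wifi",   "198.51.100.9", constructed_payload(DEVICE_B, "b1")),
    ("hotel_wifi",    "192.0.2.44",   constructed_payload(DEVICE_A, "a3")),
    ("hotel_wifi",    "192.0.2.44",   constructed_payload(0, "kx")),        # key exchange: no session id
    ("cafe_vpn_exit", "192.0.2.200",  constructed_payload(DEVICE_A, "a4")),  # behind a VPN: new IP, same id
]


def build_index(captures):
    """Map auth_key_id -> sorted list of (network, client_ip) where it was seen.
    Records without a usable key id (short or key-exchange) are skipped."""
    index = defaultdict(set)
    for network, ip, payload in captures:
        key_id = extract_auth_key_id(payload)
        if key_id is not None:
            index[key_id].add((network, ip))
    return {k: sorted(v) for k, v in index.items()}


def linked_networks(index, key_id):
    """All networks on which one device's auth_key_id was observed."""
    return sorted({net for net, _ip in index.get(key_id, [])})


if __name__ == "__main__":
    idx = build_index(CAPTURES)
    for key_id, places in idx.items():
        print(f"auth_key_id {key_id:016x} seen at {len(places)} network/IP pairs: {places}")
```

The index answers exactly the retroactive question from the post: once the hotel's log ties DEVICE_A to a named guest, every other network in the index that saw the same auth_key_id, including the VPN-exit record with a completely different IP, is linked to that person. Changing IP address does nothing here because the lookup key is never the IP.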

u/officialexaking — 6 hours ago
▲ 130 r/xprivo

Google Search as you know it is finally dead. After 28 years of blue links, they are going to gradually replace it with an AI summary that is frequently wrong and biased. Here is a European alternative that defaults to classic search.

For 28 years Google Search worked the same way. You typed something. You got a list of links. You clicked one. You read it. You formed your own opinion. That is over. (source at the end)

Google announced at its most recent developer event I/O that the familiar blue link results are being pushed out in favour of an "intelligent search box" as the centrepiece of a full pivot to AI-powered experiences. The box expands for longer queries, autocomplete suggestions become full AI-written responses, and this summer Google plans to launch "information agents" that monitor sites and alert you to changes without you asking. The traditional results page, the one that let you evaluate sources yourself and click through to read original reporting, is being demoted into a secondary fallback that fewer and fewer users will ever see.

Google's AI Overviews, the summarised answers sitting above all other results, have been demonstrably and repeatedly wrong. They have told users to put glue in pizza sauce, cited sources that do not exist, and confidently summarised the opposite of what the linked article actually says. None of that stopped Google from expanding the feature globally and now making it the default front-end for every search.

The core issue is not that the AI makes mistakes. Every AI makes mistakes. The core issue is that when a wrong AI answer sits at the top of the page in a confident, well-formatted summary box, most users stop there. They never click through. They never read the original source. They never catch the error. The entire value of the open web, competing sources you can evaluate against each other, is being replaced by one corporate AI deciding what the answer is.

That is not a search engine. That is an editorial filter with a chat interface.

The bias problem is actually structural and not accidental...
An AI trained on data curated by a corporation with a $300 billion advertising business does not produce neutral results. It produces results that reflect the priorities, partnerships and legal risk tolerance of that corporation. When Google's AI decides which sources to summarise, which perspectives to include, and which framing to use, that is not intelligence. That is influence at scale. Most users will never notice because the output looks confident, fluent and authoritative.

People overwhelmingly say they want to search through links and read sources themselves. The shift to AI-first search was not a response to user demand. It is a business decision made because AI answers keep users inside Google's own interface, reduce traffic to independent publishers, and deepen dependency on Google's own ecosystem.

A European alternative that never does any of this: xPrivo Search
xPrivo Search is a 100% European, fully data-sovereign search engine built on a completely independent search index. It does not rent its index from Google, Bing or any US-controlled infrastructure. It runs entirely within the EU, your queries never touch a US server, and your IP address and search history are never logged.

Most importantly: it defaults to classic search. Always. You get links. You click them. You read. You decide. No AI summary sitting between you and the source. No corporate algorithm deciding which perspective to surface. No targeting, no profiling, no "intelligent" rewriting of what the web actually says.

Key differences:
Fully independent European index: not a reskin of Bing or Google results, which is what most "privacy" search engines actually are

Zero tracking: no IP logging, no search history, no metadata leakage, no ad targeting

Classic search by default: unfiltered, unranked by AI bias, links to real sources

You are not the product: no advertising ecosystem built around your behaviour, only random ads, or go PRO for an ad-free experience

The web was built on the idea that information should be accessible, linkable and verifiable. Google spent 25 years benefiting from that architecture and is now systematically dismantling it in favour of a closed AI layer that only they control. An independent European search engine that gives you links and respects your privacy is not a downgrade. It is what search was always supposed to be.
Try it at www.xprivo.com/search

Sources:
View our full blog post: https://www.xprivo.com/blog/en/google-search-dead-european-alternative/

Google search is over: https://techcrunch.com/2026/05/19/google-search-as-you-know-it-is-over/

u/officialexaking — 2 days ago
▲ 82 r/xprivo

🚨 GitHub is investigating a breach of internal repositories while a supply-chain worm keeps spreading through the developer ecosystem. Here are the self-hosted alternatives

GitHub says it is investigating unauthorized access to its internal repositories after the threat actor TeamPCP allegedly put source code and internal organizations up for sale, with the claim involving roughly 4,000+ repositories. At the same time, the same threat cluster is being linked to a fast-moving supply-chain worm affecting Python packages, including a compromised Microsoft package that could steal cloud credentials, password vaults, SSH keys, Docker secrets, VPN configs and shell history from Linux machines.

This says a lot about concentration risk. When the same platform is both the source code host and a central point of trust for package publishing, secrets management, CI integrations and developer identity, one compromise can cascade into many others. That is exactly the sort of single-point failure that open source infrastructure was supposed to reduce, not amplify.

For people looking for alternatives, Codeberg is the most obvious self-hosted European answer. It is based in Germany, run by a non-profit, and built around Forgejo, the open source Git hosting platform derived from Gitea. That matters because your code, issues and collaboration data are governed under European jurisdiction rather than US cloud control, with a stronger fit for GDPR-aligned workflows and less exposure to US legal compulsion.

If you need more control, self-hosted GitLab is the more flexible option. You can run it on your own infrastructure, keep repositories and CI inside your own trust boundary, and avoid dependency on a US-owned public SaaS platform for sensitive projects. For teams that care about sovereignty, that is often the better answer than hoping a third-party platform stays secure forever.

The broader lesson is simple: the developer stack is now part of the attack surface. If your code, secrets and deployment pipeline all live inside one corporate ecosystem, one breach can become a supply-chain incident very quickly. Europe already has viable alternatives, and this is exactly the kind of week that reminds people why they matter.

u/officialexaking — 3 days ago
▲ 220 r/xprivo

European governments are forcing officials off WhatsApp and Signal. Some already have their own messengers. The European Commission is switching by end of 2026. Here is what they are moving to and what the Wire (Swiss/German) messenger is

European countries like France, Germany, Poland, the Netherlands, Luxembourg and Belgium are all actively phasing out WhatsApp and Signal for government use, replacing them with in-house messaging systems that operate under their own jurisdictions according to Politico. NATO already runs its own dedicated messenger. The European Commission has announced it will complete its own transition before the end of 2026.

The reason is not that WhatsApp or Signal are insecure at the encryption layer. The reason is that encryption alone is not sufficient when the infrastructure surrounding it is controlled by US companies operating under US law. WhatsApp is Meta. Signal is a US-based nonprofit. Both are subject to US court orders, US national security requests and US data jurisdiction. For governments sharing sensitive but unclassified information between ministers and civil servants, the question of who controls the servers, the metadata, the access rules and the audit logs matters as much as the encryption.

Recent events accelerated the urgency. The Russian phishing campaign that compromised Signal accounts of over 300 German politicians, including Bundestag speaker Julia Klöckner, demonstrated exactly how consumer-grade apps fail in adversarial state-level environments. The US administration's use of Signal for sensitive military planning, exposed when a journalist was accidentally added to a group chat discussing Yemen strikes, showed the same structural problem from a different angle. These apps are excellent tools for private individuals. They were never built for the specific requirements of government communications infrastructure.

Each country has taken a slightly different approach. Belgium launched BEAM, developed by Belgian Secure Communications, now being used by Prime Minister Bart De Wever and the full federal government for sensitive but unclassified communications. Germany is using Wire, which already runs for tens of thousands of German federal government employees and meets BSI standards. In addition Germany uses BundesMessenger (a secure, open-source solution based on Element/Matrix) for secure, classified, and data-sovereign communications. Luxembourg uses Luxchat4Gov built on the Matrix open-source standard as its official, secure instant messaging platform. France, Poland and the Netherlands are building or deploying their own Matrix-based systems. France is additionally replacing Microsoft Teams and Zoom for video with its own in-house platform, Visio, by end of 2027. The Netherlands is currently running trials.

For individuals who want the same level of sovereignty without building a national government system, Wire is the most accessible option from this stack.
Wire is Swiss-headquartered (with German roots), open source with all code publicly available on GitHub, end-to-end encrypted using the MLS protocol, and can be self-hosted so that your organisation or community controls every layer. It uses zero-knowledge encryption, meaning Wire itself cannot read your messages. It is the only major European messenger that is simultaneously consumer-accessible, enterprise-grade and actively deployed at government level across multiple EU states. It has been independently audited multiple times with results published publicly.

For organisations or power users, Wire offers granular administrative controls, SAML-based single sign-on, SCIM provisioning, federated deployment for cross-organisational communication, and full on-premise hosting options. For individuals it is free to start, works across all platforms, and supports messages, calls, file sharing and group collaboration in one app without any Big Tech infrastructure involved.

And that's also a Data Sovereignty double standard:
The same governments that are simultaneously building mandatory age verification infrastructure, pushing for VPN restrictions and proposing identity checks for social media accounts are also, in their internal operations, moving away from US platforms toward sovereign European infrastructure that they fully control. They understand precisely what data sovereignty means and why it matters. They are applying that understanding to protect their own communications while building the architecture that removes it from everyone else's.

u/officialexaking — 6 days ago
▲ 63 r/xprivo

A new class action lawsuit alleges ChatGPT (OpenAI) shares users’ query topics, user IDs, and email addresses with Google and Meta

A newly filed federal class action complaint in California alleges that OpenAI embedded Meta Pixel and Google Analytics tracking into ChatGPT’s website, allowing query topics, user identifiers, and email-linked data to be transmitted to Meta and Google in real time. The complaint claims this happened without informed consent and that the disclosures included personally identifiable information such as Facebook IDs, Google profile IDs, and hashed email addresses.

The legal theory is serious because it does not focus on model output or training data. It focuses on the website’s tracking layer: the scripts loaded when a user opens ChatGPT in a browser, the cookies and identifiers those scripts transmit, and the way that metadata can be linked back to a real person. The complaint argues that ChatGPT users were discussing sensitive topics like finances, health, and legal issues, and that those conversations were then exposed through advertising and analytics infrastructure built for measurement and targeting.

On the Meta side, the complaint says OpenAI used the Facebook Pixel, which is designed to send browser activity to Meta whenever users visit a tracked page. The filing alleges that when a user entered a prompt into ChatGPT, the browser transmitted both the topic data and Meta-linked identifiers such as c_user and fr cookies. Those cookies can identify a Facebook account and, according to the complaint, were used to connect ChatGPT activity to Meta advertising profiles.

On the Google side, the filing alleges that ChatGPT transmitted query topics, hashed email addresses, and Google identifiers through Google Analytics and Google Signals. The complaint describes Google’s systems as designed to associate website activity with user profiles for analytics, remarketing, and cross-device tracking. In plain English, the allegation is that the service did not just know what users asked — it also helped Google tie that behavior back to a specific account and advertising identity.

Many people still assume an AI chat is a one-to-one interaction between them and the model provider. This complaint says the actual data path may include third-party ad tech sitting in the middle, turning an apparently private chat interface into a tracking surface. If proven, the case would reinforce a broader pattern we have seen across AI products: the interface looks conversational, but the surrounding web stack still behaves like advertising infrastructure.

For users who care about privacy and minimizing exposure, it's time to switch to a privacy-first alternative like xPrivo. Not perfect, but at least not training on your data, not selling your data and not sharing your precious thoughts and conversations with third parties. It's worth the switch.

It's also important to remind you to always block analytical trackers to protect yourself.
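The post describes a data path (first-party page, third-party script, beacon carrying identifiers and page context) without showing how you would check a site for it yourself. The following is an added example, not code from the complaint, from OpenAI, or from the post author: it audits a list of browser requests in a HAR-like shape and flags third-party beacons that carry account cookies, the first-party page URL, or a SHA-256-sized hex string of the kind a hashed email would be. The first-party host, tracker host list, cookie names and every request record are constructed or assumed for the example; the parameter names (dl, em) are illustrative, not a claim about any specific vendor's wire format.

```python
"""Added example: flag third-party analytics/advertising requests that carry
identifiers or page context out of a first-party site. All inputs constructed."""
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

FIRST_PARTY = "chat.example.com"  # hypothetical first-party host (assumption)

# Illustrative mapping of beacon hosts to the tracker behind them (assumption).
KNOWN_TRACKERS = {
    "www.facebook.com": "Meta Pixel",
    "connect.facebook.net": "Meta Pixel script",
    "www.google-analytics.com": "Google Analytics",
    "analytics.google.com": "Google Analytics",
}
# Cookie names the complaint names as Meta account identifiers.
ID_COOKIES = {"c_user", "fr"}
# A 64-hex-digit token: the shape of a SHA-256 digest such as a hashed email.
HEX_DIGEST = re.compile(r"\b[0-9a-f]{64}\b")


def is_first_party(host: str) -> bool:
    return host == FIRST_PARTY or host.endswith("." + FIRST_PARTY)


def audit_request(entry: dict):
    """Return a finding dict for a third-party request that leaks something,
    or None for first-party requests and harmless third-party ones.
    entry: {"url": str, "cookies": {name: value}, "body": str}"""
    parts = urlsplit(entry["url"])
    host = parts.hostname or ""
    if is_first_party(host):
        return None
    findings = []
    # 1. Account cookies for the third party sent alongside the beacon.
    leaked_cookies = sorted(ID_COOKIES & set(entry.get("cookies", {})))
    if leaked_cookies:
        findings.append(("identity_cookies", leaked_cookies))
    # 2. First-party page context (path and query, i.e. what the user was doing).
    for name, values in parse_qs(parts.query).items():
        for value in values:
            if FIRST_PARTY in value:
                findings.append(("page_context", f"{name}={value}"))
    # 3. Digest-shaped tokens anywhere in URL or body (possible hashed email).
    for digest in HEX_DIGEST.findall(entry["url"] + " " + entry.get("body", "")):
        findings.append(("hashed_identifier", digest))
    if not findings:
        return None
    return {"host": host,
            "tracker": KNOWN_TRACKERS.get(host, "unknown third party"),
            "findings": findings}


def audit(entries):
    """Run audit_request over every entry and keep only the findings."""
    return [r for r in (audit_request(e) for e in entries) if r]


# Constructed sample capture (not from any real site).
HASHED_EMAIL = hashlib.sha256(b"user@example.com").hexdigest()
SAMPLE_ENTRIES = [
    {"url": "https://chat.example.com/api/conversation",
     "cookies": {"session": "opaque"}, "body": '{"prompt": "..."}'},
    {"url": "https://www.facebook.com/tr/?id=123&ev=PageView"
            "&dl=https%3A%2F%2Fchat.example.com%2Fc%3Ftopic%3Dmedical",
     "cookies": {"c_user": "100001", "fr": "abc.def"}, "body": ""},
    {"url": "https://www.google-analytics.com/g/collect?v=2&tid=G-XXXX"
            "&dl=https%3A%2F%2Fchat.example.com%2Fc",
     "cookies": {}, "body": f"em={HASHED_EMAIL}"},
    {"url": "https://fonts.example-cdn.net/inter.woff2", "cookies": {}, "body": ""},
]


def run_audit():
    return audit(SAMPLE_ENTRIES)


if __name__ == "__main__":
    for finding in run_audit():
        print(finding["tracker"], finding["host"], finding["findings"])
```

In practice you would feed this a HAR export from the browser's developer tools while using the site; the third check is deliberately shape-based, because a hashed identifier is only recognisable by its form, not its content. A request that matches nothing (the font CDN here) is a third party but not, by these criteria, a leak.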

u/officialexaking — 7 days ago
▲ 517 r/xprivo

This German smartphone manufacturer is shipping a Google-free phone with a user-replaceable battery and IP68 waterproofing. In 2026, this combination barely exists anywhere else.

Recently we covered Google tying its new reCAPTCHA system to Google Play Services, effectively locking de-Googled Android users out of millions of websites. The timing of this post is deliberate. If that story made you consider what a genuinely Google-free phone looks like in practice, here is the most complete European answer available right now.
Volla Systeme, a German manufacturer, has begun shipping the Volla Phone Plinius. It is manufactured in Germany, runs an open source Google-free operating system developed on German servers, and ships at around 598 euros for the 8GB RAM and 128GB storage model. The Plinius Plus with 12GB RAM and 256GB storage follows in June at 698 euros. Both models ship to EU countries and the UK.

The hardware story is more interesting than it sounds on paper. The Plinius combines a user-replaceable 5,300mAh battery with IP68 water and dust resistance certification. This combination is nearly unique in the current smartphone market. Every major manufacturer from Samsung to Apple has spent the last several years arguing that sealed batteries and waterproofing are mutually exclusive. Volla built a phone that opens with a standard screwdriver and still meets IP68 standards. The battery replacement requires no specialist tools and does not void the certification.

The rest of the hardware is competitive for the price point. A MediaTek Dimensity 7300 processor on 4nm architecture, 5G via nano-SIM or eSIM, a 6.67-inch OLED display at 120Hz, 30W wired charging and 15W Qi wireless, microSD expansion up to 1TB, and a programmable hardware button on the side. The Plinius Plus adds a reinforced rear panel and a Pogo pin connector for magnetically attached accessories.

The software is where Volla's actual proposition lives. Volla OS is an open source Android build with Google services completely removed. No Google Play Services, no Google apps, no Google account required. According to Volla, the OS generates up to 80% less network traffic than a standard Android device as a direct result of Google services being absent. A built-in security mode lets users lock individual apps, filter internet connections and disable the optional microG component, which simulates Google Play Services for apps that require it. On-device AI handles voice recognition and camera photo optimisation without sending data to any cloud server. Ubuntu Touch is available as an alternative operating system via a multi-boot menu.

The context for this launch matters. Google announced in August 2025 that all Android app developers would be required to register with Google, pay a fee and submit a government-issued photo ID by September 2026, with apps from unverified developers blocked on certified Android devices. The Keep Android Open advocacy project has described Google's proposed transition solution as "inadequate" and noted it exists only as a blog post and UI mockups with no finished implementation. For users who want to exit both the Google ecosystem and the Apple ecosystem entirely, devices like the Plinius are among the very few options that are genuinely available, genuinely shipping and genuinely manufactured inside Europe.

The honest caveats are worth stating. At around 598 euros the Plinius is priced above many mid-range competitors that ship with more powerful processors. App compatibility without Google Play Services requires either microG or manual APK installation, which is a real friction point for users transitioning from standard Android. And Volla OS, while open source and privacy-respecting, has a smaller developer community than GrapheneOS or CalyxOS and ships on its own hardware rather than being an installable option on popular existing devices.
But for someone in the EU who wants a phone that was made in Europe, runs European software, generates no Google telemetry, has a battery they can replace themselves five years from now, and still meets the waterproofing standard of mainstream flagship devices, the Plinius is currently the most complete answer available from a European manufacturer.

u/officialexaking — 8 days ago
▲ 63 r/xprivo

Tux turned 30 last week. Linux's penguin mascot was born from a finger bite at an Australian zoo, designed in GIMP by one developer, and has not changed in three decades.

On May 9, 1996, Linus Torvalds sent an email to the linux-kernel mailing list that would define the visual identity of the most influential open source operating system in history. His brief was precise and characteristically irreverent: the mascot should look "cuddly" and "contented," like a penguin that had just eaten "a suitcase full of herring" and was too stuffed to stand up straight. "Think of a Bean Bag," he wrote.
The origin of the penguin preference is one of computing history's more charming footnotes. Torvalds had visited the National Zoo in Canberra, Australia, where a small penguin bit his finger. Rather than holding a grudge, he declared himself "rather fond of penguins" and the direction was set.
Developer Larry Ewing took that brief and built the round, black-and-white character using GIMP, the open source image editor, in a decision that was quietly fitting: the mascot of a free software project created with free software tools. The name Tux followed in June 1996, proposed by James Hughes as an acronym for (T)orvalds (U)ni(X), though the obvious association with the tuxedo, which a penguin wears naturally, made the name feel inevitable.
What is remarkable is how little Tux has changed. Corporate logos are redesigned on three-year cycles. Brand consultancies are paid millions to flatten, simplify and "modernise" visual identities. Tux was drawn once by one person using an open source image editor and has remained essentially untouched for thirty years. Ewing's only condition for its use has always been attribution to himself and GIMP. No licensing fees, no trademark bureaucracy, no corporate design team to approve modifications. The decentralised ethos of open source embedded into the mascot itself.
Torvalds was always clear about the tone he wanted. "He's supposed to be kind of goofy and fun, that's the whole point," he once wrote. "Linux is supposed to be goofy and fun, it's also the best operating system in the world, but goofy and fun too." In 1998, Internet World magazine recognised Tux as one of twelve figures who had "made things happen" that year. A penguin drawn by one developer in GIMP listed alongside the year's most significant figures in technology.
The milestone lands as Linux itself approaches its 35th year. The kernel was first published in September 1991 as a student project with just over 10,000 lines of code. It has since grown to more than 34 million lines, shaped by over 25,000 individual contributors. It now runs on virtually all of the world's 500 fastest supercomputers, the majority of global cloud infrastructure, and the Android operating system on billions of mobile devices.
For this community in particular, the anniversary carries specific weight. The same properties that Torvalds encoded into Tux, open, unowned, built by individuals rather than corporations, maintained by shared convention rather than legal enforcement, are the properties under increasing pressure in 2026. Google is moving to require developer registration and government ID for Android app distribution. The EU is building centralised age verification infrastructure that will require identification before accessing the internet. The open web is being enclosed from multiple directions simultaneously.
The penguin that has symbolised the alternative for thirty years is still sitting there, full of herring, looking quietly pleased with itself.
Happy late birthday, Tux.

u/officialexaking — 10 days ago
▲ 394 r/xprivo

Google’s reCAPTCHA will now prevent privacy-conscious Android users from accessing websites. Users who remove Google software (deGoogled phone) from their devices may be treated as suspicious by default. If you currently use reCAPTCHA, switch to a European alternative.

On April 23, 2026, Google announced "Cloud Fraud Defense" at Cloud Next, describing it as the next evolution of reCAPTCHA. What they did not announce clearly is the detail that changes everything: when this new system flags your traffic as suspicious, the old click-the-buses puzzle is gone. Instead, you get a QR code. Scanning that QR code requires Google Play Services version 25.41.30 or higher running on your device. If you removed Google Play Services because you are on GrapheneOS, LineageOS, CalyxOS, /e/OS or any other de-Googled Android distribution, the verification fails with no documented workaround. Support pages showing this requirement were silently live since at least October 2025, seven months before anyone widely noticed.

iOS users on 16.4 and above pass automatically. Android users running stock Google software pass automatically. Privacy-conscious Android users who made an informed decision to remove Google's proprietary software from their own devices get locked out. The audience most likely to have read Google's data practices carefully and chosen to opt out is now the audience being flagged as fraudulent for that exact choice.

This is not the first time Google has attempted this. In 2023, the company proposed Web Environment Integrity, a browser feature that would let Google decide which devices were "legitimate" enough to access the web. Standards bodies, the open web community and the public pushed back hard enough that Google killed the proposal. Three years later, the same architectural idea is back, implemented not as an open web standard but as a dependency buried inside a widely deployed CAPTCHA system. The outcome is identical: Google's closed proprietary stack becomes the gatekeeper for basic web access. The mechanism is just harder to see.

The practical consequences are significant and mostly invisible to the websites themselves. reCAPTCHA runs on millions of websites globally. Bank login pages, government portals, ticket sites, account registration flows, none of them have to make an active decision to block de-Googled users. They just inherit the upstream limitation by continuing to use reCAPTCHA as they always have. A bank using reCAPTCHA is not choosing to exclude GrapheneOS users. It is just that Google made that choice on their behalf without telling them. This means, if you are a privacy-conscious user you are blocked from using bank websites because of Google.

GrapheneOS is recommended by the Electronic Frontier Foundation and is actively used by journalists, lawyers, activists, people operating in high-risk environments where device security matters and by everyone who just loves privacy. It is the most security-hardened Android variant publicly available. The population of people running it is not bots or fraudsters. It is the population that took device privacy seriously enough to sacrifice app compatibility and convenience to achieve it. Google's system cannot distinguish between them and actually malicious traffic because the only signal it is checking is whether Google's own software is present.

Play Services is background software with broad device permissions that Google controls, updates silently and uses to collect device telemetry. The user who removed it made a reasonable security decision. The system now treating that decision as evidence of suspicious intent has the logic precisely backwards.

There is currently a minimal bypass: Changing the browser agent string to simulate a non-Android device bypasses the check in some cases. GrapheneOS's sandboxed Play Services approach, which runs Google's software in an isolated container, may pass the check for now. But Google will almost certainly require full Play Integrity attestation in the future, and sandboxed Play Services will eventually fail that check by design because Play Integrity is specifically built to certify that Google's software is running with full system-level access.

If you are on a de-Googled device and hitting reCAPTCHA walls, document the sites and report them to the website owners and maintainers directly. Most website operators have no idea this is happening! Tell them to switch to alternatives like Altcha (altcha.org) which is an Open Source Captcha. Altcha is European, privacy-preserving by design and requires no Play Services or proprietary software to pass. Every developer who keeps using reCAPTCHA after learning this is making a choice, even if they do not know it yet.

u/officialexaking — 12 days ago
▲ 121 r/xprivo

The European Parliament's research service just framed VPNs as a child safety loophole. The actual research says 82% of users use them for protection. Here is what is really happening and a decentralised VPN alternative

The European Parliamentary Research Service published a briefing paper this week titled "Virtual private networks and the protection of children online." The EU Parliament's social media account promoted it with the line: "VPNs are increasingly used to bypass online age verification." The Children's Commissioner for England is cited calling for VPNs to be restricted to adult use only. Some in the document argue that access to VPN services should require age verification.

There is one problem. The research underpinning the "VPNs are used to bypass age verification" framing is the 1,800% spike in VPN downloads in the UK after the Online Safety Act went live in July 2025. That is a real number. But it does not tell you why people downloaded VPNs. For that you need to look at the actual research on VPN usage.

A University of Michigan study covering thousands of VPN users across multiple countries found that 82.1% use VPNs to "protect myself from various threats and adversaries." Access to restricted content was a minority use case. There is no peer-reviewed research showing that VPNs are "increasingly" used specifically to bypass age verification. The EPRS briefing document conflates a correlation, more VPN downloads after age verification laws went live, with a motivation. Correlation is not causation, and the assumption that those downloads were primarily about age bypassing rather than people deciding their privacy needed protecting in response to governments demanding their biometric data is not supported by the underlying data.

This framing is not accidental. It is the legislative infrastructure for the next step. Once VPNs are established in official EU research as a "child safety loophole" rather than a privacy protection tool, the regulatory path toward restricting or requiring age verification for VPN access becomes politically available. We covered Utah's suggestion doing exactly this just this week. EU VP Henna Virkkunen explicitly stated the EU age verification system "should not be circumvented." The EPRS briefing is building the academic and policy foundation for what comes next.

The practical outcome of requiring age verification for VPN use is identical to banning anonymous VPN use. Once a VPN provider must verify your age, your identity is linked to your VPN account. The privacy tool becomes the surveillance checkpoint. This is precisely the outcome documented in our earlier post: Russia and Iran both arrived at VPN restrictions through incremental legislative pressure that began with narrowly justified use cases.

The option that cannot be regulated this way: NymVPN from Switzerland
A centralised VPN can be pressured, banned, compelled to verify users or have its servers seized. A decentralised VPN built on distributed infrastructure with no central company controlling the nodes cannot be banned in the same way because there is no single entity to compel.

NymVPN is built on the Nym mixnet, a decentralised network that protects not just your traffic content but your metadata: who you communicate with, when, and how often. Unlike traditional VPNs that hide your IP but still expose traffic patterns to a global adversary, Nym adds cover traffic and noise so that even nation-state level traffic analysis cannot de-anonymise you. Signup is anonymous, payments are unlinkable, the code is fully open source, and the network runs on independent distributed nodes with no central point of failure or control.

The most recent update of NymVPN added direct decentralised payments via zkNym credentials and removed the last requirement for a traditional account entirely. No account, no subscription tied to your identity, no company that can receive a court order requiring it to hand over your data.

The EU can regulate centralised VPN companies. It can require them to age-verify. It can compel them to log connections. What it cannot do is regulate a decentralised network that runs on distributed nodes operated by thousands of independent participants globally, any more than it can ban BitTorrent or regulate the Tor network out of existence.

u/officialexaking — 14 days ago
▲ 104 r/xprivo

Google quietly downloads 4GB onto your machine, UK kids defeated age verification with eyebrow pencils, and Meta's Ray-Ban glasses private videos were being watched by workers in Kenya (-privacy)

Google Chrome silently downloads a 4GB AI model to hundreds of millions of computers:
Without prominent notification or upfront consent, Chrome began downloading a roughly 4GB file called weights.bin to user machines as part of Gemini Nano, Google's on-device language model. It lands in your browser's user data folder under OptGuideOnDeviceModel and powers features including "Help me write," tab suggestions, scam detection and page summarisation. The download triggers automatically for any device meeting minimum hardware requirements, and Chrome re-downloads the file if you delete it.
The model runs on your machine, not Google's servers. But that is not the issue. This is a 4GB install that happened on hundreds of millions of machines without a clear consent prompt. Multiplied globally that is thousands of tonnes of additional carbon emissions from data transfer. And the model's presence means Google's AI infrastructure now lives permanently inside your browser whether you use it or not.
To remove it: go to chrome://flags, disable the entries for Optimization Guide On Device Model and Prompt API, restart Chrome, then manually delete the folder. Chrome may attempt to re-download it.
This is also the strongest argument yet for switching to a Firefox-based browser. LibreWolf does not ship with a 4GB AI model you did not ask for.
Source: https://www.techpowerup.com/348825/google-chrome-silently-downloads-4-gb-ai-model-on-your-pc-without-consent
https://9to5google.com/2026/05/06/google-chrome-4gb-storage-ai-details/

UK kids defeated the Online Safety Act with eyebrow pencils. The first major assessment is devastating:
The first independent assessment of the UK's Online Safety Act is out and contains a sentence that tells you everything: "I did catch my son using an eyebrow pencil to draw a moustache on his face, and it verified him as 15 years old." The child was 12.
This is the law that forced UK adults to submit government IDs and biometric facial scans to access ordinary websites, triggered a 1,800% spike in VPN downloads when it went live in July 2025, and pushed millions of users into handing biometric data to private third-party verification vendors. The assessment numbers are brutal: 46% of children say age checks are easy to bypass. Only 17% say they are difficult. 32% have already bypassed them in the past two months. 49% still report experiencing harm online in the past month.
The bypass methods children described to researchers include drawing facial hair with eyebrow pencil to fool facial age estimation, holding up a video game character's head during a face scan, submitting a video of a different person's face entirely, using a parent's ID with parental consent, and entering a fake birthday which still works on most platforms. A 12-year-old girl explained the TikTok live enforcement model: "They ban me for 10 minutes and then I can go live again."
The report's most uncomfortable finding is that 26% of parents are actively helping their children bypass the checks, deciding individually which circumvention is acceptable. A verification system that relies on parents as the final enforcement layer collapses the moment parents become the bypass vector. Reminder: The Discord vendor breach in October 2025 already exposed 70,000 government IDs uploaded purely for age verification.
A 16-year-old summarised it better than any policy paper: "I think it's a great idea in theory and I applaud its intentions, but I don't see how that's feasible, because kids will always find a way."
Source: https://www.internetmatters.org/hub/research/online-safety-act-report-2026/
https://www.washingtontimes.com/news/2026/may/7/uk-kids-skirt-online-age-verification-drawing-beards-using-pictures/

Meta's Ray-Ban smart glasses were recording video watched by workers in Kenya. Many users had no idea:
Meta has ended its contract with Sama, a Kenyan outsourcing company that employed workers to watch footage captured by Meta's Ray-Ban smart glasses as part of AI training. After losing the contract, Sama fired approximately 1,100 workers. Several of those workers reported losing their jobs after speaking out about the nature of the content they were required to review.
The content included people using the bathroom, individuals undressing, people having s*x, private conversations, and footage capturing bank card details. Users of the Ray-Ban glasses, which can record video discreetly and continuously, were largely unaware that their footage was being reviewed by human workers in another country as part of an AI training pipeline. A class-action lawsuit has been filed against Meta.

The pattern is familiar from every major AI product. The "private" framing around AI features of Big Tech providers consistently obscures the human review layer that sits behind them, the layer that was exposed with ChatGPT routing messages to the FBI, the layer that sits inside every AI product that claims to be private while using human contractors to review edge cases, improve accuracy and handle content moderation. The workers who watched the most intimate footage of Meta's users are now unemployed. Meta has not issued a detailed public statement on either the contract termination or the workers' accounts.
Source: https://www.bbc.com/news/articles/c5y7yvgy0w6o

u/officialexaking — 15 days ago
▲ 167 r/xprivo+1 crossposts

When we launched xPrivo Search earlier this year, the promise was simple: world-class search quality, absolute privacy, and full European digital sovereignty without compromise. Tens of thousands of you switched. You never became a product in return.

Today that trust gets repaid with the biggest release in xPrivo's history.

xPrivo 4.0 is live now at xprivo.com and xprivo.com/search
The single most important change under the hood is one you might not see directly but will feel in every result. Until today, xPrivo ran only on the European Search Perspective, a fully independent European index with no ties to US tech. That foundation has not changed. But we have now added our own small proprietary xPrivo Search Index on top of it. Two fully European, fully independent sources working in tandem. No Bing. No Google. No dependency on any American platform at any layer of the result pipeline.

On the surface, the results page is dramatically richer. Knowledge Cards surface structured answers for people, places, concepts and events without requiring a click. Live news results appear timestamped from trusted publishers. Sports results show for example Bundesliga standings and Champions League scores directly in your results. Image search is now inline. Place search surfaces local businesses across Europe complete with maps, opening hours and contact details, all within European infrastructure, not handed to Google Maps. Every single one of these result types can be individually toggled on or off in settings. The choice is yours.

Two new power features for users who want to move fast. Shortcuts let you trigger features directly from the search bar: /m opens a weather widget, /c opens a calculator, /ai triggers an instant AI overview generated entirely within our European AI infrastructure. QuickSearch lets you type !w climate change to jump directly to Wikipedia, !yt to YouTube, !gh to GitHub, !r to Reddit, all without an intermediate results page and without any third-party bang service logging your behaviour. The full command list appears when you type ! in the search bar.

🇩🇪 German language results are now fully supported, with Austria and Switzerland coverage included, as part of our ongoing expansion across European languages.

For local businesses, xPrivo 4.0 now lets you list your location directly in search results with a photo, map pin and website link. Placement is based on relevance, never on ad spend or behavioural tracking. Add your business from the footer at xprivo.com/search.

The iOS app is updated today. The Android app including a FOSS release on F-Droid is in active development and coming soon, making xPrivo one of the very few search applications committed to being installable without touching Google infrastructure at all.

The privacy principles have not changed and never will. No IP logging. No search history. No profiling. No Big Tech infrastructure by default. No behavioural ad targeting. Every component runs inside the EU under GDPR and European law.

The full release post with every detail is at https://www.xprivo.com/blog/en/xprivo-4

If you want to set xPrivo as your default browser search engine, the step-by-step guide for every major browser is at xprivo.com/add-xprivo-search-engine . It takes under a minute and means every search you make from that point feeds European infrastructure instead of a US data broker.
The gate to the internet belongs to you. Keep it that way.

u/SusejLegend — 16 days ago
▲ 470 r/xprivo+1 crossposts

Utah Senate Bill 73, the Online Age Verification Amendments, takes effect on May 6, 2026, making Utah the first US state to directly target VPN use as part of age verification enforcement. The law requires adult content websites to verify the age of anyone physically located in Utah, regardless of whether they use a VPN, proxy or other method to mask their location. Sites are prohibited from providing instructions or assistance on bypassing age checks using VPNs.

The law does not ban VPNs outright. It creates a legal structure where websites cannot reliably determine whether a visitor is using a VPN shield for privacy or hiding in Utah to bypass age gates, so the only legally safe option is either to block all known VPN IPs entirely or to require strict identity verification from every single visitor globally. The Electronic Frontier Foundation called this a "liability trap" that punishes users who care about their privacy, regardless of where they live. NordVPN described it as a "technical whack-a-mole" where the goal is unachievable and the enforcement breaks internet architecture.

EU Executive Vice President Henna Virkkunen, the commissioner driving the EU age verification blueprint, was asked directly at a press conference in Strasbourg on April 29, 2026 how the system stops children from circumventing it with a simple VPN. Her answer, confirmed by Reuters and the official Commission statement: "It's difficult, of course, to have the technological solutions that there's no way to circumvent … it's also an important part of next steps to look at [the issue] that it shouldn't be circumvented." She explicitly acknowledged the EU app can be bypassed with VPNs and stated it is critical that next steps address this, meaning the system that billions of euros will be spent rolling out is already known to be bypassable and the plan is to figure out how to fix it later.

The irony is staggering. The EU age verification blueprint was built to intersect with the European Digital Identity Wallet at the highest possible privacy standard, programmed with zero-knowledge proofs and anonymous credentials. The demo version was hacked in under two minutes using a mobile phone before launch. Security consultants demonstrated it stores biometric data unencrypted on the device. Experts including Belgian cryptographer Bart Preneel said the fundamental concept does not work even if the implementation were perfect. Virkkunen then stood before the press and admitted the bypass is trivial and plans are being made to stop it. The system has not stopped the bypass. It has been racing ahead at an accelerated pace anyway to meet the December 2026 deadline.

The end goal is now explicit. The EU's stated objective is to create a single age verification infrastructure across all 27 member states, rather than 27 different national systems, managed by a Commission-appointed list of trusted providers and a scheme controlling what counts as compliant, all designed to prevent users from circumventing age gates using privacy tools. The same infrastructure can gate social media access, content moderation appeals, credit decisions, political ad targeting and anything else that requires provisional identity verification.

The UK has passed amendments requiring VPNs to implement age verification. Utah is banning VPN circumvention. The pattern is the same across every single instance: privacy becomes circumvention, circumventing surveillance becomes illegal, and the innocent infrastructure of anonymity becomes the target.
For millions of users worldwide, the choice they are facing is about to become binary: hand over verified identity or lose access to the internet.

u/Powerful_Froyo8423 — 19 days ago
▲ 179 r/xprivo

Greece's Digital Governance Minister Dimitris Papastergiou confirmed this week that the government is moving forward with plans to require real identity verification for all social media accounts in the country. Users would still be permitted to use pseudonyms publicly, but every account must be linked to a verified legal identity through platform-level checks. The proposal is now being managed directly from Prime Minister Kyriakos Mitsotakis' office, which signals this is no longer a trial balloon but active government policy.

The stated justifications are the familiar ones: toxicity, hoaxes, coordinated harassment and character assassinations. Papastergiou argued that "digital democracy" should be inspired by Ancient Greece, where citizens openly expressed their views in the Assembly.

He is historically wrong in a way that is worth pointing out precisely because the argument is designed to sound educated. The Athenian Assembly invented the secret ballot specifically because public attribution is dangerous. Athenian ostracism, where citizens voted to exile powerful individuals, used anonymous pottery shards deliberately so that people could vote without fear of retaliation from the powerful. Pseudonymous political writing was widespread and understood to serve a legitimate democratic function. The historical record does not support the claim that Ancient Greece considered public identity a prerequisite for political participation. It supports exactly the opposite.

The modern case for anonymity is even stronger. Whistleblowers, abuse survivors, journalists working in hostile environments, political dissidents, LGBTQ+ individuals in unsupportive communities, employees flagging workplace misconduct, patients discussing stigmatised health conditions: all of these depend on the ability to speak without being identified. Eliminating anonymity does not eliminate toxicity. It eliminates the speech of people who have the most to lose from being identified, while leaving powerful actors who can absorb the consequences of public attribution entirely unaffected.

The "pseudonyms permitted but identity verified" framing is the part that deserves the closest scrutiny. This is the architecture that sounds like a compromise but functions as total surveillance. Your pseudonymous account says nothing that can be traced to you publicly, but every post you write, every reply you make, every community you participate in, is one platform data breach, one government request, or one policy change away from being attached to your legal name permanently. The pseudonym is a UI layer over a fully de-anonymised database.

This is not Greece operating totally alone with that kind of thing. The UK passed an amendment requiring VPNs to implement age verification. Norway is moving to mandatory age verification for social media. Germany is advancing IP address retention legislation. The EU classified certain emojis as systemic risks requiring automated scanning. The Greek proposal is the most explicit version of the same direction that every other country in this list is moving toward through slightly less visible mechanisms.

The difference is that Greece is being honest about the destination. Which does not make it better. Most governments arrive at the same endpoint through incremental steps, each justified individually as a narrow technical measure. Greece just described the destination directly: a social media environment where every account is traceable to a verified legal identity held by platforms that governments can compel.

u/officialexaking — 22 days ago
▲ 1.2k r/xprivo+1 crossposts

The European Commission published a formal recommendation today pressing all 27 member states to deploy a standardised age verification system by December 31, 2026. Source: https://digital-strategy.ec.europa.eu/en/library/commission-sets-out-common-approach-eu-wide-age-verification-technologies

France, Italy, Spain and several others are already testing implementations. The Commission describes the system as privacy-preserving, anonymous and built to the highest cybersecurity standards. 🤡

The demo was bypassed in under two minutes using a mobile phone.

That detail is not a minor technical footnote. It is the central fact about this rollout. The Commission's own blueprint, the one it is now recommending every EU citizen use to verify their identity before accessing age-restricted content, failed a basic real-world security test before it was even deployed nationally. The response from Brussels was to accelerate the timeline anyway.

The architecture the Commission is recommending works like this: you download a national app, scan your passport or national ID card to onboard, receive an anonymous digital credential, and present that credential to websites or apps that require age confirmation. The credential is designed to prove only that you are above a threshold age without revealing your exact age or identity to the platform. On paper this is genuinely privacy-conscious design. The cryptographic approach of proving a property without revealing the underlying data is the right way to build this.

The problem is not the design document. It is everything around it.

The EU is recommending this system be integrated with the European Digital Identity Wallet, the same eIDAS 2.0 infrastructure that Germany's first pilot deployed through Google Wallet, running on Oracle Cloud in Arizona and Amazon EC2 in Oregon, as we covered in detail here a few weeks ago. The theoretical privacy architecture and the actual implementation are two completely separate things, and every national implementation so far has chosen the fastest path to December compliance rather than the most privacy-preserving one.

Requiring every EU citizen to scan their passport into a government-linked app as a prerequisite for accessing the internet is not a narrow child safety measure. It is the construction of a universal identity verification layer for online activity, with age checking as the initial justification. The same infrastructure that confirms you are over 18 to access a gambling site can confirm you are the verified identity attached to a political post, a health forum discussion or a news comment. The scope of what gets age-gated is a policy decision that can be changed at any time after the infrastructure is built.

The governance structure the Commission is creating makes this explicit. It will maintain a list of approved age verification solution providers, a list of trusted proof-of-age attestation providers, and a scheme defining what qualifies as compliant. Once that list exists, it determines who is permitted to mediate access to online services for 450 million people. That is an enormous concentration of infrastructure power regardless of how well-intentioned the current holders of that power are.

Online child protection is a serious issue that requires greater awareness and education for parents, as the primary responsibility ultimately rests with them. But a universal identity verification layer with a two-minute bypass, deployed on infrastructure that three separate member state implementations have already shown will run on American cloud servers, managed by a Commission scheme that controls the approved provider list, does not become a privacy-preserving system because the recommendation document uses the word "anonymous" seven times.

The December 2026 deadline is eight months away. No national implementation yet fully meets the privacy standards the Commission claims to require. The demo was hacked in two minutes. The correct response to both of those facts is to slow down, not to publish a recommendation accelerating the timeline.
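
The credential flow the post describes (onboard with an ID, receive a credential, present only an "above threshold" claim) is worth seeing in code, because it makes visible both what the design hides and what it does not. The following is an added example, not the Commission's blueprint or any wallet's code. It implements salted-digest selective disclosure: the issuer derives the over-18 claim itself, signs only a list of salted claim digests, and the holder reveals the salt and value for one claim. Assumptions: HMAC stands in for the issuer's public-key signature (a real verifier would hold only a public key), the identity record and the issuer name are constructed, and the date is fixed so the output is deterministic.

```python
"""Selective-disclosure age credential: sign salted digests of every claim,
reveal only the threshold claim. Added example; toy HMAC 'signature'."""
import hashlib
import hmac
import json
import secrets
from datetime import date

ISSUER_KEY = secrets.token_bytes(32)   # toy signing key (assumption: HMAC stands in for a signature)
TODAY = date(2026, 5, 1)               # fixed so the age computation is deterministic
SAMPLE_ID = {"name": "A. Citizen", "birthdate": "1990-03-14", "document_number": "X1234567"}  # constructed


def _digest(name, salt, value):
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()


def _sign(payload, key):
    return hmac.new(key, json.dumps(payload, sort_keys=True).encode(), "sha256").hexdigest()


def issue(identity, key=ISSUER_KEY):
    """Issuer (the national app after the ID scan): derive over_18 itself, salt every
    claim, and sign only the sorted digest list, never the claim values."""
    born = date.fromisoformat(identity["birthdate"])
    age = TODAY.year - born.year - ((TODAY.month, TODAY.day) < (born.month, born.day))
    claims = dict(identity, over_18=age >= 18)
    disclosures = {n: (secrets.token_hex(16), v) for n, v in claims.items()}
    payload = {"iss": "toy-issuer",
               "digests": sorted(_digest(n, s, v) for n, (s, v) in disclosures.items())}
    return {"payload": payload, "sig": _sign(payload, key)}, disclosures


def present(credential, disclosures, reveal):
    """Holder: send the signed payload plus salt/value pairs for the revealed claims only."""
    return {"credential": credential, "disclosed": {n: disclosures[n] for n in reveal}}


def verify(presentation, required, key=ISSUER_KEY):
    """Relying party: signature must check, each revealed claim must hash into the signed
    list, and every required claim must have been revealed. Returns learned claims or None."""
    cred, disclosed = presentation["credential"], presentation["disclosed"]
    if not hmac.compare_digest(cred["sig"], _sign(cred["payload"], key)):
        return None
    learned = {}
    for name, (salt, value) in disclosed.items():
        if _digest(name, salt, value) not in cred["payload"]["digests"]:
            return None          # value or salt tampered with
        learned[name] = value
    return learned if all(r in learned for r in required) else None


def correlator(presentation):
    """What two unrelated sites can compare. The signature (and digest list) is identical in
    every presentation of the same credential, so it links the holder across services even
    though neither site ever sees a name or birthdate."""
    return presentation["credential"]["sig"]


def linkable(p1, p2):
    return correlator(p1) == correlator(p2)
```

Running `verify(present(cred, disc, ["over_18"]), ["over_18"])` on a credential from `issue(SAMPLE_ID)` yields `{'over_18': True}` and nothing else, which is the privacy-conscious part of the design. The caveat is `linkable`: the same credential presented to a gambling site and to a health forum carries the same signature, so anyone who can compare both logs has a cross-service identifier. Issuing a fresh credential for every presentation (re-running `issue`, which draws new salts) breaks that link in this toy, at the cost of an issuer that can count and time every issuance; zero-knowledge anonymous credentials are the way to avoid both the correlator and the issuer-side log, which is why the unlinkability property, not the word "anonymous", is the thing to check in each national implementation.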

u/BlokZNCR — 23 days ago
▲ 1.3k r/Eesti+1 crossposts

Lidl is set to disrupt the telecommunications industry by rolling out budget-friendly mobile plans across new markets. Although the retailer already operates mobile services in Germany, Austria, and Switzerland, it is now looking to scale its presence into as many as 30 more countries.

u/officialexaking — 23 days ago
▲ 153 r/xprivo

When Elon Musk launched XChat and marketed it as "fully end-to-end encrypted", security researchers immediately started pulling the implementation apart. What they found is a case study in how technically correct language can describe something that provides almost no real privacy in practice.

What XChat actually does

XChat uses a protocol called Juicebox to manage encryption keys. The idea behind Juicebox is sound: split a user's private key into multiple "realm" shares, distribute them across independent servers, and require a PIN to reassemble them. No single realm has the full key, so no single server can decrypt your messages on its own. In theory this is a reasonable architecture.

The problem is every single realm in XChat's implementation is operated by X Corp, all under the x.com domain with SSL certificates belonging to X. Researchers confirmed this by intercepting and decrypting XChat's network traffic, which was possible because the app does not use certificate pinning. Since X controls every realm, X can reassemble any user's private encryption key at any time. The distributed key storage is completely illusory.

Cryptography professor Matthew Green at Johns Hopkins summarized it like this: if decryption keys live in servers all under X's control, then X can obtain anyone's key and decrypt their messages, whether for internal purposes, because a warrant compels them to, or because someone in authority decides they want to read your chats. He called this a "game-over type of vulnerability" if you are judging it as an end-to-end encryption scheme.

The 4-digit PIN makes this worse. The entire key recovery system is protected by 10,000 possible combinations, the equivalent of a luggage padlock. Rate limiting is supposed to prevent brute force but requires coordinated enforcement across all servers, and all those servers are the same company. There is also no forward secrecy, meaning compromising a key exposes past messages too, no key ratcheting, and no protection against man-in-the-middle attacks through key directory manipulation.

There is one additional problem that sits above the cryptography entirely. XChat includes an "Ask Grok" button in chats that sends message content directly to Grok for AI processing. The moment a user clicks it, that conversation exits end-to-end encryption entirely and lands on X's AI servers in plaintext. X's privacy policy does not specify whether this content is used for training or for other purposes.

The European alternatives you might consider instead:

Threema (Switzerland) requires no phone number, no email address and no account linked to any real identity. You get a randomly generated Threema ID. End-to-end encryption uses the NaCl cryptography library, is fully open source and has been independently audited. Messages are permanently deleted from Threema's servers after delivery and are never stored in the clear. The app is available for a one-time purchase.

Olvid (France) is the only messaging app certified by the French national cybersecurity agency ANSSI to the highest level of assurance. It requires absolutely no personal information to create an account, not a phone number, not an email, not a name. Identity verification is done cryptographically through a mutual introduction protocol rather than a phone number lookup. The French government officially recommends it for sensitive communications. It is open source and the cryptographic protocol has been formally verified by academic researchers.

SimpleX Chat takes the most radical approach of any mainstream messenger. It assigns no identifier to users whatsoever, not a phone number, not a username, not a randomly generated account ID. Communication happens through temporary pairwise queue addresses that exist only for the duration of a conversation. Even SimpleX's own servers cannot determine that your conversation with one person and your conversation with another involve the same user. There is no central directory that maps identities to keys, which means there is nothing to subpoena, breach or hand to law enforcement.

The pattern across all three is consistent: they were built by people who understood that real privacy requires designing the system so that the provider cannot betray you even if compelled to, not writing a privacy policy promising they will not.

XChat was built by people who wanted to claim end-to-end encryption while retaining full access to every conversation. The architecture reflects the intention.

Tldr: Technically, X has everything it needs to decrypt your messages and read your conversations. The lock icon that appears next to your direct messages is purely decorative.
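
The two structural points in the post, that splitting a key across realms only helps if the realms are independently operated, and that a 4-digit PIN is a 10,000-entry keyspace whose protection is the realms' guess counters, can be shown with a small model. This is an added example and a deliberate simplification, not Juicebox's protocol or X's code: it uses plain Shamir sharing and a hash-derived PIN mask where the real scheme uses more careful cryptography. Assumptions: three realms with a 2-of-3 threshold, a guess budget of 10 per realm, a constructed user and key, and a client-side check value that stands in for "the recovered key decrypts my messages".

```python
"""PIN-protected split-key storage, simplified: k-of-n shares across 'realms',
a 4-digit PIN, per-realm guess limits. Added example, not Juicebox or X code."""
import hashlib
import secrets

P = 2**255 - 19                                   # prime field for the toy Shamir sharing
PIN_SPACE = [f"{i:04d}" for i in range(10_000)]   # the entire 4-digit keyspace
USER = "alice"                                    # constructed sample user


def _poly(coeffs, x):
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, n, k):
    """Shamir k-of-n: random degree k-1 polynomial with f(0)=secret; share i is (i, f(i))."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x=0; any k correct shares return f(0), fewer return nothing usable."""
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def _mask(pin, salt):          # toy PIN-derived mask; a real scheme uses a slow KDF or an OPRF
    return hashlib.sha256(salt + pin.encode()).digest()


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class LockedOut(Exception):
    """An honest realm's guess budget for this user is exhausted."""


class Realm:
    def __init__(self, name, max_guesses=10):
        self.name, self.max_guesses = name, max_guesses
        self.store, self.guesses = {}, {}   # user -> (x, salt, masked share); user -> guess count

    def register(self, user, x, share, pin):
        salt = secrets.token_bytes(16)
        self.store[user] = (x, salt, _xor(share.to_bytes(32, "big"), _mask(pin, salt)))
        self.guesses[user] = 0

    def recover(self, user, pin):
        """Protocol path. The realm cannot tell a right PIN from a wrong one, so every call
        counts and it refuses after max_guesses. This is the only thing protecting the PIN."""
        self.guesses[user] += 1
        if self.guesses[user] > self.max_guesses:
            raise LockedOut(self.name)
        x, salt, masked = self.store[user]
        return x, int.from_bytes(_xor(masked, _mask(pin, salt)), "big")

    def dump(self, user):
        """Operator path: whoever runs the box reads the row; the counter is never consulted."""
        return self.store[user]


def enroll(key, pin, realms, k):
    """Split a 16-byte key across the realms; return the client's recovery check value."""
    for realm, (x, y) in zip(realms, split_secret(int.from_bytes(key, "big"), len(realms), k)):
        realm.register(USER, x, y, pin)
    return hashlib.sha256(key).digest()


def _key_from(cands, check):
    key = recover_secret(cands).to_bytes(32, "big")[-16:]
    return key if hashlib.sha256(key).digest() == check else None


def client_recover(pin, realms, k, check):
    """What the app does: ask k realms, interpolate, confirm against the check value."""
    return _key_from([r.recover(USER, pin) for r in realms[:k]], check)


def online_brute_force(realms, k, check):
    """Outsider with no server access: stopped by whichever honest realm locks first.
    Returns (pin or None, completed guesses)."""
    for done, pin in enumerate(PIN_SPACE):
        try:
            if client_recover(pin, realms, k, check) is not None:
                return pin, done + 1
        except LockedOut:
            return None, done
    return None, len(PIN_SPACE)


def operator_brute_force(realms, k, check):
    """One operator running every realm: dump k rows, try all 10,000 PINs offline.
    Returns (pin, key, guesses); no guess counter is ever incremented."""
    rows = [r.dump(USER) for r in realms[:k]]
    for guesses, pin in enumerate(PIN_SPACE, 1):
        cands = [(x, int.from_bytes(_xor(masked, _mask(pin, salt)), "big")) for x, salt, masked in rows]
        key = _key_from(cands, check)
        if key is not None:
            return pin, key, guesses
    return None
```

With `realms = [Realm(f"realm-{i}") for i in range(3)]` and `check = enroll(secrets.token_bytes(16), "7391", realms, 2)`, `online_brute_force(realms, 2, check)` gives up after 10 guesses because the first realm refuses an eleventh, while `operator_brute_force` on the same realms returns the PIN and the key after 7,392 offline guesses and leaves every guess counter at zero. The threshold structure is doing real work only while the realms answer to different operators; once one party holds every row, the rate limit is a policy that party enforces against itself, and the PIN is the whole secret.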

u/officialexaking — 24 days ago
▲ 567 r/xprivo

This week was unusually dense with surveillance infrastructure news. Each story was reported separately, each justified with its own framing. Read them together and the direction is unmistakable.

1. UK: Facial recognition approved for nationwide rollout

The High Court rejected a legal challenge against the Metropolitan Police's live facial recognition program this week, and the government immediately confirmed plans to expand from 10 to 50 facial recognition vans deployed across public spaces in England and Wales. The policing minister said ordinary citizens have "nothing to fear". The system is already running in at least 13 police forces. A new national facial matching database is scheduled for testing in 2026. One police study previously identified potential racial disparities in accuracy, though authorities later claimed these were fixed. No independent audit has verified that claim.

2. PlayStation: Face scans / ID verification now mandatory

Sony has announced that starting June 2026, all PlayStation Network users in the UK and Ireland must complete age verification to use party chat, messaging, voice features and certain in-game social tools. Unverified accounts lose access to all communication features. The options are a mobile carrier check, facial geometry scanning via Yoti, or uploading a government-issued ID. Sony says Yoti does not store biometric data, only passing back a confirmation. This is the same company, Yoti, used by Discord for its face scanning rollout earlier this year. The "verification provider" model means your biometric data flows through a third-party company whose privacy guarantees are entirely separate from Sony's.

3. Germany: IP address retention moving forward

Germany's Federal Ministry of Justice published a draft bill in December 2025 requiring all internet service providers to retain IP addresses and connection timestamps for a minimum of 90 days. The legislation is now advancing through the coalition government under Chancellor Merz. Previous attempts at broader data retention were struck down by the European Court of Justice, so this bill is deliberately scoped narrowly to IP addresses only, making it harder to challenge while still creating a permanent surveillance log of every German internet connection.

4. EU: Certain emojis classified as systemic risks

The European Commission published its first major Digital Services Act report on systemic risks this week, and it includes a section on emojis. Specifically, the EU identified the pill emoji 💊, snowflake emoji ❄️, leaf emoji 🍁 and others as coded language used in drug sales and flagged them as systemic risks that platforms must deploy automated systems to detect. Platforms including Meta confirmed they are already scanning for emoji-coded communications. The Commission's own social media account posted "an emoji isn't always just an emoji". Regardless of the drug sales context, building automated scanning systems for symbolic language in private communications is surveillance infrastructure that does not stay narrowly scoped once deployed.

5. Norway: National age verification system introduced

Norway's government announced this week it will introduce legislation requiring all social media platforms to verify user age at login, with a minimum age of 16. Technology companies will be legally responsible for implementation. Norway's own data protection authority, Datatilsynet, responded with a public warning that requiring biometric or passport-level verification from all users to protect some users is a privacy intrusion against everyone, and that the law should specify exactly how verification must work rather than letting platforms choose their own methods. The bill will go to the Storting later this year.

And Palantir holds government contracts touching every single one of these countries.

The UK Ministry of Defence signed a £240.6 million three-year Palantir enterprise agreement in December 2025, awarded without competitive procurement under a defence exemption. Total documented UK government spending with Palantir now exceeds £900 million across at least 10 departments including the NHS, police forces and the MoD. Germany and Norway both have active public sector Palantir relationships. The EU has ongoing engagements with the company across defence and intelligence infrastructure.

Palantir's core product is connecting disparate data sources (biometrics, communication metadata, IP logs, identity records, location data) into unified intelligence platforms. The five stories above are five separate streams of data. A company with contracts across all five governments and expertise in combining exactly these data types is watching all of them develop simultaneously.

u/officialexaking — 26 days ago
▲ 341 r/xprivo

Julia Klöckner, the speaker of Germany's Bundestag and the country's second-highest state official, has had her Signal account fully compromised by what German and Dutch intelligence services attribute to Russian state-linked hackers. She was part of a CDU executive Signal group that also included Chancellor Friedrich Merz. His device came back clean when examined. Hers did not.

This is not an isolated incident. German counterintelligence confirms at least 300 victims across Germany, including a top CDU member of parliament and the former deputy chief of German foreign intelligence, Arndt Freytag von Loringhoven. The FBI and CISA have separately assessed global victims in the thousands. The German domestic intelligence agency BfV has now explicitly warned that active parliamentary group chats are likely being monitored in real time. The campaign has been ongoing for months and is, according to the BfV's own April update, still accelerating.

How the attack works

Signal's encryption was not broken. The infrastructure was not compromised. The attack is entirely social engineering, which makes it in many ways more dangerous because there is no technical patch that stops it.

The first method involves attackers impersonating Signal's support team via in-app messages, sending fabricated security alerts and convincing targets to hand over their personal Signal PIN. With that PIN the attacker registers the account on their own device, locking out the legitimate owner entirely. The second and more insidious method uses Signal's legitimate device-linking feature. The attacker contacts the target under a pretext and tricks them into scanning a QR code. This links the attacker's device to the victim's account as a secondary device. The victim keeps full access and notices nothing. The attacker silently receives a copy of every message, photo and file in real time, including all content from the previous 45 days from the moment of linking.

Parliamentary group chats with dozens of members can be compromised through a single successfully attacked account. Every person in the group becomes exposed regardless of whether they were individually targeted.

What to check right now if you use Signal

Open Signal, go to Settings and look for Linked Devices. If you see any device you do not recognise, remove it immediately. You are allowed up to five linked devices, which means an attacker can sit undetected for weeks. The German BSI and BfV have published a joint checklist specifically for this attack wave. Check that your registration lock is enabled and that your PIN has not been shared with anyone, even someone who appeared to contact you as Signal support.

Signal has confirmed publicly that its support team will never contact users via in-app messages, SMS or social media to ask for a confirmation code or PIN. Any message doing so is an attack.

Signal is actually one of the most secure messaging platforms available. The encryption holds. The protocol is sound. What this campaign demonstrates once again is that the human layer is always the weakest point, and when the targets are politicians, diplomats, military personnel and journalists, the attackers invest considerable effort in making the social engineering convincing. A fabricated security warning from what appears to be Signal support is more effective against a busy parliamentarian than any exploit would be.

Germany's parliament was hacked by Russia in 2015 through malware. In 2026 the method is a chat message and a QR code. The sophistication has not increased. The negligence required to succeed has simply been found at the highest levels of government again.

For anyone in a high-risk professional environment, the lesson is the same one that keeps needing to be relearned: the strongest encryption in the world does not protect you from yourself.

Source:

https://www.tagesschau.de/inland/kloeckner-signal-phishing-100.html

u/officialexaking — 29 days ago