r/FOSSbertarian
Reminder that using Windows equals willingly giving up any hint of privacy
🇬🇧 YouTube warns UK creators over their Government's proposed algorithm rules
🇯🇵 The Japanese government will use Interpol to search every corner of the earth to arrest you in order to enforce intellectual "property"
Regular people get searched like terrorists at airports. Why does crossing a national border erase all of your rights and pricacy?
The heavy handed treatment of ordinary people at airports is an indicator of what our governments would make daily life like if they thought they could.
Google once said fingerprinting is wrong because users cannot clear it the way they clear cookies. That was 2019. August 3 2026 is the date Google starts using your IP address anyway to identify and profile your device for ads across the EU and UK.
On August 3, 2026, Google will start using IP addresses to identify and personalize ads for users across the EU, the EEA, the UK, and Switzerland. IP addresses are classified as personal data under GDPR, which means using them to track and profile devices triggers consent requirements under EU and UK law. Google has been using IP addresses to route traffic and serve ads for years. What changes on August 3 is the declared purpose: the same addresses will now officially be used for device identification, measurement, and ad personalization. That shift in purpose is legally significant, and Google knows it, which is why it is notifying advertisers to make sure their own consent flows are in order before the rollout begins.
The interesting thing about this is the fingerprinting situation. When you clear your cookies, the tracking stops. Fingerprinting, which combines signals like your IP address, browser version, screen resolution, and device characteristics to create a persistent identifier, cannot be cleared. It survives cookie deletion, incognito mode, and most standard privacy measures. In 2019, Google's own Chrome engineering director wrote publicly that fingerprinting subverts user choice and is wrong precisely for this reason. Google's own policy prohibited advertisers from using fingerprinting techniques. Now Google sent advertisers a notification that IP-based personalization is coming to the EU and UK in August. The ICO's own advice to the UK government, published in May 2026, explicitly places cross-service profiling based on user activity on the consent-required side of the line. Google's rollout sits exactly on that side. The regulator has said existing rules still apply and nothing has changed legally. Google is proceeding anyway and shifting compliance responsibility onto advertisers rather than absorbing it directly. A smart move by Google.
The best way to protect yourself right now is the same combination that has come up repeatedly in this community over the past months. A fingerprint-resistant browser is the most effective single tool here, specifically Firefox-based options like LibreWolf or Waterfox, which have fingerprint protection built in and do not participate in Google's browser ecosystem. uBlock Origin running in a Gecko-based browser blocks the ad tags, SDKs, and tracking calls that feed IP signals to Google in the first place, which is why the Chrome MV3 rollout we covered earlier matters directly in this context. Because MV3 makes uBlock origin not work in chromium browsers soon.
Reddit is rolling out ID verification or Face Scans for "NSFW" content in the EU, Norway and Sweden. The age verification is processed by Persona. Some users in Norway, Sweden and other EU countries are already seeing it also in mental health subreddits flagged as NSFW.
Users in Norway, Sweden, and other EU countries are reporting that Reddit has started prompting them to verify their age to access NSFW-marked content and subreddits. The verification is being processed through Persona, the same third-party KYC vendor Reddit uses in the UK under the Online Safety Act, and the same company we have covered before in the context of Claude's identity verification rollout. Persona has structural and funding ties to Peter Thiel, and Thiel's Palantir is a company European governments have been systematically rejecting over data sovereignty concerns throughout 2026. The data Persona processes during verification includes your government ID document, facial biometric data from a selfie, your ID number and date of birth, and geolocation inferred from your IP address. Reddit says it stores only a pass/fail result and your birthdate. Persona says it retains uploaded images for no more than seven days.
These are the same categories of assurances every KYC provider offers, and they say nothing about what happens during those seven days, who has access, or what a breach looks like, and we have seen enough KYC breaches across Discord and other platforms to know the risk is not theoretical.
This appears to be a testing phase ahead of broader EU enforcement. The CJEU ruling from June 16 gave France and other member states explicit legal authority to require age verification on platforms regardless of where those platforms are based. The European Commission has been pushing member states to have age verification infrastructure operational by the end of 2026. Reddit rolling this out quietly in the EU, Norway and Sweden now, rather than waiting for formal legal mandates, is almost certainly a compliance positioning move ahead of what is coming continent-wide. Several users have noted that mental health subreddits, harm reduction communities, and other NSFW-tagged but non-pornographic content is also being caught behind the verification wall, which is exactly the over-broad enforcement pattern privacy advocates have warned about since these laws were first proposed.
The workaround right now is a VPN set to a country without current enforcement, which removes the EU IP trigger that activates the verification prompt. The more important response of course is not participating in the verification flow at all if you are prompted, because this is explicitly described as a testing and data collection phase, and platform compliance decisions are influenced by how many users actually complete the process versus how many drop off. Every person who hands over their ID normalizes the infrastructure and makes the next rollout easier to justify. Beyond the immediate workaround, this is the moment where the age verification rollout stops being something happening to other platforms in other countries and starts being something affecting the specific communities, subreddits, and daily browsing habits of people in this group directly.
🇬🇧 Ofcom is trying to fine 4chan for not censoring their website. This is how 4chan's lawyer repleid:
Ofcom is fining the US-based 4chan website under the UK's Online Safety Act (OSA). In response, the corporate entities behind 4chan are suing Ofcom in US federal court
These are the fines Ofcom is trying to impose:
- £450,000: For failing to put in place effective age verification or age assurance to protect children from accessing pornographic content on the site.
- £50,000: For failing to carry out an adequate risk assessment regarding illegal content.
- £20,000: For failing to set out transparently in its terms of service how users are protected from illegal content
BPI research reveals that a Marxist-Leninist group with documented ties to China has been a critical mobilizer in efforts that have blocked or delayed $23.6 billion in AI investment in the US.
Its scalps include 10 data center moratoria, 1 permanent data center ban, and 4 rejected or scrapped AI projects.
In Part II of our foreign influence investigation, BPI exposes the Party for Socialism and Liberation (or PSL) as the political arm of Shanghai-based Neville Singham, and lays bare a national campaign launched by the party to stop America’s data center buildout.
Singham is the subject of multiple federal investigations into his reported ties to the CCP. Our research uncovers the anti-data-center organizing of his activist vehicle, the PSL, across 21 campaigns in 14 states, in roles ranging from lead organizer to one member of a broader coalition.
This report adds to the mounting evidence that China and its surrogates are committed to stopping America’s data center buildout so that Beijing can gain the advantage in the AI race.
Spanish PM lays out his blueprint to censor the internet
Spanish PM Pedro Sánchez:
Starting next week, my government will implement the following actions:
First, we will change the law in Spain to hold platform executives legally accountable for many infringements taking place on their sites.
Second, we will turn algorithmic manipulation and amplification of illegal content into a new criminal offense.
Third, we will implement a hate and polarization footprint system to track, quantify, and expose how digital platforms fuel division and amplify hate.
Fourth, Spain will ban access to social media for minors under the age of 16. Platforms will be required to implement effective age verification systems — not just checkboxes, but real barriers that work.
Fifth and last, my government will work with our public prosecutor to investigate and pursue the infringement committed by Grok, TikTok, and Instagram.
Source: https://x.com/clashreport/status/2018650388371521787
How a Spanish Football League broke the internet (literally blocking Docker, Cloudflare, and ECH) for an entire country.
I was trying to download some local AI models (Ollama) to my home server recently, and my connection kept dying. After 40 minutes of tracing packets, I realized the issue wasn't my setup. It was football.
In Spain, the professional football league (LaLiga) has been granted unprecedented, unmonitored power to combat piracy. Whenever there is a match, major ISPs activate dynamic, massive IP blocking.
Because they are currently at war with Encrypted Client Hello (ECH), they are blindly blocking shared IPs (like Cloudflare's) instead of specific domains. The collateral damage is massive. Recently, this blind blocking took down Docker's entire infrastructure for Spanish users just because a match was playing.
We even have a community website literally called "hayahora.futbol" (is there football right now) that developers use just to check if the Spanish internet is currently broken.
I wrote a short post translating this situation and diving deeper into the technical aspects of how this absurd censorship works. You can read the full breakdown here.
Have any other countries faced this level of collateral damage from corporate piracy enforcement?
🇪🇸 Reddit ahora pide confirmación de edad en España mediante foto o documento de identidad del usuario para poder ver contenidos +18 (Subreddits, perfiles de usuarios, etc)
Me salio cuando quise ver el perfil de otro usuario de reddit. Imagino que es para poder estar seguros respecto a las leyes de verificación de edad británicas. Cada día un internet mas distopico, con el objetivo del control y la censura.
Next Monday the EU votes on Chat Control 2.0 + The EU Parliament voted no on mass message scanning initially but this week the EU parliament president Roberta Metsola did something diplomats are calling "without precedent": she overrides her own Parliament's democratic vote to revive Chat Control.
Quick situation update because Monday June 29 is crucial and the context is also important. Chat Control 1.0, the temporary law that gave Google, Microsoft, Meta, LinkedIn and others the legal basis to voluntarily scan your private messages in the EU, expired in April after Parliament voted down its extension by a single vote, 307 to 306. That voluntary scanning has no legal foundation in the EU right now. Companies have continued scanning anyway despite the legal limbo, which is its own story, but reminds you also to use privacy-first services online where you can.
In addition to that, this week, Parliament President Roberta Metsola asked Council ambassadors to adopt a position on reviving Chat Control 1.0, the law her own Parliament already killed, in a move diplomats described in writing as "without precedent". MEPs working on the file called it unacceptable and said Parliament's position has not changed. The move appears to be a pressure tactic ahead of Monday, when the fourth and supposedly final trilogue negotiation on Chat Control 2.0, the permanent version, takes place. The permanent version currently on the table no longer includes mandatory scanning of end-to-end encrypted messages, which was the most alarming original proposal, but it does include voluntary detection provisions for unencrypted communications, age verification requirements before accessing messaging services, and risk mitigation obligations that could be used to pressure platforms into building scanning infrastructure anyway.
So what we currently see is that if a democratic vote produces the wrong result, the response is to find a procedural route around it, apply pressure through a parallel channel, and reframe the question until the answer changes. https://fightchatcontrol.eu/ is tracking this if you want to follow Monday's developments and for more informations about Chat Control and which politicians are in favor and which are against it.
Full article about European Parliament president Metsola overriding MEPs in bid to force through child abuse law: https://www.politico.eu/article/president-vs-parliament-roberta-metsola-overrides-meps-bid-force-child-abuse-law/
Sesgo de los LLMs según los tests de The Washinton Post
France, Germany, Austria and other EU countries are ditching US-Tech for Open Source solutions like Linux. The sudden Fable 5 shutdown once again proves why EU digital sovereignty isn't optional anymore.
Something significant and positive is happening across Europe right now and it is moving faster than most people realize. France is executing an aggressive plan to migrate 2.5 million civil servant workstations from Microsoft to Linux-based environments. Germany's state of Schleswig-Holstein is completing the migration of 30,000 PCs to Linux and LibreOffice, a project now being studied as a blueprint for federal-level independence from US software. Austria already completed its transition, having fully purged Microsoft Office from 16,000 military workstations and replaced it with a locally managed version of LibreOffice, specifically to ensure military communications stay within Austrian borders and outside the reach of foreign legal jurisdiction. Switzerland, after documenting the billions spent on Microsoft ecosystems over the past decade, is actively deploying exit strategies from Microsoft 365 lock-in at the federal administration level. Denmark's Ministry of Digital Affairs has mandated a formal transition to open-source software for internal operations. Estonia, one of the most digitized governments on the planet, is building contingency frameworks to reduce dependence on US cloud architecture entirely.
This movement is not a coincidence, and it is not primarily about cost savings, even though the millions saved in licensing are a really nice bonus too!
The driving force is a geopolitical reality that became impossible to ignore: any government running its core infrastructure on US-based proprietary software is subject to the US CLOUD Act, shifting export controls, and the threat of abrupt access revocation.
The perfect illustration of exactly that risk landed on the evening of Friday, June 12, 2026.
Citing national security concerns over a potential "jailbreak," the US government issued an emergency export control directive ordering Anthropic to immediately suspend all access to its two newest and most powerful AI models, Fable 5 and Mythos 5, for any foreign national worldwide. Because it is technologically impossible to reliably segment foreign nationals from US citizens in real-time, Anthropic had no choice but to comply by abruptly shutting off access for all users globally.
A frontier technology that millions of people and organizations outside the US were actively relying on disappeared overnight because a government on the other side of the planet decided it should. There was no warning, no transition period, and no appeal process. Just a directive received at 5 PM on a Friday, and access was gone for the weekend. That is the exact nightmare scenario European governments have been documenting in internal risk assessments for years, and it just played out in public in real time.
So the difference of the current open-source migration wave from previous initiatives is that many tries stalled or quietly reversed. These decisions are now no longer pitched as IT procurement choices but as explicit national security policies.
Austria for example did not migrate its military workstations to 'save money'. They did it because running military communications on foreign-controlled software with embedded telemetry is an unacceptable operational risk. That framing is much more important because it changes the political durability of the decision. When a migration is sold merely as cost-cutting, the next administration can reverse it or to appease lobbyists. When it is framed as sovereign infrastructure, reversing it means publicly arguing that your country's sensitive data should sit on someone else's servers, under someone else's laws, subject to being switched off by a foreign government on a Friday afternoon.
The Fable 5 shutdown did more to advance the European digital sovereignty argument in 48 hours than a decade of policy papers ever could. Every IT minister on the continent now has a concrete, recent, and highly visible example of what dependency on US technology infrastructure actually means in practice. You either own your stack, or you are just borrowing it.
Europe will become much more independant from Big Tech.
Wikipedia bans it's co-founder Larry Sanger
Larry Sanger has been critical of modern Wikipedia's bias and posting guidelines in the past. Now they want to permaban him.
"The KIDS Act" Is KOSA+ and Congress Could Vote On It Next Week
Within the next week, Congress is preparing to vote on the KIDS Act, a sprawling package of legislation that seeks to control Americans’ web browsing and private messaging. The package includes a revised version of the Kids Online Safety Act, or KOSA, combined with a collection of other internet bills, study bills, reporting requirements, and new regulations. Instead of debating any of these proposals on their merits, lawmakers are attempting to move them all at once under an ultra-expedited process.
Many Congress members don't like The KIDS Act—on both sides.
Tell your elected official to vote NO here.
The package of cobbled-together bills is a mess, with different age-gating schemes for different services, using different standards. It’s a lot of complexity, and a lot of legal risk. Faced with that, many companies will conclude that the safest option is restrictive age-checking practices across their entire platforms.
Buried inside the KIDS Act are provisions that will push online services to verify all users’ ages, require government-directed moderation policies for online speech, and even create new rules about private and encrypted communications. While supporters continue to claim this bill protects minors online, its requirements come at the expense of privacy, free expression, and the ability of people of all ages to use the internet without revealing sensitive data.
Technically, the KOSA section of the KIDS Act does say that KOSA shouldn’t be read to require age verification.
That disclaimer is hollow, and you know it.
Under this law, services will have to determine which users are teenagers and which are not to try to avoid liability. The bill’s authors seem to know this is a problem. On the one hand, the new KOSA section says age verification is not required. On the other, it repeatedly imposes obligations that depend on knowing whether a user is under 17. But a disclaimer doesn’t magically eliminate legal risk, especially for smaller services and startups that can’t afford to defend lawsuits or fight regulators.
And KOSA is not the only part of this package that creates age-verification pressure. The SAFE BOTS Act, like KOSA, says that if a service “knows or should have known” that a user is a minor, it can’t offer certain chatbot features.
The SCREEN Act requires services that host sexually explicit content to determine whether users are “more likely than not” under the relevant age limit, before allowing access to certain content.
The consequences of this liability will not be limited to minors. If websites and apps are expected to reliably identify teenagers, adults will be asked to prove they are adults. The result is a less private internet for everyone.
reCAPTCHA started by making you label street signs for their AI for free. Now they are testing a new version that wants your hand geometry on camera. But: There is a free, open-source alternative that website owners should consider instead of using reCAPTCHA.
Google is testing a new reCAPTCHA that asks you to wave your hand at your camera. The system extracts 21 joint coordinates from your hand geometry, analyzes the movement, and verifies you as human. Google says the video is deleted after verification, is not linked to your identity, and that audio is never recorded. These are the same assurances Google has offered about every data collection it has ever run, so take them at whatever value you assign to promises from an advertising company whose entire business model is built on knowing everything about you.
The reason this exists is that AI now defeats every traditional CAPTCHA faster than humans do. Traffic lights, fire hydrants, distorted text, crosswalks, all of it solved instantly by models that have been trained on, among other things, the billions of CAPTCHA solutions humans submitted over the past two decades. That history is worth remembering. The original reCAPTCHA was sold as a tool for digitizing old books. Then Google used it to label Street View imagery and Maps data. Users were solving puzzles. They were also providing free labor for Google's geospatial training datasets without being told. The new system follows the same pattern at a different scale: the problem being solved for Google is biometric data collection, and the mechanism for getting it is framing the collection as a service to you.
If you run a website, or work somewhere that uses Google reCAPTCHA, or use services where administrators have a choice about which verification system to deploy, it is worth raising Altcha.org as an alternative. Altcha is open source, self-hostable, requires no camera, no biometrics, no Google account, and no data leaving your infrastructure. It works on a proof-of-work model that is genuinely difficult for bots at scale without requiring users to do anything invasive or degrading. It does not scare away legitimate users, does not feed a surveillance ecosystem, and does not require you to trust Google's assurances about what happens to footage of your hand. The choice between making your users wave at a camera to benefit Google's datasets and running an open source tool that actually respects them is an easy one once you know the alternative exists.