r/xprivo

For 28 years Google Search worked the same way. You typed something. You got a list of links. You clicked one. You read it. You formed your own opinion. That is over. (source at the end)

Google announced at its most recent developer event I/O that the familiar blue link results are being pushed out in favour of an "intelligent search box" as the centrepiece of a full pivot to AI-powered experiences. The box expands for longer queries, autocomplete suggestions become full AI-written responses, and this summer Google plans to launch "information agents" that monitor sites and alert you to changes without you asking. The traditional results page, the one that let you evaluate sources yourself and click through to read original reporting, is being demoted into a secondary fallback that fewer and fewer users will ever see.

Google's AI Overviews, the summarised answers sitting above all other results, have been demonstrably and repeatedly wrong. They have told users to put glue in pizza sauce, cited sources that do not exist, and confidently summarised the opposite of what the linked article actually says. None of that stopped Google from expanding the feature globally and now making it the default front-end for every search.

The core issue is not that the AI makes mistakes. Every AI makes mistakes. The core issue is that when a wrong AI answer sits at the top of the page in a confident, well-formatted summary box, most users stop there. They never click through. They never read the original source. They never catch the error. The entire value of the open web, competing sources you can evaluate against each other, is being replaced by one corporate AI deciding what the answer is.

That is not a search engine. That is an editorial filter with a chat interface.

The bias problem is actually structural and not accidental...
An AI trained on data curated by a corporation with a $300 billion advertising business does not produce neutral results. It produces results that reflect the priorities, partnerships and legal risk tolerance of that corporation. When Google's AI decides which sources to summarise, which perspectives to include, and which framing to use, that is not intelligence. That is influence at scale. Most users will never notice because the output looks confident, fluent and authoritative.

People overwhelmingly say they want to search through links and read sources themselves. The shift to AI-first search was not a response to user demand. It is a business decision made because AI answers keep users inside Google's own interface, reduce traffic to independent publishers, and deepen dependency on Google's own ecosystem.

A European alternative that never does any of this: xPrivo Search
xPrivo Search is a 100% European, fully data-sovereign search engine built on a completely independent search index. It does not rent its index from Google, Bing or any US-controlled infrastructure. It runs entirely within the EU, your queries never touch a US server, and your IP address and search history are never logged.

Most importantly: it defaults to classic search. Always. You get links. You click them. You read. You decide. No AI summary sitting between you and the source. No corporate algorithm deciding which perspective to surface. No targeting, no profiling, no "intelligent" rewriting of what the web actually says.

Key differences:
Fully independent European index: not a reskin of Bing or Google results, which is what most "privacy" search engines actually are

Zero tracking: no IP logging, no search history, no metadata leakage, no ad targeting

Classic search by default: unfiltered, unranked by AI bias, links to real sources

You are not the product: no advertising ecosystem built around your behaviour, only random add or go PRO for ad-free experience

The web was built on the idea that information should be accessible, linkable and verifiable. Google spent 25 years benefiting from that architecture and is now systematically dismantling it in favour of a closed AI layer that only they control. An independent European search engine that gives you links and respects your privacy is not a downgrade. It is what search was always supposed to be.
Try it at www.xprivo.com/search

Sources:
View our full blog post: https://www.xprivo.com/blog/en/google-search-dead-european-alternative/

Google search is over: https://techcrunch.com/2026/05/19/google-search-as-you-know-it-is-over/

GitHub says it is investigating unauthorized access to its internal repositories after the threat actor TeamPCP allegedly put source code and internal organizations up for sale, with the claim involving roughly 4,000+ repositories. At the same time, the same threat cluster is being linked to a fast-moving supply-chain worm affecting Python packages, including a compromised Microsoft package that could steal cloud credentials, password vaults, SSH keys, Docker secrets, VPN configs and shell history from Linux machines.

This says a lot about concentration risk. When the same platform is both the source code host and a central point of trust for package publishing, secrets management, CI integrations and developer identity, one compromise can cascade into many others. That is exactly the sort of single-point failure that open source infrastructure was supposed to reduce, not amplify.

For people looking for alternatives, Codeberg is the most obvious self-hosted European answer. It is based in Germany, run by a non-profit, and built around Forgejo, the open source Git hosting platform derived from Gitea. That matters because your code, issues and collaboration data are governed under European jurisdiction rather than US cloud control, with a stronger fit for GDPR-aligned workflows and less exposure to US legal compulsion.

If you need more control, self-hosted GitLab is the more flexible option. You can run it on your own infrastructure, keep repositories and CI inside your own trust boundary, and avoid dependency on a US-owned public SaaS platform for sensitive projects. For teams that care about sovereignty, that is often the better answer than hoping a third-party platform stays secure forever.

The broader lesson is simple: the developer stack is now part of the attack surface. If your code, secrets and deployment pipeline all live inside one corporate ecosystem, one breach can become a supply-chain incident very quickly. Europe already has viable alternatives, and this is exactly the kind of week that reminds people why they matter.

xPrivo is now officially live on the Play Store. 

To celebrate this we have hidden an incredible prize right inside our Android app, and it could be yours! Download the app from the Google Play Store, start exploring, and keep your eyes peeled.

Pay close attention to your conversations with our AI assistant. At any given moment, a highly rare, secret link will randomly appear at the very bottom of a chat reply.

The Prize: A brand new Nothing CMF Phone 1 (e/OS ready)!

How to Play & Win:

• Chat Naturally: The secret message is completely unrelated to your conversation topics. Just use the app as you normally would!
• Pure Luck: The winning link is triggered entirely at random.
• Fair Play for All: The AI assistant is completely unaware of the secret code. This means clever "prompt engineering" will not increase your chances and everyone has an absolutely equal shot at winning.

The clock is ticking, and the hunt officially closes on May 22nd. Will you be the lucky user to uncover the secret? 

Download now start chatting and start your hunt:

https://play.google.com/store/apps/details?id=com.xprivo.lux

Open to everyone who can download from the Play Store! No Reddit account is required to participate. Please note that this giveaway is not affiliated with Nothing Phone.

California's Digital Age Assurance Act, Assembly Bill 1043, was signed into law by Governor Gavin Newsom in October 2025 and takes effect January 1, 2027. It requires every operating system provider to collect a user's age at account setup and transmit that data in real time to any app developer who requests it via a standardised API. The law splits users into four age brackets: under 13, 13 to 16, 16 to 18, and 18 or above. The definition of "operating system provider" is written broadly enough to cover not just Microsoft, Apple and Google but every Linux distribution, FreeBSD, SteamOS and any other general-purpose OS. Colorado and Illinois have near-identical bills moving through their own legislatures. Similar proposals are active in New York and Brazil. As of this month, roughly half of all US states have some form of age verification law on the books, nine of which were passed in 2025 alone.

The law was designed with Apple and Google in mind. Enforcing it against a Linux distribution maintained by a community of volunteers in multiple countries with no central legal entity is a structurally different problem, and nobody in the state legislatures appears to have thought it through before writing the text.

The open source community is responding in three distinct ways:

-System76, the Colorado-based Linux hardware company, spent months lobbying the Colorado legislature directly. Their effort worked. Carl Richell, System76's founder, confirmed last month that Colorado's SB26-051 has been amended to explicitly exempt open source operating systems, applications, code repositories including GitHub and GitLab, and container platforms including Docker and Podman from the requirements. The amendment does not name Linux specifically; instead it describes software distributed under licences that allow recipients to copy, redistribute and modify freely without restriction from the provider. That wording covers essentially the entire FOSS ecosystem. The bill has passed a House committee but is not yet signed into law.

-MX Linux, one of the most widely used community distributions, has taken the clearest public stance of any distro team. In its weekly update the project stated directly: "No one on the team at MX wants to implement something like age verification." The developers cited user privacy, the structural impossibility of consistent secure implementation across a decentralised OS ecosystem, and the fundamental philosophy that open source operating systems are not designed to act as gatekeepers or data collectors. Their current position is to wait for court challenges to resolve how and whether these laws apply to non-commercial open source projects before taking any further action.

-A third response has emerged from individual developers and technically sophisticated users. One approach posted to Hacker News argues that AB 1043 compliance on a Unix-like platform is technically satisfied by a single shell variable: the user enters an age category at setup, it is written to a configuration file, and any application that queries for it can read it. The law says nothing about verification, only about provision of the data. On a system with no central authority and no mandatory login service, this approach technically complies with the letter of the law while preserving the entire architecture of user autonomy that makes Linux what it is.

Why this is not really about children:

If you think AB 1043 is aimed at Google and Apple, the evidence suggests otherwise. Both companies already have age verification in their stores. Both already have parental controls, developer policies and enforcement mechanisms. The law's broad OS-level definition, which drags in volunteer-maintained community distributions with no commercial presence in California, is not the result of careful drafting aimed at large commercial platforms. It is the result of writing legislation that requires every device to report age to every application, on every platform, with every OS as a mandatory relay node.

The practical outcome of full compliance is that an operating system becomes an identity layer that transmits user age metadata to any developer who asks for it at install time. That is not a child safety feature. That is device-level identity infrastructure. The children narrative is the political justification. The technical outcome is a mandatory link between your device, your identity bracket, and every application you run.

The fight happening in Colorado right now, where System76 successfully secured an open source exemption through direct legislative engagement, is the template for what needs to happen in California, Illinois, New York and the other states still moving these bills forward. It requires people in the open source and privacy communities who have standing in those states to engage with their own legislatures the way Carl Richell did in Colorado, before the January 2027 compliance deadline makes the point moot.

MX Linux put it clearly: direct your energy at policymakers, not at Linux projects. That advice is correct. The Linux community cannot patch its way out of legislation.

This is not only a US problem. Europe is watching closely and learning.

The EU's trajectory on age verification is directly parallel and in some ways more advanced. The European Commission's formal recommendation published last month pushes all 27 member states to deploy a standardised age verification infrastructure by December 31, 2026. EU Executive Vice President Henna Virkkunen explicitly stated at a press conference in April that the system "should not be circumvented," naming VPNs as the first target.

The pattern documented in this community is consistent. Age verification is the justification. Identity infrastructure tied to device, application and operating system is the outcome. Whether that infrastructure is being built by California's legislature, Colorado's governor, or the European Commission, the technical result is the same: a mandatory link between who you are and what software you run. The open source community's entire model of anonymous, permissionless, identity-free computing is the specific thing these laws structurally undermine, whether or not that is the stated intention.

European countries like France, Germany, Poland, the Netherlands, Luxembourg and Belgium are all actively phasing out WhatsApp and Signal for government use, replacing them with in-house messaging systems that operate under their own jurisdictions according to Politico. NATO already runs its own dedicated messenger. The European Commission has announced it will complete its own transition before the end of 2026.

The reason is not that WhatsApp or Signal are insecure at the encryption layer. The reason is that encryption alone is not sufficient when the infrastructure surrounding it is controlled by US companies operating under US law. WhatsApp is Meta. Signal is a US-based nonprofit. Both are subject to US court orders, US national security requests and US data jurisdiction. For governments sharing sensitive but unclassified information between ministers and civil servants, the question of who controls the servers, the metadata, the access rules and the audit logs matters as much as the encryption.

Recent events accelerated the urgency. The Russian phishing campaign that compromised Signal accounts of over 300 German politicians, including Bundestag speaker Julia Klöckner, demonstrated exactly how consumer-grade apps fail in adversarial state-level environments. The US administration's use of Signal for sensitive military planning, exposed when a journalist was accidentally added to a group chat discussing Yemen strikes, showed the same structural problem from a different angle. These apps are excellent tools for private individuals. They were never built for the specific requirements of government communications infrastructure.

Each country has taken a slightly different approach. Belgium launched BEAM, developed by Belgian Secure Communications, now being used by Prime Minister Bart De Wever and the full federal government for sensitive but unclassified communications. Germany is using Wire, which already runs for tens of thousands of German federal government employees and meets BSI standards. In addition Germany uses BundesMessenger (a secure, open-source solution based on Element/Matrix) for secure, classified, and data-sovereign communications. Luxembourg uses Luxchat4Gov built on the Matrix open-source standard as its official, secure instant messaging platform. France, Poland and the Netherlands are building or deploying their own Matrix-based systems. France is additionally replacing Microsoft Teams and Zoom for video with its own in-house platform, Visio, by end of 2027. The Netherlands is currently running trials.

For individuals who want the same level of sovereignty without building a national government system, Wire is the most accessible option from this stack.
Wire is Swiss-headquartered (with German roots), open source with all code publicly available on GitHub, end-to-end encrypted using the MLS protocol, and can be self-hosted so that your organisation or community controls every layer. It uses zero-knowledge encryption, meaning Wire itself cannot read your messages. It is the only major European messenger that is simultaneously consumer-accessible, enterprise-grade and actively deployed at government level across multiple EU states. It has been independently audited multiple times with results published publicly.

For organisations or power users, Wire offers granular administrative controls, SAML-based single sign-on, SCIM provisioning, federated deployment for cross-organisational communication, and full on-premise hosting options. For individuals it is free to start, works across all platforms, and supports messages, calls, file sharing and group collaboration in one app without any Big Tech infrastructure involved.

And that's also a Data Sovereignty double standard:
The same governments that are simultaneously building mandatory age verification infrastructure, pushing for VPN restrictions and proposing identity checks for social media accounts are also, in their internal operations, moving away from US platforms toward sovereign European infrastructure that they fully control. They understand precisely what data sovereignty means and why it matters. They are applying that understanding to protect their own communications while building the architecture that removes it from everyone else's.

Recently we covered Google tying its new reCAPTCHA system to Google Play Services, effectively locking de-Googled Android users out of millions of websites. The timing of this post is deliberate. If that story made you consider what a genuinely Google-free phone looks like in practice, here is the most complete European answer available right now.
Volla Systeme, a German manufacturer, has begun shipping the Volla Phone Plinius. It is manufactured in Germany, runs an open source Google-free operating system developed on German servers, and ships at around 598 euros for the 8GB RAM and 128GB storage model. The Plinius Plus with 12GB RAM and 256GB storage follows in June at 698 euros. Both models ship to EU countries and the UK.

The hardware story is more interesting than it sounds on paper. The Plinius combines a user-replaceable 5,300mAh battery with IP68 water and dust resistance certification. This combination is nearly unique in the current smartphone market. Every major manufacturer from Samsung to Apple has spent the last several years arguing that sealed batteries and waterproofing are mutually exclusive. Volla built a phone that opens with a standard screwdriver and still meets IP68 standards. The battery replacement requires no specialist tools and does not void the certification.

The rest of the hardware is competitive for the price point. A MediaTek Dimensity 7300 processor on 4nm architecture, 5G via nano-SIM or eSIM, a 6.67-inch OLED display at 120Hz, 30W wired charging and 15W Qi wireless, microSD expansion up to 1TB, and a programmable hardware button on the side. The Plinius Plus adds a reinforced rear panel and a Pogo pin connector for magnetically attached accessories.

The software is where Volla's actual proposition lives. Volla OS is an open source Android build with Google services completely removed. No Google Play Services, no Google apps, no Google account required. According to Volla, the OS generates up to 80% less network traffic than a standard Android device as a direct result of Google services being absent. A built-in security mode lets users lock individual apps, filter internet connections and disable the optional microG component, which simulates Google Play Services for apps that require it. On-device AI handles voice recognition and camera photo optimisation without sending data to any cloud server. Ubuntu Touch is available as an alternative operating system via a multi-boot menu.

The context for this launch matters. Google announced in August 2025 that all Android app developers would be required to register with Google, pay a fee and submit a government-issued photo ID by September 2026, with apps from unverified developers blocked on certified Android devices. The Keep Android Open advocacy project has described Google's proposed transition solution as "inadequate" and noted it exists only as a blog post and UI mockups with no finished implementation. For users who want to exit both the Google ecosystem and the Apple ecosystem entirely, devices like the Plinius are among the very few options that are genuinely available, genuinely shipping and genuinely manufactured inside Europe.

The honest caveats are worth stating. At around 598 euros the Plinius is priced above many mid-range competitors that ship with more powerful processors. App compatibility without Google Play Services requires either microG or manual APK installation, which is a real friction point for users transitioning from standard Android. And Volla OS, while open source and privacy-respecting, has a smaller developer community than GrapheneOS or CalyxOS and ships on its own hardware rather than being an installable option on popular existing devices.
But for someone in the EU who wants a phone that was made in Europe, runs European software, generates no Google telemetry, has a battery they can replace themselves five years from now, and still meets the waterproofing standard of mainstream flagship devices, the Plinius is currently the most complete answer available from a European manufacturer.

A newly filed federal class action complaint in California alleges that OpenAI embedded Meta Pixel and Google Analytics tracking into ChatGPT’s website, allowing query topics, user identifiers, and email-linked data to be transmitted to Meta and Google in real time. The complaint claims this happened without informed consent and that the disclosures included personally identifiable information such as Facebook IDs, Google profile IDs, and hashed email addresses.

The legal theory is serious because it does not focus on model output or training data. It focuses on the website’s tracking layer: the scripts loaded when a user opens ChatGPT in a browser, the cookies and identifiers those scripts transmit, and the way that metadata can be linked back to a real person. The complaint argues that ChatGPT users were discussing sensitive topics like finances, health, and legal issues, and that those conversations were then exposed through advertising and analytics infrastructure built for measurement and targeting.

On the Meta side, the complaint says OpenAI used the Facebook Pixel, which is designed to send browser activity to Meta whenever users visit a tracked page. The filing alleges that when a user entered a prompt into ChatGPT, the browser transmitted both the topic data and Meta-linked identifiers such as c_user and fr cookies. Those cookies can identify a Facebook account and, according to the complaint, were used to connect ChatGPT activity to Meta advertising profiles.

On the Google side, the filing alleges that ChatGPT transmitted query topics, hashed email addresses, and Google identifiers through Google Analytics and Google Signals. The complaint describes Google’s systems as designed to associate website activity with user profiles for analytics, remarketing, and cross-device tracking. In plain English, the allegation is that the service did not just know what users asked — it also helped Google tie that behavior back to a specific account and advertising identity.

Many people still assume an AI chat is a one-to-one interaction between them and the model provider. This complaint says the actual data path may include third-party ad tech sitting in the middle, turning an apparently private chat interface into a tracking surface. If proven, the case would reinforce a broader pattern we have seen across AI products: the interface looks conversational, but the surrounding web stack still behaves like advertising infrastructure.

For users who care about privacy and minimizing exposure, it's time to switch to a privacy-first alternative like xPrivo. Not perfect, but at least not training on your data, not selling your data and not sharing your precious thoughts and conversations with third parties. It's worth the switch.

It's also important to remind you to always block analytical trackers to protect you.

If you try it, please share any feedback on what works, what breaks, and if possible which device you used. You can leave comments here or send feedback directly to our support email.

On April 23, 2026, Google announced "Cloud Fraud Defense" at Cloud Next, describing it as the next evolution of reCAPTCHA. What they did not announce clearly is the detail that changes everything: when this new system flags your traffic as suspicious, the old click-the-buses puzzle is gone. Instead, you get a QR code. Scanning that QR code requires Google Play Services version 25.41.30 or higher running on your device. If you removed Google Play Services because you are on GrapheneOS, LineageOS, CalyxOS, /e/OS or any other de-Googled Android distribution, the verification fails with no documented workaround. Support pages showing this requirement were silently live since at least October 2025, seven months before anyone widely noticed.

iOS users on 16.4 and above pass automatically. Android users running stock Google software pass automatically. Privacy-conscious Android users who made an informed decision to remove Google's proprietary software from their own devices get locked out. The audience most likely to have read Google's data practices carefully and chosen to opt out is now the audience being flagged as fraudulent for that exact choice.

This is not the first time Google has attempted this. In 2023, the company proposed Web Environment Integrity, a browser feature that would let Google decide which devices were "legitimate" enough to access the web. Standards bodies, the open web community and the public pushed back hard enough that Google killed the proposal. Three years later, the same architectural idea is back, implemented not as an open web standard but as a dependency buried inside a widely deployed CAPTCHA system. The outcome is identical: Google's closed proprietary stack becomes the gatekeeper for basic web access. The mechanism is just harder to see.

The practical consequences are significant and mostly invisible to the websites themselves. reCAPTCHA runs on millions of websites globally. Bank login pages, government portals, ticket sites, account registration flows, none of them have to make an active decision to block de-Googled users. They just inherit the upstream limitation by continuing to use reCAPTCHA as they always have. A bank using reCAPTCHA is not choosing to exclude GrapheneOS users. It is just that Google made that choice on their behalf without telling them. This means, if you are a privacy-conscious user you are blocked from using bank websites because of Google.

GrapheneOS is recommended by the Electronic Frontier Foundation and is actively used by journalists, lawyers, activists, people operating in high-risk environments where device security matters and by everyone who just loves privacy. It is the most security-hardened Android variant publicly available. The population of people running it is not bots or fraudsters. It is the population that took device privacy seriously enough to sacrifice app compatibility and convenience to achieve it. Google's system cannot distinguish between them and actually malicious traffic because the only signal it is checking is whether Google's own software is present.

Play Services is background software with broad device permissions that Google controls, updates silently and uses to collect device telemetry. The user who removed it made a reasonable security decision. The system now treating that decision as evidence of suspicious intent has the logic precisely backwards.

There is currently a minimal bypass: Changing the browser agent string to simulate a non-Android device bypasses the check in some cases. GrapheneOS's sandboxed Play Services approach, which runs Google's software in an isolated container, may pass the check for now. But Google will almost certainly require full Play Integrity attestation in the future, and sandboxed Play Services will eventually fail that check by design because Play Integrity is specifically built to certify that Google's software is running with full system-level access.

If you are on a de-Googled device and hitting reCAPTCHA walls, document the sites and report them to the website owners and maintainers directly. Most website operators have no idea this is happening! Tell them to switch to alternatives like Altcha (altcha.org) which is an Open Source Captcha. Altcha is European, privacy-preserving by design and requires no Play Services or proprietary software to pass. Every developer who keeps using reCAPTCHA after learning this is making a choice, even if they do not know it yet.

On May 9, 1996, Linus Torvalds sent an email to the linux-kernel mailing list that would define the visual identity of the most influential open source operating system in history. His brief was precise and characteristically irreverent: the mascot should look "cuddly" and "contented," like a penguin that had just eaten "a suitcase full of herring" and was too stuffed to stand up straight. "Think of a Bean Bag," he wrote.
The origin of the penguin preference is one of computing history's more charming footnotes. Torvalds had visited the National Zoo in Canberra, Australia, where a small penguin bit his finger. Rather than holding a grudge, he declared himself "rather fond of penguins" and the direction was set.
Developer Larry Ewing took that brief and built the round, black-and-white character using GIMP, the open source image editor, in a decision that was quietly fitting: the mascot of a free software project created with free software tools. The name Tux followed in June 1996, proposed by James Hughes as an acronym for (T)orvalds (U)ni(X), though the obvious association with the tuxedo, which a penguin wears naturally, made the name feel inevitable.
What is remarkable is how little Tux has changed. Corporate logos are redesigned on three-year cycles. Brand consultancies are paid millions to flatten, simplify and "modernise" visual identities. Tux was drawn once by one person using an open source image editor and has remained essentially untouched for thirty years. Ewing's only condition for its use has always been attribution to himself and GIMP. No licensing fees, no trademark bureaucracy, no corporate design team to approve modifications. The decentralised ethos of open source embedded into the mascot itself.
Torvalds was always clear about the tone he wanted. "He's supposed to be kind of goofy and fun, that's the whole point," he once wrote. "Linux is supposed to be goofy and fun, it's also the best operating system in the world, but goofy and fun too." In 1998, Internet World magazine recognised Tux as one of twelve figures who had "made things happen" that year. A penguin drawn by one developer in GIMP listed alongside the year's most significant figures in technology.
The milestone lands as Linux itself approaches its 35th year. The kernel was first published in September 1991 as a student project with just over 10,000 lines of code. It has since grown to more than 34 million lines, shaped by over 25,000 individual contributors. It now runs on virtually all of the world's 500 fastest supercomputers, the majority of global cloud infrastructure, and the Android operating system on billions of mobile devices.
For this community in particular, the anniversary carries specific weight. The same properties that Torvalds encoded into Tux, open, unowned, built by individuals rather than corporations, maintained by shared convention rather than legal enforcement, are the properties under increasing pressure in 2026. Google is moving to require developer registration and government ID for Android app distribution. The EU is building centralised age verification infrastructure that will require identification before accessing the internet. The open web is being enclosed from multiple directions simultaneously.
The penguin that has symbolised the alternative for thirty years is still sitting there, full of herring, looking quietly pleased with itself.
Happy late birthday, Tux.

To celebrate Europe Day and the push for digital privacy, we’re running a special community giveaway and a promo for those who want to support European tech!

🎁 The Giveaway: Win 6 Months of PRO Free! Just leave a comment below! We will randomly select 4 commenters to win a free 6-month PRO membership.

🇪🇺 Europe Day Promo: 50% OFF PRO Want to support the project right away? Get 50% OFF your first 4 months of PRO (available on Web and the App Store).

Promo runs until 12th Mai. Winners will be announced on 13th Mai In the comments of this post.

Link to the website with the promo: https://www.xprivo.com/europe-day/

The European Parliamentary Research Service published a briefing paper this week titled "Virtual private networks and the protection of children online." The EU Parliament's social media account promoted it with the line: "VPNs are increasingly used to bypass online age verification." The Children's Commissioner for England is cited calling for VPNs to be restricted to adult use only. Some in the document argue that access to VPN services should require age verification.

There is one problem. The research underpinning the "VPNs are used to bypass age verification" framing is the 1,800% spike in VPN downloads in the UK after the Online Safety Act went live in July 2025. That is a real number. But it does not tell you why people downloaded VPNs. For that you need to look at the actual research on VPN usage.

A University of Michigan study covering thousands of VPN users across multiple countries found that 82.1% use VPNs to "protect myself from various threats and adversaries." Access to restricted content was a minority use case. There is no peer-reviewed research showing that VPNs are "increasingly" used specifically to bypass age verification. The EPRS briefing document conflates a correlation, more VPN downloads after age verification laws went live, with a motivation. Correlation is not causation, and the assumption that those downloads were primarily about age bypassing rather than people deciding their privacy needed protecting in response to governments demanding their biometric data is not supported by the underlying data.

This framing is not accidental. It is the legislative infrastructure for the next step. Once VPNs are established in official EU research as a "child safety loophole" rather than a privacy protection tool, the regulatory path toward restricting or requiring age verification for VPN access becomes politically available. We covered Utah's suggestion doing exactly this just this week. EU VP Henna Virkkunen explicitly stated the EU age verification system "should not be circumvented." The EPRS briefing is building the academic and policy foundation for what comes next.

The practical outcome of requiring age verification for VPN use is identical to banning anonymous VPN use. Once a VPN provider must verify your age, your identity is linked to your VPN account. The privacy tool becomes the surveillance checkpoint. This is precisely the outcome documented in our earlier post: Russia and Iran all arrived at VPN restrictions through incremental legislative pressure that began with narrowly justified use cases.

The option that cannot be regulated this way: NymVPN from Switzerland
A centralised VPN can be pressured, banned, compelled to verify users or have its servers seized. A decentralised VPN built on distributed infrastructure with no central company controlling the nodes cannot be banned in the same way because there is no single entity to compel.

NymVPN is built on the Nym mixnet, a decentralised network that protects not just your traffic content but your metadata: who you communicate with, when, and how often. Unlike traditional VPNs that hide your IP but still expose traffic patterns to a global adversary, Nym adds cover traffic and noise so that even nation-state level traffic analysis cannot de-anonymise you. Signup is anonymous, payments are unlinkable, the code is fully open source, and the network runs on independent distributed nodes with no central point of failure or control.

The most recent update of NymVPN added direct decentralised payments via zkNym credentials and removed the last requirement for a traditional account entirely. No account, no subscription tied to your identity, no company that can receive a court order requiring it to hand over your data.

The EU can regulate centralised VPN companies. It can require them to age-verify. It can compel them to log connections. What it cannot do is regulate a decentralised network that runs on distributed nodes operated by thousands of independent participants globally, any more than it can ban BitTorrent or regulate the Tor network out of existence.

Google Chrome silently downloads a 4GB AI model to hundreds of millions of computers:
Without prominent notification or upfront consent, Chrome began downloading a roughly 4GB file called weights.bin to user machines as part of Gemini Nano, Google's on-device language model. It lands in your browser's user data folder under OptGuideOnDeviceModel and powers features including "Help me write," tab suggestions, scam detection and page summarisation. The download triggers automatically for any device meeting minimum hardware requirements, and Chrome re-downloads the file if you delete it.
The model runs on your machine, not Google's servers. But that is not the issue. This is a 4GB install that happened on hundreds of millions of machines without a clear consent prompt. Multiplied globally that is thousands of tonnes of additional carbon emissions from data transfer. And the model's presence means Google's AI infrastructure now lives permanently inside your browser whether you use it or not.
To remove it: go to chrome://flags, disable the entries for Optimization Guide On Device Model and Prompt API, restart Chrome, then manually delete the folder. Chrome may attempt to re-download it.
This is also the strongest argument yet for switching to a Firefox-based browser. LibreWolf does not ship with a 4GB AI model you did not ask for.
Source: https://www.techpowerup.com/348825/google-chrome-silently-downloads-4-gb-ai-model-on-your-pc-without-consent
https://9to5google.com/2026/05/06/google-chrome-4gb-storage-ai-details/

UK kids defeated the Online Safety Act with eyebrow pencils. The first major assessment is devastating:
The first independent assessment of the UK's Online Safety Act is out and contains a sentence that tells you everything: "I did catch my son using an eyebrow pencil to draw a moustache on his face, and it verified him as 15 years old." The child was 12.
This is the law that forced UK adults to submit government IDs and biometric facial scans to access ordinary websites, triggered a 1,800% spike in VPN downloads when it went live in July 2025, and pushed millions of users into handing biometric data to private third-party verification vendors. The assessment numbers are brutal: 46% of children say age checks are easy to bypass. Only 17% say they are difficult. 32% have already bypassed them in the past two months. 49% still report experiencing harm online in the past month.
The bypass methods children described to researchers include drawing facial hair with eyebrow pencil to fool facial age estimation, holding up a video game character's head during a face scan, submitting a video of a different person's face entirely, using a parent's ID with parental consent, and entering a fake birthday which still works on most platforms. A 12-year-old girl explained the TikTok live enforcement model: "They ban me for 10 minutes and then I can go live again."
The report's most uncomfortable finding is that 26% of parents are actively helping their children bypass the checks, deciding individually which circumvention is acceptable. A verification system that relies on parents as the final enforcement layer collapses the moment parents become the bypass vector. Reminder: The Discord vendor breach in October 2025 already exposed 70,000 government IDs uploaded purely for age verification.
A 16-year-old summarised it better than any policy paper: "I think it's a great idea in theory and I applaud its intentions, but I don't see how that's feasible, because kids will always find a way."
Source: https://www.internetmatters.org/hub/research/online-safety-act-report-2026/
https://www.washingtontimes.com/news/2026/may/7/uk-kids-skirt-online-age-verification-drawing-beards-using-pictures/

Meta's Ray-Ban smart glasses were recording video watched by workers in Kenya. Many users had no idea:
Meta has ended its contract with Sama, a Kenyan outsourcing company that employed workers to watch footage captured by Meta's Ray-Ban smart glasses as part of AI training. After losing the contract, Sama fired approximately 1,100 workers. Several of those workers reported losing their jobs after speaking out about the nature of the content they were required to review.
The content included people using the bathroom, individuals undressing, people having s*x, private conversations, and footage capturing bank card details. Users of the Ray-Ban glasses, which can record video discreetly and continuously, were largely unaware that their footage was being reviewed by human workers in another country as part of an AI training pipeline. A class-action lawsuit has been filed against Meta.

The pattern is familiar from every major AI product. The "private" framing around AI features of Big Tech providers consistently obscures the human review layer that sits behind them, the layer that was exposed with ChatGPT routing messages to the FBI, the layer that sits inside every AI product that claims to be private while using human contractors to review edge cases, improve accuracy and handle content moderation. The workers who watched the most intimate footage of Meta's users are now unemployed. Meta has not issued a detailed public statement on either the contract termination or the workers' accounts.
Source: https://www.bbc.com/news/articles/c5y7yvgy0w6o