r/xprivo

The EU is trying to pass Chat Control through a procedural loophole timed right before summer recess, when attendance drops and thresholds get harder to hit. Remember that parliament rejected mass chat scanning twice. Tomorrow they vote on a shortcut that could reinstate it anyway:
▲ 112 r/xprivo+1 crossposts

The EU is trying to pass Chat Control through a procedural loophole timed right before summer recess, when attendance drops and thresholds get harder to hit. Remember that parliament rejected mass chat scanning twice. Tomorrow they vote on a shortcut that could reinstate it anyway:

Tomorrow (7th July 2026), the European Parliament votes on whether to use an urgent procedure to revive Chat Control 1.0, the mass private message scanning framework Parliament already rejected twice, most recently by a clear 311 to 228 majority in March. This is the third plenary vote on the exact same matter, reopened just before summer recess on the initiative of Parliament President Roberta Metsola, a move diplomats are calling unprecedented and that circumvents Parliament's own March decision.

Here is why the procedure itself is the actual danger, not just the substance. At this legislative stage, Parliament can only reject or amend the Council's position with an absolute majority of 361 votes. If that threshold is not reached, the law is automatically deemed adopted, meaning the expired scanning regime comes back even without Parliament's consent. If the urgency vote passes tomorrow, the decisive vote happens Thursday, the last sitting day before recess, when attendance is historically much lower, making that 361-vote threshold far harder to hit. If the urgency is rejected tomorrow instead, the proposal goes through the normal committee process, giving MEPs three months to negotiate real amendments with a realistic path to a proper majority.

The EPP's justification is a "legal gap" since Chat Control 1.0 expired in April. But Germany's own government has confirmed no unusual drop in abuse reports since the law lapsed, companies are still voluntarily scanning anyway, and EU figures show over 60 percent of abuse reports already come from scanning public posts and cloud storage, areas this law does not even cover. The rapporteur on the file, Birgit Sippel, has called this an "unfair maneuver" and said she will not support it. Over the weekend, cybersecurity researchers Carmela Troncoso and Bart Preneel, joined by over 800 signatories from two prior open letters, sent MEPs an urgent warning that current scanning technology still has unacceptably high error rates and that untargeted scanning fails basic proportionality tests when far more targeted tools already exist.

Critics also warn this vote actively undermines the permanent child protection framework currently being negotiated, one built around targeted detection orders for actual suspects, an EU child protection center to remove known abuse material, and safety-by-design requirements for messaging apps. Reviving the voluntary scanning status quo removes the political pressure on member states to ever agree to that better system. As Patrick Breyer put it, as long as governments can keep extending their convenient status quo through procedural tricks, they have no reason to accept Parliament's more effective, more legally sound alternative.

If you want to act before tomorrow's noon deadline, fightchatcontrol.eu has a direct tool to contact MEPs marked as supporting the urgency procedure. A phone call or email today is the most direct way to affect tomorrow's vote.

u/officialexaking — 2 hours ago
▲ 98 r/xprivo

Sweden recently federated two government agencies on different vendors using Matrix. Germany just made the same open standard a pillar of its national tech stack. No single vendor. No Big Tech lock-in. This is what digital sovereignty actually looks like.

Sweden pulled off a rare feat this year: seamless, real‑time data exchange between two large public agencies that operate on entirely different technology stacks. Two major public sector agencies, the Social Insurance Agency and the Transport Administration, successfully federated their real-time communication systems even though they run on completely different vendors. One uses Element, the other uses Rocket.Chat. Neither had to switch platforms. They just both speak Matrix, the open, decentralized communication standard, and that alone was enough for their systems to talk to each other seamlessly. The initiative is led by eSam, a collaboration body covering more than 40 Swedish government agencies, and the plan is to expand this to more agencies and formally recommend Matrix as the standard for interoperable government communication across the country.

Germany went further on June 17 this year, the federal government and all 16 German states confirmed that ZaPuK, a Matrix-based messaging architecture, will be a core component of the Deutschland-Stack, Germany's national sovereign technology platform meant to unify its fragmented federal, state, and municipal IT systems by 2028. This will eventually replace a mess of incompatible government mailbox systems including De-Mail, Mein Justizpostfach, and Elster-Postfach with one interoperable, end-to-end encrypted layer built on an open standard that no single company controls. There is already a working pilot called Neo, built by a consortium including Element, extending Germany's BundID system so citizens can communicate with government agencies directly through Matrix. Germany's healthcare sector already proved this model works at scale: TI-Messenger, mandated by health regulator gematik, is already connecting over 150,000 healthcare organizations and 74 million patients on the same standard.

This is a really interesting "Europe ditches US Big Tech" story. Both countries are not swapping something like Microsoft Teams for a European-owned equivalent and calling it sovereignty because that would just trade one vendor lock-in for another, even though it would already be a good first step. Matrix is an open standard nobody owns, meaning any agency, any country, any vendor can build on it and still interoperate with everyone else doing the same. It is the same principle that makes phone calls and email work regardless of provider, applied to modern real-time communication for the first time at genuine government scale. Sweden and Germany reaching the same conclusion independently, through completely different government bodies, is a strong signal that this is not a one-off experiment. It is a template other countries are very likely to follow.

u/officialexaking — 1 day ago
▲ 4.4k r/xprivo+3 crossposts

Regular people get searched like terrorists at airports. Why does crossing a national border erase all of your rights and pricacy?

The heavy handed treatment of ordinary people at airports is an indicator of what our governments would make daily life like if they thought they could.

u/amogusdevilman — 2 days ago
▲ 261 r/xprivo+1 crossposts

Google once said fingerprinting is wrong because users cannot clear it the way they clear cookies. That was 2019. August 3 2026 is the date Google starts using your IP address anyway to identify and profile your device for ads across the EU and UK.

On August 3, 2026, Google will start using IP addresses to identify and personalize ads for users across the EU, the EEA, the UK, and Switzerland. IP addresses are classified as personal data under GDPR, which means using them to track and profile devices triggers consent requirements under EU and UK law. Google has been using IP addresses to route traffic and serve ads for years. What changes on August 3 is the declared purpose: the same addresses will now officially be used for device identification, measurement, and ad personalization. That shift in purpose is legally significant, and Google knows it, which is why it is notifying advertisers to make sure their own consent flows are in order before the rollout begins.

The interesting thing about this is the fingerprinting situation. When you clear your cookies, the tracking stops. Fingerprinting, which combines signals like your IP address, browser version, screen resolution, and device characteristics to create a persistent identifier, cannot be cleared. It survives cookie deletion, incognito mode, and most standard privacy measures. In 2019, Google's own Chrome engineering director wrote publicly that fingerprinting subverts user choice and is wrong precisely for this reason. Google's own policy prohibited advertisers from using fingerprinting techniques. Now Google sent advertisers a notification that IP-based personalization is coming to the EU and UK in August. The ICO's own advice to the UK government, published in May 2026, explicitly places cross-service profiling based on user activity on the consent-required side of the line. Google's rollout sits exactly on that side. The regulator has said existing rules still apply and nothing has changed legally. Google is proceeding anyway and shifting compliance responsibility onto advertisers rather than absorbing it directly. A smart move by Google.

The best way to protect yourself right now is the same combination that has come up repeatedly in this community over the past months. A fingerprint-resistant browser is the most effective single tool here, specifically Firefox-based options like LibreWolf or Waterfox, which have fingerprint protection built in and do not participate in Google's browser ecosystem. uBlock Origin running in a Gecko-based browser blocks the ad tags, SDKs, and tracking calls that feed IP signals to Google in the first place, which is why the Chrome MV3 rollout we covered earlier matters directly in this context. Because MV3 makes uBlock origin not work in chromium browsers soon.

u/amogusdevilman — 2 days ago
▲ 2.0k r/xprivo+6 crossposts

Reddit is rolling out ID verification or Face Scans for "NSFW" content in the EU, Norway and Sweden. The age verification is processed by Persona. Some users in Norway, Sweden and other EU countries are already seeing it also in mental health subreddits flagged as NSFW.

Users in Norway, Sweden, and other EU countries are reporting that Reddit has started prompting them to verify their age to access NSFW-marked content and subreddits. The verification is being processed through Persona, the same third-party KYC vendor Reddit uses in the UK under the Online Safety Act, and the same company we have covered before in the context of Claude's identity verification rollout. Persona has structural and funding ties to Peter Thiel, and Thiel's Palantir is a company European governments have been systematically rejecting over data sovereignty concerns throughout 2026. The data Persona processes during verification includes your government ID document, facial biometric data from a selfie, your ID number and date of birth, and geolocation inferred from your IP address. Reddit says it stores only a pass/fail result and your birthdate. Persona says it retains uploaded images for no more than seven days.
These are the same categories of assurances every KYC provider offers, and they say nothing about what happens during those seven days, who has access, or what a breach looks like, and we have seen enough KYC breaches across Discord and other platforms to know the risk is not theoretical.

This appears to be a testing phase ahead of broader EU enforcement. The CJEU ruling from June 16 gave France and other member states explicit legal authority to require age verification on platforms regardless of where those platforms are based. The European Commission has been pushing member states to have age verification infrastructure operational by the end of 2026. Reddit rolling this out quietly in the EU, Norway and Sweden now, rather than waiting for formal legal mandates, is almost certainly a compliance positioning move ahead of what is coming continent-wide. Several users have noted that mental health subreddits, harm reduction communities, and other NSFW-tagged but non-pornographic content is also being caught behind the verification wall, which is exactly the over-broad enforcement pattern privacy advocates have warned about since these laws were first proposed.

The workaround right now is a VPN set to a country without current enforcement, which removes the EU IP trigger that activates the verification prompt. The more important response of course is not participating in the verification flow at all if you are prompted, because this is explicitly described as a testing and data collection phase, and platform compliance decisions are influenced by how many users actually complete the process versus how many drop off. Every person who hands over their ID normalizes the infrastructure and makes the next rollout easier to justify. Beyond the immediate workaround, this is the moment where the age verification rollout stops being something happening to other platforms in other countries and starts being something affecting the specific communities, subreddits, and daily browsing habits of people in this group directly.

u/BlokZNCR — 5 days ago
▲ 86 r/xprivo

A US Supreme Court ruling just cracked the EU-US data deal. Schrems III? Also, a separate US law made "EU server region" meaningless years ago anyway. Everything you need to know

[*Full article] The US Supreme Court just ruled in Trump v. Slaughter that the FTC is not independent from the President, which knocks out a core legal pillar the EU relied on when it approved the EU-US Data Privacy Framework, the deal that lets companies legally move EU data to the US. Max Schrems and noyb are preparing a legal challenge. If it lands, this would be the third EU-US data deal to collapse in a decade, after Safe Harbor and Privacy Shield. The framework is still technically in force for now, but the foundation under it just cracked.
Here is the part most businesses get wrong even without this ruling. Picking an "EU region" on AWS, Azure, or Google Cloud does not protect you from the CLOUD Act, a separate US law that compels any American company to hand over data on a US legal order regardless of where the server physically sits. AWS, Microsoft, and Google are all US companies. A subpoena served on Amazon in Seattle reaches customer data in Frankfurt exactly like it reaches data in Ohio. Even the hyperscalers know this. AWS for example opened a physically and legally separate "European Sovereign Cloud" entity in Germany in 2026 specifically because a normal EU region checkbox was never enough (even though this new strategy does not make it much better). Brussels is also tightening DMA obligations on Azure and AWS this year to push European alternatives.
The actual fix is providers with no US parent company at all, meaning the CLOUD Act structurally cannot reach them. Worth knowing: OVHcloud (French, largest EU-headquartered cloud provider), Scaleway (French, strong for AI/GPU workloads), StackIT (German, Schwarz Group's sovereign cloud arm), and Ionos (German, long-established GDPR-native hosting). None of these have a US legal nexus a subpoena could exploit.
We wrote a longer breakdown covering the legal mechanics, a comparison table, and why this matters for daily tools too: * https://www.xprivo.com/blog/en/eu-us-data-privacy-framework/

u/officialexaking — 4 days ago
▲ 381 r/xprivo

The US just passed the KIDS Act through the House. The EU and US cannot agree on trade, defense, taxes, or anything else. But making every adult prove their identity to use the internet to protect children? Somehow they are perfectly aligned. And we know why.

The US House passed the KIDS Act today, a package of around a dozen bills combining a revised Kids Online Safety Act with new age verification requirements and messaging regulations for platforms. It now moves to the Senate. The bill requires websites with 'explicit' content to verify user ages, creates nationwide child safety standards enforced by the FTC, and requires companies to protect age verification data and not retain unnecessary personal information. Sponsors say the text does not explicitly require age verification for all users. The EFF (Electronic Frontier Foundation) points out that liability attaches when a service "should have known" a user's age, which in practice pressures every platform to check everyone, because the safest legal position is verifying all users rather than guessing which ones might be minors. The EFF also flags new rules touching encrypted and disappearing messages, which follows the same pattern as the UK's Online Safety Act and the EU's Chat Control proposals, where messaging privacy gets pulled into child safety legislation as a secondary provision that receives far less scrutiny than the headline measure.

Now zoom out for a bit. Australia enforced its social media ban for under-16s in December 2025. In 2026: Malaysia enforced its version in June. France passed its age verification law and is in enforcement. Reddit is now rolling out age verification via Persona. The EU's CJEU gave member states explicit authority to mandate age checks on adult platforms in June. Canada tabled Bill C-34 requiring ID or face scans for social media. Norway, UAE, and others are all moving in the same direction. And now the US House just passed a federal age verification bill with bipartisan support. Republicans and Democrats agree on almost nothing in 2026. The EU and US are in the middle of a trade conflict. These governments cannot coordinate on climate, defense spending, or tax policy. But building national identity verification infrastructure for internet access under the banner of protecting children is apparently the one policy position that transcends every political, geographic, and ideological division simultaneously.

The bill still has to pass the Senate, which could amend, reject, or pass it, and then both chambers have to agree on the same version before it reaches the president. Senators Mike Lee, Rand Paul, and Ron Wyden voted against a similar bill two years ago, so resistance exists. But the structural reality is the same one playing out everywhere else: the technical consequence of any effective age verification system is universal identity checks for all users, not just minors. The data gets collected by third party vendors, sits in databases that get breached, and creates a persistent link between your legal identity and your browsing behavior that cannot be undone. The 'reassurances' about not retaining unnecessary data are written into every one of these bills across every country. They have ironically not prevented a single breach yet.

u/officialexaking — 6 days ago
▲ 432 r/xprivo+1 crossposts

Next Monday the EU votes on Chat Control 2.0 + The EU Parliament voted no on mass message scanning initially but this week the EU parliament president Roberta Metsola did something diplomats are calling "without precedent": she overrides her own Parliament's democratic vote to revive Chat Control.

Quick situation update because Monday June 29 is crucial and the context is also important. Chat Control 1.0, the temporary law that gave Google, Microsoft, Meta, LinkedIn and others the legal basis to voluntarily scan your private messages in the EU, expired in April after Parliament voted down its extension by a single vote, 307 to 306. That voluntary scanning has no legal foundation in the EU right now. Companies have continued scanning anyway despite the legal limbo, which is its own story, but reminds you also to use privacy-first services online where you can.

In addition to that, this week, Parliament President Roberta Metsola asked Council ambassadors to adopt a position on reviving Chat Control 1.0, the law her own Parliament already killed, in a move diplomats described in writing as "without precedent". MEPs working on the file called it unacceptable and said Parliament's position has not changed. The move appears to be a pressure tactic ahead of Monday, when the fourth and supposedly final trilogue negotiation on Chat Control 2.0, the permanent version, takes place. The permanent version currently on the table no longer includes mandatory scanning of end-to-end encrypted messages, which was the most alarming original proposal, but it does include voluntary detection provisions for unencrypted communications, age verification requirements before accessing messaging services, and risk mitigation obligations that could be used to pressure platforms into building scanning infrastructure anyway.

So what we currently see is that if a democratic vote produces the wrong result, the response is to find a procedural route around it, apply pressure through a parallel channel, and reframe the question until the answer changes. https://fightchatcontrol.eu/ is tracking this if you want to follow Monday's developments and for more informations about Chat Control and which politicians are in favor and which are against it.

Full article about European Parliament president Metsola overriding MEPs in bid to force through child abuse law: https://www.politico.eu/article/president-vs-parliament-roberta-metsola-overrides-meps-bid-force-child-abuse-law/

u/amogusdevilman — 11 days ago
▲ 721 r/xprivo+3 crossposts

France, Germany, Austria and other EU countries are ditching US-Tech for Open Source solutions like Linux. The sudden Fable 5 shutdown once again proves why EU digital sovereignty isn't optional anymore.

Something significant and positive is happening across Europe right now and it is moving faster than most people realize. France is executing an aggressive plan to migrate 2.5 million civil servant workstations from Microsoft to Linux-based environments. Germany's state of Schleswig-Holstein is completing the migration of 30,000 PCs to Linux and LibreOffice, a project now being studied as a blueprint for federal-level independence from US software. Austria already completed its transition, having fully purged Microsoft Office from 16,000 military workstations and replaced it with a locally managed version of LibreOffice, specifically to ensure military communications stay within Austrian borders and outside the reach of foreign legal jurisdiction. Switzerland, after documenting the billions spent on Microsoft ecosystems over the past decade, is actively deploying exit strategies from Microsoft 365 lock-in at the federal administration level. Denmark's Ministry of Digital Affairs has mandated a formal transition to open-source software for internal operations. Estonia, one of the most digitized governments on the planet, is building contingency frameworks to reduce dependence on US cloud architecture entirely.

This movement is not a coincidence, and it is not primarily about cost savings, even though the millions saved in licensing are a really nice bonus too!
The driving force is a geopolitical reality that became impossible to ignore: any government running its core infrastructure on US-based proprietary software is subject to the US CLOUD Act, shifting export controls, and the threat of abrupt access revocation.
The perfect illustration of exactly that risk landed on the evening of Friday, June 12, 2026.
Citing national security concerns over a potential "jailbreak," the US government issued an emergency export control directive ordering Anthropic to immediately suspend all access to its two newest and most powerful AI models, Fable 5 and Mythos 5, for any foreign national worldwide. Because it is technologically impossible to reliably segment foreign nationals from US citizens in real-time, Anthropic had no choice but to comply by abruptly shutting off access for all users globally.
A frontier technology that millions of people and organizations outside the US were actively relying on disappeared overnight because a government on the other side of the planet decided it should. There was no warning, no transition period, and no appeal process. Just a directive received at 5 PM on a Friday, and access was gone for the weekend. That is the exact nightmare scenario European governments have been documenting in internal risk assessments for years, and it just played out in public in real time.
So the difference of the current open-source migration wave from previous initiatives is that many tries stalled or quietly reversed. These decisions are now no longer pitched as IT procurement choices but as explicit national security policies.
Austria for example did not migrate its military workstations to 'save money'. They did it because running military communications on foreign-controlled software with embedded telemetry is an unacceptable operational risk. That framing is much more important because it changes the political durability of the decision. When a migration is sold merely as cost-cutting, the next administration can reverse it or to appease lobbyists. When it is framed as sovereign infrastructure, reversing it means publicly arguing that your country's sensitive data should sit on someone else's servers, under someone else's laws, subject to being switched off by a foreign government on a Friday afternoon.
The Fable 5 shutdown did more to advance the European digital sovereignty argument in 48 hours than a decade of policy papers ever could. Every IT minister on the continent now has a concrete, recent, and highly visible example of what dependency on US technology infrastructure actually means in practice. You either own your stack, or you are just borrowing it.
Europe will become much more independant from Big Tech.

u/amogusdevilman — 12 days ago
▲ 8 r/xprivo

is xprivo search down now?

I am not using the ai feature, so this shouldn’t be about reaching limits or whatever it is related to ai usage?

u/BarnacleHeavy5061 — 9 days ago
▲ 23 r/xprivo+1 crossposts

why i cant turn this off and i cant remove from the chat……. Its SO DAMN ANNOYING

u/Conscious-Item-1633 — 10 days ago
▲ 106 r/xprivo+1 crossposts

reCAPTCHA started by making you label street signs for their AI for free. Now they are testing a new version that wants your hand geometry on camera. But: There is a free, open-source alternative that website owners should consider instead of using reCAPTCHA.

Google is testing a new reCAPTCHA that asks you to wave your hand at your camera. The system extracts 21 joint coordinates from your hand geometry, analyzes the movement, and verifies you as human. Google says the video is deleted after verification, is not linked to your identity, and that audio is never recorded. These are the same assurances Google has offered about every data collection it has ever run, so take them at whatever value you assign to promises from an advertising company whose entire business model is built on knowing everything about you.
The reason this exists is that AI now defeats every traditional CAPTCHA faster than humans do. Traffic lights, fire hydrants, distorted text, crosswalks, all of it solved instantly by models that have been trained on, among other things, the billions of CAPTCHA solutions humans submitted over the past two decades. That history is worth remembering. The original reCAPTCHA was sold as a tool for digitizing old books. Then Google used it to label Street View imagery and Maps data. Users were solving puzzles. They were also providing free labor for Google's geospatial training datasets without being told. The new system follows the same pattern at a different scale: the problem being solved for Google is biometric data collection, and the mechanism for getting it is framing the collection as a service to you.

If you run a website, or work somewhere that uses Google reCAPTCHA, or use services where administrators have a choice about which verification system to deploy, it is worth raising Altcha.org as an alternative. Altcha is open source, self-hostable, requires no camera, no biometrics, no Google account, and no data leaving your infrastructure. It works on a proof-of-work model that is genuinely difficult for bots at scale without requiring users to do anything invasive or degrading. It does not scare away legitimate users, does not feed a surveillance ecosystem, and does not require you to trust Google's assurances about what happens to footage of your hand. The choice between making your users wave at a camera to benefit Google's datasets and running an open source tool that actually respects them is an easy one once you know the alternative exists.

u/amogusdevilman — 14 days ago