#privacy

Grok CLI uploads entire codebase and secrets by default

gist.github.com · ⭐️ 9/10 · 2026-07-12

9/10

Security researchers discovered that xAI's Grok CLI (version 0.2.93) automatically uploads entire Git repositories and sensitive files like .env to Google Cloud Storage, even when prompts instruct not to read specific files. Disabling the 'improve model' setting does not prevent the upload. This vulnerability exposes users' proprietary code, API keys, and credentials by default, posing a severe privacy and security risk. It undermines trust in AI-assisted coding tools and raises questions about data handling practices. The tool sends file contents via two channels: embedded in model conversation requests and as a git bundle file. In a test with a 12 GB repository, over 5 GiB of data was successfully uploaded without rejection. The opt-out toggle in settings had no effect on the upload behavior.

EU Parliament Approves Chat Control 1.0 Mass Scanning

patrick-breyer.de · ⭐️ 9/10 · 2026-07-09

9/10

The European Parliament voted on July 8, 2026, to allow mass scanning of private messages until April 3, 2028, despite a majority of MEPs opposing the measure. This decision represents a significant setback for digital privacy in the EU, as it permits warrantless scanning of private communications on platforms like Gmail, Snapchat, and Skype, setting a precedent for mass surveillance. The motion to reject the scanning law failed because it required an absolute majority of all 705 MEPs (361 votes), not just those present; only 314 voted against, 276 in favor, 17 abstentions, and 113 were absent.

EU close to reviving message scanning rules

cyberinsider.com · ⭐️ 9/10 · 2026-07-08

9/10

The European Union is one step away from reviving proposed rules that would require scanning of private messages for child sexual abuse material, threatening the future of end-to-end encryption. If enacted, these rules could undermine privacy and encryption across the EU, affecting hundreds of millions of users and setting a dangerous precedent for mass surveillance. The proposal, known as Chat Control, has two versions: Chat Control 1.0 allows voluntary scanning by platforms, while Chat Control 2.0 mandates scanning and effectively bans end-to-end encryption.

9/10

A prompt injection vulnerability in YouTube's AI comment summarization tool allows attackers to leak the titles of a creator's private videos by leaving a crafted comment that injects a malicious prompt. This vulnerability compromises the privacy of YouTube creators by exposing their private video titles, and highlights the broader security risks of integrating large language models into user-facing applications without adequate safeguards against prompt injection. The attack works when a creator opens YouTube Studio's comment tab and clicks a suggested AI prompt; the injected comment then forces the model to include private video titles in its response. Community testing shows mixed results, with some users unable to reproduce the issue, indicating possible partial mitigations by YouTube.

Chinese researchers developed a non-contact forensic technique that identifies smartphone apps and operations by analyzing leaked low-frequency electromagnetic signals, achieving up to 99.07% accuracy on devices like iPhone 15 Pro, Xiaomi 15 Pro, and OPPO Reno 13. This attack method poses a serious privacy threat because it can work even when the phone is offline, in airplane mode, encrypted, or locked, without any access to the device's system or stored data. The technique analyzes low-frequency electromagnetic (EM) signals emitted by a running smartphone's components, and the researchers tested it on popular apps including TikTok, WeChat video calls, Baidu Maps, SMS, browser, camera, and cloud storage.

EU Chat Control Proposals: Privacy vs Child Safety

fightchatcontrol.eu · ⭐️ 8/10 · 2026-07-07

8/10

The European Union is advancing Chat Control proposals 1.0 and 2.0, which would require messaging platforms to scan all private messages and uploaded content for child sexual abuse material, potentially undermining end-to-end encryption. These proposals represent a significant shift towards mass surveillance, threatening the privacy and security of all EU citizens' digital communications. If enacted, they could set a global precedent for weakening encryption and enable broader government surveillance capabilities. Chat Control relies on client-side scanning, which checks content on users' devices before encryption, bypassing end-to-end protection. The proposals have been criticized for technical risks like false positives and potential abuse by authorities for purposes beyond child protection.

EU Mandates Driver Monitoring Cameras in All New Cars

allaboutcookies.org · ⭐️ 8/10 · 2026-07-07

8/10

As of July 2024, the EU General Safety Regulation 2019/2144 requires all new car models sold in the European Union to be equipped with a driver monitoring system (DMS) that uses a camera to detect distraction and drowsiness. This regulation aims to reduce accidents caused by driver inattention, but it also raises significant privacy and usability concerns among drivers and consumer advocates. The DMS must be integrated into the vehicle's type-approval process and cannot be permanently disabled. The system typically uses infrared cameras to track eye and head movements, issuing alerts when distraction is detected.

Chat Control passed first round in EU Parliament

heise.de · ⭐️ 8/10 · 2026-07-07

8/10

The European Parliament unexpectedly revived the controversial Chat Control law during its second reading, and it passed the first procedural round, giving proponents a tactical advantage. This law would mandate mass surveillance of private messages, threatening end-to-end encryption and digital privacy. Its advancement could set a dangerous precedent for widespread surveillance in the EU. In the second reading, amendments or rejection require an absolute majority of 361 MEPs, while the law itself can pass with a simple majority of those present. Many MEPs have already left for summer break, making rejection harder.

Google's new 'Save media' setting lets Lens, voice data train AI

techcrunch.com · ⭐️ 8/10 · 2026-07-07

8/10

Google introduced a new 'Save media' setting within Search service history that saves media from features like Google Lens, Search Live, voice search, and Translate speaking exercises, and uses it to improve Google services and AI models. This policy change affects millions of users who use these features, raising privacy concerns about how media is used for AI training. It also highlights the importance of opt-out mechanisms in an era of growing AI data collection. The setting is part of the 'Search service history' in Google Account settings, and users can opt out by turning off 'Save media'. Media includes images, files, audio, and video from Google Lens, Search Live, voice search, and Translate speaking exercises.

iOS 27 Trust Insights: On-Device Anti-Fraud with Privacy

cultofmac.com · ⭐️ 8/10 · 2026-07-04

8/10

Apple announced Trust Insights, a new on-device anti-fraud feature in iOS 27 that analyzes user behavior patterns to detect scams without reading personal content like messages or photos. This feature enhances user security against phone scams while maintaining strong privacy by processing data entirely on-device and only sending a single anonymized output to servers. Trust Insights uses device sensor data and contextual analysis to identify suspicious behavior like being guided by a scammer to transfer money or change accounts; it can trigger warnings, delays, or extra authentication before transactions.

F-Droid: Android developer verification is a Trojan horse

f-droid.org · ⭐️ 8/10 · 2026-07-02

8/10

F-Droid published an article arguing that Google's new Android developer verification, which requires identity verification and package name registration starting September 2026, is actually a threat disguised as protection, especially for open-source app distribution. This verification could restrict installation of apps from third-party stores like F-Droid on certified Android devices, undermining user freedom and the open-source ecosystem. It represents a broader trend of platform control that affects developers and users who rely on alternative app sources. Google's developer verification requires developers to verify their identity and register their package names, and starting September 2026, only apps from verified developers can be installed on certified Android devices in select regions. F-Droid claims this gives Google a chokehold over app distribution, akin to a Trojan horse.

8/10

Apple provided the FBI with the real iCloud account details linked to a 'Hide My Email' address used to send threatening messages, leading to the identification and confession of the suspect, Alden Ruml. This case shows that Apple's 'Hide My Email' feature, marketed as a privacy tool, is not fully anonymous and can be traced back to users in law enforcement investigations, challenging user trust in Apple's privacy promises. The suspect, Alden Ruml, had created 134 anonymous email addresses through the 'Hide My Email' feature and admitted to sending threats to Alexis Wilkins, the girlfriend of FBI Director Kash Patel.

Claude Code 2.1.91 Hidden Telemetry Detects China Region

reddit.com · ⭐️ 8/10 · 2026-07-01

8/10

Anthropic's Claude Code version 2.1.91 includes obfuscated code that checks for Chinese timezones and proxy URLs, then encodes region information into prompts sent to the API without disclosure in changelogs. This raises serious concerns about user privacy and transparency in AI tools, as it could be used to identify unauthorized usage or model distillation without user consent, potentially undermining trust. The detection logic uses XOR obfuscation with key 91 to check for timezones Asia/Shanghai or Asia/Urumqi, and proxy URLs pointing to Chinese domains or AI labs; region data is encoded by altering the system prompt's date format and Unicode apostrophe.

The U.S. Supreme Court ruled that law enforcement's use of a geofence warrant to obtain cellphone location data from Google constitutes a Fourth Amendment search, requiring probable cause and a warrant. The decision came in a case involving a 2019 bank robbery in Virginia. This landmark ruling strengthens digital privacy protections by requiring law enforcement to meet constitutional standards before accessing bulk location data. It sets a precedent for how courts handle reverse location warrants and limits warrantless surveillance of innocent bystanders. The geofence warrant instructed Google to provide location data for devices within 150 meters of a bank during a 30-minute window before and after the robbery. The Court found that accessing this aggregated location history invaded a reasonable expectation of privacy, rejecting arguments that data in public places is unprotected.

IP Crawl: A Living Atlas of Open Webcams

ipcrawl.com · ⭐️ 8/10 · 2026-06-28

8/10

IP Crawl is a website that maps and provides access to live feeds from thousands of unsecured webcams found on the public internet. It functions as a searchable atlas of these exposed devices. This highlights the widespread insecurity of IoT devices, as many users connect cameras without proper configuration, exposing private spaces to anyone. It raises significant privacy and ethical concerns, especially for non-technical users who may not realize their cameras are publicly accessible. The site indexes webcams discovered via internet-wide scanning, showing live feeds without authentication. Many feeds are from common IP camera brands with default settings, and the site includes a map view showing approximate locations.