On May 27th at 18h CEST, I’ll participate on a (streamed) panel on the #CyberResilienceAct for maintainers of Free and Open Source Software, with @ag_dubs, @bagder and moderators @tobie and @senficon.
Info at https://maintainermonth.github.com/schedule/2025-05-27-CRA

Incredible. The UK Legal Aid Agency suffers a cyberattack which led to a data breach of a highly sensitive nature: "This data may have included contact details and addresses of applicants, their dates of birth, national ID numbers, criminal history, employment status and financial data such as contribution amounts, debts and payments."

Ah, at least they'll take action, right?

Nope, just ask people to be more vigilant and change their passwords. Cheers guys!

https://www.gov.uk/government/news/legal-aid-agency-data-breach

New paper, open access:

‘The EU Digital Services Act: what does it mean for online advertising and adtech?’

By Pieter Wolters and me.

We explore the question: what does the Digital Services Act (DSA) mean for online advertising?

For us, the most surprising finding is the following. We conclude that some types of ad tech companies, such as ad networks, should be considered platforms.

https://doi.org/10.1093/ijlit/eaaf004

#eu #law #dsa #gdpr #eprivacy #advertising #adtech #tech #platform #cookie

“Microsoft has simply given us no other option,” Signal says as it blocks Windows Recall
Even after its refurbishing, Recall provides few ways to exclude specific apps.
https://arstechnica.com/security/2025/05/signal-resorts-to-weird-trick-to-block-windows-recall-in-desktop-app/

Researchers Scrape 2 Billion #Discord Messages and Publish Them Online

https://www.404media.co/researchers-scrape-2-billion-discord-messages-and-publish-them-online/

#privacy

New, from me:

KrebsOnSecurity last week was hit by a near record distributed denial-of-service (DDoS) attack that clocked in at more than 6.3 terabits of data per second (a terabit is one trillion bits of data). The brief attack appears to have been a test run for a massive new Internet of Things (IoT) botnet capable of launching crippling digital assaults that few web destinations can withstand. Read on for more about the botnet, the attack, and the apparent creator of this global menace.

According to Google, the botnet that hit my site - at a rate of 585 million packets per second -- is an IoT botnet known as Aisuru, and it is the same one that hit Cloudflare with a remarkably similar attack last month. I interviewed the self-professed creator of Aisuru, a 21 y/o Brazilian who goes by the handle "Forky." Forky denied being involved in an attack on my site, but he also lied in almost everything else he told me.

There's a lot more to this story, including some eerie parallels between Aisuru's rise and that of the Mirai IoT botnet, which became so powerful because it effectively out-competed every other DDoS botnet in existence, giving them enormous firepower. Ironically, this same concentration of power happens each time the FBI conducts another one of its mass takedowns of DDoS-for-hire services. The ones that don't get taken down benefit enormously.

https://krebsonsecurity.com/2025/05/krebsonsecurity-hit-with-near-record-6-3-tbps-ddos/

Weer mooi onderzoek van BNR Nieuwsradio! Ondanks mooie verhalen verhuizen hele stukken overheid in hoog tempo al onze privégegevens naar Amerikaanse clouds. Daar kan de regering Trump bij onze medische details, en misschien praktisch erger: ze kunnen onze toegang ook afsluiten. En hier praten we dit recht met de kromste smoezen zoals "we zijn heel voorzichtig hoor". Maar dat zijn we niet: https://www.bnr.nl/nieuws/tech-innovatie/10574510/overheidsorganisaties-blijven-in-de-amerikaanse-cloud-ondanks-zorgen-in-de-tweede-kamer

Not attending #CPDP this year, for the first time since starting my PhD in 2022.

The wonderful time I am having in Edinburgh as part of my research visit at the #UniversityofEdinburgh more than makes up for the FOMO I am feeling, thankfully!

If you are attending #CPDP this week: have fun! And see you again next year!

PS: I highly recommend the following panels where some wonderful colleagues will be discussing EU cybersec law:

https://www.cpdpconferences.org/panels/the-transformation-of-eu-cybersecurity-law

https://www.cpdpconferences.org/panels/aligning-cybersecurity-information-sharing-with-the-european-data-protection-framework

Something's very different in tech. Once upon a time, every bad choice by tech companies - taking away features, locking out mods or plugins, nerfing the API - was countered, nearly instantaneously, by someone writing a program that overrode that choice.

--

If you'd like an essay-formatted version of this thread to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:

https://pluralistic.net/2025/05/14/pregnable/#checkm8

1/

The @wikimediafoundation Foundation has filed a lawsuit against the UK 🇬🇧 government over its implementation of the Online Safety Act

The new UK law enters into effect next year and will require Wikimedia to verify the identity of Wikipedia users

The Foundation says the new law puts the #privacy of its users in danger, with some users relying on anonymity as they operate from hostile governments
https://diff.wikimedia.org/2025/05/08/wikimedia-foundation-brings-legal-challenge-to-new-uk-online-safety-act-requirements/

So now we know. Genocide is good for business, says the UK government.

“Preserving the British role in the F-35 jet fighter programme takes precedence over any UK obligation to prevent a genocide in Israel, UK government lawyers will argue in court this week.”

https://www.theguardian.com/uk-news/2025/may/12/uks-f-35-exports-more-important-than-stopping-genocide-lawyers-to-argue

#Genocide #Palestine #Israel #UKPolitics #Starmer

By me @Forbes: Anonymous defaces the site of an airline associated with Trump's El Salvador deportation flights, claiming to have stolen passenger manifests.

#infosec

https://www.forbes.com/sites/daveywinder/2025/05/07/anonymous-hacks-airline-used-in-trump-el-salvador-deportations/

Google enables the storage and use of digital identity credentials by verifying a passport or government-issued document, using a cryptographic zero-knowledge proof method to confirm a user's age or identity without disclosing any personal information. https://blog.google/products/google-pay/google-wallet-age-identity-verifications/

I'm hiring a PhD student in Copenhagen, Denmark to do #HCI research on #privacy and #interoperability in messaging apps!

This is a fully funded 3-year position in the Copenhagen campus of Aalborg University. The student will join my project "mInt" (for "messaging interoperability" ;)) and will be co-supervised by me and @nielsvanberkel .

More info and application form here: https://www.stillinger.aau.dk/phd-stillinger/vis-stilling/vacancyId/1219575. Deadline is May 18.

#hci #interoperability #messaging #dma #phd

🎮 Today, we filed a complaint against the video game company Ubisoft!

👉 Ubisoft forces its customers to connect to the internet when they launch a single-player game, which allows it to collect their gaming behaviour.

Find out more here 👇

https://noyb.eu/en/play-alone-ubisoft-still-watching-you

Very happy to announce that I will be conducting a research visit at the University of Edinburgh in May and June! I will be working with @mooseabyte on all things IoT, law & tech, design studies, etc. Super excited! Let me know if you happen to be in/around Edinburgh around that time, always happy to chat!

#academicchatter #UniversityofEdinburgh

The #CouncilOfEurope is looking for a #DataProtection Commissioner

https://www.coe.int/en/web/data-protection/-/call-for-candidates-data-protection-commissioner-at-the-council-of-europe

#fedijobs #jobs #privacy #strasbourg

Russians celebrate Palm Sunday by bombing Sumy www.bbc.com/news/videos/...

Russian ballistic missile stri...

The Trump administration conceded in a court filing Monday that it mistakenly deported a Maryland father to El Salvador “because of an administrative error” and argued it could not return him because he’s now in Salvadoran custody.

https://amp.cnn.com/cnn/2025/04/01/politics/maryland-father-mistakenly-deported-el-salvador-prison