The UK government spyware demand means that the government decides exactly what should be censored on every mobile device. They say they will start with nude pictures (if you don’t identify yourself as an adult). But it could at any time be expanded to anything the government disapproves of. Today, 30 people are arrested every day in the United Kingdom for writing something online that the government classifies as "grossly offensive". It is obvious that they will use this tool to restrict free speech.
Currently, there appears to be no requirement to report findings outside the device. However, with both legal and technological decision-making power taken away from individuals and transferred to the government, that is only a pen stroke away.
This means that the government could also use this system for total mass surveillance.
And they can do so in secret.
The government recently, in secret, tried to pressure Apple (which is now agreeing to client-side scanning) to build backdoors into its end-to-end encrypted cloud service. They can do this under the Investigatory Powers Act 2016, also known as the "Snoopers' Charter" – a law that makes it illegal for tech companies to disclose secret demands from the government.
Researchers just unveiled FROST (fingerprinting remotely using OPFS-based SSD timing), a technique that exploits your SSD's timing to silently detect every site and app you have open.
No clicks.
No interaction.
Just visit a page.
Let's have a look at how it works...
1/7
‼️ Google is about to disable all adblocker extensions in Chrome. Instead of letting the adblocker inspect traffic itself, extensions now have to hand Google's browser a limited list of filtering rules and hope for the best. This leads to weaker blocking and more ads getting through.
Google makes the vast majority of its money selling ads. The company that profits from every ad you see also controls the browser most people use, with Chrome 149 being the last version supporting adblockers.
For example, under the new rules, uBlock Origin cannot exist. For millions of people, that extension is the only thing standing between them and a wall of ads, trackers, and autoplay garbage. One user put it bluntly: "The web is literally unusable without uBlock Origin."
Our statement on the UK government’s demand that all content on all devices sold or used in the country be scanned, on the presumption of nudity, using a dystopian combination of age verification and content scanning. This proposal will not safeguard children. It endangers us all.
https://t.co/VdWe9uhi8p
This is what the UK spyware proposal means.
There must be government spyware on every mobile device. It shall watch everything that happens, including always watching the screen, looking for things the government disapproves of.
When anything is flagged by the software as something the government doesn't like, the software must block it from being sent or displayed (in realtime).
The user of the device must not be able to shut this watching and blocking off. The only way to shut it off would be to ask the government or its proxies to do so for you, at their discretion.
Therefore the whole device must be locked down. Administrator rights and the decision of what software or operating system to run or not to run must be taken from the owner/user and handed to the government and its proxies.
Apple and Google are themselves working hard to lock down the devices they are involved in to shut out competition and establish a duopoly.
The UK government says it is "working closely" with Apple and Google and currently they synchronise and coordinate their communication on this subject.
The UK government is now proposing to mandate what would otherwise be illegal anti-competitive practices.
@GrapheneOS on the Apple and Google duopoly:
https://t.co/rbRmcUDTRu
Statement from @signalapp
https://t.co/vJILcSrs4s
@ReclaimTheNetHQ on the state spyware:
https://t.co/3FCi06bP77
The government announcement:
https://t.co/ynYjR3DIRo
‼️🚨 BREAKING: Sony PlayStation's age-verification partner Yoti is reporting GrapheneOS users to authorities for using GrapheneOS, due to "past security concerns."
👉 Yoti, an age-verification platform, reportedly "reported" a user to the authorities after detecting the use of @GrapheneOS
Here is what happened.
A user tries to verify their age on PlayStation Network via @getyoti. Their device runs GrapheneOS.
The scan fails repeatedly, 8 to 10 times. They contact Yoti support to understand why.
The reply comes from help@yoti[.]com:
"Due to past security concerns, Yoti automatically flags multiple verification attempts and any devices running GrapheneOS. These instances are automatically reported to both the authorities and our security team."
The user had provided their real identity documents. They did not circumvent anything. It is Yoti's system that appears to have failed to process them.
Why? GrapheneOS restricts camera and biometric APIs. A scan that works on stock Android can fail over and over on GrapheneOS. Repeated failure is not fraud. It is a technical incompatibility.
Obviously, it is very easy to detect that a smartphone is running GrapheneOS.
GrapheneOS is not banned anywhere. It is a hardened open-source Android, used by journalists, lawyers, security researchers, and people like you and me who care about their security.
But for Yoti, using it would be enough to classify you as a suspect. On what grounds?
Either Yoti actually reports someone, somewhere, for using a legal OS. Or it is boilerplate wording designed to scare.
Either way, it is a problem.
If it is real: no law requires an age-verification provider to report a user detected on GrapheneOS to law enforcement. It is a unilateral policy with no identifiable legal basis.
If it is a bluff: threatening a user with a fictitious legal procedure is an unfair commercial practice in most jurisdictions.
What it does reveal, however, is that little by little, using alternative OSes will lead to restrictions and suspicion, the better to allow their regulatory systems to be deployed.
And tomorrow, it will not only be GrapheneOS.
At every step, we will be told it is for security, for the children, for fighting fraud, for compliance. But in the end, the result will be the same: the user who seeks to protect themselves will have to justify themselves, while the fully traceable user will be considered normal.
It is this inversion that must be refused.
Privacy must not become an aggravating circumstance. Digital security must not become a marker of suspicion. And age-verification infrastructure must not become private border posts where private companies decide, opaquely, which devices are acceptable and which users deserve to be reported.
If Yoti confirms this practice, it will be necessary to ask what legal basis this reporting rests on, which authorities receive it, what data is transmitted, how many users are affected, how long this information is retained, and what recourse is offered to people who are falsely reported.
And if Yoti does not confirm it, an explanation will be needed for why its support was able to write such a thing to a user.
So-called age verification for social media is spreading across the world, framed as an effort to create a safer internet for children. In reality, age verification lays the foundation for a fully controlled internet.
The age verification rush must be slowed down, and politicians need to recognize the consequences of different types of legislation and systems.
Age verification is the wrong approach to fix “the social media problem”
The big tech social media companies are bad. Their business model is bad; it is based on mass surveillance and manipulation, and they cooperate with governments in mapping entire populations. But age verification is fundamentally the wrong approach to preventing children from using big tech social media platforms. Introducing age verification is based on coercion; the state forces social media companies to verify their users’ identities. But the big tech social media platforms already know which of their users are children. Their business model depends on knowing this. They know how old users are, and they know exactly what type of person they are. As age verification is based on coercion, politicians could instead force platforms to stop doing the things politicians consider harmful to children, or force them to block children (again, they know who they are) from using their services. But instead, politicians seek to massively invade everyone’s privacy and undermine democratic rights on a global scale. In other words, the latter is the real objective – they do not want to protect children; they want to impose control.
Slippery slope of age verification
It is undeniable that age verification threatens freedom of expression, risks increasing mass surveillance, and is likely to lead to censorship. It will not only shrink the online world and reduce young people’s right to privacy (for example, if VPN services were to be restricted) but also risks becoming a significant step toward a controlled internet for everyone.
Most age verification is identity verification
Most countries are now considering introducing age verification systems, meaning that everyone would have to identify themselves either to the service/website they want to use or to a third party capable of linking them to their activity on that service or website. This is not age verification but identity verification, and the consequence is therefore that freedom of information is restricted (you can no longer visit regulated websites anonymously) and that you can no longer post anonymously on social media. This is a major problem in countries like the UK and Germany where the police conduct raids on people’s homes for posting content on social media that the authorities dislike. Or in the United States, where authorities are trying to pressure tech companies into revealing the identities behind accounts protesting ICE. Social media identity verification removes important tools for activists in countries where criticizing those in power is dangerous.
Restrictions on app store or operating system level
Some countries are looking to impose identity verification at the app store level or even within the operating system itself. This is an exciting experiment, since this is possible to circumvent using open-source operating systems. Some countries are already looking to include open-source systems. Since open-source systems cannot be controlled, politicians would ultimately need to ban devices that are not controlled by the state. The end point: telescreens like those in Orwell’s 1984, devices that both monitor you and broadcast only the information approved by the state.
The Zero-Knowledge Proof (ZKP) alternative and the EU
The EU has presented its own age verification app as “completely anonymous”. The idea is to use Zero-Knowledge Proof (ZKP) cryptography to break the link between the age credential issuer (EU governments) and the regulated services/sites. Currently, the EU app does not have ZKP functionality, contrasting Ursula von der Leyen’s claim that the app “is technically ready to be used”. But more importantly, the app is currently designed to always function without ZKP technology; if ZKP is unavailable, the app falls back to a non-ZKP model. Even if fully developed ZKP technology could be implemented in the future, it would remain an optional extra feature that countries may choose to disable and that the EU could remove at any time.
Read more on our site.
https://t.co/wTVKHMS1zg
The EU age verification app is presented as “completely anonymous”. But the risk is that member states (the countries are supposed to create their own versions of the open-source EU app) use it to introduce identity verification that makes it impossible to post anonymously on social media.
The idea behind “completely anonymous” is to use Zero-Knowledge Proof (ZKP) cryptography to break the link between the age credential issuer (EU governments) and the regulated services/sites. Currently, the EU app does not have ZKP functionality, contrasting Ursula von der Leyen’s claim that the app “is technically ready to be used”. But more importantly, the app is designed to always function without ZKP technology; if ZKP is unavailable, the app falls back to a non-ZKP model. Even if fully developed ZKP technology could be implemented in the future, it would remain an optional extra feature that countries may choose to disable and that the EU could remove at any time.
This means that the EU could decide at any time that ZKP may no longer be used, and in one stroke the app would fall back to its default mode, meaning that every post on social media carries an ID tag. By that point, an infrastructure will already have been rolled out; people will have gotten used to it, and it will be harder to roll it back.
More details on https://t.co/wTVKHMS1zg
A Japanese manga artist lost his entire Google account forever after he uploaded private files from an old comic he drew to Google Drive.
Google’s AI checked the files and flagged them as not allowed. He asked Google to review it again, but they rejected his appeal and banned the account immediately.
He can no longer access years of his private drawings and lost access to many websites and services that used his Google login.
The artist said this is very embarrassing and causes him a lot of trouble. He warned that it might not happen to people who always follow every rule, but others should be careful.
So Google is scanning files that people upload to its cloud storage even if they are supposed to be private. I wonder how long they have been doing this.
Finally, Google has openly admitted that they are fighting @grapheneOS. They refuse to honor their own T&C of Pixel6a battery program "if you are using Graphene OS". GOS is based on the same Android and has Pixel 6a battery workaround. #TechAdvocay #google #grapheneos. Repost!
VTsIOM has "improved" its methodology: now its staff not only phone Russians but also come with questionnaires right to their apartments.
And right after that, Putin's rating stopped falling.
I propose two more improvements.
1. If, for the question "do you trust Putin?", only "yes" answers are counted, the trust rating will be 100%
2. And if they come to Russians' apartments accompanied by Rosgvardiya officers and Center "E" officers, Putin's support level will instantly reach 146%.
(a routine reminder that all official Putin ratings are made up, and VTsIOM "polls" have no meaning whatsoever)
Apple and Google are gradually expanding their use of hardware-based attestation. They're convincing a growing number of services to adopt it. Google's Play Integrity API and Apple's App Attest API are very similar. Apple brought it to the web via Privacy Pass, which Google intends on doing too.
Google's Play Integrity API requires hardware attestation for the strong integrity level and is gradually phasing in requiring it for the more commonly used device integrity level. Apple already has it as a requirement. Over the long term, this will increasingly lock out hardware and OS competition.
The purpose of these systems is disallowing people from using hardware and software not approved by Apple or Google. This is wrongly presented as being a security feature. Banks and government services are the main ones adopting it but Apple and Google are encouraging every service to use it.
Apple's Privacy Pass brought hardware attestation to the web to help with passing captchas on their own hardware. Many people saw that as harmless since few sites would be willing to lock out non-Apple-hardware users. Apple and Google are both likely to bring broader hardware attestation to the web.
Google's reCAPTCHA is planning an approach where they use Privacy Pass on Apple hardware, their own approach on Google Mobile Services Android devices and a QR code scanning system to require an iOS or Google certified Android device for Windows and other systems:
https://t.co/7rQnioRa8A
Banking and government services increasingly require using a mobile app where they can use attestation to force using an Apple or Google approved device and OS. Apple's Privacy Pass, Google's 'cancelled' Web Environment Integrity and now reCAPTCHA Mobile Verification are bringing this to the web.
Current media coverage for reCAPTCHA Mobile Verification misunderstands it and the impact of it. They're bringing a hardware attestation requirement to Windows, desktop Linux, OpenBSD, etc. by requiring a QR scan from a certified smartphone to pass reCAPTCHA in some cases. They could expand it more.
Control over reCAPTCHA puts Google in a position where they can require having either iOS or a certified Android device to use an enormous amount of the web. Google defines certification requirements for Android which includes forcing bundling Google Chrome, etc. It's enormously anti-competitive.
Google's Play Integrity API bans using GrapheneOS despite it being far more secure than anything they permit. It also bans using any other alternative. This isn't somehow specific to an AOSP-based OS. You can't avoid this by using a mobile OS based on FreeBSD instead. You'll just be more locked out.
Google's Play Integrity API permits devices with no security patches for 10 years. The device integrity level can be bypassed via spoofing but they can detect it quite well and block it once it starts being done at scale. The strong integrity level requires leaked keys from TEEs/SEs to bypass it.
It doesn't provide a useful security feature, but it does lock out competition very well. Services requiring Apple App Attest or Google Play Integrity are primarily helping to lock in Apple and Google having a duopoly for mobile devices. Play Integrity is more relevant due to AOSP being open source.
Governments are increasingly mandating using Apple's App Attest and Google's Play Integrity for not only their own services but also commercial services. The EU is leading the charge of making these requirements for digital payments, ID, age verification, etc. Many EU government apps require them.
Instead of governments stopping Apple and Google from engaging in egregiously anti-competitive behavior, they're directly participating in locking out competition via their own services. Requiring people to have an Apple device or Google-certified Android device is anti-competition, not security.
reCAPTCHA Mobile Verification will currently work with sandboxed Google Play on GrapheneOS but it clearly exists to provide a way for them to start using hardware attestation on systems without it. People without an iOS or Android device will be locked out when this is required even without that.
This isn't about security or any missing functionality. GrapheneOS can be verified via hardware attestation. Google bans using GrapheneOS for Play Integrity because we don't license Google Mobile Services and conform to anti-competitive rules already found to be illegal in South Korea and elsewhere.
Services shouldn't ban people from using arbitrary hardware and operating systems in the first place. Google's security excuse is clearly bogus when they permit devices with no patches for 10 years but not a much more secure OS. It's for enforcing their monopolies via GMS licensing, that's all.
DeGoogled Android user?
Google's next-generation reCAPTCHA, presented to desktop users, prompts you to scan a QR code.
The catch? Google Play Services have to be enabled in order for it to work on these devices.
Let's dig in to what has changed, and possible solutions...
1/7
‼️🚨 ALARMING: Google now treats privacy as suspicious behavior by default. Users of GrapheneOS, CalyxOS, /e/OS, and other deGoogled Android phones are being locked out of millions of websites unless they install the exact Google Play Services software they deliberately removed.
GrapheneOS is recommended by the EFF and used by journalists, lawyers, and activists in high-risk environments. The audience most likely to read Google's data practices and refuse its terms is now flagged as fraudulent for that exact decision.
What happened?:
▪️ Google announced "Cloud Fraud Defense" at Cloud Next on April 22-23, 2026, branding it "the next evolution of reCAPTCHA." Existing reCAPTCHA customers were auto-migrated.
▪️ When the system flags traffic as suspicious, the old click-the-bus puzzle is gone. Users get a QR code instead.
▪️ Scanning the QR code requires Google Play Services running on the device. Internet Archive snapshots show this requirement has been live since at least October 2025, silently rolled out for 7 months before anyone noticed.
▪️ No Play Services = no QR scan = locked out.
The bigger picture:
▪️ Google already tried this in 2023. It was called Web Environment Integrity (WEI), and it would have let Google decide which devices were "real enough" to access the web. Standards bodies and the public pushed back hard, and Google killed it. Three years later, the same idea is back, just hidden behind a QR code instead of a browser feature.
▪️ reCAPTCHA runs on millions of websites. Every developer who keeps using it is now, by default, telling deGoogled Android users they're not welcome...
@horizon_secured iOS safari/firefox - no button
macOS safari/firefox - no button even without any extensions
Tor - button present.
Most likely pihole is messing with the subscription frame.
‼️🇺🇸 Utah is about to become the first US state to legally target VPN use as part of online age verification. The law goes into effect Wednesday, May 6, 2026.
🔴 If you are physically located in Utah, you count as a Utah user, regardless of whether you use a VPN, proxy, or any other tool to disguise your location. Websites are now legally responsible for age-verifying you anyway.
🔴 Sites that handle "material harmful to minors" are banned from sharing instructions on how to use a VPN, or from offering any means to bypass geofencing.
The EFF calls this a "liability trap." Websites cannot reliably tell where a VPN user actually is, so the safest legal move is either to block every known VPN IP outright, or to force ID-based age verification on every visitor worldwide. Either path subjects millions of users to invasive identity checks, regardless of where they actually live.
The Cato Institute put it bluntly. When a policy can be defeated by a privacy tool millions of people legitimately use, the policy is the problem.
The collateral damage is, as always, the people who actually need VPNs:
🔴 Journalists protecting sources
🔴 Domestic abuse survivors hiding from stalkers
🔴 Activists in hostile environments
🔴 Remote workers tunneling into corporate networks
🔴 Travelers banking from abroad
🔴 Anyone who simply does not want their ISP, employer, or data brokers reading their traffic
This is not staying in Utah. The UK's Children's Commissioner has called VPNs a "loophole that needs closing." France's Minister Delegate for AI and Digital Affairs has named VPNs as "the next topic on my list."
The EU is rolling out age verification across all 27 member states by end of 2026, with EVP Henna Virkkunen openly admitting they have no plan for VPN bypass yet.
Utah is leading by example.
EFF: "Attacks on VPNs are, at their core, attacks on the tools that enable digital privacy."