That case involved Talkspace, an online and mobile therapy services app. But the underlying problem is far bigger than one platform.

Millions of Americans are generating detailed records of their mental and physical health every day through apps that most people have never thought could be used against them legally.

Your sleep logs, your step counts, your mood tracking, and your calorie intake data are all stored on someone else’s servers. And when a lawsuit happens, the owner of those servers get a letter demanding the information.

This has already happened to people in divorce cases, custody disputes, employment lawsuits, and personal injury claims. The incriminating data existed and the other side’s lawyer found it. But by then it was too late to do anything about it.

Subscribe now

What “Subpoena” Actually Means Here

Most people think of subpoenas in the context of criminal investigations, like cops at the door. Scenes you would see in a Law & Order episode.

Civil litigation is quieter and far more common. Divorce proceedings, child custody disputes, personal injury claims, and employment lawsuits are scenarios where where health app data is increasingly being pulled into court. Those scenarios are also where you are far less likely to have thought about the long term implications of the data in advance.

In divorce proceedings, sleep patterns, stress levels, and activity data from health apps have been used to argue about a spouse’s mental state or ability to care for children. In personal injury cases, defense lawyers can use fitness tracker data to argue that a plaintiff is more active than their claimed injuries would suggest.

In one California case, a victim’s Fitbit showed a spike in heart rate followed by a rapid slowdown at the exact time a suspect claimed he was only there briefly to drop off food. In Connecticut, a man was charged with murdering his wife after data from her Fitbit showed she was moving around an hour after he claimed an intruder had killed her, and that she had covered far more distance than his account described.

These are criminal examples, but they illustrate the basic mechanics at play:

apps that record time-stamped physiological data create a parallel account of events.

In civil litigation, that parallel account is available to any attorney who files the right paperwork.

Your Health Apps Are Not Protected by HIPAA

Most people assume health data is private because there are laws about health data being private. There are, but those laws don’t apply to most of the apps on your phone.

The information stored in health apps isn’t covered by HIPAA, so companies can legally share the data. HIPAA applies to healthcare providers, insurers, and their direct business partners. The most common examples are your doctor’s office, your hospital, and your insurance company.

A consumer wellness app you downloaded from the App Store is a technology company. It sits entirely outside that regulatory framework.

This means Calm, Headspace, MyFitnessPal, most period trackers, most fitness apps, and most mood-logging tools have no federal obligation to treat your data as medical information. They have privacy notices, but privacy notices are not laws. If you read the fine print, you’ll find that these companies are required to disclose information to law enforcement officials with a subpoena or search warrant, or to other parties if a court so orders.

The one partial exception in the consumer app world is therapy platforms explicitly contracted with licensed providers and billed through insurance. Those may carry HIPAA obligations depending on how they’re structured. But even HIPAA isn’t the full shield people assume it is.

The protected status of “psychotherapy notes” under HIPAA does not generally extend to civil litigation brought by the patient where health records may contain relevant evidence and where the privilege has been waived. A typical example is when someone sues for emotional distress. By doing that, they’ve then made all records about their mental state fair game.

Share

What’s Actually Being Retained

Deleting an app doesn’t delete the data of course. The data lives on the company’s servers, often indefinitely.

Calm’s data retention policies do not define a clear length of time after which data or cookies are deleted. Headspace says it will keep personal information for as long as needed to perform its obligations, or for as long as legally permitted, and explicitly lists responding to subpoenas and court orders as a stated use of that data. MyFitnessPal retains personal information for as long as you maintain an account or as needed to provide services, and as necessary to comply with legal obligations, resolve disputes, and enforce agreements.

In plain terms:

years of data, sitting on servers, is available to any attorney who wants it badly enough and has a plausible legal argument for relevance.

The Talkspace situation illustrates this most clearly. The platform has, by its CEO’s own account to investors, amassed 140 million message exchanges. That database exists because the company records and stores conversations. The individual user never sees that infrastructure. They just see a chat window that feels private.

Subscribe now

My Take

What’s making health data more of a personal legal risk isn’t really the law. Subpoenas have always allowed adverse parties in litigation to get at your data. What’s changing is the richness of the data being generated and how long it persists.

Someone going through a divorce ten years ago had a phone and maybe some emails. Someone going through a divorce today potentially has years of detailed sleep data, mood logs, location history, calorie records, menstrual cycle data, and therapy transcripts, all of it stored in cloud accounts they stopped thinking about.

The risk isn’t hypothetical future legislation either. The risk is that the data you generated last year, when nothing was wrong, gets subpoenaed in a proceeding you haven’t imagined yet.

Auditing Your Exposure: a Threat-Model Approach

The right way to think about this isn’t “which apps are safe”. That’s too vague.

Instead, think about “which apps create risk in the specific scenarios most likely to affect me.” The three scenarios that drive the vast majority of civil health-data subpoenas are:

Read more

Hackers spent nearly ten weeks inside the network of the largest public health system in the United States, took the fingerprints of at least 1.8 million people, and the response was 24 months of credit monitoring.

Now the monitoring isn’t worthless. It covers real financial fraud risk. But it’s aimed at the wrong threat for the wrong timeframe. And NYCHHC isn’t a one-off. It’s the most visible example so far of something that’s going to keep happening.

Subscribe now

Biometric data collection has expanded rapidly across healthcare, government, workplaces, and financial services over the past decade. Each new collection point is another institution whose vendor could be compromised, and another population of people who had no meaningful say in the collection and will have no real remedy after the exposure.

The advice below is written for anyone in the NYCHHC dataset. But it applies equally to anyone whose fingerprints have ever been collected by an employer, a hospital, a government agency, or a background check vendor. That population is much larger than 1.8 million people, and it’s growing. Odds are you fall in that bucket.

Before getting into what to do, there are two risk timelines worth understanding, because they require different responses and almost no breach coverage distinguishes between them.

The first is immediate and concrete. The second is slower and speculative in the short term, but increasingly probable as tools get cheaper and the data ages.

Share

The Near-Term Threat Isn’t the Fingerprints

First things first. The near-term risk in this breach isn’t the biometric data. It’s what the biometric data comes packaged with because this breach didn’t take fingerprints alone. It took:

medical records, health insurance details, specific diagnoses and medications, Social Security numbers, passports, driver’s licenses, geolocation data, and financial account information.

That combination is the raw material for medical identity fraud, a specific and growing crime where someone uses your insurance to obtain prescriptions, medical equipment, or procedures in your name. You often don’t find out until a debt collector calls about a bill for a procedure you never received, or you go to use your benefits and find they’re exhausted.

While the theft of fingerprints are what gets the most attention, they aren’t the primary weapon by scammers in this scenario. What they do is make impersonation more convincing. An attacker who can call your insurer knowing your diagnosis, your medications, your policy number, and your SSN is already dangerous. Having the biometric data on hand is just one more piece to support the scam.

The Long-Term Threat Is Real, Just Slower

Stolen fingerprint templates can be used to reconstruct fingerprint images. With accessible equipment, including 3D printers and materials like silicone or gelatin, researchers have demonstrated the ability to create physical spoofs capable of fooling most consumer fingerprint sensors, including the ones used for mobile banking. This has been shown in controlled research and in real-world demonstrations.

The barrier today is effort because it takes more work than cracking a stolen password. But biometric data has an indefinite shelf life, and the tools to exploit it are getting cheaper every year. The people in this dataset will still be in it when the economics become more feasible.

The OPM case is the clearest precedent. When the Office of Personnel Management disclosed in 2015 that 5.6 million fingerprint records had been stolen, the agency acknowledged that:

“the ability to misuse fingerprint data is limited -- however, this probability could change over time as technology evolves.”

That was eleven years ago. The technology has evolved. The people whose fingerprints were taken have no more options now than they did then. The people in the NYCHHC dataset will still be in it when the economics shift. So will anyone else whose fingerprints are sitting in an institutional database somewhere.

Share

What the Credit Monitoring Is Actually For

The monitoring NYCHHC is offering is oriented toward financial fraud such as new credit accounts opened in your name, hard inquiries, score changes, etc. That’s the risk model that all breach responses are built for, because it’s the one with established, clear remedies. Biometric exposure doesn’t fit into it, and medical identity fraud fits into it imperfectly at best. Neither is the core use case the monitoring was designed for.

Part of why the remediation is so narrow is that there’s no legal framework requiring anything broader. There’s no federal biometric privacy law. HIPAA governs how healthcare institutions must secure data, not whether they should be collecting certain kinds of data in the first place.

Illinois’ Biometric Information Privacy Act is the closest thing to a meaningful framework in the country, and it only applies in one state. NYCHHC collected millions of fingerprints under a legal framework designed for an earlier era, and the remediation framework that kicked in when it was breached was designed for a different kind of data entirely.

The steps below address the actual threat. Some are specific to people in the NYCHHC dataset. Most apply to anyone whose biometric data has ever been held by an institution, which, if you’ve been employed, treated at a major healthcare system, or processed through a government agency in the last decade, is probably you.

Read more

Change your password, keep an eye on your credit report, and you’ll probably be okay.

The NYC Health + Hospitals breach doesn’t have that. There is no version of “okay” available for the 1.8 million people whose data was taken, because among the things hackers walked out with were fingerprints and palm prints.

Those cannot be changed. They cannot be cancelled and reissued. The people in this database are more exposed today than they were in January, and that will still be true 15 years from now.

Subscribe now

NYC Health + Hospitals, the largest public health system in the United States, disclosed the breach on May 18. Hackers were inside its network from late November 2025 through early February 2026, nearly ten weeks, entering through a compromised third-party vendor.

What was taken varies by individual but covers a lot of ground:

• medical records

• Social Security numbers

• passports

• driver’s licenses

• health insurance details

• billing and financial data

• geolocation data

• biometric data including fingerprints and palm prints.

NYCHHC is offering 24 months of credit monitoring to those affected. The fingerprints were almost certainly collected during employee onboarding, as prospective staff are generally required to enroll their fingerprints for criminal background checks. Whether patients’ biometrics were also compromised has not been confirmed.

The standard breach response assumes compromised data can be fixed in some form:

• Passwords reset.

• Credit cards get cancelled.

• Even a Social Security number can be changed (even if not easily)

• You can freeze your credit, set up an IRS identity protection PIN, and file fraud alerts.

The entire response to a data breach is built on that assumption.

Biometric data doesn’t fit into that arrangement though. A stolen fingerprint template is useful to a criminal today, in five years, and in twenty. It has no expiration date.

Share

This isn’t the first time this has happened. In 2015, hackers breached the US Office of Personnel Management and took 5.6 million fingerprint records from federal employees and contractors. Those people were offered credit monitoring. More than a decade later, no additional remedy was ever provided. The NYCHHC breach just added 1.8 million more people to that list.

For the most part, this story is being treated as a healthcare cybersecurity story. Just another hospital breach that is unfortunate but familiar.

That’s not entirely wrong, but it misses something.

When an institution collects your fingerprints, it permanently takes on a liability that it can eventually shed but that you never can. NYCHHC can get breached, patch its systems, update its vendor contracts, issue its press release, and move on. The people in its database carry the exposure for the rest of their lives. The 24 months of credit monitoring is the institution’s closure. For the individual, there’s nothing similar because the exposure of biometric data never ends.

If there’s one practical thing worth doing today, regardless of whether you’re directly affected by this breach, it’s reconsidering your use of biometric data.

Regular readers know we’re not a fan of the technology and have advised against it for some time. For your most sensitive accounts, including your personal devices, a strong PIN or passphrase has distinct advantages, including:

• it lives only in your head and can be changed if something goes wrong.

• Law enforcement (at least in the US) can’t compel you to provide a password to unlock your devices, but in some jurisdictions, they can compel you to use your biometrics

The harder question is what people are what to do about compulsory biometric use like at work or for some government service. And what are people owed when the government or an employer takes their biometrics then is compromised?

In most cases, it’s not an option to decline or opt out of providing your biometric data to an employer or the government. But two years of credit monitoring isn’t a true remedy. It’s laughably insufficient and disproportionate to the harm.

The fingerprints stolen from OPM in 2015 are still stolen, still potentially useful, and the people who lost them still have no meaningful remedy. Modern society has built an entire infrastructure for collecting biometric data without building any corresponding accountability for when it’s lost.

That needs to change.

Subscribe now

Looking for help with a privacy issue or privacy concern? Chances are we’ve covered it already or will soon. Follow us on X and LinkedIn for updates on this topic and other internet privacy related topics.

Disclaimer: None of the above is to be deemed legal advice of any kind. These are *opinions* written by a privacy and tech attorney with years of working for, with and against Big Tech and Big Data. And this post is for informational purposes only and is not intended for use in furtherance of any unlawful activity. This post may also contain affiliate links, which means that at no additional cost to you, we earn a commission if you click through and make a purchase.

• Know your doxxing risk. DoxxScore gives you a personalized exposure assessment and action plan in under 5 minutes. Get Your Risk Score →

• Check out our new, free username generator to help you create unique usernames for different accounts. Reusing usernames is convenient, but terrible for your privacy. This tool makes it easy to create unique usernames on the fly.

  Share Secrets of Privacy

Article sources:

Sources:

• https://www.securitymagazine.com/articles/100424-trust-in-biometric-data-is-declining-among-consumers

• https://www.nextgov.com/cybersecurity/2015/09/opm-says-more-fingerprint-data-was-stolen-opm-hack-first-believed/121781/

• https://thenextweb.com/news/nyc-health-hospitals-data-breach-biometrics-fingerprints

when a breach includes booking details specifically, the follow-on scam isn’t generic phishing. It’s targeted.

A scammer with your name, your hotel, and your travel dates can reach out in a way that feels completely legitimate, because the details are real.

Since then I’ve had people ask some version of the same question.

How do I know if a message from my hotel is real? How do I verify without getting it wrong?

That’s the right question. Unfortunately it’s also the wrong moment to be asking it.

In this post I'm going to walk through a pre-booking privacy protocol that actually reduces your exposure before anything goes wrong. Most of it is straightforward. One tip comes from a travel insider friend that turns out to have a privacy benefit nobody talks about.

Subscribe now

By the Time You Get the Message, It’s Too Late

By the time someone sends you a message referencing your reservation at your hotel, the hard part of the scam is already done. The attacker has what they need. Your vigilance at the point of contact still matters, such as catching the payment method requests, the urgency pressure, the slightly-off domain name. But it’s a last line of defense operating after the window for real prevention has closed.

Researchers at Sekoia documented a campaign in 2025 in which attackers compromised hotel staff credentials and used that access to contact guests directly over WhatsApp and email, with accurate reservation details in hand. The cover story was a routine verification procedure.

It was convincing because the details were real. That campaign predates the Booking.com breach, which means the data exposure problem isn’t specific to one platform or one incident.

The Scale of the Problem is Noteworthy.

According to the FTC, there were more than 58,000 reports of travel, vacation, and timeshare fraud in 2024 totaling $274 million in losses. That almost certainly undercounts the actual number, since most fraud goes unreported.

AI has made the identification problem meaningfully worse. The old tells like awkward phrasing, generic salutations, obvious typosquatting have been largely neutralized. What researchers from iSeatz and Carnegie Mellon have both flagged is that urgency remains one of the more reliable signals, but it’s a thin thread to hang your security on when everything else about the message looks right.

Voice cloning technology now allows attackers to impersonate airline representatives using voice samples pulled from publicly available customer service recordings. Click-to-call ads on mobile search results can route you directly to a scammer posing as your airline without any visible indication something is wrong. The technical sophistication of these attacks is increasing faster than most people’s awareness of them.

The Window Most People Don’t Use

Here’s what I think gets missed in most coverage of this topic. Every article I’ve read (and I’ve read a lot of them recently) focuses on how to recognize a scam when it arrives.

• Check the domain.

• Look for urgency.

• Call the hotel back using a number from the official site.

All of that is correct. But it treats the moment of contact as the starting point.

It isn’t.

There’s a window between when you decide to travel and when you finalize your reservation, and the decisions you make in that window determine how much information is circulating about you when something eventually goes wrong. Travel platforms know a surprising amount:

your name, email, phone number, travel dates, specific property, number of guests, special requests, payment method, and in many cases device and IP data.

That information sits in their systems long after your trip ends, feeding loyalty programs and in some cases data-sharing arrangements you didn’t explicitly agree to.

What you hand over, and to how many different systems, is something you can actually influence, but only before you confirm.

Most people never think about it until a suspicious message lands.

The Pre-Booking Protocol

None of this requires technical expertise. It’s a set of small decisions made earlier in the process than most people consider. Including this first tip from a long time friend in the hospitality industry.

Read more

Not in some vague, aggregated sense. They have a record of the domains your phone connected to, the apps that sent requests, and depending on which programs you haven’t opted out of, your physical location derived from cell towers rather than your GPS. Turning off location on your phone doesn’t touch that.

The good news is you can do something about it. The bad news is that most of the settings you’d instinctively reach for don’t address the problem. I’ll show you below what settings you need to tweak and the one tool that ISPs wish you wouldn’t use.

Subscribe now

Why Carrier Tracking Is Different

When you use incognito mode or clear your cookies, you’re affecting what gets stored on your device and limiting some cookie-based tracking. Your ISP operates independently of all of that.

AT&T, for example, states in its privacy notice that when it collects web browsing information as an internet service provider, it “works independently of your web browser’s cookie and private browsing settings.” What your browser knows and what your carrier knows are separate data streams.

The same applies to device location settings.

Your phone’s location toggle controls what apps can access. Your carrier can collect location data from the network itself, derived from which cell towers your phone is connecting to, without involving your device’s GPS at all.

This isn’t a loophole or a gray area. It’s how these programs are designed to work. And it’s all legal.

Share

How We Got Here

In 2016, the FCC passed broadband privacy rules that would have required ISPs to get affirmative opt-in consent before using or sharing your browsing history and other sensitive data. Congress repealed those rules in 2017, largely along party lines, and President Trump signed the repeal into law. Because the repeal used the Congressional Review Act, the FCC is also blocked from issuing any substantially similar rule without future legislation specifically authorizing it.

That leaves a genuine regulatory gap. The FTC nominally handles privacy for most industries, but its jurisdiction over ISPs, which are classified as common carriers, is legally complicated. The practical result is that the major mobile carriers operate opt-out advertising programs, and customers are enrolled by default.

What Each Carrier Actually Does

Verizon runs two tiers. The Custom Experience program, which all consumer smartphone customers are enrolled in by default, uses information about websites you visit and apps you use to build interest profiles. Custom Experience Plus, which requires an opt-in, adds device location obtained from the Verizon network and Customer Proprietary Network Information, including call details. Your device location settings have no effect on it. The carrier doesn’t need your GPS because it uses the towers your phone is already connecting to.

AT&T runs a similar structure. The base “Personalized” program is on by default and uses demographic data, general location, and account usage to tailor ads. “Personalized Plus” requires an opt-in and is where AT&T collects web browsing data as your ISP, adds precise location, and shares it with third parties. Per AT&T’s own policy, both programs operate independently of your browser’s private mode and cookie settings.

T-Mobile runs the Magenta Advertising Platform. Its Do Not Sell or Share page states directly: “We may sell or share your personal information on this website or app.” T-Mobile’s Privacy Dashboard contains multiple toggles that are on by default, and the Do Not Sell toggle doesn’t automatically cover advertising programs you may have previously opted into. Those require separate action.

Then there’s Starlink, which until recently was the exception. As a satellite provider with a simpler business model, it had stayed out of the ad profiling game. On January 15, 2026, Starlink updated its global privacy policy to allow the use of customer data to train AI models, including sharing with third-party collaborators for their own independent purposes, unless customers opt out. Starlink clarified afterward that individual browsing history and destination IP addresses are not included. Account data, contact information, and usage metrics are.

What “We Don’t Sell Your Data” Actually Means

All three major carriers use some version of this language. Verizon states it doesn’t sell information from its Custom Experience programs to others for their own advertising.

What they do is build interest profiles and then use those profiles to power their own advertising platforms, which brands pay to target against. The data doesn’t move to a third party. The targeting capability does. That distinction matters considerably to the lawyers who drafted those privacy policies. It matters less to you as a subscriber.

While the 2017 repeal didn’t create this business model, it did clear the path for it.

Here’s What the Opt-Out Menus Don’t Tell You

Opting out of these programs stops the ad-tier profiling. It doesn’t affect the data your carrier collects to actually provide service. Call records, billing data, network diagnostics, the cell towers your phone touched today, all of that continues regardless of your privacy settings. What these opt-outs address is the separate commercial layer built on top of operational data.

There’s also a timing problem.

Read more

So it’s understandable if you overlook a new effort by New York State to regulate what you can use a 3D printer for. The problem is this new law would have repercussions far beyond 3d printers.

In fact, it’s another example of legislatures (backed by special interests) using a sympathetic cause to push for a privacy invasion.

Subscribe now

What This Law Is Actually Building

New York’s still-unfinished 2026-2027 budget contains a provision requiring every 3D printer sold in the state to ship with mandatory surveillance software. The stated goal is stopping people from printing untraceable “ghost guns” at home. In practice, this means that the 3D printer software will scan every print job against a government-specified algorithm and will refuse to execute anything it flags as a potential firearm component.

Whether that goal is legitimate is a separate conversation. What matters here is the mechanism being built to pursue it:

a government-specified prohibited-content list, embedded inside a consumer device at the manufacturer level, and enforced by criminal law.

It’s worth noting that New York isn’t alone. California and Washington are pursuing identical legislation in the same session. Which implies there’s a centralized push to enact these laws in friendly jurisdictions before wider deployment.

So far, most of the coverage of these bills has stayed inside the 3D printing community, focused on whether the algorithm actually works. That’s the wrong frame and not thinking big picture enough.

The larger concern is what gets established as legally acceptable, and which devices legislators decide to target next. Because the legal precedent set here can easily apply to other commonly owned devices.

What the Algorithm Actually Has to Do

A brief overview of 3D printer technology is helpful here to understand why 3D printers are the initial target.

3D printers work by following a script that includes thousands or even millions of tiny instructions that say things like “move left 2mm, extrude a little plastic, move right 3mm.” The printer executes these one by one, in order, with no idea what it’s making. It doesn’t know if it’s building a chess piece or a phone case. It just follows the list.

To comply with a law like the one proposed in New York, manufacturers would have to build software capable of analyzing that code in real time. The software would need to infer the geometry of the object being constructed, and compare it against a prohibited-shapes database. It would stop working if it matched a prohibited design.

Pilot tests found these algorithms triggered on 17% of non-weapon prints due to superficial geometric resemblance to firearm components. Things like L-shaped brackets and cylindrical housings. Basically anything that looks vaguely like a barrel or receiver to software with no ability to understand context.

The algorithm doesn’t work well enough and has a high false positive rate, which is a problem in and of itself. Similar things are happening with the AI technology automobile manufactures will soon be required to deploy in vehicles in the U.S. and EU. The tech doesn’t work well enough to meet the stated goal.

But whether the tech works or not is likely beside the point.

Share

What This Law is Actually Building

The surveillance apparatus required to block the 3D printing of firearm components is comprised of the following:

• A database of prohibited designs maintained by the state and updated at the state’s discretion, with no public process for contesting entries

• Mandatory firmware on a general-purpose manufacturing device that checks against that database

• Class E felony charges for possessing certain design files, even if you never print anything

• Criminal penalties for anyone who share those files with anyone the state hasn’t licensed.

The censorware doesn’t even have to work to cause harm. Creating a government-controlled blacklist baked into consumer devices, backed by criminal penalties is the harm. The technology is almost beside the point. The real goal is creating infrastructure to monitor and restrict consumer behavior, and the ghost gun argument is just how they’re selling it.

On the Ghost Gun Rationale

If you’ve read my coverage of age verification laws, the ghost gun rationale will feel familiar. (see here)

“Protect the children” is a political argument that is almost impossible to oppose publicly, which makes it an effective vehicle for pushing through surveillance infrastructure that would face real scrutiny if proposed on its own terms. Nobody wants to be the legislator who voted against protecting kids. The policy that gets attached to that rationale is almost beside the point.

Ghost guns serve the same function here.

“Stop people from printing untraceable weapons at home” is the kind of argument that can move quickly through a legislature, especially when it’s buried in a budget bill rather than debated as standalone policy.

The 3D printing community is fighting it on technical grounds, arguing the algorithm doesn’t work and the false positive rate makes it unworkable. Both things are true.

But a law doesn’t have to achieve its stated purpose to establish a precedent. What matters is what legal architecture gets built in the attempt, and whether that architecture is available for the next application once this one normalizes it.

Subscribe now

The “Dual-Use” Problem

“Dual-use” is a term used in military and export-control law, where it describes technologies with both legitimate civilian applications and potential weapons uses.

That term used loosely applies well in the 3D printer regulations context because the underlying logic is the same. Every legislature that passes a version of this 3D printer law is establishing that a consumer device with obvious legitimate uses can be required by statute to run government-specified content-filtering software, enforced at the firmware level. Criminal penalties are available for circumvention.

3D printers are the test case. They’re politically convenient because the user base is small and most voters don’t own one. The same statutory structure can be applied to any device a future legislature decides fits the same description.

The 3D printing angle is ultimately a distraction. Here’s what this actually looks like applied to devices you do own.

Routers

Your home router transmits web traffic that could, theoretically, be used to plan violence or coordinate criminal activity. A dual-use designation doesn’t require the device to be primarily used for harm. It requires only a plausible argument that it could be.

Under a router-targeting version of this template, your ISP or router manufacturer could be compelled to run state-specified deep packet inspection firmware, refusing to route traffic flagged by a government algorithm, with criminal liability for anyone who tries to disable it.

Laptop Cameras

Your laptop camera can be used to record things the state might someday want to restrict. So can your phone.

We already have a live version of this debate in the CSAM (child sexual abuse material) scanning context, where governments have pushed Apple and others to implement client-side scanning that checks your photos against a government database before you can upload them. The 3D printer law is that argument applied to manufactured objects rather than digital images.

General Equipment

A document scanner in a law office, a CNC router in a small machine shop, and a laser cutter in a school makerspace are all general-purpose tools that can produce outputs someone in a legislature might someday want to prohibit.

The legal template being built in New York doesn’t care which device it’s applied to. It needs a public-safety rationale, a device class the public doesn’t feel strongly about, and a state legislature willing to bury the provision in a budget bill.

The Manufacturer-Compliance Wrinkle

One thing that gets lost in the “government surveillance” framing is the state doesn’t run this software. Manufacturers do. And they do so under compulsion from the state, which is effectively getting the manufacturer to do their surveillance dirty work.

This is a feature, not a bug.

It gives the state the surveillance outcome without the accountability that would attach to a government-run program. The manufacturer takes the legal and reputational exposure. The state gets the compliance. Users get a device that reports their activity to a third party under terms they can’t negotiate, enforced by criminal law.

Where This Stands

New York’s budget is still being negotiated, and this provision could be stripped in conference. California’s AB 2047 and Washington’s HB 2321 are still moving. If any of these pass, the others get easier.

A passed law is a model. Legislators who want to look tough on ghost guns will cite the precedent, and manufacturers who’ve already built compliance infrastructure for one state will lobby for uniformity rather than a patchwork.

The 3D printing community is fighting this on technical grounds. Those arguments are correct. They’re also arguments about a narrow constituency. The precedent being set here goes far beyond 3D printing.

Subscribe now

Looking for help with a privacy issue or privacy concern? Chances are we’ve covered it already or will soon. Follow us on X and LinkedIn for updates on this topic and other internet privacy related topics.

Disclaimer: None of the above is to be deemed legal advice of any kind. These are *opinions* written by a privacy and tech attorney with years of working for, with and against Big Tech and Big Data. And this post is for informational purposes only and is not intended for use in furtherance of any unlawful activity. This post may also contain affiliate links, which means that at no additional cost to you, we earn a commission if you click through and make a purchase.

• Know your doxxing risk. DoxxScore gives you a personalized exposure assessment and action plan in under 5 minutes. Get Your Risk Score →

• Check out our new, free username generator to help you create unique usernames for different accounts. Reusing usernames is convenient, but terrible for your privacy. This tool makes it easy to create unique usernames on the fly.

  Share Secrets of Privacy

Her owner, Dennis Morida, did what anyone would do:

posted photos on social media and neighborhood apps asking for help.

Within hours, he received a call from someone claiming to be a police sergeant. Hazel had been hit by a car, the voice said. She was at a local vet, awaiting surgery.

A photo arrived showing what appeared to be Hazel injured on an operating table. The couple paid nearly $2,000. Then a strange thing happened - Hazel showed up next morning on her own at the house.

Turns out the photo was fabricated using AI tools and the real images Morida had posted publicly. The caller was never a police sergeant and Hazel was never hurt.

The whole operation, from monitoring the post to pulling the photos to generating the fake photo to making the call probably took minutes.

Subscribe now

What You’re Actually Publishing

What made this scam possible wasn’t the AI, which is just a tool. It was the information Morida provided for free.

A lost pet post is, structurally, a targeting package. Consider what it contains:

• a clear photo of the subject with enough detail to generate convincing fakes

• your phone number or a direct way to reach you

• your approximate neighborhood

• the breed and distinctive markings of the animal

• an unmistakable signal that you are emotionally compromised and willing to pay quickly to resolve the situation.

Scammers don’t need to guess anything. It’s sitting in a public post, searchable, broadcasting to anyone who happens to be watching.

It would be nice if this was just a handful of bad actors stumbling across posts. But it’s looking more like organized monitoring.

The Animal Compassion Team, a Fresno, California-based nonprofit, told local media they receive around 20 calls per day from pet owners reporting similar incidents. This is a volume that suggests systematic social media surveillance, not random opportunism.

The cases follow a consistent script. In December 2025, an elderly Fresno man received a message claiming his missing service dog, Chewie, had undergone surgery at a specific local veterinary clinic. The scammer sent AI-generated photos of Chewie appearing to recover from a procedure inside that facility, built from images the owner had shared online months earlier when Chewie first went missing.

Fortunately the man called the clinic directly before sending any money. The clinic confirmed they had never seen the dog.

Not everyone makes that call though.

Subscribe now

In March 2026, an Alabama man named James Laiacona posted about his missing Chihuahua, Tank, on a Monday. Tuesday morning, a caller told him Tank had been hit by a car and was in surgery, implying the procedure would stop without immediate payment. Laiacona paid $900 before the call ended. Tank was found safe later.

The AI image component doesn't need to be sophisticated. A photo of a specific dog's face placed in a generic surgery setting is enough to override rational thinking in someone who is already panicked, and that's really all it needs to do.

Share

The AI Isn’t the Story

Most coverage of these cases focuses on the image generation technology, as though that’s the novel part. TBH, these same scams could be done pre-AI with photoshop, though perhaps not as quickly.

The more useful observation is deeper:

this scam only works because public distress posts create reliable, detailed targeting opportunities at no cost to the scammer.

Lost pet posts are one instance of a broader pattern. The scam works the same way for any post that:

• simultaneously signals emotional vulnerability

• announces a problem the person would pay to solve

• identifies the subject clearly enough to generate convincing fakes, and

• provides a direct contact method.

AI tools just lowered the production cost of acting on that information to nearly zero.

Most protective advice focuses on recognizing the scam after contact has been made. However, the lost pet post itself is where the exposure happens, and there’s a way to ask for help publicly without broadcasting the details that make you targetable.

What to Share Publicly, and What to Withhold

The goal of a public lost pet post is to get recognized and reported by someone in your area. It doesn’t require providing everything a scammer needs to impersonate that scenario convincingly.

Read more

That’s not how it usually works. In fact, the most common version requires no special skills at all.

The doxxer just needs a name, some publicly available websites, and about 20 minutes. Top sources they look at are people search sites, property records, and old social media accounts. Data broker sites that aggregate all of it in one place are even better.

The important takeaway is that the information needed to doxx you is already out there. Someone just has to look and put the pieces together.

Subscribe now

Most people who care about privacy have done something about it. Switched to a different search engine, maybe. Stopped posting publicly as much. They’ve thought about it, which puts them ahead of most people, but thinking about it tends to produce a general sense of being careful rather than any real picture of what’s actually out there.

The gap between “I’m pretty private” and what someone could find about you in twenty minutes varies enormously depending on who you are and what you’ve done online over the past decade. Someone with a common name and no social media footprint has a different risk profile than someone with a decade of LinkedIn history, a public Instagram, and a home address on their business website.

The exposure also isn’t uniform across life circumstances.

People going through a divorce, changing jobs, or relocating often have vulnerabilities they haven’t stopped to consider. Attorneys, therapists, real estate agents, teachers, basically anyone in a public-facing role tends to be more findable than they realize, because their work requires a certain amount of visibility. Parents who posted about their kids through the 2010s have left a trail they’ve probably never looked at as a whole.

You can’t do much about any of this without first knowing where you stand.

What DoxxScore Does

DoxxScore is a self-assessment tool we built. It walks you through a five-section questionnaire covering seven risk categories, including search visibility, social media exposure, contact information accessibility and identity linkage. It then runs your email against known breach databases and calculates a personalized risk score from 0 to 100.

The output isn’t a generic checklist. It’s a prioritized action plan built around your answers, with difficulty ratings and time estimates for each step, so you know what to tackle first and what can wait. Delivered as a web report and a PDF sent to your email.

One-time cost of $19. No subscription, no recurring charges.

Why This Exists

The hardest part of improving your privacy isn’t finding advice. There’s no shortage of that.

Instead, the hardest part is knowing where to start when you don’t know how exposed you actually are.

DoxxScore answers that question first. Once you know your risk profile, the path forward gets a lot clearer.

If you’ve been meaning to get a handle on your digital exposure but haven’t known where to begin, this is a good place to start.

Take the assessment at doxxscore.com. Use discount code LAUNCH50 for 50% off (only 20 discounted spots, so don’t wait).

Questions about how it works, what the report looks like, or what goes into the scoring? Reply and ask.

Further reading on doxxing risk:

Meta wants training data for the AI agents it’s racing to ship.

A company spokesperson confirmed as much directly, saying:

the models need real examples of how people actually use computers, and that the best way to get those examples is to watch employees at work.

This is the third announcement like this in four months. Workplace activity is becoming AI training data, and most workers are still thinking about workplace surveillance the way they thought about it five years ago. That model is out of date, and here’s why.

Subscribe now

Three Pipelines, One Supply Chain

Three distinct streams are feeding into the same data supply chain.

The first is active collection from current employees. Meta is the highest-profile example. Any employer large enough to train its own AI models has an obvious incentive to start here, because in-house employee data is free and already flowing through company systems.

The second pipeline runs through contractors. In January, Wired reported that OpenAI's data vendor Handshake AI started asking its freelance contractors to upload real work products from their past and current jobs. Actual contracts, financial models, decks, and code repositories produced for other employers. The point of collecting these documents is to feed them into OpenAI's training data, where they become part of the model weights. Handshake provides a tool called "Superstar Scrubbing" to help contractors remove confidential information before uploading. The original employers and clients are not in the loop.

The third is the dead-company market. On April 16, a startup called SimpleClosure launched a platform called Asset Hub that helps shutting-down companies monetize what its CEO, Dori Yona, calls “operational exhaust.”

The full archive of a defunct company (years of Slack messages, Jira tickets, email chains, Google Drive folders) gets bundled and sold to AI labs as training material. Per Forbes, SimpleClosure has processed nearly 100 of these deals in the past year, with payouts ranging from $10,000 to $100,000 per company. A competitor called Sunset is doing the same thing.

The first company to go through this at scale was cielo24, a transcription business that shut down after thirteen years. Its former CEO, Shanna Johnson, sold every Slack message, internal email, and Jira ticket for what she described as hundreds of thousands of dollars.

Share

It Isn’t Just Meta, and It Isn’t Just Engineers

A reasonable response at this point is that these are three tech-industry stories about tech-industry companies, which doesn’t necessarily say much about the average worker. I don’t think that holds up, and a viral video from 2024 is a decent way to show why.

The post hit four million views because people found it viscerally strange.

But the software running in that coffee shop wasn’t custom-built. It was sold to the cafe by a vendor, which means the same vendor is selling it to other cafes, other retail operations, other small businesses.

Each of those installations generates data about how humans interact with physical workspaces, which happens to be exactly the kind of embodied-workflow training data AI labs are short on. And the worker making the coffee has even less leverage than the Meta engineer to negotiate what happens to any of it.

The Breach Problem Nobody Is Pricing In

Every company involved in this supply chain says it strips personally identifiable information before the data changes hands. SimpleClosure says it, OpenAI says it, Meta says it. The claim is that your name, email, and phone number come out before the archive goes to the buyer.

That’s the wrong thing to focus on.

A Slack archive with names removed still contains your writing style, your project details, your references to specific coworkers and clients, your internal jokes, and the content of what you actually said. ‘Anonymized’ doesn’t mean what it did 50 years ago. For nearly 20 years, it’s meant something closer to ‘lightly disguised’ when in the right (wrong?) hands. More to the point, the content itself is the sensitive material.

• A complaint about a manager.

• A disclosure of a medical condition.

• A complaint about a client.

• A half-formed opinion about a competitor.

These don’t need your name attached to be damaging, and PII scrubbing doesn’t touch them.

There’s also a concentration problem.

An AI lab holding archives from a hundred defunct companies is a bigger breach target than any one of those companies ever was. If that lab gets breached, the fallout hits every former employee of every source company at once, years after they’ve moved on. The risk isn’t contained by the original employer closing its doors. It’s been handed off to a third party who now has every reason to keep the data and every reason to keep buying more.

Workplace Monitoring Used to Have An End Point

What feels different about this moment is that the purpose of workplace monitoring has shifted.

Traditional workplace monitoring existed to inform management decisions.

Was Kelly productive enough? Should she be promoted? Should the team be restructured?

The data was analyzed inside the company, for the company’s own use. It was invasive, but it was somewhat bounded.

What’s happening now operates on a different level.

Workplace activity is being harvested as a commodity that sells on an open market. The data doesn’t stay within the company that collected it. It feeds models that get deployed into thousands of other workplaces. The worker who clicks through a dropdown menu on a Meta laptop today is effectively helping train the AI that will, in two or three years, replace some other worker at some other company. And that worker hasn’t been offered anything in exchange.

There’s no opt-out in most of this. Most employment agreements don’t address it at all (yet). The IP assignment language employees signed when they took their jobs was written on the assumption that the employer might use work product internally. Nobody was anticipating the secondary market in employee work product.

Your Defensive Playbook

The rest of this piece focuses on what you can actually do, because there are meaningful moves available.

Most employers haven’t worked out their own policies on this yet, which means there’s a window of time where individual pushback can shape outcomes. And even solo workers without any collective bargaining power can meaningfully limit their exposure, if they know what to look for.

Read more

Instead, they open with your actual profile photo, your real follower count, and a thumbnail of your most recent post. Everything in the email looks legitimate because the attacker pulled your public data before sending you anything.

This comes from a phishing campaign documented this week by Malwarebytes that pulls real YouTube channel data to build a personalized copyright scare page. The moment you land on it, the page already knows your avatar, your subscriber count, and your most recent video. If you enter your credentials on the fake Google sign-in it serves up, you lose your entire Google account.

And while this particular scam focuses on YouTube, it can equally apply to any number of other platforms, from Facebook to Instagram to Substack. Creators are especially at risk.

Subscribe now

This scheme runs like a global hacker franchise. Multiple attackers share the same phishing kit, each running their own campaigns with their own affiliate ID embedded in the links. One operator can swap out the destination domain at any time to evade takedowns. That means the infrastructure stays live even when individual phishing pages get flagged.

There’s also a detail that says a lot about how professionally these operations are being run. The scam automatically screens out any channel with more than three million subscribers, instead showing those creators a clean bill of health rather than a scare page. The reason is simple if you think about it:

Large creators are more likely to have security staff, YouTube contacts, or the visibility to get the operation shut down quickly. Smaller creators, who have less protection and just as much to lose, are the higher value target.

The reason this scam works is that YouTube has a public API. In case you think this is just a YouTube problem, public APIs are not unique to YouTube. Any platform that displays your profile photo, follower count, and recent activity to the world gives an attacker the raw material to build a personalized scare page.

Facebook business pages, LinkedIn profiles, Etsy storefronts, Substack publications all expose enough public data to run the same scheme. A fake “your Facebook page has been flagged for removal” notice showing your page name, your follower count, and your most recent post would be just as convincing to a small business owner as the YouTube copyright notice is to a creator.

Voice cloning has crossed what researchers at the University at Buffalo describe as the “indistinguishable threshold.” Some major retailers are already reporting over 1,000 AI-generated scam calls per day.

The family emergency call, the one where you hear your daughter’s voice saying she’s been in an accident, is no longer a theoretical risk. It’s running at scale, and it runs on a few seconds of audio pulled from a public video or voicemail. Experian’s 2026 fraud forecast describes intelligent bots carrying out automated family-member-in-need scams with a sophistication that wasn’t possible even two years ago.

Both of those attacks share the same logic as the YouTube scam. They start with real data about you, pulled from public sources, and use it to make the approach feel legitimate before you’ve had a chance to think.

There’s a separate but related story worth knowing about too. A credential-stealing malware called Omnistealer revealed the other day hides its attack code inside blockchain transactions on networks like TRON and Binance Smart Chain. Because blockchains are append-only, those malicious snippets are effectively permanent once they’re mined into a block. You can take down a malicious GitHub repo or revoke a domain, but you can’t roll back TRON to remove a few hundred bytes of malware staging code.

The campaign has been linked by on-chain forensics to (no surprise!) North Korean state-sponsored actors. It spread through fake developer job offers on LinkedIn and GitHub where technically skilled targets handed what looked like a routine freelance project.

While the personalization angle is less pronounced here, what Omnistealer illustrates is the other half of the same shift:

sophisticated fraud operations are not only getting better at targeting people, they’re getting better at making their infrastructure difficult, if not impossible, to shut down. The attacks are more convincing and more resilient at the same time.

That combination is what makes this moment different from previous waves of online fraud.

Share

For most of the history of online fraud, the attacker’s main constraint was personalization. A phishing email that addressed you by name was already considered sophisticated. And a scam call that knew where you worked was alarming.

Building a scam that looked genuinely specific to you (your face on the page, your voice in the audio or your channel data in the copyright notice) required real effort and real resources. That constraint kept the scam volume down. It limited who could run these operations and how many people they could reach.

That constraint is gone, and it’s not coming back.

The YouTube copyright kit fetches your real data automatically from a public API. Voice cloning tools require a few seconds of audio, freely available for most people who have ever posted a video or left a voicemail. The personalization layer is now a commodity. Anyone with modest resources can build an attack that feels like it was made specifically for you, because technically, it was.

What legislators and most security advice haven’t caught up to yet is that the old detection signals no longer work. You were told to look for misspellings, generic greetings, implausible urgency. An email that called you “Dear Customer” was a tell. None of that applies anymore. The new signals are different, and defending against them requires a different posture.

Subscribe now

How to Defend Yourself

The defense move here isn’t about being more skeptical of suspicious-looking messages. That’s because messages won’t look suspicious. The defense is structural, which means developing habits and configurations that hold up even when the attacker has already done their homework on you. Here’s how to do that.

Read more

Yet their faces ended up training a facial recognition system that now sells to police departments, government agencies, and the military.

How did that happen?

Subscribe now

The U.S. Federal Trade Commission (FTC) alleged that OkCupid shared users’ photos, location data, and demographic profiles with Clarifai, a “computer vision company”. They did so without user consent and in direct violation of its own privacy policy. OkCupid’s founders were personally invested in Clarifai, and one of them sent the photos from his personal email account, bypassing any corporate oversight.

No contract governed the data handoff. And no restrictions were placed on what Clarifai could do with the misappropriated data.

Clarifai ended up using the images to build technology capable of identifying the age, sex, and race of faces. The company has since secured contracts with the U.S. Air Force Research Laboratory and partnered with defense firms supplying AI to the Army’s intelligence community.

So dating profile pictures became raw material for defense contractors. The people in those photos had no idea, and were never asked.

Share

The FTC settled the case in March 2026.

The good: The settlement permanently bars Match Group and OkCupid from misrepresenting their data practices and requires compliance reporting for a decade.

The bad: Match Group did not admit wrongdoing.

The ugly: The settlement carries no financial penalty. And the FTC did not require Clarifai to delete any of the data it received.

Twelve years of willfully misusing people’s images, and the regulatory consequence is a promise to tell the truth going forward.

The OkCupid Story Isn’t Really About OkCupid

Most people process news like this as a company-specific scandal. OkCupid was reckless with customer data, OkCupid got caught, but you don’t use OkCupid, so you’re fine.

That’s the superficial take. As is usually the case with these stories, there’s a deeper level.

Every site where you’ve uploaded photos, whether LinkedIn, Facebook, Instagram, a fitness app, a medical portal, or a real estate platform, operates under a privacy policy that its legal team wrote. And they wrote it to maximize the company’s flexibility, not yours. I’ve written before about why reading those policies is a waste of time. 👇

What the OkCupid case illustrates is the specific mechanisms that makes privacy policies useless:

Privacy policies are often inaccurate, either out of negligence or intentional bad behavior (as appears to be the case with OKCupid). Or a company can change the policy at any time, usually without notice, to make their privacy infringing practices legit. And in almost all cases privacy policies are drafted to provide broad rights and discretion to use your data, which means most people don’t know what they’re supposedly consenting to.

Unfortunately the OKCupid incident isn’t a one-time failure by a company with bad intentions. It’s a repeatable playbook.

Many people now understand that tech companies design features specifically to get you to hand over your face voluntarily. It’s been going on since the dawn of the internet but AI companies have taken it to a whole new level. The best example is when OpenAI/ChatGPT pushed an anime filter, the Ghibli-style portrait, which allowed users to see themselves as a cartoon.

Users got a quick dopamine hit from doing that. And OpenAI received valuable data to bolster their facial recognition capabilities without paying anything. That’s about as lopsided of a trade as you can find.

OkCupid’s founders didn’t need a clever feature to capture valuable biometric data because they already had three million photos sitting in a database. But the outcome is the same:

your face, in a training set, with no restrictions on what gets built from it.

The enforcement consequence for any of this is, apparently, a compliance checklist. Which shouldn’t be surprising to anyone following these incidents. Penalties handed down by regulators are usually small compared to company revenues. Businesses then calculate the cost of protecting (or not protecting) your privacy, and when the answer is zero (or near zero) dollars in penalties, the math doesn’t work in favor of your privacy.

For photos specifically, the only meaningful control you still have is upload discipline. Review which apps have access to your Google, Apple, or Facebook account, and think carefully before handing your face to the next platform that makes it seem fun or convenient. The photos you never put up can’t be handed to anyone.

You can't un-upload a photo, and you can't control where it goes once a company has it. Knowing that your photos can move from a dating app to a defense contractor through a personal email and a handshake should change how you evaluate the next platform that asks for your face. While the next platform asking for your photo isn't OkCupid, the incentive structure is identical.

One more thing: I've been sharing the behind-the-scenes of building DoxxScore over on Substack Notes. Things like the thinking behind the product, what I've learned about digital privacy along the way, and where it's headed. If that interests you, a sample post is below. DoxxScore goes live next week, so stay tuned for more information. ⌛

Subscribe now

Looking for help with a privacy issue or privacy concern? Chances are we’ve covered it already or will soon. Follow us on X and LinkedIn for updates on this topic and other internet privacy related topics.

Disclaimer: None of the above is to be deemed legal advice of any kind. These are *opinions* written by a privacy and tech attorney with years of working for, with and against Big Tech and Big Data. And this post is for informational purposes only and is not intended for use in furtherance of any unlawful activity. This post may also contain affiliate links, which means that at no additional cost to you, we earn a commission if you click through and make a purchase.

• Privacy freedom is more affordable than you think. We tackle the top Big Tech digital services and price out privacy friendly competitors here. The results may surprise you.

• Check out our new, free username generator to help you create unique usernames for different accounts. Reusing usernames is convenient, but terrible for your privacy. This tool makes it easy to create unique usernames on the fly.

  Share Secrets of Privacy

That’s the official summary. Here’s what the official summary doesn’t help you with.

Subscribe now

When a breach involves booking details specifically, the follow-on scam isn’t generic phishing. It’s targeted.

A scammer who knows your name, your hotel, and your travel dates can send you a WhatsApp message that reads exactly like something your accommodation would send. Or call you, reference your reservation, and tell you there’s a payment problem with your booking.

The message will be well-written and the details will be accurate. Add it all up and the urgency will feel legitimate.

And this isn’t a theoretical scenario.

In November 2025, researchers at Sekoia documented a campaign in which attackers who had stolen hotel staff credentials used that access to contact guests over WhatsApp and email, referencing their real reservation details. The cover story was that a security issue had come up during verification of their banking details, and that confirming their information was a procedure Booking.com used to protect against cancellations. Victims who followed the link landed on a fake payment page built to look like the real thing.

The current breach didn’t involve hotel account access (thankfully). But the same logic applies: an attacker who already knows your name, your hotel, and your travel dates doesn’t need to compromise anything else to make an approach convincing.

The disorienting part is that the breach notification email itself looks like the kind of thing scammers send. Plenty of people receiving a legitimate email from noreply@booking.com this week will reasonably wonder whether to trust it. Reasonably so because a decade of phishing awareness training has taught people to distrust exactly this kind of message.

The actual risk hierarchy here is worth being clear about. On the positive side, the exposed data cannot be used to make purchases or drain accounts directly. What it can do is make someone more likely to hand over payment details voluntarily, because the person asking seems to already know things only Booking.com would know.

Share

One thing worth doing now: If you received a breach notification, or if you have an upcoming Booking.com reservation, treat any inbound contact claiming to be from Booking.com or from your accommodation as suspicious by default. That means phone calls, WhatsApp messages, and emails asking you to update payment details or “secure” your booking. If something seems urgent, navigate to booking.com directly by typing the URL and handle it from your account there. Don’t call back numbers from messages you received. Look up the number yourself.

Booking.com says it has reset PINs for affected reservations, which is a reasonable containment step. What they haven’t said is how many reservations were affected or how the access happened. That opacity is frustrating, and it’s also a pattern for them: the company was fined €475,000 by Dutch regulators in 2021 for notifying authorities too late after a previous breach.

There’s a structural question buried in all of this. Travel platforms collect a surprising amount of contextual detail about where you’re going, when, with whom, and what you’ve requested. That data is operationally necessary in the short term. Whether it needs to be retained as long as it typically is, in the form it’s stored, is a question the industry hasn’t been forced to answer seriously yet.

If you’ve had a similar experience with scam follow-up after a travel booking, I’d be curious to hear about it. Reply to this email.

Subscribe now

Looking for help with a privacy issue or privacy concern? Chances are we’ve covered it already or will soon. Follow us on X and LinkedIn for updates on this topic and other internet privacy related topics.

Disclaimer: None of the above is to be deemed legal advice of any kind. These are *opinions* written by a privacy and tech attorney with years of working for, with and against Big Tech and Big Data. And this post is for informational purposes only and is not intended for use in furtherance of any unlawful activity. This post may also contain affiliate links, which means that at no additional cost to you, we earn a commission if you click through and make a purchase.

• Privacy freedom is more affordable than you think. We tackle the top Big Tech digital services and price out privacy friendly competitors here. The results may surprise you.

• Check out our new, free username generator to help you create unique usernames for different accounts. Reusing usernames is convenient, but terrible for your privacy. This tool makes it easy to create unique usernames on the fly.

  Share Secrets of Privacy

The results are quietly sent back to LinkedIn’s servers for processing and data mining. None of this is in LinkedIn’s privacy policy.

This is BrowserGate, a detailed investigation published last week by Fairlinked e.V., a European association of commercial LinkedIn users. BleepingComputer independently confirmed the scanning behavior through its own testing.

LinkedIn calls it a security measure. The rest of us call it covert surveillance of a billion users’ browsing behavior at industrial scale. BrowserGate is a bad look for Microsoft owned LinkedIn and reinforces their poor privacy tactics.

But there’s a larger issue here beyond LinkedIn. And that is Google Chrome’s role, which makes this whole scheme possible (and all the similar ones out there you don’t know about yet).

Subscribe now

What LinkedIn Can Actually Learn From Your Extensions

A list of browser extensions sounds like dry technical data. It isn’t.

Some of the extensions on LinkedIn’s scan list may indicate religious beliefs, political views, health conditions, or whether a user is actively seeking employment.

The investigation found 509 job search tools on the list, including extensions for Indeed, Glassdoor, and Monster. If you’re quietly browsing jobs while your current employer can still see your profile, LinkedIn may already know.

The list also includes extensions that identify practicing Muslims, tools built for neurodivergent users, and partisan news filters that reveal political leanings. Under EU law, this is special-category data. Collecting it without explicit consent is prohibited, not just discouraged.

Perhaps most interesting, LinkedIn scans for over 200 products that directly compete with its own sales tools, including Apollo, Lusha, and ZoomInfo. Because LinkedIn knows each user’s employer, it can map which companies use which competitor products. LinkedIn knows your real name, your job title, and where you work. When it spots a competitor’s tool in your browser, it doesn’t just know you have it. It knows your company has it. This data is extremely valuable.

Share

This is a Google Chrome Problem

Google built Chrome, and Google’s business model is advertising.

Chrome is the most widely used browser in the world, which means the data it makes available to websites (and to Google itself) flows at enormous scale. Google uses Chrome browsing data to inform its ad targeting systems. It has repeatedly introduced features that privacy advocates pushed back on, including a tracking system called the Privacy Sandbox that replaced third-party cookies not by eliminating tracking, but by moving it into the browser itself. Chrome still doesn’t block third-party tracking cookies by default, something Firefox, Brave, and Safari have done for years.

The extension architecture that makes LinkedIn’s scanning possible is a Chrome-specific design. Firefox and Safari expose extensions differently, which is why the scan doesn’t work there.

LinkedIn’s script actually checks whether you’re using Chrome before it fires. If you’re not using Chrome, nothing happens.

Now LinkedIn didn’t single out Chrome users. Chrome was simply the only browser where the technique works, and it covers roughly two thirds of all web traffic. That combination of architecture and reach is what made BrowserGate possible.

The scan list in this case started at 38 extensions in 2017. As is true with most privacy intrusions, it quickly grew. LinkedIn’s scanning now covers more than 6,000. Nearly a decade of growth, all enabled by the same Chrome design decisions that Google has never had much incentive to change.

So Which Browser Should You Use?

If you switch from Google Chrome to Firefox or Safari, LinkedIn’s scanning script simply doesn’t run. That’s the cleanest fix, though not our recommendation.

Brave is also a meaningful upgrade over Google Chrome. Now Brave detractors will tell you that Brave is a chromium based browser, which is true. But that’s a misleading story.

Yes, Brave is built on the same underlying engine as Chrome, so LinkedIn’s script does target it. But Brave blocks the tracking endpoints where the collected data gets sent. A Brave privacy engineer confirmed this publicly, and even told users they could verify it themselves by opening LinkedIn in Brave and watching the DevTools network tab. The data collection is interrupted before it leaves your browser.

So what’s the practical solution hierarchy here? Firefox or Safari stops the scan entirely. Brave stops the data from being transmitted. Whichever browser you choose, you’re in a substantially better position than Google Chrome users.

Our Recommendation on What You Can Do Right Now

Brave is our recommended primary browser, and BrowserGate is a good illustration of why.

While Brave is built on the same underlying engine as Chrome, Brave blocks the tracking endpoints where the collected data gets sent. And in the grand scheme of things, Brave is the best overall privacy browser around. The reasons for that deserve a separate post, which is in our queue.

Firefox stops the scan from running at all, since LinkedIn’s script checks for Chrome’s architecture before it fires. But as regular readers know, we don’t recommend Firefox as a primary browser since they’ve strayed from their privacy first ways. But keeping it installed and using it as a dedicated browser for sites like LinkedIn is a reasonable approach. Either way, Firefox is a better choice than Google Chrome for anything privacy-sensitive.

The bottom line:

if you’re using Google Chrome as your primary browser, you’re exposed to this LinkedIn scheme and to a long list of similar techniques that Chrome’s architecture enables. Switching to Brave costs you nothing and fixes the problem.

Switching browsers is one of the easiest first steps toward removing Google from your daily life entirely. If you want a full roadmap for doing that, I put one together, and it covers the browser switch and everything beyond it. Paid annual subscribers get it for free but everyone else can get it for 20% off here.

For further reading on the technical aspect of BrowserGate, check out this post from our friend Digital Mark:

Digital-Mark

The LinkedIn Panopticon

SPECIAL ANNIVERSARY BULLETIN: 04.03.2026…

Read more

2 months ago · 54 likes · 11 comments · Digital-Mark

Looking for help with a privacy issue or privacy concern? Chances are we’ve covered it already or will soon. Follow us on X and LinkedIn for updates on this topic and other internet privacy related topics.

Disclaimer: None of the above is to be deemed legal advice of any kind. These are *opinions* written by a privacy and tech attorney with years of working for, with and against Big Tech and Big Data. And this post is for informational purposes only and is not intended for use in furtherance of any unlawful activity. This post may also contain affiliate links, which means that at no additional cost to you, we earn a commission if you click through and make a purchase.

• Privacy freedom is more affordable than you think. We tackle the top Big Tech digital services and price out privacy friendly competitors here. The results may surprise you.

• Check out our new, free username generator to help you create unique usernames for different accounts. Reusing usernames is convenient, but terrible for your privacy. This tool makes it easy to create unique usernames on the fly.

Initially it looked like a one-off crime. Turns out it wasn’t.

Federal investigators eventually connected that break-in to at least 19 other burglaries across the United States, spanning both coasts, with total losses exceeding $1.6 million. Ten suspects were arrested in Michigan, California, New Jersey, and Wisconsin. According to federal court documents, the group had conducted weeks of surveillance on each target, researching victims through internet searches, open-source databases, and social media to study the layouts of their homes and identify items of value.

They didn’t pick their targets randomly. They built profiles on them, using tools that are freely available to anyone with an internet connection.

Subscribe now

The Digital Casing Playbook

Think of traditional burglary as a physical operation. A thief drives through a wealthy neighborhood, looks for an unlocked door or an empty driveway, and takes their chances.

What federal prosecutors described in this case is fundamentally different. It’s a research operation that follows a repeatable playbook, one I’d call “digital casing.”

The playbook works in four stages.

Stage 1 — Identify. Find a target through business directories, social media, or community visibility. In this case, the group focused on immigrant business owners, particularly those running restaurants, jewelry stores, and other enterprises where cash and gold might be kept at home.

Stage 2 — Locate. Use people-search websites, open-source databases, and property records to connect a business owner’s name to a home address. These sites aggregate data from voting registries, property filings, motor vehicle records, and more. Many provide a home address for free.

Stage 3 — Surveil. Study the home using real estate listing photos (which often remain online for years after a sale), Google Street View, and social media posts that reveal layouts, valuables, routines, and travel patterns. In one case tied to this ring, a neighbor of a victim in Kentucky found a camera hidden in the bushes, rigged with fake foliage and a wireless hotspot.

Stage 4 — Execute. Time the break-in using GPS trackers placed on vehicles, knowledge of the family’s schedule, and even estimates of local police response times.

This four-stage process is what transformed a burglary into something closer to an intelligence operation. And every tool used in stages 1 through 3 is legal, commercially available, and accessible from a phone right now.

Share

This is Not an Isolated Case

The Kent County case is part of a much larger pattern. The FBI has identified what it calls “South American Theft Groups” (SATGs) as a significant and growing criminal threat. These aren’t a single organization. According to Kent County Sheriff’s Sgt. Scott Dietrich, there are “tens, maybe hundreds of these groups all over the United States” that target specific people or specific things. (source)

The scope is larger than you would think.

In Houston, law enforcement linked over 60 home burglaries to SATG-connected crews. West University Place Police Chief Gary Ratliff told Fox News Digital that these groups used signal jammers to disable Wi-Fi security cameras and alarm systems during break-ins, rendering wireless home security effectively useless. (source)

A separate Chilean burglary ring targeted the homes of professional athletes, including Patrick Mahomes, Travis Kelce, and Joe Burrow, using public social media posts and game schedules to time their break-ins for when the players were away. The FBI released a podcast episode in February 2025 specifically warning about this tactic ahead of the Super Bowl, noting that SATGs use “a combination of internet research, surveillance, and commercially available camera and tracking technologies to scope out their targets.” (source and source)

In Pennsylvania, a theft ring targeting Asian business owners led to six convictions, with suspects sentenced to up to 10 years in prison. (source)

And police in Riverside, California have confirmed that detectives routinely find Zillow and Redfin searches on phones seized from arrested burglary suspects. (source)

This Is a Privacy Story More Than a Crime Story

Most coverage of these burglary rings focuses on the criminal element.

And that’s understandable.

But the reason I’m writing about it is because the vulnerability these criminals exploited isn’t a broken lock or an open window. It’s the fact that an enormous amount of actionable intelligence about where you live, what you own, and when you’re home is publicly available by default.

Consider what a motivated person can assemble about you, right now, without breaking any laws.

From people-search sites like Spokeo, WhitePages, and BeenVerified, they can get your full name, home address, phone number, email, names of relatives, and sometimes estimated income or net worth. Many of these sites provide actionable results for free.

From real estate platforms like Zillow, Redfin, and Realtor.com, they can view interior photos of your home, floor plans, entry points, window types, and camera placements.

From Google Street View, they can study your property from multiple angles, check vehicles in your driveway, scope out fences and access points, and assess escape routes.

From social media, they can learn your daily routines, track when you’re on vacation, identify expensive purchases, and piece together your family structure.

From business registrations and licensing databases, they can connect you to a business and make assumptions about cash or inventory you might keep at home.

None of this requires hacking. None of it requires specialized skills. And critically, none of it requires the criminal to be anywhere near your home until they’re ready to act.

The court documents in the Kent County case put it plainly.

These were not crimes of opportunity based on an unlocked door. Victims were targeted and stalked. The court noted that the “shadowing sense of fear that someone is coming after you is not unrealistic.”

The immigrants who were victimized in this case had done most things right. They built businesses, followed the law, saved diligently. What they hadn’t done, and what almost nobody does, is manage their digital footprint. Because most people don’t realize there’s anything to manage.

That’s the gap. And it’s one that organized criminals have figured out how to exploit with industrial efficiency. The question is whether the rest of us are going to keep pretending this information is harmless just because it’s technically “public.”

The good news is that this is a solvable problem. Not perfectly, but meaningfully.

Most of the data these groups rely on during the “identify” and “locate” phases of their playbook can be removed or significantly reduced. And the surveillance tools they use during the “execute” phase, particularly Wi-Fi signal jammers, have known countermeasures that most homeowners haven’t implemented because they don’t know the threat exists.

Below I’ll walk you through exactly how to close each stage of the digital casing playbook, starting with the single most impactful step you can take in the next 10 minutes.

How to Close Each Stage of the Digital Casing Playbook

The digital casing playbook has four stages. Each one has countermeasures. I’ll walk through them in reverse order of difficulty, starting with the steps you can take today.

Read more

Then they actually look, and it’s much more than that.

This guide walks you through exactly how to audit your own digital footprint: where to look, what you’ll find, and what to do about it.

Subscribe now

Start With a Basic Search (but do it right)

The obvious first step is searching your own name in Google, DuckDuckGo, or Brave. But most people do this wrong and miss a lot.

Do these searches:

• Your full name in quotes: "Jane Smith"

• Your name plus your city: "Jane Smith" Chicago

• Your name plus your employer: "Jane Smith" Acme Corp

• Your name plus your phone number or email address

• Your username, if you use the same one across sites

Search on at least two engines. DuckDuckGo and Google surface different results, so start there first. What one buries, the other sometimes surfaces prominently.

Look past the first page. Most people stop at page one, but data brokers and people-search sites often rank lower and contain far more personal detail than anything on page one.

Data Brokers Are the Real Problem

Search engines show you what’s publicly indexed. Data brokers show you what’s been collected, aggregated, and sold.

Data brokers are companies that compile personal information from public records, purchase histories, loyalty programs, social media, voter registrations, property records, and dozens of other sources. They then package it into profiles they sell to marketers, landlords, employers, and anyone else willing to pay.

The profiles are detailed. A typical data broker entry might include your full name, current and past addresses, phone numbers, email addresses, relatives’ names, estimated income, property ownership, court records, and social media handles — all on one page, available to anyone who searches.

The major people-search sites to check first:

• Spokeo

• WhitePages

• BeenVerified

• Intelius

• PeopleFinder

• FastPeopleSearch

• Radaris

• MyLife

Search your name on each one because what you find will vary. Some brokers have more complete records than others, and the data they hold updates at different rates.

This is uncomfortable for most people. The volume and specificity of what’s available is usually worse than expected.

Check What Google Knows Specifically

Beyond general search, Google maintains records of your activity across its own products. If you use Gmail, Google Maps, YouTube, or Android, there’s a detailed log of that activity attached to your account.

Go to myactivity.google.com and sign in. You’ll see a timeline of searches, sites visited, videos watched, locations visited, and more. This data often going back years.

Google also allows people to request removal of certain personal information from search results. If your phone number, home address, or other sensitive details appear in Google Search, you can submit a removal request at support.google.com/websearch/troubleshooter/9948276.

Look at What Social Media Exposes, Including Accounts You Forgot About

Social media platforms often expose more than people realize, especially when privacy settings drift from their defaults over time.

Facebook: Check your profile as a non-friend or logged-out user. Go to your profile, click the three dots, and select “View As.” What’s visible may surprise you, and can include tagged photos, check-ins, and older posts are often more public than expected.

LinkedIn: Your profile is typically fully public and indexed by search engines. Your connections list, employment history, education, and any posts or comments you’ve made are visible to anyone. LinkedIn is one of the most commonly harvested surfaces for scammers and data collectors because the information is both detailed and voluntarily provided.

Instagram and Twitter/X: Both default to public. Old posts, location tags on photos, and comments under other people’s content all appear in search results.

Also think about accounts you may have created years ago and forgotten: old forums, Tumblr, Reddit, Disqus, Quora, and gaming platforms. Search your username across these. A username you’ve used consistently is one of the most reliable ways for someone to build a comprehensive profile of your activity online.

Check Public Records

A surprising amount of information is publicly available through government records:

• Voter registration: In many US states, voter rolls are publicly accessible and include your name, address, date of birth, and party affiliation

• Property records: If you own property, your name, purchase price, and address are typically in public county records

• Court records: Civil and criminal court filings are often searchable online by name

• Business filings: If you’ve ever registered a business, LLC, or been listed as a registered agent, that information is typically in state records

Many data brokers pull directly from these sources, which is why opting out of the broker itself doesn’t always prevent the information from resurfacing. The reason? They just re-pull from the original public record that never changes.

What You’re Likely to Find

After going through this process, most people discover some combination of the following:

• Current and past home addresses, sometimes going back decades

• Phone numbers, including mobile numbers they never gave out publicly

• Names of family members and their addresses

• Estimated income and net worth ranges

• A list of “associated” people (neighbors, relatives, former roommates)

• Old email addresses

• Court records, even minor ones

• Photos pulled from social media, sometimes years old

• URLs that you registered

The goal of this audit isn’t to alarm you, rather it’s to give you an accurate picture of your actual exposure, rather than an assumed one.

What to do About It

Knowing what’s out there is step one. Step two is reducing it.

The highest-leverage moves, in order:

1. Opt out of the major data brokers. Most have opt-out processes, though they vary in difficulty and reliability. Some require ID verification, some require a written request, and some re-add your data after a period of time and need to be revisited.

2. Tighten your social media privacy settings. Review what’s visible to non-connections and to search engines. Most platforms have a “view as public” option that shows you exactly what a stranger sees.

3. Request Google removal for any personally identifying information that appears in search results.

4. Use separate email addresses for different purposes so a data breach on one service doesn’t expose activity across others.

5. Be selective with loyalty programs and apps that request location access. These are common data collection points.

The honest answer is that a full cleanup takes time. The data broker opt-out process alone involves dozens of individual sites, each with its own process. But each step meaningfully reduces your exposure, and the high-leverage ones (like the major people-search sites) make an immediate difference.

If you want a structured path through all of this, including a step-by-step audit process, a data broker opt-out tracker with 75+ sites pre-loaded, and guides covering email privacy, LinkedIn, Apple settings, and more, the Secrets of Privacy Library has everything in one place. “Excellent content, really helpful and clear” - James Adams

Published by Secrets of Privacy — practical privacy guidance for people who want real protection without going off-grid.

He hosted a webinar on a sensitive topic and deliberately chose not to record it because the content was personal, the attendees were vulnerable, and he wanted no record to exist.

Weeks later, he received a cold email from a company called WebinarTV. It contained a direct link to his webinar session, which was now published as an AI-generated podcast episode on WebinarTV’s platform.

Rademacher hadn’t uploaded anything and hadn’t consented to the podcast creation. He hadn’t even recorded the webinar himself.

So what happened?

Subscribe now

WebinarTV describes itself as “a search engine for the best webinars.”

What it actually does is scan the internet for publicly accessible Zoom meeting links, join those calls using bots or AI transcription tools, record the audio, and convert it into podcast content. The company then uses it as a sales pitch to the very people whose meetings it captured. Journalists at 404 Media found their own public event with the Freedom of Press Foundation listed on the platform without their knowledge or consent. (source)

Zoom confirmed the activity is not the result of a vulnerability or security issue on its platform. (source) The problem is the link itself and the settings controlled by the Zoom webinar creator. So no hacking.

A Zoom Meeting Link is a Door With No Lock

If that link is anywhere on the internet, such as embedded in a public calendar event, posted in a community forum, listed on an events page, it’s findable. WebinarTV’s bots scan for the “zoom.us/j/” string across public web pages, and if a link isn’t behind an authentication wall, it’s treated as public. (source)

The meeting being “private” in your mind means nothing if the link is public in practice. It’s the same logic as leaving your address on a public post and assuming only friends will show up.

The fix is the same across every major platform:

stop treating the join link as the access control, and start requiring identity before entry.

Zoom: When scheduling a meeting in the Zoom web portal (not the desktop app), enable “Registration required” under the meeting settings. Set approval to “Manual” so you review each registrant before they receive a join link. Each approved participant gets a unique link tied to their registration, which means a generic link won’t get them in. This is the single most effective change you can make.

Google Meet: In your Calendar invite, click the gear icon next to the Meet link and open Host controls. Set the meeting access type to “Trusted” or “Restricted,” then uncheck the box that says “Anyone with the meeting link can ask to join.” (source) With that unchecked, only participants signed into their invited Google Account can enter. Bots attempting to knock via “Ask to join” are automatically denied without any action required by the host. (source)

Microsoft Teams: Before the meeting, open Meeting options and find “Who can bypass the lobby?” Set it to “People who were invited” so anyone who has the link but not an actual calendar invitation will wait in the lobby until you admit them. (source) Also disable the option that allows participants to forward the invitation, which closes a common secondary vector.

One More Thing Worth Knowing

CyberAlberta, a Canadian cybersecurity organization that investigated WebinarTV in depth, found that some access comes through AI note-taking browser extensions that users install voluntarily. These are extensions that quietly request calendar permissions and forward meeting details to the platform. (source)

For individuals, the fix is straightforward: in Chrome, go to Settings > Extensions and review what’s installed. For any extension with calendar or meeting access, check its permissions and remove anything you don’t actively use.

If you run a security or privacy program you may be rolling your eyes because you know that browser extensions are a major shadow IT problem.

Employees routinely install productivity and AI tools directly in the browser, grant them calendar and meeting access without a second thought, and IT often times never sees it happen. WebinarTV is an unusually visible consequence of that, but the underlying exposure is much broader because any extension with calendar permissions can see meeting links, attendee lists, and in some cases join URLs.

If you run a security program, the WebinarTV story is a useful conversation-starter for adjusting internal policies regarding browser extensions on corporate equipment. Browser extensions that touch calendar or meeting data should probably require explicit approval, not just user discretion.

Whether to ban web browser extensions all together is a conversation for another day.

Looking for help with a privacy issue or privacy concern? Chances are we’ve covered it already or will soon. Follow us on X and LinkedIn for updates on this topic and other internet privacy related topics.

Disclaimer: None of the above is to be deemed legal advice of any kind. These are *opinions* written by a privacy and tech attorney with years of working for, with and against Big Tech and Big Data. And this post is for informational purposes only and is not intended for use in furtherance of any unlawful activity. This post may also contain affiliate links, which means that at no additional cost to you, we earn a commission if you click through and make a purchase.

• Privacy freedom is more affordable than you think. We tackle the top Big Tech digital services and price out privacy friendly competitors here. The results may surprise you.

• Check out our new, free username generator to help you create unique usernames for different accounts. Reusing usernames is convenient, but terrible for your privacy. This tool makes it easy to create unique usernames on the fly.

• Do you own a Smart TV? If so, you won’t want to miss this reader fav post Smart TV Privacy Settings: How to Disable Tracking on Every Brand.

If you’re reading this but haven’t yet signed up, join for free (4.7K+ subscribers strong) and get our newsletter delivered to your inbox by subscribing here 👇

“How are companies getting my phone number? I never gave it to them.”

A recent example from a privacy forum illustrates the problem.

Someone recently visited the Samsung website for the first time, browsed a few phone models to compare prices, and left without adding anything to a cart or entering any information. The next day, Samsung called to ask why they hadn’t completed a purchase.

The person didn’t create an account, didn’t fill out a form and didn’t buy anything. He simply visited a website.

So how did Samsung get this guy’s phone number?

The short answer is that he probably did give his number to them, just not to Samsung directly. The mechanism connecting those two facts is called identity resolution, and understanding it changes how you think about every form field you’ve ever filled out online.

Subscribe now

You may recall that last month we ran a test on a free reverse phone lookup site.

We entered a family member’s phone number and got back his full name, home address, estimated income range, and a list of domain names he’d registered years ago and largely forgotten. We didn’t have to create an account or even make a payment. We typed in a 10-digit number and had detailed results a few seconds later.

That post was about what gets exposed once your phone number is in the data broker ecosystem. This situation is different and about how your number keeps getting passed around to companies even after you’ve done everything right.

What’s Actually Happening

When you visit a website, your browser sends a set of signals, such as your IP address, device type, browser version, and a collection of behavioral fingerprints that are surprisingly unique to you.

Most of that sounds familiar. What’s less understood is what happens to those signals next.

Companies like LiveRamp, Neustar, and Tapad maintain what the industry calls “identity graphs”. Translated, that means databases linking device fingerprints, IP addresses, cookies, and mobile advertising IDs to real-world identifiers: names, email addresses, and phone numbers.

These graphs are built from years of data collected across millions of websites and apps. One company’s graph covers more than 260 million U.S. profiles.

When you visit a site carrying one of their tracking pixels, your signals get matched against that graph. If you ever entered your phone number into any form on any site carrying one of their trackers, such as a a checkout page, a loyalty program signup, a contact form, that number is now linked to your device. The site you’re visiting today can surface it, even if you’ve never interacted with that company before.

This is distinct from what session replay tools do (recording your keystrokes in real time, which we covered previously - see here) and from what reverse phone lookup sites do (serving your data to anyone who searches).

Identity resolution is the layer that feeds both of those systems. It’s also why opted-out data broker profiles keep reappearing a few weeks after removal.

Share

The Phone Call is the Least Of It

Getting an unexpected phone call from a retailer is annoying. That’s the visible effect, and it’s the one that tends to generate Reddit threads.

What happens beneath the surface is considerably more significant.

When identity resolution links your browsing behavior to your real phone number and name, it doesn’t just enable that call. It creates a behavioral record that is attached to your actual identity. That could include a wide array of activities like what health symptoms you researched at 11pm, whether you spent time on a bankruptcy attorney’s site, what political content you engaged with, how often you visited a payday loan page.

That record flows into the same data broker ecosystem we covered in our reverse phone lookup post. From there, it becomes accessible to insurance underwriters, employers running background checks, lenders running risk models, and anyone else paying for enriched consumer profiles.

The call is visible. The downstream use of the behavioral profile built in the process of identifying you is not.

There’s no notification, no audit trail, no way for most people to know what inferences have been drawn from their browsing history or how those inferences are affecting decisions made about them.

This is also why the standard privacy advice, such as opting out of data brokers, use incognito mode, clear your cookies, doesn’t address the actual problem. Incognito mode doesn’t prevent a site from running identity resolution scripts. Clearing cookies doesn’t erase your entry from an identity graph. And opting out of data brokers removes the current record but doesn’t stop the graph from re-linking your number to your device the next time you visit a tracked site.

One Thing You can Do Right Now

Stop using your primary phone number for anything outside trusted personal contacts and critical financial accounts. Every loyalty program, app signup, online order, and form gets a secondary number.

A Google Voice number works as a starting point (even if it does create a Google nexus). A prepaid SIM (a $5-10 card that reloads automatically) is more robust, since VoIP numbers are increasingly flagged by sites requiring verified numbers.

The secondary number can be handed out freely. Your real number stays out of the identity graphs, which means it stops accumulating behavioral data linked to your actual identity.

This is the correct upstream intervention. It’s why we recommend it in the reverse phone lookup post as a long-term protection strategy. Now you know the mechanism that makes it work.

The identity resolution industry is actively developing ways to maintain these graphs even as third-party cookies disappear. The infrastructure is expanding, not contracting. If you’ve wondered why your data broker profiles keep coming back after removal, or why a company seems to know more about you than you ever told them, this is the system responsible.

Reply and let us know: did you already suspect something like this was happening, or is this new information?

Looking for help with a privacy issue or privacy concern? Chances are we’ve covered it already or will soon. Follow us on X and LinkedIn for updates on this topic and other internet privacy related topics.

Disclaimer: None of the above is to be deemed legal advice of any kind. These are *opinions* written by a privacy and tech attorney with years of working for, with and against Big Tech and Big Data. And this post is for informational purposes only and is not intended for use in furtherance of any unlawful activity. This post may also contain affiliate links, which means that at no additional cost to you, we earn a commission if you click through and make a purchase.

• Privacy freedom is more affordable than you think. We tackle the top Big Tech digital services and price out privacy friendly competitors here. The results may surprise you.

• Do you own a Smart TV? If so, you won’t want to miss this post from our three part series on how To make your smart TV less creepy.

If you’re reading this but haven’t yet signed up, join for free (4.7K+ subscribers strong) and get our newsletter delivered to your inbox by subscribing here 👇

Subscribe now

That post created a hypothetical scenario about a woman we called “Tina” whose Instagram account gets taken over by a bad actor who then uses her real photos for exploitation.

We wrote that as a warning of where things were heading. As it turns out, a federal court case proved us right almost detail for detail.

Subscribe now

In late February, a 22-year-old Alabama man named Jamarcus Mosley pled guilty to computer fraud, extortion, and cyberstalking after hijacking the social media accounts of hundreds of young women, including minors, over a three-year period.

And shortly before that, a 27-year-old Illinois man named Kyle Svara pled guilty to hacking nearly 600 women’s Snapchat accounts. He sold and traded their stolen private photos online and even offered his hacking services on Reddit.

Two men. Two guilty pleas. Nearly 900 victims combined. And neither one used any sophisticated hacking tools.

The Back Door to Your Account

Both of these cases relied on the same basic approach, and it’s worth understanding because it does not require technical skill. It’s social engineering, which means manipulating people into giving up information they shouldn’t.

Think of it this way.

Your social media account has two doors. The front door is your password.

Most people have gotten reasonably good at locking that one (or at least they know they should). The back door is your account recovery system, the process platforms use to help you get back in when you’re locked out. That back door is now a huge target.

In both federal cases, the attackers didn’t crack passwords. They tricked victims into handing over the keys to the back door.

Share

Two Cases, One Playbook

The Mosley Case

According to the U.S. Attorney’s Office for the Northern District of Georgia, Mosley ran his scheme from April 2022 through May 2025. His method was straightforward. He would use an already-compromised account belonging to a victim’s actual friend to reach out on Instagram or Snapchat. Because the message appeared to come from someone the victim knew and trusted, the request seemed legitimate.

In one case, Mosley used an Instagram account belonging to a 20-year-old Georgia woman’s high school friend. Pretending to be that friend, he asked the woman to help him recover “his” Snapchat account. She provided a recovery passcode, not realizing it was for her own account. Mosley used it to take full control, accessed her private images and videos, and then threatened to post them unless she complied with his demands.

When an 18-year-old Florida woman refused his demands for additional explicit photos, Mosley followed through on his threat and posted her stolen private photos publicly. He also targeted a 17-year-old in Illinois, tricking her into sharing her Snapchat “My Eyes Only” passcode. He then used her compromised account to contact her 13-year-old sister, sending a Snapchat map screenshot to show he knew where the younger girl lived.

The case was investigated by the Kennesaw Police Department and the U.S. Secret Service.

(Sources: BleepingComputer, WSB-TV, FOX 5 Atlanta, Marietta Daily Journal)

The Svara Case

Svara’s operation ran from May 2020 through February 2021. He took a slightly different approach.

Instead of impersonating friends, he posed as a Snapchat support representative. When his unauthorized login attempts triggered Snapchat’s security system to send verification codes to victims’ phones, he would text the victims using a free VoIP service and ask them to share those codes. He contacted over 4,500 women. Roughly 570 provided the codes, and he accessed at least 59 of their accounts to download private images.

Svara then sold or traded the stolen photos on internet forums and advertised on Reddit that he could hack Snapchat accounts on demand. One of his paying clients was Steve Waithe, a former Northeastern University track and field coach who hired Svara to hack the accounts of student athletes he had coached. Waithe was sentenced to five years in federal prison in 2024 for cyberstalking and sextortion.

(Sources: The Record, CBS Chicago, Reuters via U.S. News, BleepingComputer)

This Is a Pattern, Not an Anomaly

These two cases are not outliers. They are part of a well-documented surge.

The FBI has reported a significant increase in sextortion cases involving minors in recent years. In fact, we wrote a heartbreaking post earlier in the year about a teen boy who took his own life because of a sextortion scam. See here:

But between October 2021 and March 2023 alone, the FBI and Homeland Security Investigations received over 13,000 reports of online financial sextortion of minors, involving at least 12,600 victims. At least 20 of those victims died by suicide. The FBI observed a 20% increase in financially motivated sextortion reports involving minors in a six-month period compared to the prior year.

The National Center for Missing & Exploited Children (NCMEC) reported that online enticement reports increased by more than 300% between 2021 and 2023. Research published by Thorn in late 2025 found that one in five teens reported experiencing sextortion.

And on Safer Internet Day in February 2026, just weeks before the Mosley plea, the FBI issued yet another public warning about the growing threat.

(Sources: FBI Nashville, FBI Kansas City / Safer Internet Day 2026, NCMEC via Our Rescue, Thorn)

Recovery Codes Are the New Passwords

What stands out about these two cases is not that they happened. We know sextortion is a rapidly growing criminal activity. Rather, it’s how these cases happened.

Neither Mosley nor Svara needed to write a single line of code. They didn’t exploit a software vulnerability. They didn’t deploy malware. They used the platform’s own account recovery process as a weapon. Mosley impersonated friends. Svara impersonated Snapchat support. Both convinced real people to hand over recovery codes voluntarily.

This is the evolution we flagged in the 2024 article. Back then, the dominant threat was credential stuffing, where attackers take stolen username/password combos from data breaches and try them on other platforms. That’s still a problem, and password managers remain essential protection against it.

But attackers have adapted.

As more people adopt stronger passwords and two-factor authentication, the attack surface has shifted to the recovery process itself. Recovery codes bypass your password entirely. They bypass your two-factor authentication. They are designed to be the override, and that makes them the most valuable target.

The reality is that platform security features designed to help you regain access are now being turned against you. And the platforms have done very little to address this. Snapchat’s recovery process was exploited in both of these cases across a span of five years, from 2020 to 2025.

If these cases involved one isolated attacker, you could dismiss it. Two separate federal cases with nearly 900 combined victims should make it clear that this is a pattern, not an anomaly. And while these cases targeted young women, the underlying technique works on anyone. It only requires trust and a recovery code.

Most of the advice you’ll find about protecting yourself online still focuses on passwords. Use a strong one, don’t reuse them, get a password manager.

That’s all still true and it’s necessary. But it’s not sufficient anymore. The attack vector in these cases bypasses all of it.

There are specific steps you can take to protect yourself and your family against recovery code attacks. Some are settings you can change today in about five minutes. Others require a shift in how you think about account security altogether.

What You Can Do About It

Read more

Most people who try to DIY opt out give up because the scope feels unmanageable. Dozens of sites, each with its own form, its own verification step, its own timeline. The project looks like it measures in days.

Turns out the math is more forgiving than it appears (at least a little).

Subscribe now

What most opt-out guides don’t tell you is that a significant share of the data broker industry is owned by a small number of parent companies. Which means those parent companiess typically run a single opt-out process across all their properties.

Why is that good?

Because one submission can remove you from a dozen sites at once. Work through a handful of the right processes in the right order and you’ve covered far more ground than the site count suggets.

Free opt-out lists you find online tend to miss this entirely. They give you a column of URLs and leave you to figure out the rest. The ownership layer (i.e. which sites share a process, which submissions are redundant, which ones actually matter) usually isn’t there.

Understanding that structure is what separates people who make real progress from people who spend a weekend on it and still feel like they’ve barely started.

To help with that, we just released the Data Broker Opt-Out Tracker. It’s a formatted Excel workbook covering 76+ of the highest risk data broker sites. Best of all, it’s organized by parent company, priority tier, and what each opt-out actually requires.

It includes step-by-step instructions for each site and a built-in status tracker so you don’t lose your place. The goal is to give you a clear picture of how the industry is structured and a logical path through it, rather than just a list of links.

Annual paid subscribers get it free. Everyone else can grab it for $19, which includes lifetime updates to the tracker.

Grab your copy here —> Data Broker Opt-Out Tracker: 70+ Brokers with Direct Links, Methods, and Notes

If you’ve been putting off the opt-out process because it felt like too much, the consolidation in this industry works in your favor, you just need to know where it is.

Share Secrets of Privacy

Looking for help with a privacy issue or privacy concern? Chances are we’ve covered it already or will soon. Follow us on X and LinkedIn for updates on this topic and other internet privacy related topics.

Disclaimer: None of the above is to be deemed legal advice of any kind. These are *opinions* written by a privacy and tech attorney with years of working for, with and against Big Tech and Big Data. And this post is for informational purposes only and is not intended for use in furtherance of any unlawful activity. This post may also contain affiliate links, which means that at no additional cost to you, we earn a commission if you click through and make a purchase.

That’s a problem, because some of these settings genuinely matter. They determine what happens to your account if you die, whether a thief can lock you out of your own Apple ID, and how much of your data Apple itself can access.

This post covers nine settings worth your attention. Some are foundational. Others are more situational. All of them are overlooked by the vast majority of iPhone users.

You don’t need to enable all nine today. But you should at least know they exist.

Note for paid subscribers - we added two extra privacy/security features just for you at the end. 🎁

Subscribe now

Two-Factor Authentication

Two-factor authentication is the baseline. If you haven’t enabled it, nothing else on this list matters much.

Here’s how it works: when you sign into your Apple ID on a new device, Apple sends a six-digit verification code to a device you already trust. Without that code, your password alone isn’t enough to get in.

This protects you from the most common attack vector: someone who’s obtained your password through a phishing attempt, a data breach, or simple guessing. Even if they have the password, they’re stuck without physical access to one of your trusted devices.

If you created your Apple ID in the last few years, two-factor authentication may already be enabled. But it’s worth checking.

To verify or enable: Settings > [your name] > Sign-In & Security > Two-Factor Authentication.

If it’s off, turn it on. If it’s on, make sure your trusted phone numbers are current. That list is critical because if you lose access to all your trusted devices and your trusted phone numbers are outdated, recovery becomes significantly harder.

Recovery Key

A recovery key is a 28-character code that serves as a backup way into your Apple ID if you ever get locked out.

Once you enable a recovery key, Apple can no longer help you regain access to your account. The usual “forgot password” flow that relies on Apple verifying your identity? Gone. You’re on your own.

That might sound scary, but for privacy-conscious users, it’s actually a feature. It means Apple doesn’t have a back door into your account. No one at Apple can reset your password, which means no one can be socially engineered or legally compelled to do so either.

So the catch here is kind of obvious. If you lose your recovery key and get locked out, you’re done. There’s no appeal process. There’s no customer service escalation that will save you. Your account and everything in it (photos, documents, purchases, etc.) becomes permanently inaccessible.

To enable: Settings > [your name] > Sign-In & Security > Account Recovery > Recovery Key.

If you enable this protection, be sure to write the code down. Store it somewhere physically secure and separate from your devices. A safe deposit box or at home firebox are great locations. Treat it like you’d treat a passport or a birth certificate.

Share

Recovery Contacts

Recovery contacts offer a softer alternative to the recovery key.

Instead of relying entirely on a code you might lose, you designate one or more people you trust. If you ever get locked out, Apple can send them a verification code that helps confirm your identity. They don’t get access to your account, rather, they’re just vouching for you.

This is a good option for people who want a safety net but aren’t ready to go full self-sovereign with a recovery key. It’s also a reasonable complement to a recovery key, giving you multiple paths back into your account if something goes wrong.

To add a recovery contact: Settings > [your name] > Sign-In & Security > Recovery Contacts

Choose someone who’s reliable, who won’t lose their own phone, and who you’ll still be in contact with years from now. You can add multiple people if you want redundancy.

One thing to keep in mind: recovery contacts won’t help you if you’ve enabled a recovery key and lost it. The recovery key overrides everything. So think of these as two different approaches rather than layers that stack on top of each other.

Legacy Contact

Here’s a question most people don’t think about: what happens to your Apple ID when you die?

By default, the answer is “nothing good.” Your family can’t access your account. They can’t retrieve your photos, your documents, your messages. Apple’s policy is to protect your privacy, even posthumously, which means your data stays locked unless someone navigates a complicated legal process involving death certificates and court orders.

A legacy contact changes that.

You designate someone, such as a spouse, a family member, or a trusted friend, and share an access key with them. When you die, they combine that key with a copy of your death certificate to gain access to your account. They can download your data, manage your digital legacy, and eventually memorialize or delete the account.

To set up a legacy contact: Settings > [your name] > Sign-In & Security > Legacy Contact > Add Legacy Contact.

You’ll be prompted to share an access key with the person you choose. You can send it digitally or print a physical copy. Either way, make sure they know where to find it and what it’s for.

This setting is especially important if you have photos or documents that would matter to your family. Without a legacy contact, those memories might be lost forever.

Subscribe now

Advanced Data Protection for iCloud

This is the most significant privacy setting Apple has introduced in years, and few people use it. Here’s a quick overview.

When you store data in iCloud, Apple encrypts it. But for most data types, Apple holds the encryption keys. That means Apple can technically access your data if they choose to or if they’re compelled to by law enforcement. Your iCloud backups, your photos, and your notes can be ready by Apple if the circumstances demand it.

Advanced Data Protection changes the equation. When you enable it, end-to-end encryption extends to almost everything in iCloud: backups, photos, notes, reminders, voice memos, and more. Apple no longer holds the keys. Only your devices can decrypt the data.

The practical effect is that your iCloud data becomes genuinely private. Even Apple can’t access it. Neither can hackers who breach Apple’s servers. Neither can government agencies serving Apple with warrants.

To enable: Settings > [your name] > iCloud > Advanced Data Protection > Turn On Advanced Data Protection.

Apple will require you to set up account recovery first, either a recovery contact or a recovery key. That’s because if you get locked out with Advanced Data Protection enabled, Apple can’t help you. There’s no fallback.

This setting isn’t for everyone. If you’re worried about losing access to your account, the standard iCloud encryption is probably fine. But if you care about privacy and you’re disciplined about account recovery, this is one of the most meaningful steps you can take.

Share Secrets of Privacy

Stolen Device Protection

Stolen Device Protection is relatively new, and it addresses a specific nightmare scenario that’s become increasingly common.

Think of a thief who watches you enter your passcode in public, such as a bar, on the subway, or concert. Then they steal your phone. With your passcode, they can change your Apple ID password, disable Find My iPhone, and lock you out of your own account. By the time you realize what’s happened, your digital life is gone.

Stolen Device Protection adds friction to this attack.

When it’s enabled, certain sensitive actions, like changing your Apple ID password, turning off Find My, or accessing saved passwords, require Face ID or Touch ID authentication. A passcode alone won’t work. And for the most critical actions, there’s also a one-hour security delay, but only when you’re away from familiar locations like your home or workplace.

The idea is that a thief can’t make irreversible changes to your account in the few minutes after stealing your phone. You have time to remotely lock or erase the device before they can do real damage.

To enable: Settings > Face ID & Passcode > Stolen Device Protection.

There are two levels: “Standard” applies the protections only when you’re away from familiar locations. “Always On” applies them everywhere. For most people, “Standard” strikes the right balance between security and convenience.

Significant Locations

This one’s less about security and more about awareness.

Your iPhone quietly tracks the places you visit most frequently. Apple calls these “Significant Locations,” and the stated purpose is to improve personalized services. Think predicting traffic, surfacing relevant photos, that sort of thing.

In practice, it means your phone maintains a detailed log of where you go and when.

Some people are fine with this. Others find it unsettling to discover that their phone has been silently building a dossier on their movements. Either way, you should probably know it’s happening.

To view or disable: Settings > Privacy & Security > Location Services > System Services > Significant Locations.

You’ll need to authenticate with Face ID or your passcode to access this menu. Once you’re in, you can see the history, like a list of cities and specific locations, with timestamps. You can clear the history, turn off the feature entirely, or leave it on if you find the personalization useful.

There’s no right answer here. It’s a personal decision based on how you weigh convenience against surveillance. But it’s a decision you should make consciously, not one that’s made for you by default.

Safety Check

Safety Check is designed for people in dangerous situations, such as domestic abuse, stalking, controlling relationships. But it’s useful for anyone who wants to quickly audit and revoke the access they’ve granted over time.

When you open Safety Check, you get two options: “Emergency Reset” and “Manage Sharing & Access.”

Emergency Reset is the nuclear option. It immediately stops sharing your location with everyone, resets privacy permissions for all apps, limits FaceTime and Messages to the device in your hand, and signs you out of iCloud on your other devices. It’s designed for someone who needs to cut ties quickly and completely.

Manage Sharing & Access is more surgical. It walks you through who has access to your location, which apps have permissions, and which devices are signed into your account. You can revoke access selectively, without blowing everything up.

To access: Settings > Privacy & Security > Safety Check.

Even if you’re not fleeing a dangerous situation, this is a useful tool. Over the years, you accumulate sharing relationships and app permissions that you forget about. Safety Check lets you see it all in one place and clean house if needed.

Subscribe now

App Privacy Report

App Privacy Report gives you visibility into what your apps are actually doing.

Once you enable it, your iPhone tracks how often each app accesses sensitive data: your location, your camera, your microphone, your contacts, your photos. It also shows you which network domains each app contacts, revealing who they’re sending data to behind the scenes.

The results can be illuminating. Some apps access your location hundreds of times a week even when you’re not using them. Others reach out to dozens of tracking domains the moment you open them. The information is all there, you just have to look.

To enable: Settings > Privacy & Security > App Privacy Report > Turn On App Privacy Report.

Check it periodically. If an app’s behavior seems disproportionate to its function (e.g. a flashlight app hitting your location every hour or a game contacting dozens of ad networks), that’s a signal worth paying attention to.

Final Thought

None of these settings will make your iPhone perfectly private. iOS is still a closed system controlled by Apple, and Apple’s interests don’t always align with yours. Though it’s worth noting that the GrapheneOS project recently said that an iPhone 17 is the best private phone option behind a Pixel running their OS. 👇

But these nine settings represent the controls Apple does give you. Most people never touch them. Now you know where they are and what they do.

Pick a few. Enable them. And if you found this useful, share it with someone who could use the nudge.

Share

Two More (For Paid Subscribers)

Two more settings below, for paid subscribers only. The first addresses an attack vector that lets someone intercept your two-factor authentication codes and take over your accounts without ever touching your phone. The second stops email senders from tracking exactly when you read their messages and where you were when you did it. Both are fixable in minutes. Both are worth knowing about.

Read more