Sunday, July 05, 2026

Tip of an iceberg or a one time thing?

https://www.bloomberg.com/news/features/2026-07-03/google-and-meta-lost-a-landmark-trial-to-kaley-but-kept-her-as-a-user?accessToken=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzb3VyY2UiOiJTdWJzY3JpYmVyR2lmdGVkQXJ0aWNsZSIsImlhdCI6MTc4MzA4MjU5MywiZXhwIjoxNzgzNjg3MzkzLCJhcnRpY2xlSWQiOiJUSExGU01LR0NURlcwMCIsImJjb25uZWN0SWQiOiIyMkFCMzMwMjhGQTY0NjczOTYxNEE2RDFFMDk3QTkyMCJ9.hlUtsajBp9vE9j4Kt0jiky_2NmsAwH1Xi0BKXwcGmNQ&leadSource=uverify%20wall

At 17, She Sued Meta and Google, and Won. Now She’s Ready to Tell Her Story

When Kaley Glenn-Mills, at age 17, agreed to take on some of the world’s most powerful corporations — accusing them in court of addicting children to social media — she was afraid of only one thing. Her trepidation wasn’t over attorneys combing through her digital history, or her explicit photos being entered into evidence, or things she’d said in private therapy sessions being used against her, or her mom being villainized publicly, or potential corporate surveillance, or even having to testify. No. What kept her up at night was the possibility that the social media companies she was suing — Instagram, YouTube, TikTok and Snapchat — would banish her. “Are the companies going to get mad at me and delete my accounts?” she remembers thinking. “If they delete my accounts, what am I going to do with my life?”



Saturday, July 04, 2026

A point!

https://pogowasright.org/letter-urging-the-committee-of-conference-to-retain-the-private-right-of-action-in-the-massachusetts-consumer-data-privacy-act/

Letter Urging the Committee of Conference to Retain the Private Right of Action in the Massachusetts Consumer Data Privacy Act

Privacy law scholar Neil Richards writes:

A privacy right that you can’t enforce isn’t really a right – and that’s how Big Tech likes it. Massachusetts is close to passing a meaningful privacy law with a private right of action. So Woodrow Hartzog and I, along with 16 other privacy and technology legal scholars (with fantastic help from my former student and Duke 2L Lea Despotis), wrote a letter to the Massachusetts legislature in support of the private right of action, substantive data minimization rules, and bright-line prohibitions on dangerous data practices.

[Letter follows...]



Friday, July 03, 2026

Clearly not limited to the legal profession…

https://www.bespacific.com/exposing-the-risk-surface-of-agentic-ai-in-the-practice-of-law/

Exposing the Risk Surface of Agentic AI in the Practice of Law

Murray, Michael D., Exposing the Risk Surface of Agentic AI in the Practice of Law (April 14, 2026). Available at SSRN: https://ssrn.com/abstract=6576480  or http://dx.doi.org/10.2139/ssrn.6576480

This article examines how the legal profession’s shift from passive generative AI tools to autonomous or semi-autonomous agentic AI systems dramatically expands the “risk surface” of AI in law practice. It argues that once AI systems can plan, use tools, access files, interact with other agents, and take actions in the world, the ethical and professional risks move far beyond confidentiality and fabricated output to include unauthorized acts, tool misuse, memory leakage, cross-agent cascading failures, shadow AI, and compromised permissions. The article explains how these risks implicate a wide range of duties under the Model Rules of Professional Conduct, including competence, confidentiality, candor, scope of representation, supervision, fees, and unauthorized practice of law. It concludes by outlining practical governance responses for law firms and courts, including secure deployment environments, zero-trust architecture, human-in-the-loop review, and least-privilege access, while emphasizing that the human lawyer remains ultimately responsible for the actions of digital agents in legal practice.





New Jersey did this? Amazing.

https://pogowasright.org/new-jersey-enacts-broad-data-broker-law-with-costly-fees-and-severe-fines/

New Jersey Enacts Broad Data Broker Law with Costly Fees and Severe Fines

A newly enacted law is causing shock waves. David Stauss of Stauss Law writes:

The risks and costs of being a data broker in the United States just went up — again. On 30 June 2026, Gov. Mikie Sherrill, D-N.J., signed A 5328 into law, making New Jersey the seventh state to enact a data broker law, and the second this year, following Connecticut.
New Jersey’s data broker law stands out for its breadth and cost. It covers not just data brokers but also “data collectors” – entities with a direct relationship to consumers who sell their data to data brokers. Its biggest impact is a tiered annual registration fee: up to $1.5 million for the largest data brokers/collectors. Registration failures or outdated filings also carry significant fines. The law also bans sale of sensitive data – both directly and via an amendment to New Jersey’s general consumer privacy law – with violations carrying a steep $50,000-per-record penalty.
In this article for the IAPP, David Stauss and Cobun Zweifel-Keegan examine the new law and its potential impact on businesses.

Expect to see a lot more coverage of this law.





Evolving surveillance. (Next? Facial recognition without the face.)

https://www.schneier.com/blog/archives/2026/07/flock-cameras-can-surveil-cars-without-license-plates.html

Flock Cameras Can Surveil Cars Without License Plates

This is from a 2024 company presentation:

Officers can also tap into data showing a car’s decals, bumper stickers, back and top racks—along with temporary and unique state tags.
Flock calls it a “Vehicle Fingerprint” and it’s touted as a way for law enforcement officials to get more information “even when you don’t have full plate information,” the company’s presentation shows.
The company gives police officers the ability to search that data as well, to “build stronger cases with less information upfront.” That includes being able to locate multiple vehicles law enforcement officials believe are moving together and what Flock calls a “multi geo search.”

This kind of thing is older than AI; I wrote about it in my 2014 book Beyond Fear. Edward Snowden revealed that the NSA was using cell phone location data to track phones that were habitually near each other.

As bad as Flock is, remember that anyone with broad access to cell phone location data can do the same thing.





Imagine thousands of copies…

https://thenextweb.com/news/ai-agent-first-end-to-end-ransomware-attack

Researchers say an AI agent just ran a ransomware attack from start to finish, with no human at the keyboard

Ransomware has always needed a skilled human somewhere in the loop. Security firm Sysdig says that just changed. It has documented what it calls the first ransomware attack run from start to finish by an AI agent, with no human at the keyboard.

The researchers named the attacker JADEPUFFER, and say a large language model handled the entire job. It broke in, stole credentials, moved deeper into the network, planted a backdoor, then encrypted and destroyed a company’s production database. Sysdig’s Threat Research Team laid out the case in a detailed write-up.



Thursday, July 02, 2026

If not the answer, perhaps a baseline?

https://www.bespacific.com/un-unchecked-ai-progress-may-pose-catastrophic-risks/

UN – Unchecked AI progress may pose catastrophic risks

The Preliminary Report of the Independent International Scientific Panel on AI: Evidence-based assessment of opportunities, risks and impacts of AI is a first-of-its-kind independent scientific assessment of the capabilities, emerging opportunities and risks of artificial intelligence. The Panel, composed of independent scientists and experts from all 5 UN regions, outlines trends in AI. Its central warning: current safeguards cannot keep pace with the growth of AI’s capabilities. It identifies a crucial evidence challenge for decision-makers around the world: policymakers need scientific evidence to effectively govern AI, but by the time the evidence is clear, it may be too late to act on it. In the report, the Panel outlines its findings across seven key domains:

  • AI science, advances & trajectories

  • Societal applications: science, health, education & agriculture

  • Economic implications

  • Security, systems & environmental implications

  • Human rights, information & democracy

  • Cultural & individual flourishing, autonomy and child safety

  • Management, governance & reliability

This Preliminary Report marks the beginning of the Panel’s work. The Panel will continue to deepen its evidence base through consultations, engagement with the scientific community, and thematic briefs on emerging or fast-moving issues. Its next annual report will inform the second Global Dialogue in May 2027 in New York. The preliminary report will inform the inaugural Global Dialogue on AI Governance, to be held on 6 and 7 July 2026 in Geneva, providing a common scientific starting point for discussion.





Curious…

https://www.schneier.com/blog/archives/2026/07/cybersecurity-mission-creep-in-the-us.html

Cybersecurity Mission Creep in the US

Interesting paper: “Cybersecurity Mission Creep.”

Abstract: Cybersecurity is experiencing mission creep. Policymakers are casting more and more problems as issues of cybersecurity. So reframed, wildly different policy issues, from misinformation, to child social media safety laws, to antitrust regulations, to alleged journalist misconduct, to anti-sex trafficking statutes become what this Article calls “cybersecuritized.” Before this reframing, these issues present as important but not existential. But once cybersecuritization positions the issues as threats intensified by their technological nature, they gain access to the politics and law of urgency and exceptionalism and invite troubling governance responses.
Positioned as security threats, cybersecuritized issues become endowed with the apparent normative power to override countervailing considerations, oversimplifying the problem. Cybersecuritization’s oversimplification similarly risks unidimensional solutions and invites use of argumentative trump cards, like First Amendment challenges. Cybersecuritization also invites deference to purported specialists and their proposed solutions. Together, the reductive tendencies of cybersecuritization and the deference it prompts to specialists render ultimate governance choices more opaque. And this opacity can erode public trust and political legitimacy.
This Article surfaces the phenomenon of cybersecuritization and offers a novel framework for analyzing and critiquing it. Mining cases from across criminal and civil domains, the account also demonstrates the insidiousness of cybersecuritization and the likelihood that it will continue to expand. Confronting cybersecuritization is crucial. If we continue to ignore it, we risk abdicating further responsibility for difficult choices to the trump card of cybersecurity. This Article’s analysis and critique aim to help reclaim the hard work of governance for our hands.





I don’t quite get the economic benefits. Political benefits seem obvious.

https://thenextweb.com/news/openai-5-percent-stake-trump-administration

OpenAI has reportedly offered Washington a 5% stake worth $42.6bn

OpenAI has proposed handing the US government a 5% equity stake in the company, according to the Financial Times, as the White House and Silicon Valley’s best-funded startup edge closer to a deal that has been under discussion for more than a year.

The politics around the idea are messier than the mechanics. Senator Bernie Sanders has pushed a competing and considerably more aggressive plan, the American AI Sovereign Wealth Fund Act, which would impose a one-time 50% stock tax on large AI companies to seed a fund the senator’s office projects could reach $7 trillion.

Palantir’s Alex Karp has argued that OpenAI’s voluntary 5% offer will look modest next to Sanders’ proposal, and that full nationalisation of frontier AI companies is coming regardless of which version wins first.

Where the two plans agree is on the underlying premise, that a handful of AI companies are about to become extraordinarily large and that the public should hold some claim on that value before it fully accrues to private shareholders. [Why? Bob]





Wednesday, July 01, 2026

What was the goal of this surveillance?

https://pogowasright.org/ca11-yahoo-not-a-govt-actor-in-scanning-emails-for-csam/

CA11: Yahoo not a govt actor in scanning emails for CSAM

Seen on FourthAmendment.com:

Yahoo and NCMEC didn’t act as government agents when they scanned defendant’s email account for hash values of CSAM. They were not required to do so, but did so and warned customers they would. NCMEC passed on the information to the local police who got a search warrant. United States v. Williamson, 2026 U.S. App. LEXIS 18972 (11th Cir. June 30, 2026)





Would you like to play a game?

https://thenextweb.com/news/bioshocking-ai-browser-credential-leak-layerx

“BioShocking” tricks AI browsers into leaking your passwords

Security researchers convinced six AI browsers they were playing a game. The browsers then handed over their users’ passwords and treated it as a win.

The firm behind it, LayerX, calls the technique BioShocking, and says it worked on every agent it tried. The list reads like a roll-call of the new AI browser market: OpenAI’s ChatGPT Atlas, Perplexity’s Comet, Anthropic’s Claude extension for Chrome, and three smaller players, Fellou, Genspark, and Sigma.

The attack starts on a booby-trapped web page built as a puzzle. To fit its dystopian theme, the puzzle rewards wrong answers, insisting that two plus two equals five. Once the agent accepts that “wrong” is the winning move, it switches from safety logic to game logic. From there, the researchers simply made stealing credentials the next level.





The law is what you make it…

https://www.reuters.com/world/china/china-says-it-has-right-target-people-overseas-with-new-ethnic-unity-law-2026-06-24/

China says it has a right to target people overseas with new ethnic unity law

The new law, which goes into effect on July 1, includes a clause saying people and groups beyond the borders of the People's Republic of China can be held legally accountable for undermining "ethnic unity and progress or inciting ethnic separatism".

That has sparked alarm in Chinese-claimed Taiwan in particular that it could give Beijing another legal basis to go after Taiwanese it views as separatists. Rights groups have also complained that China has tried to use Interpol "red notices" to try and get foreign governments to arrest people abroad it wants for political offences at home.



Tuesday, June 30, 2026

When technology runs amok…

https://sloanreview.mit.edu/article/the-real-question-to-ask-about-ai-governance/

The Real Question to Ask About AI Governance

When an AI model does something it shouldn’t, who in your organization has the authority to stop it? If you can’t answer that question, you’re performing AI governance theater.





Think of it as “Moneyball for politicians.”

https://www.nytimes.com/2026/06/29/us/politics/political-campaigns-ai-tech.html?unlocked_article_code=1.t1A.0BIa.SrowQDfeMYAi&smid=bs-share

How A.I. Is Changing the Way Politicians Run for Office

A.I.-generated images are the public face of this election overhaul. Behind the scenes, campaigns are using the technology to analyze voter data, craft campaign materials and write custom messages.





How common are health care hallucinations?

https://www.zdnet.com/article/us-adults-use-ai-for-health-information-now/

61% of US adults use AI for health information now - up from 2% in 2024

Only 2% of U.S. adults turned to AI for healthcare information in 2024, and today the number is 61%, according to Salesforce's Connected Health Consumer report, a survey of 3,200 consumers worldwide aimed at better understanding how the rise of agentic AI is reshaping consumer expectations, attitudes, and demands within healthcare -- specifically patient experience. 





Electronic search is still search… What a concept!

https://www.theguardian.com/us-news/2026/jun/29/supreme-court-geofence-warrants-case-decision

US supreme court rules geofence warrants require constitutional privacy protections

The US supreme court has ruled that law enforcement’s use of sprawling warrants that sweep up smartphone location data requires privacy protections under the fourth amendment, in a boost to critics who view their use as an unconstitutional dragnet.

Justice Elena Kagan wrote the majority opinion, which held that the sensitive data scooped up by “geofence warrants” counts as a fourth amendment search, and offers individuals a “reasonable expectation of privacy”, even if they may be in a public area.



Monday, June 29, 2026

Big Brother is looking after you.

https://www.bespacific.com/redesign-of-us-government-websites-stokes-surveillance-fears/

Redesign of US government websites stokes surveillance fears

The Guardian: “The National Design Studio, staffed by Doge veterans, installed visitor-tracking software on vital federal websites. An opaque White House office staffed largely by veterans of Elon Musk’s “department of government efficiency” (Doge) has quietly rebuilt some of the federal government’s most sensitive websites – for passport applications, voter registration, prescription-drug pricing and children’s savings – in ways critics say appear to violate federal law. The National Design Studio (NDS) was established by a Donald Trump executive order last August, and is led by Trump-aligned Airbnb co-founder Joe Gebbia and staffed by Doge veterans. A Guardian investigation has found the office has apparently been developing or redeveloping sensitive federal websites, including those connecting Americans with prescription drugs, children’s savings accounts, passports and voter registration. The investigation corroborates and advances earlier reporting by the Drey Dossier, a YouTube investigative outlet. The NDS built and now operates four public federal websites: ndstudio.gov, trumprx.gov, realfood.gov and trumpaccounts.gov. All four ran commercial visitor-tracking software, configured to evade the privacy tools many web users install, and none carry the public filings federal privacy law requires under laws including the Privacy Act of 1974 and the E-Government Act of 2002. Separately, none of the NDS’s spending or its arrangements with outside vendors appears in USAspending, the federal contracting database, raising questions about how it is funded and overseen. Separately, the NDS has also built and runs White House-controlled versions of services the US Congress assigned to other federal agencies, including a passport-application portal that bypasses the state department’s existing site, and a copy of voter-registration site vote.gov.
Combined, the sites route sensitive interactions Americans have with their government through infrastructure the White House apparently controls, and outside the reporting and accountability systems that normally cover federal agencies…”





Don’t try to slip surveillance under the radar, be the radar!

https://doctorow.medium.com/https-pluralistic-net-2026-06-23-destroy-the-village-to-save-it-c4eaddaef7bc

Spying on kids to save kids from spying is very, very stupid

The literature on harms to kids from online platforms is complex and nuanced, rife with people citing small, ambiguous studies as iron-clad evidence that kids are being destroyed by the internet:

It’s a weird coalition of anti-Big Tech campaigners (who are rightly angry at the platforms’ callous disregard for user welfare) and Heritage Foundation-backed culture warriors (who think that if their kids aren’t exposed to LGBTQ content they won’t come out as queer). While there’s plenty these groups disagree about, they share one consensus: there should be a “minimum age” for certain kinds of internet use.

The problem is, there’s no such thing as “age verification” for the internet. What we call “age verification” is actually mass surveillance, so invasive and pervasive that it makes the ad-tech industry’s commercial surveillance look like some kind of cypherpunk darknet pirate utopia:

“Age verification” means that everyone who does anything online will have to submit to fine-grained tracking and recording of all their online activities. This nightmare is the surveillance advertising industry’s fondest dream, a world where it’s literally illegal to avoid their tracking, all in the name of saving kids…from them!



(Related)

https://thenextweb.com/news/eth-zurichs-bidirectional-pixel-could-turn-screens-into-cameras

ETH Zurich’s bidirectional pixel could turn screens into cameras

Researchers at ETH Zurich have built the first bidirectional pixel, in work published in Nature. The same tiny patch of chip can create an image and analyse the light falling on it. Not just brightness, but the phase and polarisation of the wave too.

The promise is a camera-display: one surface that shows you a picture and watches you at the same time. Picture a phone screen that is also its own front camera, with no notch and no cut-out. Or a video call where the lens sits behind the eyes you are looking at.