Your cell phone number uniquely identifies you. Many companies rely on this 1-to-1 relationship to authenticate you to their systems. So if someone were to somehow manage to steal your mobile phone number – a hack called SIM swapping – they could use that to impersonate you and compromise any of your accounts that are validated via SMS or phone call. There’s a new tool to combat this scam that’s better than the old-style account PIN codes. I’ll explain how it works.

In the news: many Brother printers have serious cyber vulnerabilities; Belkin in abandoning Wemo smart devices next January; Xfinity’s WiFi routers can detect motion in your entire home; Bluesky is rolling out age verification in the UK; California is using drones to catch the use of illegal fireworks; McDonald’s AI hiring bot was hacked to expose millions of applicants’ data; Mexican drug cartel hacked FBI phone to catch informants; US strikes blow against North Korean fake worker scams; Denmark is looking to ditch Microsoft products.

Privacy risks are bad enough for adults – but it’s much worse for our kids, particularly as students. Who provides notice and obtains consent for minors at school? In many cases it’s not the parents, let alone the students – it’s the school system. Not only are they opting the students into invasive data collection by profit-driven third parties, but they often also bind them to mandatory arbitration clauses, neutering their ability to seek legal redress for the inevitable violations. Today I’ll discuss this horrid state of affairs with someone who is on the front lines of this battle for our children’s right to privacy: co-founder of the EdTech Law Center, Andy Liddell.

Do you realize that you’re not always using your chosen mobile web browser or your network privacy features? Many mobile apps have their own in-app browser that can gather your data and even inject ads and trackers into any web links you click. I’ll explain how this works and what you can do about it.

In the news: 23andMe bankruptcy ombudsman argues for user consent to data; Meta AI app privacy nightmare; Amazon, Roku sharing users for ads; WhatsApp launches in-app ads; healthcare sites are sharing your data; ICE seeks powerful new surveillance tool; Austrian government wants your encrypted data; new US visa rules require social media posts; Scattered Spider targeting insurance info; VT governor signs child data privacy law; Flock blocks access to some US states; Microsoft offers 1-year security updates for Win10 users; new Android 16 security features; Denmark’s answer to deepfakes; cleaner Google search results; ChatGPT user info reports.

On January 12th, 2025, the ShmooCon hacker conference held it’s 20th and final gathering. I was lucky enough to be able to not only attend the final show but also to interview the founders, Heidi and Bruce Potter. We talk about how it all got started, what made this hacker con so special and beloved, and hear some hilarious stories from the past twenty years of hacker shenanigans in Washington D.C.

Artificial Intelligence is taking over. But I don’t mean that in a Skynet kinda way. It’s simply becoming ubiquitous because companies are insisting on inserting the technology into all their products, even if it’s not useful – or not even safe. Unfortunately, the breathless reporting on dangers of AI is also getting way out of hand, including stories of AI systems ‘blackmailing’ their designers. Today I’ll try to bring us back to reality a bit.

Also in the news: Billions of session login cookies up for grabs; Meta and Yandex cheat in order to track you around the web; Qualcomm fixes three zero-day bugs being actively exploited; Apple releases transparency report on push notification data requests; LAPD using Waymo for gathering video evidence; another massive AT&T user data leak includes SSNs; AI system appears to try to blackmail its owner; judge grants preliminary injunction on DOGE data grab; and we’ll check in on your 2025 New Year’s Resolutions!

Debbie Reynolds (aka, The Data Diva) has been working in the privacy realm for many years, as a privacy consultant, speaker, advisor and podcaster. She and I have been running in the same circles on LinkedIn for a while now, and we finally decided it was time to be a guest on each other’s shows. Today Debbie and I will discuss the dangers of privacy in the realm of IoT devices (including her contributions on the US Department of Commerce’s IoT Advisory Board), vehicles, and AI. I’ll ask about her experiences advising corporations on privacy issues with emerging technologies and how she advocates for less data gathering and more transparency.

Tracking our faces and whereabouts is getting out of control. It’s a mass surveillance infrastructure that keeps growing in Borg-like fashion. Facial recognition and license plate readers are proliferating at a stupefying pace and companies like Flock are consolidating the collected data and packaging it up for sale to law enforcement agencies. Even if no human in these agencies were to abuse this data, it’s creating an irresistible target for scheming hackers and nation states keen on espionage. The longer we let this go, the harder it will be to stop.

In today’s news: Asus routers are being hacked and you need to take action; 23andMe has been sold, along with its users’ genetic data; AI-generated videos have just become way more realistic; US government taps surveillance company to centralize all its citizen data; CFPB regulation limiting data brokers is axed; Kroger is packaging and selling its customer loyalty data; automated license plate reader data use is expanding in scary ways; Android phones gain key new security feature; EU court rules that real-time bidding data gathering is illegal; Montana is first state to plug data broker loophole; and I relate my recent privacy experience at the US border.

VPNs were not invented for privacy, despite the name – they were invented for security. Nevertheless, in recent years, they have been touted as privacy tools to thwart rampant and fanatical data gathering. With a regular VPN, this really just means you’re shifting your trust from your internet service provider to your VPN provider. But what if your encrypted data traffic was actually divided between two separate companies? The split trust model is a powerful way to protect your privacy and it’s the key technology behind new services like Apple’s Private Relay and Obscura VPN. Today we’ll discuss the benefits of this approach with Obscura’s founder, Carl Dong.

There are way too many messenger apps today. It’s a sad state of affairs and I don’t see it getting better anytime soon. But the real problem (for me) is that almost all of the popular messenger apps aren’t really that secure and private. Most do not have end-to-end encryption (E2EE) at all or it’s not turned on by default. And frankly even the apps with E2EE are run by companies whose revenue model is based on monetizing your personal data. I’m going to suggest you try Signal.

In other news: study finds Canadian’s health data being sold to drug makers; DOGE worker’s computer has been hacked; airlines are selling your data to ICE; a massive proxy botnet has been shut down; Google pays $1.4B to Texas over unauthorized tracking and data collection; Denver decides to stop using license plate readers of privacy concerns; jury orders NSO Group to pay hundreds of millions of dollars for hacking WhatsApp users.

Almost exactly two years ago, “Five Eyes” intelligence agencies discovered a successful and ongoing cyber attack on critical US infrastructure by a state-sponsored actor based in China. This group, associated with the People’s Liberation Army and known as Volt Typhoon, was tasked with quietly gaining persistent remote access to critical systems including water, power, communications, and transportation systems, as well as ports and government networks. The goal was to deter the US from interfering with a future invasion of Taiwan by China, either by crippling the US infrastructure or threatening to. Despite dire warnings from the four top cyber officials in a Jan 2024 Congressional hearing, the US is still woefully unprepared for such attacks. Josh Corman is leading an effort labeled UnDisruptable27 to greatly improve the resilience of our critical systems before 2027, the year China seems to be targeting to make their move.