u/officialexaking

Tux turned 30 last week. Linux's penguin mascot was born from a finger bite at an Australian zoo, designed in GIMP by one developer, and has not changed in three decades.
▲ 43 r/xprivo

On May 9, 1996, Linus Torvalds sent an email to the linux-kernel mailing list that would define the visual identity of the most influential open source operating system in history. His brief was precise and characteristically irreverent: the mascot should look "cuddly" and "contented," like a penguin that had just eaten "a suitcase full of herring" and was too stuffed to stand up straight. "Think of a Bean Bag," he wrote.
The origin of the penguin preference is one of computing history's more charming footnotes. Torvalds had visited the National Zoo in Canberra, Australia, where a small penguin bit his finger. Rather than holding a grudge, he declared himself "rather fond of penguins" and the direction was set.
Developer Larry Ewing took that brief and built the round, black-and-white character using GIMP, the open source image editor, in a decision that was quietly fitting: the mascot of a free software project created with free software tools. The name Tux followed in June 1996, proposed by James Hughes as an acronym for (T)orvalds (U)ni(X), though the obvious association with the tuxedo, which a penguin wears naturally, made the name feel inevitable.
What is remarkable is how little Tux has changed. Corporate logos are redesigned on three-year cycles. Brand consultancies are paid millions to flatten, simplify and "modernise" visual identities. Tux was drawn once by one person using an open source image editor and has remained essentially untouched for thirty years. Ewing's only condition for its use has always been attribution to himself and GIMP. No licensing fees, no trademark bureaucracy, no corporate design team to approve modifications. The decentralised ethos of open source embedded into the mascot itself.
Torvalds was always clear about the tone he wanted. "He's supposed to be kind of goofy and fun, that's the whole point," he once wrote. "Linux is supposed to be goofy and fun, it's also the best operating system in the world, but goofy and fun too." In 1998, Internet World magazine recognised Tux as one of twelve figures who had "made things happen" that year. A penguin drawn by one developer in GIMP listed alongside the year's most significant figures in technology.
The milestone lands as Linux itself approaches its 35th year. The kernel was first published in September 1991 as a student project with just over 10,000 lines of code. It has since grown to more than 34 million lines, shaped by over 25,000 individual contributors. It now runs on virtually all of the world's 500 fastest supercomputers, the majority of global cloud infrastructure, and the Android operating system on billions of mobile devices.
For this community in particular, the anniversary carries specific weight. The same properties that Torvalds encoded into Tux, open, unowned, built by individuals rather than corporations, maintained by shared convention rather than legal enforcement, are the properties under increasing pressure in 2026. Google is moving to require developer registration and government ID for Android app distribution. The EU is building centralised age verification infrastructure that will require identification before accessing the internet. The open web is being enclosed from multiple directions simultaneously.
The penguin that has symbolised the alternative for thirty years is still sitting there, full of herring, looking quietly pleased with itself.
Happy late birthday, Tux.

u/officialexaking — 1 day ago
▲ 352 r/xprivo

Google’s reCAPTCHA will now prevent privacy-conscious Android users from accessing websites. Users who remove Google software (deGoogled phone) from their devices may be treated as suspicious by default. If you currently use reCAPTCHA, switch to a European alternative.

On April 23, 2026, Google announced "Cloud Fraud Defense" at Cloud Next, describing it as the next evolution of reCAPTCHA. What they did not announce clearly is the detail that changes everything: when this new system flags your traffic as suspicious, the old click-the-buses puzzle is gone. Instead, you get a QR code. Scanning that QR code requires Google Play Services version 25.41.30 or higher running on your device. If you removed Google Play Services because you are on GrapheneOS, LineageOS, CalyxOS, /e/OS or any other de-Googled Android distribution, the verification fails with no documented workaround. Support pages showing this requirement were silently live since at least October 2025, seven months before anyone widely noticed.

iOS users on 16.4 and above pass automatically. Android users running stock Google software pass automatically. Privacy-conscious Android users who made an informed decision to remove Google's proprietary software from their own devices get locked out. The audience most likely to have read Google's data practices carefully and chosen to opt out is now the audience being flagged as fraudulent for that exact choice.

This is not the first time Google has attempted this. In 2023, the company proposed Web Environment Integrity, a browser feature that would let Google decide which devices were "legitimate" enough to access the web. Standards bodies, the open web community and the public pushed back hard enough that Google killed the proposal. Three years later, the same architectural idea is back, implemented not as an open web standard but as a dependency buried inside a widely deployed CAPTCHA system. The outcome is identical: Google's closed proprietary stack becomes the gatekeeper for basic web access. The mechanism is just harder to see.

The practical consequences are significant and mostly invisible to the websites themselves. reCAPTCHA runs on millions of websites globally. Bank login pages, government portals, ticket sites, account registration flows, none of them have to make an active decision to block de-Googled users. They just inherit the upstream limitation by continuing to use reCAPTCHA as they always have. A bank using reCAPTCHA is not choosing to exclude GrapheneOS users. It is just that Google made that choice on their behalf without telling them. This means, if you are a privacy-conscious user you are blocked from using bank websites because of Google.

GrapheneOS is recommended by the Electronic Frontier Foundation and is actively used by journalists, lawyers, activists, people operating in high-risk environments where device security matters and by everyone who just loves privacy. It is the most security-hardened Android variant publicly available. The population of people running it is not bots or fraudsters. It is the population that took device privacy seriously enough to sacrifice app compatibility and convenience to achieve it. Google's system cannot distinguish between them and actually malicious traffic because the only signal it is checking is whether Google's own software is present.

Play Services is background software with broad device permissions that Google controls, updates silently and uses to collect device telemetry. The user who removed it made a reasonable security decision. The system now treating that decision as evidence of suspicious intent has the logic precisely backwards.

There is currently a minimal bypass: Changing the browser agent string to simulate a non-Android device bypasses the check in some cases. GrapheneOS's sandboxed Play Services approach, which runs Google's software in an isolated container, may pass the check for now. But Google will almost certainly require full Play Integrity attestation in the future, and sandboxed Play Services will eventually fail that check by design because Play Integrity is specifically built to certify that Google's software is running with full system-level access.

If you are on a de-Googled device and hitting reCAPTCHA walls, document the sites and report them to the website owners and maintainers directly. Most website operators have no idea this is happening! Tell them to switch to alternatives like Altcha (altcha.org), which is an open source CAPTCHA. Altcha is European, privacy-preserving by design and requires no Play Services or proprietary software to pass. Every developer who keeps using reCAPTCHA after learning this is making a choice, even if they do not know it yet.

u/officialexaking — 3 days ago
▲ 121 r/xprivo

The European Parliament's research service just framed VPNs as a child safety loophole. The actual research says 82% of users use them for protection. Here is what is really happening and a decentralised VPN alternative

The European Parliamentary Research Service published a briefing paper this week titled "Virtual private networks and the protection of children online." The EU Parliament's social media account promoted it with the line: "VPNs are increasingly used to bypass online age verification." The Children's Commissioner for England is cited calling for VPNs to be restricted to adult use only. Some in the document argue that access to VPN services should require age verification.

There is one problem. The research underpinning the "VPNs are used to bypass age verification" framing is the 1,800% spike in VPN downloads in the UK after the Online Safety Act went live in July 2025. That is a real number. But it does not tell you why people downloaded VPNs. For that you need to look at the actual research on VPN usage.

A University of Michigan study covering thousands of VPN users across multiple countries found that 82.1% use VPNs to "protect myself from various threats and adversaries." Access to restricted content was a minority use case. There is no peer-reviewed research showing that VPNs are "increasingly" used specifically to bypass age verification. The EPRS briefing document conflates a correlation, more VPN downloads after age verification laws went live, with a motivation. Correlation is not causation, and the assumption that those downloads were primarily about age bypassing rather than people deciding their privacy needed protecting in response to governments demanding their biometric data is not supported by the underlying data.

This framing is not accidental. It is the legislative infrastructure for the next step. Once VPNs are established in official EU research as a "child safety loophole" rather than a privacy protection tool, the regulatory path toward restricting or requiring age verification for VPN access becomes politically available. We covered Utah's suggestion doing exactly this just this week. EU VP Henna Virkkunen explicitly stated the EU age verification system "should not be circumvented." The EPRS briefing is building the academic and policy foundation for what comes next.

The practical outcome of requiring age verification for VPN use is identical to banning anonymous VPN use. Once a VPN provider must verify your age, your identity is linked to your VPN account. The privacy tool becomes the surveillance checkpoint. This is precisely the outcome documented in our earlier post: Russia and Iran both arrived at VPN restrictions through incremental legislative pressure that began with narrowly justified use cases.

The option that cannot be regulated this way: NymVPN from Switzerland
A centralised VPN can be pressured, banned, compelled to verify users or have its servers seized. A decentralised VPN built on distributed infrastructure with no central company controlling the nodes cannot be banned in the same way because there is no single entity to compel.

NymVPN is built on the Nym mixnet, a decentralised network that protects not just your traffic content but your metadata: who you communicate with, when, and how often. Unlike traditional VPNs that hide your IP but still expose traffic patterns to a global adversary, Nym adds cover traffic and noise so that even nation-state level traffic analysis cannot de-anonymise you. Signup is anonymous, payments are unlinkable, the code is fully open source, and the network runs on independent distributed nodes with no central point of failure or control.

The most recent update of NymVPN added direct decentralised payments via zkNym credentials and removed the last requirement for a traditional account entirely. No account, no subscription tied to your identity, no company that can receive a court order requiring it to hand over your data.

The EU can regulate centralised VPN companies. It can require them to age-verify. It can compel them to log connections. What it cannot do is regulate a decentralised network that runs on distributed nodes operated by thousands of independent participants globally, any more than it can ban BitTorrent or regulate the Tor network out of existence.

u/officialexaking — 5 days ago
▲ 104 r/xprivo

Google quietly downloads 4GB onto your machine, UK kids defeated age verification with eyebrow pencils, and Meta's Ray-Ban glasses private videos were being watched by workers in Kenya (-privacy)

Google Chrome silently downloads a 4GB AI model to hundreds of millions of computers:
Without prominent notification or upfront consent, Chrome began downloading a roughly 4GB file called weights.bin to user machines as part of Gemini Nano, Google's on-device language model. It lands in your browser's user data folder under OptGuideOnDeviceModel and powers features including "Help me write," tab suggestions, scam detection and page summarisation. The download triggers automatically for any device meeting minimum hardware requirements, and Chrome re-downloads the file if you delete it.
The model runs on your machine, not Google's servers. But that is not the issue. This is a 4GB install that happened on hundreds of millions of machines without a clear consent prompt. Multiplied globally that is thousands of tonnes of additional carbon emissions from data transfer. And the model's presence means Google's AI infrastructure now lives permanently inside your browser whether you use it or not.
To remove it: go to chrome://flags, disable the entries for Optimization Guide On Device Model and Prompt API, restart Chrome, then manually delete the folder. Chrome may attempt to re-download it.
This is also the strongest argument yet for switching to a Firefox-based browser. LibreWolf does not ship with a 4GB AI model you did not ask for.
Source: https://www.techpowerup.com/348825/google-chrome-silently-downloads-4-gb-ai-model-on-your-pc-without-consent
https://9to5google.com/2026/05/06/google-chrome-4gb-storage-ai-details/

UK kids defeated the Online Safety Act with eyebrow pencils. The first major assessment is devastating:
The first independent assessment of the UK's Online Safety Act is out and contains a sentence that tells you everything: "I did catch my son using an eyebrow pencil to draw a moustache on his face, and it verified him as 15 years old." The child was 12.
This is the law that forced UK adults to submit government IDs and biometric facial scans to access ordinary websites, triggered a 1,800% spike in VPN downloads when it went live in July 2025, and pushed millions of users into handing biometric data to private third-party verification vendors. The assessment numbers are brutal: 46% of children say age checks are easy to bypass. Only 17% say they are difficult. 32% have already bypassed them in the past two months. 49% still report experiencing harm online in the past month.
The bypass methods children described to researchers include drawing facial hair with eyebrow pencil to fool facial age estimation, holding up a video game character's head during a face scan, submitting a video of a different person's face entirely, using a parent's ID with parental consent, and entering a fake birthday which still works on most platforms. A 12-year-old girl explained the TikTok live enforcement model: "They ban me for 10 minutes and then I can go live again."
The report's most uncomfortable finding is that 26% of parents are actively helping their children bypass the checks, deciding individually which circumvention is acceptable. A verification system that relies on parents as the final enforcement layer collapses the moment parents become the bypass vector. Reminder: The Discord vendor breach in October 2025 already exposed 70,000 government IDs uploaded purely for age verification.
A 16-year-old summarised it better than any policy paper: "I think it's a great idea in theory and I applaud its intentions, but I don't see how that's feasible, because kids will always find a way."
Source: https://www.internetmatters.org/hub/research/online-safety-act-report-2026/
https://www.washingtontimes.com/news/2026/may/7/uk-kids-skirt-online-age-verification-drawing-beards-using-pictures/

Meta's Ray-Ban smart glasses were recording video watched by workers in Kenya. Many users had no idea:
Meta has ended its contract with Sama, a Kenyan outsourcing company that employed workers to watch footage captured by Meta's Ray-Ban smart glasses as part of AI training. After losing the contract, Sama fired approximately 1,100 workers. Several of those workers reported losing their jobs after speaking out about the nature of the content they were required to review.
The content included people using the bathroom, individuals undressing, people having s*x, private conversations, and footage capturing bank card details. Users of the Ray-Ban glasses, which can record video discreetly and continuously, were largely unaware that their footage was being reviewed by human workers in another country as part of an AI training pipeline. A class-action lawsuit has been filed against Meta.

The pattern is familiar from every major AI product. The "private" framing around AI features of Big Tech providers consistently obscures the human review layer that sits behind them, the layer that was exposed with ChatGPT routing messages to the FBI, the layer that sits inside every AI product that claims to be private while using human contractors to review edge cases, improve accuracy and handle content moderation. The workers who watched the most intimate footage of Meta's users are now unemployed. Meta has not issued a detailed public statement on either the contract termination or the workers' accounts.
Source: https://www.bbc.com/news/articles/c5y7yvgy0w6o

u/officialexaking — 6 days ago
▲ 167 r/xprivo+1 crossposts

When we launched xPrivo Search earlier this year, the promise was simple: world-class search quality, absolute privacy, and full European digital sovereignty without compromise. Tens of thousands of you switched. You never became a product in return.

Today that trust gets repaid with the biggest release in xPrivo's history.

xPrivo 4.0 is live now at xprivo.com and xprivo.com/search
The single most important change under the hood is one you might not see directly but will feel in every result. Until today, xPrivo ran only on the European Search Perspective, a fully independent European index with no ties to US tech. That foundation has not changed. But we have now added our own small proprietary xPrivo Search Index on top of it. Two fully European, fully independent sources working in tandem. No Bing. No Google. No dependency on any American platform at any layer of the result pipeline.

On the surface, the results page is dramatically richer. Knowledge Cards surface structured answers for people, places, concepts and events without requiring a click. Live news results appear timestamped from trusted publishers. Sports results show for example Bundesliga standings and Champions League scores directly in your results. Image search is now inline. Place search surfaces local businesses across Europe complete with maps, opening hours and contact details, all within European infrastructure, not handed to Google Maps. Every single one of these result types can be individually toggled on or off in settings. The choice is yours.

Two new power features for users who want to move fast. Shortcuts let you trigger features directly from the search bar: /m opens a weather widget, /c opens a calculator, /ai triggers an instant AI overview generated entirely within our European AI infrastructure. QuickSearch lets you type !w climate change to jump directly to Wikipedia, !yt to YouTube, !gh to GitHub, !r to Reddit, all without an intermediate results page and without any third-party bang service logging your behaviour. The full command list appears when you type ! in the search bar.

🇩🇪 German language results are now fully supported, with Austria and Switzerland coverage included, as part of our ongoing expansion across European languages.

For local businesses, xPrivo 4.0 now lets you list your location directly in search results with a photo, map pin and website link. Placement is based on relevance, never on ad spend or behavioural tracking. Add your business from the footer at xprivo.com/search.

The iOS app is updated today. The Android app including a FOSS release on F-Droid is in active development and coming soon, making xPrivo one of the very few search applications committed to being installable without touching Google infrastructure at all.

The privacy principles have not changed and never will. No IP logging. No search history. No profiling. No Big Tech infrastructure by default. No behavioural ad targeting. Every component runs inside the EU under GDPR and European law.

The full release post with every detail is at https://www.xprivo.com/blog/en/xprivo-4

If you want to set xPrivo as your default browser search engine, the step-by-step guide for every major browser is at xprivo.com/add-xprivo-search-engine. It takes under a minute and means every search you make from that point feeds European infrastructure instead of a US data broker.
The gate to the internet belongs to you. Keep it that way.

u/SusejLegend — 7 days ago
▲ 470 r/xprivo+1 crossposts

Utah Senate Bill 73, the Online Age Verification Amendments, takes effect on May 6, 2026, making Utah the first US state to directly target VPN use as part of age verification enforcement. The law requires adult content websites to verify the age of anyone physically located in Utah, regardless of whether they use a VPN, proxy or other method to mask their location. Sites are prohibited from providing instructions or assistance on bypassing age checks using VPNs.

The law does not ban VPNs outright. It creates a legal structure where websites cannot reliably determine whether a visitor is using a VPN shield for privacy or hiding in Utah to bypass age gates, so the only legally safe option is either to block all known VPN IPs entirely or to require strict identity verification from every single visitor globally. The Electronic Frontier Foundation called this a "liability trap" that punishes users who care about their privacy, regardless of where they live. NordVPN described it as a "technical whack-a-mole" where the goal is unachievable and the enforcement breaks internet architecture.

EU Executive Vice President Henna Virkkunen, the commissioner driving the EU age verification blueprint, was asked directly at a press conference in Strasbourg on April 29, 2026 how the system stops children from circumventing it with a simple VPN. Her answer, confirmed by Reuters and the official Commission statement: "It's difficult, of course, to have the technological solutions that there's no way to circumvent … it's also an important part of next steps to look at [the issue] that it shouldn't be circumvented." She explicitly acknowledged the EU app can be bypassed with VPNs and stated it is critical that next steps address this, meaning the system that billions of euros will be spent rolling out is already known to be bypassable and the plan is to figure out how to fix it later.

The irony is staggering. The EU age verification blueprint was built to intersect with the European Digital Identity Wallet at the highest possible privacy standard, programmed with zero-knowledge proofs and anonymous credentials. The demo version was hacked in under two minutes using a mobile phone before launch. Security consultants demonstrated it stores biometric data unencrypted on the device. Experts including Belgian cryptographer Bart Preneel said the fundamental concept does not work even if the implementation were perfect. Virkkunen then stood before the press and admitted the bypass is trivial and plans are being made to stop it. The system has not stopped the bypass. It has been racing ahead at an accelerated pace anyway to meet the December 2026 deadline.

The end goal is now explicit. The EU's stated objective is to create a single age verification infrastructure across all 27 member states, rather than 27 different national systems, managed by a Commission-appointed list of trusted providers and a scheme controlling what counts as compliant, all designed to prevent users from circumventing age gates using privacy tools. The same infrastructure can gate social media access, content moderation appeals, credit decisions, political ad targeting and anything else that requires provisional identity verification.

The UK has passed amendments requiring VPNs to implement age verification. Utah is banning VPN circumvention. The pattern is the same across every single instance: privacy becomes circumvention, circumventing surveillance becomes illegal, and the innocent infrastructure of anonymity becomes the target.
For millions of users worldwide, the choice they are facing is about to become binary: hand over verified identity or lose access to the internet.

u/Powerful_Froyo8423 — 10 days ago
▲ 179 r/xprivo

Greece's Digital Governance Minister Dimitris Papastergiou confirmed this week that the government is moving forward with plans to require real identity verification for all social media accounts in the country. Users would still be permitted to use pseudonyms publicly, but every account must be linked to a verified legal identity through platform-level checks. The proposal is now being managed directly from Prime Minister Kyriakos Mitsotakis' office, which signals this is no longer a trial balloon but active government policy.

The stated justifications are the familiar ones: toxicity, hoaxes, coordinated harassment and character assassinations. Papastergiou argued that "digital democracy" should be inspired by Ancient Greece, where citizens openly expressed their views in the Assembly.

He is historically wrong in a way that is worth pointing out precisely because the argument is designed to sound educated. The Athenian Assembly invented the secret ballot specifically because public attribution is dangerous. Athenian ostracism, where citizens voted to exile powerful individuals, used anonymous pottery shards deliberately so that people could vote without fear of retaliation from the powerful. Pseudonymous political writing was widespread and understood to serve a legitimate democratic function. The historical record does not support the claim that Ancient Greece considered public identity a prerequisite for political participation. It supports exactly the opposite.

The modern case for anonymity is even stronger. Whistleblowers, abuse survivors, journalists working in hostile environments, political dissidents, LGBTQ+ individuals in unsupportive communities, employees flagging workplace misconduct, patients discussing stigmatised health conditions: all of these depend on the ability to speak without being identified. Eliminating anonymity does not eliminate toxicity. It eliminates the speech of people who have the most to lose from being identified, while leaving powerful actors who can absorb the consequences of public attribution entirely unaffected.

The "pseudonyms permitted but identity verified" framing is the part that deserves the closest scrutiny. This is the architecture that sounds like a compromise but functions as total surveillance. Your pseudonymous account says nothing that can be traced to you publicly, but every post you write, every reply you make, every community you participate in, is one platform data breach, one government request, or one policy change away from being attached to your legal name permanently. The pseudonym is a UI layer over a fully de-anonymised database.

This is not Greece operating totally alone with that kind of thing. The UK passed an amendment requiring VPNs to implement age verification. Norway is moving to mandatory age verification for social media. Germany is advancing IP address retention legislation. The EU classified certain emojis as systemic risks requiring automated scanning. The Greek proposal is the most explicit version of the same direction that every other country in this list is moving toward through slightly less visible mechanisms.

The difference is that Greece is being honest about the destination. Which does not make it better. Most governments arrive at the same endpoint through incremental steps, each justified individually as a narrow technical measure. Greece just described the destination directly: a social media environment where every account is traceable to a verified legal identity held by platforms that governments can compel.

u/officialexaking — 13 days ago
▲ 1.2k r/xprivo+1 crossposts

The European Commission published a formal recommendation today pressing all 27 member states to deploy a standardised age verification system by December 31, 2026. Source: https://digital-strategy.ec.europa.eu/en/library/commission-sets-out-common-approach-eu-wide-age-verification-technologies

France, Italy, Spain and several others are already testing implementations. The Commission describes the system as privacy-preserving, anonymous and built to the highest cybersecurity standards. 🤡

The demo was bypassed in under two minutes using a mobile phone.

That detail is not a minor technical footnote. It is the central fact about this rollout. The Commission's own blueprint, the one it is now recommending every EU citizen use to verify their identity before accessing age-restricted content, failed a basic real-world security test before it was even deployed nationally. The response from Brussels was to accelerate the timeline anyway.

The architecture the Commission is recommending works like this: you download a national app, scan your passport or national ID card to onboard, receive an anonymous digital credential, and present that credential to websites or apps that require age confirmation. The credential is designed to prove only that you are above a threshold age without revealing your exact age or identity to the platform. On paper this is genuinely privacy-conscious design. The cryptographic approach of proving a property without revealing the underlying data is the right way to build this.

The problem is not the design document. It is everything around it.

The EU is recommending this system be integrated with the European Digital Identity Wallet, the same eIDAS 2.0 infrastructure that Germany's first pilot deployed through Google Wallet, running on Oracle Cloud in Arizona and Amazon EC2 in Oregon, as we covered in detail here a few weeks ago. The theoretical privacy architecture and the actual implementation are two completely separate things, and every national implementation so far has chosen the fastest path to December compliance rather than the most privacy-preserving one.

Requiring every EU citizen to scan their passport into a government-linked app as a prerequisite for accessing the internet is not a narrow child safety measure. It is the construction of a universal identity verification layer for online activity, with age checking as the initial justification. The same infrastructure that confirms you are over 18 to access a gambling site can confirm you are the verified identity attached to a political post, a health forum discussion or a news comment. The scope of what gets age-gated is a policy decision that can be changed at any time after the infrastructure is built.

The governance structure the Commission is creating makes this explicit. It will maintain a list of approved age verification solution providers, a list of trusted proof-of-age attestation providers, and a scheme defining what qualifies as compliant. Once that list exists, it determines who is permitted to mediate access to online services for 450 million people. That is an enormous concentration of infrastructure power regardless of how well-intentioned the current holders of that power are.

Online child protection is a serious issue that requires greater awareness and education for parents, as the primary responsibility ultimately rests with them. But a universal identity verification layer with a two-minute bypass, deployed on infrastructure that three separate member state implementations have already shown will run on American cloud servers, managed by a Commission scheme that controls the approved provider list, does not become a privacy-preserving system because the recommendation document uses the word "anonymous" seven times.

The December 2026 deadline is eight months away. No national implementation yet fully meets the privacy standards the Commission claims to require. The demo was hacked in two minutes. The correct response to both of those facts is to slow down, not to publish a recommendation accelerating the timeline.

u/BlokZNCR — 14 days ago
▲ 1.3k r/Eesti+1 crossposts

Lidl is set to disrupt the telecommunications industry by rolling out budget-friendly mobile plans across new markets. Although the retailer already operates mobile services in Germany, Austria, and Switzerland, it is now looking to scale its presence into as many as 30 more countries.

u/officialexaking — 14 days ago
▲ 153 r/xprivo

When Elon Musk launched XChat and marketed it as "fully end-to-end encrypted", security researchers immediately started pulling the implementation apart. What they found is a case study in how technically correct language can describe something that provides almost no real privacy in practice.

What XChat actually does

XChat uses a protocol called Juicebox to manage encryption keys. The idea behind Juicebox is sound: split a user's private key into multiple "realm" shares, distribute them across independent servers, and require a PIN to reassemble them. No single realm has the full key, so no single server can decrypt your messages on its own. In theory this is a reasonable architecture.

The problem is every single realm in XChat's implementation is operated by X Corp, all under the x.com domain with SSL certificates belonging to X. Researchers confirmed this by intercepting and decrypting XChat's network traffic, which was possible because the app does not use certificate pinning. Since X controls every realm, X can reassemble any user's private encryption key at any time. The distributed key storage is completely illusory.

Cryptography professor Matthew Green at Johns Hopkins summarized it like this: if decryption keys live in servers all under X's control, then X can obtain anyone's key and decrypt their messages, whether for internal purposes, because a warrant compels them to, or because someone in authority decides they want to read your chats. He called this a "game-over type of vulnerability" if you are judging it as an end-to-end encryption scheme.

The 4-digit PIN makes this worse. The entire key recovery system is protected by 10,000 possible combinations, the equivalent of a luggage padlock. Rate limiting is supposed to prevent brute force but requires coordinated enforcement across all servers, and all those servers are the same company. There is also no forward secrecy, meaning compromising a key exposes past messages too, no key ratcheting, and no protection against man-in-the-middle attacks through key directory manipulation.

There is one additional problem that sits above the cryptography entirely. XChat includes an "Ask Grok" button in chats that sends message content directly to Grok for AI processing. The moment a user clicks it, that conversation exits end-to-end encryption entirely and lands on X's AI servers in plaintext. X's privacy policy does not specify whether this content is used for training or for other purposes.

The European alternatives you might consider instead:

Threema (Switzerland) requires no phone number, no email address and no account linked to any real identity. You get a randomly generated Threema ID. End-to-end encryption uses the NaCl cryptography library, is fully open source and has been independently audited. Messages are permanently deleted from Threema's servers after delivery and are never stored in the clear. The app is available for a one-time purchase.

Olvid (France) is the only messaging app certified by the French national cybersecurity agency ANSSI to the highest level of assurance. It requires absolutely no personal information to create an account, not a phone number, not an email, not a name. Identity verification is done cryptographically through a mutual introduction protocol rather than a phone number lookup. The French government officially recommends it for sensitive communications. It is open source and the cryptographic protocol has been formally verified by academic researchers.

SimpleX Chat takes the most radical approach of any mainstream messenger. It assigns no identifier to users whatsoever, not a phone number, not a username, not a randomly generated account ID. Communication happens through temporary pairwise queue addresses that exist only for the duration of a conversation. Even SimpleX's own servers cannot determine that your conversation with one person and your conversation with another involve the same user. There is no central directory that maps identities to keys, which means there is nothing to subpoena, breach or hand to law enforcement.

The pattern across all three is consistent: they were built by people who understood that real privacy requires designing the system so that the provider cannot betray you even if compelled to, not writing a privacy policy promising they will not.

XChat was built by people who wanted to claim end-to-end encryption while retaining full access to every conversation. The architecture reflects the intention.

Tldr: Technically, X has everything it needs to decrypt your messages and read your conversations. The lock icon that appears next to your direct messages is purely decorative.
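A toy model of the split-key argument made in this post, added here as an illustration; it is not XChat's, Juicebox's or the researchers' code, and the names (Realm, enroll, recover_key, insider_recover) and the SHA-256 PIN check are assumptions made for the example, not the real protocol. Shares are Shamir shares over a prime field, each realm releases its share only for the right PIN and locks after a few wrong guesses, and the operator of a realm can read the share off its own disk. With three independent operators an insider gets one share and learns nothing; with every realm under one operator the PIN never has to be presented at all.

```python
"""Toy model of PIN-gated key shares spread across 'realms'.
Added example, not XChat or Juicebox code; all names are invented here."""
import hashlib
import secrets

PRIME = 2**255 - 19   # field modulus; any prime larger than the key works
MAX_ATTEMPTS = 5      # per-realm rate limit on wrong PINs


def split_secret(secret, n, k):
    """Split `secret` into n points on a random degree-(k-1) polynomial."""
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):   # Horner evaluation of f(x)
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def combine(points):
    """Lagrange interpolation at x=0; any k distinct shares recover f(0)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


class Realm:
    """One share-holding server, run by `operator`."""

    def __init__(self, operator, share, pin):
        self.operator = operator
        self._share = share
        self._pin_hash = hashlib.sha256(pin.encode()).digest()
        self.attempts = 0

    def fetch_share(self, pin):
        """Client path: PIN-gated and rate-limited."""
        if self.attempts >= MAX_ATTEMPTS:
            raise PermissionError("realm locked after too many wrong PINs")
        if hashlib.sha256(pin.encode()).digest() != self._pin_hash:
            self.attempts += 1
            return None
        self.attempts = 0
        return self._share

    def read_from_disk(self, who):
        """Operator path: whoever runs the box reads the share, no PIN needed."""
        if who != self.operator:
            raise PermissionError(f"{who} does not operate this realm")
        return self._share


def enroll(key, pin, operators, k):
    """One realm per operator; any k of them can rebuild `key`."""
    shares = split_secret(key, len(operators), k)
    return [Realm(op, s, pin) for op, s in zip(operators, shares)]


def recover_key(realms, pin):
    """Legitimate user: present the PIN to every realm and combine."""
    shares = [r.fetch_share(pin) for r in realms]
    if any(s is None for s in shares):
        return None
    return combine(shares)


def insider_recover(realms, who, k):
    """Operator `who`: collect shares from the realms it runs, ignoring the PIN."""
    shares = []
    for r in realms:
        try:
            shares.append(r.read_from_disk(who))
        except PermissionError:
            pass   # a realm somebody else runs
    return combine(shares) if len(shares) >= k else None


if __name__ == "__main__":
    key = int.from_bytes(secrets.token_bytes(32), "big") % PRIME
    independent = enroll(key, "4821", ["alpha", "beta", "gamma"], k=3)
    assert recover_key(independent, "4821") == key
    assert insider_recover(independent, "alpha", k=3) is None   # one share only
    same_company = enroll(key, "4821", ["x.com", "x.com", "x.com"], k=3)
    assert insider_recover(same_company, "x.com", k=3) == key   # no PIN needed
```

The attempt counter in fetch_share only ever constrains an outsider: the operator path never touches it, which is the sense in which a rate limit enforced by the same party that holds all the shares adds nothing against that party.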

u/officialexaking — 15 days ago
▲ 567 r/xprivo

This week was unusually dense with surveillance infrastructure news. Each story was reported separately, each justified with its own framing. Read them together and the direction is unmistakable.

1. UK: Facial recognition approved for nationwide rollout

The High Court rejected a legal challenge against the Metropolitan Police's live facial recognition program this week, and the government immediately confirmed plans to expand from 10 to 50 facial recognition vans deployed across public spaces in England and Wales. The policing minister said ordinary citizens have "nothing to fear". The system is already running in at least 13 police forces. A new national facial matching database is scheduled for testing in 2026. One police study previously identified potential racial disparities in accuracy, though authorities later claimed these were fixed. No independent audit has verified that claim.

2. PlayStation: Face scans / ID verification now mandatory

Sony has announced that starting June 2026, all PlayStation Network users in the UK and Ireland must complete age verification to use party chat, messaging, voice features and certain in-game social tools. Unverified accounts lose access to all communication features. The options are a mobile carrier check, facial geometry scanning via Yoti, or uploading a government-issued ID. Sony says Yoti does not store biometric data, only passing back a confirmation. This is the same company, Yoti, that Discord used for its face scanning rollout earlier this year. The "verification provider" model means your biometric data flows through a third-party company whose privacy guarantees are entirely separate from Sony's.

3. Germany: IP address retention moving forward

Germany's Federal Ministry of Justice published a draft bill in December 2025 requiring all internet service providers to retain IP addresses and connection timestamps for a minimum of 90 days. The legislation is now advancing through the coalition government under Chancellor Merz. Previous attempts at broader data retention were struck down by the European Court of Justice, so this bill is deliberately scoped narrowly to IP addresses only, making it harder to challenge while still creating a permanent surveillance log of every German internet connection.

4. EU: Certain emojis classified as systemic risks

The European Commission published its first major Digital Services Act report on systemic risks this week, and it includes a section on emojis. Specifically, the EU identified the pill emoji 💊, snowflake emoji ❄️, leaf emoji 🍁 and others as coded language used in drug sales and flagged them as systemic risks that platforms must deploy automated systems to detect. Platforms including Meta confirmed they are already scanning for emoji-coded communications. The Commission's own social media account posted "an emoji isn't always just an emoji". Regardless of the drug sales context, building automated scanning systems for symbolic language in private communications is surveillance infrastructure that does not stay narrowly scoped once deployed.

5. Norway: National age verification system introduced

Norway's government announced this week it will introduce legislation requiring all social media platforms to verify user age at login, with a minimum age of 16. Technology companies will be legally responsible for implementation. Norway's own data protection authority, Datatilsynet, responded with a public warning that requiring biometric or passport-level verification from all users to protect some users is a privacy intrusion against everyone, and that the law should specify exactly how verification must work rather than letting platforms choose their own methods. The bill will go to the Storting later this year.

And Palantir holds government contracts touching every single one of these countries.

The UK Ministry of Defence signed a £240.6 million three-year Palantir enterprise agreement in December 2025, awarded without competitive procurement under a defence exemption. Total documented UK government spending with Palantir now exceeds £900 million across at least 10 departments including the NHS, police forces and the MoD. Germany and Norway both have active public sector Palantir relationships. The EU has ongoing engagements with the company across defence and intelligence infrastructure.

Palantir's core product is connecting disparate data sources (biometrics, communication metadata, IP logs, identity records, location data) into unified intelligence platforms. The five stories above are five separate streams of data. A company with contracts across all five governments and expertise in combining exactly these data types is watching all of them develop simultaneously.

u/officialexaking — 17 days ago
▲ 341 r/xprivo

Julia Klöckner, the speaker of Germany's Bundestag and the country's second-highest state official, has had her Signal account fully compromised by what German and Dutch intelligence services attribute to Russian state-linked hackers. She was part of a CDU executive Signal group that also included Chancellor Friedrich Merz. His device came back clean when examined. Hers did not.

This is not an isolated incident. German counterintelligence confirms at least 300 victims across Germany, including a top CDU member of parliament and the former deputy chief of German foreign intelligence, Arndt Freytag von Loringhoven. The FBI and CISA have separately assessed global victims in the thousands. The German domestic intelligence agency BfV has now explicitly warned that active parliamentary group chats are likely being monitored in real time. The campaign has been ongoing for months and is, according to the BfV's own April update, still accelerating.

How the attack works

Signal's encryption was not broken. The infrastructure was not compromised. The attack is entirely social engineering, which makes it in many ways more dangerous because there is no technical patch that stops it.

The first method involves attackers impersonating Signal's support team via in-app messages, sending fabricated security alerts and convincing targets to hand over their personal Signal PIN. With that PIN the attacker registers the account on their own device, locking out the legitimate owner entirely. The second and more insidious method uses Signal's legitimate device-linking feature. The attacker contacts the target under a pretext and tricks them into scanning a QR code. This links the attacker's device to the victim's account as a secondary device. The victim keeps full access and notices nothing. The attacker silently receives a copy of every message, photo and file in real time, including all content from the previous 45 days from the moment of linking.

Parliamentary group chats with dozens of members can be compromised through a single successfully attacked account. Every person in the group becomes exposed regardless of whether they were individually targeted.

What to check right now if you use Signal

Open Signal, go to Settings and look for Linked Devices. If you see any device you do not recognise, remove it immediately. You are allowed up to five linked devices, which means an attacker can sit undetected for weeks. The German BSI and BfV have published a joint checklist specifically for this attack wave. Check that your registration lock is enabled and that your PIN has not been shared with anyone, even someone who appeared to contact you as Signal support.

Signal has confirmed publicly that its support team will never contact users via in-app messages, SMS or social media to ask for a confirmation code or PIN. Any message doing so is an attack.

Signal is actually one of the most secure messaging platforms available. The encryption holds. The protocol is sound. What this campaign demonstrates once again is that the human layer is always the weakest point, and when the targets are politicians, diplomats, military personnel and journalists, the attackers invest considerable effort in making the social engineering convincing. A fabricated security warning from what appears to be Signal support is more effective against a busy parliamentarian than any exploit would be.

Germany's parliament was hacked by Russia in 2015 through malware. In 2026 the method is a chat message and a QR code. The sophistication has not increased. The negligence required to succeed has simply been found at the highest levels of government again.

For anyone in a high-risk professional environment, the lesson is the same one that keeps needing to be relearned: the strongest encryption in the world does not protect you from yourself.

Source:

https://www.tagesschau.de/inland/kloeckner-signal-phishing-100.html

u/officialexaking — 20 days ago