r/xprivo

Google’s reCAPTCHA will now prevent privacy-conscious Android users from accessing websites. Users who remove Google software (deGoogled phone) from their devices may be treated as suspicious by default. If you currently use reCAPTCHA, switch to a European alternative.
▲ 352 r/xprivo

On April 23, 2026, Google announced "Cloud Fraud Defense" at Cloud Next, describing it as the next evolution of reCAPTCHA. What they did not announce clearly is the detail that changes everything: when this new system flags your traffic as suspicious, the old click-the-buses puzzle is gone. Instead, you get a QR code. Scanning that QR code requires Google Play Services version 25.41.30 or higher running on your device. If you removed Google Play Services because you are on GrapheneOS, LineageOS, CalyxOS, /e/OS or any other de-Googled Android distribution, the verification fails with no documented workaround. Support pages showing this requirement were silently live since at least October 2025, seven months before anyone widely noticed.

iOS users on 16.4 and above pass automatically. Android users running stock Google software pass automatically. Privacy-conscious Android users who made an informed decision to remove Google's proprietary software from their own devices get locked out. The audience most likely to have read Google's data practices carefully and chosen to opt out is now the audience being flagged as fraudulent for that exact choice.

This is not the first time Google has attempted this. In 2023, the company proposed Web Environment Integrity, a browser feature that would let Google decide which devices were "legitimate" enough to access the web. Standards bodies, the open web community and the public pushed back hard enough that Google killed the proposal. Three years later, the same architectural idea is back, implemented not as an open web standard but as a dependency buried inside a widely deployed CAPTCHA system. The outcome is identical: Google's closed proprietary stack becomes the gatekeeper for basic web access. The mechanism is just harder to see.

The practical consequences are significant and mostly invisible to the websites themselves. reCAPTCHA runs on millions of websites globally. Bank login pages, government portals, ticket sites, account registration flows, none of them have to make an active decision to block de-Googled users. They just inherit the upstream limitation by continuing to use reCAPTCHA as they always have. A bank using reCAPTCHA is not choosing to exclude GrapheneOS users. It is just that Google made that choice on their behalf without telling them. This means that if you are a privacy-conscious user, you are blocked from using bank websites because of Google.

GrapheneOS is recommended by the Electronic Frontier Foundation and is actively used by journalists, lawyers, activists, people operating in high-risk environments where device security matters and by everyone who just loves privacy. It is the most security-hardened Android variant publicly available. The population of people running it is not bots or fraudsters. It is the population that took device privacy seriously enough to sacrifice app compatibility and convenience to achieve it. Google's system cannot distinguish between them and actually malicious traffic because the only signal it is checking is whether Google's own software is present.

Play Services is background software with broad device permissions that Google controls, updates silently and uses to collect device telemetry. The user who removed it made a reasonable security decision. The system now treating that decision as evidence of suspicious intent has the logic precisely backwards.

There is currently a minimal bypass: Changing the browser agent string to simulate a non-Android device bypasses the check in some cases. GrapheneOS's sandboxed Play Services approach, which runs Google's software in an isolated container, may pass the check for now. But Google will almost certainly require full Play Integrity attestation in the future, and sandboxed Play Services will eventually fail that check by design because Play Integrity is specifically built to certify that Google's software is running with full system-level access.

If you are on a de-Googled device and hitting reCAPTCHA walls, document the sites and report them to the website owners and maintainers directly. Most website operators have no idea this is happening! Tell them to switch to alternatives like Altcha (altcha.org) which is an Open Source Captcha. Altcha is European, privacy-preserving by design and requires no Play Services or proprietary software to pass. Every developer who keeps using reCAPTCHA after learning this is making a choice, even if they do not know it yet.

u/officialexaking — 3 days ago
▲ 1.2k r/xprivo+1 crossposts

The European Commission published a formal recommendation today pressing all 27 member states to deploy a standardised age verification system by December 31, 2026. Source: https://digital-strategy.ec.europa.eu/en/library/commission-sets-out-common-approach-eu-wide-age-verification-technologies

France, Italy, Spain and several others are already testing implementations. The Commission describes the system as privacy-preserving, anonymous and built to the highest cybersecurity standards. 🤡

The demo was bypassed in under two minutes using a mobile phone.

That detail is not a minor technical footnote. It is the central fact about this rollout. The Commission's own blueprint, the one it is now recommending every EU citizen use to verify their identity before accessing age-restricted content, failed a basic real-world security test before it was even deployed nationally. The response from Brussels was to accelerate the timeline anyway.

The architecture the Commission is recommending works like this: you download a national app, scan your passport or national ID card to onboard, receive an anonymous digital credential, and present that credential to websites or apps that require age confirmation. The credential is designed to prove only that you are above a threshold age without revealing your exact age or identity to the platform. On paper this is genuinely privacy-conscious design. The cryptographic approach of proving a property without revealing the underlying data is the right way to build this.

The problem is not the design document. It is everything around it.

The EU is recommending this system be integrated with the European Digital Identity Wallet, the same eIDAS 2.0 infrastructure that Germany's first pilot deployed through Google Wallet, running on Oracle Cloud in Arizona and Amazon EC2 in Oregon, as we covered in detail here a few weeks ago. The theoretical privacy architecture and the actual implementation are two completely separate things, and every national implementation so far has chosen the fastest path to December compliance rather than the most privacy-preserving one.

Requiring every EU citizen to scan their passport into a government-linked app as a prerequisite for accessing the internet is not a narrow child safety measure. It is the construction of a universal identity verification layer for online activity, with age checking as the initial justification. The same infrastructure that confirms you are over 18 to access a gambling site can confirm you are the verified identity attached to a political post, a health forum discussion or a news comment. The scope of what gets age-gated is a policy decision that can be changed at any time after the infrastructure is built.

The governance structure the Commission is creating makes this explicit. It will maintain a list of approved age verification solution providers, a list of trusted proof-of-age attestation providers, and a scheme defining what qualifies as compliant. Once that list exists, it determines who is permitted to mediate access to online services for 450 million people. That is an enormous concentration of infrastructure power regardless of how well-intentioned the current holders of that power are.

Online child protection is a serious issue that requires greater awareness and education for parents, as the primary responsibility ultimately rests with them. But a universal identity verification layer with a two-minute bypass, deployed on infrastructure that three separate member state implementations have already shown will run on American cloud servers, managed by a Commission scheme that controls the approved provider list, does not become a privacy-preserving system because the recommendation document uses the word "anonymous" seven times.

The December 2026 deadline is eight months away. No national implementation yet fully meets the privacy standards the Commission claims to require. The demo was hacked in two minutes. The correct response to both of those facts is to slow down, not to publish a recommendation accelerating the timeline.

u/BlokZNCR — 14 days ago
▲ 470 r/xprivo+1 crossposts

Utah Senate Bill 73, the Online Age Verification Amendments, takes effect on May 6, 2026, making Utah the first US state to directly target VPN use as part of age verification enforcement. The law requires adult content websites to verify the age of anyone physically located in Utah, regardless of whether they use a VPN, proxy or other method to mask their location. Sites are prohibited from providing instructions or assistance on bypassing age checks using VPNs.

The law does not ban VPNs outright. It creates a legal structure where websites cannot reliably determine whether a visitor is using a VPN shield for privacy or hiding in Utah to bypass age gates, so the only legally safe option is either to block all known VPN IPs entirely or to require strict identity verification from every single visitor globally. The Electronic Frontier Foundation called this a "liability trap" that punishes users who care about their privacy, regardless of where they live. NordVPN described it as a "technical whack-a-mole" where the goal is unachievable and the enforcement breaks internet architecture.

EU Executive Vice President Henna Virkkunen, the commissioner driving the EU age verification blueprint, was asked directly at a press conference in Strasbourg on April 29, 2026 how the system stops children from circumventing it with a simple VPN. Her answer, confirmed by Reuters and the official Commission statement: "It's difficult, of course, to have the technological solutions that there's no way to circumvent … it's also an important part of next steps to look at [the issue] that it shouldn't be circumvented." She explicitly acknowledged the EU app can be bypassed with VPNs and stated it is critical that next steps address this, meaning the system that billions of euros will be spent rolling out is already known to be bypassable and the plan is to figure out how to fix it later.

The irony is staggering. The EU age verification blueprint was built to intersect with the European Digital Identity Wallet at the highest possible privacy standard, programmed with zero-knowledge proofs and anonymous credentials. The demo version was hacked in under two minutes using a mobile phone before launch. Security consultants demonstrated it stores biometric data unencrypted on the device. Experts including Belgian cryptographer Bart Preneel said the fundamental concept does not work even if the implementation were perfect. Virkkunen then stood before the press and admitted the bypass is trivial and plans are being made to stop it. The system has not stopped the bypass. It has been racing ahead at an accelerated pace anyway to meet the December 2026 deadline.

The end goal is now explicit. The EU's stated objective is to create a single age verification infrastructure across all 27 member states, rather than 27 different national systems, managed by a Commission-appointed list of trusted providers and a scheme controlling what counts as compliant, all designed to prevent users from circumventing age gates using privacy tools. The same infrastructure can gate social media access, content moderation appeals, credit decisions, political ad targeting and anything else that requires provisional identity verification.

The UK has passed amendments requiring VPNs to implement age verification. Utah is banning VPN circumvention. The pattern is the same across every single instance: privacy becomes circumvention, circumventing surveillance becomes illegal, and the innocent infrastructure of anonymity becomes the target.
For millions of users worldwide, the choice they are facing is about to become binary: hand over verified identity or lose access to the internet.

u/Powerful_Froyo8423 — 10 days ago
▲ 39 r/xprivo

🇪🇺 Happy Europe Day! To celebrate this: 50% off PRO & a 6-month PRO giveaway for 4 supporters

To celebrate Europe Day and the push for digital privacy, we’re running a special community giveaway and a promo for those who want to support European tech!

🎁 The Giveaway: Win 6 Months of PRO Free! Just leave a comment below! We will randomly select 4 commenters to win a free 6-month PRO membership.

🇪🇺 Europe Day Promo: 50% OFF PRO Want to support the project right away? Get 50% OFF your first 4 months of PRO (available on Web and the App Store).

Promo runs until 12th May. Winners will be announced on 13th May in the comments of this post.

Link to the website with the promo: https://www.xprivo.com/europe-day/

u/Euhuntix — 4 days ago
▲ 167 r/xprivo+1 crossposts

When we launched xPrivo Search earlier this year, the promise was simple: world-class search quality, absolute privacy, and full European digital sovereignty without compromise. Tens of thousands of you switched. You never became a product in return.

Today that trust gets repaid with the biggest release in xPrivo's history.

xPrivo 4.0 is live now at xprivo.com and xprivo.com/search
The single most important change under the hood is one you might not see directly but will feel in every result. Until today, xPrivo ran only on the European Search Perspective, a fully independent European index with no ties to US tech. That foundation has not changed. But we have now added our own small proprietary xPrivo Search Index on top of it. Two fully European, fully independent sources working in tandem. No Bing. No Google. No dependency on any American platform at any layer of the result pipeline.

On the surface, the results page is dramatically richer. Knowledge Cards surface structured answers for people, places, concepts and events without requiring a click. Live news results appear timestamped from trusted publishers. Sports results show for example Bundesliga standings and Champions League scores directly in your results. Image search is now inline. Place search surfaces local businesses across Europe complete with maps, opening hours and contact details, all within European infrastructure, not handed to Google Maps. Every single one of these result types can be individually toggled on or off in settings. The choice is yours.

Two new power features for users who want to move fast. Shortcuts let you trigger features directly from the search bar: /m opens a weather widget, /c opens a calculator, /ai triggers an instant AI overview generated entirely within our European AI infrastructure. QuickSearch lets you type !w climate change to jump directly to Wikipedia, !yt to YouTube, !gh to GitHub, !r to Reddit, all without an intermediate results page and without any third-party bang service logging your behaviour. The full command list appears when you type ! in the search bar.

🇩🇪 German language results are now fully supported, with Austria and Switzerland coverage included, as part of our ongoing expansion across European languages.

For local businesses, xPrivo 4.0 now lets you list your location directly in search results with a photo, map pin and website link. Placement is based on relevance, never on ad spend or behavioural tracking. Add your business from the footer at xprivo.com/search.

The iOS app is updated today. The Android app including a FOSS release on F-Droid is in active development and coming soon, making xPrivo one of the very few search applications committed to being installable without touching Google infrastructure at all.

The privacy principles have not changed and never will. No IP logging. No search history. No profiling. No Big Tech infrastructure by default. No behavioural ad targeting. Every component runs inside the EU under GDPR and European law.

The full release post with every detail is at https://www.xprivo.com/blog/en/xprivo-4

If you want to set xPrivo as your default browser search engine, the step-by-step guide for every major browser is at xprivo.com/add-xprivo-search-engine. It takes under a minute and means every search you make from that point feeds European infrastructure instead of a US data broker.
The gate to the internet belongs to you. Keep it that way.

u/SusejLegend — 7 days ago
▲ 43 r/xprivo

Tux turned 30 last week. Linux's penguin mascot was born from a finger bite at an Australian zoo, designed in GIMP by one developer, and has not changed in three decades.

On May 9, 1996, Linus Torvalds sent an email to the linux-kernel mailing list that would define the visual identity of the most influential open source operating system in history. His brief was precise and characteristically irreverent: the mascot should look "cuddly" and "contented," like a penguin that had just eaten "a suitcase full of herring" and was too stuffed to stand up straight. "Think of a Bean Bag," he wrote.
The origin of the penguin preference is one of computing history's more charming footnotes. Torvalds had visited the National Zoo in Canberra, Australia, where a small penguin bit his finger. Rather than holding a grudge, he declared himself "rather fond of penguins" and the direction was set.
Developer Larry Ewing took that brief and built the round, black-and-white character using GIMP, the open source image editor, in a decision that was quietly fitting: the mascot of a free software project created with free software tools. The name Tux followed in June 1996, proposed by James Hughes as an acronym for (T)orvalds (U)ni(X), though the obvious association with the tuxedo, which a penguin wears naturally, made the name feel inevitable.
What is remarkable is how little Tux has changed. Corporate logos are redesigned on three-year cycles. Brand consultancies are paid millions to flatten, simplify and "modernise" visual identities. Tux was drawn once by one person using an open source image editor and has remained essentially untouched for thirty years. Ewing's only condition for its use has always been attribution to himself and GIMP. No licensing fees, no trademark bureaucracy, no corporate design team to approve modifications. The decentralised ethos of open source embedded into the mascot itself.
Torvalds was always clear about the tone he wanted. "He's supposed to be kind of goofy and fun, that's the whole point," he once wrote. "Linux is supposed to be goofy and fun, it's also the best operating system in the world, but goofy and fun too." In 1998, Internet World magazine recognised Tux as one of twelve figures who had "made things happen" that year. A penguin drawn by one developer in GIMP listed alongside the year's most significant figures in technology.
The milestone lands as Linux itself approaches its 35th year. The kernel was first published in September 1991 as a student project with just over 10,000 lines of code. It has since grown to more than 34 million lines, shaped by over 25,000 individual contributors. It now runs on virtually all of the world's 500 fastest supercomputers, the majority of global cloud infrastructure, and the Android operating system on billions of mobile devices.
For this community in particular, the anniversary carries specific weight. The same properties that Torvalds encoded into Tux, open, unowned, built by individuals rather than corporations, maintained by shared convention rather than legal enforcement, are the properties under increasing pressure in 2026. Google is moving to require developer registration and government ID for Android app distribution. The EU is building centralised age verification infrastructure that will require identification before accessing the internet. The open web is being enclosed from multiple directions simultaneously.
The penguin that has symbolised the alternative for thirty years is still sitting there, full of herring, looking quietly pleased with itself.
Happy late birthday, Tux.

u/officialexaking — 1 day ago
▲ 179 r/xprivo

Greece's Digital Governance Minister Dimitris Papastergiou confirmed this week that the government is moving forward with plans to require real identity verification for all social media accounts in the country. Users would still be permitted to use pseudonyms publicly, but every account must be linked to a verified legal identity through platform-level checks. The proposal is now being managed directly from Prime Minister Kyriakos Mitsotakis' office, which signals this is no longer a trial balloon but active government policy.

The stated justifications are the familiar ones: toxicity, hoaxes, coordinated harassment and character assassinations. Papastergiou argued that "digital democracy" should be inspired by Ancient Greece, where citizens openly expressed their views in the Assembly.

He is historically wrong in a way that is worth pointing out precisely because the argument is designed to sound educated. The Athenian Assembly invented the secret ballot specifically because public attribution is dangerous. Athenian ostracism, where citizens voted to exile powerful individuals, used anonymous pottery shards deliberately so that people could vote without fear of retaliation from the powerful. Pseudonymous political writing was widespread and understood to serve a legitimate democratic function. The historical record does not support the claim that Ancient Greece considered public identity a prerequisite for political participation. It supports exactly the opposite.

The modern case for anonymity is even stronger. Whistleblowers, abuse survivors, journalists working in hostile environments, political dissidents, LGBTQ+ individuals in unsupportive communities, employees flagging workplace misconduct, patients discussing stigmatised health conditions: all of these depend on the ability to speak without being identified. Eliminating anonymity does not eliminate toxicity. It eliminates the speech of people who have the most to lose from being identified, while leaving powerful actors who can absorb the consequences of public attribution entirely unaffected.

The "pseudonyms permitted but identity verified" framing is the part that deserves the closest scrutiny. This is the architecture that sounds like a compromise but functions as total surveillance. Your pseudonymous account says nothing that can be traced to you publicly, but every post you write, every reply you make, every community you participate in, is one platform data breach, one government request, or one policy change away from being attached to your legal name permanently. The pseudonym is a UI layer over a fully de-anonymised database.

This is not Greece operating totally alone with this kind of thing. The UK passed an amendment requiring VPNs to implement age verification. Norway is moving to mandatory age verification for social media. Germany is advancing IP address retention legislation. The EU classified certain emojis as systemic risks requiring automated scanning. The Greek proposal is the most explicit version of the same direction that every other country in this list is moving toward through slightly less visible mechanisms.

The difference is that Greece is being honest about the destination. Which does not make it better. Most governments arrive at the same endpoint through incremental steps, each justified individually as a narrow technical measure. Greece just described the destination directly: a social media environment where every account is traceable to a verified legal identity held by platforms that governments can compel.

u/officialexaking — 13 days ago
▲ 121 r/xprivo

The European Parliament's research service just framed VPNs as a child safety loophole. The actual research says 82% of users use them for protection. Here is what is really happening and a decentralised VPN alternative

The European Parliamentary Research Service published a briefing paper this week titled "Virtual private networks and the protection of children online." The EU Parliament's social media account promoted it with the line: "VPNs are increasingly used to bypass online age verification." The Children's Commissioner for England is cited calling for VPNs to be restricted to adult use only. Some in the document argue that access to VPN services should require age verification.

There is one problem. The research underpinning the "VPNs are used to bypass age verification" framing is the 1,800% spike in VPN downloads in the UK after the Online Safety Act went live in July 2025. That is a real number. But it does not tell you why people downloaded VPNs. For that you need to look at the actual research on VPN usage.

A University of Michigan study covering thousands of VPN users across multiple countries found that 82.1% use VPNs to "protect myself from various threats and adversaries." Access to restricted content was a minority use case. There is no peer-reviewed research showing that VPNs are "increasingly" used specifically to bypass age verification. The EPRS briefing document conflates a correlation, more VPN downloads after age verification laws went live, with a motivation. Correlation is not causation, and the assumption that those downloads were primarily about age bypassing rather than people deciding their privacy needed protecting in response to governments demanding their biometric data is not supported by the underlying data.

This framing is not accidental. It is the legislative infrastructure for the next step. Once VPNs are established in official EU research as a "child safety loophole" rather than a privacy protection tool, the regulatory path toward restricting or requiring age verification for VPN access becomes politically available. We covered Utah's suggestion doing exactly this just this week. EU VP Henna Virkkunen explicitly stated the EU age verification system "should not be circumvented." The EPRS briefing is building the academic and policy foundation for what comes next.

The practical outcome of requiring age verification for VPN use is identical to banning anonymous VPN use. Once a VPN provider must verify your age, your identity is linked to your VPN account. The privacy tool becomes the surveillance checkpoint. This is precisely the outcome documented in our earlier post: Russia and Iran all arrived at VPN restrictions through incremental legislative pressure that began with narrowly justified use cases.

The option that cannot be regulated this way: NymVPN from Switzerland
A centralised VPN can be pressured, banned, compelled to verify users or have its servers seized. A decentralised VPN built on distributed infrastructure with no central company controlling the nodes cannot be banned in the same way because there is no single entity to compel.

NymVPN is built on the Nym mixnet, a decentralised network that protects not just your traffic content but your metadata: who you communicate with, when, and how often. Unlike traditional VPNs that hide your IP but still expose traffic patterns to a global adversary, Nym adds cover traffic and noise so that even nation-state level traffic analysis cannot de-anonymise you. Signup is anonymous, payments are unlinkable, the code is fully open source, and the network runs on independent distributed nodes with no central point of failure or control.

The most recent update of NymVPN added direct decentralised payments via zkNym credentials and removed the last requirement for a traditional account entirely. No account, no subscription tied to your identity, no company that can receive a court order requiring it to hand over your data.

The EU can regulate centralised VPN companies. It can require them to age-verify. It can compel them to log connections. What it cannot do is regulate a decentralised network that runs on distributed nodes operated by thousands of independent participants globally, any more than it can ban BitTorrent or regulate the Tor network out of existence.

u/officialexaking — 5 days ago
▲ 104 r/xprivo

Google quietly downloads 4GB onto your machine, UK kids defeated age verification with eyebrow pencils, and Meta's Ray-Ban glasses private videos were being watched by workers in Kenya (-privacy)

Google Chrome silently downloads a 4GB AI model to hundreds of millions of computers:
Without prominent notification or upfront consent, Chrome began downloading a roughly 4GB file called weights.bin to user machines as part of Gemini Nano, Google's on-device language model. It lands in your browser's user data folder under OptGuideOnDeviceModel and powers features including "Help me write," tab suggestions, scam detection and page summarisation. The download triggers automatically for any device meeting minimum hardware requirements, and Chrome re-downloads the file if you delete it.
The model runs on your machine, not Google's servers. But that is not the issue. This is a 4GB install that happened on hundreds of millions of machines without a clear consent prompt. Multiplied globally that is thousands of tonnes of additional carbon emissions from data transfer. And the model's presence means Google's AI infrastructure now lives permanently inside your browser whether you use it or not.
To remove it: go to chrome://flags, disable the entries for Optimization Guide On Device Model and Prompt API, restart Chrome, then manually delete the folder. Chrome may attempt to re-download it.
This is also the strongest argument yet for switching to a Firefox-based browser. LibreWolf does not ship with a 4GB AI model you did not ask for.
Source: https://www.techpowerup.com/348825/google-chrome-silently-downloads-4-gb-ai-model-on-your-pc-without-consent
https://9to5google.com/2026/05/06/google-chrome-4gb-storage-ai-details/

UK kids defeated the Online Safety Act with eyebrow pencils. The first major assessment is devastating:
The first independent assessment of the UK's Online Safety Act is out and contains a sentence that tells you everything: "I did catch my son using an eyebrow pencil to draw a moustache on his face, and it verified him as 15 years old." The child was 12.
This is the law that forced UK adults to submit government IDs and biometric facial scans to access ordinary websites, triggered a 1,800% spike in VPN downloads when it went live in July 2025, and pushed millions of users into handing biometric data to private third-party verification vendors. The assessment numbers are brutal: 46% of children say age checks are easy to bypass. Only 17% say they are difficult. 32% have already bypassed them in the past two months. 49% still report experiencing harm online in the past month.
The bypass methods children described to researchers include drawing facial hair with eyebrow pencil to fool facial age estimation, holding up a video game character's head during a face scan, submitting a video of a different person's face entirely, using a parent's ID with parental consent, and entering a fake birthday which still works on most platforms. A 12-year-old girl explained the TikTok live enforcement model: "They ban me for 10 minutes and then I can go live again."
The report's most uncomfortable finding is that 26% of parents are actively helping their children bypass the checks, deciding individually which circumvention is acceptable. A verification system that relies on parents as the final enforcement layer collapses the moment parents become the bypass vector. Reminder: The Discord vendor breach in October 2025 already exposed 70,000 government IDs uploaded purely for age verification.
A 16-year-old summarised it better than any policy paper: "I think it's a great idea in theory and I applaud its intentions, but I don't see how that's feasible, because kids will always find a way."
Source: https://www.internetmatters.org/hub/research/online-safety-act-report-2026/
https://www.washingtontimes.com/news/2026/may/7/uk-kids-skirt-online-age-verification-drawing-beards-using-pictures/

Meta's Ray-Ban smart glasses were recording video watched by workers in Kenya. Many users had no idea:
Meta has ended its contract with Sama, a Kenyan outsourcing company that employed workers to watch footage captured by Meta's Ray-Ban smart glasses as part of AI training. After losing the contract, Sama fired approximately 1,100 workers. Several of those workers reported losing their jobs after speaking out about the nature of the content they were required to review.
The content included people using the bathroom, individuals undressing, people having s*x, private conversations, and footage capturing bank card details. Users of the Ray-Ban glasses, which can record video discreetly and continuously, were largely unaware that their footage was being reviewed by human workers in another country as part of an AI training pipeline. A class-action lawsuit has been filed against Meta.

The pattern is familiar from every major AI product. The "private" framing around AI features of Big Tech providers consistently obscures the human review layer that sits behind them, the layer that was exposed with ChatGPT routing messages to the FBI, the layer that sits inside every AI product that claims to be private while using human contractors to review edge cases, improve accuracy and handle content moderation. The workers who watched the most intimate footage of Meta's users are now unemployed. Meta has not issued a detailed public statement on either the contract termination or the workers' accounts.
Source: https://www.bbc.com/news/articles/c5y7yvgy0w6o

u/officialexaking — 6 days ago
▲ 102 r/xprivo

Every time you drag a file into WeTransfer, Dropbox Transfer or Google Drive and hit share, the file travels to an American server where the provider can technically read it, scan it, flag it, hand it to law enforcement, or train AI models on it. WeTransfer's own privacy policy explicitly reserves the right to scan content for policy violations. Google Drive feeds Gemini. Dropbox has disclosed law enforcement data requests for years. None of this is a secret but most people simply do not think about it when sending a contract, a medical document or a client file. Before we look at the alternative: it's worth mentioning that I also already introduced you to LocalSend a few weeks ago which is another great alternative for sending files locally. It's a free, open-source, cross-platform file sharing tool. It's a great AirDrop alternative for any device in the local network.

Retyc is a French startup from Lyon, built by Emilien Mantel, that starts from the opposite assumption. Its tagline is "Hors de leur portée", out of their reach, and the architecture actually delivers on that. Files and their metadata are encrypted on your device before they leave it, using the AGE encryption standard, an open source, independently audited library, not proprietary in-house cryptography. By the time the data reaches Retyc's servers, it is already locked. Retyc itself cannot read what you sent, cannot hand the content to a third party and has explicitly committed to never integrating AI into the platform.

The zero-knowledge model goes further than most "secure" file transfer services. Many competitors encrypt files in transit and at rest, which sounds reassuring until you realise that the provider still holds the keys. Retyc's model ensures the provider never has the keys in the first place. Even the metadata, file names, sizes, sender and recipient details, is encrypted before upload.

The entire infrastructure is hosted in France, fully under EU jurisdiction and GDPR compliance is built into the architecture rather than bolted on as a checkbox.

The comparison that matters is not just against WeTransfer. It is against every file sharing tool that you or your organisation currently uses by default because it came bundled with something else. Google Drive sharing links, Outlook attachments previewed on Microsoft servers, Slack file uploads processed in US data centres. Every one of these is a tool that a US company has the technical and legal ability to access. Retyc's zero-knowledge model removes that ability entirely, which is especially relevant for anyone in a profession where client confidentiality is not optional.

It launched its public beta on March 24, 2026 and is still in early access, so treat it accordingly. Test it with non-critical files first, verify the full sender and recipient experience, and evaluate whether the current free tier limits work for your use case before integrating it into sensitive workflows. The architecture is solid and the approach is exactly what the European sovereign software stack needs at the file transfer layer.

u/Euhuntix — 11 days ago
▲ 6 r/xprivo

UK based and looking at alternatives to the traditional big tech offerings. I have researched Kagi extensively and wonder how XPrivo compares whether in features or pricing.

Kagi’s USP (to me) is straight to the point searches limited to 2 pages of results with no ads. What would you say the XPrivo USP on the productivity side is other than being EU based?

u/mauri3205 — 7 days ago
▲ 6 r/xprivo

Some feedback

Hi! I really see a lot of potential in the project that you guys have here. Some suggestions:

  1. Make the daily / monthly limits based on actual AI usage and not a static number of queries. It's fairer to the consumer. With the current system, consumers who have long context lengths and use the premium, expensive models like Gemini Pro are more advantageous. The difference between using DeepSeek v4 flash and Gemini 3 Pro reasoning cost-wise, is big. Also: you can push people to use small open‑source models. The current system is favoring the use of the beefiest models. Because small, open‑source models are cheaper, you can push people to use them. You can play around with different systems but IMO something that T3Chat has is really good (where they have 4 hour limits and monthly ones, it's pretty generous all in all.)
  2. Include more models, keep them updated. Probably 60 % of my LLM usage is Gemma 4 26B A2B and GPT 20B, 25 % DeepSeek v4 flash / pro, Kimi K2.6 and 15 % is Claude haiku, sonnet, Gemini flash, Pro. I try to prioritize small, open source models first and if that's not enough use the "stronger" ones. Having that flexibility and knowing the models will be updated as soon as new versions are available is really important for me.
  3. Since you guys are pushing EU independence from US companies so much, consider creating a Mastodon, at least I will be able to follow your blog, not a fan of Reddit.
  4. Consider a sort of feedback page where people can report bugs, ask for features, something similar to what Kagi does (https://kagifeedback.org/) or T3Chat (https://feedback.t3.chat/)

Smaller things:

  1. The PLUS+ button advertising your other service kinda takes away from this project and makes it a bit confusing. At first I thought it was a different plan, it's certainly positioned like that. But no, apparently it's a completely different service that does almost the same thing that you guys are doing? Huh?
  2. It's a bit weird that you put AI chat into the home page and the search into /search.

But yeah... I've used your search for a bit and it's pretty good. I do have a sub currently for T3Chat and have used Kagi when I had a free trial for 3 months. Both US based, of course, and they have their own problems like Kagi deciding to use Yandex's search index and funding Russia. But as far as the products themselves IMO they are the gold standard that I feel you guys should take inspiration from, they do a lot of things right.

I am always looking to switch to more private European services and avoid US products where possible and realistic, even if it means paying a bit more. So I will be looking to switch to you guys if you deliver.

Edit: Fixed formatting

u/Far-Web-4410 — 4 days ago
▲ 4 r/xprivo

Hi guys! I’m currently doing research for a TV report for German television. We’re looking at how people are increasingly having to verify their age online. Our argument is that verification isn’t a real solution, because there are often ways to bypass the mechanisms. And then, of course, there are the data protection concerns on top of that.

To explore this, we want to try bypassing various verification methods in an experiment. The most obvious one is, of course, a VPN. We’ll simply make NSFW content on X visible there. We’ll also try Roblox/Reddit with the face scan – i.e. filming the screen – but we’re assuming that won’t work. I haven’t managed to do it in my tests, and I assume it doesn’t work anymore. If you know of any other methods, please do let me know :)

But I’d love to find another method that actually works. Do you have any ideas? Which website has a verification mechanism we could bypass? It doesn’t necessarily have to be age verification. Another possibility, for example, would be to trick a verification check on a social network.

Ideally, it would be a verification process required in Germany. But I’d also be happy to hear about tricks from all over the world that we can then try out using a VPN.

I’m really, really grateful for any tips you can offer! Thank you! :)

u/FinancialJackfruit79 — 11 days ago