With demonstrations ramping up against the Trump administration, this week was all about protests. With President Donald Trump taking the historic step to deploy US Marines and the National Guard to Los Angeles, we dove into the “long-term dangers” of sending troops to LA, as well as what those troops are permitted to do while they’re there.
Of course, it’s not just the military getting involved in the LA protests against the heavy crackdowns by Immigration and Customs Enforcement (ICE). There’s also Customs and Border Protection (CBP), which further escalated federal involvement by flying Predator drones over LA. And there are local and state authorities, who’ve used “nonlethal” weapons and chemical agents like tear gas against protesters. Even Waymo’s self-driving taxis—some of which were set on fire during last weekend’s LA protests—could be used to investigate people who commit crimes during demonstrations thanks to their surveillance capabilities.
In addition to protests, the undocumented community is pushing back against ICE’s enforcement activities by turning social media platforms into DIY alert systems for ICE raids and other activities. And with thousands of protests scheduled to take place this weekend, we updated our guide to protecting your privacy—in addition to your physical safety—while demonstrating.
Even if you’re not an immigrant nor attending any protests, it’s possible your data is still getting shared with immigration authorities. In partnership with WIRED, 404 Media this week revealed that a data broker owned by major airlines sold domestic US flight data to CBP and instructed the agency to not reveal that it did so. 404 also detailed a bug that allowed a researcher to discover the phone numbers connected to any Google accounts. (The bug has since been fixed.) Finally, we dissected Apple’s AI strategy, which appears to bank more on privacy than on splashy features.
And that’s not all. Each week, we round up the privacy and security news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.
The Trump administration quietly ordered the transfer of Medicaid data belonging to undocumented individuals to deportation officials this week, according to the Associated Press, in a move legal experts warn is likely to erode public trust in the government’s handling of personal data and result in a chilling effect among undocumented people desperate for medical care.
The transfer, which was reportedly ordered by Health and Human Services secretary Robert F. Kennedy Jr.’s office and included names, addresses, immigration status, and health claims, pertains to millions of enrollees, many in states that pay for the coverage using their own funds, the AP reports. The transfer may also be illegal, violating the Social Security Act and other data-handling statutes. According to the AP, Medicaid officials warned the administration that they did not have legal authority to disclose the records and that doing so would carry legal and reputation risks that could lead states to begin refusing to share information with the federal government, impacting the agency’s operational functions.
California governor Gavin Newsom, whose state is occupied by undesired federal military forces and ICE agents conducting continuous sweeps across neighborhoods heavily populated by immigrants, condemned the act, calling it “potentially illegal.” An HHS official rejected the claim, saying the agency acted in full compliance with the law, while declining to clarify to reporters how the data would actually be used.
Move over, NSO Group. Two Italian journalists were hacked with spyware made by Israeli phone-focused surveillance firm Paragon, Citizen Lab revealed this week in a report based on forensic analyses of their phones. Two other Italians, both staffers at the immigrant rescue nonprofit Mediterranea Saving Humans, also had their phones compromised with the same malware. Paragon’s Graphite malware, like NSO’s Pegasus, infects phones with a zero-click technique that requires no interaction from the victim—in this case using a vulnerability in iPhones that was patched in iOS version 18.3 earlier this year. While Citizen Lab couldn’t determine the Paragon customer behind the intrusions, there’s reason to suspect the Italian government, given that an Italian parliamentary committee determined in a report earlier this month that two Italian intelligence agencies are Paragon customers.
In its latest salvo against the Russian air force, Ukraine’s HUR military intelligence agency said that it had hacked into the network of Tupolev, an aerospace company that manufactures and services Russia’s strategic bombers. According to the cybersecurity news outlet The Record, the Ukrainian state hackers claim to have stolen 4.4 gigabytes of data, including internal communications, meeting notes, personnel files, and purchase records. Specifically, HUR says it was targeting data about individuals involved in the servicing and maintenance of Russia’s bomber fleet, which has targeted Ukrainian cities. The hackers also defaced the homepage of Tupolev’s website to show an owl clutching a Russian aircraft. “There is nothing secret left in Tupolev’s activities for Ukrainian intelligence,” HUR said in a statement. “The result of the operation will be noticeable both on the ground and in the sky.” The move follows Ukraine’s unprecedented drone operation earlier this month that damaged or destroyed 41 Russian aircraft, including bombers and spy planes.
On Wednesday, a consortium of cops from Interpol and 26 countries announced a takedown, dubbed “Operation Secure,” of domains and other digital infrastructure linked to 69 infostealer malware variants. In recent years, malicious hackers have leaned more and more on information-stealing malware, or infostealers, that grab sensitive information like passwords, cookies, and search histories to make it easier for attackers to target specific organizations and individuals. Operation Secure ran from January to April this year, Interpol said, and involved takedowns of more than 20,000 malicious IP addresses or domains and seizure of 41 servers as well as more than 100 GB of data. A total of 32 people were also arrested in connection with the investigation in Vietnam, Sri Lanka, Nauru, and elsewhere. Interpol described the operation as a “regional initiative” organized by the Asia and South Pacific Joint Operations Against Cybercrime Project.
Meta sued Hong Kong–based Joy Timeline HK Limited for repeatedly advertising an app on Instagram called CrushAI that offers “nudify” deepfakes, using artificial intelligence to remove the clothes from anyone in a photo. Meta said in its announcement of the lawsuit that the company had repeatedly violated its terms of service for advertisers and that the move is part of a larger crackdown on similar deepfake apps pushed by “adversarial advertisers,” as it dubs the companies who violate its terms. “We’ll continue to take the necessary steps—which could include legal action—against those who abuse our platforms like this,” Meta wrote in a statement.
