User Privacy

A January 2026 Citizen Lab report found Cellebrite equipment was used in at least seven cases to extract data from phones seized from activists and a journalist detained during pro-Palestinian protests in Jordan between late 2023 and mid-2025. None of the individuals consented to the searches. All four devices forensically analyzed showed Cellebrite product use in 2024-2025.

Crunchbase confirmed it was hacked in January 2026 after the cybercriminal group ShinyHunters published samples of stolen data. The company stated they detected a cybersecurity incident where a threat actor exfiltrated certain documents from their corporate network. Investigators linked the attack to a broader ShinyHunters campaign focused on voice phishing targeting Okta single sign-on credentials, with similar techniques tied to recent breaches at SoundCloud and Betterment.

A widespread malware campaign abused Google's Chrome Web Store for months, exposing private AI chatbot conversations and browsing data from roughly 900,000 users. The campaign involved two malicious browser extensions identified as 'ChatGPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI' and 'AI Sidebar with DeepSeek, ChatGPT, Claude.' The extensions remained available in the Chrome Web Store despite the security vulnerabilities.

In January 2026, reporting revealed that ICE was using a Palantir-built tool called ELITE that taps Medicaid data to identify and arrest people for deportation. The tool maps potential targets and provides 'confidence scores' for individuals' current addresses. A data-sharing agreement between ICE and the Centers for Medicare and Medicaid Services gave ICE access to personal data of nearly 80 million Medicaid patients. The Electronic Frontier Foundation challenged the use of healthcare data for immigration enforcement, arguing patients never consented to their health-related information being repurposed for deportation.

Since 2020, Coinbase has published annual transparency reports detailing government and law enforcement requests for customer information. The 2025 report (covering October 2024-September 2025) disclosed 12,716 requests, a 19% increase year-over-year, with approximately 53% from outside the United States. The reports provide customers with data about requests received and offer insight into global law enforcement and regulatory trends around the world.

The US Federal Communications Commission designated DJI as a national security threat and banned its communications equipment from use in the United States in December 2025.

In December 2025, families of Levi Maciejewski (13, Pennsylvania, died 2024) and Murray Downey (16, Scotland, died 2023) sued Meta alleging Instagram's design enabled sextortion schemes targeting teens. The lawsuit cited an internal 2022 audit that allegedly found Instagram's 'Accounts You May Follow' feature recommended 1.4 million potentially inappropriate adults to teenage users in a single day. Instagram's default public privacy settings for teens were not changed to private until 2024, despite Meta claiming the change was made in 2021.

In November 2025, Meta's board of directors settled a shareholder derivative lawsuit for $190 million. Shareholders alleged that board members failed to properly oversee compliance with a 2012 FTC consent decree on user privacy, and that they improperly agreed to the $5 billion 2019 FTC settlement specifically to shield Mark Zuckerberg from personal liability. The suit highlighted undisclosed conflicts of interest among board members, including allegations that Marc Andreessen provided Zuckerberg strategic advice during board negotiations over a stock restructuring.

Wales stated Wikipedia would not comply with UK Online Safety Act age verification requirements, saying 'We will not be identifying users under any circumstances. We will not be age-gating Wikipedia under any circumstances. So, if it comes to that, it's going to be an interesting showdown, because we're going to just refuse to do it.'

Anthropic reversed privacy stance, shifting from not using consumer conversations for training to opt-out model. Extended data retention to 5 years (from 30 days - 6,000% increase). Pop-up presented 'Accept' button prominently with opt-out toggle set to 'On' by default in smaller print. Mandatory deadline (Sept 28, later extended to Oct 8) forced immediate decisions.

In August 2025, Cloudflare published research finding Perplexity used undeclared 'stealth' web crawlers to bypass robots.txt files and web application firewalls across tens of thousands of domains and millions of requests daily. When blocked, Perplexity would obscure its crawling identity to circumvent website preferences. Cloudflare de-listed Perplexity as a verified bot. Perplexity accused Cloudflare of 'incompetence and publicity-seeking.'

The One Big Beautiful Bill Act, signed by President Trump on July 4, 2025, includes provisions that effectively grant Anduril Industries a monopoly on new autonomous surveillance towers for US Customs and Border Protection across both southern and northern borders. CBP confirmed to The Intercept that Anduril is now the country's only approved border tower vendor. Anduril's ASTs cover an estimated 30% of the US southern land border, using AI and computer vision to detect, identify, classify, and track people crossing the border. Civil liberties groups have raised concerns about the humanitarian impact of automated border surveillance.

Ireland's Data Protection Commission fined TikTok €530 million (€485M for data transfer violations, €45M for transparency failures) after finding TikTok transferred EEA user data to China without adequate safeguards. TikTok also admitted it had provided inaccurate information to the inquiry, revealing EU data had been stored on Chinese servers contrary to its own evidence. Third-largest GDPR fine ever and first EU data transfer fine involving China.

Founders Fund, co-founded by Palantir chairman Peter Thiel, has been a major investor in Palantir Technologies since its founding in 2003. Palantir built the ImmigrationOS platform for ICE, receiving a $30 million contract in 2025. The Electronic Frontier Foundation reported in January 2026 that ICE uses a Palantir tool that feeds on Medicaid and other government data to identify and track people for arrest. The American Immigration Council documented how the system enables mass surveillance of immigrant communities. Founders Fund's continued investment in and promotion of Palantir directly supports the expansion of government surveillance infrastructure.

The European Commission issued its first-ever Digital Markets Act fine, finding Meta's 'consent or pay' model violated DMA obligations to give consumers a choice of service using less personal data. Meta offered EU users of Facebook and Instagram only a binary choice between consenting to full data combination for personalized ads or paying a subscription. Internal documents revealed the model 'was never intended to comply' with the DMA, with Meta's own estimates predicting below 1% subscription uptake. The violation period ran from March to November 2024.

In April 2025, security researcher Jane Manchun Wong discovered an unreleased Waymo privacy policy page revealing plans to use interior camera data associated with rider identities for training generative AI models. The draft included opt-out language for riders. Waymo initially confirmed the feature was under development, but later denied using in-car footage for generative AI training, claiming the discovered text was inaccurate placeholder language. Each Waymo vehicle carries 29 external cameras, and the company's data retention policies for interior and exterior footage remain opaque.

Briskin v. Shopify class action lawsuit alleged the Shop app collected user personal data and shopping behavior without adequate consent, sharing it with third parties.

23andMe filed for Chapter 11 bankruptcy in March 2025, raising serious concerns about the fate of genetic data from 15 million customers. Multiple state attorneys general urged users to delete their data before a potential sale.

Reddit filed a lawsuit in California state court against Anthropic, alleging the AI company made over 100,000 unauthorized requests to Reddit's servers to collect user posts and comments without permission. The suit alleged Anthropic circumvented Reddit's robots.txt file and refused to engage in licensing negotiations, unlike Google and OpenAI which entered formal licensing agreements. The case raised questions about intellectual property rights and data protection for user-generated content.

In January 2025, a Delaware judge sanctioned Sandberg for allegedly deleting emails from a personal account despite being instructed to preserve them during 2018 shareholder lawsuit over Cambridge Analytica privacy scandal. Meta later settled the investor lawsuit for over $5 billion in FTC fines.