HeadFlash

Privacy

NY's stealth crawler ban, Signal's encrypted spaces, HK data rules, and more

New York forces AI bots to identify themselves; Signal vets build encrypted collaboration; Hong Kong eyes ride-hailing data storage; plus Pokémon Go data, medical hacks, India EVM debate, Africa sovereignty.

New York Passes Bill Requiring AI Crawlers to Identify Themselves to News Sites

The New York State Assembly has passed the New York Stealth Crawler Prohibition Act, sending it to Governor Kathy Hochul for signature. The bill requires any web crawler accessing a covered news source to disclose its identity via a valid user-agent string and state the specific nature and purpose of its activities, including all potential uses of the content. Failure to comply makes the crawler a ‘stealth crawler’ and can result in civil penalties of up to $15,000 per day. The legislation defines covered news sources broadly, including digital publications with at least 1,000 monthly active users in New York that perform a public-information function and publish original content regularly. The New York Attorney General can bring enforcement actions without requiring proof of injury to any specific person, and journalism providers can also seek pre-litigation subpoenas to identify covert scrapers. The bill passed with near-unanimous margins, reflecting growing concern over AI agents that impersonate human browsers, with research showing 80% of AI agents do not properly declare themselves when visiting commercial sites.

New York passes bill forcing AI crawlers to identify themselves to news sites →

Signal Veterans Launch Encrypted Spaces to Bring End-to-End Encryption to Collaboration Apps

A team including the co-creator of the Signal protocol and contributors from Microsoft and Harvard has released Encrypted Spaces, an open-source infrastructure project aimed at bringing end-to-end encryption to collaborative platforms like Slack, Google Docs, and Discord. Currently in a ‘Research Preview’ phase, the software uses zero-knowledge proofs to allow a central server to keep users updated on document changes without ever seeing unencrypted data. The project is designed as a reusable platform for developers, not a suite of apps, with the goal of making encryption the default for any collaborative tool. It originated from work on Signal’s group chat feature. While existing encrypted alternatives like Proton and CryptPad offer similar functionality, Encrypted Spaces is unique in providing a standard cryptographic library that developers can integrate, reducing the complexity of building secure apps. The project is expected to reignite debates over encryption, as governments have historically pushed back against widespread use of end-to-end encryption, with Signal’s president recently stating the company would leave the UK rather than comply with measures undermining encryption.

Signal Veterans Want to Encrypt Slack, Google Docs, and Basically Every Other App →

Hong Kong to Explore Secure Storage of Ride-Hailing Data for National Security

Hong Kong transport authorities will ‘actively explore’ secure storage arrangements for ride-hailing data as part of new regulations set to take effect in August. Secretary for Transport and Logistics Mable Chan emphasized data safety and national security, though she did not confirm whether user data must be stored within Hong Kong. Deputy Secretary Kirk Yip Hoi-ying stated that licensing clauses will require ride-hailing platforms to use personal data only for providing services and obtain client approval, with strict adherence to privacy regulations. Lawmakers raised concerns that travel patterns of politicians and their families could pose national security risks if data is stored overseas. The government has proposed a cap of 10,000 vehicles under the new licensing regime, a figure that Uber says covers only one-third of its active drivers in Hong Kong. The regulation aims to close a decade-long regulatory gap for platforms like Uber, Tada, DiDi, and Amap.

Hong Kong eyes secure storage of ride-hailing data for national security →

African Leaders Warn Against ‘Digital Berlin Conference’, Call for Data Sovereignty

University leaders Letlhokwa Mpedi and Thebe Ikalafeng published an opinion piece arguing that Africa must build data sovereignty and cultural protection now to avoid a 21st-century ‘Digital Berlin Conference’. They draw parallels between historical colonial extraction and AI systems that train on African cultural output without attribution or compensation, citing examples such as Amapiano taught by Korean instructors, MaXhosa knitwear replicated by AI generators, and Maasai fabric patterns produced in China. The authors note that Africa accounts for only 1.5% of the global creative economy despite producing culturally dominant content like Nollywood and Afrobeats. They call for AI equivalents of geographical indication protections and a joint position under the African Continental Free Trade Agreement to set requirements for AI training data. They also highlight that only about 26 of Africa’s 2,000 languages perform reliably in GPT-4, arguing that language is cognition and AI must be built to serve African epistemologies.

Africa Must Build Data Sovereignty and Cultural Protection Now to Avoid a ‘Digital Berlin Conference’, Say UJ and Sol Plaatje University Leaders →

Cryptographer Details Theoretical Vulnerabilities in India’s EVM System

Professor Mridul Nandi of the Indian Statistical Institute presented a seminar on the transparency of India’s Electronic Voting Machines, outlining theoretical methods by which the algorithm embedded in the Control Unit could be manipulated to transfer votes from one candidate to another. He explained that because the Candidate key sequence is unknown at the time the algorithm is burned into the hardware, the machine could be programmed to respond to a numeric code sent from the VVPAT via the Symbol Loading Unit to reassign votes. Nandi also described a method where a specific pattern of key presses triggers dishonest behavior. He proposed publishing a hash value of the data stored in the Control Unit at the end of polling on the Election Commission’s website to detect tampering between polling and counting. Nandi calculated that with only five VVPAT audits per Assembly segment, a small number of manipulated machines have a 90% chance of going undetected, potentially allowing thousands of votes to be stolen. The Election Commission has not disclosed the source code driving the machines.

The transparency question at the heart of the EVM debate →
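The audit arithmetic behind the 90% figure can be reproduced with a hypergeometric calculation. This is an added example, not taken from the seminar or the linked article: the page gives only the five audits per Assembly segment and the 90% miss rate, so the 250-machine segment size and all function names below are assumptions chosen for illustration.

```python
from math import comb

# ASSUMPTION: constructed segment size; the page does not state how many
# machines an Assembly segment contains.
ASSUMED_MACHINES_PER_SEGMENT = 250
AUDITS_PER_SEGMENT = 5  # figure stated in the article


def miss_probability(total: int, manipulated: int, audited: int = AUDITS_PER_SEGMENT) -> float:
    """Chance that a random audit sample contains no manipulated machine.

    Sampling is without replacement, so this is the hypergeometric
    probability of drawing zero "bad" machines.
    """
    if not 0 <= manipulated <= total or not 0 <= audited <= total:
        raise ValueError("manipulated and audited must lie between 0 and total")
    clean = total - manipulated
    # comb() returns 0 when the sample is larger than the clean pool.
    return comb(clean, audited) / comb(total, audited)


def max_hidden_machines(total: int, audited: int = AUDITS_PER_SEGMENT,
                        miss_target: float = 0.90) -> int:
    """Largest count of manipulated machines still missed with probability >= miss_target."""
    hidden = 0
    while hidden < total and miss_probability(total, hidden + 1, audited) >= miss_target:
        hidden += 1
    return hidden


def audits_needed(total: int, manipulated: int, detect_target: float = 0.95) -> int:
    """Smallest sample size that catches at least one manipulated machine
    with probability >= detect_target."""
    for sample in range(total + 1):
        if 1 - miss_probability(total, manipulated, sample) >= detect_target:
            return sample
    return total


if __name__ == "__main__":
    n = ASSUMED_MACHINES_PER_SEGMENT
    print(f"miss probability, 5 bad of {n}: {miss_probability(n, 5):.3f}")
    print(f"machines hidden at >=90% miss rate: {max_hidden_machines(n)}")
    print(f"audits for 95% detection of 5 bad: {audits_needed(n, 5)}")
```

Under the assumed segment size, five manipulated machines escape a five-machine audit about nine times in ten, and raising detection to 95% requires auditing well over a third of the segment.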

Pokémon Go Scans Used to Train AI Now Linked to Military Drone Navigation

Volunteer AR scans from Pokémon Go players were used to train Niantic’s spatial AI models, which are now being combined with software from US defense contractor Vantor for GPS-free military drone navigation. A 2021 update to Pokémon Go added in-game incentives for players to scan real-world locations, generating billions of mapping data points. Niantic spun off its geospatial business into Niantic Spatial, which partnered with Vantor in December 2025 to integrate its Visual Positioning System with Vantor’s Raptor software. The system allows drones, vehicles, and AR headsets to locate themselves using cameras when satellite signals are unavailable, with early tests showing accuracy of about 1.5 meters and error reduction of up to 70%. Both companies stated that the Pokémon Go scans were used to train foundation models and were not handed directly to Vantor. In February 2026, Vantor received a US Army contract worth up to $217 million for terrain data. The development raises privacy concerns about gaming data being repurposed for military applications, though Niantic emphasized that scans were voluntary and covered by privacy policies.

Pokémon Go data helped train AI now linked to military drones →

Chinese Hackers Breach REDCap Servers, Steal Medical Research Over Year-Long Campaign

Google Threat Intelligence Group disclosed a China-linked espionage campaign that targeted exposed REDCap servers to deploy custom InfiniteRed malware and steal sensitive medical research from a North American institution. The threat actor, tracked as UNC6508, remained undetected for over a year from September 2023 to November 2025. The malware consists of a persistence/update module, a credential harvester capturing usernames and passwords from REDCap login pages, and a backdoor capable of executing shell commands, uploading/downloading files, running SQL queries, and retrieving stolen credentials. A notable technique was the use of legitimate content compliance rules in cloud-based productivity tools to exfiltrate data via email, with keywords targeting medical research, advanced technology, military topics, and geo-strategic policy. Google notified multiple compromised organizations in the US and Canada. REDCap is widely used in medical and scientific research to manage databases and surveys. The attackers used US-based residential proxies and compromised routers for operational security.

Chinese hackers breach REDCap servers, steal medical research →