Law enforcement has more tools than ever to track your movements and access your communications. Here’s how to protect your privacy if you plan to protest.

A major groundswell of nationwide protests against the second Trump administration has arrived.

If you're going to join any protests, as is your right under the First Amendment, you need to think beyond your physical well-being to your digital security, too. The same surveillance apparatus that’s enabling the Trump administration’s raids of undocumented people and targeting of left-leaning activists will no doubt be out in full force on the streets.

Two key elements of digital surveillance should be top of mind for protestors. One is the data that authorities could potentially obtain from your phone if you are detained, arrested, or they confiscate your device. The other is surveillance of all the identifying and revealing information that you produce when you attend a protest, which can include wireless interception of text messages and more, and tracking tools like license plate scanners and face recognition. You should be mindful of both.

After all, police have already demonstrated their willingness to arrest and attack entirely peaceful protesters as well as journalists observing demonstrations. In that light, you should assume that any digital evidence that you were at or near a protest could be used against you.

“The Trump administration is weaponizing essentially every lever of government to shut down, suppress, and curtail criticism of the administration and of the US government generally, and there have never been more surveillance toys available to law enforcement and to US government agencies,” says Evan Greer, the deputy director of the activist organization Fight for the Future, who also wrote a helpful X (then-Twitter) thread laying out digital security advice during the Black Lives Matter protests in the summer of 2020. “That said, there are a number of very simple, concrete things that you can do that make it exponentially more difficult for someone to intercept your communications, for a bad actor to ascertain your real-time location, or for the government to gain access to your private information.”

_This story was originally published on May 31, 2020 and updated on June 12, 2025._

**Your Phone**

The most important decision to make before leaving home for a protest is whether to bring your phone—or what phone to bring. A smartphone broadcasts all sorts of identifying information; law enforcement can force your mobile carrier to cough up data about what cell towers your phone connects to and when. Police in the US have also been documented using so-called stingray devices, or IMSI catchers, that impersonate cell towers and trick all the phones in a certain area into connecting to them. This can give cops the individual mobile subscriber identity number of everyone at a protest at a given time, undermining the anonymity of entire crowds en masse.

“The device in your pocket is definitely going to give off information that could be used to identify you,” says Harlo Holmes, director of digital security at the Freedom of the Press Foundation, a nonprofit press advocacy group. (Disclosure: WIRED’s global editorial director, Katie Drummond, serves on Freedom of the Press Foundation’s board.)

For that reason, Holmes suggests that protesters who want anonymity leave their primary phone at home altogether. If you do need a phone for coordination or as a way to call friends or a lawyer in case of an emergency, keep it off as much as possible to reduce the chances that it connects to a rogue cell tower or Wi-Fi hot spot being used by law enforcement for surveillance. Sort out logistics with friends in advance so you only need to turn your phone on if something goes awry. Or to be even more certain that your phone won’t be tracked, keep it in a Faraday bag that blocks all of its radio communications. Open the bag only when necessary. Holmes herself uses and recommends the Mission Darkness Faraday bag.

If you do need a mobile device, consider bringing only a secondary phone you don’t use often, or a burner. Your main smartphone likely has the majority of your digital accounts and data on it, all of which law enforcement could conceivably access if they confiscate your phone. But don’t assume that any backup phone you buy will grant you anonymity. If you give a prepaid carrier your identifying details, after all, your “burner” phone could be no more anonymous than your primary device. “Don’t expect because you got it from Duane Reade that you’re automatically a character from _The Wire_,” Holmes cautions.

Instead of a burner phone, Holmes argues that it may be far more practical to simply own a secondary phone that you’ve set up to be less sensitive—leaving off accounts and apps that offer your most private information to anyone who seizes it, such as social media, email, and messaging apps. “Choosing a secondary device that limits the amount of personal data that you have on you at all times is probably your best protection,” Holmes says.

Regardless of what phone you’re using, consider that traditional calls and text messages are vulnerable to surveillance. That means you need to use end-to-end encryption. Ideally, you and those you communicate with should use disappearing messages set to self-delete after a few hours or days. The encrypted messaging and calling app Signal has perhaps the best and longest track record. Just make sure you and the people you’re communicating with are using the same app, since they’re not interoperable.

Aside from protecting your phone’s communications from surveillance, be prepared in the event police seize your device and try to unlock it in search of incriminating evidence. The first order of business is to make sure your smartphone’s contents are encrypted. iOS devices have full disk encryption on by default if you enable an access lock. For Android phones, go to **Settings**, then **Security** to make sure the **Encrypt Disk** option is turned on. (These steps may differ depending on your specific device.)

Regardless of your operating system, always protect devices with a long, strong passcode rather than a fingerprint or face unlock. As convenient as biometric unlocking methods are, it may be more difficult to resist an officer forcing your thumb onto your phone’s sensor, for instance, than to refuse to tell them a passcode. So if you use biometrics day-to-day for convenience, disable them before heading into a protest.

If you insist on using biometric unlocking methods to have faster access to your devices, keep in mind that some phones have an emergency function to disable these types of locks. Hold the wake button and one of the volume buttons simultaneously on an iPhone, for instance, and it will lock itself and require a passcode to unlock rather than FaceID or TouchID, even if they’re enabled. Most devices also let you take photos or record video without unlocking them first, a good way to keep your phone locked as much as possible.

**Your Face**

Face recognition has become one of the most powerful tools to identify your presence at a protest. Consider wearing a face mask and sunglasses to make it far more difficult for you to be identified by face recognition in surveillance footage or social media photos or videos of the protest. Fight for the Future’s Greer cautions, however, that the accuracy of the most effective face recognition tools available to law enforcement remains something of an unknown, and a simple surgical mask or KN95 may no longer be enough to defeat well-honed face-tracking tech.

If you’re serious about not being identified, she says, a full-face mask may be far safer—or even a Halloween-style one. “I've seen people wear funny cosplay-style cartoon masks or mascot suits or silly costumes,” says Greer, offering as an example Donald Trump and Elon Musk masks that she’s seen protesters wear at Tesla Takedown protests against Musk and the so-called Department of Government Efficiency (DOGE). “That's a great way to defy facial recognition and also make the protest more fun.”

You should also consider the clothes you’re wearing before you head out. Colorful clothing or prominent logos makes you more recognizable to law enforcement and easier to track. If you have tattoos that make you identifiable, consider covering them.

Greer cautions, though, that preventing determined surveillance-empowered agencies from learning the mere fact that you attended a protest at all is increasingly difficult. For those of you in the most sensitive positions—such as undocumented immigrants at risk of deportation—she suggests that you consider staying home rather than depend on any obfuscation technique to mask their presence at an event.

If you’re driving a car to a protest—your own or someone else’s—consider that automatic license plate readers can easily identify the vehicle’s movements. And, in addition to license plates, be aware that these same sensors can also detect other words and phrases, including those on bumper stickers, signs, and even T-shirts.

More broadly, everyone who attends a protest needs to consider—perhaps more than ever before—what their tolerance for risk might be, from mere identification to the possibility of arrest or detention. “I think it's important to say that protesting in the US now comes with higher risks than it used to—it comes with a real possibility of physical violence and mass arrest,” says Danacea Vo, the founder of Cyberlixir, a cybersecurity provider for nonprofits and vulnerable communities. “Even just compared to protests that happened last month, people were able to just show up barefaced and march. Now things have changed.”

**Your Online Footprint**

Though most privacy and security considerations for attending an in-person protest naturally relate to your body, any devices you bring with you, and your physical surroundings, there are a set of other factors to think about online. It’s important to understand how posts on social media and other platforms before, during, or after a protest could be collected and used by authorities to identify and track you or others. Simply saying on an online platform that you are attending or attended a protest puts the information out there. And if you take photos or videos during a protest, that content could be used to expand law enforcement’s view of who attended a protest and what they did while there, including any strangers who appear in your images or footage.

Authorities can come to your online presence by looking for information about you in particular, but can also arrive there using bulk data analysis tools like Dataminr that offer law enforcement and other customers real-time monitoring connecting people to their online activity. Such tools can also surface past posts, and if you’ve ever made violent comments online or alluded to committing crimes—even as a joke—law enforcement could discover the activity and use it against you if you are questioned or arrested during a protest. This is a particular concern for people living in the US on visas or those whose immigration status is tenuous. The US State Department has said explicitly that it is monitoring immigrants’ and travelers’ social media activity.

In addition to written posts, keep in mind that files you upload to social media might contain metadata like time stamps and location information that could help authorities track protest crowds and movement. Make sure you have permission to photograph or videotape any fellow protesters who would be potentially identifiable in your content. Also think carefully before livestreaming. It’s important to document what’s going on but difficult to be sure that everyone who could show up in your stream is comfortable being included.

Even if you take photos and videos that you don’t plan to post on social media or otherwise share, remember that this media could fall into law enforcement’s hands if they demand access to your device.

With federal crackdowns on protests ramping up around the country, Cyberlixir’s Vo says that people must assess each situation and weigh the benefits of maintaining personal privacy versus chronicling the reality of what’s happening at protests.

“Social media monitoring and online profiling is the factor that lots of people forget. Those who publish footage on social media should avoid sharing photos or videos that reveal people's faces,” she says. “But I also believe that documenting what’s going on is essential, especially in high-risk conditions, because when the state escalates we need proof for legal defense, for public record, for future organizing, and also to keep ourselves physically safe in real time.”

As protests continue—with the real possibility of even further escalated response from the Trump administration—be prepared for the emergence of forms of digital surveillance that have never been used in the US before to counter civil disobedience or to retaliate against protesters after the fact. Protesters will need to stay vigilant, and Fight for the Future’s Greer emphasizes that everyone has different potential vulnerabilities and tolerance for risk. For people of every category of risk, however, a few thoughtful privacy protections can go a long way towards empowering them to hit the streets.

“Part of the goal of governments extending and implementing mass surveillance programs is to scare people and make people think twice before they speak up,” Greer says. “I think that we should be very careful in this moment not to fall into that trap.”

How to Protest Safely in the Age of Surveillance

The undocumented migrant community in the United States is using social networks and other digital platforms to send alerts about raids and the presence of immigration agents around the US.

The Coalition for Humane Immigrant Rights of Los Angeles (Chirla) estimates that in recent days, around 300 migrants have been detained in California as part of raids carried out by Immigration and Customs Enforcement (ICE), in compliance with an order issued by the Trump administration.

This figure is based on collaborative reports compiled by the Rapid Response Network, an alliance comprised of dozens of organizations that provide support to migrants and disseminate information about immigration detentions and operations.

Angelica Salas, director of Chirla, described the raids as a phenomenon “never seen before” in the three decades she has been defending migrant communities, according to statements reported by The Los Angeles Times.

Jorge Mario Cabrera, spokesman for the same organization, told the EFE news agency that most of the detainees are not criminals, “as the US government has tried to portray them.” He indicated that most of those arrested are workers from Los Angeles, although arrests have also been documented in other parts of the state.

In the midst of intense protests against Trump's immigration policies, these operations are expected to continue in Los Angeles for at least 30 days, according to US representative Nanette Barragan, citing data provided by the White House. Likewise, an escalation of these actions is anticipated nationwide, after the administration announced its goal of making up to 3,000 arrests per day.

Several migrant-rights organizations have warned about possible violations of due process of people targeted by ICE. They have denounced ICE for restricting access to detainees on multiple occasions, which could limit their right to adequate legal representation.

**Watching ICE**

This situation has generated concern among the undocumented population, most of whom are of Hispanic origin, which has intensified the use of social networks to alert people about the presence of immigration agents in different regions of the US.

In a search conducted by the WIRED en Español team, several groups and pages were identified on digital platforms dedicated to receiving, verifying, and disseminating reports about ICE checkpoints, patrols, and raids. The origin of these profiles is diverse: Some are managed by well-known nongovernmental organizations and activist collectives, while others were created by private members of the migrant community.

The family of a man apprehended by ICE agents demands that the victim be returned.

Genaro Molina/Los Angeles Times via Getty Images

Alerts about operations are disseminated through direct messages, WhatsApp, or posts on each page's feed. In turn, it is possible to anonymously report the presence of immigration agents through private text messages or calls to specific phone numbers.

In general, users are asked for basic data such as time, date, city, state, and exact location of the operation, as well as photographs or videos when it is possible to document them. In addition to issuing real-time alerts, many of these pages offer free legal guidance, not only on migration issues, but also on labor rights, access to health, education, and other key services.

Some of the networks active in this work include:

Union del Barrio California

This grassroots pro-immigrant organization maintains an active presence on Facebook. It conducts community patrols to detect ICE movement, shares urgent alerts, and organizes workshops on legal rights.

Chirla

With constant activity on Facebook and other platforms, Chirla publishes notifications about raids, provides legal advice, and calls for citizen mobilizations in the face of new raids.

Stop ICE Raids Alert Network

This network distributes emergency alerts and offers assistance to people affected by ICE raids. In addition to its social network accounts, it has a web page that allows people to receive geolocalized notifications in real time.

Siembra NC

This organization operates primarily in North Carolina. Through its Facebook page, it promotes a whistleblower hotline (336-543-0353). Although its focus is on Alamance, Durham, Forsyth, Guilford, Orange, Wake, Randolph, and Rockingham counties, it has a statewide presence across North Carolina.

RadarSafe

This project uses the Common Alerting Protocol (CAP), a system for sending out digital emergency alerts, to provide secure information on immigration stops and operations. It also publishes community-submitted reports and verifies information with support from local residents.

Inmigración y Visas

Focused on immigration issues, this portal offers a WhatsApp channel where users can report raids, exchange experiences, and receive advice. It also shares informative content on its Facebook page and website.

SignalSafe

Adding to this assistance network is SignalSafe, an application created by a team of anonymous developers that provides real-time alerts on ICE activity. Through collaborative reporting, the app maps sightings of federal agents and unidentified vehicles, allowing migrants to avoid potential checkpoints.

Since Trump's return to the presidency, SignalSafe has gained widespread popularity. The tool allows the integration of various filters based on the user's location, type of activity by immigration authorities, and time range.

This platform is fed by citizen reports, which are verified by a group of specialized moderators. The system is bilingual, with support for Spanish and English, and has advanced security protocols to help protect user privacy.

**Key Access**

Given the growing number of raids in the United States and the lack of certainty about the safety of those detained in these operations, examples such as the above show that some sectors of the citizenry seem to have taken an active role in digital spaces against the implementation of immigration policies.

In this context, the widespread use of social networks among the migrant community has turned these platforms into key tools within the resistance movement. According to data from the International Organization for Migration, by 2023, 64 percent of migrants in transit through Central America, Mexico, and the Dominican Republic—mostly bound for the United States—had access to a smartphone and internet connection during their journey. Of these, 47 percent of men and 35 percent of women used these devices to access social networks.

_This story was originally published on_ WIRED _en Español_ _and has been translated from Spanish._

Social Media Is Now a DIY Alert System for ICE Raids

Waymo driverless taxis capture troves of video footage in order to operate, but the company reveals very little about how much data is stored—and for how long.

Thousands of people across the United States poured into the streets this week to protest the Trump administration’s immigration policies, joining a nationwide wave of resistance that began in Los Angeles. One of the most widely shared images from the city, where federal authorities have sent almost 5,000 active-duty Marines and National Guard members, is of five Waymo robotaxis that were vandalized and set on fire. The incident has become one of the most recognizable symbols of the demonstrations so far, and prompted Waymo to temporarily shut off service in several parts of the city as well as parts of San Francisco on Monday.

The charred Waymo cars have also raised fresh questions about what kinds of technology authorities can use to surveil protesters and potentially collect evidence to make arrests. According to Waymo’s website, its latest driverless cars have 29 external cameras, providing “a simultaneous 360° view around the vehicle,” as well as an unknown number of internal ones.

Over the past several years, Waymo has repeatedly shared video footage with police after receiving formal legal requests. But it’s not clear how often the self-driving company, which is owned by Google’s parent organization Alphabet, complies with these demands. Unlike Google, Waymo doesn’t disclose the number of legal requests it receives nor how it responds to them. When police do obtain footage, they could also combine it with other technology—like face recognition or nonbiometric tools for finding and tracking people in videoclips—to identify possible criminal suspects.

Waymo spokesperson Sandy Karp tells WIRED that the company's general policy is to challenge data requests that are overly broad or lack sound legal basis, but it doesn’t disclose or comment on specific cases. Karp pointed to Waymo’s privacy policy, which acknowledges that the company may share user data to comply with laws and governmental requests. A separate support page for Waymo One, the dedicated app for its robotaxi service, notes that the company “may share certain data with law enforcement as needed to comply with legal requirements, enforce agreements, and protect the safety of you and others.”

It’s not clear how much, if any, of the video footage potentially captured by the burned Waymos in Los Angeles may have been destroyed along with the cars. Waymo doesn’t specify whether the data collected by its robotaxis is stored locally in the vehicle itself or externally in the cloud. The company previously told The Washington Post that “interior camera data” isn’t stored alongside the data from external cameras.

If any footage does still exist from the destroyed vehicles, Waymo doesn’t disclose how long it may remain available. Waymo’s website and privacy policy do not specify how long the company retains camera footage captured inside or outside its vehicles. For years, self-driving companies like Waymo retained large amounts of information collected by their cars for training purposes and to optimize the underlying technology. The company has generally been trending more recently toward deleting data sooner, WIRED previously reported, though it’s unclear whether some types may be stored longer than others.

Waymo declined to answer questions from WIRED about how many cameras are inside its vehicles, exactly how long footage is retained, and whether the company has ever turned over footage to US federal law enforcement or a branch of the military. Karp did note, however, that the company’s engineering team sometimes uses information from sensors, including video footage and other data, to run simulations aimed at improving its technology. She says Waymo also puts limits on both who can access data and how long it’s retained.

Waymo’s robotaxi service is currently available in the Phoenix metro area and parts of San Francisco, Los Angeles, and Austin, Texas. In the company’s relatively short time operating in US cities, it has shown a willingness to comply with requests for footage from law enforcement.

Officers working for the Mesa Police Department and the Chandler Police Department in Arizona have been requesting and using footage from Waymos for criminal investigations since 2016, or about as long as the vehicles have been in their towns, according to reporting from Phoenix’s ABC 15. Police told the news outlet in 2022 that they have used the footage for several cases, including an alleged road rage incident. (The individual pleaded guilty after being charged with disorderly conduct.)

In May 2022, two months after Waymo began limited robotaxi operations in San Francisco, Vice reported that a training document for San Francisco police explicitly told officers that “autonomous vehicles” have footage that could sometimes “help with investigative leads.”

As of 2023, Waymo had been issued at least nine search warrants in San Francisco and Arizona’s Maricopa County, its primary markets at the time, according to reporting from Bloomberg. One of the cases involved the murder of an Uber driver in 2021. While San Francisco police said they couldn’t identify a specific Waymo vehicle that was near the crime scene, an officer argued that there was “probable cause” that Waymo vehicles were “driving around the area” and had footage of the victim, possible suspects, and the crime scene, according to a search warrant viewed by Bloomberg. Waymo complied and provided footage, but it ultimately did not lead to the arrest of the suspect, who was convicted of the murder in 2023.

Last year, WIRED reported that Waymo had sued two individuals for allegedly vandalizing its vehicles in San Francisco and had camera footage from the cars of the alleged incidents. (One of the cases is ongoing; the other was dismissed last month.)

Waymo’s video-recording and data-collection practices aren’t unique. All vehicles with self-driving capabilities rely on a combination of lidar, radar, and video data in order to operate. Cruise, the now defunct self-driving-car venture run by General Motors, also reportedly gave camera footage to law enforcement upon request.

Private owners of camera-equipped vehicles can also voluntarily turn over camera footage to law enforcement. For example, police in Berkeley, California, have received at least two sets of footage from the owner of a Tesla Cybertruck who said their car was vandalized twice this year, according to documents obtained by WIRED via public record request.

_Additional reporting by Paresh Dave._

How Waymo Handles Footage From Events Like the LA Immigration Protests

Many new Apple Intelligence features happen on your device rather than in the cloud. While it may not be flashy, the privacy-centric approach could be a competitive advantage.

As Apple’s Worldwide Developers Conference keynote concluded on Monday, market watchers couldn't help but notice that the company's stock price was down, perhaps a reaction to Apple's relatively low-key approach to incorporating AI compared to most of its competitors. Still, Apple Intelligence–based features and upgrades were plentiful, and while some are powered using the company's privacy- and security-focused cloud platform known as Private Cloud Compute, many run locally on Apple Intelligence–enabled devices.

Apple’s new Messages screening feature automatically moves texts from phone numbers and accounts you’ve never interacted with before to an “Unknown Sender” folder. The feature automatically detects time-sensitive messages like login codes or food delivery updates and will still deliver them to your main inbox, but it also scans for messages that seem to be scams and puts them in a separate spam folder. All of this sorting is done locally using Apple Intelligence. Similarly, the expanded Call Screening feature will automatically and locally pick up untrusted phone calls, ask for details about the caller, and transcribe the answers so you can decide whether you want to pick up the call. Even Live Translation adds real-time language translation to calls and messaging using local processing.

From a privacy perspective, local processing is the gold standard for AI features. Data never leaves your device, meaning there's no risk that it could end up somewhere unintended as a result of a journey through the cloud. And new features like spam and “Unknown Sender” sorting for Messages, call screening for untrusted phone numbers, and Live Translation tools all seemed to be designed with a strategy of using privacy as a differentiator in an already crowded AI field.

In addition to being privacy-friendly, local processing has other benefits like allowing AI-based services to be available offline and speeding up certain tasks, since data doesn’t have to be sent to the cloud, processed, and then sent back to a device. If AI features are going to be widely available and accessible, though, most companies are constrained by attempting to factor in the old, low-end devices that many of their customers are likely using that may not be able to handle local AI. Apple has less need to be inclusive, though, because it produces both hardware and software and has already imposed limitations that Apple Intelligence can only run on recent device models.

There are other limitations to Apple Intelligence, too, and the company offers opt-in integrations with some third-party generative AI services to expand functionality. For OpenAI’s ChatGPT, for example, users must turn the integration on, and Apple services will then prompt the user to confirm each time they go to submit a ChatGPT query. Additionally, users can elect to log in to a ChatGPT account, in which case their queries will be subject to OpenAI’s normal policies, or they can use ChatGPT without logging in. In this scenario, Apple says, it does not connect an Apple ID or other identifier to queries and obfuscates users‘ IP addresses.

Apple invested extensively to develop Private Cloud Compute to maintain strong security and privacy guarantees for AI processing in the cloud. Other companies have even begun to create similar secure AI cloud schemes for products and services that specifically center privacy as a crucial feature. But the fact that Apple still deploys local processing for new features when possible may indicate that privacy isn't just an intellectual priority in the company's approach to AI. It may be a business strategy.

Apple Intelligence Is Gambling on Privacy as a Killer Feature

President Trump’s deployment of more than 700 Marines to Los Angeles—following ICE raids and mass protests—has ignited a fierce national debate over state sovereignty and civil-military boundaries.

As hundreds of United States Marines deploy in Los Angeles under presidential orders to protect federal property amid growing protests over immigration enforcement, constitutional scholars and civil rights attorneys warn of long-term implications for American democracy and civil-military relations.

President Donald Trump revealed Monday that he had ordered the deployment of more than 700 activity-duty Marines out of Camp Pendleton—an extraordinary use of military force in response to civil unrest. The move, widely condemned by his critics, follows Trump’s federalization of the National Guard. Some 3,800 guardsmen have since been deployed in California against the objections of its government, spurring debate among legal observers over the limits of the president’s power to send troops into American streets.

Trump ordered the deployments in response to thousands of Angelenos who took to the streets on Friday in protests. LA residents responded after Immigration and Customs Enforcement (ICE) agents carried out sweeping raids of local businesses, arresting, among others, dozens of day laborers who were vying for work outside a local Home Depot. Larger demonstrations soon formed and remained largely peaceful until residents were engaged by police with riot shields and crowd control weapons. Over the weekend, the clashes between police and protesters escalated across many neighborhoods with large immigrant populations. Numerous buildings were vandalized with anti-ICE messages, and several Waymo autonomous vehicles were set ablaze.

Videos captured by protest attendees show police firing upon demonstrators with rubber bullets and other crowd control agents, including waves of asphyxiating CS gas. Members of the press shared images online showing injuries they incurred from the police assault. In widely shared footage, a law enforcement officer appears to intentionally target an Australian reporter, Lauren Tomasi, shooting her from feet away with a rubber bullet as she delivers a monologue into a camera. On Monday, CNN correspondent Jason Carroll was arrested live on air.

California governor Gavin Newsom condemned Trump’s troop deployment in posts on social media, calling the president’s actions an “unmistakable step toward authoritarianism.” His attorney general, Rob Bonta, has filed a lawsuit in federal court claiming the order violated the state’s sovereignty, infringing on Newsom’s authority as the California National Guard’s commander in chief.

In response to a request for comment, the Department of Defense referred WIRED to a US Northern Command press release detailing the deployment of Marines and National Guardsmen.

Federal troops in the United States are ordinarily barred from participating in civilian law enforcement activities. This rule, known as “posse comitatus,” may be suspended, however, by a sitting president in cases of civil unrest or outright rebellion. This exception—permitted under the Insurrection Act—allows the president to deploy troops when circumstances make it “impracticable” for state authorities to enforce federal law by “ordinary” means.

While these powers are most often invoked at the request of a state government, the president may also invoke the act when a state chooses to ignore the constitutional rights of its inhabitants—as happened multiple times in the mid-20th century, when southern states refused to desegregate schools after the Supreme Court’s landmark _Brown v. Board of Education_ decision.

President Trump, however, has so far not invoked the Insurrection Act, relying instead on a theory of “inherent authority” advanced by the US Justice Department in 1971 during the height of the anti–Vietnam War protests. This interpretation of presidential power finds that troops may be deployed in an effort to “protect federal property and functions.” Notably—unlike the Insurrection Act—this does not permit troops to engage in activities that are generally the purview of civilian law enforcement agencies.

Trump also invoked statutory power granted to him by Congress under Title 10 of the US Code, which enabled him to federalize elements of California’s National Guard. These activations typically occur when guardsmen are needed to support overseas military operations, as happened routinely this century during the wars in Iraq and Afghanistan. Domestically, however, guardsmen are not usually federalized without the agreement of a state’s governor—unless the Insurrection Act has been invoked.

Legal experts interviewed by WIRED offered a range of opinions on the president’s authority to deploy active-duty military troops or federalize the National Guard. While most believe it is likely within Trump’s power to ignore Newsom’s express objections, doing so without an invocation of the Insurrection Act, they say, is a decision fraught with legal complexities that carries serious implications, from altering—perhaps permanently—the fundamental relationship between Americans, states, and the federal government, to disturbing the delicate balance between civilian governance and military power.

Liza Goitein, senior director of the Brennan Center's Liberty and National Security Program, underscores the “unprecedented” nature of Trump’s approach. “He’s trying to basically exercise the powers of the Insurrection Act without invoking it,” she says. A key issue for Goitein is that the memorandum signed by Trump last week federalizing the National Guard makes no mention of Los Angeles or California. Rather, it states that the guardsmen are being mobilized to address protests that are both “occurring” and “likely to occur.”

In essence, the memo “authorizes the deployment of federal troops anywhere in the country,” Goitein says, “including places where there are no protests yet. We’re talking about preemptive deployment.”

Goitein argues that the administration’s justifications could undermine both judicial accountability and civil‑military boundaries. Under the Insurrection Act, federal troops can take on the responsibilities of local and state police. But without it, their authority should be quite limited. Neither the guardsmen nor the Marines, for instance, should engage with protesters acting peacefully, according to Goitein. “He says they’re there to protect federal property,” she says. “But it looks a lot like quelling civil unrest.”

Anthony Kuhn, a 28-year US Army veteran and managing partner at Tully Rinckey, believes, meanwhile, that there is really “no question” that Trump would be justified in declaring a “violent rebellion” underway in California, empowering him to ignore Newsom’s objections. The images and video of protesters hurling rocks and other items at police and lighting cars on fire all serve as evidence toward that conclusion.

“I know people in California, the governor, the mayor, are trying to frame it as a protest. But at this point,” says Kuhn, “it’s a violent rebellion. You can draw your own conclusions from the pictures and videos floating around.” Kuhn argues that the intentions of the protesters, the politics fueling the demonstrations, don’t matter. “They’re attacking federal facilities. They’re destroying federal property. So in an attempt to restore the peace, the president has the authority under Title 10 to deploy troops. It’s pretty straightforward.”

In contrast, Rutgers University professor Bruce Afran says deploying military forces against Americans is “completely unconstitutional” in the absence of a true state of domestic insurrection. “There was an attack on ICE’s offices, the doorways, there was some graffiti, there were images of protesters breaking into a guardhouse, which was empty,” he says. “But even if it went to the point of setting a car on fire, that's not a domestic insurrection. That's a protest that is engaged in some illegality. And we have civil means to punish it without the armed forces.”

Afran argues that meddling with the expectations of civilians, who naturally anticipate interacting with police but not armed soldiers, can fundamentally alter the relationship between citizens and their government, even blurring the line between democracy and authoritarianism. “The long-term danger is that we come to accept the role of the army in regulating civilian protest instead of allowing local law enforcement to do the job,” he says. “And once we accept that new paradigm—to use a kind of BS word—the relationship between the citizen and the government is altered forever.”

“Violent rioters in Los Angeles, enabled by Democrat governor Gavin Newsom, have attacked American law enforcement, set cars on fire, and fueled lawless chaos," Abigail Jackson, a White House spokesperson, tells WIRED. "President Trump rightfully stepped in to protect federal law enforcement officers. When Democrat leaders refuse to protect American citizens, President Trump will always step in.”

As the orders to mobilize federal troops have come down, some users on social media have urged service members to consider the orders unlawful and refuse to obey—a move that legal experts say would be very difficult to pull off.

David Coombs, a lecturer in criminal procedure and military law at the University of Buffalo and a veteran of the US Army’s Judge Advocate General's Corps, says it’s hypothetically possible that troops could question whether Trump has the authority to mobilize state guardsmen over the objection of a state governor. “I think ultimately the answer to that will be yes,” he says. “But it is a gray area. When you look at the chain of command, it envisions the governor controlling all of these individuals.”

Separately, says Coombs, when troops are ordered to mobilize, they could—again, hypothetically—refuse to engage in activities that are beyond the scope of the president’s orders, such as carrying out immigration raids or making arrests. “All they can do in this case, under Title 10 status, is protect the safety of federal personnel and property. If you go beyond that, then it violates the Posse Comitatus Act.” Federal troops, for instance, would need civilian police to step in at the point that local authorities want peaceful protesters to disperse.

The San Francisco Chronicle reports that, in a letter on Sunday, Homeland Security Secretary Kristi Noem requested that military troops be directed to detain alleged “lawbreakers” during protests “or arrest them,” which legal experts almost universally agree would be illegal under ordinary circumstances. The letter was addressed to Defense Secretary Pete Hegseth and accused the anti-ICE protesters of being “violent, insurrectionist mobs” aiming to “protect invaders and military aged males belonging to identified foreign terrorist organizations.”

Khun, who warns there’s a big difference between philosophizing over what constitutes an unlawful order and disobeying commands, dismisses the idea that troops, in the heat of the moment, will have an option. “It’s not going to be litigated in the middle of an actual deployment,” he says. “There’s no immediate relief, no immediate way to prove that an order is unlawful.”

Khun says that were he deployed into a similar situation, “me and my junior soldiers would not respond to a nonviolent or peaceful protest.” Asked what protesters should expect, should they engage with federal troops trained for combat overseas, Kuhn says the Marines will hold their ground more firmly than police, who are often forced to retreat as mobs approach. In addition to being armed with the same crowd control weapons, Marines are extensively trained in close-quarters combat.

“I would expect a defensive response,” he says, “but not lethal force.”

_Additional reporting by Alexa O’Brien._

_Updated at 1:40 pm ET, June 10, 2025: Added clarifying language around the less-lethal shooting of Lauren Tomasi and fixed a typo in the California attorney general's name._

The ‘Long-Term Danger’ of Trump Sending Troops to the LA Protests

A contract obtained by 404 Media shows that an airline-owned data broker forbids the feds from revealing it sold them detailed passenger data.

A data broker owned by the country’s major airlines, including Delta, American Airlines, and United, collected US travelers’ domestic flight records, sold access to them to Customs and Border Protection (CBP), and then as part of the contract told CBP to not reveal where the data came from, according to internal CBP documents obtained by 404 Media. The data includes passenger names, their full flight itineraries, and financial details.

CBP, a part of the Department of Homeland Security (DHS), says it needs this data to support state and local police to track people of interest’s air travel across the country, in a purchase that has alarmed civil liberties experts.

The documents reveal for the first time in detail why at least one part of DHS purchased such information, and comes after Immigration and Customs Enforcement (ICE) detailed its own purchase of the data. The documents also show for the first time that the data broker, called the Airlines Reporting Corporation (ARC), tells government agencies not to mention where it sourced the flight data from.

“The big airlines—through a shady data broker that they own called ARC—are selling the government bulk access to Americans' sensitive information, revealing where they fly and the credit card they used,” senator Ron Wyden said in a statement.

ARC is owned and operated by at least eight major US airlines, other publicly released documents show. The company’s board of directors include representatives from Delta, Southwest, United, American Airlines, Alaska Airlines, JetBlue, and European airlines Lufthansa and Air France, and Canada’s Air Canada. More than 240 airlines depend on ARC for ticket settlement services.

ARC’s other lines of business include being the conduit between airlines and travel agencies, finding travel trends in data with other firms like Expedia, and fraud prevention, according to material on ARC’s YouTube channel and website. The sale of US fliers’ travel information to the government is part of ARC’s Travel Intelligence Program (TIP).

A Statement of Work included in the newly obtained documents, which describes why an agency is buying a particular tool or capability, says CBP needs access to ARC’s TIP product “to support federal, state, and local law enforcement agencies to identify persons of interest’s US domestic air travel ticketing information.” 404 Media obtained the documents through a Freedom of Information Act (FOIA) request.

The new documents obtained by 404 Media also show ARC asking CBP to “not publicly identify vendor, or its employees, individually or collectively, as the source of the Reports unless the Customer is compelled to do so by a valid court order or subpoena and gives ARC immediate notice of same.”

The Statement of Work says that TIP can show a person’s paid intent to travel and tickets purchased through travel agencies in the US and its territories. The data from the Travel Intelligence Program (TIP) will provide “visibility on a subject’s or person of interest’s domestic air travel ticketing information as well as tickets acquired through travel agencies in the U.S. and its territories,” the documents say. They add that this data will be “crucial” in both administrative and criminal cases.

A DHS Privacy Impact Assessment (PIA) available online says that TIP data is updated daily with the previous day’s ticket sales, and contains more than one billion records spanning 39 months of past and future travel. The document says TIP can be searched by name, credit card, or airline, but ARC contains data from ARC-accredited travel agencies, such as Expedia, and not flights booked directly with an airline. “If the passenger buys a ticket directly from the airline, then the search done by ICE will not show up in an ARC report,” that PIA says. The PIA notes that the data impacts both US and non-US persons, meaning it does include information on US citizens.

“While obtaining domestic airline data—like many other transaction and purchase records—generally doesn't require a warrant, there's still supposed to go through a legal process that ensures independent oversight and limits data collection to records that will support an investigation,” Jake Laperruque, deputy director of the Center for Democracy & Technology's Security and Surveillance Project, told 404 Media in an email. “As with many other types of sensitive and revealing data, the government seems intent on using data brokers to buy their way around important guardrails and limits.”

CBP’s contract with ARC started in June 2024 and may extend to 2029, according to the documents. The CBP contract 404 Media obtained documents for was an $11,025 transaction. Last Tuesday, a public procurement database added a $6,847.50 update to that contract, which said it was exercising “Option Year 1,” meaning it was extending the contract. The documents are redacted but briefly mention CBP’s OPR, or Office of Professional Responsibility, which in part investigates corruption by CBP employees.

“CBP is committed to protecting individuals’ privacy during the execution of its mission to protect the American people, safeguard our borders, and enhance the nation’s economic prosperity. CBP follows a robust privacy policy as we protect the homeland through the air, land and maritime environments against illegal entry, illicit activity or other threats to national sovereignty and economic security,” a CBP spokesperson said in a statement. CBP added that the data is only used when an OPR investigation is open, and the agency needs to locate someone related to that investigation. The agency says the data can act as a good starting point to identify a relevant flight record before then getting more information through legal processes.

On May 1, ICE published details about its own ARC data purchase. In response, on May 2, 404 Media filed FOIA requests with ICE and a range of other agencies that 404 Media found had bought ARC’s services, including CBP, the Secret Service, SEC, DEA, the Air Force, US Marshals Service, TSA, and ATF. 404 Media found these by searching US procurement databases. Around a week later, The Lever covered the ICE contract.

Airlines contacted by 404 Media declined to comment, didn’t respond, or deferred to either ARC or DHS instead. ARC declined to comment. The company previously told The Lever that TIP “was established after the Sept. 11 terrorist attacks to provide certain data to law enforcement … for the purpose of national security matters” and criminal investigations.

“ARC has refused to answer oversight questions from Congress, so I have already contacted the major airlines that own ARC—like Delta, American Airlines, and United—to find out why they gave the green light to sell their customers' data to the government,” Wyden’s statement added.

US law enforcement agencies have repeatedly turned to private companies to buy data rather than obtain it through legal processes such as search warrants or subpoenas. That includes location data harvested from smartphones, utility data, and internet backbone data.

“Overall it strikes me as yet another alarming example of how the ‘Big Data Surveillance Complex’ is becoming the digital-age version of the military-industrial complex,” Laperruque says, referring to the purchase of airline data.

“It's clear the data broker loophole is pushing the government back towards a pernicious ‘collect it all’ mentality, gobbling up as much sensitive data as it can about all Americans by default. A decade ago the public rejected that approach, and Congress passed surveillance reform legislation that banned domestic bulk collection. Clearly it's time for Congress to step in again, and stop the data broker loophole from being used to circumvent that ban,” he added.

According to ARC’s website, the company only introduced multifactor authentication on May 15.

Airlines Don’t Want You to Know They Sold Your Flight Data to DHS

While they can cause serious injuries, “nonlethal” weapons are regularly used in the United States to disperse public demonstrations, including at the recent ICE protests in Los Angeles.

In a stormy weekend for US domestic politics, police and the National Guard arrested at least 56 people demonstrating in Los Angeles, California. On Friday, June 6, several groups took to the streets to protest Immigration and Customs Enforcement raids, which have grown in intensity and number over the past few months. According to CBS News, ICE recorded more than 2,000 arrests per day during Tuesday and Wednesday of the first week of June alone, a considerable increase when compared to the average of 660 that occurred in the first 100 days of Donald Trump's second administration.

The use of the National Guard to address a local situation like the protests in Los Angeles raised alarms from California governor Gavin Newsom, who accused the Trump administration of “creating a crisis.” Meanwhile, other civil society groups condemned the state response against protesters. “President Trump's deployment of National Guard troops to Los Angeles in response to protests against recent ICE raids is deeply alarming,” Amnesty International wrote. “Armed troops have no place in our neighborhoods. This is not about protecting communities, but about suppressing dissent and instilling fear.”

During the scenes, protesters came face-to-face with National Guard and Los Angeles Sheriff's Office police officers. Both bodies were equipped with “nonlethal” weapons to disperse the protests. Among these devices are believed to be the PGL-65 (or P540) or the 37mm or 40mm Sage Deuce Projectile Launcher, “less lethal” ammunition launchers that law enforcement agencies have in their repertoire. Weapons such as those mentioned can launch tear gas grenades with a maximum range of nearly 500 feet. They can also fire kinetic impact grenades (rubber ammunition), “less lethal” fragmentation grenades (rubber balls that scatter when the munition explodes), stun grenades (explosions that cause loud noises and lights to disorient), and paint marker grenades (to mark demonstrators). According to media outlets such as CNN, police in Los Angeles have used stun guns and tear gas to disperse protesters.

**Weapons Banned Abroad**

Canada prohibits the use of these “nonlethal weapons” for demonstration control. Canada's Firearms Regulations (SOR/2020-96 and SOR/98-462) include the PGL-65, Sage Deuce, and other equivalent models within the category of banned weapons. The statute restricts the use of “Any firearm with a (bore bore) diameter of 20 mm or more” (except those designed exclusively to neutralize explosive devices) under the “regulations establishing certain firearms and other weapons, components and parts of weapons, accessories, cartridge magazines, ammunition and projectiles as prohibited or restricted.”

Although Canada is among the few countries that explicitly prohibit the PGL-65, civil society organizations discourage its use and warn about the potential dangers of this launcher.

The Los Angeles police force also uses another “less lethal” projectile launcher against protesters. WIRED was able to verify that this weapon matches the Defense Technology 40mm Single-Shot Launcher (model 1325 or similar), which in this case is painted green to distinguish its “anti-riot” application. A video from the Australian site 9News shows how one of these police officers shot an Australian journalist with what was reportedly a rubber bullet. This weapon appears in other images that media and citizens have documented during the protests.

Riot police in Los Angeles fire a 40mm LMT weapon from Defense Technology, which is banned by Canada.

Jim Vondruska/Getty Images

Under the Geneva conventions, the “recommendations” for the application of kinetic projectiles (such as the Model 1325) discourage police from aiming at protesters’ faces, as they could result in “skull fractures and brain damage, eye damage (including permanent blindness) and even death.” The use of kinetic projectiles from an elevated area, such as at a protest, can increase the risk of protesters being shot in the head. Targeting the torso can cause damage to vital organs and result in body penetration, especially when fired at close range. The caliber and velocity of the projectile, as well as the material from which they are made, will also influence the seriousness of the injury.

In addition, the Geneva conventions specify the circumstances of possible illegal uses of these weapons and lay down the rules:

*   Kinetic projectiles should not be fired in automatic mode.
*   Firing multiple projectiles at the same time does not comply with the principles of necessity and proportionality.
*   The impact of projectiles should be tested and authorized to ensure that they are accurate enough for a safe area without using excessive energy that could cause injury.
*   Kinetic ammunition weapons should not be used to target the face, face or neck.

**“Less Lethal”**

The vast majority of countries keep confidential the specific name of the models they use to deter protests. Some governments, for example, register purchases under generic designations, such as “40 mm launchers,” without citing the make or model, making accountability and verification of the illegal use of these devices difficult.

For example, in Mexico, the Secretariat of National Defense launched tender LA-007000999-E818-2022 in November 2022 for the purchase of 70,000 long- and short-range 40-mm caliber gas projectiles, along with smoke ammunition and liquid marking, according to El Universal. The specifications do not show brands or models of the launcher or manufacturers.

Only countries, such as Canada, include the makes and models of their “nonlethal” weapons. Similar records do not exist in Mexico or Latin America.

The application of weapons such as the Penn Arms GL-1 or similar, as well as the Defense Technology 1325, is seen in social protests, often documented by Amnesty International, which accuses them of abusive use against peaceful civilians. And, while touted as “less lethal,” they can cause serious injuries and human rights violations. In addition, the organization, in its 2023 report “My Eye Exploded,” demands that the use of 40-mm gas or impact projectiles against peaceful civilians be suspended.

According to an assessment by Chile's National Human Rights Institute, police actions during the protests that began in October 2019 resulted in more than 440 eye injuries, with more than 30 cases of eye loss or eye rupture.

_This story was originally published on WIRED en Español and has been translated from Spanish._

The Dangerous Truth About the ‘Nonlethal’ Weapons Used Against LA Protesters

Phone numbers are a goldmine for SIM swappers. A researcher found how to get this precious piece of information through a clever brute-force attack.

A cybersecurity researcher was able to figure out the phone number linked to any Google account, information that is usually not public and is often sensitive, according to the researcher, Google, and 404 Media’s own tests.

The issue has since been fixed but at the time presented a privacy issue in which even hackers with relatively few resources could have brute forced their way to peoples’ personal information.

“I think this exploit is pretty bad since it's basically a gold mine for SIM swappers,” the independent security researcher who found the issue, who goes by the handle brutecat, wrote in an email. SIM swappers are hackers who take over a target's phone number in order to receive their calls and texts, which in turn can let them break into all manner of accounts.

In mid-April, we provided brutecat with one of our personal Gmail addresses in order to test the vulnerability. About six hours later, brutecat replied with the correct and full phone number linked to that account.

“Essentially, it's bruting the number,” brutecat said of their process. Brute forcing is when a hacker rapidly tries different combinations of digits or characters until finding the ones they’re after. Typically that’s in the context of finding someone’s password, but here brutecat is doing something similar to determine a Google user’s phone number.

Brutecat said in an email the brute forcing takes around one hour for a U.S. number, or 8 minutes for a UK one. For other countries, it can take less than a minute, they said.

In an accompanying video demonstrating the exploit, brutecat explains an attacker needs the target’s Google display name. They find this by first transferring ownership of a document from Google’s Looker Studio product to the target, the video says. They say they modified the document’s name to be millions of characters, which ends up with the target not being notified of the ownership switch. Using some custom code, which they detailed in their write up, brutecat then barrages Google with guesses of the phone number until getting a hit.

“The victim isn’t notified at all :)” a caption in the video reads.

A Google spokesperson told 404 Media in a statement “This issue has been fixed. We've always stressed the importance of working with the security research community through our vulnerability rewards program and we want to thank the researcher for flagging this issue. Researcher submissions like this are one of the many ways we’re able to quickly find and fix issues for the safety of our users.”

Phone numbers are a key piece of information for SIM swappers. These sorts of hackers have been linked to countless hacks of individual people in order to steal online usernames or cryptocurrency. But sophisticated SIM swappers have also escalated to targeting massive companies. Some have worked directly with ransomware gangs from Eastern Europe.

Armed with the phone number, a SIM swapper may then impersonate the victim and convince their telecom to reroute text messages to a SIM card the hacker controls. From there, the hacker can request password reset text messages, or multi-factor authentication codes, and log into the victim’s valuable accounts. This could include accounts that store cryptocurrency, or even more damaging, their email, which in turn could grant access to many other accounts.

On its website, the FBI recommends people do not publicly advertise their phone number for this reason. “Protect your personal and financial information. Don’t advertise your phone number, address, or financial assets, including ownership or investment of cryptocurrency, on social media sites,” the site reads.

In their write-up, brutecat said Google awarded them $5,000 and some swag for their findings. Initially, Google marked the vulnerability as having a low chance of exploitation. The company later upgraded that likelihood to medium, according to brutecat’s write-up.

A Researcher Figured Out How to Reveal Any Phone Number Linked to a Google Account

Plus: A 22-year-old former intern gets put in charge of a key anti-terrorism program, threat intelligence firms finally wrangle their confusing names for hacker groups, and more.

Since it’s already chaos out there, this week, we thought we’d lean into the madness by envisioning the future threats that you’re not ready for. From cyberattacks on the US grid to GPS blackouts, rampant deepfake scams, AI-powered super hackers, and widespread communication system collapse, there’s a whole spectrum of scenarios that could take things from bad to worse.

All is not lost, however—at least if you’re Ross Ulbricht. The creator of the Silk Road dark web market, who was pardoned by President Donald Trump earlier this year, received a mysterious $31 million bitcoin donation last weekend. Crypto-tracing firm Chainalysis now suspects the lavish gift may have come from a vendor at another now-defunct black market, AlphaBay.

A trove of public records reviewed by WIRED this week reveal a years-long effort by a farming industry group to get the FBI to treat animal rights activists as a “bioterrorist” threat. The Animal Agriculture Alliance (AAA) was repeatedly in contact with the bureau’s Weapons of Mass Destruction Directorate about the activities of groups like Direct Action Everywhere, or DxE. The records show that AAA fed intelligence about DxE to the FBI and used corporate spies to infiltrate the group’s activities.

Immigration and Customs Enforcement recently updated its guidance for agents who carry out courthouse raids and other “enforcement actions” in and nearby court houses, according to an agency document reviewed by WIRED. The updated policy removes language that explicitly instructed agents to ensure they followed local and state laws.

Anyone who was trying to play a new video game on Christmas Day in 2014 likely remembers the infamous Lizardsquad hack of Xbox Live and Playstation Network. Now, more than a decade later, we finally have the full story.

But that’s not all! Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**Mysterious iPhone Crashes Hint at a Chinese Hacks. Apple Denies It**

The security firm iVerify this week brought to light a series of suspicious iPhone crashes that researchers say might just indicate a stealthy, unprecedented Chinese zero-click hacking campaign victimizing American phones, including even those of staffers for the Harris-Walz presidential campaign. Or it’s a random, not-particularly-dangerous bug that Apple has already squashed.

In a report released Thursday, iVerify assessed with “moderate confidence” that China-linked hackers may have targeted a series of iPhones with a sophisticated exploit, going after activists and dissidents critical of China, an EU government official, tech executives at AI firms competing with Chinese ones, and US political staffers—revealed by NBC News to be employees of the Harris-Walz campaign. iVerify didn’t have a sample of the malware that might have infected those phones or other definitive proof that any hacking occurred. But it pointed to signs that seem like more than coincidences: The staffers whose phones had experienced the crashes had also been warned by the FBI that they’d already been targeted in China’s Salt Typhoon hacking campaign against US telecoms. Another owner of the devices that crashed in the same way was later warned by Apple itself that he or she had been targeted by sophisticated hackers.

All of that would represent a serious threat to national security. Except that, strangely, Apple flatly denies it happened. “We strongly disagree with the claims of a targeted attack against our users,” Apple’s head of security engineering, Ivan Krstić, wrote in a statement to WIRED. Apple has patched the issue that iVerify highlighted in its report, which caused iPhones to crash in certain cases when a message sender changed their own nickname and avatar. But it calls those crashes the result of a “conventional software bug,” not evidence of a targeted exploitation. (That blanket denial certainly isn’t Apple’s usual response to confirmed iPhone hacking. The company has, for instance, sued hacking firm NSO group for its targeting of Apple customers.)

The result is that what might have been a four-alarm fire in the counterintelligence world is reduced—for now—to a very troubling enigma.

**A 22-Year-Old Is Running a Key US Anti-Terrorism Program**

A 22-year-old former intern at the Heritage Foundation with no national security experience has reportedly been appointed to a key Department of Homeland Security role overseeing a major program designed to combat domestic terrorism.

According to Propublica, Thomas Fugate last month assumed leadership of the Center for Programs and Partnerships (CP3), a DHS office tasked with funding nationwide efforts to prevent politically motivated violence—including school shootings and other forms of domestic terrorism.

Fugate, a 2024 graduate of the University of Texas at San Antonio, replaced the former CP3 director, Bill Braniff, an Army veteran with 20 years of national security experience who resigned in March following staff cuts ordered by the Trump administration.

According to CP3’s most recent report to Congress, the office has funded more than 1,100 initiatives aimed at disrupting violent extremism. In recent months, the US has seen a string of high-profile targeted attacks, including a car bombing in California and the shooting of two Israeli Embassy aids in Washington, DC. Its $18 million grant program, designed to support local prevention efforts, is reportedly now under Fugate’s supervision.

**Threat Intelligence Firms (Finally) Agree to a Glossary of Hacker Group Names**

Hacker group names have long been an unavoidable absurdity in the cybersecurity industry. Every threat intelligence company, in a scientifically defensible attempt to not make any assumption that they’re tracking the same hackers as another firm, comes up with their own code name for any group they observe. The result is a somewhat silly profusion of overlapping naming systems based on elements, weather, and zoology: “Fancy Bear” is “Forest Blizzard” is “APT28” is “Strontium.” Now, several major threat intelligence players, including Google, Microsoft, CrowdStrike, and Palo Alto Networks, have finally shared enough of their internal research to agree to a glossary that confirms that they’re referring to the same entities. The companies did _not,_ however, agree to consolidate their naming systems into a single taxonomy. So this agreement doesn’t mean the end of sentences in security reporting such as “the hacker group Sandworm, also known as Telebots, Voodoo Bear, Hades, Iron Viking, Electrum, or Seashell Blizzard.” It just means we cybersecurity reporters can write that sentence with a little more confidence.

**Phone-Hacking Firm Corellium Acquired for $200 Million—After Trump Pardons Its Founder**

Chris Wade, the founder and CTO of mobile device reverse-engineering company Corellium, has had a wild last few decades: In 2005, he was convicted on criminal charges of enabling spammers by providing them proxy servers, and agreed to work undercover for law enforcement while avoiding prison. Then in 2020, he mysteriously received a pardon from President Donald Trump. He also settled a major copyright lawsuit from Apple. Now his company, which creates virtual images of Android and iOS devices so that customers can find ways to break into them, is being acquired by phone-hacking firm Cellebrite, a major law enforcement contractor, for $200 million—a significant payday for a hacker who has found himself on both sides of the law.

The Mystery of iPhone Crashes That Apple Denies Are Linked to Chinese Hacking

In an effort to evade detection, cybercriminals are increasingly turning to “residential proxy” services that cover their tracks by making it look like everyday online activity.

For years, gray-market services known as “bulletproof” hosts have been a key tool for cybercriminals looking to anonymously maintain web infrastructure with no questions asked. But as global law enforcement scrambles to crack down on digital threats, they have developed strategies for getting customer information from these hosts and have increasingly targeted the people behind the services with indictments. At the cybercrime-focused conference Sleuthcon in in Arlington, Virginia, today, researcher Thibault Seret outlined how this shift has pushed both bulletproof hosting companies and criminal customers toward an alternative approach.

Rather than relying on web hosts to find ways of operating outside law enforcement's reach, some service providers have turned to offering purpose-built VPNs and other proxy services as a way of rotating and masking customer IP addresses and offering infrastructure that either intentionally doesn't log traffic or mixes traffic from many sources together. And while the technology isn't new, Seret and other researchers emphasized to WIRED that the transition to using proxies among cybercrminals over the last couple of years is significant.

“The issue is, you cannot technically distinguish which traffic in a node is bad and which traffic is good,” Seret, a researcher at the threat intelligence firm Team Cymru, told WIRED ahead of his talk. “That's the magic of a proxy service—you cannot tell who’s who. It's good in terms of internet freedom, but it's super, super tough to analyze what’s happening and identify bad activity.”

The core challenge of addressing cybercriminal activity hidden by proxies is that the services may also, even primarily, be facilitating legitimate, benign traffic. Criminals and companies that don't want to lose them as clients have particularly been leaning on what are known as “residential proxies,” an array of decentralized nodes that can run on consumer devices—even old Android phones or low-end laptops—offering real, rotating IP addresses assigned to homes and offices. Such services offer anonymity and privacy, but can also shield malicious traffic.

By making malicious traffic look like it comes from trusted consumer IP addresses, attackers make it much more difficult for organizations' scanners and other threat detection tools to spot suspicious activity. And, crucially, residential proxies and other decentralized platforms that run on disparate consumer hardware reduce a service provider's insight and control, making it more difficult for law enforcement to get anything useful from them.

“Attackers have been ramping up their use of residential networks for attacks over the last two to three years,” says Ronnie Tokazowski, a longtime digital scams researcher and cofounder of the nonprofit Intelligence for Good. “If attackers are coming from the same residential ranges as, say, employees of a target organization, it's harder to track.”

Criminal use of proxies isn't new. In 2016, for example, the US Department of Justice said that one of the obstacles in a years-long investigation of the notorious “Avalanche” cybercriminal platform was the service's use of a “fast-flux” hosting method that concealed the platform's malicious activity using constantly changing proxy IP addresses. But the rise of proxies as a gray-market service rather than something attackers must develop in-house is an important shift.

“I don’t know yet how we can improve the proxy issue,” Team Cymru's Seret told WIRED. “I guess law enforcement could target known malicious proxy providers like they did with bulletproof hosts. But in general, proxies are whole internet services used by everyone. Even if you take down one malicious service, that doesn't solve the larger challenge.”

Source

Wired