Records reviewed by WIRED show law enforcement agencies are eager to take advantage of the data trails generated by a flood of new internet-connected vehicle features.

Automakers are increasingly pushing consumers to accept monthly and annual fees to unlock preinstalled safety and performance features, from hands-free driving systems and heated seats to cameras that can automatically record accident situations. But the additional levels of internet connectivity this subscription model requires can increase drivers’ exposure to government surveillance and the likelihood of being caught up in police investigations.

A cache of more than two dozen police records recently reviewed by WIRED show US law enforcement agencies regularly trained on how to take advantage of “connected cars,” with subscription-based features drastically increasing the amount of data that can be accessed during investigations. The records make clear that law enforcement’s knowledge of the surveillance far exceeds that of the public and reveal how corporate policies and technologies—not the law—determine driver privacy.

“Each manufacturer has their whole protocol on how the operating system in the vehicle utilizes telematics, mobile Wi-Fi, et cetera,” one law enforcement officer noted in a presentation prepared by the California State Highway Patrol (CHP) and reviewed by WIRED. The presentation, while undated, contains statistics on connected cars for the year 2024. “If the vehicle has an active subscription,” they add, “it does create more data.”

The CHP presentation, obtained by government transparency nonprofit Property of the People via a public records request, trains police on how to acquire data based on a variety of hypothetical scenarios, each describing how vehicle data can be acquired based on the year, make, and model of a vehicle. The presentation acknowledges that access to data can ultimately be limited due to choices made by not only vehicle manufacturers but the internet service providers on which connected devices rely.

One document notes, for instance, that when a General Motors vehicle is equipped with an active OnStar subscription, it will transmit data—revealing its location—roughly twice as often as a Ford vehicle. Different ISPs appear to have not only different capabilities but policies when it comes to responding to government requests for information. Police may be able to rely on AT&T to help identify certain vehicles based on connected devices active in the car but lack the ability to do so when the device relies on a T-Mobile or Verizon network instead.

Charlotte McCoy, a GM spokesperson, tells WIRED the company now requires a court order before handing over location data to law enforcement. “We review each request individually to assess the circumstances and the nature of the request before providing any information,” they say. “Connectivity offers many benefits—including navigation, communication, safety, and maintenance—and customers can mask their location or turn off connectivity at any time.”

Other car manufacturers listed in the CHP presentation, including Ford, did not respond to a request for comment.

“There's definitely a role being played by the companies in deciding what kind of standard they're going to insist on,” says Andrew Crocker, the surveillance litigation director at the Electronic Frontier Foundation. “And this is a dynamic we've seen in other areas of tech. Google and Facebook and Apple all played a role in saying, ‘We'll only provide this data in response to a warrant; other data we'll provide in response to a subpoena.’”

When police are investigating a specific suspect, they will often use a technique known as a “ping” to geographically locate a specific device known to belong to that individual. But when canvassing near a crime scene for an unknown perpetrator, authorities commonly rely on a procedure known as a “tower dump,” requesting that ISPs cast a wider net and identify virtually any devices that have connected to a specific cell tower during a certain window of time. Police analysts can then comb through this data and attempt to identify a culprit, often using surveillance footage or witness testimony about a vehicle’s color, make, or model.

Nearly all subscription-based car features rely on devices that come preinstalled in a vehicle, with a cellular connection necessary only to enable the automaker's recurring-revenue scheme. The ability of car companies to charge users to activate some features is effectively the only reason the car’s systems need to communicate with cell towers. The police documents note that companies often hook customers into adopting the services through free trial offers, and in some cases the devices are communicating with cell towers even when users decline to subscribe.

In an August 2022 email, one detective noted: “In some vehicles, again \[it\] depends on manufacturer, the vehicle is still doing this despite the lack of an active subscription, and just sending the data back to the mother ship. This could be due to collecting user data for what the manufacturer sells it for, to providing this data to try to sell you on renewing your \[subscription\] package that lapsed.”

The “tower dump” technique is becoming increasingly unpopular in US courts following the US Supreme Court’s acknowledgement in 2018 that location data raises significant Fourth Amendment concerns. While the Supreme Court specifically avoided addressing tower dumps in its landmark _US v. Carpenter_ decision, a Fifth Circuit ruling last year placed the capability in great jeopardy, concluding that a warrant to “geofence” an area and collect evidence from a wide variety of individuals is inherently unconstitutional.

On the back of that decision, a federal magistrate in Mississippi ruled two months ago that tower dumps are likewise unconstitutional. While a “tower dump” and a “geofence” are not precisely the same—the latter relying on GPS coordinates obtained from internet companies such as Google, as opposed to a cell tower—the results are more or less identical: offering police a dragnet with which to accumulate vast amounts of location data on individuals, many if not most of whom are not suspected of committing a crime.

In response to the rapid changes in case law surrounding location data, Google—historically a frequent target of geofence warrants—announced technical changes to its software last year, making it effectively impossible to respond to these types of warrants.

“Location data is some of the most sensitive, revealing information that is generated by our devices, including our cars,” the EFF’s Crocker says. “It's extremely revealing of obviously where you go and where you've been, but also all the people you associate with and all the things you're doing. You can paint a very clear picture of someone's life with just a list of all the places they've been in their car. The Supreme Court has made that very clear.”

The police documents reviewed by WIRED alone demonstrate the arbitrary nature of vehicle surveillance upon this shifting legal landscape, with police noting, for instance, that while Verizon will refuse to allow police to define their own radius when requesting cell tower data, its competitors impose no such limitations. Another document notes that while AT&T will conduct “pings,” locating a device in real time, it will only do so for “voice devices.”

What is also clear from the documents is that US police are aware of the control corporations have over their ability to acquire vehicle location data, expressing fears that they could abruptly decide to kill off certain capabilities at any time.

In a letter sent in April 2024 to the Federal Trade Commission, US senators Ron Wyden and Edward Markey—Democrats from Oregon and Massachusetts, respectively—noted that a range of automakers, from Toyota, Nissan, and Subaru, among others, are willing to disclose location data to the government in response to a subpoena without a court order. Volkswagen, meanwhile, had its own arbitrary rules, limiting subpoenas to fewer than seven days’ worth of data. The senators noted that these policies stood in contrast to public pledges previously made by some automakers to require a warrant or court order before surrendering a customer’s location data.

Automakers “differ significantly on the important issue of whether customers are ever told they were spied on,” the senators wrote. At the time of the letter, only Tesla had a policy, they said, of informing customers about legal demands. “The other car companies do not tell their customers about government demands for their data, even if they are allowed to do so.”

“We respect our customers’ privacy and take our responsibility to protect their personal information seriously,” Bennet Ladyman, a T-Mobile spokesperson, says.

AT&T spokesperson Jim Kimberly says: “Like all companies, we are required by law to provide information to law enforcement and other government entities by complying with court orders, subpoenas, and other lawful discovery requests. In all cases, we review requests to determine whether they are valid. We require a search warrant based on the probable-cause standard for all government demands for real-time or historical location information, except in emergency situations. For government demands for cell tower searches, we require a probable-cause search warrant or a court order, except in emergency situations.”

Verizon did not respond to a request for comment.

“Especially now, with American civil liberties eroding rapidly, people should exercise great caution in granting new surveillance powers to law enforcement,” says Ryan Shapiro, executive director of Property of the People.

Jay Stanley, a senior policy analyst at the American Civil Liberties Union, notes that the police documents reviewed by WIRED contained substantial detail about car surveillance that appear to be publicly unavailable, suggesting that corporations are being far more open with law enforcement than they are with their own customers.

“It's an ongoing scandal that this kind of surveillance is taking place without people being aware of it, let alone giving permission for it,” Stanley says. “If they're carrying out surveillance on the public, the public should know. They should have meaningful knowledge and give meaningful consent before any kind of surveillance is activated, which clearly is not the case.”

Car Subscription Features Raise Your Risk of Government Surveillance, Police Records Show

Plus: Cybercriminals stole a record-breaking fortune from US residents and businesses in 2024, and Google performs its final flip-flop in its yearslong quest to kill tracking cookies.

As the Trump administration’s aggressive immigration policy ramps up, people have started to seriously consider their privacy and security when crossing into the United States. That’s especially true when it comes to searches of travelers’ phones and other devices, which US Customs and Border Protection agents have broad authority to search. Fortunately, there are some steps you can take, such as deleting certain apps from your personal phone or using an alternative phone that’s set up just for traveling internationally.

Operatives with Elon Musk’s so-called Department of Government Efficiency (DOGE) have spent the first months of the Trump administration clawing their way into US government systems. It’s now starting to become clear exactly what those systems are and what kind of data on US residents they hold. WIRED this week detailed the 19 systems DOGE operatives have access to just at the Department of Health and Human Services.

Pope Francis died on Monday at age 88. The passing of the supreme pontiff sets in motion a conclave, the secretive process used to select the new pope. To protect the conclave’s integrity and try to prevent leaks, a wide range of security measures will be put in place, from privacy film on windows at the Vatican to signal jammers and sweeps for hidden microphones.

Google recently announced the initial rollout of end-to-end encrypted email for Google Workspace accounts, which is good news for the privacy of enterprise-level users. When a Workspace user emails a non-Workspace account, the recipient gets an invitation to create a guest account so they can read the email. Unfortunately, security experts say, this will likely create new opportunities for phishing attacks, as scammers try to bait people with fake invitations.

But that’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

SignalGate is the scandal that just won’t die—at least not if you’re US secretary of defense Pete Hegseth. On Wednesday, The Washington Post reported that Hegseth had installed Signal on a “second computer in his office” so that he could “use Signal in a classified space, where his cellphone and other personal electronics are not permitted, and communicate with ease with anyone.”

The Associated Press on Thursday added to the picture of Hegseth’s reported Signal use, revealing that Hegseth got a second internet line installed that connected directly to the public internet rather than through the Pentagon’s secured connection, according to sources who spoke with the AP. Hegseth allegedly did this so he could use that second computer with Signal installed. Then on Friday, The New York Times found that the phone number associated with Hegseth’s Signal account—the one he used in that infamous group chat—is easily discoverable online, potentially opening him up to targeted cyberattacks by hostile nations.

**Cybercriminals Stole a Record-Breaking $16.6 Billion From US Entities in 2024**

Despite a steady flow of arrests and takedowns of online scammers, cybercriminals are operating at unprecedented levels and making more money than ever. Two reports released this week reveal the stark scale of online criminality. Last year in the United States, businesses and individuals lost $16.6 billion to online crimes, according to the FBI’s Internet Crime Complaint Center—that’s the highest figure ever reported and a leap of 33 percent compared to 2023. In 2024, there were 859,532 complaints about potential online crimes, with the FBI saying phishing and spoofing complaints account for 193,000 of them, followed by extortion with 86,000 complaints. Investment scams, which often involve cryptocurrency, made up more than $6 billion of the total losses, with business email compromise scams leading to losses of $2.7 billion.

Around the same time, the United Nations Office on Drugs and Crime highlighted that giant scam compounds in Southeast Asia—where human trafficking victims are forced to work scamming people—are generating $40 billion in profits per year and keep on growing. These industrial-scale scam organizations, which are often linked to Chinese criminals, heavily use investment scams (sometimes called pig-butchering) to con people out of their life savings and are expanding outside of the region. “It spreads like a cancer,” Benedikt Hofmann of the UNODC said in a statement.

**Google Chrome Won’t Ditch Creepy Tracking Cookies After All**

Back in 2020, Google announced its Chrome browser would stop using third-party cookies, which track people around the web, and would move to a less creepy way of powering its advertising businesses. Web browsers such as Safari, Firefox, and Brave ditched cookies years before Google made the announcement. But this week, after countless U-turns, failed efforts to develop alternatives, and criticism that proposals to replace cookies would favor Google, the company announced it will, in fact, keep the trackers in Chrome.

“We’ve made the decision to maintain our current approach to offering users third-party cookie choice in Chrome,” wrote Anthony Chavez, the Google VP in charge of its Privacy Sandbox efforts, in a blog post. “As we’ve engaged with the ecosystem, including publishers, developers, regulators, and the ads industry, it remains clear that there are divergent perspectives on making changes that could impact the availability of third-party cookies,” Chavez wrote. While the US government is proposing that Google sell off Chrome as part of its antitrust case against the company, it’s still possible to turn off third-party cookies or use a privacy-friendly browser instead.

Pete Hegseth’s Signal Scandal Spirals Out of Control

In this episode of Uncanny Valley, our hosts explain how to prepare for travel to and from the United States—and how to stay safe.

Protecting Your Phone—and Your Privacy—at the US Border

Google is rolling out an end-to-end encrypted email feature for business customers, but it could spawn phishing attacks, particularly in non-Gmail inboxes.

Google announced at the beginning of April that it is launching a streamlined tool that will allow business users to easily send “end-to-end encrypted” emails—an effort to address the longstanding challenge of adding additional security protections to email messages. The feature is currently in beta for enterprise users to try out within their own organization. It will then expand to allow Google Workspace users to send end-to-end encrypted emails to any Gmail user. By the end of the year, the feature will allow Workspace users to send the more secure emails to any inbox. Email spam and digital fraud researchers warn, though, that while the feature will provide a new option for email privacy and security, it will also inevitably spawn new phishing attacks.

End-to-end encryption is a protection that keeps data scrambled at all times except on the sender and recipient's devices, and it is difficult to add to the historic email protocol. Mechanisms to do it are typically very complicated and costly to implement and only make sense for large organizations trying to meet specific compliance requirements. In contrast, Google's end-to-end encrypted email tool is simple to use and doesn't require significant IT overhead. The scenario that digital fraud researchers are most concerned about, though, relates to the case where a Workspace user sends an end-to-end encrypted email to a non-Gmail user.

“When the recipient is not a Gmail user, Gmail sends them an invitation to view the E2EE email in a restricted version of Gmail,” Google wrote in a blog post. “The recipient can then use a guest Google Workspace account to securely view and reply to the email.”

The fear is that scammers will take advantage of this new and more secure communication mechanism by creating fake copies of these invitations that contain malicious links, and prompt targets to enter their login credentials for their email, single sign-on services, or other accounts.

“Looking at Google's implementation, we can see it introduces a new workflow for non-Gmail users—receiving a link to view an email,” says Jérôme Segura, senior director of threat intelligence at Malwarebytes. “Users might not yet be familiar with exactly what a legitimate invitation looks like, making them more susceptible to clicking on a fake one.”

Given email's technical limitations, Google created a way for an organization's Workspace to automatically manage keys—used to descramble encrypted messages. Key management is what makes end-to-end encrypting email so difficult, so offering a solution that is easy for customers is a departure from what's currently available. The fact that the organization's Workspace controls the keys rather than storing them locally on a sender and recipient's devices does mean that the feature doesn't quite qualify as end-to-end encryption in the strictest sense of the term. But researchers say that for use cases like business compliance, the tool could still be extremely useful. And individuals who want end-to-end encrypted communications should just use a purpose-built app like Signal.

When Gmail users receive one of the new encrypted emails from a Google Workspace user, Google's extensive array of dynamic spam filters and fraud detection mechanisms will be in play to protect against spam, phishing, and rogue imposters broadly. But email users outside the Google ecosystem will also be able to receive encrypted email invitations, which makes the service available to anyone, but also will leave non-Google users to their own devices.

Scammers will prey on anything topical to generate new scams, and this threat certainly isn't unique to Google's new encrypted email feature. The invitations to view end-to-end encrypted emails will come with a warning that says, “Be careful when signing in to view this encrypted message. This message is from an external sender and is encrypted. Make sure you trust the sender and their identity provider before entering your username and password.”

“While it’s absolutely true that scammers are always looking for new ways to abuse any product, we built this particular technology with this risk in mind,” Google spokesperson Ross Richendrfer said in a statement. “The notifications users will receive in this case are very similar to Drive file sharing notifications that go out whenever someone shares a doc or file. All the protections we employ to keep scammers from capitalizing on these messages will help us protect this new class of notifications as well.”

Generations of Google Drive and Google Docs scams show, though, that it is particularly difficult to combat imposter invitations outside of Google's ecosystem. But when it comes to the new end-to-end encrypted email feature, “it was either adding a warning or not allowing this feature for non-Gmail users,” Malwarebytes's Segura says.

In fact, the new tool may offer particularly good fodder for scammers, given that Google is such a trusted organization, and targets may have heard about how end-to-end encryption is a special, gold-standard security feature.

“It's almost as if someone at Google knew this was a bad idea and asked for a warning to be added,” Malwarebytes’ Segura says. “It's quite likely fraudsters will jump on the opportunity to craft phishing emails using this exact same template, even including the original warning that will be overlooked.”

Gmail’s New Encrypted Messages Feature Opens a Door for Scams

Following the death of Pope Francis, the Vatican is preparing to organize a new conclave in less than 20 days. This is how they’ll tamp down on leaks.

In 2005, cell phones were banned for the first time during the conclave, the process by which the Catholic Church elects its new pope. Twenty years later, after the death of Pope Francis, the election process is underway again. Authorities have two priorities: to protect the integrity of those attending the meeting, and to ensure that it proceeds in strict secrecy (under penalty of excommunication and imprisonment) until the final decision is made.

By 2025, the Gendarmerie corps guarding Vatican City faces unprecedented technological challenges compared to other conclaves. Among them are artificial intelligence systems, drones, military satellites, microscopic microphones, a misinformation epidemic, and a world permanently connected and informed through social media.

The conclave is scheduled to take place approximately 20 days after the pope's death. The Vatican and the Holy See are preparing for the arrival of the cardinals who will vote for the next leader of the Catholic faith. Emergency and control bodies are also working on it with state-of-the-art technology. So far, they have not shared details about their security arrangements, but they are not inexperienced in the task of safeguarding the integrity of high-profile figures in the face of today's technological risks.

In fact, the election in 2013 of Jorge Mario Bergoglio—the real name of Pope Francis—as supreme pontiff gives some indications of the rigorous security strategies that will be presented in the next conclave.

**Signal Jammers and Device Checks**

The Vatican has internet access, but within the areas where the cardinals will reside and vote for the new pope, there will be signal jammers. The technology prevents two devices from communicating with each other through radio frequency interference. The headquarters becomes an electronic bunker. Thus, if someone were to manage to introduce a microphone, telephone, or computer, they would be unable to transmit information.

However, the possibility of administrative staff or the cardinals themselves introducing technology is remote. Authorities inspect the building for days in search of unauthorized microphones or cameras, check every permitted attendee, and double-check participants.

**Privacy Film in the Windows**

Contemporary satellites are capable of taking pictures of people's faces from space, while AI can interpret lip movements. However, since there's currently no technology to see through walls with such high resolution, the best strategy against espionage in the conclave is to close doors and windows.

During meetings and in the sleeping quarters, voters are not allowed to look outside. In addition, before the cardinals arrive, Vatican staff place opaque film over windows so that no journalist, satellite, or drone can take pictures of the interior.

**Locked-Down Vatican**

The Vatican covers only 0.44 square kilometer in area. It is the smallest nation in the world. Until 2018, it had 650 cameras monitoring its streets from an underground command center. In addition, the Vatican City Gendarmerie, which functions as a conventional police force, and the Pontifical Swiss Guard, which acts as an army, are located within the territory. While in photographs they appear to be wearing antique costumes and carrying halberds, the latter group has highly trained personnel with heavy weapons, such as machine guns, rifles, and explosives.

An estimated 200,000 people are expected to be present in the small city-state once the conclave has determined the name of Pope Francis' successor.

_This story originally appeared on_ WIRED _en Español_ _and has been translated from Spanish._

The Tech That Safeguards the Conclave’s Secrecy

Customs and Border Protection has broad authority to search travelers’ devices when they cross into the United States. Here’s what you can do to protect your digital life while at the US border.

Entering the United States has become more precarious since the start of the second Trump administration in January. There has been an apparent surge in both foreign visitors and US visa holders being detained, questioned, and even deported at the border. As the situation evolves, demand for flights from Canada and Europe has plummeted as people reevaluate their travel plans.

Many people, though, can’t avoid border crossings, whether they are returning home after traveling for work or visiting friends and family abroad. Regardless of the reason for travel, US Customs and Border Protection (CBP) officials have the authority to search people’s phones and other devices as they determine who is allowed to enter the country. Multiple travelers have reported being questioned or turned away at the US border in recent weeks in relation to content on their phones.

While not unique to the US border—other nations also have powers to inspect phones—the increasingly volatile nature of the Trump administration’s border policies is causing people to rethink the risks of carrying devices packed with personal information to and from the US. Canadian authorities have updated travel guidance to warn of phone searches and seizures, some corporate executives are reconsidering the devices they carry, some officials in Europe continue to receive burner phones for certain trips to the US, and the Committee to Protect Journalists has warned foreign reporters about device searches at the US border.

With this in mind, here’s the WIRED guide to planning for bringing a smartphone across the border. You should also use WIRED’s guide to entering the US with your digital privacy intact to get a broader view of how to minimize data and take precautions. But start here for everything smartphone.

**What Can CBP Access?**

Do CBP officials have the authority to search your phone at the border? The short answer is yes. Searches are either manual, with a border official looking through the device, or more advanced, involving forensic tools to extract data en masse. To get into your phone, border officials can ask for your PIN or biometric to unlock the phone. However, your legal status and right to enter the US will make a difference in what a search might look like at the border.

Generally, border zones—which includes US international airports—fall outside of Fourth Amendment protections that require a warrant for a device to be searched (though one federal court has ruled otherwise). As such, CBP has the power to search any traveler’s phone or other electronic devices, such as computers and cameras, when they’re entering the country. US citizens and green card holders can refuse a device search without being denied entry, but they may face additional questioning or temporary device seizure. And as the Trump administration pushes the norms of acceptable government conduct, it is possible that, in practice, green card holders could face new repercussions for declining a device search. US visa holders and foreign visitors can face detention and deportation for refusing a device search.

“Not everybody has the same risk profile,” says Molly Rose Freeman Cyr, a member of Amnesty International’s Security Lab. “A person’s legal status, the social media accounts that they use, the messaging apps that they use, and the contents of their chats” should all factor into their risk calculus and the decisions they make about border crossings, Cyr says.

If you feel safe refusing a search, make sure to disable biometrics used to unlock your device, like face or fingerprint scanners, which CBP officers can use to access your device. Instead, use only a PIN or an alphanumeric code (if available on your device). Make sure to keep your phone’s operating system up to date, which can make it hard to crack with forensic tools.

You should also consider factors like nationality, citizenship, profession, and geopolitical views in assessing whether you or someone you’re traveling with could be at higher risk of scrutiny during border crossings.

In short, you need to make some decisions before you travel about whether you would be prepared to refuse a device search and whether you want to make changes to your devices before your trips.

Keep in mind that there are simple steps anyone can take to keep your devices out of sight and, hopefully, out of mind during border crossings. It’s always a good idea to obtain a printed boarding pass or prepare other paper documents for review and then turn your phone off and store it in your bag before you approach a CBP agent.

**Traveling With an Alternate Phone**

There are two ways to approach device privacy for border crossings. One is to start with a clean slate, purchasing a phone for the purpose of traveling or wiping and repurposing your old phone—if it still receives software updates.

The device doesn’t need to be a true “burner” phone, in the sense that you will be carrying it with you as if nothing is out of the ordinary, so you don’t need to purchase it with cash or take other steps to ensure that it can’t be connected to you. The idea, though, is to build a sanitized version of your digital life on the travel phone, ideally with separate communication and social media accounts created specifically for travel. This way, if your device is searched, it won’t have the back catalog of data—old text messages, years of photos, forgotten apps, and access to many or all of your digital accounts—that exists on your primary phone and could reveal details of your political views, your associations, or your movements over time.

Starting with a clean slate makes it easy to practice “data minimization,” or reducing the data available to another person: Simply put the things you’ll need for a trip on the phone without anything you won’t need. You might make a travel email address, some alternate social media accounts, and a separate account for end-to-end encrypted communications using an app like Signal or WhatsApp. Ideally you would totally silo your real digital life from this travel life. But you can also include some of your regular personal apps, building back from the ground up while determining on a selective basis whether you have existing accounts that you feel comfortable potentially exposing. Perhaps, for example, you think that showing a connection to your employer or a community organization could be advantageous in a fraught situation.

Privacy and digital rights advocates largely prefer the approach of building a travel device from scratch, but they caution that a phone that is too squeaky clean, too much like a burner phone, can arouse suspicion.

“You have to ‘seed’ the device. Use the phone for a day or even for a few hours. It just can't be _clean_ clean. That’s weird,” says Matt Mitchell, founder of CryptoHarlem, a security and privacy training and advocacy nonprofit. “My recommendation is to make a finsta for travel, because if they ask you what your profile is, how are you gonna say ‘I don't use any social media’? Many people have a few accounts anyway. One ratchet, one wholesome—add one travel.”

Cyr, from Amnesty International, also points out that a true burner phone would be a “dumb” phone, which wouldn’t be able to run apps for encrypted communications. “The advantage that we all have with smartphones is that you can communicate in an encrypted way,” Cyr says. “People should be conscious that any nonencrypted communication is less secure than a phone call or a message on an application like Signal.”

While a travel device doesn’t need to use a prepaid SIM card bought with cash, it should not share your normal phone number, since this number is likely linked to most if not all of your key digital accounts. Buy a SIM card for your trip or only use the device on Wi-Fi.

**Traveling With Your Primary Phone**

The other approach you can take to protecting your device during border crossings is to modify your primary smartphone before travel. This involves removing old photos and messages and storing them somewhere else, cleaning out nonessential apps, and either removing some apps altogether or logging out of them with your main accounts and logging back in with travel accounts.

Mohammed Al-Maskati, digital security helpline director at the rights group Access Now, says that people should consider this type of clean-out before they travel. “I will look at my device and see what apps I need,” he says. “If I don't need the app, I just remove it.”

Al-Maskati adds that he suggests people particularly remember to remove dating apps and anything related to LGBTQI communities, especially if they consider themselves to be at higher risk of facing a device search. And generally, this approach is only safe if you are particularly diligent about removing every app that might expose you to risk.

You could use your own phone as a travel phone by backing it up, wiping it, building a travel device with only the apps you really need while traveling, going on your trip, and then restoring from the backup when you get home. This approach is doable but time consuming, and it creates more opportunities for operational security mistakes or what are known as “opsec fails.” If you try to delete all of your old, unwanted apps, but miss one, you could end up exposing an old social media account or other historic service that has forgotten data in it. Messaging apps can have easily searchable archives going back years and can automatically save photos and files without you realizing it. And if you back up all of your data to the cloud and take it off your device, but are still logged into the cloud account underpinning other services (like your main Google or Apple account), you could be asked to produce the data from the cloud for inspection.

Still, if you assess that you are at low risk of facing scrutiny during a border crossing or you don’t have access to an additional device for travel, modifying your main smartphone is a good option. Just be careful.

**What To Do, If Nothing Else**

Given all of this, you may be hyped up and ready to throw your phone in the ocean. Or you may be thinking there’s no way in hell that you’re ever going to take the time to deal with any of this. For those in the latter camp, you’ve come this far, so don’t click away just yet. If you don’t want to take the time to make a bunch of changes, and you don’t think you’re at particular risk during border crossings (though keep in mind that it’s possible your risk is higher than you realize), there are still a few easy things you can do to protect your digital privacy that are better than nothing.

First, as mentioned above, print a paper boarding pass and any other documents you might need. Even if you don’t turn your phone off and stow it in a bag for your entire entry or exit process, you can put it in your pocket and have your paper ticket and other documents ready while actually interacting with agents. And taking basic digital hygiene steps, like updating your phone and removing apps and data you no longer need, can go a long way.

“We all need to be recognizing that authorities may scrutinize your online presence, including social media activity and posts you’ve published,” says Danacea Vo, founder of Cyberlixir, a cybersecurity provider for nonprofits and vulnerable communities. “Since people have gotten more vocal on social media, they’re very worried about this. Some have even decided not to risk traveling to or from the US this year.”

How to Protect Yourself From Phone Searches at the US Border

Plus: A US judge rules against police cell phone “tower dumps,” China names alleged NSA agents it says were involved in cyberattacks, and Customs and Border Protection reveals its social media spying tools.

Just three months into the Trump administration's promised crackdown on immigration to the United States, Immigrations and Customs Enforcement now has a $30 million contract with Palantir to build a “near-real time” surveillance platform called ImmigrationOS that would track information about people self-deporting (electing to leave the US). Meanwhile, the Department of Homeland Security has been sending aggressive emails telling people with temporary legal status to leave the US. It is unclear who has actually been sent the messages, though, given that a number of people who are US-born citizens have reported receiving them.

The US Cybersecurity and Infrastructure Security Agency briefly seemed poised this week to cancel funding for the critical software vulnerability tracking project known as the CVE Program. CISA eventually came through with the funding, but some members of the CVE Program's governing board are planning to make the project into an independent nonprofit.

A lawsuit over the Trump administration’s Houthi Signal group chat is revealing details on steps that federal departments did—and did not—take to preserve the messages per records laws.

WIRED took a look at the most dangerous hackers you've never heard of, diving deep on the unrelenting and two-faced Russian intelligence group Gamaredon; the incredibly prolific Chinese Smishing Triad text message scammers; the dangerous members of fallen ransomware giant Black Basta; the Iranian critical infrastructure hackers known as CyberAv3ngers; the TraderTraitor North Korean cryptocurrency hackers responsible for a staggering number of massive heists; and the notorious, longtime Chinese criminal and state-backed crossover hackers known as Brass Typhoon.

On top of all of that, a suspected 4chan hack may have devastating consequences for the controversial image board. The AI company Massive Blue is helping cops generate AI-powered social media bots to pose as sympathetic figures and talk to people of interest. And the New Jersey attorney general is suing Discord, claiming that the platform doesn't have adequate safeguards in place to protect children under 13 from sexual predators and harmful content.

But wait, there's more! Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

**Draft Legislation in Florida Explicitly Demands Encryption Backdoors**

A draft bill in the state of Florida would require social media companies to provide law enforcement with encryption backdoors so cops could access users’ accounts. The bill advanced unanimously from committee this week and will now go to the state Senate for a vote. If passed, the Social Media Use by Minors bill, which is sponsored by state senator Blaise Ingoglia, would require “social media platforms to provide a mechanism to decrypt end-to-end encryption when law enforcement obtains a subpoena.” The bill would also ban disappearing messages in accounts designed for children and would require social media companies to create a mechanism for parents or guardians to access children's accounts. Experts have long warned that encryption backdoors make everyone less secure, including those they are intended to help. Yet waves of attacks on encryption have repeatedly emerged over the years, including a recent trend in the European Union and United Kingdom.

**Judge Finds Broad Searches of Cell Tower Data Are Unconstitutional**

A Nevada district judge said this week that the practice of “tower dumps,” in which law enforcement pulls vast quantities of personal caller data from cell towers, violates the Fourth Amendment and is, thus, unconstitutional. Cell towers collect large quantities of information about users, including phone numbers and phone locations, so when cops request data from a tower during a specific time period, they often receive information on thousands of devices or more. In spite of the decision this week, though, Judge Miranda M. Du said that law enforcement could still use the evidence they had collected through a tower dump in their case.

**China Hits US With Accusations of Cyberattacks, Naming Alleged NSA Agents**

China claimed this week that the US National Security Agency perpetrated “advanced” cyberattacks against critical industries in February during the Asian Winter Games. Law enforcement from the northeastern city of Harbin put three alleged NSA agents—Katheryn A. Wilson, Robert J. Snelling, and Stephen W. Johnson—on a wanted list and claimed that the University of California and Virginia Tech were involved in the attacks. “We urge the US to take a responsible attitude on the issue of cyber security and … stop unprovoked smears and attacks on China,” ministry spokesperson Lin Jian said during a news briefing about multiple topics, according to Reuters. The US government frequently calls out Chinese state-backed hacking and names individual alleged perpetrators, but China has been less consistent about such statements. The move this week comes amid escalating tensions between the two countries, including the Trump's administration's trade war.

**US Customs and Border Protection Is Using a Number of AI Tools to Monitor Social Media**

CBP is using multiple artificial intelligence tools to scan social media and identify people of interest online, according to information from the agency and marketing materials reviewed by 404 Media from the contractors. CBP released information about the platforms this week in parallel to the US Department of Homeland Security’s announcement that it will “begin screening aliens’ social media activity for Antisemitism.” That statement also says that US Citizenship and Immigration Services is conducting “antisemitism” social media searches. CBP told 404 Media in an email that “neither tool is used for vetting or travel application processing,” referring to Dataminr and Onyx, but did not elaborate beyond that. The platforms use AI to parse large troves of data and can be used to develop leads on people who may be in violation of US immigration laws.

Florida Man Enters the Encryption Wars

In a document published Thursday, ICE explained the functions that it expects Palantir to include in a prototype of a new program to give the agency “near real-time” data about people self-deporting.

Immigration and Customs Enforcement is paying software company Palantir $30 million to provide the agency with “near real-time visibility” on people self-deporting from the United States, according to a contract justification published in a federal register on Thursday. The tool would also help ICE choose who to deport, giving special priority to “visa overstays,” the document shows.

Palantir has been an ICE contractor since 2011, but the document published Thursday indicates that Palantir wants to provide brand-new capabilities to ICE. The agency currently does not have any publicly known tools for tracking self-deportation in near real-time. The agency does have a tool for tracking self-reported deportations, but Thursday’s document, which was first reported by Business Insider, does not say to what degree this new tool may rely on self-reported data. ICE also has “insufficient technology” to detect people overstaying their visas, according to the Department of Homeland Security. This is particularly due to challenges in collecting "biographic and biometric" data from departing travelers, especially if they leave over land, according to Customs and Border Protection.

The agency says in the document that these new capabilities will be under a wholly new platform called the Immigration Lifecycle Operating System, or ImmigrationOS. Palantir is expected to provide a prototype of ImmigrationOS by September 25, 2025, and the contract is scheduled to last at least through September 2027. ICE’s update to the contract comes as the Trump administration is demanding that thousands of immigrants “self-deport,” or leave the US voluntarily.

ICE and Palantir did not respond for comment.

According to the document, ImmigrationOS is intended to have three core functions. Its “Targeting and Enforcement Prioritization” capability would streamline the “selection and apprehension operations of illegal aliens.” People prioritized for removal, ICE says, should be “violent criminals,” gang members, and “visa overstays.”

Its “Self-Deportation Tracking” function would have “near real-time visibility into instances of self-deporation,” the document says. The document does not say what data Palantir would use for such a system, but ICE says it aims to “accurately report metrics of alien departures from the United States.” The agency stipulates that this tool should also integrate with “enforcement prioritization systems to inform policy” but does not elaborate on these systems or policies.

Meanwhile, the “Immigration Lifecycle Process” function would streamline the “identification” of aliens and their “removal” from the United States, with the goal of making "deportation logistics” more efficient.

In a “rationale” section, ICE claims that it has an “urgent and compelling” need for ImmigrationOS’s capabilities. Without them, ICE claims, it would be “severely” limited in its ability to target the gangs MS-13 and Tren de Aragua, and abide by President Donald Trump’s executive order to expedite deportations.

Palantir, ICE claims, is “the only source that can provide the required capabilities and prototype of ImmogrationOS \[sic\] without causing unacceptable delays.” ICE says the company has developed “deep institutional knowledge of the agency’s operations over more than a decade of support.”

“No other vendor could meet these timeframes of having the infrastructure in place to meet this urgent requirement and deliver a prototype in less than six months,” ICE says in the document.

ICE’s document does not specify the data sources Palantir would pull from to power ImmigrationOS. However, it says that Palantir could “configure” the case management system that it has provided to ICE since 2014.

Palantir has done work at various other government agencies as early as 2007. Aside from ICE, it has worked with the US Army, Air Force, Navy, Internal Revenue Service, and Federal Bureau of Investigation. As reported by WIRED, Palantir is currently helping Elon Musk’s so-called Department of Government Efficiency (DOGE) build a brand-new “mega API” at the IRS that could search for records across all the different databases that the agency maintains.

Last week, 404 Media reported that a recent version of Palantir’s case-management system for ICE allows agents to search for people based on “hundreds of different, highly specific categories,” including how a person entered the country, their current legal status, and their country of origin. It also includes a person’s hair and eye color, whether they have scars or tattoos, and their license-plate reader data, which would provide detailed location data about where that person travels by car.

These functionalities have been mentioned in a government privacy assessment published in 2016, and it’s not clear what new information may have been integrated into the case management system over the past four years.

This week’s $30 million award is an addition to an existing Palantir contract penned in 2022, originally worth about $17 million, for work on ICE’s case management system. The agency has increased the value of the contract five times prior to this month; the largest was a $19 million increase in September 2023.

The contract’s ImmigrationOS update was first documented on April 11 in a government-run database tracking federal spending. The entry had a 248-character description of the change. The five-page document ICE published Thursday, meanwhile, has a more detailed description of Palantir’s expected services for the agency.

The contract update comes as the Trump administration deputizes ICE and other government agencies to drastically escalate the tactics and scale of deportations from the US. In recent weeks, immigration authorities have arrested and detained people with student visas and green cards, and deported at least 238 people to a brutal megaprison in El Salvador, some of whom have not been able to speak with a lawyer or have due process.

As part of its efforts to push people to self-deport, DHS in late March revoked the temporary parole of more than half a million people and demanded that they self-deport in about a month, despite having been granted authorization to live in the US after fleeing dangerous or unstable situations in Cuba, Haiti, Nicaragua, and Venezuela under the so-called “CHNV parole programs.”

Last week, the Social Security Administration listed more than 6,000 of these people as dead, a tactic meant to end their financial lives. DHS, meanwhile, sent emails to an unknown number of people declaring that their parole had been revoked and demanding that they self-deport. Several US citizens, including immigration attorneys, received the email.

On Monday, a federal judge temporarily blocked the Trump administration’s move to revoke people’s authorization to live in the US under the CHNV programs. White House spokesperson Karoline Leavitt called the judge’s ruling “rogue.”

ICE Is Paying Palantir $30 Million to Build ‘ImmigrationOS’ Surveillance Platform

The New Jersey attorney general claims Discord’s features to keep children under 13 safe from sexual predators and harmful content are inadequate.

Discord is facing a new lawsuit from the state of New Jersey, which claims that the chat app is engaged in “deceptive and unconscionable business practices” that put its younger users in danger.

The lawsuit, filed on Thursday, comes after a multiyear investigation by the New Jersey Office of Attorney General. The AG’s office claims it has uncovered evidence that, despite Discord’s policies to protect children and teens, the popular messaging app is putting youth “at risk.”

“We’re the first state in the country to sue Discord,” Attorney General Matthew Platkin tells WIRED.

Platkin says there were two catalysts for the investigation. One is personal: A few years ago, a family friend came to Platkin, astonished that his 10-year-old son was able to sign up for Discord, despite the platform forbidding children under 13 from registering.

The second was the mass-shooting in Buffalo, in neighboring New York. The perpetrator used Discord as his personal diary in the lead-up to the attack and livestreamed the carnage directly to the chat and video app. (The footage was quickly removed.)

“These companies have consistently, knowingly, put profit ahead of the interest and well-being of our children,” Platkin says.

The AG’s office claims in the lawsuit that Discord violated the state’s Consumer Fraud Act. The allegations, which were filed on Thursday morning, turn on a set of policies adopted by Discord to keep children younger than 13 off the platform and to keep teenagers safe from sexual exploitation and violent content. The lawsuit is just the latest in a growing list of litigation from states against major social media firms—litigation that has, thus far, proven fairly ineffective.

Discord’s child and teen safety policies are clear: Children under 13 are forbidden from the messaging app, while it more broadly forbids any sexual interaction with minors, including youth “self-endangerment.” It further has algorithmic filters operating to stop unwanted sexual direct messages. The California-based company’s safety policy, published in 2023, states, “We built Discord to be different and work relentlessly to make it a fun and safe space for teens.”

But New Jersey says “Discord’s promises fell, and continue to fall, flat.”

The attorney general points out that Discord has three levels of safety to prevent youth from unwanted and exploitative messages from adults: “Keep me safe,” where the platform scans all messages into a user’s inbox; “my friends are nice,” where it does not scan messages from friends; and “do not scan,” where it scans no messages.

Even for teenage users, the lawsuit alleges, the platform defaults to “my friends are nice.” The attorney general claims this is an intentional design that represents a threat to younger users. The lawsuit also alleges that Discord is failing by not conducting age verification to prevent children under 13 from signing up for the service.

In 2023, Discord added new filters to detect and block unwanted sexual content, but the AG’s office says the company should have enabled the “keep my safe” option by default.

“Consider me unimpressed by their PR campaign,” Platkin says. He contends that the new features are insufficient and easy to get around, and they are less than what the company has made available to users in other countries. “If you put lipstick on a pig,” he says, “it’s still a pig.”

Discord responded to WIRED's requests for comment after this story was published, writing that the company is “proud” of their efforts to protect children on their platform, and insists that they dispute the claims made in the lawsuit. “Given our engagement with the Attorney General's office, we are surprised by the announcement that New Jersey has filed an action against Discord today,” the statement reads.

“Together, these open design features and default settings make it so that anyone can gain direct, private access to a child user with just a few clicks,” the filings allege. Later, the AG goes further, writing that “Discord promised parents safety but made deliberate choices to design its Application and establish default settings that rendered those promises utterly meaningless.”

The lawsuit lists a half-dozen criminal cases where adults allegedly used Discord to lure and exploited children, including the case of 764, a digital far-right pedophile ring.

The lawsuit proposes several different remedies, including a court injunction requiring that Discord improve its safety features and possible financial penalties if it’s found to be failing to keep its users safe.

While this appears to be the first state-level lawsuit against Discord, a number of private law firms have taken aim at the company on similar grounds. In 2022, the family of a then-11-year-old girl filed a class action lawsuit against Discord, alleging that the platform failed to implement enough safeguards to prevent her exploitation by other users. A similar case was filed in California earlier this year. Both cases are ongoing.

But these lawsuits are growing more and more common: Meta, in particular, is facing two massive lawsuits, led by dozens of states, claiming it harmed its teenage users. A similar lawsuit was filed by a coalition of school boards in the Canadian province of Ontario. The European Union, meanwhile, has crafted a suite of regulations meant to tackle these externalities—but, thus far, it is having trouble getting the American tech giants to comply.

Platkin has filed a number of other lawsuits—most recently against TikTok—in an attempt to force social media giants to improve their child protection measures.

“They can’t knowingly put out a product that’s unsafe for kids,” Platkin says. “I don’t care if you’re a social media company, or an opioid manufacturer or any other company that’s telling the public your product is safe when it’s not. We’re going to hold the company accountable.”

Platkin says he’s hopeful that the Trump administration, which has indicated some willingness to go after major social media companies, is interested in keeping children safe—not just targeting supposed conservative censorship. “Hope springs eternal for me,” Platkin says.

_Updated at 3:05 pm ET: Added comment from Discord._

New Jersey Sues Discord for Allegedly Failing to Protect Children

Massive Blue is helping cops deploy AI-powered social media bots to talk to people they suspect are anything from violent sex criminals all the way to vaguely defined “protesters.”

American police departments near the United States-Mexico border are paying hundreds of thousands of dollars for an unproven and secretive technology that uses AI-generated online personas designed to interact with and collect intelligence on “college protesters,” “radicalized” political activists, and suspected drug and human traffickers, according to internal documents, contracts, and communications that 404 Media obtained via public records requests.

Massive Blue, the New York–based company that is selling police departments this technology, calls its product Overwatch, which it markets as an “AI-powered force multiplier for public safety” that “deploys lifelike virtual agents, which infiltrate and engage criminal networks across various channels.” According to a presentation obtained by 404 Media, Massive Blue is offering cops these virtual personas that can be deployed across the internet with the express purpose of interacting with suspects over text messages and social media.

Massive Blue lists “border security,” “school safety,” and stopping “human trafficking” among Overwatch’s use cases. The technology—which as of last summer had not led to any known arrests—demonstrates the types of social media monitoring and undercover tools private companies are pitching to police and border agents. Concerns about tools like Massive Blue have taken on new urgency considering that the Trump administration has revoked the visas of hundreds of students, many of whom have protested against Israel’s war in Gaza.

404 Media obtained a presentation showing some of these AI characters. These include a “radicalized AI” “protest persona,” which poses as a 36-year-old divorced woman who is lonely, has no children, is interested in baking, activism, and “body positivity.” Another AI persona in the presentation is described as a “‘Honeypot’ AI Persona.” Her backstory says she’s a 25-year-old from Dearborn, Michigan, whose parents emigrated from Yemen and who speaks the Sanaani dialect of Arabic. The presentation also says she uses various social media apps, that she’s on Telegram and Signal, and that she has US and international SMS capabilities. Other personas are a 14-year-old boy “child trafficking AI persona,” an “AI pimp persona,” “college protestor,” “external recruiter for protests,” “escorts,” and “juveniles.”

One example of an AI persona created by Massive Blue’s Overwatch tool. The company adds backstories for many of its AI personas, in an apparent attempt to make them appear more realistic.

Courtesy of Massive Blue/Texas Department of Public Safety

Our reporting shows that cops are paying a company to help them deploy AI-powered bots across social media and the internet to talk to people they suspect are anything from violent sex criminals all the way to vaguely defined “protestors” with the hopes of generating evidence that can be used against them.

“This idea of having an AI pretending to be somebody, a youth looking for pedophiles to talk online, or somebody who is a fake terrorist, is an idea that goes back a long time,” Dave Maass, who studies border surveillance technologies for the Electronic Frontier Foundation, told 404 Media. “The problem with all these things is that these are ill-defined problems. What problem are they actually trying to solve? One version of the AI persona is an escort. I’m not concerned about escorts. I’m not concerned about college protesters. So like, what is it effective at, violating protesters’ First Amendment rights?”

Massive Blue has signed a $360,000 contract with Pinal County, Arizona, which is between Tucson and Phoenix. The county is paying for the contract with an anti-human trafficking grant from the Arizona Department of Public Safety. A Pinal County purchasing division report states that it has bought “24/7 monitoring of numerous web and social media platforms” and “development, deployment, monitoring, and reporting on a virtual task force of up to 50 AI personas across 3 investigative categories.” Yuma County, in southwestern Arizona, meanwhile, signed a $10,000 contract to try Massive Blue in 2023 but did not renew the contract. A spokesperson for the Yuma County Sheriff’s Office told 404 Media “it did not meet our needs.”

This image from a Massive Blue presentation for police departments shows how the company's RADAR program uses AI personas to provide law enforcement with “intelligence reports.”

Courtesy of Massive Blue/Texas Department of Public Safety

Massive Blue cofounder Mike McGraw did not answer a series of specific questions from 404 Media about how Massive Blue works, what police departments it works with, and whether it had been used to generate any arrests. “We are proud of the work we do to support the investigation and prosecution of human traffickers,” McGraw said. “Our primary goal is to help bring these criminals to justice while helping victims who otherwise would remain trafficked. We cannot risk jeopardizing these investigations and putting victims’ lives in further danger by disclosing proprietary information.”

The Pinal County Sheriff’s Office told 404 Media that Massive Blue has not thus far been used for any arrests.

“Our investigations are still underway. Massive Blue is one component of support in these investigations, which are still active and ongoing. No arrests have been made yet,” Sam Salzwedel, Pinal County Sheriff's Office public information officer, told 404 Media. “It takes a multifaceted approach to disrupting human traffickers, narcotics traffickers, and other criminals. Massive Blue has been a valuable partner in these initiatives and has produced leads that detectives are actively pursuing. Given these are ongoing investigations, we cannot risk compromising our investigative efforts by providing specifics about any personas.”

Salzwedel added, “Massive Blue is not working on any immigration cases. Our agency does not enforce immigration law. Massive Blue’s support is focused on the areas of human trafficking, narcotics trafficking, and other investigations.”

Law enforcement agencies have taken steps to prevent specifics about what Massive Blue is and how it works from becoming public. At public appropriations hearings in Pinal County about the Massive Blue contract, the sheriff’s office refused to tell county council members about what the product even is. Matthew Thomas, Pinal County Deputy Sheriff, told the county council he “can’t get into great detail” about what Massive Blue is and that doing so would “tip our hand to the bad guys.”

The Arizona Department of Public Safety said, “From what we can ascertain, Pinal County planned to implement technology to help identify and solve human trafficking cases, and that is what we funded,” but was unaware of any of the specifics of Overwatch.

While the documents don’t describe every technical aspect of how Overwatch works, they do give a high-level overview of what it is. The company describes a tool that uses AI-generated images and text to create social media profiles that can interact with suspected drug traffickers, human traffickers, and gun traffickers. After Overwatch scans open social media channels for potential suspects, these AI personas can also communicate with suspects over text, Discord, and other messaging services. The documents we obtained don’t explain how Massive Blue determines who is a potential suspect based on their social media activity. Salzwedel, of Pinal County, said “Massive Blue’s solutions crawl multiple areas of the Internet, and social media outlets are just one component. We cannot disclose any further information to preserve the integrity of our investigations.”

One slide in the Massive Blue presentation obtained by 404 Media gives the example of a “Child Trafficking AI Persona” called Jason. The presentation gives a short “backstory” for the persona, which says Jason is a 14-year-old boy from Los Angeles whose parents emigrated from Ecuador. He’s bilingual and an only child, and his hobbies include anime and gaming. The presentation describes his personality as shy and that he has difficulty interacting with girls. It also says that his parents don’t allow him to use social media and that he hides his use of Discord from them. This AI persona is also accompanied by an AI-generated image of a boy.

Another example of an AI-generated persona, along with a sample of chats showing how the AI personas interact with targeted suspects.

Courtesy of Massive Blue/Texas Department of Public Safety

The presentation includes a conversation between this AI persona and what appears to be a predatory adult over text messages and Discord.

“Your parents around? Or you getting some awesome alone time,” a text from the adult says.

“Js chillin by myself, man. My momz @ work n my dadz outta town. So itz jus me n my vid games. 🎮,” Jason, the AI-generated child, responds.

In another example of how the “highly adaptable personas” can communicate with real people, the presentation shows a conversation between Clip, an “AI pimp persona,” and what appears to be a sex worker.

“Dem tricks trippin 2nite tryin not pay,” the sex worker says.

“Facts, baby. Ain’t lettin’ these tricks slide,” the Clip persona replies. “You stand your ground and make ’em pay what they owe. Daddy got your back, ain’t let nobody disrespect our grind. Keep hustlin’, ma, we gonna secure that bag💰💪✨”

A list from Massive Blue's presentation showing the types of “highly customizable” personas Overwatch can generate.

Courtesy of Massive Blue/Texas Department of Public Safety

“The continuous evolution of operational, communication & recruitment tactics by bad actors drives exponential increases of threats and significant challenges in reducing demand,” says a one-page brochure provided to police departments that explains Overwatch’s functionality. “The Overwatch platform harnesses the power of AI & blockchain to scale your impact without operational or technical overhead.”

Jorge Brignoni took notes for the Cochise County, Arizona, Sheriff’s Office at a meeting with Massive Blue in August 2023, which 404 Media obtained. In the notes, he wrote that Overwatch does “passive engagement, then active engagement, towards commitment” with a “Bad Actor, Predator, DTO,” or drug trafficking organization. These targets are then “HAND\[ed\] OFF to L.E. \[law enforcement\] to arrest, indict, convict.”

“Why is he talking about converting folks into ‘buying something,’” Brignoni wrote. “So dumb. Talk about the widget, not how you’re selling the widget to L.E.”

According to Brignoni’s notes, in addition to collecting intelligence via these AI personas, Overwatch also leverages “Telco & Geo Data” and “Blockchain Data” in the form of “full transaction history, top associated wallet IDs, sending & receiving cryptocurrency, potential off-ramps (Exchange names).” The Cochise County Sheriff’s Office ultimately did not buy Massive Blue and did not provide answers to 404 Media’s questions about its meeting with the company.

Besides scanning social media and engaging suspects with AI personas, the presentation says that Overwatch can use generative AI to create “proof of life” images of a person holding a sign with a username and date written on it in pen.

A variety of AI-generated images of Massive Blue's personas, which are made to look realistic in an attempt to fool targets.

Courtesy of Massive Blue/Texas Department of Public Safety

The Massive Blue presentation gives an example of an “Overwatch Recon Report” based on “24 hours of activity across Dallas, Houston, and Austin.” It claims that Overwatch identified 3,266 unique human traffickers, 25 percent of which were affiliated with “larger sophisticated trafficking organizations” and 15 percent of which were flagged as “potential juvenile traffickers.” 404 Media was not able to verify what these accounts were and whether they actually engaged in any criminal activity, and Massive Blue didn’t respond to questions about what these accounts were and how exactly it identified them.

On top of the ongoing contract with the Pinal County Sheriff’s Office and the pilot with the Yuma County Sheriff’s Department last year, Massive Blue has pitched its services to Cochise County in Arizona and the Texas Department of Public Safety, according to documents obtained as part of this investigation.

In September 2023, Yuma County set up a meeting that was going to include federal law enforcement, but Massive Blue had to cancel the meeting: “That’s unfortunate, we had federal agents here that focus on human trafficking ready to go,” a Yuma County sergeant wrote in an email to Massive Blue CEO Brian Haley after Haley canceled the meeting.

Much of Massive Blue’s public-facing activity has been through its executive director of public safety, Chris Clem, who is a former US Customs and Border Protection agent who testified before Congress about border security last year and regularly appears on Fox News and other media outlets to discuss immigration and the border. In recent months, Clem has posted images of himself on LinkedIn at the border and with prominent Trump administration members Tulsi Gabbard and Robert F. Kennedy Jr. Massive Blue has also relied on former Kansas City Chiefs kicker Nick Lowery to introduce and endorse Overwatch to police departments.

Clem and Lowery have spoken most extensively publicly about Overwatch, where they have described it as an amorphous “cyberwall” that can do everything from stopping human traffickers to preventing hackers from breaking into 401(k) accounts to taking money back from hackers who have stolen from you, though they provide no specifics about how that would work.

In a two-and-a-half-hour interview with podcaster Theo Von, Clem said, “My company Massive Blue, we basically use deep tech to identify the habits and process of you know, look, I worked on a physical wall, now we’ve created a cyberwall,” adding that he believed it would “save lives.”

Von asked, “OK, but how does your company do that?”

“Well, I’m not going to get into that too much,” Clem responded, adding that he is trying to sell the technology to US Border Patrol.

More examples of Massive Blue's AI personas, which include a “child trafficking AI persona,” an “AI pimp persona,” “college protestor,” “external recruiter for protests,” “escorts,” and “juveniles.”

Courtesy of Massive Blue/Texas Department of Public Safety

On June 5, a Pinal County Board of Supervisors meeting was asked to approve a $500,000 contract between the county and Massive Blue in order to license Overwatch.

“I was looking at the website for Massive Blue, and it’s a one-pager with no additional information and no links,” Kevin Cavanaugh, the then-supervisor for District 1, said to Pinal County’s Chief Deputy at the Sheriff’s Office, Matthew Thomas. “They produce software that we buy, and it does what? Can you explain that to us?”

“I can’t get into great detail because it’s essentially trade secrets, and I don’t want to tip our hand to the bad guys,” Thomas said. “But what I can tell you is that the software is designed to help our investigators look for and find and build a case on human trafficking, drug trafficking, and gun trafficking.”

Cavanaugh said at the board meeting that the basic information he got is that Massive Blue uses “50 AI bots.” He then asked whether the software has been successful and if it helped law enforcement make any arrests. Thomas explained they have not made any arrests yet because they’ve only seen the proof of concept, but that the proof of concept was “good enough for us and our investigators to move forward with this. Once this gets approved and we get them \[Massive Blue\] under contract, then we are going to move forward with prosecution of cases.”

Cavanaugh asked if Overwatch is used in other counties, which prompted Thomas to invite Clem to the podium to speak. Clem introduced himself as a recently retired border agent and said that Massive Blue is currently in negotiations with three counties in Arizona, including Pinal County.

“As a resident of 14 years of Pinal County I know what’s happening here,” Clem said to the Board of Supervisors. “To be able \[to\] use this program \[...\] to provide all the necessary information to go after the online exploitation of children, trafficking victims, and all the other verticals that the sheriff may want to go after.”

Cavanaugh again asked if Massive Blue gathered any data that led to arrests.

“We have not made arrests yet, but there is a current investigation right now regarding arson, and we got the leads to the investigators,” Clem said, explaining that the program has been active for only about six months. “Investigations take time, but we’ve been able to generate the necessary leads for the particular counties that we’re involved with and also in the private sector.”

The Pinal County Board of Supervisors concluded the exchange by approving payment for a handful of other, unrelated projects, but with board members asking to delay the vote on payment for Massive Blue “for further study.”

The decision not to fund Massive Blue that day was covered in a local newspaper. Cavanaugh told the paper that he asked the company to meet with supervisors to explain the merits of the software.

“The State of Arizona has provided a grant, but grant money is taxpayer money. No matter the source of the funding, fighting human and sex trafficking is too important to risk half a million dollars on unproven technology,” he said. “If the company demonstrates that it can deliver evidence to arrest human traffickers, it may be worthwhile. However, it has yet to achieve this goal.”

404 Media’s public record requests yielded several emails from Cavanaugh’s office to IT professionals and other companies that provide AI products to law enforcement, asking them if they’re familiar with Massive Blue. We don’t know what was said in those meetings, or if they occurred, but when the Pinal County Board of Supervisors convened again on June 19 it voted to pay for Massive Blue’s Overwatch without further discussion.

“Supervisor \[Cavanaugh\] ultimately voted for the agreement because Massive Blue is alleged to be in pursuit of human trafficking, a noble goal,” a representative from Cavanaugh’s office told 404 Media in an email. “A major concern regarding the use of the application, is that the government should not be monitoring each and every citizen. To his knowledge, no arrests have been made to date as a result of the use of the application. If Overwatch is used to bring about arrests of human traffickers, then the program should continue. However, if it is just being used to collect surveillance on law-abiding citizens and is not leading to any arrests, then the program needs to be discontinued.”

In an August 7, 2024, Board of Supervisors meeting, Cavanaugh asked then-Pinal County Sheriff Mark Lamb for an update on Massive Blue. “So they have not produced any results? They’ve produced no leads? No evidence that is actionable?” Cavanaugh asked. “That would be public knowledge, that would be public information.”

“I think there’s a lot of ongoing investigations that they’re not going to give you information on, and we’re not going to give you information on,” Lamb said.

Source

Wired