Privacy and security are an Apple selling point. But the DOJ’s new antitrust lawsuit argues that Apple selectively embraces privacy and security features in ways that hurt competition—and users.

For well over a decade, Apple has been praised by privacy advocates for its decision in 2011 to end-to-end encrypt iMessage, securing users' communications on the default texting app for all its devices so thoroughly that even Apple itself can't read their messages. This was years before WhatsApp switched on end-to-end encryption in 2016, and before Signal—now widely considered the most private end-to-end encrypted messaging platform—even existed, Apple quietly led the way with that security feature, baking it into a core piece of the Apple ecosystem.

So it's ironic that the US Department of Justice has now hit Apple with a landmark antitrust lawsuit, alleging that it has sought for years to monopolize the smartphone market and gravely harmed consumers in the process, iMessage's end-to-end encryption has become Exhibit A for an argument about Apple's privacy hypocrisy—that Apple's allegedly anticompetitive practices have denied users not only better prices, features, and innovation, but also better digital security.

In its sweeping antitrust lawsuit, the DOJ on Thursday laid out a broad set of allegations against Apple, accusing it of monopolistic practices in how it uses its walled-garden operating systems and app stores to deprive consumers of apps and services that might make it easier for them to wean themselves from their Apple addictions—keeping out of the App Store so-called super apps with cross-platform, broad functionality; limiting streaming and cloud-based applications; and handicapping the functionality of competitors' devices like smartwatches.

The DOJ's complaint also homes in on Apple's approach to security and privacy, arguing that it uses those principles as an excuse for its anticompetitive practices, yet jettisons them whenever they might hurt the bottom line. “In the end, Apple deploys privacy and security justifications as an elastic shield that can stretch or contract to serve Apple’s financial and business interests,” the complaint reads.

“I definitely think that Apple has strategically used privacy and security in ways that benefit its business,” says Caitlin Chin-Rothmann, a research fellow at the Center for Strategic & International Studies (CSIS) who focuses on technology policy. “Apple has taken some steps to improve end-to-end encryption in iMessage, for example, but it hasn’t extended that to iPhone users that text Android users or iPhone users that don’t use iMessage.”

In its privacy and security arguments, the DOJ faults Apple for decisions like its deal with Google to make Google's search engine the default on Apple products, rather than a more privacy-preserving alternative, or allowing data-harvesting apps into its App Store. But it repeatedly returns to iMessage as perhaps the clearest example of how Apple's anticompetitive practices directly harm users security. The DOJ argues that by refusing to allow users of other smartphone platforms like Android to use its end-to-end encryption iMessage protocol, it has significantly reduced the overall security of messaging worldwide, both for those Android users and for the Apple users who communicate with them.

“Text messages sent from iPhones to Android phones are unencrypted as a result of Apple’s conduct,” the complaint reads. “If Apple wanted to, Apple could allow iPhone users to send encrypted messages to Android users while still using iMessage on their iPhone, which would instantly improve the privacy and security of iPhone and other smartphone users.”

The argument is one that some Apple critics have made for years, as spelled out in an essay in January by Cory Doctorow, the science fiction writer, tech critic, and coauthor of _Chokepoint Capitalism_. “The instant an Android user is added to a chat or group chat, the entire conversation flips to SMS, an insecure, trivially hacked privacy nightmare that debuted 38 years ago—the year _Wayne's World_ had its first cinematic run,” Doctorow writes. “Apple's answer to this is grimly hilarious. The company's position is that if you want to have real security in your communications, you should buy your friends iPhones.”

In a statement to WIRED, Apple says it designs its products to “work seamlessly together, protect people’s privacy and security, and create a magical experience for our users,” and it adds that the DOJ lawsuit “threatens who we are and the principles that set Apple products apart” in the marketplace. The company also says it hasn't released an Android version of iMessage because it couldn't ensure that third parties would implement it in ways that met the company's standards.

“If successful, \[the lawsuit\] would hinder our ability to create the kind of technology people expect from Apple—where hardware, software, and services intersect,” the statement continues. “It would also set a dangerous precedent, empowering government to take a heavy hand in designing people’s technology. We believe this lawsuit is wrong on the facts and the law, and we will vigorously defend against it.”

Apple has, in fact, not only declined to build iMessage clients for Android or other non-Apple devices, but actively fought against those who have. Last year, a service called Beeper launched with the promise of bringing iMessage to Android users. Apple responded by tweaking its iMessage service to break Beeper's functionality, and the startup called it quits in December.

Apple argued in that case that Beeper had harmed users' security—in fact, it did compromise iMessage's end-to-end encryption by decrypting and then re-encrypting messages on a Beeper server, though Beeper had vowed to change that in future updates. Beeper cofounder Eric Migicovsky argued that Apple's heavyhanded move to reduce Apple-to-Android texts to traditional text messaging was hardly a more secure alternative.

“It’s kind of crazy that we’re now in 2024 and there still isn't an easy, encrypted, high-quality way for something as simple as a text between an iPhone and an Android,” Migicovsky told WIRED in January. “I think Apple reacted in a really awkward, weird way—arguing that Beeper Mini threatened the security and privacy of iMessage users, when in reality, the truth is the exact opposite.”

Even as Apple has faced accusations of hoarding iMessage's security properties to the detriment of smartphone owners worldwide, it's only continued to improve those features: In February it upgraded iMessage to use new cryptographic algorithms designed to be immune to quantum codebreaking, and last October it added Contact Key Verification, a feature designed to prevent man-in-the-middle attacks that spoof intended contacts to intercept messages. Perhaps more importantly, it's said it will adopt the RCS standard to allow for improvements in messaging with Android users—although the company did not say whether those improvements would include end-to-end encryption.

Even as it makes those advances in iMessage's security and privacy, Apple has rarely touted them in its public-facing marketing, points out Nadim Kobeissi, a cryptographer focused on secure messaging and the director of the cryptography consultancy Symbolic Software, and has actively contributed to public, nonproprietary security products. He argues that this deflates any argument the DOJ might make that Apple has intentionally hoarded security features as a competitive advantage.

Instead, Kobeissi says that the security gap is a byproduct of Apple's attempt to preserve the exclusivity of more visibly integrated and fun social features—reactions, FaceTime, coveted blue bubbles—while also conscientiously maintaining the product's security. “It’s not a security question, it's a societal question about the openness of communication platforms,” Kobeissi says. He points out that people who are aware of iMessage's security advantages are also aware of other end-to-end encrypted messaging options like WhatsApp and Signal.

Apple critics like Doctorow and Migicovsky both point out, however, that iMessage is deeply integrated in Apple devices as their default messaging app, and thus will always be used on those devices far more often than Signal or WhatsApp. “Defaults matter,” Doctorow says, pointing out that Google pays Apple a fortune for the right to make Google the default search engine on its devices. “Apple makes \[nearly\] $20 billion a year off the proposition that a click away is a click too far.”

Even if Apple's security features are good for its customers, “Apple’s size does matter” because it gives the company power over the broader market in ways that smaller technology companies cannot, regardless of whether they market their security and privacy features to beat out the competition, says CSIS's Chin-Rothmann. The question, ultimately, is whether people should be relying on technology giants like Apple to set the standards for privacy and security at all. She points out that comprehensive data privacy legislation that ensures minimum security requirements for software might well be a better approach than depending entirely on the private sector to decide who gets privacy—and who is denied it.

“If Congress or the US government really wants to increase privacy and security," Chin-Rothmann says, “we really should take these decisions out of the hands of massive technology companies like Apple.”

Apple's iMessage Encryption Puts Its Security Practices in the DOJ's Crosshairs

The company behind the Saflok-brand door locks is offering a fix, but it may take months or years to reach some hotels.

When thousands of security researchers descend on Las Vegas every August for what's come to be known as “hacker summer camp,” the back-to-back Black Hat and Defcon hacker conferences, it's a given that some of them will experiment with hacking the infrastructure of Vegas itself, the city's elaborate array of casino and hospitality technology. But at one private event in 2022, a select group of researchers were actually _invited_ to hack a Vegas hotel room, competing in a suite crowded with their laptops and cans of Red Bull to find digital vulnerabilities in every one of the room's gadgets, from its TV to its bedside VoIP phone.

One team of hackers spent those days focused on the lock on the room's door, perhaps its most sensitive piece of technology of all. Now, more than a year and a half later, they're finally bringing to light the results of that work: a technique they discovered that would allow an intruder to open any of millions of hotel rooms worldwide in seconds, with just two taps.

Today, Ian Carroll, Lennert Wouters, and a team of other security researchers are revealing a hotel keycard hacking technique they call Unsaflok. The technique is a collection of security vulnerabilities that would allow a hacker to almost instantly open several models of Saflok-brand RFID-based keycard locks sold by the Swiss lock maker Dormakaba. The Saflok systems are installed on 3 million doors worldwide, inside 13,000 properties in 131 countries.

By exploiting weaknesses in both Dormakaba's encryption and the underlying RFID system Dormakaba uses, known as MIFARE Classic, Carroll and Wouters have demonstrated just how easily they can open a Saflok keycard lock. Their technique starts with obtaining any keycard from a target hotel—say, by booking a room there or grabbing a keycard out of a box of used ones—then reading a certain code from that card with a $300 RFID read-write device, and finally writing two keycards of their own. When they merely tap those two cards on a lock, the first rewrites a certain piece of the lock's data, and the second opens it.

“Two quick taps and we open the door,” says Wouters, a researcher in the Computer Security and Industrial Cryptography group at the KU Leuven University in Belgium. “And that works on every door in the hotel.”

A video of the researchers demonstrating their lock-hacking technique. (The pattern of lights shown on the lock is redacted at one point at the researchers’ request to avoid revealing a detail of their technique they agreed with Dormakaba not to make public.)Video: Ian Carroll

Wouters and Carroll, an independent security researcher and founder of travel website Seats.aero, shared the full technical details of their hacking technique with Dormakaba in November 2022. Dormakaba says that it's been working since early last year to make hotels that use Saflok aware of their security flaws and to help them fix or replace the vulnerable locks. For many of the Saflok systems sold in the last eight years, there's no hardware replacement necessary for each individual lock. Instead, hotels will only need to update or replace the front desk management system and have a technician carry out a relatively quick reprogramming of each lock, door by door.

Wouters and Carroll say they were nonetheless told by Dormakaba that, as of this month, only 36 percent of installed Safloks have been updated. Given that the locks aren't connected to the internet and some older locks will still need a hardware upgrade, they say the full fix will still likely take months longer to roll out, at the very least. Some older installations may take years.

“We have worked closely with our partners to identify and implement an immediate mitigation for this vulnerability, along with a longer-term solution,” Dormakaba wrote to WIRED in a statement, though it declined to detail what that “immediate mitigation” might be. “Our customers and partners all take security very seriously, and we are confident all reasonable steps will be taken to address this matter in a responsible way.”

The technique to hack Dormakaba's locks that Wouters and Carroll's research group discovered involves two distinct kinds of vulnerabilities: One that allows them to write to its keycards, and one that allows them to know _what_ data to write to the cards to successfully trick a Saflok lock into opening. When they analyzed Saflok keycards, they saw that they use the MIFARE Classic RFID system, which has been known for more than a decade to have vulnerabilities that allow hackers to write to keycards, though the brute-force process can take as long as 20 seconds. They then cracked a part of Dormakaba's own encryption system, its so-called key derivation function, which allowed them to write to its cards far faster. With either of those tricks, the researchers could then copy a Saflok keycard at will, but still not generate one for a different room.

The researchers' more crucial step required them to obtain one of the lock programming devices that Dormakaba distributes to hotels, as well as a copy of its front desk software for managing keycards. By reverse engineering that software, they were able to understand all the data stored on the cards, pulling out a hotel property code as well as a code for each individual room, then create their own values and encrypt them just as Dormakaba's system would, allowing them to spoof a working master key that opens any room on the property. “You can make a card that really looks as if it was created by the software from Dormakaba, essentially,” says Wouters.

And how did Carroll and Wouters obtain Dormakaba's front desk software? “We nicely asked a few people,” Wouters says. “Manufacturers assume that no one will sell their equipment on eBay, and that no one will make a copy of their software, and those assumptions, I think everyone knows, are not really valid.”

Once they'd managed all that reverse engineering work, the final version of their attack could be pulled off with little more than a $300 Proxmark RFID read-write device and a couple of blank RFID cards, an Android phone, or a Flipper Zero radio hacking tool.

A Saflok branded lock.

Photograph: Dormakaba

The biggest caveat to the hackers' Unsaflok technique is that it still requires that they have a keycard—even an expired one—for a room somewhere in the same hotel as the room they're targeting. That's because each card has a property-specific code they need to read and then duplicate on their spoofed card, as well as a room-specific one.

Once they have that property code, the technique also requires using an RFID read-write device to write two cards—one card that reprograms a target lock as well as the second spoofed card that unlocks it. (An Android phone or a Flipper Zero could also be used to emit one signal after another instead of the two cards, the researchers say.) The researchers hint that the first card allows them to open a target room without guessing its unique identifier in the hotel's system, but declined to say exactly what that first card does. They're holding that element of the technique in confidence to avoid giving too clear a set of instructions to would-be intruders or thieves.

By contrast, one security researcher presented a similar hotel keycard hack that opened locks sold by the firm Onity at the Black Hat conference in 2012 with no such obfuscation, and allowed any hacker to build a device that opened any of Onity's 10 million locks worldwide. When Onity refused to pay for the hardware upgrades necessary to solve the problem and instead put the onus on its customers, the issue remained unfixed in many hotels—and eventually was exploited in at least one hacker's cross-country burglary spree.

Carroll and Wouters say that they're trying to avoid that scenario by taking a more cautious approach, while still warning the public about their technique, given that hundreds of properties will likely remain vulnerable to it even now that Dormakaba has offered its fix. “We're trying to find the middle ground of helping Dormakaba to fix it quickly, but also telling the guests about it," says Carroll. “If someone else reverse engineers this today and starts exploiting it before people are aware, that might be an even bigger problem.”

To that end, Carroll and Wouters point out that hotel guests can recognize the vulnerable locks most often—but not always—by their distinct design: a round RFID reader with a wavy line cutting through it. They suggest that if hotel guests do have a Saflok on their door, they can determine if it's been updated by checking their keycard with the NFC Taginfo app by NXP, available for iOS or Android. If the lock is manufactured by Dormakaba, and that app shows that the keycard is still a MIFARE Classic card, it's likely still vulnerable.

If that's the case, the two researchers say, there's not much to do other than avoid leaving valuables in the room and, when you're inside, bolt the chain on the door. They warn that the deadbolt on the room is also controlled by the keycard lock, so it doesn't provide an extra safeguard. “If someone locks the deadbolt, they’re still not protected,” says Carroll.

Even without a perfect or fully implemented fix, Wouters and Carroll argue, it's better for hotel guests to know the risks than to have a false sense of security. After all, they point out, the Saflok brand has been sold for more than three decades, and may have been vulnerable for much or all of those years. Though Dormakaba says it's not aware of any past use of Wouters and Carroll's technique, the researchers point out that doesn't mean it never happened in secret.

“We think the vulnerability has been there for a long time,” says Wouters. “It's unlikely that we are the first to find this.”

Hackers Found a Way to Open Any of 3 Million Hotel Keycard Locks in Seconds

Cookie pop-ups now show the number of “partners” that websites may share data with. Here's how many of these third-party companies may get your data from some of the most popular sites online.

Everywhere you go online, you’re being tracked. Almost every time you visit a website, trackers gather data about your browsing and funnel it back into targeted advertising systems, which build up detailed profiles about your interests and make big profits in the process. In some places, you’re tracked more than others.

In a little-noticed change at the end of last year, thousands of websites started being more transparent about how many companies your data is being shared with. In November, those infuriating cookie pop-ups—which ask your permission to collect and share data—began sharing how many advertising “partners” each website is working with, giving a further glimpse of the sprawling advertising ecosystem. For many sites, it’s not pretty.

A WIRED analysis of the top 10,000 most popular websites shows that dozens of sites say they are sharing data with more than 1,000 companies, while thousands of other websites are sharing data with hundreds of firms. Quiz and puzzle website JetPunk tops the pile, listing 1,809 “partners” that may collect personal information, including “browsing behavior or unique IDs.”

More than 20 websites from publisher Dotdash Meredith—including Investopedia.com, People.com, and Allrecipes.com—all say they can share data with 1,609 partners. The newspaper _The Daily Mail_ lists 1,207 partners, while internet speed-monitoring firm Speedtest.net, online medical publisher WebMD, and media outlets Reuters, ESPN, and BuzzFeed all state they can share data with 809 companies. (WIRED, for context, lists 164 partners.) These hundreds of advertising partners include dozens of firms most people have likely never heard of.

“You can always assume all of them are first going to try and disambiguate who you are,” says Midas Nouwens, an associate professor at Aarhus University in Denmark, who has previously built tools to automatically opt out of tracking by cookie pop-ups and helped with the website analysis. The data collected can vary by website, and the cookie pop-ups allow some control over what can be gathered; however, the information can include IP addresses, fingerprinting of devices, and various identifiers. “Once they know that, they might add you to different data sets, or use it for enrichment later when you go to a different site,” Nouwens says.

The online advertising world is a messy, murky space, which can involve networks of companies building profiles of people with the aim of showing you tailored ads the second you open a webpage. For years, strong privacy laws in Europe, such as the GDPR, have resulted in websites showing cookie consent pop-ups that ask for permission to store cookies that collect data on your device. In recent years, studies have shown that cookie pop-ups have included dark patterns, disregarded people’s choices, and are ignored by people. “Every single person we’ve ever observed in user testing doesn't read any of this. They find the fastest way they can to close it out,” says Peter Dolanjski, a product director at privacy-focused search engine and browser DuckDuckGo. “So they end up in a worse privacy state.”

For the website analysis, Nouwens scraped the 10,000 most popular websites and analyzed whether the collected pop-ups mentioned partners and, if so, the number they disclosed. WIRED manually verified all the websites mentioned in this story, visiting each to confirm the number of partners they displayed. We looked at the highest total number of partners within the whole data set, and the highest number of partners for the top 1,000 most popular websites. The process, which is only a snapshot of how websites share data, provides one view of the complex ecosystem. The results can vary depending on where in the world someone visits a website from.

It also only includes websites using just one system to display cookie pop-ups. Many of the world’s biggest websites—think Google, Facebook, and TikTok—use their own cookie pop-ups. However, thousands of websites, including publishers and retailers, use third-party technology, made by consent management platforms (CMPs), to show the pop-ups. These pop-ups largely follow standards from the marketing and advertising group IAB Europe, which details the information that should be included in the cookie pop-ups.

Some of the Most Popular Websites Share Your Data With Over 1,500 Companies

Anonymous, candid reviews made Glassdoor a powerful place to research potential employers. A policy shift requiring users to privately verify their real names is raising privacy concerns.

Using Glassdoor, the site famous for candid employee reviews that break through corporate facades, is less anonymous than it used to be.

In July last year, the company added new social features integrated from Fishbowl, an app for work-related discussions acquired in 2021. Glassdoor has also changed its sign-up process to ask people to disclose their full name, job title, and employer; historically, it had required email addresses, but not names. In tests by WIRED, returning users who didn’t previously provide a full name are prompted to enter one by an impossible-to-dismiss pop-up that says, “Entering your real name is required to verify your profile but other users won't see your name unless you choose to share it.”

Reviews of employers posted to Glassdoor remain anonymous, and people can post in its new discussion channels with only their work titles or employer visible, but the company’s policy of collecting and verifying real names has triggered concern among some users and privacy experts.

Alarm about those changes recently spread on social media, where several people described logging in to old Glassdoor accounts and allegedly finding their names had been added, they say, without their consent. WIRED reviewed emails in which one user was told by a Glassdor support representative that they would not be able to remove their name, and would have to delete their account if they wanted it gone. Glassdoor did not provide comment on these scenarios. When this reporter attempted to delete or change her name from a Glassdoor profile, the site instead provided a link to contact the help center to make changes.

Glassdoor’s help pages say it has to verify identities and employment information to “ensure that our users can engage in authentic, candid conversations with other professionals, coworkers, and company leaders in a safe space.” Having verified identity info on file could also make it more seamless for people to respond to the job ads listed on the platform. But trying to maintain that accuracy comes with a cost.

“You can’t both be verified and anonymous,” says Albert Fox Cahn, founder and executive director of the Surveillance Technology Oversight Project, a pro-privacy organization. “You can’t both be a social network and a confidential reporting space. You can do one of those well, or you can do both of them badly.”

The concerns over Glassdoor’s evolving policies on real names show how confusion can arise when a platform that many people visit only infrequently shifts its business model. Amanda Livingood, Glassdoor’s VP of corporate communications, provided a statement saying that integrating Fishbowl with Glassdoor created a broader set of services that user information is now shared across—a different model to that many people with older Glassdoor accounts signed up for. Fishbowl’s old terms of service state that people who signed up for accounts may have been required to add their names.

“When a user provides information, either during the sign-up process or by uploading a résumé, that information will automatically cross-populate between all Glassdoor services, including our community app Fishbowl,” Livingood says. “When using Glassdoor and Fishbowl, there is always the option to remain anonymous. Users can choose to be fully anonymous or reveal elements of their identity, like company name or job title, while using our community service.” Company help pages say real names and email addresses are used only for “verification purposes _only_.”

Glassdoor has a history of working to keep its users’ identities private, but there are concerns about these identity changes. “Glassdoor has been second to none in defending their user’s First Amendment rights,” says Aaron Mackey, a senior staff attorney with the digital rights group Electronic Frontier Foundation. He represented a Glassdoor user in a case initiated in 2019 when their former employer, cryptocurrency exchange Kraken, attempted to unmask the authors of reviews, alleging that former workers had violated severance agreements with their posts. (The parties settled and the subpoena was withdrawn in 2020).

The current terms, Mackey says, are a big shift. “This is concerning, if the way in which they’re operating their business now creates potential for people to be identified, separate from whether or not they’re sued.”

Glassdoor won name recognition by marketing itself as a place focused on protecting anonymity, but companies with smaller workforces have always had good odds at guessing who wrote a particular review. That might be even easier if managers can also see social channels on Glassdoor where people are posting with their real names, indicating which workers have accounts on the site. People unaccustomed to thinking about their online footprint could inadvertently leave big clues, for example, by posting anonymously and then less covertly at the same time.

Glassdoor’s terms cite the risk. “You acknowledge that Glassdoor cannot guarantee your anonymity,” as a company or department’s size, the content posted, and the user’s location may allow employers’ to infer who left a review, the document says. “You should understand this risk before submitting Content to the services.”

**Social Pivot**

Glassdoor’s acquisition of Fishbowl in 2021 united two platforms that lured users by hosting relatively unfiltered discussions of work, a place to pick up the kind of gossip more often shared in person. Together they had offered a counterweight to LinkedIn, which relies on people using their full identities and often results in rose-tinted, overly congratulatory, and sometimes downright cringey posts about work.

Glassdoor is owned by Recruit Holdings, which also owns Indeed. Indeed and Glassdoor profit from advertising open jobs. Some 55 million people visit Glassdoor every month, according to the company. Verifying profiles could help prevent trolls from posting fake information about companies and misleading those seeking an insider’s view—all of which erode trust with other users.

Changing policies on names and verification can erode trust, too. If Glassdoor isn’t so anonymous, it may change how some of those users engage. The recent social media discussion inspired some people to try and delete their accounts.

Tracking the evolution of Glassdoor’s terms of service shows how its commitments to users changed as it began to add new social features. The company consolidated its terms with Fishbowl between December 2022 and January 2023, months before the company announced the new discussion channels on Glassdoor.

Some of the changes to the terms added information about how users are verified, as well as how they can be anonymous across services. Glassdoor’s terms of use state that the company may use information obtained from third parties to update profiles, along with personal data provided on résumés or elsewhere on its services. It may also attempt to verify employment history.

Glassdoor’s approach is very different from that of Blind, a younger, competing forum where people discuss work. It requires an email to sign up, and a work email to access certain features, but says that it does not store email addresses, and that activity on the site cannot be linked back to a person’s email. Blind does not require real names to use its services, but employers could potentially know an employee signed up by seeing they received a verification code at a company email address.

Glassdoor calls its community aspects a “verified network,” requiring people to confirm their identity, including name, job title, industry, company, and active email address or social network to gain access to all of the Glassdoor services. (It also recommends handing over both work and personal email addresses, as well as a phone number.) On a page updated in December, Glassdoor says it uses a “proprietary verification process” to validate accounts, along with confirming emails or an active profile from another social network.

The company’s help pages also say, “We don’t allow anyone, including employers, to access the identity of anonymous posts.”

But Glassdoor’s pages add a caveat: “Considering the reality of our digital age, we're unable to fully confirm our users' identities, the truthfulness of their contributions, or their employment status.”

Glassdoor Wants to Know Your Real Name

Plus: The operator of a dark-web cryptocurrency “mixing” service is found guilty, and a US senator reveals that popular safes contain secret backdoors.

How do you know the internet has a deepfake porn problem? Just look at copyright takedown requests. WIRED found this week that Google is receiving thousands of Digital Millennium Copyright Act complaints for deepfake nudes, most of which are published by just a handful of websites. Experts say the deluge of DMCA takedown requests is evidence that Google should delist the offending sites from search. In Texas, meanwhile, a federal court upheld the state’s age-verification requirements for porn sites, which could lead to even more lawsuits.

In a win for privacy advocates, Airbnb announced on Monday that it will ban the use of indoor security cameras at short-term rental properties around the world. The ban extends to outdoor areas where there is a “greater expectation of privacy,” such as saunas or outdoor showers. The company has long banned the use of hidden cameras and required hosts to tell guests where it has security cameras installed. Hosts who violate the security cam ban could have their properties removed from Airbnb.

Cryptocurrency firm Binance’s troubles have gone from bad to downright scary. Two of the company's executives—Tigran Gambaryan, a former financial crimes investigator for the IRS, and UK-based government affairs specialist Nadeem Anjarwalla, have been held for weeks by Nigeria’s government amid its broader crackdown on cryptocurrency. Neither man has been charged with any crime, and their families are asking the US and UK governments for help securing their release.

In case you’re wondering: No, the US government isn’t hiding evidence of aliens, according to a new Pentagon report. But it sure seems to be hiding _something_, raising more questions about what’s out there if that thing isn’t UFOs. Elsewhere in the world of government secrets, the US House Intelligence Committee chair recently held a closed-door meeting in which he urged lawmakers to block privacy reforms to a major US surveillance program by citing how it could be used to surveil US-based protesters, further raising civil liberties concerns. Congress’ efforts to renew that program, known as Section 702, remain ongoing.

Donald Trump this week earned enough delegates in the 2024 Republican primary to officially win the party’s nomination. If Trump does win another term in the White House, experts fear he could use a slate of “emergency powers” to carry out an authoritarian agenda—and there’s little the other branches of government could do to stop him.

Finally, reporters at _Der Spiegel_, Recorder, _The_ _Washington Post_, and WIRED collaborated on an investigation into a global network of violent predators who use major platforms like Discord, Telegram, and even Roblox to target children and extort them into committing horrific acts of abuse—or worse.

And that’s not all. Each week, we round up the security news we didn’t cover in-depth ourselves. Click the headlines to read the full stories, and stay safe out there.

Insurance companies have long offered discounts to drivers who'll carry GPS devices or download smartphone apps that track their driving habits. But when wary drivers refuse, insurers find other ways of monitoring their driving. Data brokers like LexisNexus are buying people's car data directly from manufacturers, such as General Motors, which are making a killing by selling it off. This data is then used to create “risk” scores for individual drivers, which insurance providers use to set premiums. The businesses claim the data-sharing is consensual, but most drivers have no idea what's happening. Drivers whose risk scores are shared with insurance providers often see their monthly insurance payments skyrocket.

**The Bitcoin Fog Case Ends in a Guilty Verdict**

The operator of a darknet cryptocurrency “mixing” service called Bitcoin Fog faces a maximum of 20 years in prison after his conviction this week by a federal jury in Washington, DC. Roman Sterlingov, 35, ran Bitcoin Fog between 2011 and 2021, moving roughly $400 million worth of currency, much of which, prosecutors say, was tied to narcotics, identity theft, and cybercrime. Sterlingov had denied founding Bitcoin Fog in interviews with WIRED; however, the US Justice Department countered that claim in court with blockchain analysis and a trial of financial paperwork.

**Popular Safes Contain Secret Backdoors**

Two commercial safe makers have been called out for installing backdoors in their safes, according to a letter by Ron Wyden, a US senator from Oregon. The reset codes are one reason the Department of Defense has banned the safes from being used inside the US government. Knowledge of the codes, which Wyden says leaves consumers vulnerable to criminals and spies, was made public through a letter he wrote to the National Counterintelligence and Security Center. In it, he asks the agency to issue an alert, warning Americans about the risks posed by the safes.

Automakers Are Telling Your Insurance Company How You Really Drive

For months, US lawmakers have examined every side of a historic surveillance debate. With the introduction of the SAFE Act, all that’s left to do now is vote.

A bill introduced by senators Dick Durbin and Mike Lee to reauthorize the Section 702 surveillance program is the fifth introduced in the US Congress this winter. The authority is threatening to expire in a month, disrupting a global wiretapping program said to inform a third of articles in the President’s Daily Briefing—a morning “tour d’horizon” of US spies’ top concerns.

But the stakes aren't exactly so clear. With or without Congress, the Biden administration is seeking court approval to extend the 702 program into 2025. From the moment US representative Mike Johnson assumed the House speakership, he’s been unable to orchestrate a vote on the program. Outgunned most recently by Mike Turner, the chairman of the House Intelligence Committee, Johnson was forced to kill a vote after a month of negotiations.

This, even though Congress can essentially agree on one thing if nothing else: that the 702 program is vital to the national defense and that it can’t be allowed to expire. Johnson has, once again, vowed to hold a vote on the matter, this time after Easter. And historically, this is where things have begun to fall apart.

The biggest hurdle to reauthorizing the program is a dispute between lawmakers over whether the government should get search warrants before looking up Americans using 702, a massive wiretap database full of millions of email, voice, and text conversations intercepted by spies.

The Durbin-Lee bill contains tweaks designed, its authors say, to meet the Biden administration halfway. While all the legislation up to this point has wrestled over the title of “reform bill,” Durbin’s has set its sights on an idea far more defensible: The Security and Freedom Enhancement (SAFE) Act, he says, is a “bill of compromise.”

Unlike other reform bills, the SAFE Act would _not_ require the FBI to obtain a warrant to find out if the 702 database contains an American’s communications. Only if the search produces results would investigators need a warrant, and only if they wanted to read what the messages say.

Without going to court, investigators could learn whether the communications they’re after exist, whether the person they’re looking at communicated with any foreigners under US surveillance, and when exactly those conversations took place. As it’s generally trivial for law enforcement to obtain these kinds of records anyway, this is a compromise that doesn’t serve up a major loss for lawmakers on the side of reform.

The tweak will add to the difficulty the FBI is having convincing lawmakers that warrants will hinder investigations or destroy the program altogether. “This narrow warrant requirement is carefully crafted to ensure that it is feasible to implement,” Durbin says, “and sufficiently flexible to accommodate legitimate security needs.”

“There is little doubt that Section 702 is a valuable national security tool,” adds Durbin, but the program sweeps up “massive amounts of Americans’ communications.”

“Even after implementing compliance measures, the FBI still conducted more than 200,000 warrantless searches of Americans’ communications in just one year—more than 500 warrantless searches per day,” he says.

The SAFE Act contains the same menu of emergency exceptions that members of the House Judiciary Committee offered up in previously introduced legislation. The exceptions would allow the FBI to ignore the warrant requirements during emergencies, such as people faced with imminent harm or death. The bureau can search the database at will using “known threat signatures” linked to cybercrimes as well, a carve-out designed to help the FBI dodge legal red tape while mitigating harm from malicious software.

While the possibility looms that the Foreign Intelligence Surveillance Court (FISC) will approve the Biden administration’s request, extending the 702 program into 2025 on its own, it's an outcome that all sides seem eager to avoid—improvising a way to prolong a hotly debated surveillance program being a bad look for nearly everyone involved.

One of the program’s core tenets, according to a “fact sheet” distributed by the Office of the Director of National Intelligence (ODNI) this year, reflects the bargain it strikes between the government and the public: US spies are to receive an “invaluable source of intelligence on foreigners located outside the US.” Americans get in return “robust civil liberties and privacy safeguards, overseen by all three branches of government.”

If Congress had meant, in 2018, to reauthorize the 702 program for seven years rather than six, its members wouldn’t have found out last week. Allowing the program to carry on without a mandate from Congress—with nothing but a green light from a secret court—is a legacy of dysfunction that most members aren’t eager to carry, and one that the intelligence community may also come to resent, as people start to question the integrity of its oversight.

“Although the legislation does not include every reform we have called for, it is a thoughtful compromise that would meaningfully restore privacy in the United States,” says Sean Vitka, policy director at Demand Progress, a digital rights nonprofit.

“An overwhelming number of Americans from across the political spectrum want Congress to seize this once-in-a-generation moment and get this done.”

Sinking Section 702 Wiretap Program Offered One Last Lifeboat

Every US president has the ability to invoke “emergency powers” that could give an authoritarian leader the ability to censor the internet, restrict travel, and more.

Donald Trump appears to dream of being an American authoritarian should he return to office. The former US president, who on Tuesday secured enough delegates to win the 2024 Republican nomination, plans to deport millions of undocumented immigrants and house scores of them in large camps. He wants to invoke the Insurrection Act to deploy the military in cities across the nation to quell civil unrest. He wants to prosecute his political opponents. There’s an organized and well-funded effort to replace career civil servants in the federal government with Trump loyalists who will do his bidding and help him consolidate power.

What’s also concerning to legal experts, though, are the special powers that would be available to him that have been available to all recent presidents but have not typically been used. Should Trump decide to go full authoritarian, he could utilize what are called “emergency powers” to shut down the internet in certain areas, censor the internet, freeze people’s bank accounts, restrict transportation, and more.

Utilizing laws like the National Emergencies Act, the Communications Act of 1934, and the International Emergency Economic Powers Act (IEEPA), he would be able to wield power in ways this country has never seen. Furthermore, America’s vast surveillance state, which has regularly been abused, could theoretically be abused even further to surveil his perceived political enemies.

“There really aren’t emergency powers relating to surveillance, and that’s because the non-emergency powers are so powerful and give such broad authority to the executive branch. They just don’t need emergency powers for that purpose,” says Elizabeth Goitein, senior director of the Brennan Center for Justice’s Liberty & National Security Program at the New York University School of Law.

Goitein says she worries most about what a president could do with the emergency powers available to them, though, when she considers whether a president might decide to behave like an authoritarian. She says the laws surrounding these powers offer few opportunities for another branch of government to stop a president from doing as they please.

“Emergency powers are meant to give presidents extraordinary authorities for use in extraordinary circumstances. Because they provide these very potent authorities, it is critical that they have checks and balances built into them and safeguards against abuse,” Goitein says. “The problem with our current emergency powers system—and that system comprises a lot of different laws—is that it really lacks those checks and balances.”

Under the National Emergencies Act, for example, the president simply has to declare a national emergency of some kind to activate powers that are contained in more than 130 different provisions of law. What constitutes an actual emergency is not defined by these laws, so Trump could come up with any number of reasons for declaring one, and he couldn’t easily be stopped from abusing this power.

“There's a provision of the Communications Act of 1934 that allows the president to shut down or take over communications facilities in a national emergency. There is a provision that allows the president to exert pretty much unspecified controls over domestic transportation, which could be read extremely broadly,” Goitein says. “There’s IEEPA, which allows the president to freeze the assets of and block financial transactions with anyone, including an American, if the president finds it necessary to address an unusual or extraordinary threat that is emanating at least partly from overseas.”

Goitein says that if someone is targeted using IEEPA, they wouldn’t be allowed to even rent an apartment, buy groceries, or have a job in the US. She says Congress needs to reform these laws before a president decides to abuse them.

You can imagine Trump deciding he wants to shut down the internet, use the military as a police force, and utilize the government’s surveillance powers if a large anti-Trump protest were to occur in one or more cities around the country. This would resemble the tactics authoritarians have used to quash popular resistance in less democratic countries around the globe.

Though the Insurrection Act is not technically an emergency power, because no emergency has to be declared for it to be used, Goitein says she’s deeply concerned about how that law could be utilized.

“It clearly falls into the category of extraordinary powers that are meant for extraordinary circumstances,” Goitein says. “The Insurrection Act gives the president incredibly broad discretion to use federal armed forces as a domestic police force.”

Chris Edelson, an assistant professor of government at the American University, tells WIRED that he worries what Trump might do regardless of what is lawfully allowed.

“I think he will do what he can get away with, and he will make use of whatever tools are available, which could include statutory provisions like the National Emergencies Act, or it could just include acting by fiat. He could just say, ‘I’ll order the government to do whatever I want,’” Edelson says.

If the US Supreme Court were to rule that Trump has overstepped what he’s allowed to do, Edelson says he’s not confident Trump would obey such a decision. This harkens back to something that happened in 1832 when President Andrew Jackson said of the Supreme Court decision in _Worcester v. Georgia_, “\[Chief Justice\] John Marshall has made his decision, now let him enforce it.” The Supreme Court can put out a decision, but it’s not guaranteed that a president will listen. The executive branch has been operating under norms, and Trump likes to break norms.

“Trump is a bully at heart. He might try to ignore a court ruling,” Edelson says. “He’ll do whatever he thinks he can get away with, including ignoring a judicial decision.”

Regardless of who’s president, Goitein and Delson both say that Congress needs to reform the laws that allow presidents to wield such great power. If they’re not abused by Trump, they could be abused by another president in the future. It’s best not to leave a powerful weapon available to someone who may one day be tempted to use it, and Trump has historically tested what a president can get away with.

The ‘Emergency Powers’ Risk of a Second Trump Presidency

A global network of violent predators is hiding in plain sight, targeting children on major platforms, grooming them, and extorting them to commit horrific acts of abuse.

There Are Dark Corners of the Internet. Then There's 764

The US Court of Appeals for the 5th Circuit has vacated an injunction against an age-verification requirement to view internet porn in Texas.

Texas can enforce a law requiring age-verification systems on porn websites, the US Court of Appeals for the 5th Circuit ruled Thursday. The appeals court vacated an injunction against the law's age-verification requirement but said that Texas cannot enforce a provision requiring porn websites to "display health warnings about the effects of the consumption of pornography."

In a 2-1 decision, judges ruled that "the age-verification requirement is rationally related to the government's legitimate interest in preventing minors' access to pornography. Therefore, the age-verification requirement does not violate the First Amendment."

The Texas law was challenged by the owners of Pornhub and other adult websites and an adult-industry lobby group called the Free Speech Coalition. "We disagree strenuously with the analysis of the Court majority," the Free Speech Coalition said. "As the dissenting opinion by Judge \[Patrick\] Higginbotham makes clear, this ruling violates decades of precedent from the Supreme Court."

A US District Court judge issued a preliminary injunction blocking enforcement of the law in August 2023, finding that "Plaintiffs have shown that their First Amendment rights will likely be violated if the statute takes effect, and that they will suffer irreparable harm absent an injunction."

But a few weeks later, the 5th Circuit issued a temporary stay that allowed the law to take effect in September 2023. The new ruling issued last week was on the merits of the preliminary injunction.

**Court Cites Magazine Precedent**

The 5th Circuit, generally regarded as one of the most conservative appeals courts, found that the Texas porn-site law should be reviewed on the "rational-basis" standard and not under strict scrutiny. The court panel majority pointed to _Ginsberg v. New York_, a 1968 Supreme Court ruling about the sale of "girlie" magazines to a 16-year-old at a lunch counter. The Supreme Court in that case upheld a New York criminal obscenity statute that prohibited the knowing sale of obscene materials to minors.

The same principle applies to the internet, the 5th Circuit majority found. "Because it is never obvious whether an Internet user is an adult or a child, any attempt to identify the user will implicate adults in some way... To suggest protecting children would be so difficult is inconsistent with _Ginsberg_, where rational basis review was sufficient _even though_ adults would presumably have to identify themselves to buy girlie magazines," the ruling said.

As Santa Clara University law professor Eric Goldman wrote, the 5th Circuit "panel majority claims the 56-year-old _Ginsberg_ opinion, which dealt with offline retailers, governs the Conlaw \[constitutional law\] analysis of the Texas law instead of the squarely on-point 1997 _Reno v. ACLU_ and 2004 _Ashcroft v. ACLU_ opinions, both of which dealt with the Internet."

In his dissent, Judge Higginbotham said the majority's attempts to distinguish _Ginsberg_ from later rulings "are unconvincing." Although "_Ginsberg_ remains good law and indubitably recognizes the government's power to protect children from age-inappropriate materials," the Supreme Court "has unswervingly applied strict scrutiny to content-based regulations that limit adults' access to protected speech," he wrote.

The Texas law "limits access to materials that may be denied to minors but remain constitutionally protected speech for adults," Higginbotham wrote. "It follows that the law must face strict scrutiny review because it limits adults' access to protected speech using a content-based distinction—whether that speech is harmful to minors."

**Section 230 Analysis Flawed, Professor Says**

The 5th Circuit panel majority found that Section 230 of the Communications Decency Act does not preempt the Texas law. Goldman called the decision "another entry in the Fifth Circuit's increasingly unstable Section 230 jurisprudence."

Goldman said that judges seem to be saying "that the age authentication mandate only regulates the services' conduct, and thus it doesn't impose liability for third-party content... However, fundamentally, the statute imposes liability for services for publishing third-party content to underage viewers, and Section 230 clearly should apply to that aspect."

Porn Sites Need Age-Verification Systems in Texas, Court Rules

A closed-door presentation for House lawmakers late last year portrayed American anti-war protesters as having possible ties to Hamas in an effort to kill privacy reforms to a major US spy program.

At a private meeting about the reauthorization of a major United States surveillance program late last year, the Republican chairman of the US House Permanent Select Committee on Intelligence (HPSCI) presented an image of Americans protesting the war in Gaza while implying possible ties between the protesters and Hamas, an allegation that was used to illustrate why surveillance reforms may prove detrimental to national security, WIRED has learned. Sources who attended the meeting say it alarmed Republicans who are pursuing new limits on the US government's power to warrantlessly access the communications of US citizens.

In December, as many as 200 Republican staffers gathered behind closed doors to hear a presentation by House Intelligence chair Mike Turner, one of several such meetings that day aimed at shoring up support for a US surveillance program known as Section 702.

House lawmakers were expected to cast votes the following day to determine which of two rival bills would become law. While both aimed to reauthorize the 702 program, they shared little else in common. The first bill was backed by Turner and Jim Himes—HPSCI's leading Democrat—and had the support of the US intelligence community. The second, a bill chock full of privacy reforms, had been introduced by the House Judiciary Committee and was opposed by the Biden White House.

While Turner addressed the Republican staffers, representatives from the intelligence community conducted their own briefing with Democrats on Capitol Hill. Both meetings were designed to dissuade House members from supporting the privacy reforms offered under the Judiciary bill—chiefly among them, an amendment that would force the FBI to obtain warrants before accessing the communications of Americans collected under the 702 program—phone calls, emails, and text messages intercepted by US spies in the process of eavesdropping on foreigners overseas.

The briefing conducted by Turner at roughly 2 pm EST on December 11 carried on for more than an hour. Roughly 15 minutes into the presentation, two slides were introduced referencing American protesters. The implication, sources present for the briefing tell WIRED, was that the demonstrators were suspected of having ties to Hamas, which the US government classifies as a terrorist organization.

A spokesperson for the House Intelligence Committee said in an email on Friday that the protesters depicted in the slide had “responded to what appears to be a Hamas solicitation.”

A WIRED review of the slides shown by Turner casts doubt on that claim. Notably, while the two slides were portrayed as being related to a single protest in November outside Senate majority leader Chuck Schumer's Brooklyn residence, WIRED has since learned that the slides reference two separate events that occurred nearly a month apart.

What’s more, the allegation that the protesters were following Hamas' lead is based on a post on X that contains false information about who organized one of these two events.

Three Republican staffers who attended Turner’s briefing that day tell WIRED the images immediately set off alarms. Section 702 authorizes the government to surveil foreigners located physically overseas, they said, but not Americans or individuals on US soil. Even while Turner spoke, a few staffers began privately debating whether what Turner described was a lawful use of the program.

While eavesdropping on foreigners is permitted, doing so for the explicit purpose of gaining access to an American’s communications—a practice commonly referred to as “reverse targeting”—is strictly forbidden.

"At the outset of the presentation, he's running through slides, making his case for why 702 reauthorization is needed,” a senior Republican aide tells WIRED. “Then he throws up that photo. The framing was: ‘Here are protesters outside of Chuck Schumer's house. We need to be able to use 702 to query these people.’”

Another aide in attendance said: "The sentiment was that \[Turner\] wanted to know if these people were talking to Hamas. That's how I interpreted why he brought up those slides."

Jeff Naft, the HPSCI spokesperson, says the purpose of the slides was to illustrate that, even if the protesters did have ties to Hamas, they would “not be subject to surveillance” under the 702 program. “702 is not used to target protesters," he says. “702 is used on foreign terrorist organizations, like Hamas. Chairman Turner’s presentation was a distinction exercise to explain the difference between a US person and Hamas.”

WIRED's sources, who are not authorized to discuss closed-door briefings and requested anonymity to do so, describe this as a conflation of two separate issues—a tactic, they say, that has become commonplace in the debate over the program’s future. “Yes, it’s true, you cannot ‘target’ protesters under 702,” one aide, a legislative director for a Republican lawmaker, says. “But that doesn’t mean the FBI doesn't still have the power to access those emails or listen to their calls if it wants.”

Under the 702 program—authorized under the Foreign Intelligence Surveillance Act (FISA)—the term “target” refers to foreign individuals whose communications are primarily sought after by US spies. But a person needn't be a “target” (or a foreigner, for that matter) for the US government to intercept their calls or emails. Nor does a person need to be a “target” for the FBI to access and review those conversations, a practice that privacy advocates have come to call a “backdoor search.”

The government’s claim that 702 is not used to _target_ protesters may be misleading to those not steeped in the program’s specifics. Between 2020 and early 2021, the FBI conducted “tens of thousands” of queries related to “civil unrest” in the United States. Even had those queries been lawful, the FBI would never have referred to those Americans as “targets.” For people whose communications are being accessed, it’s a distinction without much of a difference.

A Biden administration official tells WIRED that it was made clear at the briefing that individuals “can never be queried due to the fact that they participated in a protest.” Any suggestion to the contrary, they said, is inaccurate. “US person queries of lawfully collected 702 data are based on information such as contact with a foreign terrorist, since such queries must be reasonably likely to return foreign intelligence information,” the official says.

The bar for justifying a query, though, is far below “contact with a terrorist,” according to Elizabeth Goitein, a senior director at the Brennan Center for Justice at the NYU School of Law. “The law’s definition of ‘foreign intelligence’ is extremely broad and sweeps far beyond matters relating to terrorism or espionage,” she says.

A query for an American's communications may be allowed, for instance, if it's deemed necessary for “purposes of security," Goitein says, noting that the term “security” isn't defined. The information sought by the government can merely be necessary to understand the “conduct of foreign affairs,” something that the Center for Strategic & International Studies says may apply to “almost any activity.”

Last year, the FISA court approved three definitions of foreign intelligence information, adds Goitein. One of them is simply information related to “foreign governments and related entities.”

James Czerniawski, a senior policy analyst at Americans for Prosperity, a libertarian think tank, says the idea that US protesters could be queried under 702 without a warrant, simply based on accusations of harboring overseas ties, represents “an affront to Americans' privacy.”

"It manifests why trust has eroded in the very institutions meant to protect us, and it represents a material threat to the millions of Americans who will undoubtedly soon join protests,” Czerniawski says, “no matter what happens in November.”

Beyond what the slides represented to Turner’s audience at the time, they are more controversial now for reasons that weren't quite apparent during that December 11 briefing.

The first of Turner's slides includes a photograph of anti-war activists sitting cross-legged at an intersection in Brooklyn’s Park Slope neighborhood, arms interlocked. The second slide features a tweet by Matthew Foldi, a conservative staff writer at the Washington Free Beacon. It also relates to a protest outside of Schumer’s home. The implication of Foldi’s tweet, sources say, was that the protesters in both cases had gotten their marching orders overseas from an organization Foldi referred to as a “Hamas front group.”

Regardless of whether Turner and his staff bought into the claim, there are several issues with this portrayal, and HPSCI had no evidence on hand to support the allegation—not to staff members in December and not last week when questioned by WIRED about the veracity of the claim.

The first of the two slides, showing protesters sitting in the street, can be traced back to a demonstration on October 13, organized by the US nonprofit Jewish Voice for Peace. Thousands of Americans had attended protests across New York City that day.

According to a local news report, several rabbis as well as descendants of Holocaust survivors were among the 57 people arrested for blocking traffic near Schumer’s home. New York State Assembly members Zohran Mamdani and Marcela Mitaynes were also present and were issued citations for acts of civil disobedience. Statements gathered from journalists at the scene show the demonstration was being closely monitored by the FBI’s New York field office. But aside from a few “scuffles” with counter-protesters earlier in the day, there are no reports of the protests turning violent.

Sean Vitka, a policy director at the civil-liberties-focused nonprofit Demand Progress, says Congress enacted FISA specifically to stop the FBI from spying on protesters. "Spying on protesters is ice in the heart of democracy—and if someone trolling the ‘other side’s’ protest on Twitter is cause to spy on those protesters, we have an enormous problem,” he says.

The second slide in Turner’s presentation featured the tweet by Foldi, which likewise references a march on Schumer’s home. That protest, however, took place nearly a month after the first. HPSCI's claim that Hamas may have incited the demonstration appears solely based on this remark by Foldi, who claims the protesters were responding to a call issued by a pro-Palestinian group known as Samidoun.

However, that wasn't the case.

The only evidence of the Palestinian group’s involvement is that the protest was included on a calendar maintained by Samidoun on its website. The calendar currently lists more than 5,000 protests that have taken place around the world, from Australia and England to Finland, Nigeria, Iceland, and Japan. The same site bears a disclaimer that notes the list includes protests not organized by Samidoun, and visitors are encouraged to submit details about events being organized in their respective countries.

Foldi went on to portray Samidoun as having been “banned from Germany and booted from numerous payment processors over suspicions of acting as a Hamas front group.”

A German branch of Samidoun was dissolved in November, but not as a result of evidence it had ties to Hamas. Rather, the group, formed to protest the imprisonment of Palestinians, was accused of spreading “anti-Jewish conspiracy theories,” an allegation that the organizers vehemently deny, while noting their ranks boast many Jewish members.

For obvious reasons, Germany has some of the strictest antisemitism laws in the world, enabling Berlin to issue blanket bans against protests aimed at raising awareness of the humanitarian crisis in Gaza. Such bans would be unlawful in the United States under its constitution.

Branches of Samidoun have also faced bans by payment processors overseas. This also happens frequently in the United States. The bar for being banned by a payment processor is notably far below having terrorism ties.

Payment processors last year severed ties with a French branch of the group, known as Collectif Palestine Vaincra, a result of the French government attempting to dissolve the organization under allegations it was “anti-Jewish.” This attempt was blocked by a French court in May, however, after it rules the Macron government's allegations of “antisemitism” against the group were “unfounded.”

Neither Foldi nor Samidoun immediately responded to requests for comment.

That the chairman of a US intelligence committee chose such questionable examples during a presentation aimed at garnering support for a US surveillance authority gave many Republican staffers pause.

None of the House sources who spoke to WIRED work for lawmakers that could be credibly accused of showing anything but support for the Israeli government. Yet all agreed the issue of domestic surveillance transcends political ideology—one of the purest examples of the “pendulum politics” that define America’s two-party system.

“What we know for sure is this,” a Republican aide says, “However the government decides to treat left-wing protesters today, that’s how we should expect protesters in our party to be treated under future administrations.”

A House Democratic staffer—half-jokingly referencing the Cold War doctrine of “mutually assured annihilation”—says that they agreed “wholeheartedly” with the sentiment. “Our fates are aligned,” they say. “That's the best defense we have.”

“Political protest is literally how America was founded. It’s in our DNA,” says Jason Pye, senior policy analyst at the nonprofit FreedomWorks. “Whether you agree with these protesters or not is irrelevant.”

Source

Wired