More Moxie in the IT Privacy and Security Weekly Update for the week ending January 13th, 2026
EP 274.
In this week’s update: Moxie Marlinspike, architect of Signal’s groundbreaking privacy standards, now brings his uncompromising approach to secure, user-controlled artificial intelligence with the launch of Confer.
The fifth annual Worst in Show anti-awards returned to CES 2026, shining a harsh spotlight on the year’s most wasteful, invasive, and counterproductive consumer electronics.
Wegmans has quietly expanded biometric surveillance in its New York City stores, collecting facial, iris, and voice data from every shopper under the stated goal of safety and security.
California’s new DROP law marks a major victory for consumer privacy, empowering residents to delete their personal information from hundreds of data brokers with a single request.
Google faces intense backlash after directly notifying 13-year-olds that they can unilaterally remove parental supervision from their accounts, raising serious concerns about child safety and parental authority.
Chinese state-sponsored hackers, operating under the long-running Salt Typhoon campaign, have compromised email accounts of staff on multiple powerful U.S. House committees.
Anthropic has committed $1.5 million over two years to the Python Software Foundation, targeting major security improvements to CPython and PyPI to protect millions of developers and users.
Neuromorphic computers, designed to emulate the human brain’s architecture, have demonstrated remarkable efficiency and accuracy in solving complex partial differential equations, challenging conventional assumptions about their capabilities.
Let's go get the moxie.
Global: Signal creator Moxie Marlinspike wants to do for AI what he did for messaging
Moxie Marlinspike, the engineer behind Signal Messenger’s strong privacy protections, is now turning his attention to artificial intelligence.
He has introduced Confer, an open source AI assistant designed so that user data and conversations remain encrypted and unreadable to platform operators, hackers, law enforcement, and others.
Much of its software can be independently verified by users.
Confer encrypts user queries and AI responses within a trusted execution environment, which even server administrators cannot access.
Conversations are stored encrypted with keys that stay only on users’ devices.
This model of confidentiality aims to treat AI interactions with the same privacy assurance that Signal brought to messaging.
Marlinspike’s design emphasizes simplicity and ease of use, similar to how Signal made encrypted messaging accessible to the average person.
Early users report they feel freer to share sensitive thoughts and information because their interactions can remain private.
Confer uses passkeys and hardware-protected key storage for secure login and forward secrecy, allowing encrypted chats to sync across devices without exposing plaintext data to third parties.
The system also uses remote attestation to prove the platform is running approved software.
So what's the upshot for you?
It's good to see another AI initiative focus on user privacy, alongside Google's privacy-centric large language model (LLM) VaultGemma, because too many of our most secret questions are being shared with... people we don't know.
US: “Worst in Show” Returns at CES 2026, Calling Out Gadgets That Make Things Worse
CES, the Consumer Electronics Show, isn't just about shiny new gadgets.
As AP reports, this year brought back the fifth annual Worst in Show anti-awards, calling out the most harmful, wasteful, invasive, and unfixable tech at the Las Vegas show.
The coalition behind the awards -- including Repair.org, iFixit, EFF, PIRG, Secure Repairs, and others -- put the spotlight on products that miss the point of innovation and make life worse for users.
2026 Worst in Show winners include:
Overall (and Repairability): Samsung's AI-packed Family Hub Fridge -- over-engineered, hard to fix, and trying to do everything but keep food cold.
Privacy: Amazon Ring AI -- expanding surveillance with features like facial recognition and mobile towers.
Security: Merach UltraTread treadmill -- an AI fitness coach that also hoovers up sensitive data with weak security guarantees, including a privacy policy that declares the company 'cannot guarantee the security of your personal information' (!!).
Environmental Impact: Lollipop Star -- a single-use, music-playing electronic lollipop that epitomizes needless e-waste.
Enshittification: Bosch eBike Flow App -- pushing lock-in and digital restrictions that make gear worse over time.
"Who Asked For This?": Bosch Personal AI Barista -- a voice-assistant coffee maker that nobody really wanted.
People's Choice: Lepro Ami AI Companion -- an overhyped 'soulmate' cam that creeps more than it comforts.
So what's the upshot for you?
Not all tech is progress.
Some products add needless complexity, threaten privacy, or throw sustainability out the window -- and the industry's watchdogs are calling them out.
US: NYC Wegmans Is Storing Biometric Data On Shoppers' Eyes, Voices, and Faces
Wegmans in New York City has begun collecting biometric data from anyone who enters its supermarkets, according to new signage posted at the chain's Manhattan and Brooklyn locations earlier this month.
Anyone entering the store could have data on their faces, eyes, and voices collected and stored by the Rochester-headquartered supermarket chain.
The information is used to 'protect the safety and security of our patrons and employees,' according to the signage.
The new scanning policy is an expansion of a 2024 pilot.
The chain had initially said that the scanning system was only for a small group of employees and promised to delete any biometric data it collected from shoppers during the pilot rollout.
The new notice makes no such assurances.
Wegmans representatives did not reply to questions about how the data would be stored, why it changed its policy, or if it would share the data with law enforcement.
Surveillance experts warn that biometric systems can have significant privacy implications for everyday consumers.
So what's the upshot for you?
Wegmans is not alone; other retailers in New York City have acknowledged using facial recognition systems, and signage revealing such practices has drawn public attention.
Under a 2021 city law, shops must disclose biometric collection, but enforcement is limited.
US: California's War on Data Brokers Begins
California's DROP (Delete Request and Opt-out Platform) law, effective January 1, allows residents to submit one request to delete their data from over 500 brokers.
It simplifies the previous Delete Act process, which required individual requests.
Users must verify residency and provide personal info for effective deletion.
Brokers must report status by August 2026.
This strict privacy measure has data brokers unhappy, as it streamlines consumer opt-outs and requires brokers to comply and report.
Challenges include verification processes and ensuring effective data removal.
So what's the upshot for you?
As a US resident, especially in California, you now have a powerful, one-stop tool to reclaim your personal data from brokers, potentially reducing targeted ads and identity theft risks without the hassle of chasing each company individually.
Global: Google accused of grooming kids after child receives this email
Google is drawing sharp criticism after sending emails directly to 13-year-old users explaining they can remove parental controls on their accounts when they turn 13.
Child safety advocates reacted strongly to screenshots circulating online showing the messages informing children they are 'eligible' to disable supervision without parental consent.
The criticism stems from concerns that these notifications bypass parents and shift control of digital boundaries to a corporate platform.
Critics argue the company’s messages could weaken parental oversight and frame the platform as a default authority in a child’s online life.
Google responded by saying it plans to update the process to require formal parental approval for teens to exit supervised accounts.
The company also noted it typically emails both parents and children to support family discussions about account transitions.
Under Google’s Family Link system, once a child disables supervision, parents lose the ability to monitor browsing, control screen time, or block content.
Children can also make purchases and add payment methods, subject to limited safeguards on pre-added cards.
The debate reflects broader tensions over parental authority and tech company policies in minor account transitions, drawing attention to how digital platforms interact with family dynamics and online freedoms.
So what's the upshot for you?
Google’s approach to parental control messaging may influence future expectations for how digital services communicate with minors, and in the meantime it puts parents on high alert.
CN: China hacked email systems of US congressional committee staffers
China has hacked the emails used by congressional staff on powerful committees in the US House of Representatives, as part of a massive cyber espionage campaign known as Salt Typhoon.
Chinese intelligence accessed email systems used by some staffers on the House China committee in addition to aides on the foreign affairs committee, intelligence committee and armed services committee, according to people familiar with the attack.
The intrusions were detected in December.
The attacks are the latest element of an ongoing cyber campaign against US communication networks by the Ministry of State Security, China's intelligence service.
One person familiar with the attack said it was unclear if the MSS had accessed lawmakers' emails.
The Ministry of State Security has been operating Salt Typhoon for several years.
It allows China to access the unencrypted phone calls, texts and voicemails of almost every American, and in some cases enables access to email accounts.
Salt Typhoon has also intercepted the calls of senior US officials over the past couple of years, sources said.
So what's the upshot for you?
Once more: 'It allows China to access the unencrypted phone calls, texts and voicemails of almost every American.' And not just Americans: every phone system that runs on SS7 is exposed.
While modern 4G/5G uses Diameter, SS7 is still widespread for SMS and older networks, meaning nearly every country using traditional mobile infrastructure is affected, from North America and Europe to Asia, Africa, and beyond.
Next time you have something important to say, use the Signal or Session app to do it.
Global: Anthropic Invests $1.5 Million in the Python Software Foundation and Open Source Security
Python Software Foundation: We are thrilled to announce that Anthropic has entered into a two-year partnership with the Python Software Foundation (PSF) to contribute a landmark total of $1.5 million to support the foundation's work, with an emphasis on Python ecosystem security.
This investment will enable the PSF to make crucial security advances to CPython and the Python Package Index (PyPI), benefiting all users, and it will also sustain the foundation's core work supporting the Python language, ecosystem, and global community.
Anthropic's funds will enable the PSF to make progress on our security roadmap, including work designed to protect millions of PyPI users from attempted supply-chain attacks.
Planned projects include creating new tools for automated proactive review of all packages uploaded to PyPI, improving on the current process of reactive-only review.
We intend to create a new dataset of known malware that will allow us to design these novel tools, relying on capability analysis.
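As an added illustration of the 'capability analysis' the PSF mentions (this is not PSF or PyPI code), here is a minimal static scanner that parses a Python module's AST, records which risky capabilities it exercises (network, process execution, environment reads, decoding combined with dynamic code) and flags combinations that merit a human look before publication. The capability catalogue, the triage rules and the sample module are all constructed for this example.

```python
import ast
# Constructed capability maps: imported modules, attributes and builtins and the
# capability each implies. A real reviewer would use a much larger catalogue.
MODULE_CAPS = {"socket": "network", "urllib.request": "network", "requests": "network",
               "subprocess": "process-exec", "ctypes": "native-code"}
ATTR_CAPS = {("os", "system"): "process-exec", ("os", "popen"): "process-exec",
             ("os", "environ"): "env-read", ("base64", "b64decode"): "decoding"}
BUILTIN_CAPS = {"eval": "dynamic-code", "exec": "dynamic-code", "compile": "dynamic-code"}
# Capability combinations that should route an upload to a human reviewer (constructed).
SUSPICIOUS_COMBOS = [{"decoding", "dynamic-code"}, {"env-read", "network"},
                     {"network", "process-exec"}]

def analyze(source: str) -> dict:
    """Map each capability label to the line numbers where `source` exercises it."""
    tree = ast.parse(source)
    aliases, found = {}, {}   # aliases: local name -> module (handles `import x as y`)
    def hit(cap, node):
        found.setdefault(cap, []).append(node.lineno)

    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                top = a.name.split(".")[0]
                aliases[a.asname or top] = a.name if a.asname else top
                if a.name in MODULE_CAPS:
                    hit(MODULE_CAPS[a.name], node)
        elif isinstance(node, ast.ImportFrom) and node.module in MODULE_CAPS:
            hit(MODULE_CAPS[node.module], node)
        elif isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name):
            key = (aliases.get(node.value.id), node.attr)   # e.g. ("os", "environ")
            if key in ATTR_CAPS:
                hit(ATTR_CAPS[key], node)
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            if node.func.id in BUILTIN_CAPS:
                hit(BUILTIN_CAPS[node.func.id], node)
    return found

def needs_review(found: dict) -> list:
    """Return the suspicious capability combinations present in `found`."""
    return [sorted(c) for c in SUSPICIOUS_COMBOS if c <= set(found)]

# Constructed sample of a package module, not a real PyPI upload.
SAMPLE = """\
import os, base64 as b64
from subprocess import check_output
token = os.environ.get("TOKEN")
payload = b64.b64decode("QUJD")
exec(payload)
"""
```

Running `needs_review(analyze(SAMPLE))` reports the decoding-plus-dynamic-code pairing, the kind of signal a proactive review pipeline would use to pull a package out of the automatic path.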
So what's the upshot for you?
'One of the advantages of this project is that we expect the outputs we develop to be transferable to all open source package repositories. As a result, this work has the potential to ultimately improve security across multiple open source ecosystems, starting with the Python ecosystem.'
Global: Nature-inspired computers are shockingly good at math
Researchers at Sandia National Laboratories report that neuromorphic computers, which mimic the human brain’s structure, can solve very complex mathematical problems with surprising skill and efficiency.
These problems, called partial differential equations, are foundational to modeling physical systems such as fluid flow and electromagnetic fields.
Unlike traditional supercomputers, neuromorphic systems process information in ways similar to brain networks.
This approach uses much less energy while handling demanding calculations that typically require vast computational power.
The breakthrough stems from a new algorithm that enables this hardware to tackle sophisticated math problems once thought beyond its scope.
Scientists previously expected these machines to be useful only for pattern recognition or neural-network tasks.
The implications extend to scientific and engineering simulations, potentially transforming how high-performance computing is done.
Future neuromorphic supercomputers could deliver powerful number-crunching with drastically lower energy costs.
So what's the upshot for you?
Wouldn't it be great to one day grow a pre-trained LLM in a petri dish when your old one was out-of-date, and simply plug it in, and feed it some fish food once in a while? We won't hold our breath.
OK, to tie this week’s update into a nice little package, we covered:
Moxie Marlinspike, who launched Confer, an open-source AI assistant that keeps user queries and conversations fully encrypted and verifiable. It brings Signal-level privacy to AI interactions, allowing users to engage freely without exposing sensitive data to platforms or third parties.
The fifth annual Worst in Show awards at CES 2026 highlighted products that harm privacy, security, repairability, and the environment. Winners included Samsung’s over-engineered Family Hub Fridge, Amazon Ring’s expanding surveillance features, and single-use electronic lollipops as prime examples of misguided innovation.
Wegmans has expanded biometric collection in its New York City stores, scanning faces, irises, and voices of all shoppers for claimed safety purposes. The policy shift from a limited pilot has raised privacy concerns, with no clear answers on data storage, sharing, or deletion.
California’s new DROP law, effective January 1, 2026, lets residents submit one request to delete their data from over 500 data brokers. The streamlined process empowers consumers to reduce targeted advertising and identity theft risks far more easily than before, but gee whiz, the data brokers aren’t happy!
Google drew sharp criticism for emailing 13-year-olds that they can remove parental supervision without consent, prompting concerns about bypassing parents and weakening child safety controls. The company has promised to update the process to require parental approval moving forward.
Chinese state hackers, part of the long-running Salt Typhoon campaign, compromised email accounts of staff on several powerful U.S. House committees. The intrusions highlight China’s ongoing ability to access unencrypted communications across traditional phone networks worldwide.
Anthropic has pledged $1.5 million over two years to the Python Software Foundation to strengthen security across CPython and PyPI. The funding will support proactive tools to detect supply-chain attacks and aims to improve open-source package security beyond Python alone.
Neuromorphic computers, modeled after the human brain, have shown surprising efficiency and accuracy in solving complex partial differential equations. This breakthrough suggests future high-performance computing could become dramatically more energy-efficient for scientific and engineering simulations, and one day, maybe one will land in a petri dish near you!
And our quote of the week: “You’ve got what my dad calls moxie.” “Moxie?” “Yeah. It means courage. Determination. You can handle what comes at you and land on your feet.” - Melanie Harlow
That's it for this week. Stay safe, stay secure, get moxie, and we'll see you in Se7en!
YouTube: https://youtu.be/J3eAHS6rNUQ