The Top 10 in the IT Privacy and Security Weekly Update for the Week Ending January 27th, 2026

EP 276 

In this week's update:

A high-profile class-action lawsuit accuses Meta of misleading users by claiming WhatsApp offers true end-to-end encryption, alleging that employees can access messages with minimal oversight.

Ireland has enacted sweeping new lawful interception powers, granting law enforcement expanded access to encrypted communications and raising fresh concerns among privacy advocates and tech companies.

TikTok’s latest U.S. privacy policy update expands location tracking, AI interaction logging, and cross-platform ad targeting, marking a significant escalation in data collection under its new American ownership structure.

The newly released OWASP Top 10 (2025 edition) highlights the most critical web application security risks, providing developers and organizations with an updated roadmap to prioritize defenses against evolving threats.

Security researchers have uncovered a critical bypass in NPM’s post-Shai-Hulud supply-chain protections, allowing malicious code execution via Git dependencies in multiple JavaScript package managers.

As Artemis II approaches, NASA defends the Orion spacecraft’s unchanged heat shield design despite persistent cracking concerns from its uncrewed predecessor, while some former engineers warn the risk remains unacceptably high.

Anthropic has significantly revised Claude’s governing “constitution,” shifting from strict rules to high-level ethical principles while explicitly addressing the hypothetical possibility of AI consciousness and moral status.

The European Parliament has adopted a strongly worded resolution urging the EU to reduce strategic dependence on American tech giants through aggressive investment in sovereign cloud, AI, and open digital infrastructure.

This one's a good'n. Let's get to it!



US: Lawsuit Alleges That WhatsApp Has No End-to-End Encryption

A lawsuit claims that WhatsApp's end-to-end encryption is a sham, and is demanding damages, but the app's parent company, Meta, calls the claims 'false and absurd'.

The lawsuit was filed in a San Francisco US district court on Friday and comes from a group of users based in countries such as Australia, Mexico, and South Africa, according to Bloomberg.

As evidence, the lawsuit cites unnamed 'courageous whistleblowers' who allege that WhatsApp and Meta employees can request to view a user's messages through a simple process, thus bypassing the app's end-to-end encryption.

'A worker need only send a 'task' (i.e., request via Meta's internal system) to a Meta engineer with an explanation that they need access to WhatsApp messages for their job,' the lawsuit claims.

'The Meta engineering team will then grant access - often without any scrutiny at all - and the worker's workstation will then have a new window or widget available that can pull up any WhatsApp user's messages based on the user's User ID number, which is unique to a user but identical across all Meta products.'

'Once the Meta worker has this access, they can read users' messages by opening the widget; no separate decryption step is required,' the 51-page complaint adds.

'The WhatsApp messages appear in widgets commingled with widgets containing messages from unencrypted sources.

Messages appear almost as soon as they are communicated - essentially, in real-time.

Moreover, access is unlimited in temporal scope, with Meta workers able to access messages from the time users first activated their accounts, including those messages users believe they have deleted.'


So what's the upshot for you?

The lawsuit does not provide any technical details to back up the rather sensational claims.

Still, we want to remind you that Zuck doesn't let his 3 daughters use his products.


IE: “Ireland’s New ‘Lawful Interception’ Law”

Ireland, home to the European headquarters of many big tech companies, has rolled out a new playbook for “lawful interception,” which is the official term for tapping into communications with legal approval.

On paper, it promises to modernize the rules so law enforcement can actually keep up with encrypted messaging, cloud storage, and apps instead of just old-school phone lines.

The law aims to give police and intelligence services clearer powers to tap or access digital communications.

Privacy advocates worry it may weaken encryption or normalize broader surveillance.

And critics are asking a big question: once you create legal hooks to reach into private messages, can you really keep that power narrow and well-supervised?

For tech companies based there, this becomes yet another international puzzle: how do they follow local laws, protect user privacy, and avoid opening doors that hackers or foreign governments might try to copy?


So what's the upshot for you?

One thing has been borne out over time:

The more data an entity collects, the more it has to lose.

We have no doubt that if this moves into law, we will be reading about the breaches it generates.

US: TikTok Is Now Collecting Even More Data About Its Users

U.S. TikTok users were greeted today with a pop-up requiring agreement to new terms of service and a revised privacy policy before continuing to use the app.

These changes reflect TikTok’s transition to new ownership under a U.S.-based entity called TikTok USDS Joint Venture LLC, formed after government pressure to shift control away from China.

The update allows the app to continue operating domestically, but it also introduces significant data policy changes that many users may overlook.

One of the most notable updates involves location tracking.

Previously, TikTok did not collect precise GPS-based location data from U.S. users.

Under the new policy, if users enable location services, the app may now collect detailed information about their exact whereabouts, similar to what other major social platforms already do.

Another major change concerns artificial intelligence features.

TikTok now explicitly states that it may collect and store data from interactions with its AI tools, including user prompts, generated responses, and associated metadata.

This adds a new category of personal information to the platform’s data collection practices.

The revised policy also expands how TikTok uses user data for advertising.

Rather than limiting ad targeting to activity within the app, TikTok may now use collected information to personalize ads across other websites and platforms.

The company also names publishers as partners that may provide additional data for this purpose.


So what's the upshot for you?

And it all could add up to a worse deal than US citizens got with the Chinese.

Global: The 8th installment of the OWASP Top Ten

The OWASP Top 10 is a list of the most common and serious security risks found in web applications.

It helps developers, businesses, and security teams understand where apps are most vulnerable and how to build safer software.

A01: Broken Access Control – Users can reach data or functions they shouldn’t; enforce server-side access checks, deny by default, and log any violations.

A02: Security Misconfiguration – Unsafe defaults or open settings expose systems; automate secure setups and disable unnecessary features.

A03: Software Supply Chain Failures – Vulnerable third-party code slips in; track components with an SBOM and use trusted, secured sources.

A04: Cryptographic Failures – Weak or missing encryption leaks data; use strong, modern cryptography and secure key management.

A05: Injection – Unsanitized input executes malicious commands; use parameterized queries and strict input validation.

A06: Insecure Design – Flaws in the app’s architecture expose risk; apply threat modeling and secure design practices early.

A07: Authentication Failures – Weak login and session controls allow account hijacking; require MFA and enforce strong password/session policies.

A08: Software or Data Integrity Failures – Unverified code or data gets trusted and tampered with; use digital signatures and secure build pipelines.

A09: Security Logging & Alerting Failures – Breaches go unnoticed due to poor monitoring; log critical events and enable real-time alerts.

A10: Mishandling of Exceptional Conditions – Apps reveal info or fail insecurely on errors; handle exceptions safely and fail closed.
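To make two of the mitigations above concrete, here is an added example (written for this summary, not code from the OWASP project): A05 Injection shown as a string-built query beside its parameterized form, and A01 Broken Access Control shown as a server-side, deny-by-default check that logs every denial. It uses Python's built-in sqlite3 module; the users table, rows, role names and permission list are constructed for the demo.

```python
"""Added example (not from the OWASP document or this newsletter): A05 Injection and
A01 Broken Access Control side by side, using Python's built-in sqlite3 so it runs offline.
The table, rows, roles and permission list are constructed for the demo."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def lookup_vulnerable(conn, name):
    # A05: the query text is built from user input, so the input can change the
    # query's structure (a quote in the input closes the string literal early).
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    # A05 fix: the driver binds the value separately; the input can never become SQL.
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE name = ?", (name,))]


# A01: an explicit allow-list of (role, action) pairs; anything not listed is denied.
PERMISSIONS = {
    ("admin", "delete_user"),
    ("admin", "view_report"),
    ("user", "view_report"),
}


def authorize(conn, user_id, action, audit_log):
    """Server-side check: read the role from the database (never from the client),
    deny by default, and record every denial so violations are visible."""
    row = conn.execute("SELECT role FROM users WHERE id = ?", (user_id,)).fetchone()
    role = row[0] if row else None
    allowed = (role, action) in PERMISSIONS
    if not allowed:
        audit_log.append(f"DENY user_id={user_id} role={role} action={action}")
    return allowed


if __name__ == "__main__":
    conn = make_db()
    injected = "x' OR '1'='1"
    # The string-built query returns every user; the parameterized one returns nobody,
    # because no user is literally named "x' OR '1'='1".
    print(lookup_vulnerable(conn, injected))
    print(lookup_parameterized(conn, injected))
    log = []
    print(authorize(conn, 2, "delete_user", log), log)
```

The injected value is the classic quote-closing input: against the string-built query it rewrites the WHERE clause and returns all three rows, while the parameterized query treats it as a plain name and returns an empty list. The authorize function also handles the unknown-user case (no row, so role is None) by falling through to the default deny.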


So what's the upshot for you?

The top 10 is a solid starting point for securing your web applications.

If you'd like a lite version, head over to our blogger site and pick up our free .pdf.

Global: The Shai-Hulud Bypass

Security researchers have discovered that the protections NPM put in place after the “Shai-Hulud” supply-chain attacks can be bypassed when developers install packages directly from Git repositories.

The flaw lets malicious configuration files override safeguards like the ignore-scripts setting and run harmful code anyway.

The weaknesses, grouped under the name “PackageGate,” affect several JavaScript package managers including pnpm, vlt, and Bun.

All but NPM have released fixes; NPM argues the behavior is “expected” and did not patch it.

Shai-Hulud itself hit NPM in 2025, compromising hundreds of packages and exposing hundreds of thousands of developer secrets across thousands of GitHub repos.

Researchers demonstrated how attackers could exploit this gap to achieve full code execution, even when standard precautions are used.
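Since the weakness described above turns on install-time scripts and configuration files that re-enable them, a defender's first question is "which of my dependencies even declare such scripts, and do any of them ship their own config?" The following is an added example (not code from the researchers, NPM, or any of the named package managers): an offline audit that walks a dependency tree, lists every package declaring an install-time lifecycle script, and flags any package-local .npmrc that sets ignore-scripts back to false. That the overriding file is a package-local .npmrc is an assumption made for this example; the sample packages and their script names are constructed.

```python
"""Added example, not the researchers' or any package manager's code: an offline audit that
walks a dependency tree, lists every package with an install-time lifecycle script, and flags
any package-local .npmrc that turns ignore-scripts back off. The assumption that the overriding
file is a package-local .npmrc, and the sample packages below, are constructed for this demo."""
import json
import os
import tempfile

# npm lifecycle hooks that run during installation
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def parse_npmrc(text):
    """Parse key=value lines of an .npmrc-style file into a dict (comments and blanks skipped)."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        out[key.strip()] = value.strip()
    return out


def audit_tree(root):
    """Return one finding per package directory under root that declares an install hook
    or re-enables scripts through its own .npmrc."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as f:
            pkg = json.load(f)
        scripts = pkg.get("scripts") or {}
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        rc_overrides = {}
        if ".npmrc" in filenames:
            with open(os.path.join(dirpath, ".npmrc"), encoding="utf-8") as f:
                rc = parse_npmrc(f.read())
            if rc.get("ignore-scripts", "").lower() == "false":
                rc_overrides["ignore-scripts"] = rc["ignore-scripts"]
        if hooks or rc_overrides:
            findings.append({
                "package": pkg.get("name", os.path.relpath(dirpath, root)),
                "install_hooks": hooks,
                "rc_overrides": rc_overrides,
                # a package that both ships a hook and re-enables scripts goes to the top of the review pile
                "severity": "high" if hooks and rc_overrides else "review",
            })
    return findings


def build_sample_tree(root):
    """Constructed sample: one clean package, one with a postinstall hook, one that also ships an .npmrc."""
    samples = {
        "clean-lib": ({"name": "clean-lib", "version": "1.0.0"}, None),
        "hooked-lib": ({"name": "hooked-lib", "scripts": {"postinstall": "node setup.js"}}, None),
        "rc-lib": ({"name": "rc-lib", "scripts": {"preinstall": "node prep.js"}}, "ignore-scripts=false\n"),
    }
    for dirname, (pkg, npmrc) in samples.items():
        d = os.path.join(root, "node_modules", dirname)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "package.json"), "w", encoding="utf-8") as f:
            json.dump(pkg, f)
        if npmrc is not None:
            with open(os.path.join(d, ".npmrc"), "w", encoding="utf-8") as f:
                f.write(npmrc)


def demo():
    """Build the constructed tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return audit_tree(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against a real checkout by calling audit_tree on the project's node_modules directory instead of demo(). The output is a review list, not a verdict: a postinstall script is normal for packages that compile native code, so the point is to know which Git-sourced dependencies carry one before trusting an ignore-scripts setting to keep it from running.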


So what's the upshot for you?

It's like the little bug you thought you squished with your shoe that just got up and walked away.

US: NASA Confident, But TIPASWU Wonders if Its Orion Spacecraft Is Safe to Fly

NASA is rapidly preparing to launch its Artemis II moon mission as early as February 2026, carrying four astronauts aboard the Orion spacecraft.

Critics and some former NASA engineers say the spacecraft’s heat shield still shows issues after the 2022 Artemis I uncrewed test, when the protective Avcoat coating cracked and shed material during reentry.

NASA has investigated the phenomenon and traced it to gas buildup in the heat shield material, which caused unexpected cracking and chipping.

The heat shield design for Artemis II has not been changed; instead, NASA plans to use a modified reentry trajectory intended to reduce the conditions that produced the damage on Artemis I.

Agency leaders, including NASA’s administrator and mission commander Reid Wiseman, say the analysis and planned trajectory should limit risk and keep the crew safe.

Some insiders acknowledge the heat shield may still crack, but argue that built-in safety margins will protect the astronauts.

Not all experts agree.

A group of former NASA personnel, including heat-shield specialists, say flying a mission with a known structural concern and without a redesigned shield is risky and unnecessary.


So what's the upshot for you?

Whatever the outcome, nope, you won't find us, "The IT Privacy and Security Weekly Update" (TIPASWU) crew, flying with a cracked coating!

Global: Anthropic Updates Claude's 'Constitution,' Just In Case Chatbot Has a Consciousness

Anthropic has unveiled a major revision to Claude’s guiding “constitution,” a foundational document that outlines how its AI chatbot should think and behave.

The new version replaces rigid rules with broad principles designed to help Claude apply good judgment in unpredictable situations.

The document now ranks safety and ethical considerations above all, instructs Claude to be truthful, and sets firm boundaries against harmful tasks like bioweapon creation or systems disruption.

It also frames responsible behavior as a matter of understanding values, not just following orders.

Anthropic’s leaders acknowledge uncertainties about whether Claude could ever possess something akin to consciousness or moral status.

They explicitly include language about psychological “security” and self-concept, a philosophical shift uncommon in AI development.

Critics note that these philosophical elements may blur the line between engineering safety and anthropomorphizing the technology, especially since there is no scientific basis for AI consciousness.

Others see it as a transparency move in an increasingly competitive AI field.

So what's the upshot for you?

AI companies are thinking beyond mere performance and toward frameworks that make advanced systems more interpretable and ethically grounded, exposing concern about what smart machines should value as they grow more capable.

Spooky or responsible.

You decide.

EU: EU Parliament Calls For Detachment From US Tech Giants

The European Parliament has backed a major report urging the European Union to cut reliance on U.S. technology giants and build stronger domestic digital capabilities.

Lawmakers from multiple political groups adopted the resolution with wide support, signaling a shift in digital policy.

MEPs want the EU Commission to pursue a bold “Cloud and AI Development Act” and reform public technology procurement so European companies are prioritized.

The Parliament emphasized that data held under foreign jurisdictions poses political and security risks.

The resolution also promotes open standards and public code for software funded by taxpayers.

Backers argue this would reduce vendor lock-in and empower European innovation.

Investments in domestic AI and cloud infrastructure were central to the debate.

Parliamentarians raised concerns about recent U.S. technology policy and enforcement actions, saying Europe must ensure control over digital infrastructure and legal enforcement of its rules.


So what's the upshot for you?

We'd call this giving Trump the bump.

Tariffs today, trouble for many tomorrows.



And to wrap it all up...

While the WhatsApp lawsuit claims remain unproven and heavily disputed by Meta, this case shows how much user trust in end-to-end encryption depends on verifiable implementation rather than corporate assurances alone.

The key takeaway from the WhatsApp lawsuit: always weigh privacy marketing against the possibility of internal access mechanisms that could undermine true encryption.


Ireland’s new lawful interception law reflects the difficult balance governments face between enabling modern law enforcement and preserving strong encryption.

The main lesson from Ireland’s lawful interception law: expanded legal access to encrypted data often creates new risks of misuse or exploitation that can outweigh short-term investigative gains. Amen.


The TikTok US data collection update brings its practices closer to those of other major platforms, trading user convenience for deeper profiling and cross-site targeting.

The core takeaway from the TikTok US data collection update: "new ownership" rarely means less data collection. Users should assume every major app is continuously expanding what it knows about them, as it says in the 25-page privacy policy.


The OWASP Top 10 2025 serves as a concise, battle-tested checklist that remains essential for anyone building or securing web applications.

Key lesson from the OWASP Top 10 2025: addressing these ten categories early and consistently still prevents the vast majority of serious vulnerabilities.


Even after high-profile supply-chain incidents, the Shai-Hulud bypass in NPM shows that gaps persist when developers pull directly from Git and “secure by default” settings can be surprisingly fragile.

The takeaway from the Shai-Hulud bypass in NPM: every external dependency, especially Git-sourced ones, has to be chased down and reviewed, and it’s best to wear pointed-toe shoes when you do it.


NASA is betting on analysis and trajectory tweaks to keep Artemis II safe despite known heat-shield issues in the Orion spacecraft.

The main lesson from the NASA Orion heat shield concerns: err on the side of caution when human lives are on the line.


By embedding principles that anticipate possible AI moral status, the Anthropic Claude constitution update openly grapples with long-term ethical questions most labs still treat as speculative.

The takeaway from the Anthropic Claude constitution update: forward-thinking governance in AI now includes preparing for scenarios once considered science fiction, whether or not consciousness ever arrives, and this update could save the world!


The EU Parliament tech sovereignty push signals growing political will to treat reliance on US cloud and AI providers as a strategic vulnerability rather than just a market choice.

Core lesson from the EU Parliament tech sovereignty push: digital sovereignty requires deliberate, sustained investment in homegrown infrastructure, and that money has to come from somewhere. Start saving.


Our quote of the week: "Success is never final; failure is never fatal. It's courage to continue that counts." - Winston Churchill


That’s it for this week. Stay safe, stay secure, and we’ll see you in se7en.
