Sold Out. The AI, Privacy, and Security Weekly Update for the week ending March 24th, 2026
Episode 284.
Yes, that's it. So much of what we cover is now AI-based that we're updating the Update to reflect that. From today, the IT Privacy and Security Weekly Update will be formally renamed the AI, Privacy, and Security Weekly Update.
In this week’s update:
The FBI has officially confirmed it is once again purchasing commercial location data to track American citizens, bypassing traditional warrant requirements.
A newly revealed government proposal outlines plans for a single, AI-powered database containing detailed personal information on virtually every American.
TikTok and Meta’s advertising pixels are quietly collecting far more sensitive personal and behavioral data than most websites and users realize.
A major cyberattack on Intoxalock has left thousands of drivers unable to start their court-ordered breathalyzer-equipped vehicles.
H&R Block’s tax preparation software has been found to install a long-lived root certificate with its private key exposed, creating a serious security risk that can persist for decades.
The FCC has banned imports of all new foreign-made consumer routers, citing severe national security risks posed by devices predominantly manufactured in China.
Cloudflare’s CEO predicts that by 2027, AI-driven bot traffic will surpass human-generated internet traffic for the first time in history.
Mozilla is rolling out a free built-in VPN in Firefox 149, initially available to users in the US, France, Germany, and the UK.
Come on, let’s learn a little about what’s being sold around us!
US: FBI is buying location data to track US citizens, director confirms
The FBI has resumed buying commercially available location data on Americans, according to testimony from Director Kash Patel during a Senate Intelligence Committee hearing.
The data, often collected from mobile apps and sold by brokers, can reveal individuals’ movements without requiring a warrant.
Patel said the practice complies with existing laws and has produced valuable intelligence for investigations.
The disclosure came after questioning from Senator Ron Wyden, who challenged whether the agency was sidestepping constitutional protections.
While the Supreme Court requires warrants for certain types of location tracking, purchasing data from third-party brokers allows agencies to bypass that requirement.
This distinction has become a focal point in the broader debate over digital surveillance.
Lawmakers and privacy advocates argue the practice effectively weakens Fourth Amendment protections against unreasonable searches.
Wyden and others have called it an “end run” around the law and are pushing legislation to close the loophole.
Supporters of the FBI’s approach, however, maintain that the data is legally obtainable because it is sold on the open market.
The issue also reflects how modern data ecosystems operate.
Apps routinely collect location information for advertising purposes, which is then aggregated and resold.
Government agencies can access this data at scale, raising concerns about how easily detailed personal profiles can be constructed without direct user consent or judicial oversight.
So what's the upshot for you?
The controversy reveals a growing tension between national security capabilities and personal privacy, where the real leverage lies not in secret surveillance tools, but in the vast amounts of data people unknowingly generate, and others are free to buy.
US: Every American in One AI-Searchable Government Database
A newly disclosed report obtained through a public records request has revealed details of a proposed U.S. government system designed to centralize vast amounts of personal data and apply artificial intelligence to analyze it.
The system, described in internal documents, would aggregate information from multiple federal agencies and external sources into a single searchable database, significantly expanding the government’s ability to track individuals’ activities, relationships, and behavior patterns.
According to the documents, the database would combine sensitive data such as immigration records, financial information, and biometric identifiers.
The use of AI would allow agencies to rapidly cross-reference datasets and generate detailed profiles at scale.
Critics argue this represents a shift from targeted surveillance toward a more comprehensive monitoring model, where large populations can be analyzed without individualized suspicion.
The disclosure aligns with broader federal efforts to integrate data systems and expand AI capabilities across agencies.
Recent reporting shows agencies already purchase large volumes of commercial data, including location and browsing information, which can bypass traditional warrant requirements and enable wide-scale tracking of Americans.
This existing infrastructure provides a foundation for more advanced, AI-driven surveillance systems.
Civil liberties groups warn that such a database raises constitutional concerns, particularly around privacy and due process.
They argue that consolidating disparate datasets into a single platform increases the risk of misuse, errors, and mission creep, especially when oversight mechanisms remain unclear or underdeveloped.
The combination of government and commercially sourced data is seen as especially difficult to regulate under current legal frameworks.
So what's the upshot for you?
Officials have framed the initiative as a tool for national security and enforcement efficiency, but the newly revealed details have intensified debate over how far surveillance powers should extend in the AI era.
The emerging picture suggests that the real shift is not just more data collection, but the transformation of that data into a continuously evolving intelligence layer that can map ordinary life with unprecedented precision.
Global: TikTok and Meta’s ad pixels are collecting far more than people realize
Research highlighted in the episode notes says TikTok and Meta ad pixels can collect far more than simple ad attribution, including personal data, shopping behavior, and detailed checkout events.
Jscrambler said the collection goes “beyond analytics” and can create privacy and compliance risks for the businesses deploying the pixels.
OK, so this is what happened: Jscrambler analyzed TikTok and Meta pixels on real websites.
The research says the pixels can capture emails, phone numbers, addresses, and detailed checkout interactions.
The notes say some data may be transmitted before consent tools fully block it.
The report frames this as both a privacy issue and a competitive intelligence issue for merchants.
So what's the upshot for you?
Suddenly, it’s not just “ads following you around.”
It’s a story about the quiet industrial-scale collection of what people browse, click, type, and buy.
US: Cyberattack on a Car Breathalyzer Firm Leaves Drivers Stuck
Last week, hackers launched a cyberattack on an Iowa company called Intoxalock that left some drivers unable to start their court-mandated breathalyzer-equipped cars.
Intoxalock, an automotive breathalyzer maker that says it's used daily by 150,000 drivers across the U.S., last week reported that it had been the target of a cyberattack, resulting in its systems currently experiencing downtime, according to an announcement posted to its website.
Meanwhile, drivers who use the breathalyzers have reported being stranded due to the devices' inability to connect to the company's services.
“Our vehicles are giant paperweights right now through no fault of ours,” one wrote on Reddit.
“I'm being held accountable at work and feel completely helpless.”
The lockouts appear to be the result of Intoxalock's breathalyzers needing periodic calibrations that require a connection to the company's servers.
Drivers who are due for a calibration and can't perform one due to the company's downtime have been stuck, though the company now states on its website that it's offering 10-day extensions on those calibrations due to its cybersecurity disruption, as well as towing services in some cases.
So what's the upshot for you?
In the meantime, Intoxalock hasn't explained what sort of cyberattack it's facing or whether hackers have obtained any of the company's user data, so we'll just be holding onto the keys to their car.
US: Tax time? H&R Block’s tax software planted a trust bomb
One of the wildest stories in the batch is about H&R Block tax software allegedly installing its own root certificate on users’ machines, with the matching private key reportedly left inside a DLL.
In plain English, that means the software may have created a way for trusted-looking fake websites or software signatures to be accepted on affected systems.
It's a long-lived certificate that can remain even after uninstall, and the original public disclosure says the cert was named “WK ATX ServerHost 2024” and expires in 2049.
A tax program is supposed to help people file returns, not quietly mess with the trust settings of a computer in a way that could last for decades.
So what's the upshot for you?
Boring normal consumer software can create unusually deep security risks.
For everyday users... treat software that modifies certificates, browsers, or network settings as a much bigger deal than a typical app install.
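One way to check a Windows machine for the certificate described above, as an added example that is not from the original disclosure or from H&R Block. It assumes the name “WK ATX ServerHost 2024” appears in the certificate's Subject, Issuer or FriendlyName, and it also flags any trusted root whose private key is present in the store, which is a general hygiene check beyond what the story describes.

```powershell
# Added example: audit the Windows trusted-root stores (read-only, changes nothing).
# Assumption: the name from the disclosure shows up in Subject, Issuer or FriendlyName.
$Name   = 'WK ATX ServerHost 2024'
$Stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'

$findings = foreach ($store in $Stores) {
    Get-ChildItem -Path $store | ForEach-Object {
        # -match on an array returns the elements that matched; empty means no hit
        $nameMatch = ($_.Subject, $_.Issuer, $_.FriendlyName) -match [regex]::Escape($Name)
        $yearsLeft = [math]::Round(($_.NotAfter - (Get-Date)).TotalDays / 365, 1)

        # Report the named certificate, plus any root that carries its own
        # private key in the store (unusual on an end-user machine).
        if ($nameMatch -or $_.HasPrivateKey) {
            [pscustomobject]@{
                Store         = $store
                Subject       = $_.Subject
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                YearsLeft     = $yearsLeft
                HasPrivateKey = $_.HasPrivateKey
                Reason        = if ($nameMatch) { 'name match' } else { 'private key in root store' }
            }
        }
    }
}

if ($findings) {
    $findings | Format-List
} else {
    Write-Output "No root certificate matching '$Name' and no roots with private keys found."
}
```

A name match on a machine that no longer has the tax software installed is consistent with the story's point that the certificate can outlive the uninstall.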
US: FCC Bans Imports of New Foreign-Made Routers, Citing Security Concerns
The U.S. Federal Communications Commission said on Monday it was banning the import of all new foreign-made consumer routers, the latest crackdown on Chinese-made electronic gear over security concerns.
China is estimated to control at least 60% of the U.S. market for home routers, boxes that connect computers, phones, and smart devices to the internet.
The FCC order does not impact the import or use of existing models, but will ban new ones.
The agency said a White House-convened review deemed imported routers pose a severe cybersecurity risk that could be leveraged to immediately and severely disrupt U.S. critical infrastructure.
It said malicious actors had exploited security gaps in foreign-made routers to attack households, disrupt networks, enable espionage, and facilitate intellectual property theft, citing their role in major hacks like Volt and Salt Typhoon.
The determination includes an exemption for routers the Pentagon deems do not pose unacceptable risks.
So what's the upshot for you?
If you’re buying a new router, expect fewer cheap options and more scrutiny around where it’s made.
This won’t affect your current setup, but over time, the market will shift toward “approved” devices, likely at a higher price.
Your home router isn’t just a boring box anymore; it’s seen as a real security risk, so choosing a reputable, regularly updated device matters more than ever.
Global: Online Bot Traffic Will Exceed Human Traffic By 2027, Cloudflare CEO Says
Cloudflare’s CEO Matthew Prince says artificial intelligence is on track to fundamentally reshape internet traffic.
Speaking at SXSW, he predicted that by 2027, automated systems powered by AI will generate more online activity than humans.
The shift reflects how AI agents perform tasks at a scale far beyond typical human behavior.
Today, bot traffic accounts for a smaller share of the internet, historically driven by tools like Googlebot and a limited number of malicious actors.
However, generative AI systems require massive amounts of data to function, leading to a surge in automated requests across websites.
This growing demand is rapidly increasing the overall load on the internet infrastructure.
Prince illustrated the difference with a simple example.
A person shopping online might visit a handful of websites, while an AI agent performing the same task could scan thousands.
Each of those visits creates real traffic, placing new and significant demands on servers, networks, and cybersecurity systems worldwide.
To handle this surge, Cloudflare is exploring new infrastructure models.
One concept involves temporary computing environments, or sandboxes, that can be created instantly to support AI agents and then shut down once tasks are complete.
These systems could operate at a massive scale, with millions potentially running at any given moment.
So what's the upshot for you?
Prince described AI as a major platform shift, comparable to earlier transformations in how people access and use the internet.
The implication is clear: as machines increasingly act on behalf of users, understanding and adapting to automated activity becomes essential to navigating a digital environment where volume, not visibility, defines influence.
US/FR/DE/UK: Get the Fox, get a free VPN
Mozilla said Firefox 149 would include a free built-in VPN.
The feature initially launches in the U.S., France, Germany, and the U.K.
Mozilla said users would get 50 GB per month, but remember that the protection is browser-level, not a full-device VPN in the traditional sense.
So what's the upshot for you?
Privacy tools become much more likely to be used when they do not require a side job.
We like that privacy for some apps is becoming a product feature.
And so to round up this week’s sell off….
In an era where personal location data is treated as a commodity, even the FBI can access it without a warrant. The real takeaway is that your everyday movements are far more exposed than most people realize; protecting your privacy now requires far more than just avoiding obvious surveillance.
The government is building the infrastructure to centralize and AI-analyze vast amounts of personal data on nearly every American. The core lesson is clear: in the AI age, the biggest privacy threat isn’t secret spying, it’s the quiet consolidation of everything you do into one searchable profile.
TikTok and Meta’s ad pixels are harvesting emails, addresses, purchase details, and behavior far beyond simple ad tracking. The lesson is that much of the “free” internet runs on invisible, industrial-scale data collection that happens before you even click “accept cookies.”
A single cyberattack on a breathalyzer company turned thousands of drivers’ cars into expensive paperweights overnight. It’s a stark reminder that our growing dependence on connected devices means one company’s security failure can directly paralyze your daily life.
H&R Block’s tax software quietly installed a powerful root certificate that could undermine your computer’s trust system for decades. The takeaway: even trusted, everyday programs can introduce serious long-term security risks; always be cautious with software that modifies system-level settings.
The FCC’s ban on new foreign-made routers highlights how national security concerns are now reshaping the consumer electronics market. For users, the lesson is simple: your home router is a critical security device, and choosing a reputable, regularly updated one matters more than ever.
By 2027, AI bots are expected to generate more internet traffic than humans, fundamentally changing how the web works. The key takeaway is that the internet is rapidly becoming a machine-to-machine environment; understanding and preparing for automated activity will soon be essential for everyone.
Mozilla is making privacy easier by baking a free VPN directly into Firefox for users in several countries. The real lesson: privacy tools succeed when they’re convenient and built-in rather than complicated add-ons; the fewer extra steps, the more likely we are to actually use them.
And our quote of the week - “Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about freedom of speech because you have nothing to say.” - Edward Snowden
<Edward Snowden lives in Russia, where he has resided in exile since 2013 following his leaks of U.S. surveillance programs. He was granted Russian citizenship in 2022 and received his Russian passport in 2023. Snowden has kept a lower public profile recently, living with his wife, Lindsay Mills, and two children, and maintains his freedom of movement within Russia>
That’s it for this week. Stay safe, stay secure, stay informed, and we’ll see you in se7en.