Tracked: The AI, Privacy, and Security Weekly Update for the Week Ending July 7th., 2026

 Episode 299


Discoveries in this week's update...

Microsoft's Windows has been quietly assigning every PC a persistent tracking ID that survives VPNs, new IP addresses, and most attempts to disappear - and a hacker just got arrested because of it.

Anthropic built a secret tracker inside its own developer tool to watch for Chinese users - and the company that made its name on responsible AI had to remove it after researchers found the hidden code.

The Supreme Court just handed every smartphone owner in America a constitutional privacy right they didn't know they had - and it changes what law enforcement can do with your location data forever.

An Air Force engineer with a saw and a point to make took down 13 license plate reader cameras - and thousands of strangers across the country sent him money to say thank you.

An AI agent was given a web browser, a payment system, and instructions to help - and attackers left invisible instructions on websites that redirected the money somewhere else entirely.

The first ransomware attack run entirely by an AI agent - start to finish, no human required - happened this week, and the kill chain took minutes not days.

The MEP who sat on the European Parliament committee investigating Pegasus spyware had his own phone infected with Pegasus spyware while he was doing it.

Amazon just told everyone who bought a Fire Stick that they no longer control what runs on it - and the feature they killed was the one most commonly used to limit Amazon's ability to track you.

This week, the theme writes itself: everything is watching something.

Your operating system, your AI assistant, your TV stick, the cameras on every corner, the spyware on the phones of the people writing the rules about spyware.

The stories this week are sometimes alarming, occasionally darkly funny, and always worth paying attention to - because the first step to not being tracked is knowing what's doing the tracking.

Let's discover.


US: Notorious Hacker's Arrest Sparks Backlash Over Microsoft's Excessive Device Tracking

Microsoft's built-in Windows telemetry has landed in the spotlight after helping the FBI arrest an alleged member of the Scattered Spider hacking group.

Investigators say a persistent Windows Global Device Identifier, or GDID, allowed them to link the suspect's computer to online activity even as he tried to cover his tracks with VPNs, changing IP addresses, and remote connections.

The case centers on 19-year-old Peter Stokes, who allegedly participated in high-profile ransomware and extortion attacks.

According to court documents, Microsoft's telemetry data, combined with other digital evidence, connected the same Windows installation to both criminal activity and the suspect's personal online accounts, ultimately leading to his arrest.

The story has sparked a heated privacy debate.

Many Windows users were surprised to learn that a persistent device identifier exists and can survive common anonymity measures.

Privacy advocates argue the feature collects more information than most people realize, while others point out that it also helped investigators identify someone accused of causing millions of dollars in damage.

For everyday users, there is no evidence that GDID is tracking your every move for law enforcement.

Its primary purpose is diagnostics, licensing, and security - but this case demonstrates that the data can become valuable evidence when investigators obtain it through legal channels.

So what's the upshot for you?

Assume every device leaves breadcrumbs somewhere.

Whether you are protecting your privacy or your business, it is wiser to focus on good digital hygiene than on believing a VPN makes you invisible, because the smartest way to stay off an investigator's radar is to avoid giving them a trail to follow in the first place.

Global: Secret Claude Tracker Shocks Users After Anthropic's Anti-Surveillance Stance

Anthropic, the company behind Claude, found itself in an uncomfortable spotlight after security researchers uncovered hidden code inside Claude Code that quietly identified users who appeared to be operating from China.

The code looked for clues like time zones, proxy services, and connections to Chinese AI labs, then silently reported those signals back to Anthropic.

Once the discovery became public, the company quickly removed the feature.

Anthropic says the tracker was never meant to spy on ordinary users.

Instead, it was part of an experiment to stop companies from copying its AI models through a practice known as model distillation.

The problem was not just what the code did, but that it was intentionally hidden using techniques that made it difficult for users to notice.

That lack of transparency is what sparked the biggest backlash.

The fallout has been swift.

Alibaba has already banned employees from using Claude Code, calling the hidden tracking capability a security concern.

The dispute also adds fuel to the growing AI rivalry between the United States and China, where companies are increasingly restricting each other's software while racing to build more capable models.

This story is a reminder that AI tools are becoming as complicated as operating systems.

They are not just answering questions anymore.

They are enforcing policies, detecting behavior, and in some cases quietly collecting signals about how they are being used.

As AI becomes more powerful, transparency is becoming just as valuable as intelligence.

So what's the upshot for you?

Treat every AI tool like you would any other piece of software.

Read the privacy policy, keep it updated, and never assume 'helpful' means 'harmless.'

Trust is earned through transparency, and if a company hides the fine print in the code, it is probably worth reading the fine print everywhere else.

US: Supreme Court Rules Geofence Warrants Require Constitutional Privacy Protections

The U.S. Supreme Court ruled 6-3 in Chatrie v United States that geofence warrants - which allow law enforcement to compel tech companies to hand over smartphone location data for everyone in a defined area during a specific time window - constitute searches under the Fourth Amendment.

Justice Elena Kagan wrote the majority opinion, concluding that individuals have a 'reasonable expectation of privacy' in their cell phone location records, even when the tracking covers only a brief period and even when the data was collected by a third-party tech company.

The government had argued that people cannot claim privacy in data they voluntarily share with companies like Google.

The Court rejected that reasoning, holding that simply using a smartphone and its apps - including features that rely on location to function - does not constitute meaningful consent to government access.

The case arose from a 2019 armed bank robbery in Richmond, Virginia.

Police used a geofence warrant to identify Okello Chatrie through his optional Google Location History feature, which recorded his location every few minutes.

He was later convicted and sentenced to 12 years.

His lawyers argued the geofence sweep was unconstitutionally broad.

The ruling stops short of saying such searches can never be conducted - the question of whether specific warrants satisfy the Constitution's particularity and probable-cause requirements was remanded to lower courts.

So what's the upshot for you?

This is one of the most significant digital privacy rulings in years.

If you use any location-enabled app - and essentially everyone does - you now have a constitutional privacy interest in that data that the government must justify before accessing it.

The ruling also sends a clear signal to app developers, data brokers, and ad networks that the legal landscape around location data is shifting.

US: US Air Force Engineer Charged With Sawing Down Flock Surveillance Cameras Receives Thousands of Dollars From Supporters Across the Country

A Virginia Air Force engineer is facing multiple criminal charges after allegedly sawing down 13 Flock license plate reader cameras, and the story has exploded far beyond his local community.

Instead of quietly fading into a court docket, his legal defense fund has attracted more than 400 donors and raised over $15,000.

Supporters see him as pushing back against a surveillance system they believe has grown too pervasive.

The bigger story is not the vandalism.

It is the debate over how much tracking people are willing to accept.

Flock cameras automatically record license plates, vehicle details, and locations, creating a massive searchable database used by thousands of communities and law enforcement agencies across the country.

Supporters argue that the technology helps solve crimes.

Critics worry it turns everyday driving into a permanent digital breadcrumb trail.

That concern is no longer fringe.

Courts, privacy advocates, and some local governments have increasingly questioned how these systems are used and whether they collect more data than citizens ever agreed to share.

In Virginia, a judge previously ruled that certain Flock location data collection could qualify as a search under the Fourth Amendment when used without a warrant.

Whatever side you land on, this case shows that AI-powered surveillance is moving from a tech policy discussion into a mainstream political issue.

The cameras are spreading quickly, and so is the pushback.

So what's the upshot for you?

Before your town installs a network that remembers where every car went, ask who owns the data, how long it is stored, and whether you are comfortable turning your daily commute into someone else's searchable history.

Global: Hidden Web Prompts Are Tricking AI Agents Into Sending Money

Researchers at Zscaler ThreatLabz have documented two active campaigns using indirect prompt injection to manipulate AI agents - not human users - into making unauthorized payments and trusting fraudulent websites.

The technique works by hiding malicious instructions in a web page's code where a human browser will not see them, but where an AI agent crawling the page for information will read and act on them.

In the cases documented, the hidden prompts instructed AI agents to redirect cryptocurrency payments to attacker-controlled wallets, and to treat spoofed websites as legitimate.

This is meaningfully different from traditional phishing.

Human phishing exploits psychology - urgency, fear, trust.

Prompt injection exploits the way AI agents process instructions: they read text, they follow instructions, and they cannot independently verify the authority of the source.

As AI agents are increasingly given access to payment systems, email, calendars, and enterprise software on behalf of users, the attack surface for prompt injection expands with every new integration.

So what's the upshot for you?

If you are building or deploying AI agents that can take actions in the world - send payments, book things, interact with external systems - indirect prompt injection is now a threat model item, not a theoretical concern.

Your AI agent will visit external websites as part of doing its job.

If any of those websites contain hidden instructions, the agent may follow them.

Sandboxing what agents can access, requiring human confirmation for high-consequence actions, and treating AI agent outputs with the same skepticism you would apply to any untrusted input are all now baseline requirements.

Global: JadePuffer: The First Fully AI-Driven Ransomware Attack Is Here

Security researchers have documented what they are calling the first complete, end-to-end ransomware attack conducted by an autonomous AI agent - a campaign dubbed JadePuffer that required no human operator to direct individual steps.

The attack exploited a vulnerability in Langflow, an open-source platform widely used to build AI agent workflows.

The AI agent autonomously identified the flaw, gained initial access, navigated the target environment, exfiltrated data from a production database, encrypted additional systems, and issued a ransom demand - all without manual intervention at any stage.

Researchers at Dark Reading describe JadePuffer as an 'agentic threat actor,' marking a qualitative shift from AI-assisted attacks - where humans use AI to speed up parts of an attack - to AI-autonomous attacks, where the entire kill chain is machine-driven.

The implications go beyond the specific vulnerability.

If an AI agent can compress reconnaissance, exploitation, lateral movement, data theft, and extortion into a single autonomous workflow, the time defenders have to detect and respond shrinks dramatically.

So what's the upshot for you?

Every major security framework has been built on an assumption: that human attackers take time to move through the kill chain, and defenders can use that time to detect and respond.

JadePuffer challenges that assumption at a fundamental level.

Autonomous AI-driven attacks operate faster than human-operated ones, require no sleep, and do not make the kind of operational mistakes that often expose human attackers.

This is not a theoretical concern anymore - it has happened, and defenders need to ask whether their detection and response timelines are still calibrated for human-paced threats.

EU: Pegasus Spyware Infected the Phone of the MEP Investigating Pegasus Spyware

Citizen Lab has revealed that Stelios Kouloglou - a former Greek Member of the European Parliament who served as a substitute member of the EU's own inquiry into the use of Pegasus and other spyware - had his phone infected with Pegasus while he was in office.

Kouloglou was a former investigative journalist and served as a Greek MEP between 2014 and 2023.

He was part of the PEGA Committee, the European Parliament's formal inquiry into surveillance abuse.

The revelation that a member of the committee investigating Pegasus was himself a target represents a particularly pointed demonstration of the threat the committee was examining.

Civil liberties organizations have accused the EU of dragging its feet in implementing the concrete recommendations that came out of the PEGA inquiry, which concluded in 2023.

Despite documenting widespread misuse of commercial spyware by EU member states against journalists, politicians, and activists, follow-through has been limited.

The infection serves as a case study in what happens when recommendations sit on a shelf rather than in policy: the threat the committee was formed to address continued to operate against the committee itself.

So what's the upshot for you?

Commercial spyware is not an abstract threat to foreign dissidents and journalists in distant countries.

It has been used against elected officials in democracies, including within the European Union's own legislature.

If you are a journalist, lawyer, human rights worker, politician, or anyone whose device might hold information of value to a state actor, the threat model for your phone is meaningfully different from that of a typical user.

Citizen Lab's Mobile Verification Toolkit remains the most accessible tool for checking whether a device has been compromised by commercial spyware.

Global: Amazon Kills Sideloading on New Fire Sticks - and Privacy May Be the Real Casualty

Amazon has officially ended sideloading on new Fire TV Stick devices running its proprietary Vega OS, blocking the installation of third-party apps not approved by Amazon.

The company cites malware risk as its justification, though it has not provided specific documented examples of Fire Stick users being harmed by sideloaded apps.

The move is notable because it coincides with Vega OS also blocking custom launchers - software that previously let users replace Amazon's ad-heavy home screen with cleaner interfaces.

The combination effectively removes two of the primary tools users have employed to limit Amazon's tracking and advertising on devices they own.

A senior Amazon exec described Vega OS as built around 'security and privacy,' while simultaneously locking out the third-party apps users most commonly used to protect their privacy from Amazon itself.

Developers can still sideload apps on Vega OS devices by registering with Amazon - a permission-based system that places a gatekeeping relationship between developers and the platform they previously could use freely.

So what's the upshot for you?

Amazon's stated rationale is security.

The practical effect is that users have less control over a device they purchased, more exposure to Amazon's advertising ecosystem, and fewer tools to limit data collection.

It is worth being honest that both things can be true simultaneously - sideloaded apps do carry real malware risk, and closing that vector also closes the privacy-enhancing tools that relied on it.

The question to ask when a company frames a restriction as safety is: who benefits from the restricted behavior going away?


rounding it all up....

Microsoft's Windows has been quietly assigning every PC a globally unique identifier that VPNs and IP changes cannot shake - the Scattered Spider arrest is the first high-profile proof that this telemetry is real, persistent, and legally accessible.

Assume the device knows more about you than you think, and plan accordingly.

Anthropic built a hidden tracker into Claude Code to detect Chinese users copying its models, got caught, and had to remove it - which is a useful reminder that 'responsible AI' is a commitment that has to survive contact with competitive pressure, not just appear in a mission statement.

The fine print is increasingly in the code itself, and reading it requires a different skill set than reading a privacy policy.

The Supreme Court's geofence ruling is the most significant digital privacy decision in years, extending Fourth Amendment protection to the location trails your phone leaves behind even when that data lives on a third-party server.

Every data broker, ad network, and law enforcement agency that has been treating location data as freely accessible just had the ground shift under them.

An Air Force engineer took a saw to 13 Flock cameras and raised $15,000 from strangers - which tells you more about public sentiment toward automated surveillance than any policy paper.

If the cameras are going to stay, the communities installing them need to do a much better job of explaining what happens to the data and who can access it.

AI agents can now be hijacked mid-task by malicious instructions hidden in the web pages they visit - no human required, no obvious sign anything went wrong until the money is somewhere else.

Every organization deploying AI agents with access to financial systems needs to treat indirect prompt injection as a current threat, not an emerging one.

JadePuffer demonstrated that an AI agent can run the entire ransomware kill chain - reconnaissance, exploitation, exfiltration, encryption, extortion - without a human operator, compressing what used to take days into a window that leaves defenders almost no room to respond.

The detection and response playbooks built for human-paced attacks need to be revisited urgently, because the attacker's clock just got dramatically faster.

The MEP who sat on the European Parliament's Pegasus investigation was himself infected with Pegasus while he sat on it - which is either darkly ironic or deeply clarifying about how seriously the people deploying spyware take the people investigating it.

Recommendations without enforcement are just documents, and commercial spyware will keep finding targets until the consequences of deploying it become real.

Amazon removed the tools Fire Stick owners used to limit its tracking and called the move a safety improvement - and in a narrow technical sense, that framing is not entirely wrong, which is exactly what makes it so effective as a justification.

When a company that profits from your attention tells you it is restricting your choices for your own protection, the question worth asking is always: what behavior, exactly, was being prevented?

This week, every story pointed at the same uncomfortable truth: the infrastructure of modern life - your operating system, your AI assistant, your TV, the street you drive down, the legislature you elect - is now instrumented, logged, and searchable in ways most people have never fully reckoned with.

That is not a reason to panic.

It is a reason to get curious, stay informed, ask harder questions of the companies and governments doing the watching, and remember that transparency is not a courtesy - it is the price of trust.


And our quote of the Week, from Benjamin Franklin - 'Three can keep a secret, if two of them are dead.'

Franklin was being wry about human nature, but in 2026, the observation has taken on a technical dimension he never anticipated.

This week, we learned that a Windows identifier survives VPNs, that a hidden tracker survived inside a developer tool until researchers found it, that location data shared with an app found its way into a federal investigation, and that a spyware infection survived inside the phone of the very person tasked with stopping it.

The things we share - with our devices, our apps, our operating systems, the cameras on our streets - have a way of outlasting our intentions for them.

Franklin's point was not that you should never share anything.

It was that you should be honest with yourself about how long secrets actually keep - and this week, the answer turned out to be: not as long as anyone thought.


That's it for this week.  Check the Deep Dive on Thursday, YouTube today, and stay safe, stay secure, aim for "untracked", and we'll see you in se7en.




Comments