California’s Corporate Cover-Up Act Is a Privacy Nightmare

EFF update
5 days 6 hours ago

California lawmakers are pushing one of the most dangerous privacy rollbacks we’ve seen in years. S.B. 690, what we’re calling the Corporate Cover-Up Act, is a brazen attempt to let corporations spy on us in secret, gutting long-standing protections without a shred of accountability.

The Corporate Cover-Up Act is a massive carve-out that would gut California’s Invasion of Privacy Act (CIPA) and give Big Tech and data brokers a green light to spy on us without consent for just about any reason. If passed, S.B. 690 would let companies secretly record your clicks, calls, and behavior online—then share or sell that data with whomever they’d like, all under the banner of a “commercial business purpose.”

Simply put, The Corporate Cover-Up Act (S.B. 690) is a blatant attack on digital privacy, and is written to eviscerate long-standing privacy laws and legal safeguards Californians rely on. If passed, it would:

  • Gut California’s Invasion of Privacy Act (CIPA)—a law that protects us from being secretly recorded or monitored
  • Legalize corporate wiretaps, allowing companies to intercept real-time clicks, calls, and communications
  • Authorize pen registers and trap-and-trace tools, which track who you talk to, when, and how—without consent
  • Let companies use all of this surveillance data for “commercial business purposes”—with zero notice and no legal consequences

This isn’t a small fix. It’s a sweeping rollback of hard-won privacy protections—the kind that helped expose serious abuses by companies like Facebook, Google, and Oracle.

TAKE ACTION

You Can't Opt Out of Surveillance You Don't Know Is Happening

Proponents of The Corporate Cover-Up Act claim it’s just a “clarification” to align CIPA with the California Consumer Privacy Act (CCPA). That’s misleading. The truth is, CIPA and CCPA don’t conflict. CIPA stops secret surveillance. The CCPA governs how data is used after it’s collected, such as through the right to opt out of your data being shared.

You can't opt out of being spied on if you’re never told it’s happening in the first place. Once companies collect your data under S.B. 690, they can:

  • Sell it to data brokers
  • Share it with immigration enforcement or other government agencies
  • Use it to against abortion seekers, LGBTQ+ people, workers, and protesters, and
  • Retain it indefinitely for profiling

…with no consent; no transparency; and no recourse.

The Communities Most at Risk

This bill isn’t just a tech policy misstep. It’s a civil rights disaster. If passed, S.B. 690 will put the most vulnerable people in California directly in harm’s way:

  • Immigrants, who may be tracked and targeted by ICE
  • LGBTQ+ individuals, who could be outed or monitored without their knowledge
  • Abortion seekers, who could have location or communications data used against them
  • Protesters and workers, who rely on private conversations to organize safely

The message this bill sends is clear: corporate profits come before your privacy.

We Must Act Now

S.B. 690 isn’t just a bad tech bill—it’s a dangerous precedent. It tells every corporation: Go ahead and spy on your consumers—we’ve got your back.

Californians deserve better.

If you live in California, now is the time to call your lawmakers and demand they vote NO on the Corporate Cover-Up Act.

TAKE ACTION

Spread the word, amplify the message, and help stop this attack on privacy before it becomes law.

Rindala Alajaji

CA: Stop the Corporate Cover Up Act (S.B. 690)

EFF action alerts
5 days 7 hours ago

S.B. 690 is a corporate cover-up. Tell California lawmakers to reject it.
California’s S.B. 690 would gut long standing privacy protections and give corporations free rein to secretly surveil, record, and profit off Californians’ private moments. If passed, it would:
● Legalize corporate interception of real-time communications, location data, and device activity without consent
● Allow companies to use invasive tools like wiretaps, pen registers, and trap-and-trace devices for any “commercial business purpose”
● Remove accountability by eliminating your right to sue under California’s Invasion of Privacy Act (CIPA)
● Create new risks for immigrants, LGBTQ+ people, abortion seekers, and protesters

Electronic Frontier Foundation

【お知らせ】ヒロシマが再び『軍都』になるの?―高校生たちと共に考える私たちの未来 7月5日(土)13時から18時 広島弁護士会館

日本ジャーナリストクラブ(JCJ)
5 days 8 hours ago
【開催趣旨】世界ではウクライナやパレスチナ・ガザで殺戮、虐殺が続いています。広島でも、平和都市ヒロシマがヒロシマでなくなるようなことが起きていると言われています。広島の地で声をあげてみませんか。力と知恵を持ち寄ってみませんか。いろんな人の声に耳を傾けてみませんか。年齢や性別、国籍、職業、もろもろの違いを超えて集まり、高校生たちと未来を考えませんか。【プログラム】虐殺とヒロシマを伝える 斉藤とも子(俳優)ガザ虐殺、広島原爆、原発をめぐる詩作品などの朗読。第1部「トランプ時代のヒ..
JCJ

Our staff and trustees

Statewatch
5 days 12 hours ago
Staff

To contact individual staff members, replace [at] with @.

Chris Jones (Executive Director)

Chris has been working for Statewatch since 2010 and in September 2020 was appointed as Executive Director. He specialises in issues relating to policing, migration, privacy and data protection and security technologies.

Romain Lanneau (Consultant Researcher)

Romain Lanneau is a legal researcher, publishing on the topics of migration, asylum, and the use of new technologies for public policies. He has been working for Statewatch since 2022. As an independent consultant, he worked for the European Network Against Racism, Fair Trials International and Data Rights. In addition to leading investigation and producing research, Romain has been assisting activists with strategic litigation on digital rights issues. He holds a LLM in International Migration and Refugee Law from the University of VU Amsterdam as well as a Master degree in Public International Law from the University of Lyon III.

Yasha Maccanico (Researcher)

Yasha has worked for Statewatch since 1998, providing news coverage, analysis and translations to link EU policies to events on the ground in the justice and home affairs field in several member states (UK, Italy, Spain, France, Belgium and Portugal). He has extensive public speaking experience in civil society and academic contexts and in 2019 completed a PhD at the University of Bristol in Policy Studies on the topic of 'European Immigration Policies as a Problem: State Power and Authoritarianism'.

McKensie Marie (Head of Communications)

McKensie joined Statewatch in early 2024 to lead its communications efforts, shaping and implementing our communications strategy. She manages external outreach and oversees all aspects of our communication work. With experience as a communications specialist, designer, copywriter, and researcher, McKensie has worked with NGOs and charities across Europe and North America. She holds a BA in Culture & Political Studies from The Evergreen State College, USA, and an MA in Cultural Encounters & Communication Studies from Roskilde University, Denmark. In addition to her communications role, McKensie conducts academic research on international development, political communication, and cultural identity.

Rahmat Tavakkoli (Finance & Administration Worker)

Rahmat joined Statewatch in September 2021 to take care of our financial and administrative procedures, ensure compliance with regulatory requirements and contribute to the smooth running of the office and the organization.

  • Email admin [at] statewatch.org

Tony Bunyan (Founder, Director, 1991-2020; Director Emeritus, 2020-2024)

Tony passed away in September 2024. You can find our tribute to his life and work here.

 

Trustees

Marie-Laure Basilien-Gainche

Marie-Laure Basilien-Gainche is Professor of Law at the University Jean Moulin Lyon 3, honorarium member of the Institut Universitaire de France, and fellow of the Institut Convergence Migrations. Her researches focus on the exigencies of the rule of law and their limitations in cases of exceptions: the situations of serious crises which allow the concentration of powers and restriction of rights (e.g. the use of the state of emergency), and the areas of legal confinement which are conducive to abuses of power and rights infringements (e.g. camps and centres where migrants and refugees are detained). She is member of the editorial board of various reviews and is involved in numerous academics networks regarding human rights law. You can find more information about her activities and publications on her personal webpage.

Laure Baudrihaye-Gérard

Laure is a lawyer based in Brussels, where she works on EU and Belgian criminal justice policy. She qualified as a solicitor in London, specialised in EU law and worked in private practice in both London and Brussels before studying criminology. After participating in several academic research projects, Laure joined Fair Trials, a criminal justice watchdog, in 2018. As Legal Director for Europe, she led on EU advocacy, strategic litigation in European courts and the coordination of a European-wide network of criminal defence lawyers, civil society and academic organisations. She has also been working as a prison monitor since 2019 in a large pre-trial detention prison in Brussels, and since 2020 heads up the appeals committee that adjudicates on complaints from detained people against the prison administration.

Jonathan Bloch

Jonathan Bloch studied law at the University of Cape Town and the London School of Economics. He was politically involved in South Africa in the worker and student movement and remains active in human rights circles in the UK. From 2002 until 2014 he chaired the Canon Collins Educational and Legal Assistance Trust, one of the largest scholarship awarding organisations in South Africa. He was a councillor in the London Borough of Haringey 2002-14. He has co-authored several books on intelligence. He owns and runs a worldwide financial information business across four continents.

Victoria Canning

Victoria Canning is senior lecturer in Criminology at the University of Bristol. She has spent over a decade working on the rights of women seeking asylum, specifically on support for survivors of sexual violence and torture with NGOs and migrant rights organisations. She recently completed an ESRC Research Leaders Fellowship focussing on harmful practice in asylum systems in Britain, Denmark and Sweden, and the gendered implications thereof. Vicky has experience researching in immigration detention in Denmark and Sweden, as well as Denmark’s main deportation centre. She is currently embarking on a study of torture case file datasets with the Danish Institute Against Torture which aims to create a basis from which to better identify and thus respond to sexual torture and sexualised torturous violence with refugee survivors of torture more broadly.

Nadine Finch

Nadine was a member of the Statewatch contributors group for a number of years and also previously a trustee. She was a human rights barrister between 1992 and 2015 and an Upper Tribunal Judge from 2015 to 2020. She is now an Honorary Senior Policy Fellow at the University of Bristol and an Associate at Child Circle, a children's rights NGO based in Brussels.

Statewatch

FBI Warning on IoT Devices: How to Tell If You Are Impacted

EFF update
5 days 20 hours ago

On June 5th, the FBI released a PSA titled “Home Internet Connected Devices Facilitate Criminal Activity.” This PSA largely references devices impacted by the latest generation of BADBOX malware (as named by HUMAN’s Satori Threat Intelligence and Research team) that EFF researchers also encountered primarily on Android TV set-top boxes. However, the malware has impacted tablets, digital projectors, aftermarket vehicle infotainment units, picture frames, and other types of IoT devices. 

One goal of this malware is to create a network proxy on the devices of unsuspecting buyers, potentially making them hubs for various potential criminal activities, putting the owners of these devices at risk from authorities. This malware is particularly insidious, coming pre-installed out of the box from major online retailers such as Amazon and AliExpress. If you search “Android TV Box” on Amazon right now, many of the same models that have been impacted are still up being sold by sellers of opaque origins. Facilitating the sale of these devices even led us to write an open letter to the FTC, urging them to take action on resellers.

The FBI listed some indicators of compromise (IoCs) in the PSA for consumers to tell if they were impacted. But the average person isn’t running network detection infrastructure in their homes, and cannot hope to understand what IoCs can be used to determine if their devices generate “unexplained or suspicious Internet traffic.” Here, we will attempt to help give more comprehensive background information about these IoCs. If you find any of these on devices you own, then we encourage you to follow through by contacting the FBI's Internet Crime Complaint Center (IC3) at www.ic3.gov.

The FBI lists these IoC:

  • The presence of suspicious marketplaces where apps are downloaded.
  • Requiring Google Play Protect settings to be disabled.
  • Generic TV streaming devices advertised as unlocked or capable of accessing free content.
  • IoT devices advertised from unrecognizable brands.
  • Android devices that are not Play Protect certified.
  • Unexplained or suspicious Internet traffic.

The following adds context to above, as well as some added IoCs we have seen from our research.

Play Protect Certified

“Android devices that are not Play Protect certified” refers to any device brand or partner not listed here: https://www.android.com/certified/partners/. Google subjects devices to compatibility and security tests in their criteria for inclusion in the Play Protect program, though the mentioned list’s criteria are not made completely transparent outside of Google. But this list does change, as we saw with the tablet brand we researched being de-listed. This encompasses “devices advertised from unrecognizable brands.” The list includes international brands and partners as well.

Outdated Operating Systems

Other issues we saw were really outdated Android versions. For posterity, Android 16 just started rolling out. Android 9-12 appeared to be the most common versions routinely used. This could be a result of “copied homework” from previous legitimate Android builds, and often come with their own update software that can present a problem on its own and deliver second-stage payloads for device infection in addition to what it is downloading and updating on the device.

You can check which version of Android you have by going to Settings and searching “Android version”.

Android App Marketplaces

We’ve previously argued how the availability of different app marketplaces leads to greater consumer choice, where users can choose alternatives even more secure than the Google Play Store. While this is true, the FBI’s warning about suspicious marketplaces is also prudent. Avoiding “downloading apps from unofficial marketplaces advertising free streaming content” is sound (if somewhat vague) advice for set-top boxes, yet this recommendation comes without further guidelines on how to identify which marketplaces might be suspicious for other Android IoT platforms. Best practice is to investigate any app stores used on Android devices separately, but to be aware that if a suspicious Android device is purchased, it can contain preloaded app stores that mimic the functionality of legitimate ones but also contain unwanted or malicious code.

Models Listed from the Badbox Report

We also recommend looking up device names and models that were listed in the BADBOX 2.0 report. We investigated the T95 models along with other independent researchers that initially found this malware present. A lot of model names could be grouped in families with the same letters but different numbers. These operations are iterating fast, but the naming conventions are often lazy in this respect. If you're not sure what model you own, you can usually find it listed on a sticker somewhere on the device. If that fails, you may be able to find it by pulling up the original receipt or looking through your order history.

A Note from Satori Researchers:

“Below is a list of device models known to be targeted by the threat actors. Not all devices of a given model are necessarily infected, but Satori researchers are confident that infections are present on some devices of the below device models:”

List of Potentially Impacted Models

Broader Picture: The Digital Divide

Unfortunately, the only way to be sure that an Android device from an unknown brand is safe is not to buy it in the first place. Though initiatives like the U.S. Cyber Trust Mark are welcome developments intended to encourage demand-side trust in vetted products, recent shake ups in federal regulatory bodies means the future of this assurance mark is unknown. This means those who face budget constraints and have trouble affording top-tier digital products for streaming content or other connected purposes may rely on cheaper imitation products that are rife with not only vulnerabilities, but even come out-of-the-box preloaded with malware. This puts these people disproportionately at legal risk when these devices are used to provide the buyers’ home internet connection as a proxy for nefarious or illegal purposes.

Cybersecurity and trust that the products we buy won’t be used against us is essential: not just for those that can afford name-brand digital devices, but for everyone. While we welcome the IoCs that the FBI has listed in its PSA, more must be done to protect consumers from a myriad of dangers that their devices expose them to.

Alexis Hancock

Weekly Report: Apache Tomcatに複数の脆弱性

JPCERT
6 days ago
Apache Tomcatには、複数の脆弱性があります。この問題は、当該製品を修正済みのバージョンに更新することで解決します。詳細は、開発者が提供する情報を参照してください。