The FCC wants to legally force telecoms to collect new and renewing customers' government issued identity number and physical address, impacting everyone from the privacy-conscious to domestic abuse survivors. “We never thought that would happen here.” #Privacy #News


FCC Wants to Kill Burner Phones By Forcing Telecoms to Get All Customers’ IDs


The Federal Communications Commission (FCC) wants to make it effectively impossible for people to buy what many call burner phones—a phone not explicitly linked to your identity at the point of purchase—which would impact everyone from privacy-conscious people to domestic abuse survivors to journalists, and many more. The FCC plans to do this by legally forcing the country’s telecoms to store a wealth of personal information about essentially all phone customers, including a government issued identification number and their physical address, alarming privacy advocates and civil rights activists who compare the measures to those from authoritarian countries where it can be difficult to buy a mobile phone plan without giving up your identity.

The proposed change would drastically shake up how people obtain phone plans in the U.S., and have all sorts of privacy and cybersecurity knock-on effects. The FCC is proposing the data collection partly as a way to combat scammers, with telecoms being required to collect other information on business and foreign customers like the intended use case of their bulk phone plan purchase and their IP address. But the changes would mean telecoms collect data on all new and renewing customers, and the FCC provides a long list of other things that the collected data could help authorities with.

💡
Do you know anything else about this proposed change? I would love to hear from you. Using a non-work device, you can message me securely on Signal at joseph.404 or send me an email at joseph@404media.co.

“For decades, civil libertarians have looked overseas at authoritarian countries where the government requires people to register to get a mobile phone to ensure they can be tracked. We never thought that would happen here,” Jay Stanley, senior policy analyst at the American Civil Liberties Union’s (ACLU) Speech, Privacy, and Technology Project told 404 Media in an email. “But make no mistake: with this rulemaking, the government is contemplating taking away people’s ability to get a burner phone, which will hurt low-income people, domestic violence victims, and anyone else who cares about their privacy.”

In a synopsis of the proposed changes, the FCC writes, “Specifically, we seek comment on requiring originating providers to, at a minimum, obtain and retain the name, physical address, government issued identification number, and an alternate telephone number of any new and renewing customer before granting access to its services.” The goal of collecting this data, the FCC writes, is to deter some scammers from getting onto a telecom network in the first place, and so “enforcers will be better able to identify the scammers when they do.” The FCC compares the changes to the sort of data collected by banks to prevent money laundering.

One section stresses that the newly collected data would help “law enforcement to more easily identify callers that use the network to perpetuate crimes by ensuring that voice providers have accurate and complete customer information.” It goes on to ask if the data would help identify people buying and selling illicit goods; the investigation of “fraud, espionage, or influence operations that undermine national security”, and “address abuse in text messaging networks.”
“Criminals continue to leverage the anonymity provided by phone calls and texts to defraud Americans and exploit communications networks to further other crimes,” one section reads.

At the moment, the FCC is seeking comments about its proposed changes, with interested or concerned parties—think telecom companies, law enforcement, or privacy advocates—able to weigh in. But the intention of the FCC is clear: the agency wants telecoms to be legally obligated to collect much more personally identifying information on new and returning customers, linking them directly to their phone number and phone usage data. The FCC also asks whether the amount of data collected should change depending on whether a customer is seeking a prepaid or a postpaid service plan.

Multiple privacy and technology experts strongly pushed back against the proposed changes. “This proposal by the FCC will do little to combat scams and robocalls, since most people doing that will have no trouble creating fake documentation or identities,” Cooper Quintin, security researcher and senior public interest technologist with the Electronic Frontier Foundation (EFF), told 404 Media. “Given this administration’s crackdown on free expression, protest, immigrants, and women’s health we have trouble seeing this as a bold attack on freedom of communication. They want to take away our ability to make an anonymous phone call.”

Eric Null, the director of the Privacy & Data Project at the Center for Democracy & Technology, told 404 Media in an emailed statement “To address the scourge of illegal robocalls, the FCC has unfortunately proposed to force every wireless subscriber in the nation to sacrifice their privacy and give up significant personal details before receiving or renewing a wireless line. While some carriers already collect such details, there are specific circumstances where a person may need privacy and anonymity when seeking a cell phone, including if that person is a victim of domestic violence, or is a journalist or whistleblower. This proposal represents a loss of privacy across the board, and from an agency whose remit includes protecting privacy. The FCC might let a few bad apples spoil the whole bunch.”

Cape is a privacy-focused telecom company that limits the amount of data it collects on its customers. John Doyle, the company’s CEO, told 404 Media in an emailed statement “We hate robocalls and support eliminating them, but entrusting telecom carriers to effectively create a nationwide ID registry for every American with a phone is not the solution. Mobile carriers have been breached time and again because the incentives to secure trillions of dollars of legacy architecture aren’t there. Further enriching compromised telecom datasets with government ID, physical addresses, and alternate phone numbers harms our security rather than improving it.”

Given this proposal is in the comments stage, the FCC has many questions it is hoping to receive information on, such as whether “renewing” customers should be only those new to the provider, or those switching plans with their current telecom; or whether they should not allow the use of P.O. boxes or shared office locations as the required “physical address.”

The FCC did not respond to 404 Media’s request for comment. The proposal is open to comments until June 25.


SignalTrace “links devices that regularly travel together, correlating them to license plate.” It is a surveillance product that will sweep up and add all sorts of Bluetooth and other data to license plate readers, linking specific devices—and people—to cars. #Privacy #News


This Company Will Add Phone, AirPod, and Smartwatch Trackers to License Plate Readers


A surveillance company plans to add sensors to automatic license plate readers (ALPRs) so that the devices, as well as capturing the license plates of passing vehicles, would also sweep up unique identifiers of mobile phones, wearables, and other Bluetooth-enabled devices in those cars, potentially letting law enforcement identify specific drivers or passengers.

The technology, called SignalTrace, would turn ALPR cameras from devices focused on tracking cars to ones that can more readily track the location of particular people. ALPR cameras have become a commonly deployed technology all across the U.S.; SignalTrace would make some of those cameras capable of collecting much more data.

💡
Do you know anything else about SignalTrace? Do you work for Leonardo? I would love to hear from you. Using a non-work device, you can message me securely on Signal at joseph.404 or send me an email at joseph@404media.co.

This post is for subscribers only




BusPatrol plans to scan the license plates of all vehicles the buses drive past, and then let law enforcement search that data. The plan would essentially turn school buses into roaming surveillance vehicles. #News #Privacy #ALPR


‘BusPatrol’ Put AI Cameras in Tens of Thousands of School Buses. Now They Want to Give Cops Access


BusPatrol, a company that has installed AI-powered cameras in tens of thousands of school buses around the U.S., now plans to turn those cameras into automatic license plate readers (ALPRs), capturing the location of every vehicle the buses drive past, and give that data to law enforcement, 404 Media has learned. The plan will essentially transform school buses into roaming surveillance vehicles, taking a technology that was originally designed to issue tickets to people illegally passing stopped buses and using it for much wider and general law enforcement, likely without a warrant.

BusPatrol has already taken steps to share the collected data with law enforcement contracting giant Axon, according to leaked BusPatrol documents and a source with knowledge of the plans. Internally, BusPatrol has acknowledged how controversial its plan to collect and share this data is, pointing specifically to concerns about ICE using license plate data, but emphasizes the likely success of selling the angle of protecting children.



Only a couple vendors could likely fulfill what the FBI is after, namely Flock and Motorola. #Privacy #News


The FBI Wants to Buy Nationwide Access to License Plate Readers


The FBI wants to buy access to automated license plate readers (ALPRs) nationwide, which would likely allow the agency to track the movements of vehicles—and by extension people—across the country without a warrant, according to FBI procurement records reviewed by 404 Media.

The documents show that ALPRs continue to be a sought-after tool for law enforcement, not just for local police and individual communities, but federal agencies too. The news also comes as protests and pushback against ALPRs have spread around the country.

💡
Do you work at Flock or Motorola? I would love to hear from you. Using a non-work device, you can message me securely on Signal at joseph.404 or send me an email at joseph@404media.co.



“With your permission, your child’s lead teacher may wear a small teacher-worn camera that captures the teacher's approximate first-person perspective, and/or we may place a fixed video camera in the classroom,” a document given to parents and later shared with 404 Media reads. #Privacy #News


Researchers Wanted Preschool Teachers to Wear Cameras to Train AI


University of Washington researchers planned to have preschool teachers wear cameras that would record everything they saw from a first-person perspective, including the children they were teaching, then use that footage to develop AI models. One parent who spoke to 404 Media understood the program as opt-out, rather than opt-in. The university said classroom participation was contingent upon receiving parental permission for all of the children.

“With your permission, your child’s lead teacher may wear a small teacher-worn camera that captures the teacher's approximate first-person perspective, and/or we may place a fixed video camera in the classroom,” a document given to parents and later shared with 404 Media reads. “These videos simply capture the normal interactions between teachers and children during regular classroom activities. Recordings occur during morning program hours up to 150 minutes, up to 4 visits in one month. Your child will not be asked to do anything new or different. Their daily routine will stay exactly the same.”

💡
Do you know anything else about how researchers are using AI? I would love to hear from you. Using a non-work device, you can message me securely on Signal at joseph.404 or send me an email at joseph@404media.co.



Mayo Clinic's "Ambient Listening" has been around for a couple of years, but clearly not all patients know their interactions with nurses are being passively recorded and processed by AI. #Privacy #News


Mayo Clinic is Using AI to Listen to Emergency Room Visits


Mayo Clinic, the massive U.S. hospital network, is using what it describes as “Ambient Listening” to record patient interactions with nurses, including in emergency rooms, then using AI to process that collected data. The recording is opt-out, rather than opt-in, and at least some patients are likely not aware the recording is happening.

The recording brings up questions of informed consent and whether the generated notes may be accurate enough. A study last month found that AI-powered scribe tools sometimes produce much less accurate notes than humans depending on the situation.

💡
Do you know anything else about AI use in healthcare? I would love to hear from you. Using a non-work device, you can message me securely on Signal at joseph.404 or send me an email at joseph@404media.co.



“This is the Strait of Hormuz in the data economy. If you want to make a change, this is where you cut it off. Anything short of that is theatrical political posture.” #News #Privacy


Google, Microsoft, Meta All Tracking You Even When You Opt Out, According to an Independent Audit


An independent privacy audit of Microsoft, Meta, and Google web traffic in California found that the companies may be violating state regulations and racking up billions in fines. According to the audit from privacy search engine webXray, 55 percent of the sites it checked set ad cookies in a user’s browser even if they opted out of tracking. Each company disputed or took issue with the research, with Google saying it was based on a “fundamental misunderstanding” of how its product works.

The webXray California Privacy Audit viewed web traffic on more than 7,000 popular websites in California in the month of March and found that most tech companies ignore when a user asks to opt out of cookie tracking. California has stringent and well-defined privacy legislation thanks to its California Consumer Privacy Act (CCPA), which allows users to, among other things, opt out of the sale of their personal information. There’s a system called Global Privacy Control (GPC), which includes a browser extension that indicates to a website when a user wants to opt out of tracking.

According to the webXray audit, Google failed to let users opt out 87 percent of the time. “Googleʼs failure to honor the GPC opt-out signal is easy to find in network traffic. When a browser using GPC connects to Googleʼs servers it encodes the opt-out signal by sending the code ‘sec-gpc: 1.’ This means Google should not return cookies,” the audit said. “However, when Googleʼs server responds to the network request with the opt-out it explicitly responds with a command to create an advertising cookie named IDE using the ‘set-cookie’ command. This non-compliance is easy to spot, hiding in plain sight.”

The audit said that Microsoft fails to opt out users in the same way and has a failure rate of 50 percent in the web traffic webXray viewed. Meta’s failure rate was 69 percent and a bit more comprehensive. “Meta instructs publishers to install the following tracking code on their websites. The code contains no check for globally standard opt-out signals—it loads unconditionally, fires a tracking event, and sets a cookie regardless of the consumerʼs privacy preferences,” the audit said. It showed a copy of Meta’s tracking data which contains no GPC check at all.

webXray is an independent technology company that runs a search engine that lets people look for privacy violations on the internet. Its founder Timothy Libert is the former lead of cookie policy and compliance at Google. Libert told 404 Media he felt his job at Google was to protect its users but that his bosses didn’t agree. He left the company in 2023 and started webXray.

“Shortly before I left my boss told me, direct quote, my job is to protect the company. There was another time I got into a very serious ontological discussion with a fairly senior engineer about what the difference was between taxes and fines and they didn’t understand there was a difference,” he said.
Microsoft, Meta, and Google have collectively paid billions in fees for previous privacy violations similar to the ones Libert and webXray found during the audit. According to Libert, the big tech companies don’t fear these fines. “In many ways fines have come to replace taxes,” he said. “What I’m trying to show here is, ‘How is enforcement failing?’ What we’re trying to do here is put people in the regulatory and legal community who work on these issues to have an understanding of what’s actually going on under the hood.”

One of the things going on under the hood revealed in the audit is how cookie banners work. Anyone who uses the internet has seen these annoying pop-ups that ask users how they want to handle cookies issued from the site. These are called consent management platforms (CMPs). Google, one of the premier purveyors of cookies, runs a service called “Cookiebot” that certifies CMPs.

“This clear conflict of interest led us to ask: do these CMPs actually work?” the audit said. “By measuring what happens when an opt-out signal is sent to a website, we were able to find out, and the findings are clear: no Google-certified CMP we evaluated works 100% of the time, and all of them are often found to fail to prevent Google from setting cookies despite opt-out signals being present.”

webXray said it tested three CMP companies and found opt-out failure rates of 77 percent, 91 percent, and 90 percent. “It does not work. It fails. It lets Google, specifically the party who said that this will work, it lets them set cookies,” Libert said.

Google, Meta, and Microsoft all disputed the audit. “This report is based on a fundamental misunderstanding of how our products work. We honor opt-out provided by advertisers and publishers as required by law,” a Google spokesperson told 404 Media.

“This is a marketing ploy that mischaracterizes how GPC works and Meta's role,” Meta told 404 Media. “GPC only restricts certain uses of third-party data and allows website operators to override GPC signals, and we offer the Limited Data Use feature to help websites indicate what permissions they have. When data is transmitted to us with the LDU flag, we restrict the use of that data, as specified in our State-Specific Terms.”

“Consumer privacy is a top priority for us, and we remain committed to transparency and compliance with applicable privacy requirements. As outlined in our Privacy Statement, when we receive a GPC signal, we opt the user out of sharing personal data with third parties for personalized advertising, and our advertising systems are designed to reflect that choice,” a Microsoft spokesperson said. “Certain Microsoft cookies are necessary for operational purposes, and may therefore be placed and read even when a GPC signal is detected.”

“In my view this stuff isn’t complicated. You say, ‘don’t set the cookie.’ They set the cookie,” Libert said. “The regulators see a fox going into the henhouse and the fox says, ‘I’m just here to count the eggs, not to eat any chickens.’ And they take them at their word. They don’t make them produce any public record.”

When caught, governments levy fines against companies and the companies pay. Libert said that isn’t enough. “They can just pay fines forever,” he said.

Key to the audit is that Libert and his team provided a simple solution to the violations. According to webXray, it’s as easy as adding one line of code. “When Microsoftʼs ad server receives traffic with Sec-GPC: 1, all it has to do is return a 451 Unavailable For Legal Reasons status code to indicate the content cannot be served due to the consumerʼs legally defined opt-out. No cookie is set in this condition,” the audit said.

“This is the Strait of Hormuz in the data economy. If you want to make a change, this is where you cut it off. Anything short of that is theatrical political posture,” Libert said.
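The opt-out check and the 451 response the audit describes, plus the network-traffic check it says makes non-compliance "easy to spot", as an added example that is not code from webXray, 404 Media or any company named above. The header names, the `IDE` cookie name and the 451 status come from the quoted audit text; the `.example` hosts, the function names and the sample exchanges are constructed for illustration.

```javascript
// Added example (not from the audit): honoring Sec-GPC on the server side and
// auditing captured traffic for responses that set cookies despite an opt-out.

// HTTP header names are case-insensitive, so compare them in lower case.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

// True when the request carries the Global Privacy Control signal "Sec-GPC: 1".
function hasGpcOptOut(requestHeaders) {
  const value = normalizeHeaders(requestHeaders)['sec-gpc'];
  return typeof value === 'string' && value.trim() === '1';
}

// Names of the cookies a response sets. Set-Cookie may arrive as one string
// or as an array with one entry per cookie.
function setCookieNames(responseHeaders) {
  const raw = normalizeHeaders(responseHeaders)['set-cookie'];
  if (raw === undefined) return [];
  const lines = Array.isArray(raw) ? raw : [raw];
  return lines
    .map((line) => line.split(';')[0].split('=')[0].trim())
    .filter(Boolean);
}

// Server side: the fix quoted from the audit. An opted-out request gets
// 451 Unavailable For Legal Reasons and no Set-Cookie header at all.
function respondToAdRequest(requestHeaders) {
  if (hasGpcOptOut(requestHeaders)) {
    return { status: 451, headers: {}, body: '' };
  }
  return {
    status: 200,
    // Constructed cookie value; only the name IDE comes from the audit text.
    headers: { 'set-cookie': ['IDE=constructed-value; Path=/; Secure'] },
    body: '',
  };
}

// Audit side: among exchanges whose request sent Sec-GPC: 1, flag every
// response that still set a cookie. Pass adCookieNames to count only known
// advertising cookies, since some cookies may be claimed as operational.
function auditExchanges(exchanges, adCookieNames = null) {
  const findings = [];
  let optedOut = 0;
  for (const ex of exchanges) {
    if (!hasGpcOptOut(ex.requestHeaders)) continue;
    optedOut += 1;
    const names = setCookieNames(ex.responseHeaders);
    const flagged = adCookieNames
      ? names.filter((n) => adCookieNames.includes(n))
      : names;
    if (flagged.length > 0) {
      findings.push({ url: ex.url, status: ex.status, cookies: flagged });
    }
  }
  const failures = findings.length;
  return { optedOut, failures, failureRate: optedOut ? failures / optedOut : 0, findings };
}

// Constructed sample traffic (not real captures).
const SAMPLE_EXCHANGES = [
  { // opt-out sent, advertising cookie set anyway: a failure
    url: 'https://ads.example/pixel?site=news',
    requestHeaders: { 'sec-gpc': '1' },
    status: 200,
    responseHeaders: { 'set-cookie': ['IDE=constructed-1; Path=/; Secure'] },
  },
  { // opt-out sent, server answers 451 with no cookie: compliant
    url: 'https://ads.example/pixel?site=shop',
    requestHeaders: { 'Sec-GPC': '1' },
    status: 451,
    responseHeaders: {},
  },
  { // no opt-out signal, so this exchange is out of scope for the audit
    url: 'https://ads.example/pixel?site=blog',
    requestHeaders: {},
    status: 200,
    responseHeaders: { 'Set-Cookie': ['IDE=constructed-2; Path=/'] },
  },
  { // opt-out sent, a non-advertising cookie set (single-string header form)
    url: 'https://cdn.example/app.js',
    requestHeaders: { 'sec-gpc': '1' },
    status: 200,
    responseHeaders: { 'set-cookie': 'session=constructed-3; HttpOnly' },
  },
];

const report = auditExchanges(SAMPLE_EXCHANGES, ['IDE']);
console.log(`${report.failures} of ${report.optedOut} opted-out requests got an ad cookie`);
```

Without the second argument, `auditExchanges` counts any cookie set after an opt-out; whether a given cookie is advertising or operational is the point the companies dispute, so that list is a policy decision for whoever runs the audit.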


At a New York party, attendees spent Trans Day of Visibility dancing, DJing, and learning how to become less visible online. #Privacy #Security #opsec #persec


A 'Self-Doxing' Rave Helps Trans People Stay Safe Online


It’s Trans Day of Visibility, and I’m at an event space in the heart of New York City’s Commie Corridor to learn how to become less visible online.

The crowd gathered at the aptly-named Trans Pecos in Ridgewood, Queens is here for “404: Deadname Not Found,” a digital self-defense workshop which promises to teach trans people how to find and remove their sensitive personal information from the internet (and which also has no relation to this website). The vibe is giving OpSec rave happy hour—attendees sip colorful drinks, groove to DJ sets, and huddle around laptops using online tools to track down their own digital footprints.

The goal of the exercise is to find holes in your digital defenses, a practice cybersecurity folks call “red-teaming.” A slide deck guides participants through this “self-doxing” ritual, instructing them to use websites like IntelBase, PimEyes, and haveibeenpwned to find addresses, selfies, passwords, old names and aliases, and other personal info that might have been left sitting around on the open internet.

It makes for great cocktail party banter. One participant raises their arms in triumph upon receiving a clean bill of health while checking if their information was leaked in a data breach. Others swivel laptop screens and compare notes on the various places their digital detritus had cropped up. In my case, I was lucky: I mostly found data brokers with incorrect information, a long-forgotten MySpace page, and a woman whose spam calls I’ve been receiving for the past 10 years. Finally, participants are directed to various pages where they can request data to be removed, or sign up for discounted services like Kanary and DeleteMe that do the removals on your behalf.

Behind the fun and light atmosphere, everyone here knows the unspoken reality that drives tonight’s activities: an unrelenting wave of discriminatory bills and executive orders that are rapidly demolishing trans rights across the US. “Trans Visibility” is a nice idea, but it turns out it really sucks to be visible in a fascist surveillance state where the highest levels of government are obsessively trying to destroy your ability to live.

“In this world of hyper-surveillance, I want to make sure all my stuff is safe and that no one is trying to harvest my data for anything,” Anna, a workshop participant, told 404 Media. Anna asked to use a pseudonym to protect her identity, which is not surprising given that the goal of the workshop is to make it harder to be doxed. “Especially now that there’s lots of incentives for the federal government to get into that business, I just wanna make sure all of that is under wraps.”

Like the event’s name suggests, many attendees are looking for traces of their “deadnames,” which is how some trans folks refer to the names they were given pre-transition. Trans people face a disproportionately high risk of being doxed online, and deadnames and other sensitive info are frequently dug up on right-wing hate forums like KiwiFarms and social media sites like Elon Musk’s X, where harassment campaigns and hate speech are allowed and even encouraged.

“We have to protect ourselves,” said Ryan, who also used a pseudonym. “It’s great to know how to find stuff like this, because you never know what’s still out there.”

Imani Thompson, a digital security trainer who organized the event as part of her series Cache Me Outside, says she started hosting the free workshops at queer bars in Brooklyn a year ago, after noticing trans and intersex friends who were noticeably shaken by the opening salvos of the second Trump administration.

“I hadn't seen cybersecurity events that looked like they would attract or resonate with the crowds I felt needed this information the most,” she told 404 Media. “I wanted to make this fun and un-intimidating and doing digital security training at the bar is kind of silly and fun and gives us a built-in VPN and protection from sensitive convos being recorded.”
There are specific reasons many trans people are anxious about their personal data and online presence these days. For one, trans identities often don’t fit neatly into government boxes, and the name and gender they are assigned at birth may or may not match their government-issued IDs. Recently, a new law in Kansas resulted in hundreds of trans people being told that their driver’s licenses and IDs had been invalidated overnight, forcing them to obtain new documents that revert to the sex marker assigned at birth. Journalist Marissa Kabas later reported that the 300 trans IDs in question had been flagged and not immediately invalidated, but the goal of the law and its ensuing chaos was clear: requiring trans people to have IDs that don’t match their appearance or lived reality, forcing them to out themselves and introducing friction and discrimination into their everyday lives.

The same Kansas law also implemented the first state-level “bathroom bounty,” making it a crime for trans people to use appropriate bathrooms and changing rooms and promising rewards to random passersby who feel “aggrieved” by someone they think might be trans. Lawmakers in Idaho have passed an even harsher bill, which would charge repeat trans bathroom-users with a felony and up to 5 years of jail time. These bills threaten not only trans people, but anyone whose appearance might fall outside of someone’s normative expectations of “male” and “female.” And they are especially dangerous at a time when facial recognition can near-instantly identify someone with a quick search.

Thompson also worries about the information that queer folks can reveal while asking for help online. Trans people experience unemployment, housing insecurity, and violence at exponentially higher rates than cis people, and it’s not uncommon to see Gofundme pages and Venmo accounts flooding social media feeds. These posts will sometimes include personal details like a person’s name, face, transition status, location, immigration status, and even how much they have in their bank account—great for getting donations, but not so great for the doxable breadcrumbs they leave behind.



“I think the risk is tenfold for the dolls and Black trans siblings because of disproportionate scrutiny in light of these bathroom bills and also how we do mutual aid,” said Thompson. “Whenever I see a mutual aid request being reposted or processed it makes me nervous, because we're basically doxing our most vulnerable friends.” To reduce risk, she recommends people take down mutual aid posts as soon as needs are met and set their Venmo activity to private. “I feel like the intention in listing off how all these systems of oppression impact our friends are meant to create a sense of urgency and care, but then months later it's still floating around and is a goldmine for someone who wants to claim they were made to feel unsafe in a bathroom so they can claim $3k or further an agenda.”

The privacy attitudes on display at the event contrast with the dominant media narratives about trans communities a decade ago. Fresh off the Supreme Court victory in Obergefell vs. Hodges that legalized same-sex marriage, many at that time were convinced that trans visibility would pave the way to equality, as glossy magazine covers featuring stars like Laverne Cox declared a “Trans Tipping Point.” But while conditions for some trans people marginally improved, we all know what happened next: a wave of reactionary anti-trans state laws, culminating in the re-election of Donald Trump and a series of executive orders aimed at destroying trans peoples’ access to healthcare, sports, bathrooms—essentially the ability to live a normal life.

At the same time, protection can’t be a retreat back into the closet. “It’s still important for trans voices to be heard in online spaces,” said Anna. “It’s not like I wanna go into the shadows or anything. I just don’t want people to know my personal data, my personal records, any of that.”

“Being Black, I also understand the distinction between visibility and hypervisibility and the precarity and lack of agency that hypervisibility creates,” said Thompson. “It's tricky to find language around digital security that doesn't imply queerness is something to hide or a shameful thing, because of course it's not. I think having agency and purpose in how we can show up online and interact with tech as well as literacy around how technology and surveillance operates makes us better equipped.”

Janus Rose is a New York City-based journalist, educator and artist whose work explores the impacts of A.I. and technology on activists and marginalized communities. Previously a senior editor at VICE, she has been published in digital and print outlets including e-Flux Journal, DAZED Magazine, The New Yorker, and Al Jazeera.


TeleGuard is an app downloaded more than a million times that markets itself as a secure way to chat. The app uploads users’ private keys to the company’s server, and makes decryption of messages trivial. #Privacy #News


A Secure Chat App’s Encryption Is So Bad It Is ‘Meaningless’


TeleGuard, an app that markets itself as a secure, end-to-end encrypted messaging platform which has been downloaded more than a million times, implements its encryption so poorly that an attacker can trivially access a user’s private key and decrypt their messages, multiple security researchers told 404 Media. TeleGuard also uploads users’ private keys to a company server, meaning TeleGuard itself could decrypt its users’ messages, and the key can also at least partially be derived from simply intercepting a user’s traffic, the researchers found.

The news highlights something of the wild west of encrypted messaging apps, where not all are created equal.

💡
Do you know anything else about this app or other security issues? I would love to hear from you. Using a non-work device, you can message me securely on Signal at joseph.404 or send me an email at joseph@404media.co.

“No storage of data. Highly encrypted. Swiss made,” the website for TeleGuard reads. The site also says, “The chats as well as voice and video calls are end-to-end encrypted.”



The move isn't surprising, but shows what data is available to authorities when paying Apple customers use the Hide My Email feature. #Privacy #Apple #News


Apple Gives FBI a User’s Real Name Hidden Behind ’Hide My Email’ Feature


This article was produced in collaboration with Court Watch, an independent outlet that unearths overlooked court records. Subscribe to them here.

Apple provided the FBI with the real iCloud email address hidden behind Apple’s ‘Hide My Email’ feature, which lets paying iCloud+ users generate anonymous email addresses, according to a recently filed court record.

The move isn’t surprising but still provides uncommon insight into what data is available to authorities regarding the Apple feature. The data was turned over during an investigation into a man who allegedly sent a threatening email to Alexis Wilkins, the girlfriend of FBI director Kash Patel.



A court record reviewed by 404 Media shows privacy-focused email provider Proton Mail handed over payment data related to a Stop Cop City email account to the Swiss government, which handed it to the FBI.#News #Privacy


Proton Mail Helped FBI Unmask Anonymous ‘Stop Cop City’ Protester


Privacy-focused email provider Proton Mail provided Swiss authorities with payment data that the FBI then used to determine who was allegedly behind an anonymous account affiliated with the Stop Cop City movement in Atlanta, according to a court record reviewed by 404 Media.

The records provide insight into the sort of data that Proton Mail, which prides itself both on its end-to-end encryption and on being governed only by Swiss privacy law, can and does provide to third parties. In this case, the Proton Mail account was affiliated with the Defend the Atlanta Forest (DTAF) group and Stop Cop City movement in Atlanta, which authorities were investigating for their connection to arson, vandalism and doxing. Broadly, members were protesting the building of a large police training center next to the Intrenchment Creek Park in Atlanta, and actions also included camping in the forest and lawsuits. Charges against more than 60 people have since been dropped.



An internal DHS document obtained by 404 Media shows for the first time CBP used location data sourced from the online advertising industry to track phone locations. ICE has bought access to similar tools.#DHS #ICE #CBP #News #Privacy


CBP Tapped Into the Online Advertising Ecosystem To Track Peoples’ Movements


📄
This article was primarily reported using public records requests. We are making it available to all readers as a public service. FOIA reporting can be expensive, please consider subscribing to 404 Media to support this work. Or send us a one time donation via our tip jar here.

Customs and Border Protection (CBP) bought data from the online advertising ecosystem to track people’s precise movements over time, in a process that often involves siphoning data from ordinary apps like video games, dating services, and fitness trackers, according to an internal Department of Homeland Security (DHS) document obtained by 404 Media.

The document shows in stark terms the power, and potential risk, of online advertising data and how it can be leveraged by government agencies for surveillance purposes. The news comes after Immigration and Customs Enforcement (ICE) purchased similar tools that can monitor the movements of phones in entire neighbourhoods. ICE also recently said in public procurement documents it was interested in sourcing more “Ad Tech” data for its investigations. Following 404 Media’s revelation of that ICE purchase, on Tuesday a group of around 70 lawmakers urged the DHS oversight body to conduct a new investigation into ICE’s location data buying.

💡
Do you work at CBP, ICE, or a location data company? I would love to hear from you. Using a non-work device, you can message me securely on Signal at joseph.404 or send me an email at joseph@404media.co.

This sort of information is a “goldmine for tracking where every person is and what they read, watch, and listen to,” Johnny Ryan, director of the Irish Council for Civil Liberties (ICCL) Enforce, which has closely followed the sale of advertising data, told 404 Media in an email.



Joseph speaks to Cooper Quintin all about how to find fake cell phone towers that can track your movements or intercept text messages.#Podcast #Privacy


How to Detect Phone Spying Tech (with Cooper Quintin)


Joseph speaks to Cooper Quintin, a security researcher and senior public interest technologist with the Electronic Frontier Foundation (EFF). Quintin is one of the people behind Rayhunter, an easy to install tool that can detect nearby IMSI-catchers. This tech, sometimes known as Stingrays, poses as a fake cellphone tower to track a phone’s location, intercept calls and texts, and can sometimes even deliver malware.
Listen to the weekly podcast on Apple Podcasts, Spotify, or YouTube. Become a paid subscriber for access to this episode's bonus content and to power our journalism. If you become a paid subscriber, check your inbox for an email from our podcast host Transistor for a link to the subscribers-only version! You can also add that subscribers feed to your podcast app of choice and never miss an episode that way. The email should also contain the subscribers-only unlisted YouTube link for the extended video version too. It will also be in the show notes in your podcast player.
Rayhunter GitHub


The site, camgirlfinder, is explicitly built as a tool to let people find a model's presence on other streaming platforms. The creator says “If that is a problem for you then the sad reality is this job is not for you.”#Privacy #News

404 Media has obtained a cache of internal police emails showing at least two agencies have bought access to GeoSpy, an AI tool that analyzes architecture, soil, and other features to near instantly geolocate photos.#FOIA #AI #Privacy


Cops Are Buying ‘GeoSpy’, an AI That Geolocates Photos in Seconds


📄
This article was primarily reported using public records requests. We are making it available to all readers as a public service. FOIA reporting can be expensive, please consider subscribing to 404 Media to support this work. Or send us a one time donation via our tip jar here.

The Miami-Dade Sheriff’s Office (MDSO) and the Los Angeles Police Department (LAPD) have bought access to GeoSpy, an AI tool that can near instantly geolocate a photo using clues in the image such as architecture and vegetation, with plans to use it in criminal investigations, according to a cache of internal police emails obtained by 404 Media.

The emails provide the first confirmed purchases of GeoSpy’s technology by law enforcement agencies. On its website GeoSpy has previously published details of investigations it says used the technology, but did not name any agencies who bought the tool.

“The Cyber Crimes Bureau is piloting a new analytical tool called GeoSpy. Early testing shows promise for developing investigative leads by identifying geospatial and temporal patterns,” an MDSO email reads.



The tool presents users with a 3D model they can then manipulate to, the creator says, bypass Discord's age verification system.#Privacy #News


Free Tool Says it Can Bypass Discord's Age Verification Check With a 3D Model


A newly released tool claims it can bypass Discord’s age verification system by allowing users to control a 3D model of a computer-generated man in their browser instead of scanning their real face.

On Monday, Discord announced it was launching teen-by-default settings globally, meaning that more users may be required to verify their age by uploading an identity document or taking a selfie. Users responded with widespread criticism, with Discord then publishing an update saying, “You need to be an adult to access age-restricted experiences such as age-restricted servers and channels or to modify certain safety settings.”

The tool, however, shows those age verification checks may be bypassed. 404 Media previously reported kids said they were using photos of Trump and G-Man from Half Life to bypass the age verification software in the popular VR game Gorilla Tag. That game uses the service k-ID, which is the same as what Discord is using.



Lockdown Mode is a sometimes overlooked feature of Apple devices that broadly makes them harder to hack. A court record indicates the feature might be effective at stopping third parties unlocking someone's device. At least for now.#Privacy #News


FBI Couldn’t Get into WaPo Reporter’s iPhone Because It Had Lockdown Mode Enabled


The FBI has been unable to access a Washington Post reporter’s seized iPhone because it was in Lockdown Mode, a sometimes overlooked feature that makes iPhones broadly more secure, according to recently filed court records.

The court record shows what devices and data the FBI was able to ultimately access, and which devices it could not, after raiding the home of the reporter, Hannah Natanson, in January as part of an investigation into leaks of classified information. It also provides rare insight into the apparent effectiveness of Lockdown Mode, or at least how effective it might be before the FBI may try other techniques to access the device.

💡
Do you know anything else about phone unlocking technology? I would love to hear from you. Using a non-work device, you can message me securely on Signal at joseph.404 or send me an email at joseph@404media.co.



‘Curator Live’, a popular photo booth company for weddings and other events, is exposing all sorts of unsuspecting people’s photos.#Privacy #News


Wedding Photo Booth Company Exposes Customers’ Drunken Photos


A photo booth company that caters to weddings, lobbying events in D.C., and engagement parties has exposed a cache of people’s photos, with the revellers likely unaware that their sometimes drunken antics have been collected and insecurely stored by the company for anyone to download. A security researcher who flagged the issue to 404 Media said the company, Curator Live, has not responded to his request to fix the issue.

The exposure, which also includes phone numbers, highlights how we can face data collection even at innocuous events like weddings. It’s also not even the only recent exposure by a photo booth company. TechCrunch reported on a similar issue with a different company in December.

“Even if you just wanted the printed photo, your data is being held by a third party unbeknownst to you,” the security researcher, who requested anonymity to speak about a sensitive security issue, said. “The fact that this third party leaks it freely is icing on the cake. It violates any reasonable expectation of privacy.”

In all, the researcher says at least 100GB of photos are exposed. 404 Media reviewed a smaller sample of photos. They show people at various weddings and engagement parties cheering and drinking. Some photos include children. Others appear to have been taken at a NASA branded event.

“You can attribute the phone numbers to photos of people in some cases. I think the greatest reasonable risk for photo booth users is that it could reveal intimate photos,” the researcher added.

Curator Live’s website says the company “delivers industry-leading enterprise photo and video capture solutions. From photo booth operators to zoos, sports events, attractions, and vacation destinations, we help your brand create unforgettable experiences and lasting memories.”

As for how they found this issue, the researcher said they went to a wedding where the DJ company had a Curator Live photo booth. “The booth was configured to take four or so photos, then printed them out. The machine prompted the user for a phone number to receive digital copies of the photos,” he said.

After reluctantly entering his number, the researcher received a text with a link to Curator Live’s API, he said. From there, he found the exposed data. The company is still exposing people’s data so 404 Media is not explaining the security issue in detail. But the impact is that a stranger could dig through other people’s photos.

The researcher shared a copy of his email he sent to Curator Live in November detailing the issue. The researcher said he never received a response. “Fix your shit,” one line read.

Curator Live did not respond to 404 Media’s request for comment.


Privacy Telecom ‘Cape’ Introduces ‘Disappearing Call Logs’ That Delete Every 24 Hours#Privacy


Privacy Telecom ‘Cape’ Introduces ‘Disappearing Call Logs’ That Delete Every 24 Hours


Cape, a privacy-focused telecommunications company, says it has introduced a feature that automatically deletes a user’s call data records, such as who they call and when, every 24 hours. These “disappearing call logs,” as Cape describes them, break with the telecom industry standard of keeping hold of call logs for months if not years.

“One of our first design principles was to minimize the amount of data that we collect and the amount of data that we store,” John Doyle, CEO of Cape, told 404 Media in an interview. “There’s no other business purpose to keep most of these logs more than like a day.”

Call data records, or CDRs, are metadata about a user’s phone call and text records. This includes the phone number the user contacted. This information can be especially revealing, showing that a particular person called an abortion clinic, for instance. In 2024, hackers stole “nearly all” of AT&T customers’ call records spanning several months. That in turn started a rush from the FBI to protect the identities of confidential informants, Bloomberg reported. That hack was so damaging in part because AT&T kept its customers’ call records for an extended period of time.

💡
Do you know about any other similar tools? I would love to hear from you. Using a non-work device, you can message me securely on Signal at joseph.404 or send me an email at joseph@404media.co.

Cape is a mobile virtual network operator (MVNO), meaning it runs its service on top of other companies’ existing telecommunications infrastructure. Cape isn’t building cellphone towers; it’s making software to add security benefits. Cape is able to make changes to how long it retains data and other technical aspects because it runs its own mobile core—all of the software necessary to route messages and essentially be a telecom.

404 Media asked Cape to demonstrate that CDRs were being deleted. In response, Cape made a video describing the process. It appeared to show that the databases Cape uses to store CDRs did only contain data from a 24 hour period. Previously, Cape stored CDRs for 60 days, “which was already well short of industry standards,” Doyle said. Cape says it does hold “billing CDRs” for longer, for 30 days. These records are used to determine how much Cape has used carriers’ infrastructure.
Cape’s CDRs are made when a customer uses the Cape phone number assigned to their account. The change wouldn’t impact data generated by an app such as Signal; those are separate, and Signal already has various metadata protections.

Doyle said Cape did not warn law enforcement about the change to CDR retention beforehand. “I guess they’ll find out in the same way everyone else does,” he said. He added that the company still is in keeping with CALEA, or the Communications Assistance for Law Enforcement Act, which requires telecommunications companies to respond to legal demands for data.

Because Cape is piggybacking off other carriers’ infrastructure, that does mean that somewhere along the line those other companies could store their own copy of Cape users’ data.

“It’s definitely true that some of our carrier partners may collect some information,” Doyle said, including the IMEI, a unique identifier assigned to a device.

Since I first covered Cape in 2024, I occasionally get emails asking me if Cape is a honeypot, in the sense that maybe it is a ruse to then provide data to the authorities. Doyle is also formerly of Palantir.

“All I can do is say we definitively are not a honeypot,” Doyle said. “It’s so hard to prove a negative, but I say it out loud every chance I get.”


Jesus Gutiérrez told immigration agents he was a U.S. citizen. Only after they scanned his face did the agents let him go.#ICE #Privacy


How a US Citizen Was Scanned With ICE's Facial Recognition Tech


This article is a partnership between Reveal and 404 Media.

Jesus Gutiérrez, 23, was walking home one morning from a Chicago gym when he noticed a gray Cadillac SUV with no license plates. He kept walking, shrugging it off. Then the car pulled over and two men got out.

The federal immigration officials told him not to run. They then peppered Gutiérrez with questions: Where are you going? Where are you coming from? Do you have your ID on you?

Gutiérrez is a U.S. citizen. He told the officials this. He didn’t have any identification on him, but, panicking, he tried to find a copy on his phone. The agents put him into the car, where another two agents were waiting, and handcuffed him. Just sit there and be quiet, they said.

💡
Has this happened to you or someone you know? Do you have any videos of ICE or CBP scanning people's faces? Do you work for either agency? I would love to hear from you. Using a non-work device, you can message me securely on Signal at joseph.404 or send me an email at joseph@404media.co.

Without Gutiérrez’s ID, the agents resorted to another approach. They took a photo of his face. A short while later, the agents got their answer: “Oh yeah, he’s right. He’s saying the right thing. He does got papers,” Gutiérrez recalled the agents saying.



Videos on social media show officers from ICE and CBP using facial recognition technology on people in the field. One expert described the practice as “pure dystopian creep.”#ICE #CBP #News #Privacy


ICE and CBP Agents Are Scanning Peoples’ Faces on the Street To Verify Citizenship


“You don’t got no ID?” a Border Patrol agent in a baseball cap, sunglasses, and neck gaiter asks a kid on a bike. The officer and three others had just stopped the two young men on their bikes during the day in what a video documenting the incident says is Chicago. One of the boys is filming the encounter on his phone. He says in the video he was born here, meaning he would be an American citizen.

When the boy says he doesn’t have ID on him, the Border Patrol officer has an alternative. He calls over to one of the other officers, “can you do facial?” The second officer then approaches the boy, gets him to turn around to face the sun, and points his own phone camera directly at him, hovering it over the boy’s face for a couple seconds. The officer then looks at his phone’s screen and asks for the boy to verify his name. The video stops.

💡
Do you have any more videos of ICE or CBP using facial recognition? Do you work at those agencies or know more about Mobile Fortify? I would love to hear from you. Using a non-work device, you can message me securely on Signal at joseph.404 or send me an email at joseph@404media.co.



A contractor for the Air Force and other government agencies wanted to get a good deal on some Graykeys from us (we're journalists FYI).#News #Privacy

A security researcher made a tool that let them quickly check which of Cloudflare's data centers had cached an image, which allowed them to figure out what city a Discord, Signal, or Twitter/X user might be in.#News #Privacy

For months members of the public have been using GeoSpy, a tool trained on millions of images that can find the location a photo was taken based on soil, architecture, and more. It's GeoGuesser at scale.#News #Privacy

A new report from Amnesty International reveals multiple cases where Serbian authorities used Cellebrite devices to access targets' mobile phones before loading them with spyware.#News #Privacy

Fog Data Science is a location tracking company that takes data harvested from smartphones and makes it accessible to cops. A document obtained by 404 Media shows the company explicitly says it will use doctors’ visits to unmask a target if needed.#News #Privacy